fix(rsync): properly delete `._pico_keep_dir` first so os.Remove suceeds

fix(pgs): broken url for imgproxy integration

fix(pgs): never cache http-pass responses

Password-protected (http-pass) projects could be read without the
password. The shared cache keys entries on subdomain+method+uri with no
auth component, and only declines to store responses marked private or
no-store. http-pass assets were served as 200 with
`cache-control: max-age=60, s-maxage=600, must-revalidate`, so the first
authenticated request populated the cache and every subsequent
unauthenticated visitor got a cache hit that bypassed the password gate
for the duration of the TTL.

Mark http-pass asset responses `private, no-store` so the shared cache
refuses to store them. The override is applied after the user `_headers`
are merged, so a project's own cache-control cannot re-enable caching of
protected content.

Adds a regression test asserting an http-pass response is served
non-cacheable even when a `_headers` file requests aggressive caching.

fix: strip debug from linker

refactor: move go-rsync-receiver into pico monorepo

fix: require testcontainers for pico.sh ci

fix(ci): cleanup

chore(ci): cleanup

docs(pgs): help cmd for forms

chore: pico.sh ci script

fix(pgs): _headers should override default cache-control

Closes: https://github.com/picosh/pico/issues/215

feat(tui): analytics now displays device breakdown

You can see mobile vs desktop

docs: runbooks

fix: script

chore: script to find orphaned buckets

fix(auth): mime type can include charset

e.g. text/html; charset=utf-8

chore(visits): new indexes and parallel queries

chore: remove dev artifacts

refactor(visits): aggregate visit tables

Previously we had an analytics_visits table that held all the raw visit data.
This mean our analytics UI was constantly executing queries across 18 mil records
which was extremely slow.  This change aggregates those analytics every month
and then deletes all the raw data.

We keep 2 months worth of raw data and then everything else gets pushed into
the aggregate tables.

chore: script reap edits

fix: reap should look skip anyone that has pico+

chore: delete old analytics

chore: sql query to reap unused accounts

References: https://pico.prose.sh/ann-036-reap-inactive-accounts

fix(httpcache): cdn accept encoding

Two bugs combined to produce the broken behavior:

Bug 1: CDN forwarded Accept-Encoding to upstream (cmd/pgs/cdn/main.go)

proxyServe.ServeHTTP cloned the incoming request (including its Accept-Encoding: zstd header sent by Caddy) and forwarded it to ash.pgs.sh. The upstream responded with a zstd-compressed body + content-encoding: zstd. The CDN then cached that compressed blob. Caddy (sitting in front of the CDN) can't transcode
zstd→nothing, so clients received raw zstd bytes named .xml.

Fix: proxyReq.Header.Del("Accept-Encoding") before the upstream round-trip. The CDN should store one uncompressed representation per URL; Caddy handles per-client content encoding on egress.

Bug 2: matchVary was looking in the wrong place (pkg/httpcache/serve.go, rw.go)

When the response included Vary: Accept-Encoding, matchVary looked for Accept-Encoding in the response headers map — but Accept-Encoding is a request header and was never there. The cachedValue == "" branch silently continued, causing every request to match regardless of what encoding it accepted.

Fix: ToCacheValue now accepts the *http.Request and snapshots the Vary-relevant request header values into a new CacheValue.VaryRequestHeaders map[string]string field. matchVary now compares the incoming request's headers against that snapshot instead of looking in response headers. Legacy entries with no
VaryRequestHeaders are treated as misses so they repopulate correctly.

fix(pgs): dupe headers

chore(pgs): configurable max items for lru

chore: lint

chore: disable flaky test

chore(httpcache): cache-status cleanup and random bug fixes

chore: normalize header keys

chore: disable imgproxy tests

We don't have them setup properly atm

refactor(storage): no need for metadata just need content type

chore: rm dead code

refactor(storage): put accepts ObjectInfo instead of FileEntry

This is a symmetric change so everything uses the same objects

feat(pgs): record metrics for compressed file types

fix(pgs): check handler fast bail when domain is empty

refactor(httpcache): ignore routes should use no-store

fix(httpcache): verified heuristically cachable status codes

refactor(pgs): use http.ServeContent

refactor: new image proxy object that uses httputil reverse proxy

fix(pgs): typo

chore(pgs): make our cache age match our lru cache ttl

Fix cache metrics and update deps

fix(pgs): cdn routing to correct place

fix(pgs): admin check logic

chore(pgs): log key eviction

fix(pgs): use URL.Path so we ignore query params

feat(httpcache): ignore routes cfg

fix(pgs): prom names and set headers instead of add

chore(pgs): HEAD can share same key as GET

fix(pgs): 304 send correct status and headers

fix(pgs): httpcache must return cached headers when returning 304

fix(pgs): gauge name si unit

fix(pgs): httpcache rw.Write needs to report the num of bytes

refactor(pgs): custom rfc9111 compliant cache

chore: scripts

docs(tui): per file max size 100mb

feat(pgs): 100mb max file size

fix: test

feat(pgs): increase max file size to 250mb

fix(pgs): force redirect from root

fix(pgs): normalize ext

docs: rm auto form

chore(storage): cleanup

refactor: move shared/storage to storage

refactor: merge pboj and shared/storage

Update soju build to support webpush changes and upgrade to go 1.26

Fix host resolution for caddy

chore(pgs): require pico+ for auto-forms

chore(feeds): update retry attempt max in ls cmd

feat(pgs): auto-forms

fix(feeds): parse urls properly with comments

chore(feeds): extend retry number to 100

10 is too small since we count every 10 minutes

feat(pgs): all projects named `bin` will have their files deleted automatically after 2 weeks

This replicates the 0x0.st functionality where you can uploading any file and it'll eventually be deleted.

chore(pgs): setting acl is pico+ only

feat(pgs): http-pass ACL

This feature enables users to set their project to "http-pass" which requires a password to access the site.

The user can set the acl via:

`ssh pgs.sh acl {project} --type http-pass --acl {pass}`

When accessing the project the user will have to enter the password to access the site.  When access has been granted we set a cookie in the user's browser.  That cookie is valid for 24 hours.

feat(pgs): project names prefixed with `private-` will have new acl type "private"

For security reasons once a project is named `private-` it can never have its ACL type changed.

Right now we do not support making other projects private.

fix(pgs): ability to pipe files to pgs

docs(pgs): more usage for help page

chore(bouncer): bump soju to latest

fix(tui): revert 'q' to go back

This is conflicting with our text input boxes so I'm reverting for now

Chore: Unified Error Logs throughout the repo (#210)

fix(pssh): race in tests

fix(pssh): fix race

fix(pssh): tests

fix(pssh): normalize line endings for pty enabled ssh output

refactor(pgs): use dynamic port for ssh tests

feat(tui): 'q' goes to prev page

fix(pssh): normalize line ending with pty

fix(pssh): redundant sesh passing

fix(pssh): strip quotes after splitting on them

fix: properly parse ssh command args with quotes

chore: added test for pssh cmd parsing

chore(pssh): add error/print helper cmds

fix(pgs): downgrade storages to v0.0.16

http cache is being truncated on large files

Reference: https://github.com/darkweak/storages/issues/41

chore(pgs): test failure

chore(pgs): tests to prevent infinite redirects

Fix deps

Upgrade to go 1.25

feat(pubsub): round robin

refactor: move picosh/pubsub into repo

chore: more refactor cleanup

refactor: fix issues with imports and create shared/router pkg

refactor: migrate picosh/utils

feat(pipe): ?prefix= query param for pub and pipe

feat(auth): `/pubkeys/{user}` public endpoint

fix(pgs): inverted logic check for pico+

chore: gitignore

feat(pico): access_logs cli command

chore(tui): tokens text for Apple Terminal

chore(bouncer): motd updates

fix: identity is always pubkey so check it as well

fix(ssh): only use pubkey name if not ssh cert

chore(pipe): use ssh cert identity if available

chore(pipemgr): use cert location

feat(ssh): find pubkey name and use as identity for access logs

fix(tui.access_logs): start at last access with cmds to go to top or bot list

refactor: remove minio

We haven't used minio in months and if we did choose another object storage it wouldn't minio

docs(pgs): simplify pgs marketing

refactor(pgs): cache-control max-age and revalidate

We want to prevent the browser from caching stale static pages by requiring it to revalidate using ETag after 1 minute.

refactor(analytics): add indexes to improve query performance

fix(tui): border boundaries

style(prose): margin on the tags section

feat(tui.logs): allow logs to be manually scrolled

fix(tui.logs): filtered logs corruption

feat(prose): added horizontal rule to list parser

refactor(prose): replace ul/li with custom list impl

chore(prose,pastes): rotate caddy logs

fix(prose): list parser key is `draft`

chore(prose): list parser tests

chore(prose): add raw .lxt route

fix(prose): remove log line

feat(prose): lists are back bby

feat(pipe): web based rss feed

feat(pipe): monitors

This change introduces pipe monitors: a way to receive status updates on
your pipes.

chore(feeds): add deprecation notice for free pico users

fix(auth): updated_at required for pico+ feed posts

docs(readme): feeds txt

chore(prose): we no longer do anything with "prose" pgs project

This is from when we had a single object store.  We now have an object
store per service so creating a prose project is no longer required.

fix(prose): filter aliases by user_id

This was erroneously showing posts from other users

chore: move marketing materials to pipe

fix: tui pages

docs(pgs): Add docs link to marketing template

Taking inspiration from <https://pipe.pico.sh/> (commit 2aab941), this
patch adds "Docs" links to the top and bottom of the <https://pgs.sh/>
template, making it easy to jump straight to <https://pico.sh/pgs> with
a single click.

The markup has been slightly tweaked to improve the resulting layout.

fix(pipe): tests timing issue

chore(pipe): more e2e tests

chore(pipe): more e2e tests for blocking and non-blocking behavior

refactor: use `resolveTopic` to determine topic name

chore(pipe): extract topic name logic into testable function

docs: agents typo

fix(pipe): use ticker timer instead of sleep

The time.Sleep in the default case blocks for 5 seconds, during which context cancellation is ignored.
If the session ends, the goroutine won't notice until the sleep completes.

chore(pipe): use different port for tests

chore(pipe): added tests

refactor(pipe): cli code organization

Use a struct with methods to abstract cli middleware code into discrete
functions

fix: tests

chore: update utils

feat(tui): new pages section showing all sites

fix(tui/access_logs): set cursor to 0 when filtering

chore: add tests

fix(rsync): delete largest path first

docs(tui): pubkeys desc about ssh certs

feat(tui): access logs

docs: agents.md

chore: update vaxis

refactor(db): use sqlx

feat: find access logs by pubkey

feat: access logs

This adds a new table to pico to track access logs.  This helps pico
admins understand what pubkeys are access their services and what their
identity is in the case of certified public keys.

chore(pgs): hide dot files from dir listing pages

chore: fix lint

fix(prose): close img obj

fix: tunnel leaks

fix(pgs): gen dir listing close object

fix(pgs): memory leaks

All changes replace defer with immediate Close() calls to ensure resources are released promptly rather than accumulating until function return.

feat(pgs): show dir listing when no index.html present

chore(db): remove unused queries

feat(auth): authenticate key handler using ssh cert

feat: access control using ssh certs

fix: image request detection was matching anything instead of .jpg

chore(mime): more types

fix(pgs): tar.gz mime type

fix(auth): don't extend a pico+ sub by a year if it is expired

docs: readme

fix(pipe): to topic fns should handle if user already incldued

chore(bouncer): pin to v0.9.0

fix(pico): check if entry or entry.Reader is nil

I'm not sure why we would ever receive a nil entry but it is showing up
in the logs

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x9a258]

goroutine 14513 [running]:
io.ReadAll({0x0, 0x0})
     /usr/local/go/src/io/io.go:712 +0x58
github.com/picosh/pico/pkg/apps/pico.(*UploadHandler).Write(0x400000c198, 0x400045eb90, 0x4000990960)
     /app/pkg/apps/pico/file_handler.go:305 +0xfc
github.com/picosh/pico/pkg/send/protocols/sftp.(*handler).Filecmd(0x4000f67b30, 0x40015c8b60?)
     /app/pkg/send/protocols/sftp/handler.go:53 +0x84
github.com/picosh/pico/pkg/send/protocols/sftp.(*handlererr).Filecmd(0x4000a5e0a0, 0xe0?)
```

docs: readme

fix(feeds): last digest can be nil

chore(feeds): better formatting for smtp emails

chore(feeds): limit message body size to 5mb

This is in an effort to prevent abuse or having insanely massive RSS
feed digests.  The actual limit is subject to change.

chore: gitignore aider

feat: Add size limit warning banner

feat(feeds): cli `print` command prints the feed post

chore(prose): add some tagging to post page elements

This should make it easier to manipulate our date elements in case
someone wants to remove them with css

chore: gha for more pgs images

chore: update souin

fix(feeds): nil pointer

docs(feeds): clarify run cli

fix(feeds): remove references to `digest_interval`

refactor(feeds): deprecate `digest_interval`; use `cron` instead

Reference: https://pico.sh/feeds#cron

refactor(feeds): only fetch users with feeds post

feat(feeds): a wild `cron` property appears

Now users can specify a digest interval for their rss-to-email posts
using a cron format.

The primary limitation is we run our feed processor every minute so we
don't support the seconds specificity in cron.

Reference: https://github.com/adhocore/gronx?tab=readme-ov-file#cron-expression

chore: rm test files

fix(feeds): sanitize feed content to be utf8

Our postgres db expects utf8

fix(pastes): caddy syntax

fix(pastes): caddyfile syntax err

fix(pastes): allow script-src

feat(pastes): copy button

Add copy button to Pastes

refactor(prose): only display 1 post per user in feed

fix(feeds): lint

refactor(feeds): replace sendgrid with smtp

fix(storage): upload files with 0o777 perms

feat(prose): allow `robots.txt` to be uploaded and served for blog

feat(pssh): handle keepalive

chore(pgs): fmt

docs(pgs): selfhost copy

feat(pgs): self hosted init cmd

docs: selfhost

Don't start pgs ssh with cdn

Add imgproxy metrics

Update minio profile

chore(pgs): standalone docker image

feat(pgs): standalone pgs binary

This introduces a new cmd binary for pgs: standalone.

This allows end-users to self-host their own version of `pgs` with as
few dependencies as possible.  With this change users can self-host pgs
with (2) deps: caddy and sqlite

fix(pgs): fs adapter atomically replace files

fix(pgs): fs adapter make sure files are closed properly

chore(pico): missing help cmd txt

feat(pico): `user` and `not-found` commands to cli

fix(pgs): cli fzf cmd the ListObjects needs trailing `/`

chore(pgs): cleanup

fix(pgs): rsync --delete regression

chore(imgproxy): add to pgs network

chore(auth): rotate logs

fix(pgs): fs adapter updates

fix(fs): dont fail when listing or deleting that dont exist

refactor(config): remove old cfg options

fix(pgs): home page

fix(pgs): getobject should return always objectinfo

fix(pgs): reset os.File reader

feat(pgs): fs adapter generate etag on-the-fly

Move around caddyfiles

fix(pgs): cdn send partial url to proxy instead of entire url

fix(pgs): cdn manually proxy check handler

fix(pgs): cdn check endpoint

refactor(pgs): use base storage adapter

refactor(pgs): lite -> cdn naming

docker compose

dockerfile work

refactor(pgs): "lite" version of pgs with cache and proxy to ash.pgs

fix(prose): rss link

refactor(prose): use local fs for storing images

This commit removes the dependency on `minio` for hosting images
uploaded to prose.

Instead we are using the local filesystem with an fs adapter.

We are also now using a local imgproxy container on the prose VM
instead.

fix(pgs): redirect to file

Merge remote-tracking branch 'origin/main'

Add the ability to hide log lines