惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Hackread – Cybersecurity News, Data Breaches, AI and More
C
Check Point Blog
Hacker News: Ask HN
Hacker News: Ask HN
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
P
Proofpoint News Feed
V
Visual Studio Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
N
Netflix TechBlog - Medium
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
S
Schneier on Security
T
Threat Research - Cisco Blogs
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Hacker News
The Hacker News
Google DeepMind News
Google DeepMind News
Microsoft Security Blog
Microsoft Security Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
GbyAI
GbyAI
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Palo Alto Networks Blog
T
Tenable Blog
S
Secure Thoughts
T
Threatpost
V2EX - 技术
V2EX - 技术
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
罗磊的独立博客
P
Privacy & Cybersecurity Law Blog
Engineering at Meta
Engineering at Meta
小众软件
小众软件
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
Y
Y Combinator Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cybersecurity and Infrastructure Security Agency CISA
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
H
Heimdal Security Blog
量子位
B
Blog

Recent Commits to openclaw:main

test: merge chat side-result checks · openclaw/openclaw@ddd2c2a test: merge cron history checks · openclaw/openclaw@f7eb746 test: merge responsive navigation shell checks · openclaw/openclaw@c2e4b47 docs(changelog): add codex oauth fixes · openclaw/openclaw@628e6cd test: merge navigation routing cases · openclaw/openclaw@5d8cecb Tests: mock channel registry bundled fallback · openclaw/openclaw@2b08233 Secrets: avoid broad web search discovery for single plugin config · openclaw/openclaw@a464f59 test: merge config view browser checks · openclaw/openclaw@20cf511 fix(status): align oauth health with runtime · openclaw/openclaw@eed7116 feat: add macOS screen snapshots for monitor preview (#67954) thanks … · openclaw/openclaw@f377db1 fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev · openclaw/openclaw@0b6c39b Auto-reply: avoid eager bundled route fallback · openclaw/openclaw@3ea1bf4 Tests: narrow session binding contract setup · openclaw/openclaw@54e4e16 fix(macOS): enable undo/redo in webchat composer text input (#34962) · openclaw/openclaw@00951dc Tests: speed up channel setup promotion · openclaw/openclaw@82b529a Docs: refresh agent instructions · openclaw/openclaw@5775fe2 fix(auth): serialize OAuth refresh across agents to fix #26322 (#67876) · openclaw/openclaw@8e79080 test: allow ollama public surface boundary test · openclaw/openclaw@7d4f1a6 Docs: add test performance guardrails · openclaw/openclaw@89706d3 Tests: restore context-engine usage proof · openclaw/openclaw@e4c4f95 Tests: slim context engine runtime coverage · openclaw/openclaw@74c198f ci: retry failed custom checkouts · openclaw/openclaw@0ee5baf test: trim duplicate provider auth onboarding cases · openclaw/openclaw@1ffc02e matrix: fix sessions_spawn --thread subagent session spawning (#67643) · openclaw/openclaw@1ce2596 test: reduce auth choice fixture churn · openclaw/openclaw@857b9cd test: mock health status config boundaries · openclaw/openclaw@9d5ab4a test: mock onboard config io boundary · openclaw/openclaw@299694d test: mock legacy state plugin boundaries · openclaw/openclaw@2713089 test: mock channel install boundaries · openclaw/openclaw@b945248 test: mock doctor preview channel boundaries · openclaw/openclaw@b1a3ad4 test: trim doctor command hotspots · openclaw/openclaw@c66f16a test: isolate agent auth and spawn hotspots · openclaw/openclaw@9285935 test: stabilize MCP startup disposal race · openclaw/openclaw@dd9d2eb test: merge browser contract server suites · openclaw/openclaw@5817a76 test: narrow ollama provider discovery setup · openclaw/openclaw@a0d9598 build: declare qa-lab aimock runtime dependency · openclaw/openclaw@24431e5 test: speed up safe-bins exec harness · openclaw/openclaw@ee856ab test: preserve tool helpers in embedded runner mocks · openclaw/openclaw@acd86a0 refactor: move memory embeddings into provider plugins · openclaw/openclaw@77e6e4c test: reuse system-run temp fixtures · openclaw/openclaw@7e9ff0f test: trim hotspot wait overhead · openclaw/openclaw@12a59b0 Check: avoid duplicate boundary prep · openclaw/openclaw@baf11b8 test: reduce hotspot fixture overhead · openclaw/openclaw@3a59edd feat(ui): overhaul settings and slash command UX (#67819) thanks @Bun… · openclaw/openclaw@2cfb660 QA Matrix: exit cleanly on failure · openclaw/openclaw@42805d2 QA Matrix: isolate scenario coverage · openclaw/openclaw@7e659e1 Matrix: refresh crypto bootstrap state · openclaw/openclaw@94081d8 QA Lab: add provider registry · openclaw/openclaw@bb7e982 Matrix: add plugin changelog · openclaw/openclaw@4acab55 test: trim more hotspot overhead · openclaw/openclaw@f485311 test: trim remaining hotspot tests · openclaw/openclaw@6ba8626 test: narrow hotspot mocks · openclaw/openclaw@dbc8179 test: isolate gemini embedding request helpers · openclaw/openclaw@cd330f5 test: trim memory and mcp hotspots · openclaw/openclaw@fd48dfa test: slim provider registry mocks · openclaw/openclaw@2e08c77 test: harden Parallels update smoke · openclaw/openclaw@1a98090 feat: default Anthropic to Opus 4.7 · openclaw/openclaw@628b454 fix: harden node-host shell payload mutability checks · openclaw/openclaw@75c551e fix: land node-host approval binding for native binaries (#66731) (th… · openclaw/openclaw@29919bb CI: add daily schedule to CodeQL workflow (#67645) · openclaw/openclaw@69d25f5 fix(gateway): capture config hash after plugin auto-enable to prevent… · openclaw/openclaw@8c11210 fix: repair sanitized replay tool results before send (#67620) (thank… · openclaw/openclaw@c3c7a99 fix: restrict HTML timeout short-circuit to transient statuses · openclaw/openclaw@de129a6 fix: keep TUI watchdog bound to active run (#67401) (thanks @xantorres) · openclaw/openclaw@3525273 Gateway/skills: dedupe skills prefix-match + drop dead fallback on log · openclaw/openclaw@d7f489f Extensions/lmstudio: back off inference preload after consecutive fai… · openclaw/openclaw@b555214 TUI/streaming: add watchdog that resets the activity indicator after … · openclaw/openclaw@f44ab20 Agents/tool-loop: enable unknown-tool stream guard by default · openclaw/openclaw@36ed367 Gateway/skills: invalidate session skills snapshot on config write · openclaw/openclaw@b23d59a fix: classify HTML provider error pages correctly (#67642) (thanks @s… · openclaw/openclaw@e588e90 fix(skills): remove unused model-usage import (#67641) · openclaw/openclaw@55f05df docs(changelog): credit codex fix superseded PRs · openclaw/openclaw@e485f24 fix(openai-codex): normalize stale transport metadata in resolution a… · openclaw/openclaw@90801ba CI: pin Docker-related GitHub Actions (#67632) · openclaw/openclaw@f697b01 Android: modernize WebView and discovery API usage (#67627) · openclaw/openclaw@44a6e50 fix(deps): bump hono to 4.12.14 and @hono/node-server to 1.19.14 (GHS… · openclaw/openclaw@fbccc18 fix(deps): bump dompurify to 3.4.0 (#67614) · openclaw/openclaw@2c2dc00 CI: add explicit permissions to all workflow jobs (fixes code-scannin… · openclaw/openclaw@01b7516 fix: register bundled TTS providers and route overrides correctly (#6… · openclaw/openclaw@6ea3cdd fix: align host tilde paths with OS home (#62804) (thanks @stainlu) · openclaw/openclaw@ecfaf64 fix: flush creds queue before reconnect socket open (#67464) (thanks … · openclaw/openclaw@405c63f fix: strip standalone <function> tool call tags from visible text (#6… · openclaw/openclaw@78df859 fix(agents): preserve cli session metadata before transcript persist … · openclaw/openclaw@898fd04 docs(changelog): move cli transcript entry · openclaw/openclaw@c1817c6 fix(agents): normalize cli transcript api field · openclaw/openclaw@3a3fae0 docs(changelog): note cli transcript persistence · openclaw/openclaw@6c343f1 fix(agents): persist cli transcript turns · openclaw/openclaw@b8ef507 fix(msteams): harden security-sensitive flows (#65841) · openclaw/openclaw@c56b56e [Dashboard] Fix exec approval modal overflow for long command content… · openclaw/openclaw@053c5b0 Docs: remove QA changelog entry · openclaw/openclaw@7fd5771 QA: fix private runtime source loading (#67428) · openclaw/openclaw@d5933af docs(gateway): correct protocol.md schema path, hello-ok example, aut… · openclaw/openclaw@489404d CI: pin Node 22 runners to 22.18.0 · openclaw/openclaw@4ffa621 models.authStatus: normalize provider ids + tighten env-backed escape… · openclaw/openclaw@f2fdb9d Update CHANGELOG.md · openclaw/openclaw@7694a92 test(parallels): clean up npm update guard jobs · openclaw/openclaw@045ea7b Plugins: prefer scanDir override paths · openclaw/openclaw@b2974da fix(dreaming): default storage.mode to "separate" so phase blocks sto… · openclaw/openclaw@8c392f0 fix(memory-core): skip dreaming transcript ingestion via session stor… · openclaw/openclaw@a1b01f0 fix: dedupe replayed exec.finished node events (#67281) · openclaw/openclaw@5dcf526
Clarify exec filesystem policy drift (#79153) · openclaw/openclaw@83aad86
joshavant · 2026-05-08 · via Recent Commits to openclaw:main
Original file line numberDiff line numberDiff line change

@@ -33,7 +33,7 @@ It also emits `security.trust_model.multi_user_heuristic` when config suggests l

3333

For intentional shared-user setups, the audit guidance is to sandbox all sessions, keep filesystem access workspace-scoped, and keep personal/private identities or credentials off that runtime.

3434

It also warns when small models (`<=300B`) are used without sandboxing and with web/browser tools enabled.

3535

For webhook ingress, it warns when `hooks.token` reuses the Gateway token, when `hooks.token` is short, when `hooks.path="/"`, when `hooks.defaultSessionKey` is unset, when `hooks.allowedAgentIds` is unrestricted, when request `sessionKey` overrides are enabled, and when overrides are enabled without `hooks.allowedSessionKeyPrefixes`.

36-

It also warns when sandbox Docker settings are configured while sandbox mode is off, when `gateway.nodes.denyCommands` uses ineffective pattern-like/unknown entries (exact node command-name matching only, not shell-text filtering), when `gateway.nodes.allowCommands` explicitly enables dangerous node commands, when global `tools.profile="minimal"` is overridden by agent tool profiles, when open groups expose runtime/filesystem tools without sandbox/workspace guards, and when installed plugin tools may be reachable under permissive tool policy.

36+

It also warns when sandbox Docker settings are configured while sandbox mode is off, when `gateway.nodes.denyCommands` uses ineffective pattern-like/unknown entries (exact node command-name matching only, not shell-text filtering), when `gateway.nodes.allowCommands` explicitly enables dangerous node commands, when global `tools.profile="minimal"` is overridden by agent tool profiles, when write/edit tools are disabled but `exec` is still available without a constraining sandbox filesystem boundary, when open groups expose runtime/filesystem tools without sandbox/workspace guards, and when installed plugin tools may be reachable under permissive tool policy.

3737

It also flags `gateway.allowRealIpFallback=true` (header-spoofing risk if proxies are misconfigured) and `discovery.mdns.mode="full"` (metadata leakage via mDNS TXT records).

3838

It also warns when sandbox browser uses Docker `bridge` network without `sandbox.browser.cdpSourceRange`.

3939

It also flags dangerous sandbox Docker network modes (including `host` and `container:*` namespace joins).

Original file line numberDiff line numberDiff line change

@@ -64,6 +64,7 @@ Rules of thumb:

6464

- `deny` always wins.

6565

- If `allow` is non-empty, everything else is treated as blocked.

6666

- Tool policy is the hard stop: `/exec` cannot override a denied `exec` tool.

67+

- Tool policy filters tool availability by name; it does not inspect side effects inside `exec`. If `exec` is allowed, denying `write`, `edit`, or `apply_patch` does not make shell commands read-only.

6768

- `/exec` only changes session defaults for authorized senders; it does not grant tool access.

6869

Provider tool keys accept either `provider` (e.g. `google-antigravity`) or `provider/model` (e.g. `openai/gpt-5.4`).

6970

@@ -88,6 +89,7 @@ Available groups:

8889

- `group:runtime`: `exec`, `process`, `code_execution` (`bash` is accepted as

8990

an alias for `exec`)

9091

- `group:fs`: `read`, `write`, `edit`, `apply_patch`

92+

For read-only agents, deny `group:runtime` as well as mutating filesystem tools unless sandbox filesystem policy or a separate host boundary enforces the read-only constraint.

9193

- `group:sessions`: `sessions_list`, `sessions_history`, `sessions_send`, `sessions_spawn`, `sessions_yield`, `subagents`, `session_status`

9294

- `group:memory`: `memory_search`, `memory_get`

9395

- `group:web`: `web_search`, `x_search`, `web_fetch`

Original file line numberDiff line numberDiff line change

@@ -91,6 +91,7 @@ exhaustive):

9191

| `tools.exec.host_sandbox_no_sandbox_defaults` | warn | `exec host=sandbox` fails closed when sandbox is off | `tools.exec.host`, `agents.defaults.sandbox.mode` | no |

9292

| `tools.exec.host_sandbox_no_sandbox_agents` | warn | Per-agent `exec host=sandbox` fails closed when sandbox is off | `agents.list[].tools.exec.host`, `agents.list[].sandbox.mode` | no |

9393

| `tools.exec.security_full_configured` | warn/critical | Host exec is running with `security="full"` | `tools.exec.security`, `agents.list[].tools.exec.security` | no |

94+

| `tools.exec.fs_tools_disabled_but_exec_enabled` | warn | Filesystem tool policy does not make shell execution read-only | `tools.deny`, `agents.list[].tools.deny`, `agents.*.sandbox.workspaceAccess` | no |

9495

| `tools.exec.auto_allow_skills_enabled` | warn | Exec approvals trust skill bins implicitly | `~/.openclaw/exec-approvals.json` | no |

9596

| `tools.exec.allowlist_interpreter_without_strict_inline_eval` | warn | Interpreter allowlists permit inline eval without forced reapproval | `tools.exec.strictInlineEval`, `agents.list[].tools.exec.strictInlineEval`, exec approvals allowlist | no |

9697

| `tools.exec.safe_bins_interpreter_unprofiled` | warn | Interpreter/runtime bins in `safeBins` without explicit profiles broaden exec risk | `tools.exec.safeBins`, `tools.exec.safeBinProfiles`, `agents.list[].tools.exec.*` | no |

Original file line numberDiff line numberDiff line change

@@ -220,6 +220,7 @@ Advisory triage guidance:

220220
221221

- **Inbound access** (DM policies, group policies, allowlists): can strangers trigger the bot?

222222

- **Tool blast radius** (elevated tools + open rooms): could prompt injection turn into shell/file/network actions?

223+

- **Exec filesystem drift**: are mutating filesystem tools denied while `exec`/`process` remain available without sandbox filesystem constraints?

223224

- **Exec approval drift** (`security=full`, `autoAllowSkills`, interpreter allowlists without `strictInlineEval`): are host-exec guardrails still doing what you think they are?

224225

- `security="full"` is a broad posture warning, not proof of a bug. It is the chosen default for trusted personal-assistant setups; tighten it only when your threat model needs approval or allowlist guardrails.

225226

- **Network exposure** (Gateway bind/auth, Tailscale Serve/Funnel, weak/short auth tokens).

Original file line numberDiff line numberDiff line change

@@ -97,6 +97,7 @@ If a tool is not allowed by policy, the endpoint returns **404**.

9797

Important boundary notes:

9898
9999

- Exec approvals are operator guardrails, not a separate authorization boundary for this HTTP endpoint. If a tool is reachable here via Gateway auth + tool policy, `/tools/invoke` does not add an extra per-call approval prompt.

100+

- If `exec` is reachable here, treat it as a mutating shell surface. Denying `write`, `edit`, `apply_patch`, or HTTP filesystem-write tools does not make shell execution read-only.

100101

- Do not share Gateway bearer credentials with untrusted callers. If you need separation across trust boundaries, run separate gateways (and ideally separate OS users/hosts).

101102
102103

Gateway HTTP also applies a hard deny list by default (even if session policy allows the tool):

Original file line numberDiff line numberDiff line change

@@ -56,7 +56,8 @@ Exec approvals are enforced locally on the execution host:

5656
5757

- Gateway-authenticated callers are trusted operators for that Gateway.

5858

- Paired nodes extend that trusted operator capability onto the node host.

59-

- Exec approvals reduce accidental execution risk, but are **not** a per-user auth boundary.

59+

- Exec approvals reduce accidental execution risk, but are **not** a per-user auth boundary or filesystem read-only policy.

60+

- Once approved, a command can mutate files according to the selected host or sandbox filesystem permissions.

6061

- Approved node-host runs bind canonical execution context: canonical cwd, exact argv, env binding when present, and pinned executable path when applicable.

6162

- For shell scripts and direct interpreter/runtime file invocations, OpenClaw also tries to bind one concrete local file operand. If that bound file changes after approval but before execution, the run is denied instead of executing drifted content.

6263

- File binding is intentionally best-effort, **not** a complete semantic model of every interpreter/runtime loader path. If approval mode cannot identify exactly one concrete local file to bind, it refuses to mint an approval-backed run instead of pretending full coverage.

Original file line numberDiff line numberDiff line change

@@ -6,8 +6,9 @@ read_when:

66

title: "Exec tool"

77

---

88
9-

Run shell commands in the workspace. Supports foreground + background execution via `process`.

10-

If `process` is disallowed, `exec` runs synchronously and ignores `yieldMs`/`background`.

9+

Run shell commands in the workspace. `exec` is a mutating shell surface: commands can create, edit, or delete files wherever the selected host or sandbox filesystem permits. Disabling OpenClaw filesystem tools such as `write`, `edit`, or `apply_patch` does not make `exec` read-only.

10+
11+

Supports foreground + background execution via `process`. If `process` is disallowed, `exec` runs synchronously and ignores `yieldMs`/`background`.

1112

Background sessions are scoped per agent; `process` only sees sessions from the same agent.

1213
1314

## Parameters

Original file line numberDiff line numberDiff line change

@@ -300,7 +300,7 @@ Legacy `agent.*` configs are migrated by `openclaw doctor`; prefer `agents.defau

300300

}

301301

```

302302

</Tab>

303-

<Tab title="Safe execution (no file modifications)">

303+

<Tab title="Shell execution with filesystem tools disabled">

304304

```json

305305

{

306306

"tools": {

@@ -309,6 +309,11 @@ Legacy `agent.*` configs are migrated by `openclaw doctor`; prefer `agents.defau

309309

}

310310

}

311311

```

312+
313+

<Warning>

314+

This policy disables OpenClaw filesystem tools, but `exec` is still a shell and can write files wherever the selected host or sandbox filesystem allows. For a read-only agent, deny `exec` and `process`, or combine shell access with sandbox filesystem controls such as `agents.defaults.sandbox.workspaceAccess: "ro"` or `"none"`.

315+

</Warning>

316+
312317

</Tab>

313318

<Tab title="Communication-only">

314319

```json

Original file line numberDiff line numberDiff line change

@@ -271,6 +271,43 @@ describe("noteSecurityWarnings gateway exposure", () => {

271271

expect(message).toContain("openclaw approvals get --gateway");

272272

});

273273
274+

it("warns when filesystem tools are disabled but exec remains available", async () => {

275+

await noteSecurityWarnings({

276+

tools: {

277+

allow: ["read", "exec", "process"],

278+

deny: ["write", "edit", "apply_patch"],

279+

},

280+

} as OpenClawConfig);

281+
282+

const message = lastMessage();

283+

expect(message).toContain("filesystem write tools are disabled, but exec is still available");

284+

expect(message).toContain("Runtime tools: exec, process");

285+

expect(message).toContain('sandbox.mode="off"');

286+

expect(message).toContain("also deny exec/process");

287+

});

288+
289+

it("does not warn about exec filesystem policy when sandbox access is read-only", async () => {

290+

await noteSecurityWarnings({

291+

agents: {

292+

defaults: {

293+

sandbox: {

294+

mode: "all",

295+

workspaceAccess: "ro",

296+

},

297+

},

298+

},

299+

tools: {

300+

allow: ["read", "exec", "process"],

301+

deny: ["write", "edit", "apply_patch"],

302+

},

303+

} as OpenClawConfig);

304+
305+

const message = lastMessage();

306+

expect(message).not.toContain(

307+

"filesystem write tools are disabled, but exec is still available",

308+

);

309+

});

310+
274311

it("warns when tools.exec is broader than host exec defaults", async () => {

275312

await withExecApprovalsFile(

276313

{

Original file line numberDiff line numberDiff line change

@@ -10,6 +10,7 @@ import { isLoopbackHost, resolveGatewayBindHost } from "../gateway/net.js";

1010

import { resolveExecPolicyScopeSnapshot } from "../infra/exec-approvals-effective.js";

1111

import { loadExecApprovals, type ExecAsk, type ExecSecurity } from "../infra/exec-approvals.js";

1212

import { resolveDmAllowState } from "../security/dm-policy-shared.js";

13+

import { collectExecFilesystemPolicyDriftHits } from "../security/exec-filesystem-policy.js";

1314

import { normalizeOptionalString } from "../shared/string-coerce.js";

1415

import { note } from "../terminal/note.js";

1516

import { resolveDefaultChannelAccountContext } from "./channel-account-context.js";

@@ -165,6 +166,18 @@ function collectDurableExecApprovalWarnings(cfg: OpenClawConfig): string[] {

165166

return [];

166167

}

167168
169+

function collectExecFilesystemPolicyWarnings(cfg: OpenClawConfig): string[] {

170+

return collectExecFilesystemPolicyDriftHits(cfg).map((hit) =>

171+

[

172+

`- ${hit.scopeLabel}: filesystem write tools are disabled, but exec is still available.`,

173+

` Runtime tools: ${hit.runtimeTools.join(", ")}; disabled filesystem tools: ${hit.disabledFilesystemTools.join(", ")}.`,

174+

` Effective exec host is "${hit.execHost}" with sandbox.mode="${hit.sandboxMode}" and workspaceAccess="${hit.sandboxWorkspaceAccess}".`,

175+

" The exec shell can still write wherever that host or sandbox filesystem permits.",

176+

' For read-only agents, also deny exec/process; otherwise use sandbox mode "all" with workspaceAccess "ro" or "none".',

177+

].join("\n"),

178+

);

179+

}

180+
168181

export async function noteSecurityWarnings(cfg: OpenClawConfig) {

169182

const warnings: string[] = [];

170183

const auditHint = `- Run: ${formatCliCommand("openclaw security audit --deep")}`;

@@ -179,6 +192,7 @@ export async function noteSecurityWarnings(cfg: OpenClawConfig) {

179192
180193

warnings.push(...collectImplicitHeartbeatDirectPolicyWarnings(cfg));

181194

warnings.push(...collectExecPolicyConflictWarnings(cfg));

195+

warnings.push(...collectExecFilesystemPolicyWarnings(cfg));

182196

warnings.push(...collectDurableExecApprovalWarnings(cfg));

183197
184198

// ===========================================