From f493bb4be2b5ef130c2c2209056fa62084a49399 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=A9=E6=B5=B7=20=E5=8E=9F?= <thaddeusjiang@gmail.com>
Date: Fri, 12 Jun 2026 00:12:08 +0900
Subject: [PATCH 1/2] =?UTF-8?q?fix(storage):=20=E4=BC=98=E5=8C=96=E5=9B=BE?=
 =?UTF-8?q?=E7=89=87=E5=AD=98=E5=82=A8=E5=8A=A0=E9=80=9F=E4=B8=8E=E9=83=A8?=
 =?UTF-8?q?=E7=BD=B2=E4=BB=A3=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Dockerfile                                    |   5 +-
 assets/vendor/heroicons.js                    |  13 +-
 config/config.exs                             |   9 +-
 config/nginx/dev.conf                         |  35 +++++
 config/nginx/prod.conf                        |  50 +++++++
 config/runtime.exs                            |   2 +-
 docker-compose.yml                            |  17 ++-
 docs/guides/deployment/docker.md              |  26 +++-
 docs/guides/development/setup.md              |  12 +-
 docs/guides/self-hosting/zeabur/README.md     |   5 +
 docs/guides/self-hosting/zeabur/vmemo.yml     |   6 +
 lib/vmemo_web/controllers/file_controller.ex  |  65 +++++----
 lib/vmemo_web/router.ex                       |   7 +-
 others/e2e-test/global-setup.ts               |  15 +-
 .../e2e-test/tests/photos-index-page.spec.ts  |  16 +-
 .../photos-index-page-macbook-13-darwin.png   | Bin 11361 -> 9183 bytes
 rel/entrypoint.sh                             |   5 +
 .../controllers/file_controller_test.exs      | 137 ++++++++++++++----
 18 files changed, 352 insertions(+), 73 deletions(-)
 create mode 100644 config/nginx/dev.conf
 create mode 100644 config/nginx/prod.conf

diff --git a/Dockerfile b/Dockerfile
index 432ea425..89e77d7f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,7 @@ RUN mix release
 FROM base AS runner
 
 RUN apt-get update -y && \
-  apt-get install -y libstdc++6 openssl libncurses6 libtinfo6 locales ca-certificates imagemagick && \
+  apt-get install -y libstdc++6 openssl libncurses6 libtinfo6 locales ca-certificates imagemagick nginx && \
   apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Set the locale
@@ -41,10 +41,13 @@ ENV LC_ALL=en_US.UTF-8
 WORKDIR /app
 COPY --from=builder /app/_build/prod/rel/vmemo /app
 
+COPY config/nginx/prod.conf /etc/nginx/nginx.conf
 COPY rel/entrypoint.sh /usr/local/bin/entrypoint.sh
 RUN chmod +x /usr/local/bin/entrypoint.sh
 
 ENV HOME=/app
+ENV VMEMO_ENABLE_NGINX=true
+ENV PHX_PORT=4001
 
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 CMD ["start"]
diff --git a/assets/vendor/heroicons.js b/assets/vendor/heroicons.js
index 296f80e4..fae6cb7a 100644
--- a/assets/vendor/heroicons.js
+++ b/assets/vendor/heroicons.js
@@ -2,8 +2,19 @@ const plugin = require("tailwindcss/plugin")
 const fs = require("fs")
 const path = require("path")
 
+function resolveDepsRoot() {
+  let envDepsRoot = process.env.MIX_DEPS_PATH && path.resolve(process.env.MIX_DEPS_PATH)
+  let localDepsRoot = path.join(__dirname, "../../deps")
+
+  if (envDepsRoot && fs.existsSync(path.join(envDepsRoot, "heroicons"))) {
+    return envDepsRoot
+  }
+
+  return localDepsRoot
+}
+
 module.exports = plugin(function({matchComponents, theme}) {
-  let iconsDir = path.join(__dirname, "../../deps/heroicons/optimized")
+  let iconsDir = path.join(resolveDepsRoot(), "heroicons/optimized")
   let values = {}
   let icons = [
     ["", "/24/outline"],
diff --git a/config/config.exs b/config/config.exs
index 4003bc9b..4ffc70b6 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -90,6 +90,13 @@ config :vmemo, VmemoWeb.Endpoint,
 # at the `config/runtime.exs`.
 config :vmemo, Vmemo.Mailer, adapter: Swoosh.Adapters.Local
 
+deps_path =
+  case System.get_env("MIX_DEPS_PATH") do
+    nil -> Path.expand("../deps", __DIR__)
+    "" -> Path.expand("../deps", __DIR__)
+    path -> Path.expand(path)
+  end
+
 # Configure esbuild (the version is required)
 config :esbuild,
   version: "0.17.11",
@@ -97,7 +104,7 @@ config :esbuild,
     args:
       ~w(js/app.js --bundle --target=es2017 --outdir=../priv/static/assets --external:/fonts/* --external:/images/*),
     cd: Path.expand("../assets", __DIR__),
-    env: %{"NODE_PATH" => Path.expand("../deps", __DIR__)}
+    env: %{"NODE_PATH" => deps_path}
   ]
 
 # Configure tailwind (the version is required)
diff --git a/config/nginx/dev.conf b/config/nginx/dev.conf
new file mode 100644
index 00000000..f52f7d52
--- /dev/null
+++ b/config/nginx/dev.conf
@@ -0,0 +1,35 @@
+events {}
+
+http {
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    "" close;
+  }
+
+  server {
+    listen 80;
+    server_name localhost;
+    client_max_body_size 50m;
+
+    location /storage/v1/_internal/ {
+      internal;
+      alias /app/storage/v1/;
+    }
+
+    location / {
+      proxy_pass http://host.docker.internal:4000;
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Port $server_port;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+    }
+  }
+}
diff --git a/config/nginx/prod.conf b/config/nginx/prod.conf
new file mode 100644
index 00000000..1178e718
--- /dev/null
+++ b/config/nginx/prod.conf
@@ -0,0 +1,50 @@
+events {}
+
+http {
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    "" close;
+  }
+
+  map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+    default $http_x_forwarded_proto;
+    "" $scheme;
+  }
+
+  map $http_x_forwarded_host $proxy_x_forwarded_host {
+    default $http_x_forwarded_host;
+    "" $host;
+  }
+
+  map $http_x_forwarded_port $proxy_x_forwarded_port {
+    default $http_x_forwarded_port;
+    "" $server_port;
+  }
+
+  server {
+    listen 4000;
+    server_name _;
+    client_max_body_size 50m;
+
+    location /storage/v1/_internal/ {
+      internal;
+      alias /app/storage/v1/;
+    }
+
+    location / {
+      proxy_pass http://127.0.0.1:4001;
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
+      proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+      proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+    }
+  }
+}
diff --git a/config/runtime.exs b/config/runtime.exs
index 25c308ed..af2f4699 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -165,7 +165,7 @@ if config_env() == :prod do
     root_source_code_paths: [File.cwd!()]
 
   host = System.get_env("PHX_HOST") || "vmemo.app"
-  port = String.to_integer(System.get_env("PORT") || "4000")
+  port = String.to_integer(System.get_env("PHX_PORT") || System.get_env("PORT") || "4000")
 
   config :vmemo, VmemoWeb.Endpoint,
     url: [host: host, port: 443, scheme: "https"],
diff --git a/docker-compose.yml b/docker-compose.yml
index 8776ea02..e882c0a7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,21 @@
-# Default `docker compose up` starts postgres + typesense only.
+# Default `docker compose up` starts local dependency services.
+# Use `docker compose --profile proxy up -d` to add the local Nginx proxy.
 # For test DB/search: `docker compose --profile test up` (or `COMPOSE_PROFILES=test`).
 services:
+  nginx:
+    profiles:
+      - proxy
+    image: nginx:1.27.5-alpine
+    hostname: nginx
+    restart: on-failure
+    ports:
+      - "4080:80"
+    volumes:
+      - ./config/nginx/dev.conf:/etc/nginx/nginx.conf:ro
+      - ./storage/v1:/app/storage/v1:ro
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+
   postgres:
     image: postgres:18
     hostname: postgres
diff --git a/docs/guides/deployment/docker.md b/docs/guides/deployment/docker.md
index 1ca4b487..7bf8f076 100644
--- a/docs/guides/deployment/docker.md
+++ b/docs/guides/deployment/docker.md
@@ -48,7 +48,8 @@ docker run --rm -p 4000:4000 \
 Release startup behavior:
 
 1. `bin/vmemo eval "Vmemo.Release.migrate()"`
-2. `bin/vmemo start`
+2. Start Nginx when `VMEMO_ENABLE_NGINX=true`
+3. `bin/vmemo start`
 
 Remote IEx:
 
@@ -93,6 +94,7 @@ docker manifest inspect thaddeusjiang/vmemo:latest >/dev/null && echo ok
 - `rel/entrypoint.sh` exists and is executable.
 - Entrypoint runs `bin/vmemo eval "Vmemo.Release.migrate()"`.
 - Dockerfile runner starts via `ENTRYPOINT + CMD ["start"]`.
+- Dockerfile runner starts Nginx before Phoenix when `VMEMO_ENABLE_NGINX=true`.
 - Dockerfile runner includes ImageMagick (`magick`) for AI vision request preprocessing.
 
 ### Required Environment Variables
@@ -109,6 +111,28 @@ docker manifest inspect thaddeusjiang/vmemo:latest >/dev/null && echo ok
 
 Optional: `MOONDREAM_URL`, `OPENROUTER_VISION_MODEL`, `SENTRY_ENV`
 
+Storage acceleration:
+
+- Browser-facing storage URLs stay under `/storage/v1`.
+- Phoenix performs the lightweight owner check, then returns `X-Accel-Redirect`
+  under `/storage/v1/_internal`.
+- Nginx sends the file bytes from the app's `storage/v1` directory. The production
+  Docker image enables this by default: Nginx listens on `4000`, while Phoenix
+  listens internally on `PHX_PORT=4001`.
+
+Example Nginx location:
+
+```nginx
+location /storage/v1/_internal/ {
+  internal;
+  alias /app/storage/v1/;
+}
+```
+
+Keep `/storage/v1/_internal/` internal-only. Browser-facing requests should continue to use
+`/storage/v1/:user_id/images/:filename` and `/storage/v1/:user_id/avatars/:filename`
+so they pass through Phoenix authorization before Nginx serves the file bytes.
+
 ### Troubleshooting
 
 Migration failure:
diff --git a/docs/guides/development/setup.md b/docs/guides/development/setup.md
index 9eabb85a..a84ada2a 100644
--- a/docs/guides/development/setup.md
+++ b/docs/guides/development/setup.md
@@ -19,11 +19,21 @@ From repository root:
 
 ```bash
 mise trust && mise install
-docker compose up -d
+docker compose --profile proxy up -d
 mix setup
 iex -S mix phx.server
 ```
 
+Open the app through the local reverse proxy:
+
+```text
+http://localhost:4080
+```
+
+Phoenix still runs on `http://localhost:4000`, but storage image responses use
+`X-Accel-Redirect`. Use the Nginx proxy on port `4080` when validating image
+loading performance or `/storage/v1` image URLs locally.
+
 Test dependencies:
 
 ```bash
diff --git a/docs/guides/self-hosting/zeabur/README.md b/docs/guides/self-hosting/zeabur/README.md
index 3a8ad000..28562ad6 100644
--- a/docs/guides/self-hosting/zeabur/README.md
+++ b/docs/guides/self-hosting/zeabur/README.md
@@ -15,3 +15,8 @@ SENTRY_DSN= # optional
 RESEND_API_KEY= # optional
 OPENROUTER_API_KEY= # optional
 ```
+
+The template exposes the Vmemo service on port `4000`. The production image starts
+Nginx on that public port and runs Phoenix internally on `4001`, so `/storage/v1`
+image requests keep the normal browser URL while Nginx handles the internal
+`X-Accel-Redirect` file response.
diff --git a/docs/guides/self-hosting/zeabur/vmemo.yml b/docs/guides/self-hosting/zeabur/vmemo.yml
index 9e2d28b8..561e7181 100644
--- a/docs/guides/self-hosting/zeabur/vmemo.yml
+++ b/docs/guides/self-hosting/zeabur/vmemo.yml
@@ -50,6 +50,12 @@ spec:
           PHX_SERVER:
             default: "true"
             expose: false
+          PHX_PORT:
+            default: "4001"
+            expose: false
+          VMEMO_ENABLE_NGINX:
+            default: "true"
+            expose: false
           SECRET_KEY_BASE:
             default: ${TYPESENSE_SERVICE_API_KEY}_${TYPESENSE_SERVICE_API_KEY}
             expose: false
diff --git a/lib/vmemo_web/controllers/file_controller.ex b/lib/vmemo_web/controllers/file_controller.ex
index 536330b0..2cb464be 100644
--- a/lib/vmemo_web/controllers/file_controller.ex
+++ b/lib/vmemo_web/controllers/file_controller.ex
@@ -2,6 +2,7 @@ defmodule VmemoWeb.FileController do
   use VmemoWeb, :controller
 
   @storage_root Path.expand("storage/v1")
+  @storage_accel_redirect_prefix "/storage/v1/_internal"
   @allowed_mime_types %{
     ".png" => "image/png",
     ".jpg" => "image/jpeg",
@@ -14,6 +15,7 @@ defmodule VmemoWeb.FileController do
 
   def show(conn, %{"user_id" => user_id, "filename" => filename}) do
     with {:ok, safe_user_id} <- normalize_user_id(user_id),
+         :ok <- authorize_storage_user(conn, safe_user_id),
          {:ok, safe_filename} <- normalize_filename(filename),
          {:ok, file_path} <- image_path(safe_user_id, safe_filename),
          {:ok, resolved_path} <- resolve_image_path(file_path) do
@@ -25,6 +27,7 @@ defmodule VmemoWeb.FileController do
 
   def show_avatar(conn, %{"user_id" => user_id, "filename" => filename}) do
     with {:ok, safe_user_id} <- normalize_user_id(user_id),
+         :ok <- authorize_storage_user(conn, safe_user_id),
          {:ok, safe_filename} <- normalize_filename(filename),
          {:ok, file_path} <- avatar_path(safe_user_id, safe_filename) do
       if File.exists?(file_path) do
@@ -39,19 +42,12 @@ defmodule VmemoWeb.FileController do
 
   defp send_storage_file(conn, file_path) do
     with {:ok, stat} <- File.stat(file_path),
-         {:ok, file_bin} <- read_file_binary(file_path, stat.size),
          etag <- build_etag(file_path, stat),
          last_modified <- build_last_modified(stat),
          false <- fresh?(conn, etag, stat) do
-      conn =
-        conn
-        |> put_resp_header("content-type", detect_safe_mime(file_path))
-        |> put_resp_header("content-disposition", "inline")
-        |> put_resp_header("cache-control", "public, max-age=31536000, immutable")
-        |> put_resp_header("etag", etag)
-        |> put_resp_header("last-modified", last_modified)
-
-      send_resp(conn, 200, file_bin)
+      conn
+      |> put_storage_headers(file_path, etag, last_modified)
+      |> send_storage_body(file_path)
     else
       true ->
         conn
@@ -67,6 +63,36 @@ defmodule VmemoWeb.FileController do
     end
   end
 
+  defp authorize_storage_user(conn, user_id) do
+    case conn.assigns[:current_user] do
+      %{id: ^user_id} -> :ok
+      %{id: current_user_id} when is_binary(current_user_id) -> :error
+      _ -> :error
+    end
+  end
+
+  defp put_storage_headers(conn, file_path, etag, last_modified) do
+    conn
+    |> put_resp_header("content-type", detect_safe_mime(file_path))
+    |> put_resp_header("content-disposition", "inline")
+    |> put_resp_header("cache-control", "public, max-age=31536000, immutable")
+    |> put_resp_header("etag", etag)
+    |> put_resp_header("last-modified", last_modified)
+  end
+
+  defp send_storage_body(conn, file_path) do
+    conn
+    |> put_resp_header("x-accel-redirect", storage_accel_redirect_path(file_path))
+    |> send_resp(200, "")
+  end
+
+  defp storage_accel_redirect_path(file_path) do
+    file_path
+    |> Path.expand()
+    |> Path.relative_to(@storage_root)
+    |> then(&Path.join(@storage_accel_redirect_prefix, &1))
+  end
+
   defp fresh?(conn, etag, stat) do
     if_none_match_present? = get_req_header(conn, "if-none-match") != []
 
@@ -212,23 +238,4 @@ defmodule VmemoWeb.FileController do
     extension = Path.extname(file_path) |> String.downcase()
     Map.get(@allowed_mime_types, extension, "application/octet-stream")
   end
-
-  defp read_file_binary(file_path, size)
-       when is_binary(file_path) and is_integer(size) and size >= 0 do
-    case :file.open(String.to_charlist(file_path), [:read, :binary]) do
-      {:ok, io} ->
-        try do
-          case :file.read(io, size) do
-            {:ok, data} -> {:ok, data}
-            :eof -> {:ok, <<>>}
-            {:error, _} = error -> error
-          end
-        after
-          :file.close(io)
-        end
-
-      {:error, _} = error ->
-        error
-    end
-  end
 end
diff --git a/lib/vmemo_web/router.ex b/lib/vmemo_web/router.ex
index 722f8ac5..961497b7 100644
--- a/lib/vmemo_web/router.ex
+++ b/lib/vmemo_web/router.ex
@@ -28,6 +28,11 @@ defmodule VmemoWeb.Router do
     plug VmemoWeb.ApiAuth
   end
 
+  pipeline :storage do
+    plug :fetch_session
+    plug :fetch_current_user
+  end
+
   # MCP pipeline - optional authentication for MCP server
   # Allows unauthenticated access for public tools, but sets actor if API token is provided
   # Only supports StreamableHttp (POST requests), not SSE (GET requests)
@@ -160,7 +165,7 @@ defmodule VmemoWeb.Router do
   end
 
   scope "/storage/v1/", VmemoWeb do
-    pipe_through :browser
+    pipe_through :storage
 
     get "/:user_id/images/:filename", FileController, :show
     get "/:user_id/avatars/:filename", FileController, :show_avatar
diff --git a/others/e2e-test/global-setup.ts b/others/e2e-test/global-setup.ts
index 9dc6a716..1a8b8318 100644
--- a/others/e2e-test/global-setup.ts
+++ b/others/e2e-test/global-setup.ts
@@ -20,11 +20,16 @@ export default async function globalSetup(config: FullConfig) {
       try {
         await page.goto("/login", { waitUntil: "domcontentloaded" });
 
-        const loginButton = page.getByRole("button", { name: /Login/i });
-        await expect(loginButton).toBeVisible({ timeout: 10_000 });
-        await page.getByLabel("Email").fill(email);
-        await page.getByLabel("Password").fill(password);
-        await loginButton.click();
+        const csrfToken = await page.locator('input[name="_csrf_token"]').inputValue();
+        await page.request.post("/login", {
+          form: {
+            _csrf_token: csrfToken,
+            "user[email]": email,
+            "user[password]": password,
+            "user[remember_me]": "false",
+          },
+        });
+        await page.goto("/home", { waitUntil: "domcontentloaded" });
         await expect(page).toHaveURL(/\/home/, { timeout: 10_000 });
         lastError = undefined;
         break;
diff --git a/others/e2e-test/tests/photos-index-page.spec.ts b/others/e2e-test/tests/photos-index-page.spec.ts
index ed6bb33a..05fba532 100644
--- a/others/e2e-test/tests/photos-index-page.spec.ts
+++ b/others/e2e-test/tests/photos-index-page.spec.ts
@@ -1,7 +1,19 @@
-import { test } from "@playwright/test";
+import { expect, test } from "@playwright/test";
 import { expectVisual, gotoAndAssertAttached } from "./visual-helpers.js";
 
 test("photos index page visual snapshot", async ({ page }) => {
   await gotoAndAssertAttached(page, "/images", page.locator("#infinite-scroll"));
-  await expectVisual(page, "photos-index-page", [page.locator("#waterfall-images")]);
+  const firstImage = page.locator("#waterfall-images img").first();
+
+  await expect(firstImage).toBeVisible({ timeout: 20_000 });
+  await expect
+    .poll(() =>
+      firstImage.evaluate((image) => (image as HTMLImageElement).naturalWidth),
+    )
+    .toBeGreaterThan(0);
+
+  await expectVisual(page, "photos-index-page", [
+    page.locator(".page-shell"),
+    page.getByLabel("Notifications"),
+  ]);
 });
diff --git a/others/e2e-test/tests/photos-index-page.spec.ts-snapshots/photos-index-page-macbook-13-darwin.png b/others/e2e-test/tests/photos-index-page.spec.ts-snapshots/photos-index-page-macbook-13-darwin.png
index 54075f20d086aac4e7b386868c999ad988de2d92..f65368daf00a7cac41ba130a3afaad60fe738d73 100644
GIT binary patch
literal 9183
zcmeHN`CC)hx{jitMWohNL?&Ag(mn{N2*?m(wL%pE1(}EFp^PD5nF3)5)>dl)(IP?0
zkhUB|0tqrDgaE+-Q6hs3VF*bWWK2j1AwUw6+!cE7zi@uI55FXPuV?QyyzBkm@BP-Z
z?_YIu*81egClClk>(ck%c|ah$!KK>KJv+glNa|Y+fqV+N^xe1DlZ$z*l!qmuf6WPP
zzBIjb<@|Zy-}n6VpU)qDjXtpJt51LU;!K_3VByP~*RTP1G@U-LQrCBR`g0cgqWbNd
zlsb)<Pj!g3zWX9lrY|1;4RU_hC0@c>f}N)5q37Dtf}34Mp4)tnK=jQbVZDWUdtg%p
z?Tu%X-90@$RkMM1+6!7d6N7Q8S&|aU3wNJXwZ2i$mXnIV%G?2g%<I|((2x&w+Clp&
zqy*1tG(54@&bQ_feUN)@fOgW?Tzu$`eGtgG^+us3E+A>|R_iW<;n>h!har&6m@362
zN6d&d-g>jNnUrC=^|(!gP|VDrLewFUKP&LG|7}Hi&Mn7QEDi_#sTx1Hxg~?OOB3``
z8l|>K{;VAgm|!I4$nd4{%;*DKx0-sEl9X04*G6@>dRWg|M42g9^*Yf?evyacR&y>x
z)F6<)W6>kKB5huP4Y&dIuJ*0{;oa}$E(JsdwXSxZgKQNu?r3Q92PzPM*Hzuc*eClj
zQmw44yr6y(JzncNd*%Y}REU#A?>ZQSbw#;DUe*2Yl!29~GJ=0&lyIuUINb%A-(_(2
z)`WKe(krU!1R|BbRu@Q$_KTdZ`?2pxW2;_t>yE(QoEkeKCrb114s)aQ$PJ>D0hW2x
zFLEqJG^=&^<c+~+*APq9*c{_*@@QC5zNt?S4u+Y0`AcZ)U|gea;`sX|E_wdcvG$ra
z>7q@WFo$kVjqZi6SBoAOT80NF4te<mr_8w7FI@-Swm73-@3|HE>h9gUr~B>WKE7>B
zmtoDiySv??;z0|Hgzi@#mfwYpj^+(j4KGi=x~HW_0{!VHjoidZ2P>kSiN3Xe>j&1Q
zsJ*$(E!=EjGXuT2U$gP|6zUr<G>lr-*{QIVN4bMW?I>2_Fm!!9zVBO&lK39mF91f|
ztBa_fVq4>wd;4@fg3W!OPu$gu`TCNV`p-;#3FC-G%ks;H$N_b2!_8kT(k6NJy@qxP
z5rm&@e$g`hxW-KFkIkeH?={ZMwOf2P#wjzLiCuepELR`1Db%yoH2_-}k{~)TF{VFz
zt;{L^%kk6LRM`?)$qR>>1}r+rUus$uJEX*k7QK|BM$Wi+P2{Z2Ozdj9uSUX?@7XAZ
zX<X?-tSkh*>G~YZwVA@#Z>M9;5D^h08L}nW>Oy_8a4O59ZDTYXw>0<#zeUu;N@6Yz
zVq~1$^*;ibaWCI$!>OIM;$o(;2sdmmp@eoI^8n=M^M!2N_}OfI+qyvkqNX)zEV3ez
zl#%tJ%(-A@pi0l5<iOatJan=7c?SJ*?!F1I1M*32j4#(`ca=|#IW;(?obDI{=x#PN
zPKj4hV27Ie8Efl|8B@4Kgi{74vh`wHu3?R$q`lYpdtaf5jKRdlAMLzo2o^i6yhwc+
zu2?A$qzh6t51ojhaY@V=W<1~r3&nY*4NH@(C}Y!TEe^crueylPwUOxu_WTG8za>S~
z70N+#2|x&rGN(GSQrG#=AKpIn!0QAheBjp5f{_p5@<pFe+fd$ZnT6qMTYjr{dN@;%
zW8dO`Fv10UqSCqm9p;G|;6QL`EALdpm7v%u?@x6$jEaT1m`%wXu7==VWR0A9ecy~~
zn6WW=Dew3YV;$hTFi=6ZB?m5NTlSn?_)lI;^TJawjT`mzrL-O9$H>fBS~{mKJ+^7`
zF2IvCc6H_xG8@fp`f++JIyNSz)H1y1$*B+qni1Bt?v*RiTHdV_xJ-ym=k{IDM$)Rp
zoz0>idotT9i8q232ccMvatcn)3$M6R7{^YT^8&m7;*fdZ*&FSd{Y24hx9N^R<j<!w
z)1(U(oHS8)`7@VQ?4ys&7%Jhfzy5;LGUT%L8f8pBcj#NoVNV)#;neqLT_@$JHc<&o
zA<Qig$%T@Zays~JGCqJUV{=1Tj?>UOvK5WP&69hUi(=bs|NZ*c&z^DQe3XlmSI|<^
z^aInfTzY|pg>ehm4-)K#no}m1#_^(~i-HXAT(5caMq(rz>7;jM>$>M2vBHyT(|$d8
zTtBdFE_vd%3`8K*6c8q<IRH}Q--zF}JW?B?W9Fam_RD+Gn=Jg8X$U<Rrr3D+<%P@U
zOV3~JPnWJn#-9sUYbq^*)gU@T9@-%{mTz|Ii$?2KK!}mROM(ozqBxaLxhDl_0{xq@
z3wEFW+2_>`GG2WmLr_^!Y6m(2v?Al(DbY*!FVEy)&4c_CJ)o!tf5D@rB1)&m^5Rex
zrryb~(z-U!-LdinMwn$EK)O;QJ?B@NGOG&|;+%FZ;G;s$F?gJ@^3H_oP@X-tU(cGS
zX0&n6i#*mr*R!&*@d?6D%R&f=EAixveI6xX;|X`P9XBiySBlU6=n3OQ(Bx|d_DMX<
zW~a!4=1|oV9Tn9q<EM6YeQ-7s164`q$LA3#v$(Ffxe`=~gM`*o3YGP{&`6zzsRqdt
z-wr&5UZ=j?l!$2ZCDS#gAhWJjU$j_N<0Z&g@EE3O>X^5zbX9d><K7E9aT~7>D!oCJ
zC$PKnO%d_G!_f=n=m)f^-%Pvq-14(s?Yn?WnJv`LSiU1J_M#@Il&vHolM)@;sq9WA
z1M@>s0rY65a*a%L{o_n!8t1B`@M6}XMs_0Lp&Yal2r&8TKzK=_chNz2N6E*ysrx3S
zzKp6I1{Eb3aL26IC?@V`V`o+uXnu7+T+&q-oQb$9(UGlVa4F&;CF1>)Q%2Ihd!@-!
z_to}qB<KoZvrl^4gm3ibaLO4VO4a_2i^cH@W-lgVKp_*L6p}d*I@5!m?r@N$<Z}uU
z3{D$x6ToCVi?-#LS$QTnd5uz<3^>qtsoa7z7FAW(-`97wR|vG_S@&ae`f0q++^;c9
zQ!_bZ8n-GE#v2TxqwC4`ZnsNM-aLQ5onbWJI2<fnex+?=ZOsOJ8HQuh>1+KBxehDe
zbK@)AagHedIJN*LUvL*t1#NLtgO#2Eup#`u^;|t0V#~Fml)U5VZ6}m7aDHGbIuW_C
z{@BwkYBY6Y@}4S^QR6=%mS&J-Ij)K*HL56Ci?O6_Oexd(6i)XOVYF^t+r&>IkU-wn
z_t@3%^Mi>82NFwV?=5L1XN3;~VknVakLe&%bwXuU!_gaM%^-?=jWZF)+6iiSHQ2@r
zZJ_%s+)oPWFwJr5*JHsLxftDp4{B+-mO{m6MUS-B_^(zr7XlN3wfJID@@*{eRWfC1
za4Wj8S{vkYf(e#e5PQ^m0yWa{>{{6aN9nW30Yfye7VapW4^hRm<L0C`na4_BXVK$E
zp5JUVIhp@ru1+5+Wd&puEM|zhZRlMG5e>yFV~Coeryo#hG03F#+Zu*fW!fh=2eJ>J
z`a4_C2S`}Suw6-WzBCpyRH>N+L>LBgaeY{K6pN@z2lPy&-)O3!wbyp87`qhmCVLbp
zsXs3D<0Iz>AW_ZC=+HJg{JpTDl<(<lFYaj2R=P}Qa`0MlUEi1#%)k`W7z;WOXM&i>
zZdHmz(GvFvi4lUjL^7pYq}}WXnir^`C>5!67*4r4w`hx6o&OLD2xo+_2=7(6T)1%I
z-2{;IKlA*b8pndy5=%Wa->$h^E}mPOG8-UJy)|eGWKatd%Zl06)Y{)*8BR=pR-gT{
z;9urt%c1gz7xqiuxo7mFV|88SasdXO*eG9PlK1suzZ^Y%UA2lq%oJ?%l}Xoqux!DT
zQ)Pe{ogi<NZPwiCG$0Sf^GzIuLROOOhAnEM{dVZg)1nw6+iX+mp^9aXZ~DionFo$J
z4Tj-~!yJ=x!woQqa)oYD6YhkhBsb394bVH-jwlhe5Y_Nvt)uHa>N!EffLkuuMN@<W
zi2BAa8Los)VUL4oHLBb5QB-da-mVySl?fpID4B!NZf<V0szj)5tueM`bESH~9Y%<*
zo*O@XJZ(D1=E{>>69h7QZ7CKm1j^%D7&p4tL?6C2Hvzj9L8B8~NrX<ocq@!zQz4fb
zf%Hi*VJH2WBwTSKR8W(ut7d_ef7;{&2-q=e6&pPLyK$Ctu3?Z;sbL1P+sMes*|7Id
zTu)^Iu8e#x)t-kV57CRT!|}eCMnC)c)je(Ct2!+xAAiTkP<eGO@$n+wXg$|<qnS%&
zVw7^dBS)mG3ziA<eGIBKuhwa4n47Xzqq5i|X{xm2TRXKx=9o`MWgRlJ`}pueRPNbD
z|8&_}`eJ28*NS);ZgB@=rj}fS-nrZyoRr3#+mD6Dev+WOvvsxKCHL&quQCCRCT9bR
zl6lfaA6hf8=72DnNtX-O_^edP%FKnk`)t=nLaJQ<3?#L<q-34mWEv0n45toPp%VrU
zOqc-IQC<*iCwgzm#CTK`$6c-*ACuw~s}-kraq74oI`GYTXPAEgZ1U%WF_ams^&Hm1
zy6X+FDe0W_bpk-eI*V_;GmucYJ4hPAM3PJFQGAd=SmWb?i6t3wDRguB)iI~+uXQYR
z9im5`V}lG{M-{xs#I)AR(KZG<6u`qJ^C@%K+-f;dCph`9P<f6GJE9fAsP;4CTF^G*
zWbqYlC1{}ZjTFB#Ao>0AS$XK0hJ@J2iRoOy6q8#DoML$fy@MXmK;*bpDp4;Dj0WuP
zP$MB2ITx;+wV_EC+%e5^B5<WmNwFXI9z4z?b211h*W$CnOtt;b7~|FwV0)u6d|=H3
z%~L;I)KQt6(YxA4?2!>)@2-=RG1MjR#7C`bV_X-w)I-c?VdnD5&#ZIYx-l`fPo3Gj
zs<Kzj{Tm{HYgsZn+JF`>f|{ZYm`McG>If*Opo3Z!=Z4>xLR07a{sKE90TV+r{K8v7
zI1ath1!=h3h7;IK{ulG7-I{N*bq8iMr4{FD5TBz6rrbZ2<6#TtePBvO-ej$b8G1p%
zDhtd=ec$2beisYZQiqg~7!wt^9yAbsGM6wcmVNV{fmF;Lo_*5&X*(h)iOW$Ha?dNp
z0uBZgO7XMr{c8W+0j%It*CK0RwxaH&t>oca1Z}d*a;!_fCYDaB;p|UXob?s+@C@q{
z;~_hnC=`h^OnOb%sYdzu7fl_-MkkCvMlA%<7JW&5zy4W3a^No!qjjO7d)D6ov%R@O
zcg{Y1P5A{0xbbg1pFZBevwW)p@qy0+Nn?Qwt7YbFCSD^40te}#ATaKo)o`Gv@*5v`
zx){(dP?7OZF@#P8tTKB=3VmIR60q}*yZ&L9xcKp19{GCY&XoT<3jp@!fxEs#@-15)
z5c#wGrs=NxGpk^mso8R@rgzaf=sI<A<FTWcc5SbttQaJE4TFTM@(N&vghM`XGZSwB
zZ*_p~a~1&ZvYLfo-GBBe_a8Yk4~XFav=NsfT>!p^m+uo?2*YHAgoG@-17%;qBQ_8h
zu_aFO9{2(dIhGUEoy`JOqgR!;%APiw=~a5h7jY@)mqK%Cdl|smfznUlm@WmDqbzOa
zs!FOXS!>6Ak&iD2HaRU!dQi&i8Nh_)o4V*(1dw>?hz5*@yNvuSJQa#+k5bm%VZw*J
z(eL*xH$R4$Yr%VsROLFf_EAvt=;JhlW~ayrO8gx501N11^Xp|*MSWL~UZ?MAjs3)w
z{#mO_fw`HUhPI&tC~6m>{VyVJ$>P=y{|l_1@pnSVz!6a6nht-hC#(KY1E=jkRHNRK
z<yPF$VC9}=v{CvX`r;Ok3I`9i>sc!){>&5e)}~?m0k@V*Qz}I3NyIt3B@3$Yrn>6<
z;))<)C8=+x>e3Z)P)o!}xkdj?C4M(tp0jt{+&arZ4SG$#F)P?QpNK9T8^7wW8lg{=
zaMH1b7$oq6^p--Y;N;=xxuUNOEW@spI1>{?WE#6`xIex??&l8;4ysCo_T!$)2&AkD
zN$Y<RM=&+xK0OC|`SjbZzSI)ZJm=R^ncBxSZ-9k1mzbxiduVQruI=4h^DAPP>hy-?
z16}`xnD@`|N9`j~vHf9L(AIfN`=P4DFScF<CpJfP54D4*R}Uxl{1ME(xwSa6?>bZd
zIo&yA-BFJT;ELTEBRSwHNVD28)zja7y8XM2z%~Ng2y7#;jlebn+X!qU@c#<|P^;|S
zvXKY2f433XM&Q4Uz_pRISn!cRn(Dg%2xL13w-MMz;J=E1!UzI^D3xVlng_szx+)IU
aAjq#q{$%#qy#OtcOBda~Bc8wU)Bga|6+o~6

literal 11361
zcmeHNXH=8fx{hKQDKZW^I5>zNM;$>xL_lg(Mi4Nd(xe7OL<AC~w<L@XaE=V1LzPf;
z=mrQqv=EAd(jo*xCm@{wk&;9blH8qe&boK4`}h3xSH88gzrEl6*5`e`{jXc*#!}*P
z;t&W#%H+mxcOa0x;8E<vce}yQ2Ip=O1oAz^<hQF<!RgE62U61mGA7puc*kFI3{Onm
zfE-f4cJ1hH--MU0wO4=t^+Zb3`I``9_oMf0u39~m{XRqfUh0zvclXNvrhWY%(dwm7
z|M82Y((9H7QvW!x=LcVSh5<V(G11LBD1iCW+!mchZnY#kFm7M3TMOBqV;^V2V6dNn
z5LWSVadAcSOX}cxs4w^7k4?hCSm!SEM)Y?s;Q6hg1)cB+vr7^JxpHLTHZQQQ0<sSR
zaVe#bJK>*;rd0pxG*B)Y{IbM-Mc#t#J_><EC|}*;bl;5F1%Vu`R8$ZII*?w8=J+hp
zINf_LfTf?^qR|QdMB(Ubdu!)^|6f|@vpt&436OmRrtC{W<KbG(KwYoxnSZ0zg<>>K
z-rgeO6}77$#flcZwb1#IJWj=X3im3IBkFEw3v3`_5QwDB%8CY^O0BHye=r_zq+6aA
z7ZnvZb*g-1q)42}nVA=-YsoYT1+fYXTX{aK(d}(#7Dk=mt!h-+!3;f({rtEKZHnHL
z>!CqUE3qzMdC5?mt#<*9d886)KJo+=29w)^cO32=N@d!anRTXVcv4H8M){eQ<t+VE
zMt>gF_I-dt34U|K#9}%d#(yZ;WlnnLLCMQi;4BYUcoN=`X29<E-+FtGU*N73Qdw!N
z>Is^OcIU{*hz;I3qfcwV=Ixl8Yg_-oK<<bszP8u{73xGljE^Eo88(Qj+X#A|<;Pfj
z#~`wL@68BGd}Co@A&E}~g1WpYC@lUMIzd`|A+?`nlg3tYs`DQzy*J$!ORub0SBjQa
zXzbP;t*owAfj5TFb|iUd5BO?EbV$dV(X|Rqn5ov!XnYnSi#s-NAlM>Xyt<g%V(1*Y
zm`lf#_;vJ>QMVMQi@?fn?-0U0s>^dJu+C(>m$&yQVpJ_dp*FzKVOrBpI#<)N{DDc@
zCZc|&T1raF1Lo(qp-$G@m{t%3Pc(!S`lcv5*jQR7>}!dQjRkW?dyN%PUz+#Nv%EY!
zOmy?TR^R_z^H)MvJ+a%GdVTGob*R*rR%z&VlbG~!)u40I{x3xKM3{ib#(Zs6Xk7R^
zMkvzK-~^S=CX8);O(5sZqS(XJF}BW^{1;vnk?-(S>??nLzfy2JyKnS}lFeA)sQ0<T
zzAH74$dSj0>m5oJ54+{GeP;^uGef5$W#f+P>)5tnuQ9}H{ZSfDV&QA=W%CbhueB?{
zw@#+O(OWYg6WqH}Ujlu59YSv{HCT}d;k>serI-TdU#bS&ZB@bY3lBTmOwT>@<|LyU
zk7VvR1I>mDm~cuOLfVlS%9IZpds)7<y+KAIklYTs1&!N-H-8i^7)Xfw*@jRUT4QCK
z!naw|XflkF)aGqc!u)S=%>J2q97M#0RM<G(0<A~K$`^YhyWpu42Nl%L)3E_`YHr;4
zlXiJJola?i^9JDEuhjF6vwRlbMCT1!7zA)-G-4<%-Z9RO!xP~fGYLxC)j?Vq6+f%3
zFt^&E!ywR^kC2Q<2>9k|A5O5E%!5`AqPfejm{)-t*;hW={<>C(hGTe43k-)s0!J!8
zKH`y|(MKnbraWLc3AkU&2g}iYD+8o)XO2V7tt7Hknig_G6}=W?-q}bb>U)Q-RH3;~
zgdwVkB=T0>`7F=+)r(VUg23AfF^IL#??=5Vx=Zi1CM!FzQZQR7!~)s_{`S@)^BK%=
z!!s{_SY!0=pdD?q0Ill;ue@+W>}$6ctzjzam`%~$+jWa2^{Z(Y-8z2Xe>}KLt-T0N
zYV@%T4cqKB&W9zOwP@t7)|<tHaPZ&^MM}s%1R-esXex@sTcTzgWp1sx!UZc&-8$<@
zcL+*2TYO1zvAo7(E5!kF_?$YjVa<rDBw!&0$<Fx9;GvT^!bn{es~~O#k?Mc5TJ00H
z$Sy%D(X=P;cuxFPo#{W-kB5J04qL6A&q**>9I0e9a`{WPqz+|rng;#DsrW8r=*&xF
zbM4v0v2{L|A?UZXI3kZV_>%6|BeXV>#AAVs=kh&$Q|$&cWG+&Gp7!1%q&WF=KDNVD
z4a&>gPvm}FVT~ebpFa7FdK1ROH@fYRxfV4WJ-TOMX;zhuwY4F=e_xk5b8}&{01;NT
zJ<wpcm))r7bTnrW0uLN^v&=WwUn<Bp)yh@yG>8Zq4;XBL$(%LsQY8s^3{`#BI~j`x
z&Js?ScNc_K^Q1A<G@EEV-xY%H$%dXE=eS3&u&1OIUSLLhCo-$5-Si2*vmN(ZqjCd<
z3KpL%lJ0|SEmx4u4+VXlijG%+@>d8n{-OmY6j<g@dELN;Pj41uswYC}MNlhW25w#A
zng4D_BRL9Y(F`8CHJhSZJM&k9g-T=D5Q;q>L@y?+f{=%QZIP`Wd5i<Pd2M<g-ndN`
zY=5?eqnIrcs;PP*@zX3C9xU@x{7e&)$h1+pg(tE`5^vjKbXO`VeVb2s9Hv?F`C$+v
zW<d+@_tdO&on}*FG_Bzfq)KP9GR-{;MQK?chAL<w91(7uljd3IuiIN2!Yl*wPNHyI
zf=b<jDw;>PZDbScec9Hln}-*k`^z?YdwZXYIBT9>^LXIxskqC3GlFo6Ne??M^w!>i
ztaC?YrL^@Rllk6Vfqf}LsdmfHR$_}_9U{BXeZMQUEx}wzO<9k#;JTG0SW{5VfzKzN
zOBhgvKt9P<xRXP+*A!^M(^9pZZq4+Gv0m(b+<35yohP;ECxh@{`&4yz^GGK5Ul!q?
zLH<h9_IqgaYO}0%{y@H}eSM%e)i4RFP_yp7+m`P7LcEGVfD&)pf6y#b@42i`L<_j=
znL)kHPf-c$WPNtJ@PyLNAm2%cPm1lA_jf_Vj2*(LpEe%g@Z&x%cJx8Kf{uTyWel2C
zk>!?TVma2<*2X3>P<HQq6*3zOYHPLWwzG`*fyIyHXB@Q~N9=2Srlz75_;5{~^$(}C
zm>aQum>A$^+q0?|CYIJ^hQy|&t=2R6l|C&8+R3jrwv7#ZJ78Ko*HGY+>?{mFOZ9H)
z<Z~r{;QCBqv^;Cdt^%FN{bRN>1+x|dH&}RWNa0kHkr-}h^^~fUqD~;FX@gEdDEkD~
zE4Arq3xh2TC=M=WYRHKOefC(k56q#Xnv>>r!#j68Iq=w>(cW8>6<C?QgM;7vFXRke
zEnHIyX?yn4E^`TE`GEckvOzt_8@9eytF08-T)fhV6}oA3Wg4SIt61<pvgb=ZqcN=G
zTz(D-c>}s;jk7s|sGIrAEE9zO*g6@*-v9xLUuXi#J|+KkEgqw%?2fW=a0p`!A4AhY
zMe_+oEfwYug6z>oa`3LQ=E#Pvy-(ru8G`vg4#*gMZI(9Jnn{R0&T;qnjOjBu+mi(q
z^qE1c9`*iRU0ofc!ifP#XBi&UUg$G(@5$8X%4A&*8?OsUQsAlzeCaCn%i*A)HLQ2w
z=Cd$UBmq|jpuf`Vcgyb2rmDq8dOkLaee8+wz<25x^}9J}`ExBsiuGX_tV7@Lvm_<v
zbtfk$`@5i)+w_t~pO3xjThxFt71I~y4D?X9Js|8GTY1VA<&WqtdV51Tn~UdmOJH7W
z(ZV-Q#p{)O4VQBnBmva{*^Re=aTl`Ve>~0wiB8$M;j(~*rESkWlQu{_7!Jylc-G^j
zHeSLRm?=DwId(2T{1Oq(2xC_g2=i?u_soz`G+nLzXH=)M77fMDs3ioAGf4oCVA2Dq
zQ4i6~0YNx_OOUD`W-ez3a$9b@0%j~^J_Bn+1(;()JRZdwo{!U8|0g4So`u8nw^3{q
zw3xJ*HvxSs0br_?bI5E`;x(X*C@I|VLo6#Ttvb2d_;^~t+@I<WgT<;FKq<s(P5HkL
zo)<Wsi|~_~Y>7~u_Jngs^x0lDhd0kcw?3A&ALq6mLt6dEQ93y$j8#;U)<ULOL*UBD
zW{P-{<EPR7ek;yA0BavrrRkpunFdgv)NiUKt>$g9$AX0ZpT^8?R}ieZ#_Knd4Y<o?
z?Fv12hWyC-6i-)I*VO|zJ-((p2aR~NDw8Y&NKC4O$JEEz_2>pZhh9rr=v2V!)^kCg
z>E`XC2rjh6$z$i*fVpq+sKpL!4xOYVJ}DJ-uy{DQZ1tTqYT=bCx;9|c`<R?uIsaCw
z`7_g50%@st|G_@b2oQH$Ascf?s_FR#%)(2hFbPT?tR4WZb^6(xsTTs4`deJ%bysUZ
z<<S(do=T{EuyzZDDf|V8`p$e9bPiKS-KHu5!x@DVx7W#egP^S8d@Q|J6wsMl&})2X
z(b{x-{-C9W{wx4hCW7tB{n9xY15R(em9N*Tk&h~I(|2{{>0YFYU3pG|AVgTI7qGO3
zfc2S=VGR8$oIGo2`k7_k&Bm2#K@u~1+v6iBf=-dqGrP+-J&fFD4D>K{0RlxoCi33e
zkHmv@2Yd?qD^-d8TLtQ{Da#-7&xP9?eE#RD#<f`FVFZlQFY6q9l8zK6JUMdSOE0;B
z<3VF(NeW-zNUx+EY!LAGpSd~Y(Jmjfy&A+Y7n~bIv7M5BuBV~7=t;5qd{=;~Gk-*o
zcyV5aQ<#eY-@F}*QEl9m7Wh!)gTm{#tw6TqVJ*<>Pl3w^FZC148%?gK>Cyw2hstWz
zt?QW+CWX=C!PBvWj()Jy?)`bvWX%a5oa(NzMQyUv%8LN4D<w}MDy}I`fg!*td`YE=
ziNg^$NDaU>xKYOtdeeVW{K!2W9huM<qlwOxnXOS;;|fTctUN4Vt=NPY&K$_HP*T#?
z?EZtqEFLvr*Wy+iHrUPSalE1ShYtYsOA4FM2)ZMm9=3WmABL^o=#c?_mJiI7JD3>9
z@G5=O{B-Zeyy}f<VxqK1En}CXg9El+C8#gQM3uDddpde7j6qa)@40E&<{GCxH-|-*
z%v_utd)2TQBW@9-j3@PARv&-oNa^oSR4YwZajJgUy|k&|KP!-*DR!*&9WHkRP-W<_
z`ypUz>~%9UIvG@$`OGjx^HVMNZqDr~*vme_26XM6OyGz|JC98hd@__?>^1q|WY-uT
zBHjX;B~WQ)FuXyG)7I~xrEu``^LzfqG_Y|t+2Nq}%!|`z$vK$$-fUx8#L~EHtZ9l;
z2n#RlBai-RQ*5shuw=lV;POCrNuB^{biPZS3{VLC&!cMpphK0Fl|9PS=N>Q8<1T;x
z=h&$@j;*0#D`;pEoGC?@r3C9@4afC&)!+!TNUq~tm3XF@<1evS@HL;GgFt5Ohkm`f
zNClYmgm)ciHH5hyG!9ltx3i5hE)VW){tp-6+hMHQ7(6!~gki+#Hmdv0<*GkSr;?ah
z?;;9l44L%7e7r6w1{JUqC@)U(<`IwWQPq5WVAvqeRI=}YPZ}STFZP%pS(#^&5i<9x
z(ATe%#Ao6u-x-h=2W;Uy3Y13~TW>dDm4QU4d%Zo6G;~8r_=1?U-UZ;aN5j*wSbW`*
z1Q0s-?VId)gQXEqy!WF80ai;H-l)gy1#J@{c<r-{`Q?)+4=N@~@+VN#;{lx0L<M(D
z0w}PZcd=|lbsj2Pa^C59j?5$;!=nqm0$Sb&!#Av(qC)_jkHpS(V^iS#ZY0_=blFf^
z-~Z$3l*8la<v^YOa)bFb3GXQQ9HZLsr6nD7oe0Z*WcAt`Z4bG$IxUSafBwV^4;!!O
z(NP*ea=vUHiDZtRN`jwtL}#@~meeo3#g#X^1HeeT7cFlN<!!z>roeH0^!3XW=<rM>
zDESs7U;+u_ce;#*4PhIjH4&Vhmp2DGTkJ(Q)7~=BVWV{Pq>?GufNOkz_jzHGl5O12
z+P(}T8_ikFPf>A7V@4NR=A!{jeT&CiOw)i%<!6#Le?OifNT=m1BA+ImA>wR`O-VU@
z`@aKli?rEi=71yyOcnM5-%hkIb-DVuAK0GAV~v84n*fp|FuULVONLQ19S7Vv=Yd1n
z{r8~wKMyR}KD<zpSCgUQAHetP#noQ{M%q(_=5Z1mr`zKdG`)t#YW>Ji!FJ=Ac}-cF
z+5n?Rmyv!^y=wEI?(!`izI+5^bu-`=TnxavraVpmg-=hW+m!7q3vzSaK;QzEjDV=E
zaMqrT5EJ$*R;0!3zWsUeE4?4d`gPhir?KTdZ7tR^P2Jtyf=vrSV%tKJLOB5X82&tF
zl~(^s*Z`YENh=tHZZ3e9s>Fey66*sJ4ARN3Tf?<Iu6SFf8WdC<zES7B?P{C-&hp*+
zOl_ah{+9piYN$-n9opA6Efv!C`lXaC15{{av?J(676(g#b{GU28k8?chDk<JUX_QJ
zgRN~!GJD81{wMW^IgiqHgAj7_$=W_MA6~j=1W;{BoPja<w7#ZwV10QgI@~_Xdw0?p
z<L&lIaDv7B+K1g~o1QmLF~y}#NDY_x`k*BU9J&_`bQ7U+>Cz<->h~A>ay<u2<aPWX
zbxeYw5Vm8lfLn;;I2=x;p{J*({RE&i&fHA(Y1*~l5wId2pMwEyksoY6o5a!XeqkA&
zWYCc>8|shnJDv3+%z>%Z{1}PM()70Hpt>^k>#M1!yTO5oiHc8Vjas9nkzQUmGX_>p
z7Cui=g=h8!(PK@s`Yky}l8W#%2k+)0JIDBngi@2^g?caUK=PyTGqS(~uKaWkZj4Nn
z1A+J+bR8b&)9+uFLQ`tgh<T{K4y${M8rP9>viV7;jN^nnM@4r|*QJ`ubp3q?z)8(>
z5MCnyrq>2!SC*r*PXc;jv|#ila?#zUym9@24<X(_(ee8xAf)6A)7>>e^HBGUjJ-~k
zlU?_~m?kzZlQvrW7x^4-NO?-m1q|I^T9{gSy;sQVVX0^2Hf(DA&{rWq%+k{ffhW$3
zc)&k7o``h8uObpJxo{z>Pec?hSw1uv8_4Vau}R{`^B=(b-@Pul0no**smzR$^Qc=s
zw($}wBei*jh3CL>5wN^<4{wjLWR=8_75|f@<-<ar@R~?etKZkPB2~uib#97iOi3Ny
zSIHc`9qJM{qxkvf9s1DvBkGOPFG7ii^f<wpey@g+`65Enp{PYs^rqMCx->}%7qIYK
zqeypHP#sppG)mkyh!>skSxa6p3wd(qAgTjZJO5hgScu-XB8ZbSL{ER55bpAwNDtpX
z70m*?smx!`<9=uYi|_nhaFB=<n?E4h%|azAEb*O4E#HeovQ~wPtEkINc<s{jANnNp
z(cm<yh8y<TfeT=PlRNzD-AMP}MAGi4;s5V?Vvk4(-~FG3cV7MW!vC?&H!bb>+&9<w
ze_{L0HNLrqsKk8Bt)epaEgrtb!?$=4!rL8K_g{*K2uVo9cez)|-VlfcUwAJ-gaN<R
z<8Sp?*gO1}oDB30-(deY*#E5~{NE1xzZMTJSBeb+f)Q`Br`euMZ7U;Xp&sovu>rb`
zq`<zb0sFJ;)z_ZcVQ?OgA9rX*ziEvUUOsq7VZBTnyJirPz=|s>c5O|g#ud2@6;#)q
zlsfCE^PugB{IMX#@NVV9#SH(G0!@OEu<TrTts^xlg_KCP+^01t<=L}DC)bxu6<Dy$
zAcMk1FMQ}9c+fhEHL5D^X+&M8%<g{x!&MlFt~*KIsnQt!Co7=!NB(?TCu{YQ_u{W|
zKe0C{-~%b-=sUUc>f4^OTBy*hqT(u5sU7NOdFgR^aWb(iaPGKWb7Z6bX(6#uu=|)?
zO~@?A)1rsCa$RhPFflY7<&0>dhgq9!KV;ZQlZbP8s}?@qH-|)N3aX8FRxFSMLcEBh
zCM)n=(XiQn51ui!r&jX6<h868m;Sy(CXs_u9tJ5d_8tn*u!D7SSXzQC(M_+RmH|RB
zGK@b}<ic_=*<ow;QTI#taPr=Gqcnp8dpi)v?uv9(+S8~>2j7>AP*X_X_YRF=o_!^Z
zLrvhcl11aJk8NIA%&XpSN0Kl#zBMf}Z$$fwDZ$*hntRN5IjZ0HpVJmi4%{F93$C~`
z6h}Nozgy8zir&cAk<Hw2{B38KJ2g~|2WL@d=*5Sdh6}tWxTVm#A8NX8{#yv=P~TSi
zfs_Ztq}?@v`OvkWU4Q`l2wddQmo%dqOKC>$ldS}-13l_NJtGAUzjt8J9Zb0J!kJ4N
zp55<tH<;bMye?Le>4`g*yb=};j;H?bmF*qM33G_MH{Pc?ESPt<q5MX4%2_8{mjcK1
z+0{4M)c*d%h$F%iSS2u-r^;R3lNTpSG<O&$qcCHtBjtsB*b}PXj;YEJL#fMMo}GHj
z1W8en2zXR@Y~<oS^73m-Pt6WIzBGD=Lsa}keOY{bWQeat!}$pMcBnJSz++26oA0Xe
zU900C$-`~O1H~_aou6Hss)!S>>X&lT&neqtWWL4WlytUgjdv~x=8Wi;YcNmQ5|M(r
zWA1}g0s1LcVls_=cr}aGznK3@q~C?gfCqHX=o0WH!hpFUPl3K9kAv?a=GlZB_I8|0
zE+RH=E+vXsi?P=!pNl%QVrX3XbI8@sUd-)!wGh8?2YXWFI`;XJ*3R|73$K$k1n4R0
zq`K}uyvCo$9m*c99?cCPNLQ@}UE|iUbH|EtxK8n&Ko!0D+EQQL40bX?MB7OgxWTiq
z@SXvW$K%VyLkRDlw#XJrrWyWgx4gB<zIhQTx6ca2Q@C^KwC5D8*jJ*^i^363VV_%`
zSdJ%SR@cLXH!hD}iQMJ*>mbpt`O0NXFVcfLcmMJrIm3Ako7DBkjvFclxgpJaPiSQ|
zUOz?KHn=V`nU<+1vt#(z;?Z@Hr)Vwm>y+`9$fB6dZj4oL$KSV0MNH$BBd~}V#Ij>*
zdq&*T7<2S0Yr-}}Wa3@cIt|K>Dl$!xwWEvH%^Ar)vGYO|m)aeU^XsH_)h;X=Z_)qQ
zFrH18u=u@a{z>n(Gs1X3>T=z7`ypnG7%4W9R)XA>5m1c#&t?Gu;{Md(J(rbgG;1jL
zkT%U9$+d1GlSC*2&6SYr8uczKVLv&cvPIu7E_@PKr7PRRD{t{R6Xq$MV~6cUR(@@Y
z-_>&t6SS}#kHjQdho3GLO)m}cKT_i4B<(ooO(5?I6kQJ0#P%&BwrUYuKlI?wb6)(d
zIN?JLu(Y%UP^swzWznjltDvGQuQ_`YUVbTJ0~w=vB!fJ*;<@-#$elL1^n3jD<3VVr
z*IQ>d{$Z3rOxy*qtIfDC=nqcbiW(pCoAphHFG7DWTF%HC-vjOkyjDzNG?fIFIO}sZ
z=A_TXPPIsiNZx^*O9<TOCEB_v(r;iTHbaTD<;O1;nxFvT(9}R^DGRi)BrUuc0qia0
ztxbu*3?38sL4@qFP7DO!5xwbjxYc8aET3JdeD0?tfP$$4fnG(k7I@ev>;%Lhe>*O<
VeZFvL5R5=fuABc>a?R!G{{SHqk2(MV

diff --git a/rel/entrypoint.sh b/rel/entrypoint.sh
index 60872bf9..ae2001e3 100644
--- a/rel/entrypoint.sh
+++ b/rel/entrypoint.sh
@@ -3,4 +3,9 @@ set -eu
 
 /app/bin/vmemo eval "Vmemo.Release.migrate()"
 
+if [ "${1:-}" = "start" ] && [ "${VMEMO_ENABLE_NGINX:-}" = "true" ]; then
+  nginx -t
+  nginx
+fi
+
 exec /app/bin/vmemo "$@"
diff --git a/test/vmemo_web/controllers/file_controller_test.exs b/test/vmemo_web/controllers/file_controller_test.exs
index 56feaf46..c36802c9 100644
--- a/test/vmemo_web/controllers/file_controller_test.exs
+++ b/test/vmemo_web/controllers/file_controller_test.exs
@@ -1,31 +1,42 @@
 defmodule VmemoWeb.FileControllerTest do
-  use VmemoWeb.ConnCase, async: true
+  use VmemoWeb.ConnCase, async: false
+
+  import Vmemo.AccountFixtures
 
   @base_dir Path.join(["storage", "v1"])
 
-  setup do
-    user_id = "test-user-#{System.unique_integer([:positive])}"
-    image_dir = Path.join([@base_dir, user_id, "images"])
+  setup %{conn: conn} do
+    user = user_fixture()
+    other_user = user_fixture()
+    conn = log_in_user(conn, user)
+
+    image_dir = Path.join([@base_dir, user.id, "images"])
     File.mkdir_p!(image_dir)
 
     on_exit(fn ->
-      File.rm_rf!(Path.join([@base_dir, user_id]))
+      File.rm_rf!(Path.join([@base_dir, user.id]))
+      File.rm_rf!(Path.join([@base_dir, other_user.id]))
     end)
 
-    {:ok, user_id: user_id, image_dir: image_dir}
+    {:ok, conn: conn, user: user, other_user: other_user, image_dir: image_dir}
   end
 
-  test "returns original image when thumbnail is missing", %{
+  test "accelerates fallback original image when thumbnail is missing", %{
     conn: conn,
-    user_id: user_id,
+    user: user,
     image_dir: image_dir
   } do
     original = Path.join(image_dir, "sample.png")
     File.write!(original, "png-data")
 
-    conn = get(conn, ~p"/storage/v1/#{user_id}/images/sample--m.png")
+    conn = get(conn, ~p"/storage/v1/#{user.id}/images/sample--m.png")
+
+    assert response(conn, 200) == ""
+
+    assert get_resp_header(conn, "x-accel-redirect") == [
+             "/storage/v1/_internal/#{user.id}/images/sample.png"
+           ]
 
-    assert response(conn, 200) == "png-data"
     assert get_resp_header(conn, "content-type") == ["image/png"]
     assert get_resp_header(conn, "content-disposition") == ["inline"]
     assert get_resp_header(conn, "cache-control") == ["public, max-age=31536000, immutable"]
@@ -35,37 +46,47 @@ defmodule VmemoWeb.FileControllerTest do
 
   test "falls back to another extension when exact original does not exist", %{
     conn: conn,
-    user_id: user_id,
+    user: user,
     image_dir: image_dir
   } do
     png = Path.join(image_dir, "sample.png")
     File.write!(png, "png-fallback")
 
-    conn = get(conn, ~p"/storage/v1/#{user_id}/images/sample--m.webp")
+    conn = get(conn, ~p"/storage/v1/#{user.id}/images/sample--m.webp")
+
+    assert response(conn, 200) == ""
+
+    assert get_resp_header(conn, "x-accel-redirect") == [
+             "/storage/v1/_internal/#{user.id}/images/sample.png"
+           ]
 
-    assert response(conn, 200) == "png-fallback"
     assert get_resp_header(conn, "content-type") == ["image/png"]
   end
 
-  test "serves tiff images with image/tiff content type", %{
+  test "accelerates tiff images with image/tiff content type", %{
     conn: conn,
-    user_id: user_id,
+    user: user,
     image_dir: image_dir
   } do
     tiff = Path.join(image_dir, "sample.tiff")
     File.write!(tiff, "tiff-data")
 
-    conn = get(conn, ~p"/storage/v1/#{user_id}/images/sample.tiff")
+    conn = get(conn, ~p"/storage/v1/#{user.id}/images/sample.tiff")
+
+    assert response(conn, 200) == ""
+
+    assert get_resp_header(conn, "x-accel-redirect") == [
+             "/storage/v1/_internal/#{user.id}/images/sample.tiff"
+           ]
 
-    assert response(conn, 200) == "tiff-data"
     assert get_resp_header(conn, "content-type") == ["image/tiff"]
   end
 
   test "returns 404 with no-store when both thumbnail and original are missing", %{
     conn: conn,
-    user_id: user_id
+    user: user
   } do
-    conn = get(conn, ~p"/storage/v1/#{user_id}/images/not-found--s.png")
+    conn = get(conn, ~p"/storage/v1/#{user.id}/images/not-found--s.png")
 
     assert response(conn, 404) == "File not found"
     assert get_resp_header(conn, "cache-control") == ["no-store"]
@@ -74,40 +95,98 @@ defmodule VmemoWeb.FileControllerTest do
 
   test "returns 304 when if-none-match matches etag", %{
     conn: conn,
-    user_id: user_id,
+    user: user,
     image_dir: image_dir
   } do
     original = Path.join(image_dir, "etag.png")
     File.write!(original, "etag-data")
 
-    first = get(conn, ~p"/storage/v1/#{user_id}/images/etag.png")
-    assert response(first, 200) == "etag-data"
+    first = get(conn, ~p"/storage/v1/#{user.id}/images/etag.png")
+    assert response(first, 200) == ""
     [etag] = get_resp_header(first, "etag")
 
     second =
       conn
       |> put_req_header("if-none-match", etag)
-      |> get(~p"/storage/v1/#{user_id}/images/etag.png")
+      |> get(~p"/storage/v1/#{user.id}/images/etag.png")
 
     assert response(second, 304) == ""
     assert get_resp_header(second, "cache-control") == ["public, max-age=0, must-revalidate"]
   end
 
-  test "returns 404 for invalid filename pattern", %{conn: conn, user_id: user_id} do
-    conn = get(conn, "/storage/v1/#{user_id}/images/evil file.png")
+  test "returns 404 for invalid filename pattern", %{conn: conn, user: user} do
+    conn = get(conn, "/storage/v1/#{user.id}/images/evil file.png")
     assert response(conn, 404) == "File not found"
   end
 
-  test "serves avatar when file exists", %{conn: conn, user_id: user_id} do
-    avatar_dir = Path.join([@base_dir, user_id, "avatars"])
+  test "accelerates avatar when file exists", %{conn: conn, user: user} do
+    avatar_dir = Path.join([@base_dir, user.id, "avatars"])
     File.mkdir_p!(avatar_dir)
     avatar = Path.join(avatar_dir, "me.jpg")
     File.write!(avatar, "jpg-data")
 
-    conn = get(conn, ~p"/storage/v1/#{user_id}/avatars/me.jpg")
+    conn = get(conn, ~p"/storage/v1/#{user.id}/avatars/me.jpg")
+
+    assert response(conn, 200) == ""
+
+    assert get_resp_header(conn, "x-accel-redirect") == [
+             "/storage/v1/_internal/#{user.id}/avatars/me.jpg"
+           ]
 
-    assert response(conn, 200) == "jpg-data"
     assert get_resp_header(conn, "content-type") == ["image/jpeg"]
     assert get_resp_header(conn, "cache-control") == ["public, max-age=31536000, immutable"]
   end
+
+  test "does not serve image files to anonymous users", %{
+    user: user,
+    image_dir: image_dir
+  } do
+    original = Path.join(image_dir, "private.png")
+    File.write!(original, "private-data")
+
+    conn =
+      Phoenix.ConnTest.build_conn()
+      |> get(~p"/storage/v1/#{user.id}/images/private.png")
+
+    assert response(conn, 404) == "File not found"
+    assert get_resp_header(conn, "cache-control") == ["no-store"]
+  end
+
+  test "does not serve another user's image files", %{
+    other_user: other_user,
+    user: user,
+    image_dir: image_dir
+  } do
+    original = Path.join(image_dir, "private.png")
+    File.write!(original, "private-data")
+
+    conn =
+      Phoenix.ConnTest.build_conn()
+      |> log_in_user(other_user)
+      |> get(~p"/storage/v1/#{user.id}/images/private.png")
+
+    assert response(conn, 404) == "File not found"
+    assert get_resp_header(conn, "cache-control") == ["no-store"]
+  end
+
+  test "uses x-accel-redirect by default", %{
+    conn: conn,
+    user: user,
+    image_dir: image_dir
+  } do
+    original = Path.join(image_dir, "accelerated.png")
+    File.write!(original, "accelerated-data")
+
+    conn = get(conn, ~p"/storage/v1/#{user.id}/images/accelerated.png")
+
+    assert response(conn, 200) == ""
+
+    assert get_resp_header(conn, "x-accel-redirect") == [
+             "/storage/v1/_internal/#{user.id}/images/accelerated.png"
+           ]
+
+    assert get_resp_header(conn, "content-type") == ["image/png"]
+    assert get_resp_header(conn, "content-disposition") == ["inline"]
+    assert get_resp_header(conn, "cache-control") == ["public, max-age=31536000, immutable"]
+  end
 end

From 3de0285fb6dbb50a3e6c082cd8346bf1f4590dd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=A9=E6=B5=B7=20=E5=8E=9F?= <thaddeusjiang@gmail.com>
Date: Sat, 13 Jun 2026 21:09:51 +0900
Subject: [PATCH 2/2] =?UTF-8?q?test(e2e):=20=E6=B7=BB=E5=8A=A0=E5=9B=BE?=
 =?UTF-8?q?=E7=89=87=E5=B1=95=E7=A4=BA=E6=80=A7=E8=83=BD=E9=AA=8C=E8=AF=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 others/e2e-test/README.md                     |  23 +++
 others/e2e-test/package.json                  |   3 +-
 .../tests/photos-index-performance.spec.ts    | 173 ++++++++++++++++++
 3 files changed, 198 insertions(+), 1 deletion(-)
 create mode 100644 others/e2e-test/tests/photos-index-performance.spec.ts

diff --git a/others/e2e-test/README.md b/others/e2e-test/README.md
index dbf998a9..53b62a22 100644
--- a/others/e2e-test/README.md
+++ b/others/e2e-test/README.md
@@ -29,6 +29,9 @@ bun run e2e -- tests/home-page.spec.ts
 
 # UI mode (scoped)
 bun run e2e:ui -- tests/home-page.spec.ts
+
+# Image display performance probe
+E2E_BASE_URL=http://localhost:4000 bun run perf:images
 ```
 
 Do not run the full suite unless explicitly requested.
@@ -46,6 +49,26 @@ For local prerequisites and execution flow, follow:
 
 - `/.agents/skills/vmemo-e2e-testing/SKILL.md`
 
+## Image Performance Probe
+
+`bun run perf:images` verifies the `/images` page against a running Vmemo target and prints a JSON report with:
+
+- first image ready time
+- `/storage/v1` response status, duration, content type, server, and bytes
+- browser image resource timing and decoded dimensions
+
+The default budgets target the local Docker e2e environment:
+
+```bash
+PHOTOS_INDEX_READY_BUDGET_MS=3000 \
+STORAGE_IMAGE_RESPONSE_BUDGET_MS=1500 \
+PHOTOS_INDEX_MIN_IMAGES=1 \
+E2E_BASE_URL=http://localhost:4000 \
+bun run perf:images
+```
+
+The report is also attached to the Playwright output as `photos-index-image-performance.json`.
+
 ## CI Notes
 
 - CI e2e workflow trigger label: `run-e2e-test`
diff --git a/others/e2e-test/package.json b/others/e2e-test/package.json
index e2cc46f2..aedc8aea 100644
--- a/others/e2e-test/package.json
+++ b/others/e2e-test/package.json
@@ -5,7 +5,8 @@
   "scripts": {
     "e2e": "playwright test",
     "e2e:ui": "playwright test --ui",
-    "e2e:update-snapshots": "playwright test --update-snapshots"
+    "e2e:update-snapshots": "playwright test --update-snapshots",
+    "perf:images": "playwright test tests/photos-index-performance.spec.ts --project=macbook-13"
   },
   "devDependencies": {
     "@playwright/test": "^1.58.2",
diff --git a/others/e2e-test/tests/photos-index-performance.spec.ts b/others/e2e-test/tests/photos-index-performance.spec.ts
new file mode 100644
index 00000000..36751d93
--- /dev/null
+++ b/others/e2e-test/tests/photos-index-performance.spec.ts
@@ -0,0 +1,173 @@
+import { expect, test, type Request } from "@playwright/test";
+
+type BrowserImageMetric = {
+  url: string;
+  naturalWidth: number;
+  naturalHeight: number;
+  complete: boolean;
+  durationMs: number;
+  transferSize: number;
+  encodedBodySize: number;
+  decodedBodySize: number;
+};
+
+type ResponseMetric = {
+  url: string;
+  status: number;
+  durationMs: number;
+  contentLength: number | null;
+  contentType: string | null;
+  server: string | null;
+};
+
+const pageReadyBudgetMs = readNumberEnv("PHOTOS_INDEX_READY_BUDGET_MS", 3_000);
+const imageResponseBudgetMs = readNumberEnv("STORAGE_IMAGE_RESPONSE_BUDGET_MS", 1_500);
+const minExpectedImages = readNumberEnv("PHOTOS_INDEX_MIN_IMAGES", 1);
+
+test("photos index image display performance", async ({ page }, testInfo) => {
+  const storageResponses: ResponseMetric[] = [];
+  const storageRequestStartMs = new Map<Request, number>();
+
+  page.on("request", (request) => {
+    if (isStorageImageUrl(request.url())) {
+      storageRequestStartMs.set(request, Date.now());
+    }
+  });
+
+  page.on("response", (response) => {
+    const url = response.url();
+
+    if (!isStorageImageUrl(url)) {
+      return;
+    }
+
+    const request = response.request();
+    const headers = response.headers();
+    const startedAt = storageRequestStartMs.get(request);
+    storageRequestStartMs.delete(request);
+
+    storageResponses.push({
+      url: new URL(url).pathname,
+      status: response.status(),
+      durationMs: startedAt ? Date.now() - startedAt : 0,
+      contentLength: parseNullableInteger(headers["content-length"]),
+      contentType: headers["content-type"] ?? null,
+      server: headers.server ?? null,
+    });
+  });
+
+  const startMs = Date.now();
+
+  await page.goto("/images", { waitUntil: "domcontentloaded" });
+  await expect(page.locator("#infinite-scroll")).toHaveCount(1, { timeout: 20_000 });
+
+  const firstImage = page.locator("#waterfall-images img").first();
+  await expect(firstImage).toBeVisible({ timeout: 20_000 });
+  await expect
+    .poll(() =>
+      firstImage.evaluate(
+        (image) => (image as HTMLImageElement).complete && (image as HTMLImageElement).naturalWidth > 0,
+      ),
+    )
+    .toBe(true);
+
+  const firstImageReadyMs = Date.now() - startMs;
+  const browserImages = await collectBrowserImageMetrics(page);
+  const loadedImages = browserImages.filter((image) => image.complete && image.naturalWidth > 0);
+  const report = buildReport(firstImageReadyMs, browserImages, storageResponses);
+
+  console.log(JSON.stringify(report, null, 2));
+
+  await testInfo.attach("photos-index-image-performance.json", {
+    body: JSON.stringify(report, null, 2),
+    contentType: "application/json",
+  });
+
+  expect(loadedImages.length).toBeGreaterThanOrEqual(minExpectedImages);
+  expect(storageResponses.length).toBeGreaterThanOrEqual(minExpectedImages);
+  expect(storageResponses.map((response) => response.status)).toEqual(
+    expect.arrayContaining([200]),
+  );
+  expect(storageResponses.every((response) => response.status < 400)).toBe(true);
+  expect(firstImageReadyMs).toBeLessThanOrEqual(pageReadyBudgetMs);
+  expect(maxDuration(storageResponses)).toBeLessThanOrEqual(imageResponseBudgetMs);
+});
+
+async function collectBrowserImageMetrics(page: import("@playwright/test").Page) {
+  return page.locator("#waterfall-images img").evaluateAll((images) =>
+    images.map((image) => {
+      const htmlImage = image as HTMLImageElement;
+      const entry = performance
+        .getEntriesByName(htmlImage.currentSrc)
+        .at(-1) as PerformanceResourceTiming | undefined;
+
+      return {
+        url: new URL(htmlImage.currentSrc).pathname,
+        naturalWidth: htmlImage.naturalWidth,
+        naturalHeight: htmlImage.naturalHeight,
+        complete: htmlImage.complete,
+        durationMs: Math.round(entry?.duration ?? 0),
+        transferSize: entry?.transferSize ?? 0,
+        encodedBodySize: entry?.encodedBodySize ?? 0,
+        decodedBodySize: entry?.decodedBodySize ?? 0,
+      } satisfies BrowserImageMetric;
+    }),
+  );
+}
+
+function buildReport(
+  firstImageReadyMs: number,
+  browserImages: BrowserImageMetric[],
+  storageResponses: ResponseMetric[],
+) {
+  const totalEncodedBytes = browserImages.reduce(
+    (sum, image) => sum + image.encodedBodySize,
+    0,
+  );
+
+  return {
+    budgets: {
+      pageReadyBudgetMs,
+      imageResponseBudgetMs,
+      minExpectedImages,
+    },
+    summary: {
+      firstImageReadyMs,
+      imageCount: browserImages.length,
+      storageRequestCount: storageResponses.length,
+      maxBrowserImageDurationMs: maxDuration(browserImages),
+      maxStorageResponseDurationMs: maxDuration(storageResponses),
+      totalEncodedBytes,
+    },
+    browserImages,
+    storageResponses,
+  };
+}
+
+function maxDuration(metrics: Array<{ durationMs: number }>) {
+  return metrics.reduce((max, metric) => Math.max(max, metric.durationMs), 0);
+}
+
+function readNumberEnv(name: string, fallback: number) {
+  const value = process.env[name];
+
+  if (!value) {
+    return fallback;
+  }
+
+  const parsed = Number(value);
+  return Number.isFinite(parsed) ? parsed : fallback;
+}
+
+function parseNullableInteger(value: string | undefined) {
+  if (!value) {
+    return null;
+  }
+
+  const parsed = Number.parseInt(value, 10);
+  return Number.isFinite(parsed) ? parsed : null;
+}
+
+function isStorageImageUrl(url: string) {
+  return url.includes("/storage/v1/") && !url.includes("/storage/v1/_internal/");
+}