From 4903ae0c63e0b04c76274d16a22e8f060b645a72 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 19 Nov 2025 22:24:40 -0800
Subject: [PATCH 01/75] move service deletion to advanced tab

---
 app/views/projects/services/_advanced.html.erb | 15 +++++++++++++++
 app/views/projects/services/_overview.html.erb |  5 -----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/app/views/projects/services/_advanced.html.erb b/app/views/projects/services/_advanced.html.erb
index 9f675240..2cec9e48 100644
--- a/app/views/projects/services/_advanced.html.erb
+++ b/app/views/projects/services/_advanced.html.erb
@@ -57,4 +57,19 @@
       </div>
     <% end %>
   </div>
+</div>
+
+<div class="mt-8">
+  <h2 class="text-xl font-bold">Danger Zone</h2>
+  <hr class="mt-3 mb-4 border-t border-base-300" />
+
+  <%= button_to(
+    [@service.project, @service],
+    method: :delete,
+    class: "btn btn-error btn-outline",
+    form: { data: { turbo: false, confirm: t("are_you_sure") } }
+  ) do %>
+    <iconify-icon icon="lucide:trash" height="20"></iconify-icon>
+    Delete service
+  <% end %>
 </div>
\ No newline at end of file
diff --git a/app/views/projects/services/_overview.html.erb b/app/views/projects/services/_overview.html.erb
index d2472706..0c7bb7c8 100644
--- a/app/views/projects/services/_overview.html.erb
+++ b/app/views/projects/services/_overview.html.erb
@@ -55,9 +55,4 @@
       <%= form.submit class: "btn btn-primary" %>
     </div>
   <% end %>
-
-  <%= button_to [service.project, service], method: :delete, class: "btn btn-error btn-outline mt-2", form: { data: { turbo_confirm: t("are_you_sure") } } do %>
-    <iconify-icon icon="lucide:trash" height="20" class="text-error-content"></iconify-icon>
-    Delete service 
-  <% end %>
 </div>
\ No newline at end of file

From 79077f45a83fbf44ef52c7af9a0bbd80c3134228 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 21 Nov 2025 10:24:18 -0800
Subject: [PATCH 02/75] added authentication schemes

---
 Gemfile                                       |  1 +
 Gemfile.lock                                  | 50 ++++++++++
 app/avo/resources/ldap_configuration.rb       | 21 ++++
 app/avo/resources/oidc_configuration.rb       | 19 ++++
 app/avo/resources/sso_provider.rb             | 15 +++
 .../accounts/sso_providers_controller.rb      | 71 ++++++++++++++
 .../avo/ldap_configurations_controller.rb     |  4 +
 .../avo/oidc_configurations_controller.rb     |  4 +
 .../avo/sso_providers_controller.rb           |  4 +
 .../users/omniauth_callbacks_controller.rb    | 42 +++++++-
 app/controllers/users/sessions_controller.rb  |  1 +
 app/models/account.rb                         |  5 +
 app/models/ldap_configuration.rb              | 43 ++++++++
 app/models/oidc_configuration.rb              | 19 ++++
 app/models/sso_provider.rb                    | 36 +++++++
 .../accounts/sso_providers/_form.html.erb     | 98 +++++++++++++++++++
 .../accounts/sso_providers/edit.html.erb      | 13 +++
 app/views/accounts/sso_providers/new.html.erb | 13 +++
 .../accounts/sso_providers/show.html.erb      | 55 +++++++++++
 app/views/devise/sessions/new.html.erb        | 18 +++-
 app/views/settings/_layout.html.erb           |  6 ++
 config/initializers/devise.rb                 | 15 ++-
 config/initializers/inflections.rb            |  7 +-
 config/routes.rb                              |  1 +
 .../20251121024059_create_sso_providers.rb    | 12 +++
 ...251121024136_create_oidc_configurations.rb | 16 +++
 ...251121043926_create_ldap_configurations.rb | 18 ++++
 db/schema.rb                                  | 28 +++++-
 lib/devise/strategies/ldap_authenticatable.rb | 79 +++++++++++++++
 lib/omniauth/strategies/dynamic_oidc.rb       | 61 ++++++++++++
 spec/factories/ldap_configurations.rb         | 14 +++
 spec/factories/oidc_configurations.rb         | 28 ++++++
 spec/factories/sso_providers.rb               | 30 ++++++
 spec/models/ldap_configuration_spec.rb        |  5 +
 spec/models/oidc_configuration_spec.rb        | 21 ++++
 spec/models/service_spec.rb                   |  8 ++
 spec/models/sso_provider_spec.rb              | 27 +++++
 37 files changed, 896 insertions(+), 12 deletions(-)
 create mode 100644 app/avo/resources/ldap_configuration.rb
 create mode 100644 app/avo/resources/oidc_configuration.rb
 create mode 100644 app/avo/resources/sso_provider.rb
 create mode 100644 app/controllers/accounts/sso_providers_controller.rb
 create mode 100644 app/controllers/avo/ldap_configurations_controller.rb
 create mode 100644 app/controllers/avo/oidc_configurations_controller.rb
 create mode 100644 app/controllers/avo/sso_providers_controller.rb
 create mode 100644 app/models/ldap_configuration.rb
 create mode 100644 app/models/oidc_configuration.rb
 create mode 100644 app/models/sso_provider.rb
 create mode 100644 app/views/accounts/sso_providers/_form.html.erb
 create mode 100644 app/views/accounts/sso_providers/edit.html.erb
 create mode 100644 app/views/accounts/sso_providers/new.html.erb
 create mode 100644 app/views/accounts/sso_providers/show.html.erb
 create mode 100644 db/migrate/20251121024059_create_sso_providers.rb
 create mode 100644 db/migrate/20251121024136_create_oidc_configurations.rb
 create mode 100644 db/migrate/20251121043926_create_ldap_configurations.rb
 create mode 100644 lib/devise/strategies/ldap_authenticatable.rb
 create mode 100644 lib/omniauth/strategies/dynamic_oidc.rb
 create mode 100644 spec/factories/ldap_configurations.rb
 create mode 100644 spec/factories/oidc_configurations.rb
 create mode 100644 spec/factories/sso_providers.rb
 create mode 100644 spec/models/ldap_configuration_spec.rb
 create mode 100644 spec/models/oidc_configuration_spec.rb
 create mode 100644 spec/models/sso_provider_spec.rb

diff --git a/Gemfile b/Gemfile
index b595e0a1..16758cb9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -82,6 +82,7 @@ gem "pagy", "~> 9.4"
 gem "oj", "~> 3.16"
 gem "omniauth", "~> 2.1"
 gem "omniauth-rails_csrf_protection", "~> 1.0"
+gem "omniauth_openid_connect", "~> 0.8"
 
 gem "annotate", "~> 3.2"
 
diff --git a/Gemfile.lock b/Gemfile.lock
index 9c76845c..ed064f46 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -97,10 +97,12 @@ GEM
       tzinfo (~> 2.0, >= 2.0.5)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
+    aes_key_wrap (1.1.0)
     annotate (3.2.0)
       activerecord (>= 3.2, < 8.0)
       rake (>= 10.4, < 14.0)
     ast (2.4.3)
+    attr_required (1.0.2)
     avo (3.25.3)
       actionview (>= 6.1)
       active_link_to
@@ -122,6 +124,7 @@ GEM
     bcrypt (3.1.20)
     benchmark (0.5.0)
     bigdecimal (3.3.1)
+    bindata (2.5.1)
     bindex (0.8.1)
     bootsnap (1.18.6)
       msgpack (~> 1.2)
@@ -192,6 +195,8 @@ GEM
       dry-inflector (~> 1.0)
       dry-logic (~> 1.4)
       zeitwerk (~> 2.6)
+    email_validator (2.2.4)
+      activemodel
     erb (5.1.3)
     erubi (1.13.1)
     et-orbi (1.4.0)
@@ -208,6 +213,8 @@ GEM
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
+    faraday-follow_redirects (0.4.0)
+      faraday (>= 1, < 3)
     faraday-net_http (3.4.1)
       net-http (>= 0.5.0)
     ffi (1.17.0-aarch64-linux-gnu)
@@ -284,6 +291,13 @@ GEM
     jsbundling-rails (1.3.1)
       railties (>= 6.0.0)
     json (2.13.2)
+    json-jwt (1.17.0)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      base64
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
     jsonpath (1.1.5)
       multi_json
     jwt (2.9.1)
@@ -398,6 +412,22 @@ GEM
     omniauth-rails_csrf_protection (1.0.2)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
+    omniauth_openid_connect (0.8.0)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 2.2)
+    openid_connect (2.3.1)
+      activemodel
+      attr_required (>= 1.0.0)
+      email_validator
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_url
+      webfinger (~> 2.0)
     orm_adapter (0.5.0)
     ostruct (0.6.2)
     pagy (9.4.0)
@@ -432,6 +462,13 @@ GEM
     raabro (1.4.0)
     racc (1.8.1)
     rack (3.1.18)
+    rack-oauth2 (2.3.0)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
     rack-protection (4.0.0)
       base64 (>= 0.1.0)
       rack (>= 3.0.0, < 4)
@@ -583,6 +620,11 @@ GEM
     stimulus-rails (1.3.4)
       railties (>= 6.0.0)
     stringio (3.1.7)
+    swd (2.0.3)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     sys-proctable (1.3.0)
       ffi (~> 1.1)
     tailwindcss-rails (2.7.6)
@@ -613,6 +655,9 @@ GEM
     unicode-emoji (4.0.4)
     uri (1.0.3)
     useragent (0.16.11)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
     version_gem (1.1.4)
     view_component (4.1.0)
       activesupport (>= 7.1.0, < 8.2)
@@ -624,6 +669,10 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
+    webfinger (2.1.3)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
     webmock (3.26.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -683,6 +732,7 @@ DEPENDENCIES
   omniauth-github (~> 2.0)
   omniauth-gitlab (~> 4.1)
   omniauth-rails_csrf_protection (~> 1.0)
+  omniauth_openid_connect (~> 0.8)
   pagy (~> 9.4)
   pg (~> 1.6)
   pretender (~> 0.6.0)
diff --git a/app/avo/resources/ldap_configuration.rb b/app/avo/resources/ldap_configuration.rb
new file mode 100644
index 00000000..fc4384f1
--- /dev/null
+++ b/app/avo/resources/ldap_configuration.rb
@@ -0,0 +1,21 @@
+class Avo::Resources::LdapConfiguration < Avo::BaseResource
+  # self.includes = []
+  # self.attachments = []
+  # self.search = {
+  #   query: -> { query.ransack(id_eq: q, m: "or").result(distinct: false) }
+  # }
+
+  def fields
+    field :id, as: :id
+    field :host, as: :text
+    field :port, as: :number
+    field :encryption, as: :text
+    field :base_dn, as: :text
+    field :bind_dn, as: :text
+    field :bind_password, as: :text
+    field :uid_attribute, as: :text
+    field :email_attribute, as: :text
+    field :name_attribute, as: :text
+    field :filter, as: :text
+  end
+end
diff --git a/app/avo/resources/oidc_configuration.rb b/app/avo/resources/oidc_configuration.rb
new file mode 100644
index 00000000..1a603d96
--- /dev/null
+++ b/app/avo/resources/oidc_configuration.rb
@@ -0,0 +1,19 @@
+class Avo::Resources::OIDCConfiguration < Avo::BaseResource
+  # self.includes = []
+  # self.attachments = []
+  # self.search = {
+  #   query: -> { query.ransack(id_eq: q, m: "or").result(distinct: false) }
+  # }
+
+  def fields
+    field :id, as: :id
+    field :issuer, as: :text
+    field :client_id, as: :text
+    field :client_secret, as: :text
+    field :authorization_endpoint, as: :text
+    field :token_endpoint, as: :text
+    field :userinfo_endpoint, as: :text
+    field :jwks_uri, as: :text
+    field :scopes, as: :text
+  end
+end
diff --git a/app/avo/resources/sso_provider.rb b/app/avo/resources/sso_provider.rb
new file mode 100644
index 00000000..29ca0a49
--- /dev/null
+++ b/app/avo/resources/sso_provider.rb
@@ -0,0 +1,15 @@
+class Avo::Resources::SSOProvider < Avo::BaseResource
+  # self.includes = []
+  # self.attachments = []
+  # self.search = {
+  #   query: -> { query.ransack(id_eq: q, m: "or").result(distinct: false) }
+  # }
+
+  def fields
+    field :id, as: :id
+    field :account, as: :belongs_to
+    field :configuration, as: :text
+    field :name, as: :text
+    field :enabled, as: :boolean
+  end
+end
diff --git a/app/controllers/accounts/sso_providers_controller.rb b/app/controllers/accounts/sso_providers_controller.rb
new file mode 100644
index 00000000..a9b95045
--- /dev/null
+++ b/app/controllers/accounts/sso_providers_controller.rb
@@ -0,0 +1,71 @@
+module Accounts
+  class SSOProvidersController < ApplicationController
+    def show
+      @sso_provider = current_account.sso_provider
+      @oidc_configuration = @sso_provider&.configuration
+    end
+
+    def new
+      @sso_provider = current_account.build_sso_provider
+      @oidc_configuration = OIDCConfiguration.new
+    end
+
+    def create
+      @oidc_configuration = OIDCConfiguration.new(oidc_configuration_params)
+      @sso_provider = current_account.build_sso_provider(sso_provider_params)
+      @sso_provider.configuration = @oidc_configuration
+
+      if @oidc_configuration.save && @sso_provider.save
+        redirect_to sso_provider_path, notice: "SSO provider created successfully"
+      else
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    def edit
+      @sso_provider = current_account.sso_provider
+      redirect_to new_sso_provider_path, alert: "No SSO provider configured" unless @sso_provider
+      @oidc_configuration = @sso_provider&.configuration
+    end
+
+    def update
+      @sso_provider = current_account.sso_provider
+      @oidc_configuration = @sso_provider.configuration
+
+      if @oidc_configuration.update(oidc_configuration_params) && @sso_provider.update(sso_provider_params)
+        redirect_to sso_provider_path, notice: "SSO provider updated successfully"
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    def destroy
+      @sso_provider = current_account.sso_provider
+
+      if @sso_provider&.destroy
+        redirect_to sso_provider_path, notice: "SSO provider deleted"
+      else
+        redirect_to sso_provider_path, alert: "Failed to delete SSO provider"
+      end
+    end
+
+    private
+
+    def sso_provider_params
+      params.require(:sso_provider).permit(:name, :enabled)
+    end
+
+    def oidc_configuration_params
+      params.require(:oidc_configuration).permit(
+        :issuer,
+        :client_id,
+        :client_secret,
+        :authorization_endpoint,
+        :token_endpoint,
+        :userinfo_endpoint,
+        :jwks_uri,
+        :scopes
+      )
+    end
+  end
+end
diff --git a/app/controllers/avo/ldap_configurations_controller.rb b/app/controllers/avo/ldap_configurations_controller.rb
new file mode 100644
index 00000000..db3b9ff6
--- /dev/null
+++ b/app/controllers/avo/ldap_configurations_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/3.0/controllers.html
+class Avo::LdapConfigurationsController < Avo::ResourcesController
+end
diff --git a/app/controllers/avo/oidc_configurations_controller.rb b/app/controllers/avo/oidc_configurations_controller.rb
new file mode 100644
index 00000000..08b8968b
--- /dev/null
+++ b/app/controllers/avo/oidc_configurations_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/3.0/controllers.html
+class Avo::OIDCConfigurationsController < Avo::ResourcesController
+end
diff --git a/app/controllers/avo/sso_providers_controller.rb b/app/controllers/avo/sso_providers_controller.rb
new file mode 100644
index 00000000..bc0e5792
--- /dev/null
+++ b/app/controllers/avo/sso_providers_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/3.0/controllers.html
+class Avo::SSOProvidersController < Avo::ResourcesController
+end
diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index 5800bf61..9f1f3949 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -1,7 +1,7 @@
 module Users
   class OmniauthCallbacksController < Devise::OmniauthCallbacksController
-    before_action :set_provider, except: [ :failure ]
-    before_action :set_user, except: [ :failure ]
+    before_action :set_provider, except: [ :failure, :oidc ]
+    before_action :set_user, except: [ :failure, :oidc ]
 
     attr_reader :provider, :user
 
@@ -13,8 +13,46 @@ module Users
       handle_auth "Github"
     end
 
+    def oidc
+      sso_provider_id = session["sso_provider_id"]
+      sso_provider = SSOProvider.find_by(id: sso_provider_id) if sso_provider_id.present?
+
+      if sso_provider
+        @user = find_or_create_oidc_user
+        handle_oidc_auth(sso_provider)
+      else
+        redirect_to root_path, alert: "SSO provider not found"
+      end
+    end
+
     private
 
+    def find_or_create_oidc_user
+      if user_signed_in?
+        current_user
+      else
+        # Find or create user from OIDC data
+        create_user
+      end
+    end
+
+    def handle_oidc_auth(sso_provider)
+      # For OIDC, we don't store in Provider model, just authenticate
+      if user_signed_in?
+        flash[:notice] = "Your #{sso_provider.name} account was connected."
+        redirect_to edit_user_registration_path
+      else
+        sign_in_and_redirect @user, event: :authentication
+        # Set account from SSO provider
+        session[:account_id] = sso_provider.account_id
+        set_flash_message :notice, :success, kind: sso_provider.name
+      end
+
+      # Clear SSO session data
+      session.delete("sso_provider_id")
+      session.delete("sso_account_id")
+    end
+
     def handle_auth(kind)
       if provider.present?
         provider.update(provider_attrs)
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index 43df8e2a..b5199475 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -40,6 +40,7 @@ class Users::SessionsController < Devise::SessionsController
   def account_login
     self.resource = resource_class.new(sign_in_params)
     clean_up_passwords(resource)
+    @sso_provider = @account.sso_provider if @account.sso_enabled?
     if @account.stack_manager&.portainer?
       render "devise/sessions/portainer"
     else
diff --git a/app/models/account.rb b/app/models/account.rb
index 1112e036..f41460f0 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -26,6 +26,7 @@ class Account < ApplicationRecord
   has_many :account_users, dependent: :destroy
   has_many :users, through: :account_users
   has_one :stack_manager, dependent: :destroy
+  has_one :sso_provider, dependent: :destroy
 
   has_many :clusters, dependent: :destroy
   has_many :build_clouds, through: :clusters
@@ -47,4 +48,8 @@ class Account < ApplicationRecord
   def github_provider
     @_github_account ||= owner.providers.find_by(provider: "github")
   end
+
+  def sso_enabled?
+    sso_provider&.enabled?
+  end
 end
diff --git a/app/models/ldap_configuration.rb b/app/models/ldap_configuration.rb
new file mode 100644
index 00000000..49f78280
--- /dev/null
+++ b/app/models/ldap_configuration.rb
@@ -0,0 +1,43 @@
+# == Schema Information
+#
+# Table name: ldap_configurations
+#
+#  id               :bigint           not null, primary key
+#  base_dn          :string           not null
+#  bind_dn          :string
+#  bind_password    :string
+#  email_attribute  :string           default("mail")
+#  encryption       :string           default("plain")
+#  filter           :string
+#  host             :string           not null
+#  name_attribute   :string           default("cn")
+#  port             :integer          default(389), not null
+#  uid_attribute    :string           default("uid"), not null
+#  created_at       :datetime         not null
+#  updated_at       :datetime         not null
+#
+class LdapConfiguration < ApplicationRecord
+  has_one :sso_provider, as: :configuration, dependent: :destroy
+
+  validates :host, presence: true
+  validates :port, presence: true, numericality: { only_integer: true, greater_than: 0 }
+  validates :base_dn, presence: true
+  validates :uid_attribute, presence: true
+  validates :encryption, inclusion: { in: %w[plain simple_tls start_tls] }
+
+  # Encryption options: plain (no encryption), simple_tls (LDAPS), start_tls (STARTTLS)
+  def encryption_method
+    case encryption
+    when "simple_tls"
+      :simple_tls
+    when "start_tls"
+      :start_tls
+    else
+      nil
+    end
+  end
+
+  def requires_auth?
+    bind_dn.present? && bind_password.present?
+  end
+end
diff --git a/app/models/oidc_configuration.rb b/app/models/oidc_configuration.rb
new file mode 100644
index 00000000..3928992b
--- /dev/null
+++ b/app/models/oidc_configuration.rb
@@ -0,0 +1,19 @@
+# == Schema Information
+#
+# Table name: oidc_configurations
+#
+#  id                     :bigint           not null, primary key
+#  authorization_endpoint :string
+#  client_secret          :string           not null
+#  issuer                 :string           not null
+#  jwks_uri               :string
+#  scopes                 :string           default("openid email profile")
+#  token_endpoint         :string
+#  userinfo_endpoint      :string
+#  created_at             :datetime         not null
+#  updated_at             :datetime         not null
+#  client_id              :string           not null
+#
+class OIDCConfiguration < ApplicationRecord
+  has_one :sso_provider, as: :configuration, dependent: :destroy
+end
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
new file mode 100644
index 00000000..da7a3f84
--- /dev/null
+++ b/app/models/sso_provider.rb
@@ -0,0 +1,36 @@
+# == Schema Information
+#
+# Table name: sso_providers
+#
+#  id                 :bigint           not null, primary key
+#  configuration_type :string           not null
+#  enabled            :boolean          default(TRUE), not null
+#  name               :string           not null
+#  created_at         :datetime         not null
+#  updated_at         :datetime         not null
+#  account_id         :bigint           not null
+#  configuration_id   :bigint           not null
+#
+# Indexes
+#
+#  index_sso_providers_on_account_id     (account_id) UNIQUE
+#  index_sso_providers_on_configuration  (configuration_type,configuration_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (account_id => accounts.id)
+#
+class SSOProvider < ApplicationRecord
+  belongs_to :account
+  belongs_to :configuration, polymorphic: true
+
+  validates :account_id, uniqueness: true
+
+  def oidc?
+    configuration_type == "OIDCConfiguration"
+  end
+
+  def ldap?
+    configuration_type == "LdapConfiguration"
+  end
+end
diff --git a/app/views/accounts/sso_providers/_form.html.erb b/app/views/accounts/sso_providers/_form.html.erb
new file mode 100644
index 00000000..b1b7df1f
--- /dev/null
+++ b/app/views/accounts/sso_providers/_form.html.erb
@@ -0,0 +1,98 @@
+<%= form_with model: sso_provider, url: sso_provider.persisted? ? sso_provider_path : sso_provider_path do |form| %>
+  <%= render "shared/error_messages", resource: form.object %>
+
+  <div class="form-control mt-4 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Provider Name</span>
+    </label>
+    <%= form.text_field :name, class: "input input-bordered", required: true, placeholder: "e.g., Company SSO" %>
+    <label class="label">
+      <span class="label-text-alt">A friendly name for this SSO provider</span>
+    </label>
+  </div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label cursor-pointer justify-start gap-2">
+      <%= form.check_box :enabled, class: "checkbox checkbox-primary" %>
+      <span class="label-text">Enable this provider</span>
+    </label>
+  </div>
+
+  <div class="divider">OIDC Configuration</div>
+
+  <%= fields_for :oidc_configuration, oidc_configuration do |oidc_form| %>
+    <div class="form-control mt-1 w-full max-w-sm">
+      <label class="label">
+        <span class="label-text">Issuer URL <span class="text-error">*</span></span>
+      </label>
+      <%= oidc_form.text_field :issuer, class: "input input-bordered", required: true, placeholder: "https://your-idp.com" %>
+      <label class="label">
+        <span class="label-text-alt">The base URL of your OIDC provider</span>
+      </label>
+    </div>
+
+    <div class="form-control mt-1 w-full max-w-sm">
+      <label class="label">
+        <span class="label-text">Client ID <span class="text-error">*</span></span>
+      </label>
+      <%= oidc_form.text_field :client_id, class: "input input-bordered", required: true %>
+    </div>
+
+    <div class="form-control mt-1 w-full max-w-sm">
+      <label class="label">
+        <span class="label-text">Client Secret <span class="text-error">*</span></span>
+      </label>
+      <%= oidc_form.password_field :client_secret, class: "input input-bordered", required: true %>
+    </div>
+
+    <div class="form-control mt-1 w-full max-w-sm">
+      <label class="label">
+        <span class="label-text">Scopes</span>
+      </label>
+      <%= oidc_form.text_field :scopes, class: "input input-bordered", placeholder: "openid email profile" %>
+      <label class="label">
+        <span class="label-text-alt">Space-separated list of scopes (defaults to "openid email profile")</span>
+      </label>
+    </div>
+
+    <details class="collapse collapse-arrow bg-base-200 mt-4 max-w-sm">
+      <summary class="collapse-title font-medium">
+        Advanced Settings (Optional)
+      </summary>
+      <div class="collapse-content space-y-4">
+        <div class="form-control mt-1 w-full">
+          <label class="label">
+            <span class="label-text">Authorization Endpoint</span>
+          </label>
+          <%= oidc_form.text_field :authorization_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
+        </div>
+
+        <div class="form-control mt-1 w-full">
+          <label class="label">
+            <span class="label-text">Token Endpoint</span>
+          </label>
+          <%= oidc_form.text_field :token_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
+        </div>
+
+        <div class="form-control mt-1 w-full">
+          <label class="label">
+            <span class="label-text">UserInfo Endpoint</span>
+          </label>
+          <%= oidc_form.text_field :userinfo_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
+        </div>
+
+        <div class="form-control mt-1 w-full">
+          <label class="label">
+            <span class="label-text">JWKS URI</span>
+          </label>
+          <%= oidc_form.text_field :jwks_uri, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
+        </div>
+      </div>
+    </details>
+  <% end %>
+
+  <div class="form-footer mt-6">
+    <%= form.submit sso_provider.persisted? ? "Update Provider" : "Create Provider", class: "btn btn-primary" %>
+    <%= link_to "Cancel", sso_provider_path, class: "btn btn-outline" %>
+  </div>
+<% end %>
diff --git a/app/views/accounts/sso_providers/edit.html.erb b/app/views/accounts/sso_providers/edit.html.erb
new file mode 100644
index 00000000..fbb4b760
--- /dev/null
+++ b/app/views/accounts/sso_providers/edit.html.erb
@@ -0,0 +1,13 @@
+<%= settings_layout do %>
+  <%= turbo_frame_tag "sso_provider" do %>
+    <div class="font-lg font-bold mt-4">
+      Edit <%= @sso_provider.name %>
+    </div>
+
+    <div class="text-sm text-gray-500 mt-2 mb-4">
+      Update your OIDC provider configuration.
+    </div>
+
+    <%= render "accounts/sso_providers/form", sso_provider: @sso_provider, oidc_configuration: @oidc_configuration %>
+  <% end %>
+<% end %>
diff --git a/app/views/accounts/sso_providers/new.html.erb b/app/views/accounts/sso_providers/new.html.erb
new file mode 100644
index 00000000..1e0fb228
--- /dev/null
+++ b/app/views/accounts/sso_providers/new.html.erb
@@ -0,0 +1,13 @@
+<%= settings_layout do %>
+  <%= turbo_frame_tag "sso_provider" do %>
+    <div class="font-lg font-bold mt-4">
+      Add OIDC Provider
+    </div>
+
+    <div class="text-sm text-gray-500 mt-2 mb-4">
+      Configure an OpenID Connect (OIDC) provider for SSO authentication. This will allow users to sign in using your organization's identity provider.
+    </div>
+
+    <%= render "accounts/sso_providers/form", sso_provider: @sso_provider, oidc_configuration: @oidc_configuration %>
+  <% end %>
+<% end %>
diff --git a/app/views/accounts/sso_providers/show.html.erb b/app/views/accounts/sso_providers/show.html.erb
new file mode 100644
index 00000000..8a86767a
--- /dev/null
+++ b/app/views/accounts/sso_providers/show.html.erb
@@ -0,0 +1,55 @@
+<%= settings_layout do %>
+  <h2 class="text-2xl font-bold">Authentication</h2>
+  <hr class="mt-3 mb-4 border-t border-base-300" />
+
+  <%= turbo_frame_tag "sso_provider" do %>
+    <% if @sso_provider.present? %>
+      <div class="card bg-base-200 mb-4">
+        <div class="card-body">
+          <div class="flex justify-between items-start">
+            <div>
+              <h3 class="text-lg font-semibold"><%= @sso_provider.name %></h3>
+              <div class="flex gap-2 mt-2">
+                <span class="badge badge-outline">OIDC</span>
+                <% if @sso_provider.enabled %>
+                  <span class="badge badge-success">Enabled</span>
+                <% else %>
+                  <span class="badge badge-ghost">Disabled</span>
+                <% end %>
+              </div>
+            </div>
+            <div class="flex gap-2">
+              <%= link_to "Edit", edit_sso_provider_path, class: "btn btn-sm btn-outline" %>
+              <%= button_to "Delete", sso_provider_path, method: :delete, class: "btn btn-sm btn-error", data: { turbo_confirm: "Are you sure you want to delete this SSO provider?" } %>
+            </div>
+          </div>
+
+          <% if @oidc_configuration %>
+            <div class="divider"></div>
+            <div class="grid grid-cols-2 gap-4 text-sm">
+              <div>
+                <span class="text-gray-500">Issuer:</span>
+                <div class="font-mono"><%= @oidc_configuration.issuer %></div>
+              </div>
+              <div>
+                <span class="text-gray-500">Client ID:</span>
+                <div class="font-mono"><%= @oidc_configuration.client_id %></div>
+              </div>
+              <div>
+                <span class="text-gray-500">Scopes:</span>
+                <div class="font-mono"><%= @oidc_configuration.scopes || "openid email profile" %></div>
+              </div>
+            </div>
+          <% end %>
+        </div>
+      </div>
+    <% else %>
+      <div class="alert mb-4">
+        <iconify-icon icon="lucide:info" class="mr-2"></iconify-icon>
+        <span>No SSO provider configured for this account.</span>
+      </div>
+
+      <%= link_to "+ Add OIDC Provider", new_sso_provider_path, class: "btn btn-primary btn-sm" %>
+    <% end %>
+  <% end %>
+<% end %>
diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb
index fc55f950..c95cd60f 100644
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -41,13 +41,27 @@
           <%= f.submit "Sign in", class: "btn btn-primary w-full" %>
         </div>
       <% end %>
-      <% unless Rails.application.config.local_mode %>
-
+      <% if defined?(@sso_provider) && @sso_provider.present? %>
         <div class="flex items-center my-4">
           <div class="flex-grow border-t border-gray-600"></div>
           <span class="mx-4 text-gray-500">OR</span>
           <div class="flex-grow border-t border-gray-600"></div>
         </div>
+
+        <%= button_to "Sign in with #{@sso_provider.name}",
+                      user_oidc_omniauth_authorize_path(sso_provider_id: @sso_provider.id),
+                      class: "btn btn-outline w-full",
+                      data: { turbo: false } %>
+      <% end %>
+
+      <% unless Rails.application.config.local_mode %>
+        <% unless defined?(@sso_provider) && @sso_provider.present? %>
+          <div class="flex items-center my-4">
+            <div class="flex-grow border-t border-gray-600"></div>
+            <span class="mx-4 text-gray-500">OR</span>
+            <div class="flex-grow border-t border-gray-600"></div>
+          </div>
+        <% end %>
         <%= render "devise/shared/links" %>
       <% end %>
     </div>
diff --git a/app/views/settings/_layout.html.erb b/app/views/settings/_layout.html.erb
index 169ccf8a..a14ce47e 100644
--- a/app/views/settings/_layout.html.erb
+++ b/app/views/settings/_layout.html.erb
@@ -39,6 +39,12 @@
               Credentials
             <% end %>
           </li>
+          <li class="<%= 'underline' if current_page?(sso_provider_path) || current_page?(new_sso_provider_path) || current_page?(edit_sso_provider_path) %>" style="text-underline-offset: 0.25rem;">
+            <%= link_to sso_provider_path do %>
+              <iconify-icon icon="lucide:shield-check" ></iconify-icon>
+              Authentication
+            <% end %>
+          </li>
           <% if Flipper.enabled?(:stack_manager, current_account) %>
           <li class="<%= 'underline' if controller_name == 'stack_managers' %>" style="text-underline-offset: 0.25rem;">
             <%= link_to stack_manager_path do %>
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index c74a6b1d..d74342d4 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -274,14 +274,21 @@ Devise.setup do |config|
   # TODO (chris): add digital ocean?
   config.omniauth :github, ENV["OMNIAUTH_GITHUB_PUBLIC_KEY"], ENV["OMNIAUTH_GITHUB_PRIVATE_KEY"], scope: "user,repo,write:packages,read:org"
   config.omniauth :developer if Rails.env.test?
+
+  # Dynamic OIDC provider
+  require Rails.root.join("lib/omniauth/strategies/dynamic_oidc")
+  config.omniauth :oidc, strategy_class: OmniAuth::Strategies::DynamicOIDC
+
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or
   # change the failure app, you can configure them inside the config.warden block.
   #
-  # config.warden do |manager|
-  #   manager.intercept_401 = false
-  #   manager.default_strategies(scope: :user).unshift :some_external_strategy
-  # end
+  # Load custom LDAP authentication strategy
+  require Rails.root.join('lib', 'devise', 'strategies', 'ldap_authenticatable')
+
+  config.warden do |manager|
+    manager.strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
+  end
 
   # ==> Mountable engine configurations
   # When using Devise inside an engine, let's call it `MyEngine`, and this engine
diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb
index 3860f659..ad5df37e 100644
--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@@ -11,6 +11,7 @@
 # end
 
 # These inflection rules are supported but not enabled by default:
-# ActiveSupport::Inflector.inflections(:en) do |inflect|
-#   inflect.acronym "RESTful"
-# end
+ActiveSupport::Inflector.inflections(:en) do |inflect|
+  inflect.acronym "OIDC"
+  inflect.acronym "SSO"
+end
diff --git a/config/routes.rb b/config/routes.rb
index 34020f20..e2f9bcee 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -19,6 +19,7 @@ Rails.application.routes.draw do
   resources :accounts, only: [ :create ] do
     collection do
       resources :account_users, only: %i[create index destroy], module: :accounts
+      resource :sso_provider, only: %i[show new create edit update destroy], module: :accounts
     end
     member do
       get :switch
diff --git a/db/migrate/20251121024059_create_sso_providers.rb b/db/migrate/20251121024059_create_sso_providers.rb
new file mode 100644
index 00000000..2d8edbd5
--- /dev/null
+++ b/db/migrate/20251121024059_create_sso_providers.rb
@@ -0,0 +1,12 @@
+class CreateSSOProviders < ActiveRecord::Migration[7.2]
+  def change
+    create_table :sso_providers do |t|
+      t.references :account, null: false, foreign_key: true, index: { unique: true }
+      t.references :configuration, polymorphic: true, null: false
+      t.string :name, null: false
+      t.boolean :enabled, default: true, null: false
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/migrate/20251121024136_create_oidc_configurations.rb b/db/migrate/20251121024136_create_oidc_configurations.rb
new file mode 100644
index 00000000..bb5a5595
--- /dev/null
+++ b/db/migrate/20251121024136_create_oidc_configurations.rb
@@ -0,0 +1,16 @@
+class CreateOIDCConfigurations < ActiveRecord::Migration[7.2]
+  def change
+    create_table :oidc_configurations do |t|
+      t.string :issuer, null: false
+      t.string :client_id, null: false
+      t.string :client_secret, null: false
+      t.string :authorization_endpoint
+      t.string :token_endpoint
+      t.string :userinfo_endpoint
+      t.string :jwks_uri
+      t.string :scopes, default: "openid email profile"
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/migrate/20251121043926_create_ldap_configurations.rb b/db/migrate/20251121043926_create_ldap_configurations.rb
new file mode 100644
index 00000000..48ad11dd
--- /dev/null
+++ b/db/migrate/20251121043926_create_ldap_configurations.rb
@@ -0,0 +1,18 @@
+class CreateLdapConfigurations < ActiveRecord::Migration[7.2]
+  def change
+    create_table :ldap_configurations do |t|
+      t.string :host, null: false
+      t.integer :port, default: 389, null: false
+      t.string :encryption, default: "plain"
+      t.string :base_dn, null: false
+      t.string :bind_dn
+      t.string :bind_password
+      t.string :uid_attribute, default: "uid", null: false
+      t.string :email_attribute, default: "mail"
+      t.string :name_attribute, default: "cn"
+      t.string :filter
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 71cdc21f..924d3720 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
+ActiveRecord::Schema[7.2].define(version: 2025_11_21_024136) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -375,6 +375,19 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.index ["recipient_type", "recipient_id"], name: "index_noticed_notifications_on_recipient"
   end
 
+  create_table "oidc_configurations", force: :cascade do |t|
+    t.string "issuer", null: false
+    t.string "client_id", null: false
+    t.string "client_secret", null: false
+    t.string "authorization_endpoint"
+    t.string "token_endpoint"
+    t.string "userinfo_endpoint"
+    t.string "jwks_uri"
+    t.string "scopes", default: "openid email profile"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   create_table "project_add_ons", force: :cascade do |t|
     t.bigint "project_id", null: false
     t.bigint "add_on_id", null: false
@@ -477,6 +490,18 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.index ["project_id"], name: "index_services_on_project_id"
   end
 
+  create_table "sso_providers", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "configuration_type", null: false
+    t.bigint "configuration_id", null: false
+    t.string "name", null: false
+    t.boolean "enabled", default: true, null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["account_id"], name: "index_sso_providers_on_account_id", unique: true
+    t.index ["configuration_type", "configuration_id"], name: "index_sso_providers_on_configuration"
+  end
+
   create_table "stack_managers", force: :cascade do |t|
     t.string "provider_url", null: false
     t.integer "stack_manager_type", default: 0, null: false
@@ -544,6 +569,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
   add_foreign_key "projects", "clusters", column: "project_fork_cluster_id"
   add_foreign_key "providers", "users"
   add_foreign_key "services", "projects"
+  add_foreign_key "sso_providers", "accounts"
   add_foreign_key "stack_managers", "accounts"
   add_foreign_key "volumes", "projects"
 end
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
new file mode 100644
index 00000000..1587cba1
--- /dev/null
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -0,0 +1,79 @@
+require 'net/ldap'
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    class LdapAuthenticatable < Authenticatable
+      def authenticate!
+        if params[:user]
+          ldap_config = find_ldap_configuration
+
+          return fail(:invalid_login) unless ldap_config
+
+          ldap = Net::LDAP.new(
+            host: ldap_config.host,
+            port: ldap_config.port,
+            encryption: ldap_config.encryption_method
+          )
+
+          # Build the user DN for authentication
+          user_dn = build_user_dn(ldap_config, email)
+          ldap.auth user_dn, password
+
+          if ldap.bind
+            # LDAP authentication successful, find or create user
+            user = User.find_or_create_by(email: email) do |u|
+              u.password = SecureRandom.hex(32) # Set random password since LDAP handles auth
+              u.account = find_or_create_account_for_ldap(ldap_config)
+            end
+            success!(user)
+          else
+            Rails.logger.info "LDAP bind failed for #{email}: #{ldap.get_operation_result.message}"
+            return fail(:invalid_login)
+          end
+        end
+      end
+
+      def email
+        params[:user][:email]
+      end
+
+      def password
+        params[:user][:password]
+      end
+
+      private
+
+      def find_ldap_configuration
+        # Find the LDAP configuration for the account
+        # This could be based on email domain or a selection during login
+        account_id = session[:ldap_account_id] || params[:account_id]
+
+        if account_id
+          sso_provider = SSOProvider.find_by(account_id: account_id, enabled: true)
+          return sso_provider.configuration if sso_provider&.ldap?
+        end
+
+        # Fallback: try to find by email domain or return first enabled LDAP config
+        LdapConfiguration.joins(:sso_provider)
+                         .where(sso_providers: { enabled: true })
+                         .first
+      end
+
+      def build_user_dn(ldap_config, email)
+        # Extract username from email if needed
+        username = email.split('@').first
+
+        # Build the DN using the uid attribute and base DN
+        "#{ldap_config.uid_attribute}=#{username},#{ldap_config.base_dn}"
+      end
+
+      def find_or_create_account_for_ldap(ldap_config)
+        sso_provider = ldap_config.sso_provider
+        sso_provider&.account
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
diff --git a/lib/omniauth/strategies/dynamic_oidc.rb b/lib/omniauth/strategies/dynamic_oidc.rb
new file mode 100644
index 00000000..9591901b
--- /dev/null
+++ b/lib/omniauth/strategies/dynamic_oidc.rb
@@ -0,0 +1,61 @@
+require "omniauth_openid_connect"
+
+module OmniAuth
+  module Strategies
+    class DynamicOIDC < OmniAuth::Strategies::OpenIDConnect
+      option :name, "oidc"
+      option :issuer, "placeholder"  # Will be overridden
+
+      # Run before request_phase to load config from database
+      def request_phase
+        load_configuration_from_database
+        super
+      end
+
+      # Run before callback_phase to load config from database
+      def callback_phase
+        load_configuration_from_database
+        super
+      end
+
+      private
+
+      def load_configuration_from_database
+        sso_provider_id = request.params["sso_provider_id"] || session["sso_provider_id"]
+
+        return unless sso_provider_id.present?
+
+        begin
+          sso_provider = SSOProvider.find_by(id: sso_provider_id, enabled: true)
+
+          if sso_provider&.oidc? && sso_provider.configuration
+            oidc_config = sso_provider.configuration
+
+            # Override the options with database values
+            options[:issuer] = oidc_config.issuer
+            options[:client_options] = {
+              identifier: oidc_config.client_id,
+              secret: oidc_config.client_secret,
+              redirect_uri: callback_url,
+              authorization_endpoint: oidc_config.authorization_endpoint.presence,
+              token_endpoint: oidc_config.token_endpoint.presence,
+              userinfo_endpoint: oidc_config.userinfo_endpoint.presence,
+              jwks_uri: oidc_config.jwks_uri.presence
+            }.compact
+
+            options[:scope] = oidc_config.scopes&.split(" ") || [ :openid, :email, :profile ]
+            options[:response_type] = :code
+            options[:uid_field] = "sub"
+
+            # Store in session for callback
+            session["sso_provider_id"] = sso_provider.id
+            session["sso_account_id"] = sso_provider.account_id
+          end
+        rescue ActiveRecord::StatementInvalid, PG::UndefinedTable
+          # Database not ready yet or table doesn't exist
+          Rails.logger.debug "DynamicOIDC: database not ready"
+        end
+      end
+    end
+  end
+end
diff --git a/spec/factories/ldap_configurations.rb b/spec/factories/ldap_configurations.rb
new file mode 100644
index 00000000..bf7e136e
--- /dev/null
+++ b/spec/factories/ldap_configurations.rb
@@ -0,0 +1,14 @@
+FactoryBot.define do
+  factory :ldap_configuration do
+    host { "MyString" }
+    port { 1 }
+    encryption { "MyString" }
+    base_dn { "MyString" }
+    bind_dn { "MyString" }
+    bind_password { "MyString" }
+    uid_attribute { "MyString" }
+    email_attribute { "MyString" }
+    name_attribute { "MyString" }
+    filter { "MyString" }
+  end
+end
diff --git a/spec/factories/oidc_configurations.rb b/spec/factories/oidc_configurations.rb
new file mode 100644
index 00000000..668b106f
--- /dev/null
+++ b/spec/factories/oidc_configurations.rb
@@ -0,0 +1,28 @@
+# == Schema Information
+#
+# Table name: oidc_configurations
+#
+#  id                     :bigint           not null, primary key
+#  authorization_endpoint :string
+#  client_secret          :string           not null
+#  issuer                 :string           not null
+#  jwks_uri               :string
+#  scopes                 :string           default("openid email profile")
+#  token_endpoint         :string
+#  userinfo_endpoint      :string
+#  created_at             :datetime         not null
+#  updated_at             :datetime         not null
+#  client_id              :string           not null
+#
+FactoryBot.define do
+  factory :oidc_configuration do
+    issuer { "MyString" }
+    client_id { "MyString" }
+    client_secret { "MyString" }
+    authorization_endpoint { "MyString" }
+    token_endpoint { "MyString" }
+    userinfo_endpoint { "MyString" }
+    jwks_uri { "MyString" }
+    scopes { "MyString" }
+  end
+end
diff --git a/spec/factories/sso_providers.rb b/spec/factories/sso_providers.rb
new file mode 100644
index 00000000..2a8c4171
--- /dev/null
+++ b/spec/factories/sso_providers.rb
@@ -0,0 +1,30 @@
+# == Schema Information
+#
+# Table name: sso_providers
+#
+#  id                 :bigint           not null, primary key
+#  configuration_type :string           not null
+#  enabled            :boolean          default(TRUE), not null
+#  name               :string           not null
+#  created_at         :datetime         not null
+#  updated_at         :datetime         not null
+#  account_id         :bigint           not null
+#  configuration_id   :bigint           not null
+#
+# Indexes
+#
+#  index_sso_providers_on_account_id     (account_id) UNIQUE
+#  index_sso_providers_on_configuration  (configuration_type,configuration_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (account_id => accounts.id)
+#
+FactoryBot.define do
+  factory :sso_provider do
+    account { nil }
+    configuration { nil }
+    name { "MyString" }
+    enabled { false }
+  end
+end
diff --git a/spec/models/ldap_configuration_spec.rb b/spec/models/ldap_configuration_spec.rb
new file mode 100644
index 00000000..22dd7518
--- /dev/null
+++ b/spec/models/ldap_configuration_spec.rb
@@ -0,0 +1,5 @@
+require 'rails_helper'
+
+RSpec.describe LdapConfiguration, type: :model do
+  pending "add some examples to (or delete) #{__FILE__}"
+end
diff --git a/spec/models/oidc_configuration_spec.rb b/spec/models/oidc_configuration_spec.rb
new file mode 100644
index 00000000..3fe2e56e
--- /dev/null
+++ b/spec/models/oidc_configuration_spec.rb
@@ -0,0 +1,21 @@
+# == Schema Information
+#
+# Table name: oidc_configurations
+#
+#  id                     :bigint           not null, primary key
+#  authorization_endpoint :string
+#  client_secret          :string           not null
+#  issuer                 :string           not null
+#  jwks_uri               :string
+#  scopes                 :string           default("openid email profile")
+#  token_endpoint         :string
+#  userinfo_endpoint      :string
+#  created_at             :datetime         not null
+#  updated_at             :datetime         not null
+#  client_id              :string           not null
+#
+require 'rails_helper'
+
+RSpec.describe OIDCConfiguration, type: :model do
+  pending "add some examples to (or delete) #{__FILE__}"
+end
diff --git a/spec/models/service_spec.rb b/spec/models/service_spec.rb
index 251f1778..6c39f1e7 100644
--- a/spec/models/service_spec.rb
+++ b/spec/models/service_spec.rb
@@ -18,6 +18,14 @@
 #  updated_at              :datetime         not null
 #  project_id              :bigint           not null
 #
+# Indexes
+#
+#  index_services_on_project_id  (project_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (project_id => projects.id)
+#
 require 'rails_helper'
 
 RSpec.describe Service, type: :model do
diff --git a/spec/models/sso_provider_spec.rb b/spec/models/sso_provider_spec.rb
new file mode 100644
index 00000000..3aa365a1
--- /dev/null
+++ b/spec/models/sso_provider_spec.rb
@@ -0,0 +1,27 @@
+# == Schema Information
+#
+# Table name: sso_providers
+#
+#  id                 :bigint           not null, primary key
+#  configuration_type :string           not null
+#  enabled            :boolean          default(TRUE), not null
+#  name               :string           not null
+#  created_at         :datetime         not null
+#  updated_at         :datetime         not null
+#  account_id         :bigint           not null
+#  configuration_id   :bigint           not null
+#
+# Indexes
+#
+#  index_sso_providers_on_account_id     (account_id) UNIQUE
+#  index_sso_providers_on_configuration  (configuration_type,configuration_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (account_id => accounts.id)
+#
+require 'rails_helper'
+
+RSpec.describe SSOProvider, type: :model do
+  pending "add some examples to (or delete) #{__FILE__}"
+end

From 7344f4255219d52a5c6358a2d0c06272a4c5184a Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 21 Nov 2025 10:28:27 -0800
Subject: [PATCH 03/75] floating image for 404 page

---
 public/404.html                           |   2 +-
 public/images/illustrations/floating.webp | Bin 0 -> 303224 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 public/images/illustrations/floating.webp

diff --git a/public/404.html b/public/404.html
index 27b27b83..0453bd96 100644
--- a/public/404.html
+++ b/public/404.html
@@ -54,7 +54,7 @@
 
         <!-- Right side - Illustration -->
         <div class="flex justify-center md:justify-end">
-          <img src="/images/illustrations/rover.webp" alt="Error illustration" class="w-full max-w-md">
+          <img src="/images/illustrations/floating.webp" alt="Error illustration" class="w-full max-w-md">
         </div>
       </div>
     </div>
diff --git a/public/images/illustrations/floating.webp b/public/images/illustrations/floating.webp
new file mode 100644
index 0000000000000000000000000000000000000000..06c339ed142b95cbccb1066429a6023685de7f46
GIT binary patch
literal 303224
zcmZ^|Wk4KFur9o~OCY#=@Zb&sf@|=_-QC?KxVwkozPP(<@WtKTosajPALstKU++%O
zQ%_ZO_0&lBOe;x=i`(Zx1JuPt6x9^DH4p&+!1vEB7Y)FR29OdJRaAle6akPb)<!l?
z(4Q(BTW3cl2@z5ape8BY5daDB6#xl92QV2JIoS&<D$4$6{r@ia3jm1!G_#EVwe|nD
z`Tu2+j7^-3000R1PYXdKdq?L_EcuCL-JI?J!%3g`tC6{Z@h2|%#0-v~9sI;||M7<Z
zgAf11X8(g<|HF<dN}`{~hW?33&HgWJ_<vy|b4Qy`oBxtRX=Cm3*@ypA{yP$66I)f~
z&pr9)MhI{MC;=n@A^=i=6hI6h3g85=0C+xYP5>i-6~Oc<0sepd|7)8NAP=zn^fmgd
z?ExMDM}P&u3}6m$1~7cGE}yNNeC|y@d6UndHNfM){D1m=mjBJGlPMeP|Dhm|MF0Sp
z^^cDmDgXd35de6L`}lat|M+<O0{}p+0s!5%|Lbp;2LN#2ee!Yt%TeY60BFGgKx5zk
za)zk@KvNh1fD5)aa5VToaiBhHNK;b);JO$9Kmh^(n9~3NqSpW9>{Iuj9#F6d0H}C<
zo~j7|AUy*Bp#HQ+(-xLhlni%+06=`uP)c5YxLf`Fdk#ciX+)uT`l!xqUSs<G8$oia
zN%(9vtRLeypOy4HWq#wHj{FJ*9<*e43SzIt*lw0F(t*BIGf$#O#Ft@#?jr140!l|z
zsrKFbfMj}{<6g&fM3`p9^!XZBfb^<e4Qc_^&6n<nTZKU`56wN|yaWyi_gd4vbom_$
z%e{;Dnm3_?!H=#NCsRXC6U&uGn-#79s?WdLa*_0MJ&Wo7`;e8JUYp$hlRLldkt_ML
z5X5_pjTTekN7o6^N{+2>{JXOoMPRTq9n}mKiW0e`TZD61LSTJ>WSDf&Uv^11RAkvj
z&6DRH9p*tUtM-eR_QBup3jPAGA2==HzL=$L)7am>x;1SpqPn@ceLFvw=iw$qr9VIC
ztOG}TC9+#2P|Ichm8x^ldV3YF<J;KqHe+Ms;!^neLG#0Xa-MM2$9vXz5}2m}9&Ny9
zw_9mB@Xx0ZkIiLw89ensN@dXNu-!>HYr7}r_I{lMBc)cawL5)W)ur04`#cgp3Q)3t
z7Rt}U&HXqOOR~}B_d)#i>+RV}lbv3dFA6d;GCVx|<MrOy!BnnLr`OH)NM9RQwGOY_
z^Wzqjm#ghsv+X=+;Kpn!jn&|EI6vt5?s)wvwvjQDvrN4}WJIK;?(f~516zFdYDS&H
z=(tCudc|73&qDykkV0mi`(CJx7g}zs{o8q>`a48VyxKx#%B3C227ia!TknWyTT_J&
zuibNSe2}M`#bUegL_{It!AJ&ge7UJa@_rJjSP{S2*rN4n<BI<;<^9T~=9j~#%-A=`
z-U^0#1HE<rcHjN!`-Vu<D5BK@pG3{Q$o<i{@mceW#1TH1m_Nw`^=CZZqrG=t^15Ez
zB-REaxOZo7vnx0;XY0+@ll@yhyd34f=oDImV_fNYsH9VijT;7uo?|j<ooC<cnsWS5
z%`6C>_6921UN{*tSli7qJ+Tl?u3Q#R*&L<f+pL3Pf{H7bT<+h)BvV#WF6>COc|kS<
zr?qc<oTX~y>Y5~pJ|dGNPRXT<2GetUd{e7lBs~d2OBa)++4MyyXEV)8J;(^it}onA
z`wTh{u>pyxXWT9iI^1I_GD}Udb~&pZuJ4Zl*#zp0Icz4UH4tylx99V9UQJaxye_Ag
z5^aq(noZXK+JT9K(fAA1>P_;M860Kml}as2A=i7ODNL%MpS6F)5OEmdx_)eJ7mlfy
z{wfxpO|ju~J_5UKPRH+jUU(dSSJ(3=O{Ysvo5Le@IMwT|ACKz|H$#m~>HIaKLDwF$
z?w0qb+|*;bW%6whi7B>19tSqxWJc4be|)IN+UfClId9yf&|^<#@Ow&b*q&*zSE!ac
z$MXYcsUAMB3P#RmYUykazmZXwjJJOcK9R5-bSZR6d``!I*O_3w><AM~>49xFAK{Tr
z+0A=6y%_(l`#z2)>fjnH(%1|nV;iF_RlWhgx$U!$U^L^7pqerY-y<@@O)h)C?q}+!
z1nlRz#a8F8H(7uy9D-UKs`OgitDM7i*g;+3IBtb`*S`IW=11PZf%WUN`LkKCg>j;l
zYM(bm7*=Z6nc*rk<!eX|z8GE5!*Uxg_T42~EHeohWPChrJ7JYHoIWE;;gv_Ej8nO2
z^BNJ<Bm~sx?%P=7X>s}Y=zB(>@-2;}mID0cEF<5zU|o5ExQ%4Em*{r;IRCCr!r4Zf
zOhFn4#HM*Os#)dnftM*S^wc9lbaS-TvPNHoYOPmn+(=0c64I1OD|gH!b85==!<&SB
zJG)A+L>juY1vV&pGDn{#-A`&YO=an*zy8rktAs$4x6Kgvt8)iQOEeN=!6@A6>9c>@
za+3`Me!ZIf=Q0adUzSCa9)6m+fU#S?=ytx|CZrKuu(82k?<u{pkL5_s8Mii@q456v
zwtv?45H!HGIoX4S>BT{tIUzyeRnia)gMXXbbfNn_(ssA}M$7cxN{KZa6D(Cp#W0=s
z@%r{4s$maxPN>aUWOT<L&JIe|lu@bK@`r&V4hBt&ckp(Zn08T9&GIC^&1r6nM8h(1
zUy>$?abBM1?-}u`O(jZFc$HydTe914^@JHP)aX@Rq|J9(l-^Dnn>9F1!ip|xzmINP
z`uI7_{+(2<Yl&Z*4^_cxn-aKQ9{q!Vb9{TuayDvaPsvx&f!ILUbtjLDWZ9ocArsc{
zEqzAvUW3oLltcdstiVttbbg*Gl=my25+7_*Nku>FF!)}~!tm$6fZ%dhVmr{{GNWB$
zJVDimKE#`Y)5-4tgj*PNR`p`!ze<6*9oxGr(88Ac8~?U|5ZRDje<Ms8dGNwUAI3R)
zA?B*hw^zbtd^hj|TYhZJDDruJWJ|<V+p2S~ZIb78ruPrto%=@?u__x+g3e-9$a|U-
zoxd2{?c`)B(O5BOg3sch?A_3*x2;L-tE<iIBPUgYh4F>U_H~E4E|OV3a%ZdU&pHu7
z<BtZXPENKMALD#)KSSS#>k$sn$8ucN{qM@y35Gb9SXVh~)#0Gi9(l#qml+u{hB%?B
z3Ops6NGNd7Sz7r(lIVp7=>}2mMrC`o_`SYWX&D;WT_`k!W&ht~I3tp0oX=9u03S0y
zPJi#?&ggNE3oG9zRb(wked;yQ`*^<8UbW}V0YcNdspQu`JCnrjPm|!Isb|;}b~U1@
z<k|10!5(-BD{dU$`FU?dQ^D%}z=z!*HzwnibVbGo>KH{^zK<A~zIH$P&3lAwEYavy
z+DVWL!u93nEszs51JSG$n#XdWF)#!gsH@*H<))pEx-v|AJe}cU|2U~5DmXD=kJAAc
zt)AiN#2P}pIvTpZ1XdaAHL_@xd!+UPKO|N))~XGaKx|rLOV0aX^o0***I28x0ZCU=
zD+_#Co-h5aLf6OJF=DGD=cl_3LnNsBYb3rF!fmUl#%`_&#|8I3pM<Bc?Fk_@h;Jp|
ze&fuy;w5Nm+%kSb^4^T5MDR+M`{XSzaW>PGGwuznImkIi3|jy2w3aSF#s}x0Y1DsI
zDOB8a5$0$JRf^x6(^POgX+xj9#KH~EOBKcoENkw&(i7Kp`gPekPwX1!HY#5Qcy-oP
zJ*)`)(NqE{^EqT&;E)5Sx|Uh$9SuRsT4T>cWyKW-Q1@u%hobkEe5r)(%yBN><9APt
ztmekmt_hxOOcHf54;w6bf9b*HHpA-<6HW_P@i=Cj(qgVwZ7F!3n*=A1>Yu}uBV}7d
zht*U&e&4ge?d|Te)QGQ56P<E3P@_u-xW*G3e!A$&#CI;jesX^yF{pA!#@9#`fhL64
z<GJSOX3=I13o=^K(BI5gTsVPv2~B<=^=fR$>bQrlm5*%^>=J{GJ_RqZx~)HlxU_!6
zKv3xncb>7IEp(Xq5Ieb;79<%TG}_%@Rcqu*<lw3Q%RXI|pR?aGS~wt+2u*e-=WFV)
zoapR(eqC9A50U+})!L(7WT+SuvN_2a`{8QKmrCR%nBnr2=|aS6^{E!E-J&7aNEOmq
zXGH<GRqh@7eGhhdT6>C4h+kXLy-V#d5wPv#EJ#5EcU0~XcyflixX-m9Bnu3`+vHMP
z34&13_yj@qY~U`NZ~Vugkh_P6H>gPNIHFZ4O&etWw>J}sDSmNK(29y-FUrEk1*h|9
zS-ik1?Xn$`;o6(6OJ+SjxbIBE_E=|OP3Ycv>QB7RszvK5f<Xt7kE<~YCV1dX+hf6K
zVeP?8-Hqm@neC1rchYmk&qhWM6uVM67>HBRBzk{0TJ-6sdG9+^pkbED97VhJ<KDq*
zLF;(P^X1>FW{xq9TdQEPk%pO{_69W!c%%}G&@a}-^{}UthXa(jQhWX9p`w~Gbtu`D
z(yOH-)8?t?`S~cYb={cDt&DicNJHHZJSWHjo~Ya-@`-eDd5nMeKsM%T5`Aj1(@@Z=
zmSZ^hdGF-KzKq`Q`TVpED`+g?cFh!4pdleae4Z0?dbr?-+&1X>yq2J8Yb?=JdOMC&
zQNV~3w!bhOW836u1qqb!TbUy#1J7pP#=d>2D7a9dwIKIutwU}#H+ds;$g{!+6|X3I
zA7d{3^NqA@P7qitk{%PR^KHx`$x^29YL&xEfvxd<Z_Q6f1JB#gbv+`T9JD1y5R6pW
z8iB=ffm~r1Cs`4vC!8t3$8eXM6PS7J;Z9r8(kBuibLJH4cvZa5T4=(JV2v)S#v&yI
z7;N)Ra47fg`V2uV+Ssfqf9ce%BC+q@SyuSo)k@5?(<J-VQ5VY$)TBkv-xuq0y(bLh
z_)p+ILpd=TD<!5KKDRADtzS9ClOTDeU;(e$bnxwAdkt>!WqQT0t*IT2a4oUD*XHNY
zf2xu*oU;XX{P$FeM&8e}`j~6YUhRERFu@zyohQCrUj1Cfsx|+*F77RFefYilafVVs
zhZ}BMSlGdJ65fvPWY1jdPlLK<3QImUeoUW2en(6VO;&rGgz2XsIKfF%3rF}N6NdgN
zHI~Wfeo7trV!Y4l>mf922566aO(;G`dLCxSZV>{TLy?wzhk70_O>0}mQxB8l(wv`m
z_sivfz&9P&du`Znd>09`B%lK?Q<Y!Osq0|4T(hZ%xjg<`<_;*nw`0@Thv#OIPvMND
zD%L3W;p+5(;nU26X5B3I;qF?~^;77y@imF%dJm%(ytV6)nTXX_SZpX(Mt{?~xb2Xy
z9eNo$NI%-})SB;%G*WmNE%Cms?x;iUn#?&5I=ayKbRmjv;s*Emv@~Z#+jst>G0LZ#
zXpK&5Fny^KctIoL@jX6$l2NbTX!ZK&X;6M?s>tHAaL+}ZuvGt+z?NNn&qoMT%x{3k
z<?2IW2l;60fsYKV-#ffZ6;^vs@6**?60|dKEAvRe^;Pcc+7Z6D&*ob$q_Dq8C|}Rp
zGkfJ($b7Rq)e~&>fQa1~sab!aP7qk_>tMsEahv>Q);*(q!9DqA?<v)Vk0;j^@MZae
z->dl`Y>!%_+Qhc&x-@y`_Hf9n`0W?nzYDFUV{1v{sryNFD)@Om?4zz1q?K{56}aTP
zN0i7cql+3dg3g)*v9$H_<6yQg)=rhN3(m}^w**-0jIJ%<f@ocxsYp_vV^gFHO|Ywk
zp59VRvjF4Q0n?B=iOgFWdOwldBE-lI5OLHxM_zMs5yA(PUya1c`iI3gGS9HlF-Q#w
zK}|5HktP-5WQ2a~{dgW>@F7uo_4DBK&3ICVphb+mcYBz?awcX3`X9HdhI_t~`6Z&a
zNT9{<Vg6%5FVGjHF)ipronsqh(`+w4Q#^V(bhUXDsned;hsJxV9~X1>GT%<Nt#%L#
zpU7$+#O{qRV#eftue+U^E&MBnHB}fB4Hx@&+CyDYZA0->&s>!K#QLH0oXo=M($*(V
z0L+#f@)_6MGu_2whPm=>W;O0+toXD?e4JS>PVma!Z{ebPA4^6i=qyN2`?RI?q5hsq
zGS^L&^5j+Y%zI`So%a&ftHy0`pIXw+(mqA(av&<uLf`#j#r<9zb78*m%ijm$-J#w`
zEu?C8#zz;y5#rNyL9*bZ>}MaNd~aSJy9_ME@hJT%4ntoH$h%N%I}Pr&HbK|F!aeKm
zTwYb@0+rqf^XlybhR^oeMeNkZ#2&E%i+o0oUn-`Yk_I>ofdAMjlXMdMiLH8DH8}(C
zN*6VO)^2m4nP7c8*WUt*vmK)Fi!^D(Bimk$9c~$Dfv~Fvv3GmzZtzQdXpe)2ul5>}
z8K~D2;f4zH9c_hZ5MH7(Lf8jsJb1H~`l>JBft=$r79ND<gN_kHB90j$M%eYUshVQ^
zuEwJ1ypFy@T<miRoihtYc!Ik$fqCVQAcWO}mI)Ex+JNMgKtq`wu&57D)7N~ju=sxr
z$1kHr$=zj5VFD@-RVjkd7f$QO@wp^%*pMGN>Pw;>0=zU^Ub8jk*e{v$GyHKr*E09A
ziJWtwFWpnV*&!PO%%pNq7nO3RQ@7{8$Ad5Bf(kTX*DEqiA-wAPPSac6*y}O-r#wTb
z^1Z6M{w4|9L<UVYZ)b@%=CB_l;M<1@%pNFTV+?Yk{x<e-F95}{`=)A*#_8Mj7{Qsu
z=w44m8&2ISYLP%bh0E8fI8R+B$C~OcLKAs)wK%Vq{2evr^7{J=Nd|p<>Lt`<C)pA7
zYx&E@K>ourUvUhlb#yGq%(GE~xA!T!S3{7O#sf)wNF}KLptPj`;X*zYOd<DJ^+ya>
z`9@Z+#4>Vy2ium%;pMKp80|v4%lZEECBCiER-?muD+@1i=*~`wJi6eNRo0ltqqAP6
zzDI)eg4b&<&bAxsUeXSE^v9BtjBeGMKkb-Xw$CGNsGs!7&`H|?n(Z&@pt`K<<tY%W
zM^^67zuLILQMu!|SjJhnJvk*e2d$jF$vH5Yv1{J+Nk(>?*-$d#^_6iNbSA#z7&pFf
zncVDK1d_|%#>c5<!h~LbVh7D=6iW-sxVDBRV%Rp$iGMMcQkLCk@9n1__fAJy4||D4
zs9RPh3jEW{^!W1kwvyw1(<~-v<AO-FPyOCJsDeQN=TS!FrkwO<`|D&`<ENo|9nzP)
zIab%@?J0-nus0*i!s)-!C)6qViyO&7je008cJlMqa_{;Iw@Ooh-b7lhYLBtTtJxk0
z7mU%gIWAy~xN2&kX=UJPQ?c>7P8A65_`NVi%zUQqUxJynR%NRA*YA=kO1Z!kYW9=>
z)_4C`i9+3gAYu^Qv!%GMNTL)kafD&!tAz`NUHA-Z=w4}E0sJi`@)9T4z$p6>mRDY?
zCp3DR?BYdxvQ6{T>85rDp@p4EDen&eFIMQQ0AuoK)3+P}g~feMY=aT&f{Pkd@22{g
zw%5Z^kV_!d+xRgj?73w2I`G19>SjKwJ(#M4SI1xt*QMPKTh8*<^odvP*@O6V)|rM6
z<Z!El^DLDB2uq1Rp=?#K=`npPl!_E)Fp?M+)C!J<%uRp<XXNNl%{H_Yi7B$KEpb)I
z<f2G1(TIbxh!~!|A$N4+u9vj*{)=?W4^4&QB46v<Kv;6|ji~;L!RiG`(5t8WY*v|I
zh(;ZJ)4oLEpZ8a*>7c?1%5*OYX;~$u$!9mmEjn0T2~VQ<<kX>+bFm&?nmYF}`R;Ol
zQuq2tW*_T=a;ceiZ2q=aA%m`tUF{GaivXIz2)|VUkXfRF*(?q!RE)u8EjuJ9(crZA
zcCNp8Navor`u>uJ0k{o)a-vS5ECbj<Old#A_ZM|iNT5@m45Xr)E7@q*S?m-Yl+EdI
z2mg7hD^?&D^6Za;@bPp$TB=g56Th=en#>fe#Vql*{H~oC@#uT+FEF`*zXUI1x-s^=
z;#pstxS76Cd+X8wi#JHgL(hJ}=CK!W;v4_!BmvXe>h!+3Z^9;i_g3(0ejA8s4$o>a
zZNBEDgxd8U3!asIu3`@uQ7LDrm=Z#<$KeTMWC+Nfs0p#^#Kz<z?s@?CI+)G15x}X-
zozGTi-v`4kJ>npDu@AuG-X;l5{2l?r%Rb9S8o#}}1gF+m&}$&laKU1o!)Ph2eawtH
zct(9x_E{C(Tj{cfKrmEs5u?geL579Y6?@#&0U#5rf`T+Q{77;or^P{(@|OP8{E_v!
z4u>c!3&X_{Daf|k-{N60s@W9N(^>zL+$9K1h{~NpQ_B&(0zbm!6{rnuH1KJ>0TdWX
zhuklRe2sfO5BHNtI((^oyv8j4D@wte4%JJ2&bHqa>_PWN*nPh}N`uP{qxiQUH6Mk?
zrd`*=(JDxws;Z9kcv?acrD@=xZj=L%^~6D8cpPk8JtIk88iWO@g*fG_Jq(FP<-%~H
zImB9Tz*Jv>x;!Tb<{xP=*j?;h{mOs9eeHatzc>HZs>34{dgyQlNI&K5IXVO9HZ{C2
z14tKIeBp}fhtHs4_%8j8thHy33{DMl%=bw7(;x7Wie0pbe_gjufu1~syElJ%yr#o1
zjIp3KA=8})L&CBBx-cBWm_j!5Ia*f%lk*>Ou8oVdHr1f><mf+n(-5dhD*4@`u$`O_
zJ0+HRP;^^3L-2fGaP?4tH}S!1BNZYWwY1aFXe#<jV#7Fg7)ka`SZ2}l33K6Mp$#ds
zP{l`mwz4Xjf-W)Ik%YMa`TAcCx=7MUW6f|Vs^iz}D~4jU7qVbzM$Qg12=BUl8PuTO
zwp`n0ekK@_dFyzY4dx2wDVIy?pB9I&*)R_dFtrvFAkT6rqQA$!{GkI^D>;n_s%w73
z&k$XNtHbx)t{zj*jvHav!lTFsK>wz~uW8y_GZE^V-9N^7wqcQqpNt>AN}n5ns7aTo
z!n(quSsFbCT4y>+`3<BiZQzj{4)rB|UAd29c;VB1PszFp6uTSEi#k3-14#n}dEATS
zSlB(sTUjkU3?P#QSAc1`Dj1kHNHS-_zq<?fBbXT)9|rgT&1vERA^hD73HMhUMaw-h
zT}*DHPJ`*_+s)$FbEJQ^*6yDFhV|AwLpJ&1%hS;;oZk@l1d+!}4Wq}t6oHruR2L+{
z5-FLnfJJg$LYLV3hD+6!g%bbcIEQ9}VUh$})ltz{I!*Qsj-97D+vb~Vgv;KUpf5DN
z)2hLhuO{$2M!V?|kvamjd5ieE@z#4|W2jV!TnJ^ynIklHJ;W0#sEU7aP`F0v1g}S=
zlcGV={6!<Mi!K0=aO>9}_--JLeb+#h?I!>~+#|Eoe!2owKd(0XQYGt}CMIAV_lpn~
z^wlqE<(6%J39FCXuQaH5dpVWK&*xiwpC+ZPOxI*D@64MMj7UlYl*Xn46;6nfDbL^{
zE4~jN&2!ylST((wB5-I{HA;~rCD0CUrzT0pNJE0U@|(!;i~(w-&kqz9$?Yl7t4dz&
z!SXS(Os{&uOi8)SVTQOr9o)n3I&agTpqQwf^q{=L3mEKousmcQk*UXfd2D<!miB89
z)t@_eCmb;sIGqj2pb5uUNo+12G-N}fCvWF(24hMjK*;scijQTG?1p~28-mw{$<d>a
zgMplwfDE=spoimSX!G#Wa;(d4_S7qamSu;L24ZOAf>)=oQnUoFYv`y}frh-`X|9Su
zheRXim))_Ry=}tE&)55SoE2Vp?N&Qei{^FFMT<6#sy2djXN$qd+Wsi8)}k=Wo1|Le
z^sz7xG2bA|lR`}l|60HJA?poP%I_(p!<JBnm4b*2$4R+ZEud>BNrocrULqD1v??kw
zM)BX3Vcu&EpU6#<Y!U{nf)@g3t=_4b=;|<Bht9+<(AQ{<6lF4wI2a5huHi2^)aR1i
z^bvPE0n6B*XOA)^CM@x=!G&SVZDpc~VXQzSC#S?hQS8lF)9_nL&_h2KlW1q1@2YY#
zz;t_uflNqk&TJkys=&1taSj4$`>c<NB1FTrWI%)VHZ>iDx1YWGG=yv!72w$}v{Dil
zMo@XjZz{8P6l6I?C!81zf)0!of7~2-kJR6dUM+LDS{!LIdyRWu7tcVml!w$*v}Y;#
zF&avdeB{*bFYQCfXr8QJXB>mGnYi%G9WR5IjE2{I#=I7it6T;Uj9gjj+FunF?UD^F
zK1d_e_y2tejIDYRY0pi@JDW%iSnmFw#GucTM&)_Tb}4c)A?r;GwP4`rJ2|0GJ-CjE
zea1B(q4qHY6L7PHjPk@*3DT<c7j9xMPwlJP%(O@@WJ^WfU<^BhCqYiXi;6?*#`R3o
zP194wYLR2W+KOwdk~p%cKu7!8+>xfMS3b3c{Hq%$^if&w^t}U1iMJ$5jbjIrx{6_W
zdYK)87S#zO<JxA_Y+)Wj&o@HN6rqK7V;_7z3Z$NK24-Mrj$BD5HfS|=$|%NSeyT>L
z(RQ-Jbe$AQWQu{ueX`4pZprPyY@z&@UdWe8hPUXw!y5)(+DPE_6}Iwt{+&<C<bJY+
z%J`!3U8{aNVM_Z)gjLJ0AyHtLcoYg*9+*GE<f!S-vpJW{hq!oJ{*g?|%&!}tc^PbA
zx**3d+DFh<uC#{Pb29Ei-Bw=^yt!o`@K31Pv?vwuedC_3n{M6Mf=G}t-?Ef?Y#uIy
zaP>_{f6umSm({D8ITRXwX3n%uCAzHKuR`c6K;e7mHIYdv5&xiaCG?0l?_I;l73-;=
z89mtR4eH*VLL3@nj-A19#L~9XOA~}B`%T}qaAkPr<%Co{Bmu%vmBx6iXY7L}SGuoJ
ztOoAYQ`WOLV=$RP&+C}*B2(Jm4G63Lhvy$dpU}O%3boTAdxs(eoI3fRJTw}jD6?2@
zOGEeoxmnMY+5&c+*<36GHlr~c_wQrZ>Ws({#&E6vwkTvglTBF<#gPKLX(M>>HoVqG
zJbWv8MuB=IfiDoIDWx|ODMxNr=F+?9t>kNYqg%p56T_1BvleJ$%TF1;>7%3eW#NVM
ze!ZYKZv-qyUY%%P(Q*k)1Sb&sy0hT$wQFmUI_qG0(C(jo)zUGBorgUolEvxDd9<g3
zuznaYynQRNSvsG5wXA+f^H}|8Z7x-Ziw^Jn6+kBq;876#*Uk}R+gYg3(Jf8z$}b<I
zIpbHdWpc=#&+RIu<&GFgP>~ZY3N~x(27T9=w-3}*&GZzNylpU+CH<WvaL@NJsh@5K
z6GV+sQkrX}>f4(Y%E;i?c7#4;)6k6~ODmdc$M7LqO!W)LFF|$s=dm*XL#s$IZ*eWM
zZMBeQts%b^TY;mFAqTD?TYA|ynz3SGDa!{RmcZ;aAfgt*A<9X;<>mr)(uxWjecx}M
z@VTG#>ACO$Uu~6Xd$U~_9Dh?p97SbR5LWYz7avyxX?;&jRnVn_WeY7Yq~;qtWxDGm
zxyQEsqn-_mJvVKOl&@_n2<=i8(Ps78%}c?Zh{619ur>U?DT)fG!-&@b)&Go7--A?l
zdG+RNu(ER*)UpG!tE|3U%f1GhT*H_VT~$SFGRqdVs{?<*J~$~Nz5K(9%V*88)Uh)7
za_ijL>*!G~%w<jZ3u6i@n(6`1R4o<lnl1$Mi0)`prjppz4gE1|5abbI>kez_7*(or
z!bm@H7yuh$Ppgv%t<&?B&aj3ge`;Ips6X4KcS$~zoHZyu$&rSBYPNK)C)@cAgOuJR
zBKxcC<?J2a*g@L%^CtUJGA1&mQ8l_+p0Hd}4+h9U5}1Qe#W*Yia7G<7|M=Uw3AeIs
z;_slc2}?iYq8p)43oIvWi2pj=K}|w7&B{=$km=mrUSiYphD;I5gRNF%CtVhhJ5sji
zpYm)?FNQw%R`_?@f_GDGDfOW}>JRUQMxiD(Z;3x7h+OJfOF64A86lX-*kY}FpB9S~
z*3S^#qr!CFQy>!3oDxYgFe_=_8!GaLIabPI571^Ur-p4xYfv#Br$V=n*J{SjUp5gY
zq;#y(l~W{tL{Nsoch`1Dx1OUphs>D7#FVOyt9Dll;Ha80xb=0<g2XN`KeT|Mfy;{1
z#(H{v$qsf;aJ=kZ*~OyR+Usd1IqyLVii0Yg5bwtiXMoIk3g?;1Qr4baUSoWPJx;T9
z^LU5dyC>1^c(PgZ$j$HEoPap<d|dDyMMJueo!hJN`(M32%LfDM7S5|0xDP`Ac9ZM8
z?pb@r33<i28yJ}jWs7|dE=#v&qzu92^O|FnGRg_l+<HnO#Fi7PUWX||FBZsx6JX$m
zv2IiMy|&>!_h6gGo2IALwG8+)kSnFnUpSq3z!TkXft-Cg!sPK1wMf;}kJ6aM<C@5b
zqkTrovhd9NjK)fTTtk~$aFd1qP@jT5gXd>NzI&9E4J?5(sKv<Tx1p*xOKAnZS9i9M
zYhN=_9Pd++89K*m>}JW0P0DU;#+-}mu#Av0jXM<muG<sU+*|?414`eLi{llKLU+q|
zOo$m6hB2d;j9EKZcsF+EvNfYZ!gUQM8~4G;LI>O~6;{FL`<KG+WHYb~Q>i8y|B`AL
zufyVZI7SA_JlcgZXjioFZ3WWC<Iluqw9bt=0{<R$%CN6miWm11`z&_T+9zP$5~DpO
z)*i^|H3a?2wYGa|v$27eBB}<-UgX+|Tr5+{Ok_^7RQ$atPUOYJUi<J8N>f!XSrqj~
zNRroYc`tnW+q6PidxS!8Q4LguOG)NnQ}Cwdf(&g)qP4Jv6)8+FpdyH2$@Vcwz2~rE
zB{Fm&nicE(hBWEbfv9a(EG>jhs!>K{0M->+w<d0qtJ0vBOMj`T$KjF0GFg-;@9}W3
zyp^DWEV|R^6td>rYeZ1zGG893+ZN20%(1>vAxf*33bAddhfizmjJMCPoG?*dDkg}=
zdqGy)sCJS{klTm}cx#-a*+wD>EZWf+{4i%)T>d7Nj*=cHP|+(|J{HHr9IPL>r9$Ii
z3U4rr9Iu25mp;nOi5San6tQ8<VQWh(kTmvU5ZWQ>z_m~1?CHPf-DpUjDC#;Y(1vj1
zz)pX&o?x`Cl(thgx9@BcSlpnokgHEF(Wmw{>|Gmelq@Kmh_|BFO-ZkmUaVsctq>hs
zs3X?u!Eaf8%B~B^Ri~+En1nNQ*T-<9jI&rz3Rz;Kv94!M?6*Q+RS_x^AXBm2#5WSr
zC-QxwB8ln`G?~iKB8J_(M%^%By}ElI__~K)?Se*Nw_ot>y8?%*M@BfQC0EK5SK7dO
z4R9)hVL>0K{E;Bsq(3Gb_pXCU8h!q*U`~q*OljMw)g0Wi-IRj$Hp_l(V2d=)9+yG6
zNFBu+xA#s&eN}kII-xP*5}N$>atacDf;Gh}UvONG%W$QNI=)lA=7?p1F{wPep0+Jf
z@fbw>u=+J(&nfFrBFlIxHu{VeFvr61!pt7RXwbF5shmL#nn5ck$J%$kT+FUc35y%G
ztq(~0Nj77bZU~FB{JlIX>6}UJ^`D$c@4;pV$4V1<%-4q!=76~)hL2eGATH}PbHAH@
z{K?~uWgX&Eq`?!P01n9jI}^&dV}g9Z`}ZI^g3uK_nnqv+Ow2#y9y3`ny7_ier5$xK
z_(FLztY!i~HvOS<R=M_0BRTv0U#QmjM&@}MjCemsvs8i<Ed$Z1E+PDez^qjarr{r)
z3$RVx(g9{Y))G}}SYpy^;rhq$YJvacmb_+Cwjji%E)5poV_T*CM+CCipX%`A92F?j
zj`8zgYl1tv&eH3sr52DXuyP!+x@LQfE5yfaMd>;xducl~zTC?h$sg62H3#!3ZE{+L
z4(SA6V4;SN&GqX3Jq+_fDB^8bg=tQ2X{oUoBA_VD1-ZJ<0dG?XDvN(GqLI0DeG%tw
zK%wuW3u*ELbKuCvAIDda5xZiyd3?WKwyva(NqYaByq1Pa90OjiU4wM`o+jdAF*RiP
z4=J6^2#N&9y6|cJlsF*E?lj2WQ=7PKGJC`&)p4vMUI@j`ffPUgOPP4c8A6Grx~j+q
z<$|MiW&!oE;sTBvAN;Bk7&c;l8zKsO=!+8Ll=PM1WRl=YXdOPu0`dZ$8}ILxDOMP#
z`O$CU@m35aj<Sr8JS$)CZJ1~KY9sCjZKw_ClL|+28!!sSg9L+BoN5eLQ)-QDvIIiI
zHq;h~xH5m*BtzHYGkP(K=Pt6LtLWt6=a`<N643DUA6~vC-wj2J3!hL~A>Hb$JpTa*
ztH$cjPp6D5zHp*8aq+Y_)uFabelxWi{=Qj`7fq=~R<RtCyd&kEyu_1<j5-usAyLH%
z4`d<ozdju<DPS~EJ<IWY%&Ckr;G<dCSgNTs&~Ypj?)Qy{G*{P>z$rkeNHM;{%^aHN
ztZ~Uq!(UKZph?ApK2??SH@6-6W|$nJ#z_mWJvLu@Kj{`4$`R`_Dwg4{!+_%NS!tJ4
zvys_tIb)7>#ijlL=KG>69?B7NHwu$sfA$S?`l6f&<rPcB+=aV*c!{uRz0s{XBc3J0
zWvnH`JUSWahlM=lJkpec`TVV#)FxfgdyPjYI}2>BFOO>d&k*Y$nae3NR4U}nnql+1
zB(jw?9x(*CJ{m)(jG9fua6cWTm7~>ZOF6dY3nIvQGYjhtGKa7XwVh2FXO}f<T-hQ0
zH8+0HIZ*S!M3c5>gsblDF-!!kt<2S%@651qmqlrqpyELt&K@g=X2xeZs%!Y06oDR-
z3p;Fbt5G6jvn#B8r>Io6u?hg+Mxu+Lx6pX@-uK1a=Q$*SKg}GSGtQj)DjvVb-%UJ}
z23smaK~!3LA=<|)pC{`>R-6HKbbJ3zG@>1_&|3D_O+JwZNQPfTK?m23$zJG>dgP=6
z%3YKVUi<$c-A@(64!p2bxaGKDmj*?{<PCD^+p;JqOM8onRO|r_LW|jM8{Te$cz*43
zoaC%TLl(Z;vgb)yeP<I)QPM;=)+uDQhY%IJpOVR>{k08ql6%AMfRTBRhx!|5Z(uxf
z>TjHM9F=I`%wupq>Py%dK88mQ2$feduRj?XV6Mg|dtz%i%6;*JAqZ#zI}1*SCvb1Z
z`{EpaH=XhssRt4rk%5g?Fpl*RsoSuvkh2DjZ)I7yi{ML4c18H03I<KB1s58itPWO=
z_T6{%_hgLvaox7Je>TNg-cLVFLt?7}vZsD2!tcW{)0LI1WP-`8?i9M<B3{R(mQ~bk
zeAu5P3z9-bm^2PQf1{A<rjc+F3C6QFGii?Os1ensuksrrp|Ft%+8<NCvd43WD;s(P
zG%8^y_J3KAHlIVO71dnxCuT0%<mX0*8OB$n>bhdlIQRx*>M!Y8FnN=jT$)#GV^#^S
z@9#Tl9mXG_yGFXqc2GNDyl~b+=8XzjQ;#$$iF*r{%w)`)MfQ&CHKHGUC-6qC^=(zb
zq+z*{F!h&j7~y}k9^E{{RsvW3s9|F(yjOH8=+PYDJys0Buy7MkhcJYJaj4rYpbZj&
zrAyDE+jTX~IL$v2@3UV}s#JxM{%s?;1^Xj$*#u*XLV2(QkTnyldZ;&kyCMoF7iwBj
z>MO&nBy##Jz}FquHTv~Ye{_?UdoKwCLBY_3;dDzQtVNMiUVV$NN`$JvQ*WplLh%SK
z-T%aLRFWxFDWV2nAST&^^GlZzgRx)#^Rc*GMex#Yt*fhlUTdg8=c)9U_6<nd#IGaD
z6{q?*ci*uf-;J{yQq2)q?pFbPKNz~=_ym(!A2Fj0+sY*&D+tYTD!+fV&IDRT(=uv{
z{9aop+=czI^WCXh_it2j4|*X!{miAiygVq92@g>j==7E((jA=UtIWvv#omw7<P!2X
zNF{kwU!JKpa#dJd1ZP2)nJ+vI-9o~bV5cxzKrok8+XN!w!pg*vnWkx3OndBSNzUJ{
zOL7)W5e9cdA{zR~w)iaa$G=3m_4+2yNHhvd;-V<Q-ps%-8yZWIC_bUoSi|?nAETQ&
zkH(R_M{;JnE-Qy{H{CCkR<-dkA#(7wLo1@P#+g4(6O+EgBV-3tm1CYx4j(lBv$@fS
zwF22;B4weo*;Seevq8L5m|RLb&qQJ!-$lJz5ICe+DCRbRF{$G*$<Gc+wg;6b{1u9k
zs}SXVm1%R?lq^Yn%yEs87R}ttmJrA|{dmpUb7@y)B=K-M@}yvkrGe#_zwAh&S&>d(
zG>UB~Jw>9rO1d?8in`&HV9^4pbu>zC2PEoz>cI@S6Ph;Wu3MNQr*G>u0n+1STe_pa
zM*?IU%abFY;Fl%Pq65pAIzn?jr2u56YyZsCG@UkQX@mTrsfEKW_iO~8&nPA>(Srr`
z*IcWGVd3L_SEpcsW*FZ5CiVi_GcohWtb%_yl_;FLpF{3eIvsz&*X|`SLG>4yUQtq;
ztloxDWqy^hhQz_EiKj_}@&WcmkJBOrr`cQ7I%j{MfT9f=%1`j;9tiYlNi(K7`wlBj
zbIk3%D1{H7fBGUUSp|Dzzb=V~@FXndq*l4;$TBPMX^IDVR8^b9Cr1uX#@TF@EW5Yg
zbD#`+0s21Txp&QpLjab_8bj9@$f#<FQb8x*>EGBL;rJq$z}k#Qc@?h2WTI_tK+nMj
z#aq*OazKR>jK0FZ!5BUztJ^M*hc-i&AYP$eu#>*Du9jg9{WapBn|p^dy5TmKiBgGa
zZ<rFSf&?Y~Jkq_Xp_|r`I%f9)!%2JeUJ&{y1WDKtJ5)u?+e>rx->6*-_kPbm`c<Ze
zLRv@3CV+9H$_Fh(1hU|zR3_4m43~Jgi&ve;2zs$gGNhPYW0)5`YHYA{mflDC#Ach8
zJfW=mHyt|xfA?Ry<G7b20Z7^snk8u%)G>{z8NGUC)rWm9h5e<@^B}Q^+IQ22K6HVT
zUGv;?PF9_PpMzKSpbmDZx2OYL-wm(f-{psz#$zIZ`Q5Bg-OO;h4g@@ThBY*3W-Bsg
z)73aom)dv^Bx`ZTbO{xc_(`aRj{OggIJHCH(&;^#mvj+X^!1Jvp+VRQ=pSSR{;ND!
z#{RZ8$<{6gw2EoxbV>=yrziZ{Cd>|;hqL!=&>Ng1VX-4>W2!9B0y`m34yAdc0an^#
zt>t(^Xk1IOm3h@<LH0sVmwdoN6*;15uLk@ii#%Y=Igc&5%)D%IZ|@!FtoH8B`)?5g
zi@&0@zyMi+J5s`X_0b@0o|-wi-K>lrLhP!#bSAP5jL<Eenf&x|=3jrI`&Hk`fQqDW
zsIF)T_OuzI8qEu)5#P6TrC_&N6NC{GOEI2=H%d9BX4oku_HY;D$|}sO4Yn*Z!=3ta
zW+^CJE#i=rd%_TDcRru3c%NNf(Gi6$&%gmTkJ>&%-HWq)ZAw7Wnl_P2Bua()e74dG
zm;8zekXse;Rpjsk*@vvv<KBV94gPtlm)68F>7`s7Nb>JilZ(a^K8`Z(R+U*8Y&o_a
z@gCw$vf#!hA%1>SmjuzlkI=u7k?#%%7_AAj)`7AIdkS5Z>nZkK^x0AGk`Yp;D-#OJ
zA+F)(IoNG{94iP<5U=A~!Kpzqr__@$9wUL9ztx9>`3^k`;Zu9#YF|YV%^f!_)#Id&
z_mxnYK-n3h>)3-vR>a|#$Uu0dXM-j2O0BL#L>{$R7btMKZO-1N$chE)_PqX2!TgaR
zw~+<u{NCXp;Jj!4=Xy?+D@1LF5|@ypedn1o;BxhiG~8-9h-Adl7{2>(4AQ`7Gu7x$
z;~}=U!j^!Wd(rh8svQ_L5=-<~SP)nXZ9>)uL1bCS)FV%8U-}{e7ZMbXoMpsUOS6hq
z?~mb@2#aD2c8<>0XUS0i3+3(jdiq|gxOY0-4ZK%&sApR<RYAQ>fblWL2bxhVSx<W=
zM5s%C$vAy>P}(D$>Q28`HmfJ-Zsu3Th=OX7#-f8NhU(0qR3u7<C~oz6q%6%k!Q)=@
z)daX&^aaq;WfP_;926k>uUwx>icJ4?pE@gmEMGmq<(}~6MRLu=O>Y_wSUYn3t@3@f
zs*!qTg<ACc#NLim;SC2=@sffbN6FaGlC~@&p_IDx4&2ng)r5HTIEWi<!3DZ(C0O~!
zTyCB@B8Xy{3}o)qs+_;<{a^o^q<*fj7<`T$C(^~40Y)|@bdu^Z|5`$ko8y@z|4qY8
zzW6kp0P#{bwcTPB)!JsG-AYh60EhMEm(I$GfY|r}L+BoAd%X-yh&*Zg>b9Y<2s5`G
z#`^pPNFAub15b=i6cFhxT5=!s${Z(hRle8Qno-m?&wxAMiXxZ8<SlgGIYIx0705Ht
zI?af(m_7C!$u0IQ;sATc#zNF*s3j(9TCSftvO-n}Yah5GbDvWlcBg&SZrmPi{q0_y
zN8RtYr}fuPOOW>3t0a}4%iVBa!~@)pTvNey-m3oKp;|8v<;{^QhCFRbvuC}UK=L4g
znZ!ISPcCVk=N73u9;v!Z*@d|D)9>;jhIzI;T>0=7MFC-3{DNDOK&~+P+2R6((mlp1
zVhI&A&hJ@=P5Gw!+N1Dko;%-M`KDo<@v44Av<y%5(aS%bTDQA!&bdZu^>DALo}%W{
z&rrc#!!D-vsc^+ARd~mKU#BBD#_u<&1I&Aw<@04%X`*3Wqh91XjOJ3;Xg7PfstDoW
z+O?qE;cdIJC_P}eS{-V-3<vg`A&~XEGT%Es<dhFt-#LX{MSQNzK{WqCp3hzTc@EL4
z=s55t{2cov*V_fgZn4$#R9)zUGiM`aG|+AtuVP!6{DB-ul2COL&~8Uh0iRF!3Jk73
z<mW;=Nq&A>a_?ICm3&o+ALNo3*6ky*kTloI5%*BdLVkrpV!m}uu(h8aHh-}(__7dl
z3~d+6XFfmyeXal+H4ddCySP3gKN_D^&53ckGymhCLU3WkXGz}Ppx=yojnU)?dNp<=
zvwPVWStQas+A)(0Egyo0nX_qcIx9grH1!Tw=T}_S9C?*0iE}g0pY|Hvrn4o+uFBE+
ziatniPQ`c3-^!ui{k}<Q`S~eWZX7OL0VjC$5A&a_dIh(K=ITIf+;a=QW5!mU9}Kq4
zmb0X)20#DsL0=7`RqySPZyl!xs9uWn37AU&32Q3RMemJ*@@&Ko6#h2iTz8f#BCzaN
zFi=BUoD(-BPmhGQfn&Doml_f3nj7=ZBvNyKXtC|S2`Edp+*m;&_q$@9=L989&xf}4
zr_e#!&>H<X3Czp>q0Td-kF{HwMQxnz>C>>4gUys{l{76H$_Gxdgs@S@ZIJm5E_9Zo
z=)WPgTY)62y{@h{3Vmi;JKIUX@SL{~TT*(9n>Zt|KEtZxJ9?IwCcT(m7rB-rw&Ie%
zqTISZI#3ZIA+S}~vZMpK7_ClH8_Nub*7}m{M(5J)l6cv6la_ORwawkrK=`n3ma{3H
z?>2RZ)us=zrUjlnBNkw+(M7eaWCp>)pOb3~38{*LLo*F!h#(s?kXQfF{ye1t9pBB}
z3a>9>1;Mkt6={O$xNy#M^~&?<`e<4Bj;U+1e=_Az8^RcieVAJXw0D^zLKPD|>1Y>`
z6vN|88(EeN*pr(}bPP4DBCqx6LM}*R1HLPwc%;f<!RlQahq24dgdmj&sG*?XS5L-7
zEa=-{xn7Y%5RlILy9@5xto_9GTZL&+nj@sp7DlQgC$?&a<csi8WVHC|?qiQpg+Qtf
zfpU#{PV2t9b4FISt~ChnHoZ`04%PQ&D`O(sz!J6Y2fygeOTs=(AS6}8bF<(Xap`ve
z-!xrXW^UEzV=9vj!*RfTdDl;>nfY&TUxKPt%09z&98Q22OOHjYIqY0b%!}aMMXL;<
zq`~a9ijk-uV)!MZHv-*o{GVNw4E6I^3tLEL$(<|~kwJ5@b!kpo(Hc}u!Jh_yTlnku
zEHd25rTbtl-4`b@RVm$t+y|2H%3qiYfIzHVgJwRPQiL?M_%Hkg`Zm%u4&bj_ohv`^
zbPSs5ZA$mjT+w@rkQS)D>&J1J+9{I%orUuCr7Xi)0P%XEvIi_#3831LxYkLM|LuhG
z^`^8UT10-2(h5&D*C+RFx8Li?kJ4pd)oq+3_<4g2Q!5jA2ZhN6uf9&IHfV=yE2Bjx
z0##oXwe2x*EJduVvg%P*Qt*JxHI`ziz(0H5v!qnZ8yiBx8q8;>=W<)R#d=yQ>#i1M
zz(1#4(zugnoM3;XlONN`l643wl->qw67HOfP^IA6O^EkaK1A_854g`as`zl<ghPYi
zG8ES=n%{Low5rwr@IJ4&XE4rVO+K?Gq+*o8h({99YkSGm@=mg>n>Ehivd`v-fT{B_
ze1jOV&pWceD%D=;))!(I0C_^M4=F`lT55A}m^z)lDkWc?*A=?vgVh*z$V51b79=+c
z+nxv&CGQ5?K63$YDrMAt+VJadKP@a>2Bo%l<sxD!*qvrsiMiYQTY(2kzS3(bup{68
zW}*+VrOzG7rWBoltuvsmLxc(&ztGNX>v%<l>W;vUO)Ektzk;{VLzX-r!w#3iwch?A
zJ1>EJFw<P2Fa+e|KBzNbsohCdh0WBZrHV0wLi21>N-mkQ3~7!tAU$r!){U`s@1;j;
zf?vI!QWkAYf%k7VGMW1u`5MiUtq`6Dtr;%!O3LwX;|EfkVEu4<lb3Iz&2I~8GDm|i
z%PIH}#z5SeT=PJxNd%b&cAe&TR5clkL9dCF3^e1u@6kxVQ@AVC|G3SByj*BD{KdU6
z(6S_mTZ3!>_fomqBvU>A$gqd#tVjvIs%|Kp+}41Fy;Gpx!XWTt9*Xb@CaB4kVdI`i
z@eDKyQjDgLOjVS(ir;Jq@5O2+q~GI)f?HPFus_AGsKoqER@5P#>=SH{aGsxHh-_^m
zQ%ez1XrO`SfXPDU>fRE&nHq$(h5g!~8NvE}B1byh@XbCtGdvw#xvFxm_-39lIP#Lj
zlD5|$15}8Zw?w7S_svq|o7d{4hm7G>wfy>zX2g}9Ii)m+f5tMZaJ5Our~CcA_X;L;
zbyaN-U@jrO=SLvllq9BY-+%^V827iD!sP%BX5$@Vkpsuqa6|n4O+GD4_}|$<jr1Qn
z-(^@(94<o{ISBf^E2jr7KI-(l4Dok2$+RpnLtTulFP`*Z8YKt5?rvIY9aDy8LpJSv
zsK(`D-B_Z^g9^_@H87Bx2i)HzgpuY|`g%mPj*)_044v(sNnjFHl@Z`FmzC5o1Brr~
z<UW4YXmP-B<C@7h7y_JPLz^y8Kcw_S%8NF5(6bv=I05C8kGk(d2oWI5_mmJit+KEF
z6A;ZjA5zmYJU-*Sxs56U0553!>V^+;jq0p*!!1#*G78^9<KU?~66ghry<2i58SB#g
z$9dH4&<{9aU$sevTKjTF4$Ll2;nn#M(!;VGV*M?CElWmkJV??QpARqnWY5;<kUs0u
zpv&Z3md;r}v{f~QMNmx;qYG9iY|v`J2jTF@@slC8>5>xj)(PdXSnJ#34|Nz9d?e}N
znCAf9s$Zl-ckfpE<$=7xFtwvGh7y-$qu;t7g<v7KvF7CYcfm@Xn;b~{#2-UHFx94S
z+#d&1MqzXx3_hc4=@&-e_w`vds_>jjPjYXZ3c;LiA(p9MKKe7x!?!I1)@DAwmW(2L
zQemnuE9ul)K}`$1C<LU_mHCHbT9?L8n>->rXKf2XS7g#1n^E647Ve9v6N^7%e~>BW
zsNTZKjyDx@iY)#p(Yhjmlu4euk&S97j1gIMDDk@5fH?Y-Jm(|(TljN8a%}l2LR9=b
z<$qrBw|f5%IObZkYBcJu@`G)&IfFMS(!^B-*HI3x&92Ztp`r-KVXLlS38wixaLtBR
zzw^&>c%+?8X;O1?)IY%{<jn`^UvhifI$Cthwhh5;@~qv(6-8dqsUMAnblVGt&018D
z?i;^U#+I5lQY<61xVFx#;HR^(?qaRA&1CNU8B=kacVr>`7l~Bw@CgpUN=EwSxH~>R
z5P1aU$8BKlg%nMIRtJO~`}<96LB*tzk&u=plC=$V`@~~40sTqP($ZuKFND?<#D(DN
zO=m$Bb`8s7N^6j&VALbtzYTM>g)3Rk!DXe3U*(9q^H6>v7;~z1n@-a)5pzGRD0icK
zeHR4P7I~uBSALzMYQB(Nn4K=BW8D`=sVpg32%li>t_Atx>6KNO;f{RXn1(6;9{^22
zvcHQJ@;D6nt!9;dH6!2IQdKc47i0d1z^^VV?L!!O&z5R~S&cw%B<{=lL~U)r$P2dA
z5X>40dYfRM*AZ6QL4}bew$vQV+5mcYVc$Gf+kV05Q?}Gr%(?-3oB{N;W5xXjCy(1w
z=O9Z9LA?(!U#U3NbrUC#*iz3SD+QzeaL5;YlU4UooIGetg+f+&*jtJCymzwl-h`8T
zZ7Fs~tZuM(6!1BIV&&bhaB`PDl?k!t!rpVdXJ5<eyHId?yFFDJvG%|o2ctdPGFISA
zS-H)gYJyl-aIYNLvlg%lzl)Uz?5RG8<%fIiu%0!YmH0`lJZn!)1uQKJ_r^m#YZ9yR
z?OA!vo>~i72^ja+AwBO^tjMRZ@_{{d46w2T-zlIMvY!=spJ4SHd+I)5l?T4p7R<}{
z7pw9bUjDGB0s*Tz@Np)TS1Fv8`Cq)`*;DL@SN)N%GRSM4!0P;cUg~VB)Oa-=`MN+n
z`xsW~PqC5_v8f8<)q3QcjPSDWW2JsQD+^##*TJh3$oCV#`{)I$^;20n%&zK!R}YZy
zJiPN;$f|u`R<5wCCgD{e^2OS~U9k(S+&5w6NxNz@TsboIXM=WDuXtAPV_5mzuDT3Y
zsj#msvdg`V6?~guwcf7!1XqQyuOY7U8XU_izL=E-u&rItsy6m@gLM_pvzq^bm5c4G
zY-rU9`$mDf;BVZl=wD~$efz2!T8+ZK1(42a`;?Xa{hTOk?5l2QwHW(;M05rBu)@EL
zlWkyMPeZHS*moGuWm=HTD*tFs9<s5vqt#{XyNTukMn|*S--VGetv1$mw0eVmF<8#=
z>0?&?vlux8Hg+IbX_45+>42Qo_zElkkiv*+XR!xXc{BJIz;P81vj*58_}me;b}p>S
zhJIC0T*Y5l3-mMcxxG~zt4gC^3kYX5ILMmdr+gd*d%G7_RYSkN0M4t!Mb-xY&Bpk8
zn`<^!)knWc@GYSKJ=O?sW#eJk+`F-=CHgG~Zy6`NWUcTVF18KXU3ajmBl>NJZh05R
zv1WKM6Vt0<cYnvK-spD<xRqY-WbJTE9x{K2{ha`+hM?b7)MnM%%{t-)7L?augXe>)
zap-p+v)NmmWG%5vuy_OP@cK|S9sOP+Hs2oCSyQZJ;j)-5)(@%{qF(}D3m*QIwZ&gK
zxC8e1e5hK5eryM8MP^5_#`w1Jl&4{nAAqVY@E3^GeA^vhz3~ylWxNHu{1H^`g}*E~
zt;nnwtUF$1v^l@PHjgwQ)p7XC57L~P9bgUeID;M21{*ykQeA+*QV=c6%s|#6cQe$u
z7htQGL8@Eu_dY&zYIcTEaswmnSPpx=9a24pzdGnF%ZxyV$#9x+lxv4zvrj-OKlu9?
znmIK)%}CiG3_JUK*zTK=>I?j}17=xf1Tt3o4Rb^*?DuO(6$*c!qB5surx`9kHOSZ{
zu;af1m1c#%FECl=8G#I#&lzL464>+JIOW9fKN65RH9gIkd9x9wJRgHipC6|Z;NMqp
zEbEK_M$I$jQ_gIGZQlr|lH=c8EauYc90TV8(rxuCZ2TcOmGQSCa?cN9=-f=QaSw%H
z=P$#lT=+K|hPijR%IG;(t|RMU@1Mk}BKS8GgJ}hqhA@1#3z;|i9CrU3oGOcd(-D|g
zx7&=MB@$)a)Cb$&;s{gK@oy^pa;Um4oH6tVdG;-Z6EHJOHNd~g*vn9AQ2@i}>$1#z
z6VAY@Fx3qICIK%k|Ma(vr1!~@epL_-!R|2C82`S6U0KFFVKBW!iUUgE7@P%D4e)OQ
z=1Mj27USuW5^VSZ9E5vesviE016+x^o@Yqik!<W8{csXKfT`N}HwJCFw>TKXpgN7}
z=oN4lhHEHQ1OG-rEytRh!WdQu6q+r+hvU!}rK;lJ2%Kdowd5-!>k2_R@v#t`hb2*}
zGX4z%Sz7L?Zy8+wCQ!~?4JTq7l&XM#Lm*bh;SU&JKhSSy70$$QC{-5!2H~sJ18y+H
zKB?D?7h`ZJZa}G0_%{Gt`S!ZVD0`hg=~r~Xv3MD!O5ooY$SP6i(^kgWQ*_y{2oA<C
zC{+~ydci91c1O$%wfpEWZz-IO9w1c+|Jq_Ij~4r)7;QI9YRqkYa5&}#sr>lY5Ky@`
z+!4WeJE$a)c1A56kM%(+FaA|QQ%<!vhBD+<h{O*ogadLQNae!6Qc%jF%Ifcoy5A<W
z`)_bWE&-|R_?H_;8OtpRWZ?ZQfh|6QL-IICWx>A?5M?Mn?;~TcwmxOyM-ezBUx8F6
z{Ieq{t>E;x48N;0g%D%T&4+{1?0`|};V*{ZvzBY(3x?nyu6+8tHaIIYU{o6TdyJm4
zjC#bsZmo<_DdF!bbV@hmHviJKD@G-UzZ1AAW#6m(tJmoml@$K=f~KV1&+#u{cVSc_
z`1=Vl`E)p8;a|dD$EXDGw*oGCwLTcbzl!~YQC{#j2P=8C+84#Yl68V8cla9*l)PH)
zi{f9*riUmO_#23lf;;Yy;$P2}fhZIFb%RL3owg_OFKJsr6osK*1AG+RX?qf*+F=;=
z0sY<qM<JbeBr&jEj8Tu#FC#Jv>9RA4vF!njx(t4a7Ay+wx+|IC?OlvI0)BT06Nh%)
zmCOkD8%AvfzoUpKL$}?@jB?!|Y8m+b0EaSk-;>NhH!DO<2fw*kD1E2hPR6>GAZj@H
z4FN)aEq_j6xZ570dVt?2D9Ee9nrKG6qamsl_|<?w_8LoGGU#0aQMJLZ5dN{s&wj+X
z_b5b_0l#$Ur}(6s41FI#R9@_hB<P!O<ON2*AsRxZ#l9=RCu{%XjDQm$R08b#74?LE
zy3frRI5$EWvF|&`W2?O(kzsHRgrX4Wn+$lej=aT4xC=zRhrT{&$I)nuld<qbh<XTp
zb+AsJFCQ`-UI$SZp)VKE@ou@-&4BncL>)rDI2+6<GBcbp@e7FBjC|(_<N9|x%&<68
zL#QRl_anr~F!?nj<0J?*75TmbI3Zs~F*YuMP(zWg6TAr?AIa#rE<$xfzKY-`Xv{0d
z$2}3MIr4=<o4^q-86i(YsItKKf`Dzn&=-u6HzQO!;5&wEyazsKlzb7P94xrEQtL^Z
zFm1++88fC&NpqsSbB=NHTZE!_xHm%A+2Z`izpjpA#7M<QcO5&!QQ{bx#6UShL#PY5
z*IdU@cDTO`dd3Ux+|)5r<OE}7cZAxAdnNUoF;^}Jq5qoMj*vz%43^U()Fjw*`{_1g
zE^h?!(38`hAD_7xEf++n&aiiv^jhWo21wX>>o{kJeKzCest8pT_V(&ETlygB>cgEJ
z_KggfTOm|-*ju2}C|3<Y+W3R%jty%*Bj&yc<pz6QHJVvJL+al*aB2)@$UG6DC=m7D
z)n_(e0m)nTbY`?+%)At$Zh~Htw>Gm^8>H|5mlLCKJZRblQM*9zPts-g?uP*f4{%=C
zk27dK2T`*@Z-p+i)jAlmXLrZNP)5y<AgT}O_0?qNu7p85ws%+*ON32dAgUhdRnlY9
z{)Azh=Q}I5Gi<gP5Gp_Bxzp(}SHZx)C{Bt}44e}pR6@-Ai?rBH`;3H(ofK=4Qx=5M
z!XR&h7Nh(ILw9fFoXG1$P9+eE9zos^E#@K^{0GG`v51j#U5Gjid3AJ{v=v6fiB5^k
z@zALQL@j~53_8s5FudlJn9R_52t*A<ynCd>{%t($>WoMqiJfLZRAa>ZMTglP48G%x
z7{=InEktEOym30rTO5SuI3XO5!P7yAGK2!&M;eT>h6CK;g!q8L^HqqVi-4CygV`D^
z{^o>Ojh<d&)Iz)qw=|fmdFan@J_N*|rym&A0q=ex4fb;$u$S|pEyHIgh$@J8UuZB&
z2NSnAA9moU<Pha-hP%=l%zQBUt>Yn+6F=pKD7uGs5jG9xXf9Sc9zJLMTppv=q1`W}
z!QRFN#ycHO0H`Jy)d%ec=rHfGv9rUW5CiD07?l_8-qm4p=xXv;HfQHcaGJwm0)py`
zQHB7ldu7*QTF5$L_@_p9yR*T%iJ*pH6m7%0Eu_JY1$hb9+er7Ev!NOz=+Pk68S4h>
zFbn9k^+m&EA37VhK&Z(el>zI@=rFs}`PPSevOgUSg&9K60x9hc(!I9pF#n<}8zGOZ
z(9y6MLoEa;T8VU9Nrye1u3-cpS*4SqOag{lfl|$pZjcspC0)k|8d<%AA?IVp&>K)H
zVHD7n)ne|Xi;kd@wKx}oE-;ARj#9J@=OXP|%+qB3kfzJAkpC#7=zTC%1?RSr7W*by
zvpmBN1;?N`hS5i1%J>fE2I(<hkX4VQkwI}Jlsd&g`YcS*c$j-nkI~3VM#`d_=sd8h
zY<4q}zJgQfQ7+P<$1Eqy87V-wq0_+8@&tqF+c-rhKyEwfv7KbTk@D!acNPTozr%3)
z5m4ndW86SJW(>&HkxJ?Ia}pF;7|nqC6;RP+jLWCTY)q$(R6}=+W5C{cFJo$dq;h$N
zaA!%6-JLFbq-MHv9Ri_)Z!@Y6L@FwSaAP%@qv=XV>ZQBZ5m0Jb9OLQ`sG{`%S3;Ay
zh^~Gl#K`Wk|GZirVrU(MRq3MP?YgDO+)me(Ko{9Fc3-B^4;ft>po$j4+f>qImym^#
zU=!J!_FnlliHxsZu&OS+mDgoHBwL$EHQCQLo==Ap46(hjDg(Mbu<0_($f^@5A?r}=
zy0Ed&7-T2IDnlr^Eg(&Ha-6I%kz6utY0nj29M3R24OY=baI2}yECRVdku17%Z8)p?
zRz}*H!D<1vy>RF<chjkfsB|ydZeDFqGuF-lR_(EE1?jTi(rJnK>GEy1^n>m*+D;Ev
z8L_RQE~B*3l_b(Y7anh?<(d`6csnUr(LH2~^3`QF19@y95p<K`Wc%#B4NgYf9%wZd
z**1_adjs7HBwR@Mi%n+x_z;6`BU<G_wpO}K+A=y{Vk#Z>vBUg(UuV=EL1?YL!nK4z
zUFLMqXC+o3LGf7IEAy8x7<Ye#E1HIDTS=2$*dak(Vx1D;qfC3N_=-eE-f!_L2d;J2
zV$v5bjf1{7o){V>K>j}Vl~rRGgYPGJMORSGnL&Tq@S;zGkg^y_24nyNi#Jv5D67#i
zhTk^<s}rjIMmlTyCWl_Sq#V+!$!Kx_X!-M#mmXYv=3%>RG(oY6?5)o;06zy<p5dU@
zK}%7l?r{8#FaA^=g53GZR7sQgKzl>>hmT&mXue|Ocz3(b5c~*W(OOJ<?XQ<8n;d)R
zdw<pR!;tY{GVxX;B-r}(9lI*FjDNoe48nIJRvAoNMEdBM1Mc~)8%8ce(yF2U+4S;J
zW9^poBc3x1UyoSY3rKrc7a4cr`#mtaFS$Cy0qA~YmYtIEt4IdoOAw2OBib3#L-+Zp
z55^C7C5LJTfPp3R?2?>w;~0w1f~=GlK<llA?D->D%!iH|3&8NhnRZCQ<w*?2$3qq!
z!n3$w4P^Uo!DNmey*)etMcdmRr8c-2jt{}ChIsZJX`jmCVKBKWrUz6mFnnX0tx<Lx
zBl2FD<rD~KRke=|egK<3=-S!O1@PlE`=Y=`#^irs7R^DkYnJYD*jli;Hlz<!K2W`x
zO_60$GK2DFpp^^FhLGlYRTO-x(7B_B53JtWjtH6<!?3(IXwh{nOU|r$+zCb-hxLMw
z5v<+OcJS#R&cM7PYIVS}O{90;1x|~ge>o%Q*v($BwZFsAyclY^euc6IddJ=1GyuZ7
zFeB*N(nhfApJQ;I5w&Ovl0CF*9e04!t_}*QoS<;5ZBSu9!*dtdN^JqMiKKJ>3!KIZ
zL7UGB{%sTF{gLtcH^S{5IOfiybIfdJMFnwRJtsKc4hWi($N>F5aFxcfy`*s}UxCwX
zkT>>l5}arG*}FYuh<+Hjv^y}?O6Rx~oR$vKp>%)|ylC~+ILjb?1#nS&6no*Lam?=L
zq;Lo_miI9dns4dl-^4I|EONO7g4k@*I3ES0xnamz+06%DvG9VXB{EL$h+H%o!<>0E
zj;Y;@_+pT?x|xsgCRUyO(`Ss-t3y|6GlZ=tjq@(B*^>i_I}6yrixyqY^NiK=Ko@O?
zu+kdGgmyM6)<AAG%0+9M6<1(0qxFQ?RSLoOkj8l-nC#M`kbPMV6If`yrJs?+X#Fc;
zw{{!AYUv!G@(|IwV8EC!$iov>o4x0A#_Jcsi`wDWX-nhC=;9z0Xn;YxwIL3wEVkMg
z7_qNJFXsUGYDF67elUKUx()^os%^%@R#sZUEsWU*q8Cj>uUmGV<6)x(1KD91JRB&G
z8|@P7EMQs^gZA3+mC_7ey-DZHGg72Xtpbm2zQVAf-n7gb-DTLG8NO&Mc0KpgIWj_q
zS?$a11E)Q?YDu4AaxJp#KQV5PcEGO!*fpAT&MjcTb;|;(zY!eA>jJ8pmA9<1D=t}=
zC1&pz#lZa$0r)ZGiV4*^4w5Ods?ewAt{8wBM%UGq<^_D3s+RQ2fC&~@+0zW&cOzI?
z<eEcT=jl=eb5$+3a%~Le9Iq*tU}MWGaITB7`(y;uF5{Lnm)>z5T~w`u*@tuJwz0UZ
zW)B&?*F`X@jazF-?|h6bUVs#^m~K03EB7|W?};JI@Bp?-Y99X~TZL4xKTfuTmE|=g
zmht;j!tfTTwUac@=g9I>f*{Cuwy-LmX9T|z#7wV1tA_6J6j^ObP)xUzWflC5n<0FA
z5TmY`b;8m;9wUplr2xyD={B>dthP@X#Aik^=TDH;oOI6z$k1ABYD3KhYVk1WXIWGE
z_b`h8qM;ZKLaawd__&-7@%n5vzpS#hv86L&8lN9rI&<#Y!?$7lvpUHr?@{p#<98E`
zdj<hk9fHrpB}jazy|Jn|N6l^Gs=wmWnR7Q@NAS=7gCumdD-7iO;}}iAtBV?bY#~{K
zJ*8Tpo11#IB#c;kNj_!xmZ5x6AWIw$SEUF)GouFiXSl%M%f?{7Zw(B*ST<Rm!Wqg(
zI06~XL#zFSpvw#dAe0~IXJCz1I1FPqlT1bSGnhY1NS-<dtE{;o<Yi+4=-1X7Y*}s$
zhEFDyd?zL`nx6<|v>L0{5`>;+I3SeOV4&P(VDJ&i<T^JP&sWE?EEc4SN`oPjhK&cr
za;pqdRS6asNTkf`7|>f2U>Pk#s#yf0-*Et-xXJ**tT=eAD2;4AUNNG-Phg%r45xl1
zLXnG^K+M-ETc8U}J~haqB1ak1FGe#Ohf^a6MQ25s06KkfnL<9W*@xt?)iaJkeM>m=
z_<~ZO++ak!%LY(YEzg=Nuo<2}4u$=~us$7}Q8$$8MmV}noDU2JWU1-|pYury*L}jU
z{sG~+!!wL}?f@j>V@3cqE=5HT_zd)sK|Zq>*pC7<YJgEq2uXKh1qHnll=p$r&Ln}0
zoo8g94bimA2zAo{CE{gPP~S;b*$+l<8s(4GC!Uf0J%aR-2vv!&bW%MlC<_y<YXzfG
z1xfm5+Q!&^1g6n$d^%2OdSILt1ZW~<;Ith{-+E6O+-Cu`tY&yB04L&EUZ9d_;B*1W
zUf+3)?(Y(+FGi=Wgr}K5@PZtI0&sfHLH3lm$nbtRtR)M@rpSzdA|?cQX&umQXf-Ei
zJxT6bpC>TB&kSoc8k<HFq)uPP3RK-xFnY+9<Zk9&4DfFguDgFirsvL>A~q~$Ww2SN
z`Y<Eg97*mre9j1eD6mmyWU54{I^h#ekgZcb_?%)Ssp~zDF@8p5Gd;njErhGe-El@x
zrAsZ?{ML}<ZnmS0@oy2d*MX(r<iH}t(QS<QbP2F=Bst05s!tf?55YF=JSz1fY@PEJ
zA6+3GR!5l#@2Zj1wZ3pN%Flppl*f!ow@lz7#L;zJAV&ucEJiI!OL8}0J;VGPgznQI
z$y%83b=<u}OynmQ>Es}MRtl251urtr9|Ui1uMlZ5LF@*1HL(!sNGczOH=pUBm}GC`
zNCx`p;Ek#P(&q#iBSgkYzl4kjUs3^secsZ-horB45+nUf1n`^is1*V2gnvDr8#P!U
znZW_Wn4cY(*({w#5;(&ihWbqrE@==Noz{@%pW}AF`1x-NTjNG)N+uVwf4{S5-iXfi
zOJ#N>SzP8WL;d#-2uB^jC^{Q~Zsz=LcG>6PqfWi##s~iWQ>#R1PePR^<iPCSb@F(V
zbncSCSbrEnyx}YsO(G25?6v}Fa+4^P<k5`sjwGdhmN3|lNQ7~eH42GdyMmAqV%z_Q
z<xmrg_sP(4XF8JAIZrU!Urs1L28n7C5^ubuUxxC;>LKB`GlaCR70z%!m$FJ5J9);m
ziDMM&!08DN?Itju^=h1MD6xP9zh(%l+8XL&xPO9F^u}jApWllSJAZrln3<LUm4TtK
z)MzBcB097sq|pt{7glx9CI<X9lvDa)FE>KR{A*@d0JH*y1`;3_(Um8(jP4a-RTsU=
zfd8bXn6`Yh33`V<Jwh4v`FzHpizY-`LKjFRI!L#hRn;Pz0lzsXDdjzW1#Q{M$|#ST
zLr`c2Lgdrv)I@4P-lAAjj_C~f=aNd^`ZLh`_8#SFM-iwaLGp%lS&3xPeJd>Kuzd{q
z0}?2tjEAC-@}rGMb(B6FfA(vbB)Z6o6Vd4IwWJE&V9ei<)bSR%khSB;Q5_9}pMazU
z%Ee?&iDc6qWkpqc$(aA9Q5~Jz2YKTUrjO<v?x0UyLgg>XB8e2z&9<Q0Co$+RL8>_8
zS;+m{lu;bzjl!N)1j|dv(38M2vPNM!TjLn@Pa#!2=_kk@m^6x`e$eyU6PFg#tx2Gc
z>`TkZXEme#!$ws!J0J3^6Gm}{W58oAMYw!CT}=WlWG`Axp$8cCKTkl4c%vE^@sIJN
zH%cCeJ5vdm_oXXMppWcPiz)v#M*Sf<ND)t424lWCilf@FbJq!(wxi1%DIO=g&04A)
z&al58DdKS&jC%SgjuwMXR4zj1d364fdO&`KrSwq(!~U_Pir<7`yEh%hxjx360R+wC
z>9moW>CUo}+B+Hc?>4BSGhyIB#^{amMI+7`BQ_}^GIgXCbVplAeHr&}cOpf+S&xx$
z{V0z515R)n0_Qd|ZKN`~{VXGEG~@miMpDGeUodp<Mx!{xF}!I*=v+hQAE|(D2dl`M
z#khaEMymJ<82rDZI7%LfHaj(V$|K7iDVuI%i^#EpasN<_RPoGiqs6ux#Zeuw`ILy@
z`B$={k^FR1tRbIG4EwEJNgY2A!+$xNqa|2Vjqv#kvWk&>beWb=z+Q&^G0jLFZy7co
z_885%K1Q0c1ki7j)sLi+#T6?k<QT*LFO^6ke+~v;8_iL^Xq-80M5yP<T1QgJhJ*#2
z@jS!+lfI;ocLj&t<41GUA7)<r5JEpp)+<l91r&OgQNLw`kyP>vEa0qBo#8mhMCK=m
zzKtv<Pn-3V{v@ORccn-vXRhPn=TRLc55$;ugwa=$Avl6Y)@1plJIbhkUqVvL$Aic4
zlu;ekhM1)U(r43^k5EijW%c;)XV4$rTO-B%851~dbVuU==9&{q{fo{&!aA})EFRxI
z4EkRbB-K1_kc;<5d4~P)5}2A$dIvgneL;{fwRXI>GUhi=btC0`B)Du<Mt9`(1Y9f?
z38tsh<*zS~?kP*h@e^bI%ehHGKhFlX80AscU~CymIIVP(#j5|&-As3*m1AGWkpFuZ
z1F7h0J}w&VQEh11V*o0VPlk$G43-su{%8xwwt^x5=47O#r$fd8t;E+X!CRv~8VxMZ
zy$Gp4paXg%ka50sV|~qt|5X)I)Q8H@TmzssLRT{SGwgwtuv`Sy56B>Ak7C(aa~SZ)
zOmZbveTxM3LHtvt8_pQ@k>_JnX+~Im1{VQg)moDo@L$M5>iR>vSOwPGLWgZef0X$L
zrpzU<-i(VEESoWm_x)NJNMTpeX&AAZ?o<naYFH8Ff+Jcf?M$3x)eL30|6{NVsqBm>
z-KvpPx(BQP8V)E=lM`Hj&qI8MMbnSbzIj1nQrjDWyb&WWqx;+v(00N}VpYQH+j%Gv
z)@%<(`+KvJ>fW19OQ1haR&EK9#{)EJOMtx@56@XMo!nsWW;s&dr_kjmfHh=mtpUmy
zgeAjB%g$k87fYs%i=qCzRt8ew*U{A_l1~;(vj(WD6-mCa^sMVR@Cz%psgsd@$S@aD
z;!n}_CZdvImPJ5AfMlD4^z7LK44h@fG)Q8gZ&{p_6!`~a{YcbLx1Cj>ZG(~10i<g`
zW4yIvESMSz4D`2TA!Ys@*~)|p=?=CE$n6G*+{r@P_6CE7yIokXg<mnw-<O9J`mbcg
z302dbZW&P07Z4Irlr-*Vj8-+qdI`J9F#kkRQtE$`<s{Tfcdd0m89oC@VpY<)XLcIw
z5MjCc9AT7ysT?Wx09hcRFx^8I0u>0skJhAjFE-XvVYyoC806osp^<7YAoC}LUb0uM
z1gaE+9z#g;P7fHVV~+JQjxqk@Mg~&vWn{j@8p*!26sQGwEV6Vjv3Z|?ju)2eCk*jl
zw>6Q9UrweaR!){>El@w`*y<qt`%>flM_8^^5)s~qZjPkp>*dNNtFahp25_7VAPrpk
z)+oPcS}p}%Fuo5Q;7Y1~4VjvlkF3*bFl>a4+nGrVpIvQ?n(4x74Y|hf{@XB5QupiR
zQpqsJVj#z3pz*RWY2q8z8KHA4VYPbiXLSE<geR%|9=SBS4Xp<9xCt2vRY)7(q*1<(
zeT3C&eaqlJXoMH3{b9MX>2|XmDCtYUaJ3|je2X=*t=w8zt|J)R2aWI|#jk)|ORR+M
zU)BR<`~ny54y2XO_sdl@S6Hqs8QKSp^djXyhAu0yI=Ztg2r3wg7F|g*&wN~_cP0zV
zwPHN73mWM~063Y>pIDIYIxB)I$6!Sd($9}<mu2-)!g|f~jB)+<QQicBv*@xDi^a(v
zvLvV_RP-Soea?SEGQ?k>BCOZ+ml@W7ALUITxFKC$V(27$*_xmMK+%sh^-bT5QicD!
zjj&+7_A;vfKH8gLa4WjPBpS#*wJ2yDObjG_eXBQv6g|&uB&=9#F@yT=qrC|T_oFLL
zqMYnctAa*@#4ys@GynBkn?Ci=A2vo<vjZ8^{}|&<P<RquWfFO0WtIhvgosh3y{GSY
z=eH|ji42y%bH#RwuxgvQA>Ege2?z|Yq+6Xt7Fn}(LBjxIJZbV7b9Or5z=IAxWS=dj
zD#FSw8_R(HMHd%>!~5t4lTgV*igiJQ;o&Pwm$QnqJZ3z9t)Y<s@kO!$NQTK41`Py<
zX%<06$9{(M2g_&#iJy`+CF7^t%*vpC&@kH~tT>s$e9W4hgo=K$ie&QX_O>*r4=~KP
z2rD*XEFUr>72#qBS$;AVbf;Py)DsrIwg@ZciGXq+2YVAR&H{N>GL3Y%TO8C46qeZt
zEBc&bApiIeCxXTU=+tDo>E5t9s52ydYa_6@h;jU>+6Ds0%jkT`V3_PL%Y!-s!W<ic
z#deJ1zs|@^`1mYcNm47xR#_j^-iijpECP$gVnE!5md=EbztXiOl}{EQYkg1~D-<}p
z5L!%kg%SLZ`8f$A(|gH!k+epJZ7mRLWd(w`MuZlvwG7~|wRa<w+#TeV1~|?Np%!Ks
zh^Rzxu_MFx&}9V(C~u(iCs#;!qa{L>gF)b7ae|9^qR`vDuAT&yU(l(^HPXFmjZmKV
z5O6gY!A1K)hVBt-ifM$EX>D}5$wi`Mr4|XLybA!w!w4@9X5{|3j}O7+fuL_l4ozh7
zsTK)&9#eih0|+mcO2lo!%Zh0Pm@m?GLdPO99BGx1!z#tM#*6Tx&jm*9CtJD_WTv&y
z<>}$0d&Dv!ZG_UBX(PZmoiY3C(P;@a4+6cahf4RibwboCTHOsM#8};p*uvM9GZ1cm
zBtfMf1$2XBEEFpLUC}u^5@Jk$kMa7&4xWUZ^P_YF5j{HNWH`!7p&WinF0KJV##M~g
z{U>K3@O%dJ#n82$?h{Led~YhamlX*z)?%z4wXK?o&~s*w1gbthy5Z@T3b`LtZdVEs
zWVD}$YBzf%BmjLG5|--Yr^D6O3YnHDwk<(~8GABL515^sAas|Q1nXk@G)b^>oV7yQ
zAf-0mMwl@;9Hp7})pH~a%?Ln3A9QY`!`&7OQIkkz7E+gf)i{$e`ojUq2u2@=j3s*I
zNHDaI)k686E3)S~=vR#elMq_)(!v_y=+TgIT}&@c0<>>qwUF0#C3ZLg{jzZ@<MRt`
z-3Un+_DSJ`-pge`*O68WX+5LW*AyfDvav3s^MIMz2upYEf|Mn?#kyob?2dGcg{bfw
z#TDL!e%<J}gw3o+8#xh}9@z~k+hV%GCk0Tjm(@Z(`;^w3yz~plK8(!YjZI5vs@xcZ
zoGSFMlmzkDW>_qw^*5`lQ;Fyojv+5_S<KFAMuO8#eukujK?2lC0<61gthGW^;=QVx
zW1?R<&S6yUKQtNPX~s2ukktoDRT^ORb>poSN_<2~MYf?|Iu=O=Wp`UU5}u}?y8_b2
z8%Wxt@&IdZn`EhwVYo#-y)Q(+cHGX8{BT8$@N~k3%OP<-X!B(Pf)6aPQi#faR81F>
z(XSmpWI!IZDklNz?yvMf>QbT{xc~&N-M~VjWT({93`hF4qt_KY_HCjs!D;%!N6H|1
zIf%nS*?{Qp_a8mWDk0-It2+8nk$&~qjnVjv?rsF8$|h$oT?gr7)l^XBTW`Z>cbs*=
zW@D`nq6&VhXjek|)uZ=aF!rvck)U+uk@tPS7KZeJJltrE5!;KufA!vr7HyhtVUWin
zB^1^{qhCJuU??6k+?7C7nYHk|2j0(F2g7y;=}=&(k;5x~e);B;cA98O5S4qSer{x@
zUqAZXM`D&`$p}7`x%-@P+si*J>xI!Z$XLL^$h99{zi^!OK<@Jtk9CqG{Q|NN1My?I
z2sxDn$KLVZ-&YKS$-1Z%jbTRq8T##pEv*KkQqNV++cNYkNZ&^|>|r&HU~}3L5B%H-
zR-<K*Q)T9#HP0P3##$iPnO0@9H39t+vLB=HFI`Lonp01Ivoa2LRY=<3#t(q*HxEv;
z5{QaDQ8OW}HTor_{}U9p#)~j>?yY}Ez;RJr78Hj$0?>5VWGjJOrdkxt<qY(T$bpQ(
zgIf@0?)**&Jhyc~-Ylko;N4R!1fs$ZRf}b;1N|a0;28$Ho`E3qfZxG&v=lO{Tmc<d
zrCSK(G{LM?UY8&Vo4#Q8gO5G)l5<X2wD-2t{)b=)L-1*igqWLs3%*sz9bgM6Ut}Q=
z<-e;?)_aj`op8iMe-0qw#`mw-R{5WRz!wPYa}`3&%sU6cw-1tsOZfu6+|WWG$I&s0
z#J?fQ)*WB$hOX@|Z1q0?BN%`mOGb#fR|OdNL;CJ|#t=NiLLka>ONChHd6HZmb3rx;
ze>y77;TIHvzhVX&2r<tOf$^M}d}ym+4ES)mg+LC&qm;+Zf+Sa!GaEr%bG)-}48!lB
zl7yJ)Pl5A-2#gr=bA~kwEd-(**VINxZxhMY-LfFzCmT5Uf?vb0&v^(j$9x0Mi-%!Q
zEy5W34z?1=G$>MG>`X~=b^I%FNEy69aqLZC^zE045HtM~aPEu1uq8ppFnENOK$Q8Q
zs_?5xl6CVENc-a~hhAtT`g)v_5L0;>j7K#XdG!j$5IWvcAgcaUMVP0%kz_rl3lcYM
z=ggbL;QMA`g3JfNcy|$uJ)p(-LgYxfK#l`~mBZycBwMe9+?@v@URX5vI_pJ{c^VjB
z*$Bf|SMY_tTylXZ*($a0y^Dcl>m`sq)CBORGWI^;LXf#}H(zmIKRC?lWDC!|B?D2R
z%L-vrGLo+6#ifI}2Hb_lV6V*%1ewaOV7svtOm=3)x#E2W*+7O?9~8lh$|PS;jKP3m
zh0$&lL+_<V!ptkdbyOV!pB2?y@j&T7<S{u)0Yr~?A^Ez?01O$B5$pV(L9eX_!pzP4
zxmr;LR^!>VOogYF4@4RF%0BD5bR=OX)xe<F9iXl!Bk!}$1e%|L=f*%B?B-Rm#Cv1}
zQRPQc??7&nvTwt%qma&i19?62A<*19&Qg;<29^t#al|#G1UdBiF6}OrCOLaHj2lw`
z=$bR|{+NbP^Gz_kCMycIOG+5Jp-Bm%B+IN)?qMB`<m^Vh2I6}rn6pj-uaJC%nj3}L
zi5F)_!1}VBA#S*gq#(+FLB73hXCzts8VubF=BhL9Hdi6od<x92Rhz(npT97|%RXsA
zTC?|Z?Q4H$lD1n!jP)Za%IyGN?FcrNdR8KN`7xMeP%Do!!kMH6k=yu4c@{p=n<Vc0
zF!&mfE6KQfG~wnp;B%cnrx&K$td{h$F;QX=C7&B9$IOd;N#^blHyY=~xbJY+N)0$}
zVj^CpR>7242DFMH4jxJkqU3WUCD_(XBzNC};SWMw&Scni#DReG4+eUR)!cP3^GLPN
zS6JI^EKVyoh?38Zlw8LOkmQ{`Y&<TBaI+Y7-}NBi92+*)P^IQyiBxg0u_T~sxs~n4
z=qfvilFyBlSVzl~^t~Gl?gF@wXw(&yo{)1h7__fCN6jj2MQS=wo2O}ojbXX=%MYUD
zb0Xzb^y*wBe>2x`U`~#2BN=tqB<MU)w!YeYP0g<8Kq?$t<;x$GC)`1T5G9`zDW8HS
zB_|nt8dw|wZ@$k^*LcFtv!&@Q(6qdoZlu~n1=<=(IF%G3N<Jq-F1_mMPICAM9-e9F
z)`LO!Q6qTVCPTEw=Wj#`U$IP%0+NKtcTR*ny3)`{l6X#(2hI;}_UoX_FA;&~b98-b
zFH-(MiwxDI36bxd2q|RUT|y&id;^%A3U199b4L{-^n8<SxC*1eK~;h_5{1Zjc7*f^
zUzCYt@^@VLY1noQbaf*5{E#dUqeP8vkW?Y^ogE={K95X9Qdw!^f{Q_0DaPEZHT?LR
zEHGLa?j{>9S%`dRhe(@8e>jt5-V8D}2c?(;Z3{8iZ5P59-)I5FWCNrNkw@1DGRAtK
zx`Cwg*)nK|YBIdjfXzP=as{O)0R4h2d$bT~ChH+#h_upMVkAqz<a8vXpO-)bfKmxK
zC$M#9$X$~V^i#6l&?rF#c?T&&M7|^6OOy-Eok&irbm6vt)J7#31Z;mmuJHt+ACe(w
zR8U(2`c|@r$W;G?90^&Ro1}FUT>$IVBshU<r5JG^HDbsTx?wex@^xzwNLWwa5K-2-
zKcvU~Zk{Bs$HeI>*Vo%e7ixmF>4?ie5n<>JbU=fe+myPs=V;5Lkg}-MA#(3@S7t<S
zDyfmo-V)>$7%@P{1z_zQ;Ift@5ItFjfA%fQQnj4Y`e14_)K*_nnC(+le-q?QBzcIm
z5*wo>#hal?Npc@Sr;U^^L2p#c#DIG|q3CY1Bp7X9QRG*(+{)Hy%F$A!X?Z2pO~EjX
z_(_vKM3i*cTlru;Skp+-`%1dPks@7m+fc17;JRdjkuig^B^qn1^s9v}sX@KZzq}vD
zK1g!dROhH%2$+(NWcZVGjUyq8&R+wyukqIRw1lI-7-z(ua-UWaF|l~Hmb(rNj+I12
zlzF<JG`QHpiRAdFWbse}MRc4F)K1~8Mg*j{8g9J<g=$sIj3R};bzrixJR;JH%<z){
zp-b|RG|wk%MS`&)T}w>!NrGF;2uXM1;h#PETD`dp<p#RJ=0}rEA|kEG3_r0u*VU6G
z`Z}_*M376j7}Lrz+J58;CCUmm{#m28m_|+3063ja@>we~!%x(1^iM@neG<t132Aiq
zFl_|dip)(|`WP!fyv)~W0`dG3Fq>0C5s_A8hM#yn9Fd7+`%ZLfLX~tDCq%Q|LR;Ml
zOt)qRKsc|IxdE*a+}<Q<treN!CsMB_<<dyLA4TU+C^AUKxe@IH2HSfyG!Z|s17KMm
zV{5b?@Y_;e5s_A8hMy2wFO4jqk(585t}G#x(ltf2O<?O?LW0wyI0EYYQJ%_jqhR>D
zL240^R%C{s-~_C1mXM_V&2%k^sdVE2Et?Z-S;`Qerd6{9G-vS>4pf2X(j>vPB2%wh
z1jTxFbYTO@{3pnw@x%)0b^_XH#@b^EQLkYNsHkSf-vXw0ku3MFHS4xjG`?<ZnV4k%
zn`G;dcu$<{F`n7(V6F2eNSWBc6{1=nBjr`#Ix?d)``?81=RXjJ==0->8c6|uLspvv
zR+5<=;j9ir?V!|zsfV!zv}JR#ItP3YAnBf@@!}`CFXrNeims#x17s!1<dShtINOM|
z>JzHI!55I<!@+<$48Hdn<lFxyZ@&D6Zi~4zsj?d>#1&*Y$*6RV(JU+xYAq&Mow|lG
ztXg5b(k3we!kgrMs@ALD=q~e>DOKD_F?Nw@$z;=wL9;IyY2SCj6>$t_7zh|_P>X}{
z!Q3SI)3sm!)T)=h9G+Oslhk7-$kk+4&}|1Z>k`rm&q2s~8)twPF;dwoa2`LKRG?eo
z4)e}@(>EUvjH{DUBQ-gXPD>^fC3^^FMHp#!B5Zw>HI(%lCalH5dE_ji4z-lkhi-mo
z)*qJVdq&mtC6&1|T~0D+Ad4|!Ss$deO#>I@CDu^cYmk9rus(d8upOQAwV8P$KqtgJ
z+A+Ra9v4!chtZWJl}pB{uxu01dgD##nzocRRP-65vl6WLFA_GTmaOuCb$6m|nfd0t
zX4xG{k)BCco0Ljd63T25ILlm&@HPGZIA^HnH^ACDu%5TIus0oZH5oW>_l?gsC+N_K
za_*#37t^&T6`*SlWn~y=4<(3Qw3aiJ_e<Bf2AoIl&k#1LbB405hAlpD_nQp}IyIwt
zHUp{Fhsfg5q-yAfK-plNb;5u#V(wp@p)?{{XDc|b+Dq84Zdog}AHCw}qma1g>%GG(
z#&)WaP9r7z3RxGD9-vzcWxHV37hgiz^gD(agC<!%81K0$Q`oqgcdly9I`$bcdH(8c
zhtA!6>i^yRQ(1oaKe=&w|E6WL#t!V#vQC8}8C*#1eooeq96HGkBAGoJW>q7g-TW8E
zkRz1_zT<Dt5jL~toG?v}!sTl<>)5MjkM7;Nb?wr*Q>Ts{{%GH>UE4OTTeWK0qIt7s
zjjEQ+lOc(#MygpQE7zf#>^_neW0XCEpjJ7mjIaKc64eZ|6?=a>@jvC2WVt%zkp*i&
z))8f0cf=YY(#~JW73v418LS7>(Ra2I|6|@x=F>qVV{af^0J1_d65ggC{z-@@WJ{9;
zmP0>YK1ckod0LE2)j_4p17ycRRtv)18J8?w#SwBPDF?&V|2=bx_#gCHAlG!rp{s>s
zUI`d$4FT_hbDsLSg_|{la+EL=$$R#s4aEPb??4yOp@ObEj=jqe`>8wftatXJE1vw!
zSKY}4R4IzVWN%aXpRe6~+%{vx|F9oQSExf9-83Bg6k<i?BN!gD;jTxVck|O9{9V&;
ztl?EMR2XRO-~WC3-s>(r>5yGFo1QNI7yeAT8XXWK+lpgLAyzL!WM#^B|GNBzKidp~
z0txbA%z@wUKXkhIpZn|R+Vp55yNY9H5!OBpl1AQO(aqm<831{7HAYzZ%mHJ>|KvYP
z7LVvrLiQQP{E`8de<FhC^gV9<X;`*evTR7-{`jtn_+R}u$U32?pNw5mtRmxUYgxkR
zsTcholL`e?)v}dcG*0{v|2Jgyx~O#7QLHb(8b>%i_l{PXN{DJ8b^O~y74bj)*<_`<
z`01*n*mwBqya}j;7<YNCJgB14Wa|IVmg0Z?>&bF-DW&U%Vwd67w^Rhy>DP2ilT8xo
zkf-tHY2ttX`^Yq1*3eA@u|PMxs!Mo1=Y3hCt10pzYwIN$!Ub>w$W>jUQL=3yR-MuH
zLW1n`hva}}yy3?t3s=BR>3q6i4cRpi8-%XzxnP#qb(I_)G5tCsa{Rcda0%R>E?1vY
zvH%d<0ItHa5o#}JlmbQiX^^q!B1O0bUO-o_kDrX)G3*Ao`h#$LL6a0&`Yo5CYQAs}
ze2}hDAC)c#gatFU-l74Q*druES46LMaS8gj7A}HI>H78Y)75~mTG;B97eV*sGN3@O
z03^IaxC#2nI-zeVU3Ul@3aw&_5OynH$>7(^FTvW0t^zG&RXR1(O^2`_pw(bP?@b3K
z=n3i6BEfaSO>hFpvvrC^$aX;3ZDe)K0AJ!B2~eWXO3=5BbrslwPSpvk$!;K6C<E)y
z$q2v4w@aYvqe-wtxC$Omm!($;Ss;SdMOKvw!S9oxSf4xzc5)ZEfv#AuEHd^0uo1v&
z8bSEX0lI;R9?@R9Lg6m>0^J(DRJxo1wh32VbHp(5G94=Pr~v(9mw_M2!ZE%4bhQBN
zF02YpPawWf0#y%<E<Vd;pqXqH^e&_8iC-BRRyQRSS60#G>*1%%7w&=^fV@bz7P^`E
zRS#CJBpiQ+t~;(nHQi$_14q*Nbc=_{cH-A)RQ1>m$o8bes^ntBbcebO+(oDAh9<Im
z__Y~SMdl$OSK8?EldA{$;8>S|&**aXD<+F}fUgIjss};&7j$ZJ*>t}Mm%&=PM*XtL
zI463AFs9z4VcGR`S;?t%x3~;U0eK(vSLvFgS6NK;E+Jw0u5{(e<<srwGH@VW89{(<
z3VOAKRF+Z%=IK3Toyj%RO>r5xflec+q&tLO!ywgYg7e?V(2-0J$X5!N!KHM5f`K^M
zd-Pg@sLmSk?0LGfWGd*saT!on)721Q6&WW4uU`Sx*OY|kSJC;B$)$VPWndeShawcY
zbmhS77NDv_fPOHYn#{pB*8&VIrdtk5mF`AomzNVy%_BsgL+4B8z?&-s2EL)oBFUxu
z#MzaP;q)zMNK?AVa*{dv#^UT)Aft!QN76*M+SyeHP6eeWOwT1NOXklvc9pQ;LeN)`
zpq~tzIJ$bmshR}pUz0T?bNh|`4hHU}iw@FM(4FPznuew(5~{yW)}2iB8(R$qRJsb#
z`siMCbo~gXP8ebBVKRghi{Upu6${LY(5XZkU9qF<43>JIgkXI!U29@@-rVO{;A+s9
z5>?X0COf#S*H9{^7~%REbjuSv`{tTsfdJh=m?%6%h9ewYp$w&a5wIUjSDM(dH&+n~
zY!3QDP?ypD+rd>5N^Q}QZ9BTc#16l?Tu|U%2~;wbu1;}oRY6jZ+zHt?q03L~;G6SC
z0!p<6HDvj8*v7fl5J-h)BWRyPmy_6mH<n09a8J;8fV?wKcZ+lD6Cl-;uzea`K(5zN
z;8h8-=}=Giw{xoxj+#s0KAtX1uBS*~?yv+|5@gXuW;nJ+z^F@(=$1z3OYGnqyMqLt
zf`rWy_~~%1V{00U3P?%t9wE~bJM_k`0D<Yf5>!IMMhS`>TZ=)Ir2^r5Kbe}?kvDb*
z2;2(^H5ss)4!b(FHh`#M1n@z*j=iy?IAFp$2_hX*XcD~W)Y^%m_8SncMXnQX>^B^6
z4<syvl!X%X&vs}XgHW#%5W?4!WhHjzjctPgn-9qlkRvoehi4sHml0G%euDTSvYf=u
zy|EurfbugW92k%Tc@hk5;mmr7pqdlL|4CMy*yT621_hi383T|sO9GTmcVtBasL2HK
zUy@ZNcI}NV0|8T-r6`o8EiM6aCp)kljGqq}QSL3WRf*kxV+%2W@)2ZgkI91NGC-T)
zyb8rnk30$GmyiV$d+^3)VSrm8r3PtLDe&7k$5meV^erR7{Jmt+#GbveuOPtTF)5;}
z<!O&dfgdJ1t=>UT=8A;#i^<TRP{bP>ivTtYLdpOn&XWV>TR5!Bp{HI1^yksFB$DKQ
zW5WQzhSiWVUds=<j&@d61Wzk9q&tqTDv^8q#(SE7o76$hJjfhvlLYbm(wtP4vC~B-
zLiz*fe2M(|=2{qkn>Rwz3aOyV0(>*oK~)Vpy-P|^znxTv-&{@8Z@V>+v;=ZD%7dEy
zoKrQCQ+R&D`U!N^i5z%y1q{D)`XOtPWGIvecy*dnst$5$OlaRi7U}+9TzPXoM&G#C
zA#D|8uaXIC&s3aI9|EWG1owV2`2MFy{Kg-X$-h-8<js{1`7!}NZ{~<<fSdLh@NOwx
z`TunA%^frN#@#&td5a)_O<XDr-k#}z`Uo~X@F2Xul@6ExyXVi|+<IeAIk6rR4>uYB
zxpD!^&q{YZH9<{583^zXk>FP1e{r7UH$TSI+wNCLt-^@4G0A}CXQw-ynu8{5RYLqJ
zaXLQ!g89lNPJvC$ydB?(K<b8&A)rYIEI&8h(bNhw4I#{5E&;##^Rk;$VgUnBS@bhx
zFNQIP>g5Bf&&zNywZ%-^G|+olhLrlyGVU_ZDTed`7<GBr06@)EQyoj~A=5o~0{!Fp
z_?FCiWw&S6K>qG^hJk7bVDP<z6lYRL#Plr#q5h;08*Plbt?sXeA$>4ztlSs?R@^by
ziPQx!S*j53|G`C4dUI~08}nh%0F2yOYZM^*&G8wIqwaudFaiIKT<jz>e$uheSHiG0
zgNDMo2Ezd8`0%{h&Z3?=iTUZ?g$G~b+g1(v=Ea!kZop+MyiW_mz`->zcx#h^0L1ej
zTA1z}>Z6T(?3>k*{?{%4#87B^?M~4D3lA~r4Yz5F?)bVJ#*P-l@M~HO_0NuvF4#W9
z8T7d(^1g=){oTaV!-1_jVgH#td`;&1qyumIXayKl!C+&X(f&DH{O(PM&362Jp@n?u
z?nM7@vaPVToxneH4GYDMw6sl+xc=RW7<deT#kwE^>u>$z<5wQP?efzO+hg<DQ^qLH
zn?V{#!~{?J2ek>H7MvXY#N8b1C&PU5p65RNY3U#stsdk7HQih!J=DE+)$+eTdiIvH
z57~O6BW8g1VO^7w{^2E<)`Q@G)(`{D&9M#sb>pjlw}9Qcc5qqQ$y1VR{(9xI-N!gw
z`syAh^3p$^AR5tb8Szg%VZ7506Kwn*7d`iT8+fh>g3mS8{H-@!^u`4nI#_z?9S^E$
z^e;vtT1korIH}oa&UeV{PTTCndq1m=f$yp=a5@w)hxJxIe|UyNrJK(2v4e^J%_<D&
z>nL8}xkj5z2KTsw?)jw$%$N6qSuJ830NP(U$bcxF^o_7F?)0yk9s%0@tnmXB)mYbj
zjjcJCelr06O9#MiS-Xh<ct1W3p0v|7EX$MAzub-S{6!IpC%AdPk=)hE$X0f~CpQi=
zEE)pCYb#8J*?OP|nzYh14(FnO+baOiV#<**c)5|rlYu?vh!-1SlG!1!9QK(DGw;cX
zB~7)AyOrqQpTcmSScl9(<sIYfwi{Pz2fxt;vmEw;?W|#wVatL9Nb-?}@xHB*{{6I(
zaOQ47CgJ!Jqg)Cm!+Pwc)iBS-8Zh2aVlvDD9Sk^9PrLX!z=eLsO$_I~$SmBv(-@C(
zl36`=aSKc|rw_dQgC@g#JUNWi(JVs8d(lssk>PwCnTGpx86oN&GO9B!YJ`anYhXX<
zHyi$1A4RHb72$bF=_efvXWv-Hf!M7>zNcl$q)t0+In1<aIn1!6!DN_Mx?xCVjUxWu
z0{U4EuhDFioeabs*UI)+UNWf{6~RnH>Hy3!q=rm}&wD^fd41xW9fiE58O#s(l99N1
zo?QDgkU>57BbaJIBg}JUsmbtVF9a#0OEe!WWL^no=hBm*nE7~Ip7;SaGN;oQ_rOdW
z3t+DPCUfCy2>_&|CZWy|GP?$2*`2IpE-qRl%kjcwP*3?DX4<cYVYbn%CR5>?p7>Ez
zk9aXdNZp*FJiHK@j8py-mElECI~mklR>4H$fi{?NG^@!>_^1PX<k2GjNE31&fwJVP
zWH@g9G1;pLp=44o>V$cQvg%>hQU59v;pG~7WY8fxHWG3tw?J7RG9P#Sp5*zkATp{?
z4#70L)HaxT)W6C+xC46l=n$t1$-6R=udoaVA$E8GRY0o0xK^j6-}?BIS$$><X1Q7$
zfZ0d=jiwQi6FjVB{b5bIZ2OSxgfAJA%I;73dy{$cZSx>9t^XB<NmgaYkP61~@}uU!
zkKC|>Ug-}@gyc@4K=w2{nUu=heb4ONqwl~W{kk?RpWB}d>^=Hmia}pFQpYy6(G++k
zcs$S__K>Xt<9Kov5_Pv|g9#1<3L;1`O9MkDzy+}5iuO>e$TkDWdXuO-aRt~9=VuQh
z747j=^LHFOPHGSD3E3au*m6tOSpw!GCB81CuGQK)=C~qs?9(1@l`R#+_;DW+b@z&~
zwo=RML#kV)E{kz?Lqm?O+QX5ub%L=c*-6yRECt)a?5t*_$X(g~b!>47<XEpgY$)3<
z6icd1vhJPWd9X;WMvA>$T^8eMF>)-`9fFEvj=?C_on+lP{rrTgd|5S7q~u+>YF<;E
zov)6-F-v#I5|Wo;5T8fF?!Uomq$bN(6-J8Rzs%<=@8g7P0mlU0;Un25gV<h&ursBP
zjkXe>wrmKa$JKeN=FcyyZ5?1>6L1XC9iEl#B8FWLAz^nhj6YbDqXw$_FnSGlG*%Yo
zW&3@as;d6N+Ms-2jkwWUceq(H=O_q!U4(>PrP@$EWj?L28KdvenqoD(F)k4o!i^5P
z!&#D*WCVA8NYd`%FleMUTg`9A=)Si^TPw`~+-Rgb93<Hg2pd4+?$-urD^vqDVOWFl
zQeTf8n{cC|?y#j~`w?upCGMp6N)|0u8(}d9v*I#5#*G5H!$i3Z-vDf*gT&okA#+c5
zpc__XWsL+@N7x9_9D0P@IT*ix_9A(Au{=#$aRgRna1|Y=g$<iiZ&)r_C;ZyxO#<)7
zvaHC5rP<g?mj^cJncncHWb5E-k1t8QO>#5_;;=YXx<a^dS#Nk>vX|)fyB|rs8IZBn
z7lq|nMOPd*4(Sa~$>q!7eJFrL-tjVM!>~Z(y<}x^<7d6$2Duu7*B^l-^G=aKg(W&1
zC98}ZOZA4+<(h+CJJONRJCiOC)@T*TOX0?3y<va3u0z*S2T8qi>1r$zA6;(T7^F9B
zCY3`Ja*eb|?43^+v_^t!>C)gvC%s{uR5=;9lRJ>$yD?pfHIfH<Z`^38HFOH8o8wkw
zZIXQF(lrcNAj|VXZ!zLV1+Ae{t|_qfuq27TQ|YjBxy8|5SO6Ix5^fgI8vc;$FlwF7
zL9*{y2@v+xSPcU$bya1Bd4Vj=SJnwhHv&g`t>JyS{6TA;4{5QM<G+O@A|wHTGPSsO
z^fyrHSN-|r_3a@TaUgJ5F*?K3QYB)@e%*|;*Sw8~tvV6G|9$Mq6<^c}MI$Ta01$5s
zXk`PVw1G;$TF@Map$h{CUDFwElByhJoy<#mt5tg9W&Th8`Be!h@~JfIjn$Xt2Yjlk
z`E!da>(_P-kAfPr{EcxK|GN=6e%Be!mZ}e8&G9C!HF(@j{?A_+o*RcOmP^OjK(Kjb
zb$L;KwommJHx7?3VpUr1IxxALkn=m8;Si}-;nk}qq_w6W_nP1E=AtNMXM-glT%M<?
z*_A`7U#wg$>Ib9Up<}Ynu#HqV;Oh50q_g^ue#LLzwLAv~N$cWe#7Iq+uPU6nbp-;Q
z;MJNII{N4gQ)Dtlf>n42i*(j{cQ|FnPjDa*@g7U-4K4R&RYy~=TD3e1cJ~o<Hr5yh
z6`8UzR<8^roi*KJPPvD&A&>+3TJK=KuRVntD)2Rf<%-x*R%56aGB<&$>orMht#Ff5
z^7Fa?L|M)ofOw@^n-WC|0{vk6k%k?aH3q*_lYlB|qAzK!EfP3oyGL8_L)^mNKby3Y
zXo^$n3xe;?gq^k|ec^Md4&c<*Vx+eYaC3@ZW``d$y37DTmv2StvRrKe=XXrtL3j0q
z7o~cOQaj6$<~ol5j!P``A#OGa0Hrz6RHRXD1n<_Ogq}zAg}Y_)VT|7UKIyJK`R_T?
zLLX!6Oao|9gDFNNrv&UTCHVYaU$|JNG7z=DDrv7xTz?ZDgFeKmCISrkt5b+(wGI4#
z_Q8)?`od8%^~5LVFEvSjEfUXv+kWUn`Nd2Cl$WFi@q+vq%&<D)=Ky_SSD99z)0M$l
zNQ1Q><G*imY49O7?J*Z1Z<YD2Q`f*8=MaFl&==;&bPbxKmQ=7viygp!=d)hmL!4$d
z2&uj1*5D7rB+ok`$h+D?G)*F7I4<2=+rghS*@E$ZD;|SB#LH#_1bs2{s>zPQEMFud
z1P#;{nuWw!7?ZCqX`h?)S?eJGy^~6!k8wq&1Jo9oRAoNQGbjsT=u=&xNTx=36!rV$
zCYeaDt;v7)V;1-jb85^7$Zs>D(qfosOgRG4Bf7#5GK~kLLtTp5NWb0wx8us_Lu|a#
zgs`sAY>LWZrlGY6MOW$yZ_2a}icVK2Ew>2&{eOTTVnL$`A+AQvq$wY!`Zf>2=qO#`
z5t-f~(PAIca~J<V;LHU-#B9}sfMw05F{lp1RIer@9Br*DTqBVe<FLCsX}ZDj{}1pq
z{2?-5G$VB7nnX@B%yp#;0cjas;be(Q0Z|{)b(``3hY>#bLx}TxO$g9JCQw%lbG==H
zpftU%uu!7zIP@iHy9@tc;K~R@Y@TICsBYsftVUp}-?|zJOrL8C=S#E{hL&6U&XxZk
zhC>jMc4fB-p=mX5tEynCq0<r(oF3H_*3FjZG74>VkhYtR|9{+xL4=t1UetWhx{|X%
zAI$XoghT|W-)Rc?P#Qxh2p#h$efN|9CnD`2geb%EXq$tMYPP~Iur0mP&Xpi_jIMy=
zWJ$po{K$uZ_c<o8n`;PB%JH9U4SJR__2f0%&U<t65URG(7S>Faq$CEtPff`C8yA<m
zh!8n8IbgOe7$|1xY$V&pujgjfNl3t2Mq9w^lC*-Lusj64EnGa~Dndj_y6yaGOE8?z
z&$nwF*GKwY-npQ6MPH4;)z_sh;7~b6LQoTe-kIR?JGT)cGUWPW@%3n1fk+-Vulzag
zjl8pU;rPC7YnRHKC3PY<Bf;zyeW8AW6sr(u8e#8#66EHTWM>W0RlAV<sZ+r&EAE<Y
z0S0P#dGwXzRP&vU!|P@;5$JBz7qCQ%(*Shb1U_fcsrcuzF0yc%OUa*_(v@pJe(C0e
z=kB};jE=L=+`-B15RN;;PK>VLM$kJ#V~Fh|!yEj0laRpo4!ZpHz)yx*ZYKYyQ{oJH
z%T#O7s#Bj~<7X~fv+cmOk8uRbLwsC~<T&!nuD*pF2!0!C45%DS=U{=Kh<t>;FVd}E
zpGvobYsx?Bl)lV)cfb0>^0>j^XXApI<3j6|k@*b-!8vpWJVckC;kPBh??+_)Sbr|v
zVQwyeJ?X%kKCCtpR3^?^Irjh9)+PzTuoa;*M0O^t06(({e}5sX9HEx(bT^pwPCexI
zKchy8<+E^xWBs!k<s1l#_v;KO$e`+gKBpZ3D32_EgdV!{U1R<^{hUvF41vB{2F`FS
ze?L9HMrb@wYrw5k6T#<g5(3~_GXDs}bXT~_2qDHC{$iT}&@^DU8<toVxVW@|0J*E)
zFtioXM(l|!NC@0Prj39&+4XKSLWr^F<;w@nXz#yq><w98-GMOqJ-q>18qFo_X-f#4
z79&$f8YH{Jg+>Um&j(@I;^oGQe9W=-QfpU&Wj~kRfU9UeLeBz%;He<jM(QMc(49tz
zxsMLYg_XmGI?u5*WN{vX=Bt`R?|cduM&9#|7_=E(V5GHVPrB6zvGG#5pc?5M$IiQ5
zJP4fEXb$*EA;^Y2{>cb~_o6EpX%*Rj+-ro`J0MlG$~ccAV?*@1Vj977FWmv>5mX1B
znBoM&$I?}dR7>`rn~hM;Y?TNrB1ZY<&p&^}+*E|nCA5d&9R0cjPai_zOXwO#sv!H;
z)kcU7evt^OQO@yCA2KB=VYKa)?toAAn}IvqG#I*zu6v|HGR@^iq}?8sCtPccx6wb_
zx6wWX(>t{XoTS@M*m>$nF#J4O2qR~cmATyrv2UX^C^g1K{<$MYdk|2M)E`=>|5LY6
zCoCu7@JD1V3HZoXx!;KCe@la6BRsYKTszYeR9Dv@@YX-|4Ru-)5dTTGJOP!g*9Aw6
z|52I>BV6a7`EexzYyV{Z0hRt4F9zMkgv1qO1ri~{1xJkeOcoT#cb9+S=)sNz*T*%8
zH}3yPUeLMW3`Ol^{seq<Gu&`Q`dhLrm+#(B^ejIC_ACv8=l&!0Fy~uZLgI`#nVLX0
z-R7=1BJCAPkSkk0|Geuw2(g>#5Z2=VL_f@_K~Ovw<XQrSbo;sEi1eQ%Ss`1^PZQFL
zFgvpj!H=E)f%%X#fv|WHT_Ax<y6atX#MCM|kS$j!e%70r2(>Tk5Io@@IDj}OjbL;)
zU2y^pbRW6ph%JJ0tc*$JlVyVw!S*yQA|~(u_YiRWlMonxM^~Fb2VK2ujyNPD1^hBa
zIwhHBAl$C3Met42|D%QBO-u;_W2KF*BY`j-X1nHytL3PXsQ_}0(FnNh;aUU_{(q7(
z-u5Ll-VEf?cmimmJI*~v`ArH`N)(Wz7h(5zdPHQF|Dy=rY}erEEV>m)G(h*Ldyd$&
zPl_yghWe!#K;Yd%kKpr$zt<FQo_P`+KTqdNNTVxu(Gk~5G0-nf4rJV>p;u6n9>LxJ
z-cYm&&qZ*otf0$EsFDtQxag$$WPneaTp1pD5Pa{^Btp{stz~G_n(+7l(AOmt9;W-s
zMMrEkBtw-fy~7ejW+nXYt4Z)-?e821o27)u%CB_2@q|!8ha+8d#N9HWS`t4boJjzl
zTbJP0f9D0(+;qkx<yO!aBXLcFb=$h=Ol*_ECrP0M!HE!zF6a{9lKz!38fw0$BQ#E1
z^cN&llgO3;-4~^~=7<|*=o^qCG9<w$g7B%j1aJQ<UxwO7gvIkN{I~;B<|naQ2B7x#
zt=w|PHA{djDJnr9;DKS)v<a^N7X_ha1>x|dT~2wr4AKUZz&a@atorhW`>s0ekR9h{
zy4#3rWT=orlVCbwxYuiK;$wn8tBo{I+yF?KxBmqXeURM-shf~&zATA$udXi6`r+kU
zPuVRP(TrUs0oKZpEkS+|qaU>iUiD{PfhH<1A@B5qu3hp;*2)l!7)Z(|U&0T598}&0
zX2fMO_+)6Id#a&W7kz>&{mBHN=}oAcx$ur3*1*WwNp*#c^k1K@_&5N{WUiJVUxHT9
zk0BJ#s!_ag|DV-3b3ntKiKl(i2ZQ$yCWTz1F>}J2Vn9YbD8b+mU5*4<V2sY_6Fm2S
zj>62x#00p?311At_yHuJ#{e^LDuZJ-iP0gSPNTa;I6g(Au$CaA2Pk8$NO-FpUknxt
zbqIH|z`QLNiV;6b;G?Ug8w_M^H41+0OcaDNQweX6Dgck|Q5~Q%!I2#-5ObmgYsrSg
zbcKMdv`)bj$dy6%nj_pyeivM-&@(u|1oNga43p79hvih|AP;u{GJm&DVa}ToWI{3!
z+U{KkE_-`*fyM?usSIJnqY|i8D&09k@;f>O->LvIEeUMX?u>v<75cUfv%yJSA<SlR
zy5&@PbW@;gr&ht&F=jo1?f6f@=U|6U(D-2f0>OyC=&+V(4P6~5o26G^><dq@nW%zM
z6?*rrWrRl{m>VU?q8W<QC4sW8a3rP>VeKRhj5ZGIhFnhgOAEhjVYC$>e?d@Q4vq{W
ztexZor^O)5<AlfI7g0r5Pm@Ep4$J)AVC1*~YbN=?X#kY1J)F4f;FqW9;yolPT^B5)
zvsfg+m$3F-aN5{Ig2EUh{4_IsIe-p@B!0R)U{)22R41%G1Dy8NgIMK+_u9})dIz0K
zQb87D0yA2GMCKCK&hO$Ro)7YDPIx$a5liU`NxI0M5Sj;E#UW2!u_j#wrz+?N%Q%V6
zj9yNs>!b*Rd@r0)sRR^aDMnbk7>vd>$T(2U2+u+<Q=(*OASkDsj%TzAg-j)^9ox)E
zEDLfD7cvr;1-ytNIzNG*t^=Tb20|V>gU#jOb07z@hI07eIq2nOIv;^bR~pbNU=VX5
z!rF{FK33F2VlB)@LT2!CK3z3IE?rVU^G${z69{b20h_*INL|s)1@{CmThT=a^{XTM
zp#d75MId(_(WZcl#(c=$72skgcu|66Sf*QinCu!M`Z53#lb67DE_m$HA~0ZiH4lk_
z*hTzE=hv+X<QpKZCjc2mXnO$*eOf1s8P8hB0k;G%_tB}k71ND`w6gf)rUTr3%s`{o
z2jdQBtzcj+csZOdS2sUh6G-!pK_AgM32oDZMhj-=$6@f|{D{#Wf|sdrvRd6#y1bA^
zThPZ)g4?}e<Vd+%6$gi1{=7j$aSrSvD#?c8dim(wFs&!}xN5?i>x{F;m)i?Q2lKS@
zLE|(6FCUU&jb8a=9|+TPVUNhHgtu=QA+)kU(;C2Vw8p3U^DCQr<r@fI?x!o%tD5X8
zsL@5}(VqZUld7vKTg@tMj)VPh+lrDLpQ@@pf7yT(i^0oTbedirWIIu98uGYcM4Uz`
zx{I<@Uw%zDOgUPu#_9Hfm)(sLij&Plwd%klJQD$~5~XX?YT_{Y{NXot6TD2KE7EB-
z$OogES0wJ}MTk2V<h3nG0ZZT5eefch$=2vpM%Mz>=ttOb*#J3{=rp8)>Kl8EUj8PF
z59^anR~FW~pbkr3g4~I8<tb4(dU=fuwfd-Z8DTA>3v|pT%pFgclM>{=v6txOX1W4>
zG&&bpqkWje-ve~U(P^oGFZ{+Xp_gOnvh>Lz`%1X}8Rlq2pgWc>sz%MNzgR5-{ciNK
z6`iWjGO~NXmd%Ygj%cW(gvo%0EUk1+d(W_`gc^%{YF6H|RlSgN8G6Z#kZJlflN|y!
zIs!N%GZO4pNHB7IFxXUGnitU2{IzU_8VY@C_OiA(Bp-`j#A>o^UE&e4<;XSwaEv0{
z{ZyjFI||k8Hg@XOk}wR~6226YmFUt2^3lka3vWDg0-pN~^3Qmg*3QRZzHbc-To}Im
zNLHsy6<r5pqmyu>A_4D71_BT(@dY_pr4<gt(BU@t@-|sempr<v&^8QhY$oKLZ7cxM
zoGPQ`m%;Eq5PW@tEFRTEqss+t1;EA+U+57PMgve>Y@lJ^N-)?9zuZWMHbW$UHadqj
zdJ^_N#sE;26E{e9D_AUyU(Tkh)+3iJT*J08P~)Z%eD+`gXz&}Mt^_>Zu<*+wx<Wmw
z$(|Fo7eyM@LIl3bDjtA}<+6p<2$&p5_;q_azaHIW$H9%R0F6Zizt3}ln6FE!=1OoG
z7Xn~r(y2Q1f_xdeeTg%^B*35T;#>g1EQty`!R87AuxSx8O@|t~Vd(Y_&gf16{23oW
z_K+-U9BjHvBN)+47SJJ&t~t6{H&Mn5M+Dl16D)6$Lj|MD3BneW73rYS6-PIkhBBHE
z1b@c~)|Jbkg3(tQG0e|oD~ymF-pYfF8wL#8A;bwnIdm#G{hToDyJYKh$Rmq1z?*d+
zV^kmzzMT~ems4ef(~}Mm^AuSumRt?lQ^NN-5aTGJaC$Z?2(F^39pL0yP6DwvlVM$Q
zJ!D4#t_sA+2SZ}3K~~VvMbW(qj3!qj6nie+iln+hz7*hWj{(L;0^(C*te`YbkONNp
z5{x~Zt|+N$x}g9^i||EsdL$B;^MWk>3c%?Y3&-qC7f33Xt{KAB!WZ)hi|^)TU7ub<
zO`P;6AUlUnO-iFHig1o_bP<vSjFd-NfvT4ZK3!c1$)?BnNrrH=3|)*OI6iNflh7)C
zn!|iVH6kqAM&?f{k1RrixO(8?vpXJ%y_y+8jy@XLJXe&!Y&ltBQY*-w5X5`G#1`EM
zk>~x*NVHv#;2;<7sXl~ee<!O>s+a5t#?fME@yY>`MA~gbY(UjR1(Ua{5T5;jY;7`K
zAYTk})uBaCLgmfBW1~igfi50ijSnP1yM!!~Of}tLkh47m7T?`rNr>ZDGJ%@p0^soZ
zupol8caWhoiCnrSAV)KR#WX_ZaTgcype0veJm<bX{sd|-qN`6rqbq`P@8Sw`Drgcy
zS@^*)18qqKBL;i5p=}7^+N0@;WJ`*2)>T-sneci1VUOiR4Ti>Kd@yeNk)>UW+6db2
zPNyZ2PZqAB9F2h$g#qfHlMlG|4S!?UIR0cxrHiljfA-P?*POm^h5)!5(PbskO!kOi
zz5uGYKv12w!EQ$!fBN~C-*E3UuYaO;$>d8SIwVh@|NTcUJ#33H!c8}mZdqa-AU}k2
zbP`lFz^Y`G&944CE=z3^HITIO*+pZ78*e*VPhy31i-7J6O!3-?T>qSRe}^2g-o&z`
zs9wB4xb<peXiZ3^8w7M&-H@UW;rGPrn`A&yVm=9CcV`Os-dE@f6Uw7&40QAxq6qc`
zFd@cV6_h|tY`FxN2shtr>C}W;>9QkTS41(BKzvq!&Yw^yO!u8|^*w~HHj#B84>clP
za3Y{ci(=vgy3&LyLBFfJ&uluhBv3$ifuMdfp149VJ|#}JCLtePws84vr}HJC(#^rT
zmUv<aj)`)zXf%;5x;xx{{-!G%Dbh~Y3hVr$;Y1c7dyNdM6InrbsN2sHI^>U#1Nv-O
zN8h1|#{}e8)0HGJ9HpD;_H(KPb+Ppo(S;hp?n5*&8Oe^K%SxaX<Tb+Wcb){u=>kxb
z3;Oc}_KxRZq6m_0OQ$AKNB5!Y554>e_~Y4gH~43qjdrvUOMEaO*?2l%0?X)ba{pQU
zGyJqI;I0yuSVU0XN|v2KA>D!QKegkKG;n9#ffALmEQhQxfo!@>-G4ly<BV5?_mh#t
z4@WHfj;ta9AKf(fA37OltOUFgNMZ|N`BJj_1XQ|o7oeVTMpeM03qYa|nEi*WO`=}m
z0-VeeM+7(^-f$pM9?Tvl8%jVUTkQr!C*p|tg!p-YL}D<znGB(k{A3lbKyBiPT#!dc
zV8jOk^GoQ~jg&_ga0POFA17QU%<lsuPN3N-bPXewlKtcgM1A6fcA%Hhi6XY3*&@2C
zk(QHv><;7>5C?pA1wGn{A{L|B?sUZ?)semK4n)1<fPsYi?NG#IG~1FcZ=@!&f4c-Z
zzKnHW-C@t~HHa93W^?HLBejw}=@LYZV%-SB{ck|TU^E*~r;QXOd&n(FI}pqKy@0Pg
zh!~+$OrFWo=PX<>cb0U?6L~mkNTEc?)RFqg?sf~JRKc;UDgnQB8AFWK3C3jkYjhmF
zblZVbSMI&|@I9LU-{{b<AKyGYwRz5vcGdHzaDWC8lqW=Xi)#>dja5qs`Uhi($+j(F
z-s&AjF5Y|ny_tXRz=tO{&Fow{i3SOcWLYDGLB7~M$Z#eWz4E}m%uWa~!$uj?SMRs%
zd;rJxuNPMisF}eC2IXX>Bdnmi*gc36KZ`Y?g$Vq&K!~|E$2D)$v0Lv(a9kRBZ`-)0
z88jI9o2+ew0Nv3pLX`e<EQzi}=-&iFEV3b5>V{Jfzu`Fh%ibYn+#ujXG7PLwrQ5|#
zhzf+p3Ts1xf3If<Vug)JSasz7&m8xgZ!Tz&UQ>O~&{eIkkZuE4A*vW03#=U}9^fnl
zu_f+vE!l7LOSYw-_Y5xWr1BQi1=f=b@<^Jy5aoFJ(|xZ-@c~O9h;wn8A$P~+cg<{z
z!}fJetL%=TLje#e@1m;_Zo`Sr{A7<ZQT)J@0OD1grDgBF^DEo*$FnLqDY*p_ptEWS
z5`O7AM2-u7s_mW>Pp~(Dh%&@QTE>o>Kd~MR+utpndP@&UAn8NyLqs*d{4`IiQoO;C
z1pL5B;+)iN*1lyu`E*VdXSF7ladDa(5&0~z{1hRB94Q{*dH_)%PD$2m`3u&eKh{=r
zP-*XQvAHV|QJ(YvUii#p6tA!@fT$B^n99s}#QOE?(sD*+b`=w=6qh2>THO10K2J<a
z@eJ+v@k95xAwjc^-&pT{oLk(W#&&1oJ>g!g6<!wdkDY4lNbwIR;)m&RK<0j@&8(08
zrsdZZSY{s&7rPh{kw^Ot&;P$K+qz|<c!~M&!--gCEHmRN>*{CYvMVp~J`bC@8~tyB
zGQB3uS-yGyfn6JB5B;Nd294q^9)J(u4Y4WHgm<jNum0h#xQ=EaM|eo=1Rpq4tnp}n
zp7naj(gI2=a~%igc}WO}h7ZkShoS7+FxK_Ax_YTA@oxs&$9hSi<?vxvY)Cum73=@7
zRmC(_wb8Kg9uuAtE5nC#Kb>pKlPrq&dnHg);y;EP+}K-!bqzg)8h<LS=&~Oyk`e1m
zX)0=?VWZtGJSGlD51ivCGS<J$;(5EZqk0lg8*KR)uL;>)=%MXT<J{>Pi|L2qiImfn
zwZ>W`JST2P4-0-0pW&ZbTqBlbRZQYELoF5F6C0z4D?de=IiW1Lhbn4HNh~!`!&DCn
zj)&kO+U4I%u_T5C_+C3_l{9sgVIunpFN)*A1DE@^5>1a_LH;~Ci8>O8#Eo*f@T8c-
z1s=xyJ07EhS)e0VWK%}sL4!OeJSuJl4`==jmwo{(*w*cNRgtp95I?4SRcHtvBAx#+
zhmP-A#19lxLqd7k0KO^0tD^lLcHq+gRK>?E>L<%-DoCXLSGv!~3Ga$yz{ALYCe?Np
z`AgL`1tiiRjm!0)bm3t!n-e>n_$Qo(hOyw^YG6=5LLA;E(a?2@@U*xYJA^y_f0duI
z1bo=iq<+NQKc(?)B|I+H!wy{h|4F@*CE?4CPRd85FJ3D}|Kc>^b<uVQI}H7MPQ$}l
z9=_}9pn8Ouczckn=ZU$(1LH{SaP)5#f5vk0MRSAd5n{>%%_Ob2PZgdRvm`@@P=~*A
zo@!<3c&ECidW1;ZcS)m8wa+ce6kZvBf(~5dFA6+hDS5u6@)1HPd*1zXOA-wqU%!na
zJT%tD4uk&0VRQ`3$^*I8&w3|redu|YTzdHxm!GuHCS!!xM%yjuaPWU}++>Mq-H=`h
zd3+oW9ex<eI53LkX3Rq0-#yBlj2yT?#)~XJ!zOwE-Vyx(9gc^w6b%~e`dddep@TgA
z(AnWPj;zZFi}`s|!*3f=Z;Zu!yPD?JC|xATVm`Z{M<bdGvl!p)<jtrc&_ewE&Ak}W
zPM`&ZU!3E?r~%Xh1|FU2xyW`CYXP0NjrUkY1JD-Ge747;;8?f?yfW5P5iJH>$lt_M
zQ3=F_jw8Jk(LTh5_^Dosnn5lEH}p{CxDUDTi{hP#Mqn;n>!B!P0_Gar);kfc!d&>&
zLs41K)j!TV5go%^INn21ThR56ha#^>m@Am+orp$aE*$EiC@daxo$aBBmSL`Qy%d$i
zT<3WyqTe9b1)hpNf?OAQDze@Dw{z4FaqZx(C@>Ol)hXVJXb#?5B0Lu7bHlBJycW?f
zXsaW`b5RYn^_uWpY@NeetuwtBQ5URrwD4f;`y6S#COjEW1X}fzycuOpf?1vW2#>~V
zP*&;Y!mDvvkoDmN;obNM!irw62oJ|C@KxuFI|)z6j(gZD{_C0JgxBLCz-sj;*KaC3
zAcw?4D)Y_%oHbu~MgAI2eLp;+ygPYGE&`=qtnHlBK);>53q(a-nqDs{{ho3?0QF_h
zz!J{%`^vVf*y-W2wwW~g&E?+6X-!i49p->nz=^+1&F~vcGz~d1^YI1_zrB>piJh1~
zPE7loOY{SJVzwTxYx=FFiuj3{{l}&LjU_sapqMQOY8if8sWFCP=0~kezo}%qilUfb
zb$0qKCF+KwnEm^@{f?5)6ClMLFx=aF5{-aT%s(EV?KvqV21_vppWoPH63szVK=_R<
zyd~v!!YLs3_J&@PXdR#e1|FQ~A*nQ^0$MIk_l!h)F%?jHm}jKAs0#RgTaQTASy+YW
z%d<Tp(I>bH=(&BI7bLIyzzS$QOYwe01E3X<yO;N)z*pD`u_Y6|9?@iQ1vDJt^(bp1
zx&q#v>FtP?<14hErFc3j3b26h=X*J#tq2Rf*Q9wkstU1yz;@n^tUoXoLidmHYDCRI
z7ErN|S0nokl!fR$>E4W}7t8|w-pHGg-*cRWj^jNU(O94b{AZjOqYSY~3#Hq7Frqn7
z3j>!b-ixv)LM`Bvsh*2y3D`ozLeE9{U0@5*yV5)s(OR?x{4vjCQE|M5)_uGc(a(4b
z!xwlfDhs%PXVbkD(Qd?rpQm{#stUPKvyF!$It01UeUyiydYB8bTNKYk)@jTIyf@A(
z5j8_y$erhv$aWcZp?NQlMARO3VfY-6M2=gq3%J!A5%mCGcuMg^<nsu4;q44BL^J?-
z;hXVZhyucq7qqD!h-eh_LdhHtM8T2J3w4`&AEK|Y7g~4rK9n&Qd!hS4&qFi^d|~K#
z&qLXhz!#zydL5#r=nJ^s>rj3d{K7RJhiEPS!sQ-^iUY9tMc#(!XZ(fux!#7#0x-nR
z@H9lb0T`kudm5^Szz{y(%Mcw#U<e)MWvCtm!|=a63|Xfk7zPjVHepDVvtr8u)8;N*
zvSQ8pP0Oba>D;(dfh3wFqh=Tk{ReoIa4Xnu=Fzt?{LcnmSv#yjPDlA=yNtomx2NX_
zL*72SURe3xk2pQ9qPyIp_8<%^CU}W3<mt2L8~?=SYcr}lNi4@L5QY~#LpW4g`h{cR
z_jNU$WEJ&5VK~$igk#kefgEdptgGoHr+gluu!hOrA2Kco;#eLuJ*|wQz9<YYd3?}H
z?6PtkXxUXplTUt6P*~3xFAv6sS2)hR)81J&(LfZ2!@N7V_j<)~>X#l4k|`h@g+1@p
zA^GGWj&q;Y)ua*)M`0@!PY$`)Msu8ezOYmZiU48Q!GlAxO&oV`PA8FQ916SAbAzGt
zcaF=W#yiNPkSGv#wbzDRmpHD!mQfnfS0L<4Zw+o!V>s>)X`{)auow(>g{OvUuh}+k
z@s>n11A|@Wp&|J;wwZn<B~g}m2zIGw24lA$Y(p($jZ%o_L$G7LGGxBOHg>P86v~kZ
z!1~8|WT^6;ZSK`1GKdxfu+M}iMy;=fZSc#?GAK_n{yNJOgVQRu&0kAMAo>=5g{F96
zNP3ZNbz}nxRKSJ4ei9xS^Sx!;ZS5<6Xf61P?&E=>VHn%=IY#MI%#FS77oHalW7yVj
zFv=eK5qjlhcwTVZ!M1;+N%p*hy!y5fUKf+yVLiCXBzb5H@VZ!dT}*I~_2Fid<arNv
z4P7j}F1lZ4y|~#VcW4*rs@qj~U35Cm`f-a%?o`5DUr!TW7friZPi`?u9oh$;!Z#gt
z+Qrx3^W@7*zy3Y9vZ*U7MZ@)q@VaPN&H8eyN$S)DPZ&N&B(98~z4;zToqzKaZ+(|j
z*P~1SJBOqR&x_g|)|=ZLWR7(NJOPiUC6w&gjdnf!oEsi}{j02+V0&%R-`_61aFX!C
zIGXk6c9X=R58)HOnxvms$KI?*HyI_4brL?IbQ5n8ZCRhLHpm<L2tQ%%zFs2gS#%07
z(d3PF4nHAuzITXBp{!fyXwrsS04U(eG>;Gt*ICC-)ufH>GJ?YU>E0kFvaTH?ZKxfD
z!bcfiAj(+v4G)zz_UjM|pJjS~Nbr{RZeLkLoiP-?9OLyt+sgX4o2>D=gQ4)v7>^Ha
zSP!?CG}Hq`;rp?k9x{aJB5Mmt<MRMS;m2_v9vrT)KDIQHGxRx%!Y|{!JB(w!98+7)
z_&r5Y_%+k3LrIHn;;5=ph6ceX{8#bj;QW$xbVPY66A%ugaECXC!K|ypO3D}-funGm
z7l)+5`ig@K%b1{7IBIC22ZyDsw}bLY7#feG(6+#HLoSQ%;=r5|CL{_+p>mqX2JJZO
z@XuN03rz-6_#@L>LuJ<G{u$&;##kVQ|0<pu&gwJvOCw!qB9g-OUK&cWUVoWFx}<x8
zq(ZxTXgH|b_-QiPLfw%RmQVD|ke7A*gG92$egR404bKc)^c>$#AX(@GD23BJGGwsm
zI=<#9S!frO>e|E`!xYx}7d<6QaTk(;FWn1+!$-Zxm%Zc)ErC+F&kI8x*8kTM$d$~|
zP%65g2ZntDz&8_06&eMl&^X2OLUOYR@SQ|b#r54UrSO91g`q5l_mapIYV~WW*dAUN
z?g;`vOe#|hcYY~_!gOy7X;~N_`$`n5_G>9z=WU^<IPkNS5=A@vYpLFiJS`j(2!4}Q
zo>1{$OW`vw3!c#;!C#BZ6WaT0DID!#p%IH^L>+mO)B0<vstoT6YXyTXouvt_{k0S>
z^{((zG?>R}vLtQvucewNcvVQu0=m*9Noek`rEsTLg_<J5r+p<!lF(mEb<gyuFhNN8
zb0s-KV}C7$B_0({hzVOKn52kj;IE}Zn|e|(1`7)F+2k^W`u<u9uX|F+%HkT(NRuGW
zZ+|T{IKzuV4S``knNxmHyI)J;4lfElg@(;@y`_ig(XXYNGCU~E78~Y(4kpP#^?ogd
z(>*Bc6CLK)z1-!7cJ<d%eh&%{#D_U(lCR95a=(_s9-b4la1mmTT9rd$(9vH@E%lt>
z!@_*1ye2IQ{8}nJ*K0y*abmvJ+(A;%)?Z5DL9YopM2h)sKTkQ4+5AhXwy_=)iij2S
zk7>R#f|mVK3Kw`xs32O*kqgsGh?J2~sz~vcP)EF&W7cGq4m1Nw;Q((5Ek%skx;>w4
zNE8L7KKGW;R?L|BU~#!XW1&=RzNdu7!p3~2k|q-Z!;uuO_mogm;Fzz~HOK=R0Hyx&
zlu%yim>;w-Ndw>eNGdwROF~h>V}8+8lLXWaN#Q&%3Au%j`C=hS;P?wkeeNY8qXb}H
zn_LP|OC;4l&O?Ha6yUHCE;7J&21wx;4+&bZ6kzsiqKO}Uh@@U09atHP6wI45YglkP
zUxy`k(OpTve4(KDS^I!gYg#I2%ko~6zEjuizY)*>Yv<!b-;QimCcVJ5M;b7%NiKR+
z(uJe2FjdR>$&xEc{AQmYTRpaAMp0|FMBvcjE`mo3fYcKym{p+bsym!w|D0OeSIp`q
z6PVvL*2FIK1&*ppwYKiF@iC|LxZMLwS|V00xxjp(fY4D-9EGh@sfm|l<L~-pbvr-#
zDx+**%QP2}v;T>sZcCYzJzwjEp<m9(CtYa)vVr+Yae<@CILe<QO}nN9#&_>%Xcw($
zzkFcpY*%rkwJ<8aK?<ZC@ZKPpygej?WHnquFuy1xZrNi{6i!Zk7UqJ}gjMC_s`65T
zd4apA(Qp{`SgNz}2VnR2;!>4|MNaVR3Zmw714aFs+Dv$05DYu#2Fp}*S5h!9^%OH|
zh@v`_6h=9_2~0ohViT$6NDF>jMa*aih{A%@Wv^^7e!QGSRaRawuk;qO{0SiHv{Yq-
z_rSY*c_w+v6d*C!zov-M1Q7LPin7;gu>ZQBLz<!$GJ|=&kAV5z!BD@aCKnFF41W!k
zrfSFy{!~@G=pzi(rKBL4FTf;kl@O+!gXISEG)Lj0ttcTn$p6`$i^unDT0VF7f~BiA
zY~8j0$f@&JZr*$H^6kgKV2j{ki_~Mb3e${fCQH#4*}+%S3s>HFSP=Z=<oYSS8dfZp
zJEO0c1O3~^#M#R>?ml+Wj<b&gh3t%!WA{}s(+M_Fs*d#FAB{wd#)1K}-{l?i2Dd7o
z#e-t6DQT_>O?!=By6bX)I6a+eoHqn>{UuP6GWkgl=B2KJ<$DVTyg4wrMII-LTYZYP
zoxJN|lmPveT4X#2)4g0kkfNaygdb!VD{24$zMP!fv8X4--KGrH`z|^CL1?<uQi+UD
zV8X9H6r>VINe~YILlY|6Z1h>KOst%QY@}zw7UQ<v4Hpw^l|rPy4^wtEk)vp>3}N2v
zDO7pljJ<oaYk85)HKeII@l3dQoSizPy#<qwuOdekk|X@Gph(duBk$$1CP~P4I~44_
z^}SduNg0$^VcM^Xi&1n{j&O88gFyM*F!9oo?N8lw-c7SGe3ddh0uz6bLyT%DNth2N
z5-0l5#H*wO{@1<Sh(kd_ke4c)2~)oqB1LKEWeNM25hwb|!0V<H{@0Mb<LalnuQ^57
zebC(akgpI$1+21!En|$rlsnP9o2?`MG;!^zw{%@BBPE!#8fL%AE=194X~KLqr6|!{
z^X{PD_+Q_4+rH~IY?KO&3BddpSwd9uP<g_ERYfUNjB)o&j}Vcm<iy)LZSPdzVWfh?
zgeV#=QP?`xC`R<9aTjCKC;#i)ZrgVqc5(`^cQhq%mKUO2{3HtVvBY8&9AVmVM*TuW
zrjnEH=&i-(H=!D-;q?F+ike6jepgh8Xqa(VP1pQyh9S3f)syD;0#e0ALX>t?s&I5q
zO@#cPn0CE%4-sV=c1J(GZ+eFyb*wK#k#B%hVcy~)K-9;yo3Dq6DC@}kI_WR7%cw{p
z9tX)#R9mv}<Lm<DeaEmns*{K)`{+k{sK)HBLMk~$h@wT3g+rT(4|O!`Ug;+y$}#r2
z?&()JNSnR$kr&?i!l%9*^_OoyUHZn051hHncuA(Vrxc0#geccXl7)GplknItn{^gP
zJw>FI+Y+sBFwJN)kA38iUg#Nb`1!dj7G{t=jns0J5Jh>TWD9?Pbb9lgq3x>|Na-jj
z)YPowton+G5)XW?Yj!Zw)>pk(1LDq)&YMlLML5Oa8bTEHlP-Vz>!Z_K<_v9LqhLx$
zp|DPxb+vRCk)iz7X#H}8VK%;{2y(`A?%N|xw@;92{%HwOhGP=vZ-0Ayddu8l?Q0ZF
z<*5Itj#<}FhY?YdK`->m#m1O<r5cCK%@54cXIG@2^@J!&9w>$W_P57pw$2^)N6mt%
zob;Nt&!}6h&xi~aw#Dd@+YF!_^?d}=hu+&=j~`QzeNq%vFiWPt{q51IO|u5IuADoG
zL08fHM%@X$Mnp*mztSOhOP6+H0SuaTT1GMlAQdgAr6_JZ)I(nVU9<nqgDWTYY*Z?f
zho*yQt4a4(#}OGD-_{)uNS1zPISjn&_9+P|St-d+`pM)g3I>bLRor*9WfJUfhrPVG
zbK$5?wF{?q(l4dl1|7TTIU=pf8J+Q{R2dgk!{D9wO-<k!q@?bGdWo{nfBW&zUuU`Q
zkmFgY_P4)1I<;xmpw^XhCo$*@T4&Pb)OSQwY>%#ZN~VLV!C=<|)7Ce&E;Zq)I?43K
z<rq0<g6j??el6+#uKB~QL#rnBYFs+Am!=B}BpY<~bRSWUwPyYBoIKOt1e4tl%@RV4
z`wA)Q1Dh_Q?7wsf34fpAx<k1`W#8Y9cyo2%^6@<ymCoX&*)Cda&<zp*qBQfu^}>s?
zD5tLlpON40xo-th)*70~p*|%2rsBFobrr(jj`X{>fBA%-jmu>5)@)7o1aoe=5D+CE
zAEXanlVp?cF=}3+h3v0F&j;OiXt<L2+mUat?_V*oSCcYX6KFPpW}0(n1cAt7zz03>
zmK4f0{TMw*`sp7TkH(?z74AFQX2tQhquyOVuyRtbhQ(4l#${nq#@q*CAad&X+V(A#
zVf_0TRd>`rHq@YZY?12@IiFT0fBW;T14~DDsFo*@7WdFNV~*X$fyk-n7hCtS1e+FP
zbRCgf^B7wM{Z~$O-67AL3g&M{y}qz*_JF3@jB!ZN3u7*?NDz693bAcp&>gxCqwP!e
zEUjY+D3`eJP?Dz#=dVN0&uNvz7&p*hW3G`{5G9@+Wy`*$Qf`c56#i%Xtop_tAdT(q
zzC)?ssh>Z6KP6k7kS@ZM8zve=Y1UY6*H1*_-^XbE_L^ShGFUps{WMrM#(jsf1*#!t
zzSi9__R$1WZnbz2<=kVley5r6Cr0;C=YN^~`3Ko8twJNheJ(syC`1)8-^d*M!r~0M
z3nD^P{G5%_NGARTYw*>PCH-n=)-XZ|QH8g6;h_pq%80|-Yq5>y8FHV+gtY2+ZBjPH
zL=~1|;Mql8)8m5}ph9-KRbue)&6Kxf)rM`l4<0{z*`|G`u0Hg8|Nh;(w|;(a-n@SG
z>gCH9&!0bgbmi#QWz$FWXjQvRp0o*!@s+5)MHw*<k9E0|%{cZF6Cy*4S2n1CV3Gz4
z^4|D@8aT9(;d(2>;FGOP;~wLe?!NRQm}6(i`#XDP_o|)CJ-!jOv#KL=iP%Qp8FB?h
zg~+kTXPXnyZ;}rd<@<$|9g$%rUH<~B!IUz8wKfB1tUG%9Lk!2Af!DW9?OHX9bG#vH
zWl=`#=M&qC8*<IWg~)wWn2q^Sx5-(sFn?@m<^>A@I(%&vIHWJvZtR*fugx5%`yUut
z#V1}6HHuM2ygs(k7Bg;?$PlI6WLrMcEB$9!oZ+)mfWp%fV82nGQ>Ka?CagdI*21>)
z`G#Iao#Xvbtte$=P8HieFyq#X4N<Avw&Yd4o`&@qwIm%R94|wbGCDJ6sM2}Trc3^8
zqhoF?YLm?nuZJp!t0JBh+w2dGxGSPV#?FDZ;|ZP4g(YfUn-vhI$0fk=qb<)uEhp@F
z5XCw$XhQ?Hcsx`lR22of#4?&}#C;JSq6G8Iw&G5G_8hWCn62CLz=0^2p)!56WJpt`
z*P>JYtSck-wDF0zL&d%;B5ohs3LA0kAwEPoPuhs9b(y;c7V7@2Xz-{ExMcL>maplU
zEw{s2pPEnhNEuIu@&_uSld+AC8F6_;h_w1|Y{J=kj19n2jT~gcg3YB^Gkz4~S+d)_
zV}7iAuMN!_FNd<fQbT5+*w({{t0zQ6E+fNjz%hEf39I#5PACw6$$;BOC58<3$L@Z`
z`uR*vLp&Txd`<~*tJoGCZ^8`_B%;(?<G%fMI1ScobQdT%SBkC~qYU?AoflmUVcq?>
zqjUTla$KQ=cE&c^V8SgDCZaNT<GLM^o7rZ;FfVifg7Mul;F(c_mZtW|9nY<-*FTR;
z6z_(#z7_=(<`Uc5m~cl0icDR<#%&uXw-naw=|ngnUY25blTm<6p$_xUeP_KNzA$5a
z8=`7I)DPE=ZDDQ$?zu=2`7E%+Ws{RS23GB(1URs}6nH1Kb12kj%M%L=qIFl%_%@XN
zrTSSL+vv0b7h@7CqTHwBu9%X{l+~6EpK^o&Q6fcrr<BdB>iE-PESM{N;@MEb{mSRN
zQ*4`Tz;Rl^BCY8st~y1suff7yqrt#pDeyxorloDM_@0$T^m7v}ehq2O0~HTfk8L$f
zxC)|0<o#-#r-oz>fu%bV2Br^7frY77x=vgDSzr&QiC;sMWV7N~9ou|j47iTsMPlD_
zmP(TtTW9TX3ltC^$?<C{<z0XA3l`n5zNYv!M72LCogl|pM%xXzDIz8^ZyRJtP2yTu
zyiui4;4nF`e~RQ-di)g&3-OJ7@odO@VT8irda-T10k=)agjnz+Kc6NxzQyX{ubDw0
zZKWK4q(EA>UI#*0oXt~A@oR_@4!#+wY_4mutepXOQ_zHRS_?OiCw4Qe--j+3AnuU^
z2c<Ykny-G(qP^cOo(&P1veww5X1H1`D{H_7iJA~oUySo|SwfT6SwOrH1m=Y0_&bHs
z@{YX9LVhK2yqo{st7a~1u`9@c<HW)y#NH*W9GcMGu!L)4fcQub9GarI)L8tEh5cFj
z_&7t=4EKm#^w@x_A#ft&=6*&tO=Mb^H58Z}0}hbHr=%dsJMIf-q5oVU9?m*N!!2Uh
z0RwJ=$O*B@w`_#d6L|<0@d*P2C}ncsuoOcpFy;n}e`pn{q#2C{gTVj}$$qFB^T=ee
z=_dp3q}T~@(i$dKhy-W$T17k%0>qV)1e6rQwbn9!mV+^^rI41X&d_z&1Fih0ACJvw
zlivvz*0Q>d+100vcWl{ez=aqEPfUJ3#=<X&+zQJ$rXU1N>X8FSqzWm!9Ef0v*iHHv
ziqCk>|6usho=G901gqXxyGGVZsr`Jr3^>jwdP3|`$id4ADAm>xKXXR_@q#3|N(x{o
zJnlA2#+XuaC&es({>RNnT6@BQ@wW2$(}3gCn-{aEsNYSvh2kgDukSP7EeRX|D|saZ
zY%2+lF*~=qD?hP>{OBujlFyIge>Y-gLNMsZ3OVk?;$9W}Q_5izF5E}_gxL5?!=0SK
zyOt6+MgZ}LBn66@rS5h(k|pIi2U(MNZY2NvKZd#@K^==q`fpuV)(@#0_U7zQO*kGZ
z1B5t!mBDr%Y1*K*6qpDBPLTx1o0YNX#JemrXUQ4mvQEg^a+Y(TQamf_hubGL&u@DZ
zRoICCQA`Su`#fu`^7yN+ESc9JK*nlGiWM{RsK5FP%g)9!X5NpG_qA~jfua$tw4)9$
z=vLPEKQ!Bn<IwU_fT-k?SoDSd`lf8+3IHG;kOU{0PTHPFqgaB5W|uFg1R-<r7LI^y
z_gH~DFRmF>JM91Dch`{P$Q7jxGJu>XnPbi6zsk?j`MC=K>?%uXnyF+Rd6#AB6Hm#a
z+y%*dj&lG6Uto3qVB43?^V|NX;6rTCzgjt}P1$q~f=879c5K=BR}1A6PXGX=RT7+P
z8d{Dq4_KxykSiIlLHgJgwx92QR_#%T7j!G@OSUrS*u1yAJHKIK$8xC*!bT3mqGHFm
zztH?8R7?)_C*G4~S(+(mxyL<b$r_bfrlfxkBVKItIeunEA05pmf8?Wmv$|EuU=lE*
zY?oq1+rP-gGWw!H{hcif&frhWH}NS;*kuw$c^QU`oo?${D;W95JU_CaPt9!3VnxQ@
zVX>g#UksE|+*$q2ipx@!&YM<n$_tjWG3n*WJuqna7&~t|OMq6tlgkEG@DL`VbSHkg
zkA}ZEDW|^sDnF4Y3(jRsD?I%*%iA^5<OCRY=pg%UC<}s?yNg?A(!_|g_TPW9<@D$7
zQF4kms=tS%iM_uqPljT%{8;K*vPhB{t;WHcsdim=76$|N4=d{?Kt##+{9LvFq9)7g
z+{*7DX@K~rJF#OZIp-Zq-%XO_JsA1FHeGX<Jn+BfTMJvJ*F=Z3CSQJ{2-m+@Ag%T)
zzpW$!@YQad7|YE6z%tmHQ;Hl1V;^D5)k$Q*@bjL*rCo)FDA9(WXCD3Kb7{pzRo`5>
zfFJf@!c=b2Czi!KWXP0egRPou!xf8R=`dn<OD~Zjs`36O`Q-f<8ChPhP<<0+1AaTu
zc&3U=zpzA(@s=RB!s!3D-@Hz<gcyCWeL{gDuO&Z6EBeds5-Y%@_-4xo{Jlsql0%i{
zfh?ID%a6<^!}U+I-A1#NXg=OKsjv{0d+`&T*Zyjs#NtAVZx15?fuj_II96Zvjpg$?
z`EeGEe~aDrPLi0w%+|9#Q-}(=&b0hnpEA>5I)%!t35xGzV*mvwDDo-$zVel&bf8go
zC<P2OX4q>!=U7_2)IY755EXgw?|jTke_ftsc2o|vcb8Fs($mu9+Twv)Sk}d5$G+h3
z6k9FFdX^Y(3{5X2<TxhgU-*!P{^m5P#qSF#y+4fuRGyb9&5Wx8u(Bu1j>lN|%MP=G
za#v{9cgpG`ZWbD?2df(dgecebf9zFe`n&h!7Du*GcoRcL0vfKJAj6oGz6`<IzArm+
zScputsjN&D+YX<;?8o0u-+bv}0rF*k9|0j#zpwvD#3&c~yD3<D&vj6CN5kmt_e>{J
z_I)J?>pQL7m=a|HhuKX5#Xsslck9Ji7AGTC<P#4fk0F8o-;Ol&_uI=azSqd0=>Bau
zpzoOt3Fh5f3roDa+&C6IK4>5Lz1MBtfu}54UZ}1K2a)^0Cx7d~)S~qNZk1rn51Sd4
zTonUA=*_M5Q4abf0*m~B+*rcIUv`j{y}|GeS6nP$-l(k!2N5NxJo3QB6Z^NV?vjT7
zf73T9#{8s}gL<0}CgZ=HJ~pXISCzv$|Ds6^jfufAHjh<o(4H48Xx?dH5RZSi5=--M
z>*~8HwoAAG(DD3E32pnI9$4zBWrh-D0=wEdK~0z3V{!9AQ=>?2kY~&szNbw>mG%iE
z016iGG43CePx%8@dwrQP4_uyM+W?C|bideJ?N4Tz^Fd{C@(h=1%xpf@JFP0q=;Q@J
zwBmzzE90=<C&`S%*|^uH@$GSw1<wOnM5#T?_&a0sX)0`g*u}?W#&vWtUv`m}FTwk^
zOwiCLEPKYxP9R2Sq#QH*%`c}ZuSad8Z<@q-mM$Cr^u@?>Y?#cGU$gxAwYy1x(y_$9
z)6}H6iftoKFEKu+Yg-TM$r@~zd|xN94EnIR_>7Wy%r84TtE_pjj~h#jT(VBAKaXrs
zu~*(%?_x33I@48fv=?%Z`Qso@b#<|gG)-dEl9i62l3|LCVpZG8vgq?tVpD?U|M$Tr
zRrR@zbV_1$koiW)qFZ2}R6WAtsCBNJ$ShL;%vZ9ismyL0>AOK%q{Yb85sK)xwM&X`
zWs&q{8F6v>t^_!upHW2}1UosCw3rHVZG<wq-RzMZD_ks;TE`hhr5&rn^BEP?6Sh(_
zX|aGVFhUjGes)O6w0IUwPb3i&?XEK5upS2GRAwv9loq?w6^u|vx5)nR9UQ^3secI}
zDbFf#ql04F2)6QBX>k}`#RyGw$J!nCPWM?nHTTm5WS>&t11@UmGJ7e+C@W5<YZ#%8
z?lhaD@&y)AcX<g%CaYTDb6!g6D|?Bv$%?D!f+KX(U0`bj%yYAl`Y5$%%xBejJE=k%
z(`z%ek`)ioMMoH>TWn|4xW#hnhrD9p9jYAoSsHb8C~W4rvf^d3K8zeCyU)G|{F+78
z;7UR<fEDEXEXwF<yXm5=_=2n{fljg|w#5hcSXhl|Ef6L@6~WKFRZ)fA6mF6fS!Bx+
zXd-*drbxe>1=eAjFf?K{dB~`S=EHW*CMi~s<t9)?_N6^h{~?R43p7!<q$qfj8oJ1S
zswpYD$$SYEll^H&*uP?_b)F^$MOaxjRze@xPkrRXIFPFe<d7BF5E=Hc+&WVef-UMI
zEVlwu*4j_=<-{g*S^`;QEA5AO@37=LMH7ImR&~Lz5~`maVLu;|6MNC+B%qRY+72D#
zS#}*S0P9#~9ychT8*Qj(a^hIJGKu2j>;><IEWVD?eHkrEgF7gnA8e>-qm;Oft|0-9
z4Ex#&*^aUR+gtCgVzv1#vEmuiZ$oifDe(nePXYnD8|{RuPgsJr*3x(B%!-58D4qjh
zM^}^*Ysf-Kuz>Dk`@rg(%rb0fUR}40m1h~X^N=moSw?IO@|HxF(KXlxJ}X#^ednv=
z(nPC|M~+G-U`tJt5vS5sCDKWUIW|GI<1EPDaMN##Sb+{vIa8vx)CL*x44pp_G}4`5
z54`_`McJJOy_O<Mg@mV5ILE`5-Yp}1biRZFbg$Y1-IG|Dov7F5vJyR@a9*&dj!B3a
zVY-@xG`g<I)}QwxmS-#LGv5d`!X?#Br9E{)LR<&(fmlLSbhyLv%XEkZ+Rw>!*-TcX
zhn3BSu%~a!hw-cEN|A76h^}{Ii?7lH7HN+ebXbybRl)^S&0?GCnRLi}8}w>oSVo8Z
zsa9U#d^ZcVgLT+cR;D{uO}<U#FBvjVE{BA<NoW#a`To{j!}~1Onv3bK#9``$v#XhH
zVN(amgaucA-2*AxlE{_;P%oHa$z@v4lI<IBy)}&$>UuTvm|Ybu2`24w>I*fHwHZmS
zkpqa9zVpP*7aX(qW|I}m%--=O%eL!vR+2E4VotAO(pK43>>zf^y!|hD=!2X#NS%`m
z+9gSJxMf9Y;I~hoyz+=G$5>fKraWNrwvxV@!Af<hia7+fwYQ+nI%M&)AN%TuVMHw{
zzjO)5%3i;Cfh85%=LAc*FJ1LivT(H$l|sS1ZC|AjudxT+_iHPR+?Z6ck=DEH@r7wt
zl9i|FgdK@2<WA93vskfCS1%KK?W>G}HSL1$hG6h2Bpq)t8i2M(W?4dxQXS{)f5non
zIgfry7NJ_cI4YOhU|**Zsm$|#3d8tXa!?rn2A0gTc5H>)&pQ^+^6oXGZko-?wVrC(
zF=S&U6{n1gSAxS>yAE|M0K?BsuxPAY&8PnUnx)=eddW9Jz3f*kGfH7&dy7)qd9~oN
z2zr+A0MzVbz1XXb+y0D2-;iWFX)dc*OLC>MWex0XXF=NN4{%w?8KMtoS}HybmOW?r
zcac6y5vgE!utIUay%V;!L5xo90GHL!x10+ge`CueUCRwoECQP|>!NwAVxMZN#C=cz
z?CmHL;c>5m&m5f!_`uqQmPlBaZ3!#}Z`VU9B9#o6P$O;w16Xwji_qL$@YxX836*@H
z{}9U~__KX37KMxGparaESE>-#{$E&qe-WVhbzn3XdRIsJz|fJ_Mxg~UEDfL4bWf@%
zMHA|-Je+%dWEK8Sd^V{EqxsNZWdxxUtP88|4wi^(>YhccYTGIf$FA>LjXxKjO;&=@
zfo6h%HH;u~j78z!<1)*{4~#k|d9<=Qqcj{k_^~Q~AUd0@1g9z}3*(F+INyrMG36zT
z#SL`MWLCD;r0T-d<|V818-g>Y5S$jqNT70ptPIPc+(su0#@94m;~u1LxRa_dHh;=0
z{i5JJ4o(|;K%B=39<dnmZe-!Otgh+F3ipVb(CR*9wSGiw4vKTqR}bp`I!@w?tc3K_
z5?MMvq-Tt;R8C9+6_Ni8tM;`*Gi?<Z4HbaCsg)6wr&$J$-r+1D=hiU|S?RV?4=L7I
zS-DRan*V~)!9vK`w1yF!ZV_1Zuds-`UdLQkJG)hb+vqS>@B>6<L6njHQpnl7ijm56
zOQ7T)7Lv_rbW3qoyAf_m!O;3WEBRI;^9uNEuYjy=EBL@!7C`1DE*6vL=$4&|ha0Md
zGB;V#R}q+b!+aF3gS>-&KB|;aU$d7iD1Ud=DH*J)XOlX}xQms2UV(WUTt-yL?H}X<
zyN&V!zhzmuwN6>UsyEn45hR!y&FbD)T*mitQBeiiYb&{UaCG<nEf$u~=@XwY<-^sL
zfJ4u(tnwYi<!JEOoDC!T+juA$%{j(9SzOMdONO!fU8w-Hnon5i2a>qHz`{Cp2*&JJ
zhdIEeqqhRbSzw-~M@%0SP@qZrWjoG_|DnLtFtFSof^pZW>lnChv}SdSVTt*(qYkOa
zD!82FbDtW+s{gdOY!0KZ%_@h%L;h;ReKktU@G}d|4Rpv-CA2{5X${}8`rjfh*BENJ
zNUa5njcP^QP_4?Stmqw<nh)y_Q-BikH%Pq9M;QU<ipzV(S*aBcg3&ggzdmjl%ovST
zf5l?6HM#Dn$ZEK#v~!yn%@8<LT*{0vT%WIHHG|>464jSeTH79xZ?{ocyF?b8yX%gn
zifEdo)9U&$2sRRz0javGvem58mN?k&Zmh`ntE%er=hVieIC0cvjbPFFwB9fUD595|
zl*@RCVKAStjDwUNMSj(nU)>E;?kmof;JVS4V=2qdmLxi(0;}RY63%5@6yu<Wuxubf
zt*;(tuhKm>$_m`Y(sL)Bu|ye-m2b6PGZ20xVcn9hupj0h>nD49bd~Kai_gdOh3Shj
zx+>e!?`J4HFD^UNRUj2CAzL!4Dt@2kXLCYbQJ$5t#Yd_+kBVR{TqQ0$lEnv8f<m$v
zMpFfzvIN~;S1eLT+)$=fd%<WpR9v<rLvu>dM)u+;D*GK4p%3YbI|^x;JWIQq@vxD&
zY)uzP0b(l19~?bpxXdzil#7mVj!{T&G)d+(Je&bBuefYU*Og;(J%wr|=&v3%1)g9j
zx~z^U#40(H9IO0{A<;uz=FkCUs=ubaH)JlM#-c3Mms{S@6^E3kjFx<UV=;P^j_9J4
zy34RsI~Wr`lDKBdFk*bDtGTwkAls*E<pXSm8jE~tU|CxnlJ7rCa%^Hb`h<>Hrj+)`
zFUP@Q42tIjMl{Hic&s5?EgEEJxw<S0gKjiBvR1Gl9qy<fjwq#I2iaBO3B%$lk@>+G
z>mA6+9pa-m$KM9y_NI-BteGrI7t;^7l@gbbTPe0OFb)-&#|;FaKRYkPL9JREfuVm9
zqvFq4mL9AhKB%R!GRt8=C?jKSkvYa#0D85x28;Mt!0>mBipnGkQwMc}!K{`pORTaF
z85>iG%+#pSfKXP0fqK<eFu2!fDCh<Y(?5)QAt9?}i?^)u-N@khNfR0Ihw*?|Zk0iz
zS`Rqv&KLz*8(5sqk11SVPMP`!Gddn5p}mF!0L5iSD6IvLpNLU#cb2F7=mihev{*`&
zy2to9UTijE0tmFp)}0M54;}@Th!?1K=>=!i^io14UCRhrS8PNs7wFTXQdO-6mzB!s
zC*TST)Pb5#FsdfbAe#)`elSF)5}XU!0BXx5@(qK{#bWfkf<@{aI)S28Qy0mU^#WsL
zfF?MZ4SXP`$`Z>0pIuW&KkZqj?y47FsHR;~$#Fy!gX9qs-76RY0z*<nv%%<MG3w10
zEmUpR3&&MckU=69zQ-^*QFz9#<^)x(5=3*rXj#VS=Q|dv{WYDiOf_*<Y2-G`!Z_JL
zc*J?EpuLtXo(oP75~JSoELLaK2}6`qYgtt36(eO@@ln2F1<h?#DmZ;xjC!p<<f`^M
zp}uljD2II3FjRik#7Atfjuli5(&U2E;t8XlPgt&At`ibjRnrX_q&5D`Sb3a8_!M4{
z8>gu6=VaZcV$>V(P_R0y6X>RDigA%YDfTj2P7)&VBri}2!gXLYdZ-xvPGG_Mqh6S-
znz)$kF?9LCa9L4|l(%?^)##^!(a0HM^qVVQvSLr2P+mFpkvv(>GG0cxijm0pmKBuf
zwtA3}p<~1-cms>p1$2T_xN6!gbsUC8GGLw|Q6B#@E6CNW0DSfyBu2p%S+;Jj6X>vN
zdL?rT-eJfbB}^jySyq}t`V@fARlADO@DIY(7`@O>HF08T<2v2Km{~%cgt%as5vcl<
z^YP0DVl<rHDO_#R3%Qh24Ovs+C4*+DqezLp8yIQQr3_pSUZaRn@dOsGZ|DW>qiPx}
zXA-Pr*gQ;PJ>?xfP_9P-7kOKY(Xsav=_*9i3AA1{9g#6w!%vKx0|ZNmgDcp`(xDbS
zuD&iqjFMZkc<rkfny994ntVyVn~^iWaEZ*DdYR}MPEKQ?{_?S6)O=XJDx(*izbYoq
zBwGxfelT)=Gm4iGbM9+q0oh5#+l)8-<GC4P^jwPN>yCPXW~-)_k|om_#?D<N=9#Cf
z9ONfe0)w}`b<#vJs$L>s&Cm_mRnvT_;xHtV!Lz%d2_fd3`FgF<x|7N>P@C_S^S4yQ
zC_6Y-z}lx9=z?OpEK~B|X86n|ZvWi)xO+Y=>o5-LlZbXn7hmoF;?;*1pSkxmF)HuL
z0`?RA&_*$Rl_#!K%?zJ@n%J#>{1yitf5rt@Tz}`|FTMX=X;`MLBx)dUXV&|VTzc3R
zW5nowlY|vx(haWP)e`&2l5#H?KxdGA9J|Lu)dtCurRb4;(}fjie<fjYCfz^_6;ok3
z;=P<9w6KH_LMXew6_%qu37-_Xm&_AZVR;s@Yv_l(im8PZsra5D^o=Gbgb*7q>6ani
zomiCwedjB}Ivgcq_0<n_O)ZU)ATDzlL}!r1oUtTIhoXc+A-d3h!b;pPV=dMZ9o5oC
z`H}Y_qi7MCA;gYr>3j)Qf&L+3B?ctPSjTjPN2pS|COeFSqZvj0G`S%jqf-;|(REL;
z6zZ{zeM?8sa-|fc$&EB;8AoT3<Xl9TlTa4jOTto|C1kzP6M2;qCz2Ujs~-%cMP$dM
z7+F<9E9m}ZEu0s!g7pNQP)fxlhR-%eQa??0h+?u}B12KSX_kUNOWBTkqMA}_EiWqh
zGnCFC>G=*B`V*)C`3hkv78bLT>Iv<kN*XUKT;?*E7LgzK)72)BOZTC*P)E$lt|zFS
zO4=eRGTdh{_0#0X1$6ld_~~x47P^R8C3S_<M}>4#PL%!1XgY=D=Ye!t321Z&S_@;v
ztU9`ahAE_AO-6K#VK~hpLFUtG38-Z8N!G%0F{_=v@Cj2#oK!xT<}jY#A_<xvCQ~J9
z7uMn)F{{76pm_=@k96=l!hqUWhKN=&ErBeuT8rU|m^Ddfq_?P}(y}4rV+K@9GAXj0
z%%4CGS&_A1MT=QWbOvoxN3|tG%^*h9BP2z0$np~?B>T%+2w^dMyWS|Gj#^0t<9No@
z7INfgva$p!$iB7~a>`jJ^#+|+Mm=RhqN9wdp>A^IW3m+q)RVnyEriHfcXUS`Wi&z}
z6!K$GT}yKG6|&|8){?zoEqKdWZ*_;^nJStt4YW>CjH(qS$>U^w2@H@uY%Nfdm=&r!
zsEaCEE(=^%Gpza>CCTk%@sZ*nztv)RC1$ac?r`~{h_*?B^tTyTr;{YTk_`PL4ANb0
zF+7m7e02wnP(;V%K=mL7*4(n>Y`V20bkm({F<h0ia_SGCFg0{l1{lULvfd?GdMsW2
z2<>#ISq!J;tkU{}=BS~k62RvmL+b!(av)vh2+efISqul{ta>^mjadnO62H8!7+NjK
zrOB>z#UnJ*9d0pfm$TaH5Za)GB89JY1Y_$llBS!}<&IEGcaX&}N6z{~kK|E8>?C%M
z3mIKo$&*=hStC@??PD>tma{tQ5jvuT9EC2$Wk%O9cX=|FP94Edx0A(?Th8jNOUkRD
z7!vuipBY})lSJ(!%Ns$Zn`JRrPsFUQx<tF7fW8Zy*5AzdT2ZE~AgddpkSwfN476Fy
z>aI(uu>$fJH;-)$u<wmBMI{@Kt|!(;)+DUPVPaNKePVj4ex3<imPd@RlS!t&M+R*@
zD#-IJhw5ThZ+$}D)X!~Es~^k|n@y_RL)Wzi7|xB-eP}rZxTLJUI>j|W`CJe)(-g+o
zYa~@qrvp}1h9TiymIIxYvij>38l`-W3R&Wl46;4s%C0g<dc5_pK*}1ZR}zM)o?RkV
z_#K06bRxMjG0w$i)<YR7Yp`CSd8%i<cxj!Y7-iRxWUXMLGtGLS<3iR@-ICU<c$Ns4
zX))t$Hretv6JHApvZIhST({6B#WPd1T=z20?k3rKB@@?M5xy^FtdaU9pW+!SSUwjS
zXp2afotW6!il7-X)@c1g$J9<Qu}brpf%X(hSEYu9jx<Z6fQ&U($5d21<%KG@KO=1=
z`63=<;bmb>?iR7e>lp2((n%sxWq&Zz-qa+_HZ1I5QG6_7P1G^eMCE)Yfo>GVP}`7X
zYz_l|35(KkU&5NAXH0Jt&PjplWo4*+WRx<;GH|L@L2V_hX?li+DV#aNWSGieTZ5#m
zQee3H49mjWDPYaeHOXSsO$SkOSjS*{LX$J%Si>DHtjpXn^3^O|L)+9%5kc}e%3y2F
zOOjT}GT4{G%KSpUnxk*Zs~Zn7N_vCQb`43}-QtGopKoc{Pl;Fa^o{mZ)x07h&iIni
zHX^0G5ziUw7GZ6^;}rd<ud3N6L<PSv+)f~gJFe0|f2LU+G*!BqtaE%K70pBusv630
z``JV0h~2`5S+|j}I{j`6SHpD<tyMHt1*mll<85b>yLTETe4wyCYYA6<^iEMV6X+m3
z+7JfZdnU<~{)<5_5?1IJvQ-DYquo(5OGtFJ84S4Aq9l7KsD^k-SfjH<tEPH~x+s~l
zqN7b?#9c`8cT&Ir@1|QMwvCciE#2c0qF_E41xK62i2K1y0*R>w(mkdKtJG(&U{y}{
z&=v(VhXi*lLvBNo!qdN%D}IfzP`y{lRfY9WPX$v{a7HoY?$_jyP;LxMwC)69sahk%
zs_gnFzj}G2iOq0^+|bk{jrXjV=9AgNYHb-WRHfEGrf}slg@kr6V{TuP$WxymmSXM6
z!h$V-OQuSwf9RWX$tyJd8FO!%WRei`UyG2n-ab`WvH=T3DkmKju3GMEBGa2O*HVCF
z^A_(6kgT|ToUm+b-jS!wn*Q;!s+LwHuss-bN0Ee{aLR|hI+Z`ZZ@RE@1HTcczLWm#
z$%^%jgTQoU&^>3AQ9_8Z$1cemNTPP>)eD66TlJ(c^<MvI4^>Nd64#Clx<RQ)Vk@(E
zKk>?I7hiwFH776JWQ?$gZEfy|Qcv|yX;!SCUBsn5qizGjYo9@{1gV?)XR~S<O2XRO
ziaN^(vO{Mjic#luk8iYM`QarjEvyW>kKHhfDD${yLewGMGn*CbWD?b;76#p@JcQdm
zozII<+w_iagkp(ICMu20jJmxEx~-a9-15_Ey)%au>mm}=`esJmgBo@bQNj5!($jpM
z;~Sw^%;^NBVhp41rz8a6!GrF}PE&Nw99FCwNKAA6VA!op8186sL~<ITZ+s(EOHMIK
z{+3~PI^lTv^~qvWAAK{273)3{QukX7yEhzxj3~#HXF^j)U6VXgwG<N)(?N#a&`bp8
zj(TfjC8nmjW-cq%GbEzgV#eLJ1n7Ys_PE5Q@_HtDq-v=uBm)?CH*1JSL|F&^DJ<pC
zGjmz7-qJ**5##P_FT(ZWlkZ7NiF8czNY&Dq1hjZ0?wE@awA-pLdo3lI4LW8nE7oU5
z0m&H1xI2R2-M9HKNg~n*(yu8ZRZ9mF&qU7|ch4B{jfgVzIw~OD)-m%~vHClShx0|o
z-8V@H<@1fXCLJBoFDW8bOFt4$!&b)KkX!`xR=N4%qS0FYGLIGOHxKcc%D8K-MPTpM
z==%h@Xqs+G5vf|nl5lom;2lJOpT64xsi>cBna_$fETM2zw*b!?4e^L5_sFXvQ4772
zB1*N)Ceh3n%D8*MiD2J)Z{BlxsG?q(&x$oVrD&x3z_|M+2|>SCqwf=hp<Fs8MU-k;
zNrLHmmvJ{VH^G1UZU;o6Bsyh2D^_b3(OAj2YpqT30&|bNDh64M`Xoh^YS~VL*_wfO
z5XBd?-kbMa2Kq$$bOEc@0)mkv40zUR@dk*<tKr6Y0qCwiNg1VDj*(cpKVsay=tS`h
z(|6r3{v6XM3s|+56ANt}<E~#4iienM#8ug6y)H=^rCP3NV(|y#ZfI_bpJ-KDlOXua
z&?O64wbmh_%pHL{*4h+*F>LTnv1gzjNfo799vXzg<0<3rV2amhtNXK4=4q`*7P4w>
zMIxzfV%%M;#cv>@?BgCuJXLf^swma+#z81LGwxn;rg)H!rhDa`ygFndtJWSQlKCQW
z$1f?xlPoafrLg0xKT<`hmM^X%;rX0lH#9fJpY-i;RMN4U^v6P0t;0wlwQUT$mf94*
z@||y@#hd`rovET!OR%>{bZ6XcOYtrPdz}|@9_WuntXij#Ko*F?o!%55)2g&4LBcty
zJ5oifmdIoR;r)tXcQnP<3>$n?zS*QZ7O`qwMB=FJV%VLn#oHjV)!!@K%+VXEqE(9}
zy+Cwk*j;U)_?;z|Cx|w~^u}UVts6-klmCF7ohFL+nQ81Z!KQ=GNFA+QatXu^M%`mh
z6d%;5^LeqRmd;qrs&zk!V{Jy=OKucT)T+H*s41c^Qb#M7;^N@(4t4G(pm?N(zmAh=
z(&>xEtXj{KIL=|veV&x!mxd01B+t0%iqz4{rK&g-vVzWo++>`3wL2xugpsaX%&PUa
zCJYXD7<0pmkcnzlUY8`vyw(-Dlaxyn62^gyxsheaRLwN}t{ihkS1e}L`rIfC>B2E5
zzA724_J%v$Ld-rrkvmDbbR<#KjxgjVHz30`@04&6W`&+u%&OJjNf??j<homv`Rdc|
zumCejN90aYF8xUqeZFAMr)0*K{5o2C>7yf-uxkD0Aq*=Sa)*#H8`%2~*`>LD$epZQ
z#*!$OWyt-CjM@U@ZU`<F^urQXtzn5o!TBlVEV9fRBCGuT=Tb{9-H<z3xy&I^9LtEi
z+C~PhSA+F&B1=-;u#{D6bShEE9E~{3>}2Q$cG%+*SF9$zkSAHWtRhj|!hk!^B7-+e
z*B^rZTP1+>;!;+v)-0lsj{$dzMTW1b*w`!9|4w<R7xE-4mmMUE2LWe{MJ8~<rfWX_
zN6IO^u#}Z+0Z}N)csr1cVJ%Pp4foBqAto#&JlgVK4O?_Vo@C{6j090Thc~^+Fm}q<
zcJ`^SvCA6#;n}TohqkSnH)Y(2L4CV-Y}>q1ooW?J7b}n}Yx<N)6SzBS^rxE1$<;GK
zqGTy@=POvW#5-lnSE^dOX_o=x=dRkk|LmOzmsBuMCoE&-T22(IGTOR2laZ{YtUhSg
zhU0fXn*Xhspm&e2pWeTD`Rwt7ySHgjxp?mMNnACGD{VnJOIB^vzVDbNd#)u&0weT6
z-el!+RTBimEwo8)O@^}}VfM0(d-NMHXvnaUqsNY)IAz*|p}jgZt5dOfo=nNT9msat
zvcBJT#Nyq5B}f3B^uaP#u60Qe8!*@=eoSc5mZf5w;fsHZfPQs#LEdEL^3Wg%+EuWL
z|Bz6lmA}o*gE6SDxGq@6%C$8KVsXaW=<0+W?ZrARJe~mfGU$Q4$;#!8gDC94n%5Nx
zL3)?zvFxl9>v`yb<*ZzLkRYbBK+TIXgd>C7tbc{`A~YS4FIl;KaTSHxjI>XR6PEO<
zIr}Ea^CKO&oR#Zv5=5_Hq`6;^@T66A*bz6tyRHNBB`cR;Z&B#SKzl0>fy#`XHpQU3
zgF0Y2E7z$ch}tWlxtg7TrBA~xE@-#P_T_Ubm&jzIP>gZ*d?o^yxh6dYc2jKM3RbR*
zNfhVf%&Abqm)@=R!@7PpFP~GnSkjAv=`+k6NlzHF*!)OL*UILtVCA}zM6nX1?A8E+
znE~DZM08bbT|TFJ$t4V{P-dQ;kfv2(RRWyLZ|lBg<$8cb(fJ3)xcU*?3>$V2%%!q%
z`JL*egfP@$h>iV-5U2g)U!k0{jr*3B>p2p}IS})>ETPV#3!-3L2-)`hPW4hl9Bv@Y
zg`5OD1N&S7aj$ILx2#-W7=*#Y0x-LS2zy$!es&?atF|q_Q@!*fVXVmby2Oj{XRgWN
z`0apgTgl2bJb^fj#g`!#K~UdTJDlKcl}#()R4>a(98aQ4d<(*%Sq7emZc}aAN>;CV
z#la8?F3&3x7JX;-Gu$@7mKAiWmkT70sTo_Z<|8=jX!v~sXlrB3*06eQDiD>iWq$}k
z(vTiUAzO7DR@ALtzBvj+FKGGBn_y|diFff@AshBRtJl>ekc*IItVPJwR{h&(u$I<#
zm0|^3QzTB|N@9D0r~aSpaU(T1+qGH21Ureu2Uv-yMi4do(919_oNRVkR<N5$AiWq>
zZxtq#YL%V;0;9dLUE5VmLy;(qDn~OCQuY3LQxZVCZnG+~f(>^QiPoU9!I#i#hR;sG
zvqLs(uZr14A~_LKlKNSMSc^`1h|Sj8s;aDFTL{HUM7dv)P^<mJjS0YPhOOGKVxql-
zVn3kl4kP3m(&rQ`8*HO$v5GxTLU|QV++%EnUQ5h+hRNF4ChMq@86p<1(d2m@La<&R
zZ%zhe6>U>JR<eb~A{0!HWG57xX}|?Imdz$vCzVXFNhsVHOJ{l!khRJ#jKE@^Ht8c)
zvinIWQ$a~&GeWbzt#-L^SP0o-+gUZ!S1b}D$=L#gXtNK$hQglMq~@$<^N58BNS65#
zsI@9Bi-KS$ZISJgnh7+B1qGu>TxUYI0Uh=MuywYm4XfFmB$$36a=j#>+q~oNqOZv|
z$nlq=87vxiG33V}0=TxCtK*<oPaD*c6>WLZIDsI^{VW2xLEVo6ullyf>!zyl5{)?k
z^5A_!x`n4aLS02{Pd8SyPe?S|;m7VU0=xEl-zP$@ls3ovuBzD}9Qn}0J;p|WH}td9
zc*|n4IlWoc_7)DO80>gimr!rX+0Vh&2eP%k50y=E;h?+FaXCK$U#}*=BqOcsHm4t}
zTC=NotV52iK?Hs?4?Ksn_ShQ#r^@CoiDxh1m}VycTyok&khRd(3}$7!N<h*8hc{th
zd##nx2y2*)2@F>^{RD)r!iI}*uz#B!PI%SE#*AQfTUA5`z(z6<BBIRwPJye6wk3Up
z!bv3}X<@@%2nrEVkx6%vRW{o)j@50jCL**CHTYrx7$UM&UHTeUdD)cENQHBSgfy2G
zHF%v34H1!V^Iwu6Rj6iDzG8*DN=#@2Z17SW9wMR)y^jH^r({dRVpPrmLCFvU8@$Sn
zh=?fvxSRhU#2s9*_(TE<I%QL)v&yX|D6|+ic!L)vBC;wjdighVugXD0<keua69TQb
zC0XK>P8v~3^cgpJR}d&7BJajOCj5<@t?7TxI{F0wnqo`lvdRt7M1^Vt2Vckui-;(=
z`@z3UQd9b02M&J$e|p-G><LQe8j0%~;NZt)fe{hq9(ncekkF9+uYto}fS>v{WDzUf
z)dJ)F4mdcrF*G8w%Fcb3(&9d#|6sadFQ88m+mSm-?F<wcs*D`$?r%XOB68GUAD5D1
zYtVl--OzC0lhSr9W3^jDWM~$0FfVX`BO(gy^qVWCB-Ww-c)FqCsK;Wm8Tp-xC#}$!
zPCy6m2!uyOl)2}x&XnM6LT@r~Y!v4CKsIv~tKBez&``ox(81?&03;#`>$WTTO}X3C
z8_qZ<5%FBN8HHVn=Q;^)?l9=!NAE%;A`0oeJ?V|~rZ=B^r3>%uuo>%F@vapeYKR>i
z(+DIHQTq13B>bmhTTzNE{tMihX)8*&RnH*dp$XW*u6`CuBBH?7ORxVY?v|#M`u;(%
z)7w`3!m78X_!yRB2lFBaPWrFe+bzBEf7p|eQm$419Mq|6BPz1;O)oxVSO*@wCm1UI
z*BqZLKX~DOG&A2=Re@5rt=%o4lixO2`;<?(L4e4#1w8mlKD6{dIx?iEzoB=Zr!Xg>
zZK%u2_a+Ik!!GdP@G6+;Z<}sZB*qETY=U)4{j3usay$SYoY(<r5oMT}fN&m>O>EBU
zcZeX7^HK0%o@7H>L^)Tu@XZmM;JB)QYKaoLo<<M;!5?Z772O7JmfD0atbj8J6S-eN
z4?dX{YZ28x2X2Pj0-t*dD8eXC<arf6_(5r~MfNU_p-oF$(4Q6XEfVPjx6p%Q8iOsO
zfbp@wrnC(Re6E5v2o)u~haT)6WPvTB?BBX!O<Ef;hE?!Tv7#i8(1UrY7uq5!{X3|!
zIK+J!B9%}b!6KhC@WH=_z%8;GU4=C7DDI!ZN;sovk<&W(;A;ip7LnIy;eh5s+?PFG
z2}K%(i?q@3!7t~`oIZ8(q>1CljvhID=-`20^y}NFSC8&pJ9li~u0`W|wW^daU93Q^
zETMitiYWcGL^!i4?pwl2_zsD9t7!B{!SRnS9^AZq`tTktYUOvJC!)L?(ahvHub@*6
zZ4@#p^9^PG_es~b&+c6(w+%QERXm1ey2g1MSPc&sGs^N3aQ?@H%is4dYM~~wTHQu6
z)#JL-tcdFg8YR92JOAyo?|T)oAQO?#;MX`NXI!^K6=f1Na@htw|Mls{UYQURQP=_}
zit&u&s<0vsHwqgWCZi8CC;wE>4w#4vZ^1A@6t`Q4Rnc`4`Hp7zVdi_|aseiyntvjg
zJ8@hCR>iA@jw<~CAZGWjW?p!SY@HtBmwj=Y?VK{|Cw7$64}qBZNlyn{BJv*-gI?yx
zZEaZ@R}wr*d>Dh6FVw+HL|K=+vCF_X&Ecjx@)bQY3^HR7^VULmiKx`C(4}#l)`gXE
zpeB4o#ovMuC(jANOJp^;0$hs5Wv(C8(HW9~K6^ok`DI@RTq1JxdJbEB<Fdi5j^|4O
z(t1aO5cB@bc!?-zY9eNdGQ?pXK?<pp93U$63WfMlCBQ_K_j}0loZ|30tdNV#0`l69
zLY&;s0!&1eP5_pJaoGZu<S7kE>lz6{%p1}nCbG4=4_D^IWlt26AIZeL&rpaj7e-7(
zexqW*O1C&H6)WTeQh_`+q7X+lhfGA1z)Gb!ter}lEEh;?9}YsyUtp%SU?oi)wn-(m
zkPJjQ9-<KUgG@)TN~9qUd#I9fO9yhE5CcNo7co7;Diwn9<u;PpNj?zexeh|y2QT?D
zR{hEu@sOmXsed>IaZk8Z7_2<SS+$L{MNSZ9IDtX@DO#!rRxWi$jF1(iwF`nE?go~6
zgO!7v5p|>mQL^n2<nDr%rh}EaoM|>v28lsb_X7a2s}5B95v%kmoZV+1g&Cv<c`pMX
zewi03oyICfg7ZD?qiZBP%Ra{+KI;#ZUSgF`SQ9_nMk}QUxlA#`53jReQV?U+hk4s6
zW*7C9A4K_Y!4D6FNu|Kb`Mimz?V^e@gpBR|(Z^LAC4CH5_F-;9ts+V$MTlI71!E7t
z$ODqT04p<?6N}VPfF?<Z63>f)9zN@jk>+8Q4#B<hml8To5;fyC=;5^%MB0i~{OpN|
zN@#*iAu4hXdAJ`$x`<WY;;(`dsx4PYtNjRg5{dvMD+a6F#$S0QlvJ`1nL2)i9X{c}
zM;RHbp1@yi74(KAtlP*C)Zt<Hs61HNn!gSzXq${7O1jVtI*G;LQERLc$>i@h71UqO
z5M|jI137%kfsTe_mF0r{ZCM4Ek~KsrCw)a69*K??W0i0C`;Q7TyUH6P*UpatC#fVj
z+JjY|WN-I~3c5{l*HHB+-0+`X*yuV|xtzQ4RZzi8B@YqhSQ-H~JQf<+60yq3+&vFl
zxV`)#N;K>P)+CokMmZR(9?aa~u!nQXAR@;WH;{(Udjq4YU}b0Cw(GQqLX2{VNGrL+
zf-^iC7<B+E8?!dA5%%yYlE|sYyoH&#oVaK-SeeM#<YL&wQ)Cj6vFeT(jNy&AXem|+
zD~x6S47<3VTq2^R1D`?+SBFJ=u*zD&ciP*qjZ;V`BCXWg2!J{7Kt)%v%5uKa--2!Y
zp5(N5*PHOdeL#^Fi&X+_r7wkjyh~CMQSO<a!6hOCCJJM$`W06hAHzl-EU$<hYVC|h
z7XBI&l>sZSF*W83*vVyO77-=tc@tP%r6Exhu<|fZW50!+Z1s>_M3i~pMJuTAAqx@p
z2P=zN8ut@y<@+SXlm4+k5>mJ=BANwOPUmRCZ?KnF$}u8xufO&ypgc?mh<*es2QxJ3
zZ`jP8q!|$z^Yqx_4<`H-AUXk7w&Q0?7VPFcGVOo0^lg?u5rdD{cFq|%X!OhrF>)_4
zKOTAtR%Ws@EeCdUm`S$%X_9)guABAS>%HSzmQLqLf9<tg>hX_o$d|EdB#oOH1+bmZ
zk+gTOIQC??-U_|Ev|C9p`Uhu7JuZue3V@Xs!R)LO*v~WM-Tyii8L%f%C%xP~wthwf
z{nK7SQg06$sts03nb}|&Z0JUE?|%(xs`X!a>AQ{zxwyD%aZmb}FH1eH0fxGOm0x*T
zumW~;YWer)TJj1#7oYi}H(u-<T`#?Xe#X6W?+*(LjRPz1v$Asw?C4LLD)`Gpr8>_&
z_FfMJUs%++m^=Nv%jF(_jD@}hD@!;zxCgfM9#WECMcPd}@G9Ciy+6BpWb>klHTuaX
zO1?{WDD)dxxr32YhG9?lQxkt~NSwENhtW&--}+>=1rZPT&FNVqn={4Iev*$nK%whk
z<sv?=jKQWZpfdihL&_rcx=&hj>|sz`^y$+2v8_uc*C=*RkbSqkfsic$tQ^XPazE_q
zV3Qj8yRI2aH|;-h?y7Bv&)<3RIV@IKgI?c0y=&F1Q9WDLDw#8-E5(g#WgmYAgfcT&
z-HeI!S72KoBE@U;Op&Ev*;>sy^&357$;Q2>&Yn4S^2G6@M-Cr6uz%m4-Me;f-?nx0
zri~lct(iBjU%Ptc@}>1QQk;BB`aKQ6LFK?oER%<EU%<W|ta|k0bLqz;a8PrwvP!Tx
z^>5hN#Xv-hkbkd2V9-FYqOmZq6gGC4BZwqs1vmu;%>^q<IoN6??CcW+qWM)oTvinH
zGgx_;fj!${YmY>cIx2v_MnPx5$|c4-ybtzvX%y+91d{WBpm4CV$Z%(cVQ)t|qsUYx
zzzZ>uKZDiHjdla<?z4oVo76yjW(ZUSti;9`OL+pe_c$0iuLgJu1o{B1Gzmjzybb%i
zB8<FN1d+iAs5@Bk8EV4!u)ky6P{a_e2zVp{`Vy=xHPVa#Z178jqQ0yOpZf!#m0;yz
z1I@359X<s{3M&Kt902VAE0-8&yVbD8tHDSEb#UJs|C|OZhZ$zyAZ&4qCyew_2izI|
z+y^UL80FYO*yA?{MyDx+zwGG8O2jJhF$TFP3Y&Z;j%-i}+#LM`Gge(K45{1!+q@2r
zoKgvAEbvnZtYjG??ccD?tv)#NL?!SC;HN5BdEW?QKZJdLmvA&#DI5Sl&B4ke2AJi8
zjXoboJXkGO!ajY#%BAvcQwKY}A&z8L4BN2Jc(8Jqbcc4qR!@Q>WfcRLf<E7Xl`Uku
zBm!IgG2v)))vzA=Y{Dw>F><9n1)F^dkPJ`_t^&yC2v%tpQcw62c6&1*nWY+d3G%s)
zRkEd;R{+~R1(0k}4vE=-Pb60PSf*W8!*+i`KzdF&@J!s}%UJa(iH_@s{k{rGUZ{td
z46r8`Sh+?T<%Sq+_%=YIg{uc12YbqamE&Z|cp0{QS|IUe1sM^DdK!Y2oh6z23vBtf
z8jxgH5j+U>bOkF@<ycS&dwx9uX+<UR*a!3s$0|KS%7tyP={q1vYbC)wK+hbkvP_CI
zhhf)eMv@_F;-&-htivilNTA#Y+y0}5By-gSx5YfaVU<_t#=Z~xehVS#c13Z)f;<<n
z${l30vS8zPgOZDif*V1eXISNIs%`6F=jVWu*Q(-}1$gW(tg=7RqAu9^pEM-VqErP}
z2RxY=t8PqlSp>HJCPLE8tSt8co)TCkl1`EKG;IDqkR;VBb-`uvPHn8xAPA>?4ZA-b
zkfeCd3iBtt(+;a>1UuHi?teu%n(PUyOm`8u^95FUU%zt)VEZq}kt7dUZLWknQ?SaT
zdX0Sv4!~wGlIR{Q&g5KZX9ZTdLZ|t;Z~`Vp5ue+vJZGSt?O5d~eGcz{6Yv3nsP}bN
zpRdz_os(E)J3Z3wjl&T*7eqX-unO%9cJ5)7i8{>q5e~uH7~+0`mFNu{)Uo2BN{2{(
zj|MmdE#45~c7_#cW2h6vP_-f{<+5Qo1+Nl<x}0EDx*zHk#VT4d6W)Pya5928A7OP`
z8tK%=DqknDWhoql6#>LyA1l;VNT&l<`EOz;cEdp!<$@oEwX9MTvjCmpSmmiiGM<2=
z@HD}vHj~xr1fVk?tK5;moWI~K9DyH0Sg}6$#W_D=mCHujzZnk0;_%Udm1{Sg^9NQr
zd3_U~jlp3U;(#9YE$Zcx1#|9Um1EX(#7a004-j}3i(&;^2j$q3u*w-ih*?YFK<oz|
z$v?1)-GOp4GFH7zq@A}8PQ*Oe;dF`BY!Q%C8mxSAR~;OQ0S4??%8K?IkkbIHI2N}N
zbarA@8yAXky2~(~p`&=Tvf<$vXPgX^2{{sfV0HV@3*syhVcu%Mq3vds+ZN(%6Jb^p
zaJFNmd(uKUe~K`zfFoV7+TqFw=cx#j0ym83Sn>V@aJ<|S%oD=RfvkF6dGJk6mS7j+
zM$RbZ!?W;B1req`Y-s0L{YD1Do2C+s)dx13vkLAHZ$6V?ZW3y``zxVac62jYf|(8*
zQ&<f*K{u-;n5w9eIa(1NL^r<)FfneRp&e#bTn60S7huj4XjWilyc*l2V*z#yYMfO^
zNm-#y840E|Xq07zJPF#g6JWv|LF1H4df|s`CJHb|2s2BuQvMX#{2;&#0*&Kp>9PfE
zE(kCMFrx@7<_~d=Jwbj6GGfLW)wB!O<YW1D7eQu%2-U<zVNHDjraNZzVCB37)(jS4
zvO$J+Pd&wlp_=dImk%0b6lDcH64l(1Up5eAu2NBty)jKjmS5XJhEs@&;`W%Pz5tU3
zGODtYK4U?evGU6cg3QHgimO7J?efb~$T0XTs-F>!^-O+g0vQEaQM>a2np`ZuCWegh
zs*2|Tn&$G$U4qOz$|@>7o|z-R%!Uk4tFqz&c;=G)QWY}Fv%0=xM>E-2d<}PojG+pP
zo1>Xd^2>gL%sndW2%1?dzjT2N?W4-#a#+TCD!-(LjMS{O*JGJdEWX|+$gHWhl5;?r
z!Sc&g%;=%Ecq)|HBfpf!j2Vh6A^^w)#)~iCO_;G=ad96Y^9hTuTM09-tFG%d9J5t^
zX$=|ys*4-JnBXMw#hL^&Tv>Vl4r4mA_<EHvGl}}*cTmhO`DHX{q*h=nK}?2Z`K2Ie
zWL98_Suo6}EWUm+fJSZw#uG5iZ}Q7(0?ooI?71(3$?KM18lpyN6~^5V%oG-1W4utK
zq!PPi;TP}c^2=#L%^XUM>)@9*EWZwfjTCBZ2Yxvqz+{IFH#NpZ&`U9vUtepmp+&2)
zZ_vv;0cIiL<`*><mjSy3ycS@p1IHsZ#v`#yca~qnT!CYkB75wuQ)zCAQ)fwo1h&5f
zn6(6)6BHSD(4>--@3s7LF#qqJp=n^CDGRXWk)ydPJ8S7q&iUKUI{AhFepq7=uucdt
zeg@>otID{hzNDq7K4jBFGykJgj1W+R1=#U~oGw;XwoOZNDbRk-sjvKR9!-b<yCs-R
z&_OR$85h=zv{W^QZFywjf8Vc=`g@lJ*o%antCZQ-+K_9ZKjxkJ#y@S;wB)L9g9OtN
zJen!9xD5J_mb%vPZBH!xvq!D@qe#*$rRp?lQB=w0cL^{NUf_{Lnej-i$E|S3`RBfK
ztUp^t!F|I5>;^*5JId^dkDjBYtvz!4Gb_iH1C(3V1PLY=d`wqn+)=x6FWPzG`5zp|
zwo+}=S%BS5@L5@%owM{AL;AX-cRsgrTpUwPt%XEOFa`0$;j=R1T3U=p@h*!m26G(#
zBdJmw!vgGK0??W2Y`f-S$WVXG?w1_*uTp6NFC>_f2$EBsaS?6BvqZNgmqOT97FK9q
zumF38AoQ9#TdbiNGBy~y=M~%5s|ID}{ZN207simT>MTA?D{(K@W$~pDw#Ds~SvMA7
zM-zs6M<_EMrHN>%YmM0c%*r<Vv%4a*Ul(Amm_UT)sIw<N+J|%gc5_aDV_V-#k+ov^
zH8dlksBeTa<4!t9(#nH2J}|Q`^m9;R)>#3jJ>lqVb#~s;G8}TYn0E9N>&X^MtUimc
z5iJNveIt|^*VZi(l<mFhW+dy*yP66+EWW%iNKiUUo$b&k44E2^-}jdFY83@mm1WlG
zzxuY$m#{Qhh%)1%I)r<%u1hY5vaUU)z;;S3+nQuFcxJEMX7HTJB~1jUJ=NI~y+KP;
zd*qJiR@T9Vlvin%R}bYQY&Bj{X7L$y1?K|o=bi~--Mn3SeJ`$9`e=l%xnoorkI@j4
zRT;GDp_%oyIfddX<d#;xRV09&q|BcB=mZWqTTVarnRWRn#kHJ;)ms?|VO^f9GVZJi
z_>}9j`c@R{_je|xl_N=5S?Wv}TV9!6uvDKRbE66S-?8qmrL^X-sOsO8V0NV{<2nk@
zt5o-8SHf5f52&oLSV<*fygT8n&u3M(Q^^@JH5|A1HH)M*jl!D9a%#x(v;?({RT&pk
zY+j|hFS`=P;yFQG1-%keF0^weu+{dfvZcz*n5p5oy>D1lKRPI@AuOYQo|csWH&uut
zOUS6eyh?Rnb|s9(wt=eheIlVm?yl=VnA<~<@mQs0%+zrF-Zw15$5d4>7Ei;sH}N3Y
zHC|F=&wLe?SE=sHu7t5TXH-*;+tSJRc5Vc{Iil4VcU4ZtOby5HeZ!(XMNNIe!s+F-
zgudex*+oksd6nwE>`E95xxZ0G*)9nuQyd6>o!_c4uB(KMnHrAY`-Vlnl8S1~qN%wi
zA#fW-woCPRmFm9iN*D|O1_fmumreQ+1RL+EF)prbjF}sb-}{CoVYsJys>!11b`685
zx*}VqV!TRqUv@Q&rD8kv^s8v{#DhRsJFUhNGAR{f=7!_<zF`S@Mmd#Z$uu-O!Ej+U
z#^Y3pYtgRDu7<I+OsATD7EPKG5N}gsPrTKKce#EW9$Hv#j#Ny=STbEoNSrA~iE%rn
z;ah$9&Q~l$pKEIAJIUmuHx$uAHFjK4Xz3eFIP{U_X$hs2$0?aKA}mfCs>Ha0axmp+
zIqP%~OV(vdX(0=y2Q@IFDQax3N^maNaq*RKma*Sm6jJ7R!6Ym#p>fg(C6<&`4S1I7
zz2<HV%iAUjX$lLb0|<{7Dls1ak6+@-L$*F+*?UMG1xE=ccN_pItyzgZ_4(&cOI>H|
zzIQBzEy<M8NR~^jMF^4CDlu;VkDMu6vuVczSt9pWMgHM}$pV7pY*r<9;-9u875lBZ
z8OgHwo~DRCXSvkh3zKN465|U0m^tNbJ>%FXmehIGkoSGTqyd3)K{dASA22OdjiH+#
znptMgRzsaxF5RP{5*<@w$=UwVaxKzv{@Eaw-(MV5kaa;W2~I(<Tvmzkgny_s-)cj)
zJh8AWuc?A+vs~JZa9O*g#Gd*5<7CRwV%o7UEZ4WIpzU(WMFTKVO(n)1{z>vG)pNy-
zNS5$XKI*3si>1-o37NIKO6;`tkC2wO&gfmQSl)M0KMUoOF@()cl^DPOPmfdnc5}~u
zXUTtA`GmxZC6AoI$@D^rZTJT#amD`Y@5itb%%XaRuvl7x(7B@$OV0jJj4^ZLi3j~z
zAx=;{j{9QCB7$cpe-*}G{=?!{w9DelVXPYc3~HwpOQr9<@QL~=vFE=3lxQic58L+C
z%4)K_+Bqhc)FFU&4^&~?=^qe>TrFpu2w;`DM(I>wsdNWH^e83vr}dA9cbQ(RZbh;3
z40TsI8>Eu&z8K{bqQbcHKNSfo4BqyNRcUL5lhY}cbR>|Tro_Jg2g1Ajz^yM>sh&_c
zQ&}iIYd|UANEPPH@sEOM*#VoMvwF3rQZ@k*LP=y6g6Tynj3@n5;8CXErl+iGhbx=j
zER+r>oK9y}Vd1{1Klf67Haxbn%6)Dr8rxq&$xTO~qV+0_yQJ#eO7vd$$ja)ss-mgS
zGHG~LLh2k!?09O;wRq394=k*RS1OvlLP>YR>fI`g-${MB6z#G4zJ*nCOgbe~oMqC(
z8dw!pVvAB$&V{?Jx@%_j+(pSOkx2r539XN-u*iT^l2f5BD{jZIqCTu*(#Oao^$4!Z
zsW9%E`f)7KdD*RKR@#LWOdl3WR}x-pS5#Q;sKzmW$E7!-S$$7ZFV;no<fR8-QEe55
zT}CMmc{?n=9>t3My-~STW{K2Nj1b#!UxmFi`Y`2gzvyZtEA^_%WsOKOjxf8q3hS9T
znlR;RyWnyJtM_fHB`iTAx#j>`rk4r~*NhU3Ia<%V6wZo1%15ybW`Q&;Gof~86;_*`
z@)@(WnsXtHm3|MkV!I)cbSBt#{-D5cVk&3I(qh)R5LW-U)Jh!|NcU^FMg3KnmZBN5
zG@EfIm{BmVQu#?B`I3}?+x?pY!=5RZDOa1h=R+6@=c<%!PJyHrLHB4C_F*dJRG{PH
zs}YQcfsP7g49lZS3A=ql6<BnBYUEn1`^wufjEW7^iQ|Dh^2{B)XodpA(<zTvnZD~E
zS{ND+s*{gc9F53J=$$-Dfpt$#VVsKg+xnaV(vn=6?373TApBmYz;JzvlC<u$3z3YH
zgH=ghw>Yv!1F(!11-3Fh<uK;%vhD>#<r7VjOlE2Ho+}~v76pb=Qwp!jV~zzgUKUUz
z-p{0wkSqk@c~n>+W$<pc<i3?LbCw!u!P01B0`Y?i3=30&RNarqFm8S@Dv|Bd$UH*v
zk}B*|)6;T|xWV9AQH5l73L{q?VT{fzu-F1qGnSt9lJRr33K_t%=+`ua<JA=yo-;2)
z)ztwEp}{T+<g74KjeuOcqriHnnw0Y&j~GT9sgF`Di%ujcZ=%3(vnhEE|HMGLM}5qc
zMNXNp%=lb^t;#STt-%L|(r6#m;dm;Fd`w1Q-cf<!4AV)qm(jG7>Zs3>sHF^{xs$&F
z%Tr9I_;-fWbE;#bC^DGvyq^NY{^n9HlmRu3+6YdNMD`m1&Hbwa`_fd(MlhldQ5&DK
zAo|9K5PggSi*0Hm&H$)DSHG_qQtzvc!-7aeL4x#zq3R1yn#d>y)!Zs0KMSJG2-IgP
zu;6&p@QFZ`sVZZFATp6qJw>$o!lkBBk5TolL0#DH$RT?Sutv)jSgB$b^I(O`sEcYW
zhTiiaT+d`tUpUY#ZsN)^b+KFw2}n!GzEy#JW)_ceCCEutc)yZDVoDRV=T%_Q`A#pc
zt|~rcDYOHD`yus(#~fd)RK+qWWG<n5DFwD}oH<+smTwMf!VxZn95cZiT~J@R&>R*6
z3s+GSwO9symVofRh5{>6OraaHELRhYWRUM!3E;K6>I?gsLP=x^G^q&N6A{Exg&@AE
z0{hq$TqA&mE2xMnEQ0nWj5obdUy%*XfDR(d5*0C51X-nl9CcD(c-R!WBFh(}dayl^
zKrT2D$~%2fUu|Q}AT_dZS@lqX1yH{vg!BE?7tS*Sx{WLg)WZw`BrGohy~j88m2V2Y
zkmaLMHCVUh4|5HI`myQ@`<Q`GB(QKP)li1z&klt33B%Oa2WCL)k!7xG_)7j5Lufx+
zeTC<mL1|=pZ%_-?HSuGG26ri=l@}f`1MLa0a51$|jHS<m4utnB)K}{m6QKUcGD|HC
zls>Mz6X0jIDleRE28pAA<*lX^_6i>_k`Ux?Q(rk|KwE)@3#$bG1lc1XBVm3%^@Tmn
zpaQZ?QwjB1^b9XTsDD^}y=Ml7m%#E`QwZ}!4@*sg{nF|yw1ElG5Mbc~3gMdQ(UEXp
zyQsWyuNfqX0+z|@ATLXv;|Td{s;}lu6QB*i@?28}y(EuS8uV#*l^4!1gW|x#d6mI0
zg2!P8!v1FJE6WVDyTCF*6?jL>9XH$w{7o;F7j`oN>I^JTHAPUJ#m-kr3I02)ueZ&>
zJs4Lwry`glb_8Z7{CEDKyoP6)0L=%MF^b@<)Dcpc;sf?mUbxE)vIEOQHIRjc&hXL{
zFVO9a@@mR30XmH<oLvcY6gr}-P&~mw$_uBOL1SPUsRUNb9OilyU(n;L^7`8h96#d9
zT_tc^<gm7&_=Cfh7q&M68iy;KSpj5ck+UPkBlHSVUN4zJ24ESc09uJ0eJEbx80FPF
z*#xv8T)CwH=1UwSD1KprVAX}IO@L103a6KUe+nE^w0H(IL3vduCNKwB`b)n+m%On+
zqxgmiLsb_JHi5ptazXmlWpQ)0f#M%dRbHQ(z#?F=CX;;=#Eq>+iiemaPIX1*v6tX0
zuyAMD_q(*Q-;v@a&Qe`?fV-3@8Cj1=KCf6|<D@giPt2O2x|%at)7pGzXpQ!gd*xWx
zyy#Bx73ZrioW_`M=QE71&E?(zS>vWR#aqmgsJi}QO3OO<G6U>(xwlEwc$kRdF@CMO
zusu6k%DUqZeP)aeb&+}2GfCr-FU4ofovgZE;zUbXXZ)ehjI_06UO^T#?<Jx5jmuP5
z?_?gdly$}(`pj^<TIRJ8G;SxNc#ip;iVIg8PD@#5+`-R`xq&8$H&xEK;Y0BrSE;TF
z#Yo9(k3IN_k++=0+bw2X@uv8Xg<OgY2N@)JtuY5aGW^bycu%E_3!W4oa;@t6RK8?2
zNALf@82na~c3D}-JnK&JB8$2eS7e?{No$PS>(5ABP}<cOGETZtJjw4B7w(rNN%fI?
z-ZLCel6E6xjH50TU$Ug?YR)7}Ty@0mcZ|u8rQP=;#sO!FKe<V9;WPp*ZJklO-ZC<0
zm37x8j6F^ikMdpB^_M>5_q_B!+INQMp^`4pEnsYSpm>#A6&JQoX6{jUd{h~QGy0mO
ztHko<W)sD)ET_6&8folK=RNaV8ywXs<y;^6Vx5WNTkcd`y_3`C|Ld9;ey)$fdEG<K
zEfX(R87bc7`-%&VgK%u0l5?k|i=_sNhxx1Ga&ns!$~arRa4}z__?T5;3AdGTIa#(G
ztx^2U1F&STjH@YHSi4eu&04S|!cD^UkSwAbQM^s-2rA(Q5^jcI5mJHTaefF(Hb}V5
za>bVd6ra;Nfl9tR%C}2m#hc6&zq27K;VRP27B5xYPfqbXtuv@(iFC`!Lgo1c6z{VM
zD*0%TZ8e38eJ&LL({>(|aB<nzL#9}5qWGXKP|0N3HbbPCs!_a9+htI4N49O2DEd=;
z(YBz3lS{Ts@`SlH#T&I>110U{niVfjgx8>Wq#Z!X4!IV_(qvF^icjjeiAjDqNVSsE
z#QU5SzqBhR;nGs=17YHJ3W{gybr+LNmTH}3i9;R~@3bc-xg*tvixP`X6#vxc0VLt%
zGHsqDF+ijEsGnhy_A>1UIU=GV#ZUEp3`w@jw8LUVKrxE1`UNEUZjxv>rHH2)DBi07
zGep9r<e3#KM4a=Xc&vjV$s~Ce#4_YYCyLLS?gb*bEzb(e5aTt9-#P-3aB^u@LxPBD
zPw`!YA`nSyY1USN_)(GKzm7#DGo@KS`N1zI#e)rw1SChK*=X_MhA+j7od`(YNwaCv
z!#+2P9~&BtM>wr4`&xLIZzofB3LqIT%hrkx?*3%XW{kxn{w7JbMRJI1LMH7DJi@gl
z*?z&{SvfLlv&7?(-IDCI+;Ali8MbrrNOVFuc3o`vJ(x_}Yzc6LyU4L8Qo|~5GH(~+
zk&ALHMrasok%5~t365|E8D?jZF{uNYxl8cKC>fSsWO!AB4Bb4*aOAlr!E#Crw~Lao
z`z;*dq7tmAz;HMdnY#sCaActbD<Lm@?M)`{YB&<;D8EWc3rRi5>@Dm@BV1X2l@=DB
zRw2`O0~}c_zuuJ<PURruw*(ydV31yAMTOOVWB~t!M!2Z-Dkmto23TYQmxd!#q*r-4
zA)+oB!duYDQ%!bN6caAyCsX)6G{V_sS0yQ7Q#vw-ccPJDva7O?Fvdm(@%w1xy6mbd
zB1C^oX7O)egi}eb>Jq|@Vq_RsLnA#TR}BGSR|px$2f@fm$yG}}m}V#QxHcFu`^c>-
z(m{M%GLfxgScF^4tun&Fy)tAb*9RlJ<yH~dU{6Lel&w=(B-~YM<&+HE<LqQCH^w4d
zS88Pt48rS@!EBwwB5S0UpImS>2N})HvB+1G%(BFSSzcr|+b%&7E-$kvRwjsSM#gg+
zEHYneg^L8|3Xu71{|kz|)@0T_iD0=Ona~}e2xpgBSLK1Y&SXYAZbFfPGV6>uaJ?j%
z(p{m*S($ZM8u%fIjA^gCNW`2#V(pOylKNR>Q1?P2+(cq+6b0^<C!^ZuAre_9vF1wx
z+d|2({v3$}80FPyIlwv8My9pj6ClDx<y8+c;89gFum>WM3G%9m6!2>%GO+`m1CiVE
zs*()g9&0Bvdl(Sm6w<1I2=J^nnc9Ibfk;Pb6(j*1%tq$+XdtpjT3HGBZ;FEq?)0y5
zNSL#%qWkDCq9K{x6L1JukyfX{-|^gJc!x&gka^N-C-$4;O~&^W9P(0=RjZI+WOFjW
zGseOY&MK>>1HZEc$OxZ_Lk7sI&vD;kUoyk9#KVx&vZ^8Ki}{31*hzbw`^XphjRSSx
z-7=Xkng>H-yd+go(092gnXSs)L#}$^*Cr&|d1o41Ih`nk8%ZiZ%=e8y8LJsv9e?}V
zIbG26%L!c3dKj`sQqd#8_p%8YsS|fU_mM9uLLkhW&((V{<cmR49mae6vXfz|%su3)
z7k*s@2|G_@iVmR=E+VN`p}pi`b}~oD?r_T8@8xwv;upv9^f3$>C#lAQy&L7o2vz1B
zbj6Y%>SB<;bPty7H&Dn;N!1?ftqdg7bIkT9-}P>87Ytl}$9#V1GZezUa;g&2i)=#%
zr?SC;mp}VMZ4?Z~)yt-F6A*zy{*Y5yfZoMCWM+=p?&Le)$>{{Ep)XHPV}&N8klk|1
zibZ*rF(xuCmDvYe_RRMyqTu<HajaxZ0wJMJQi?8uJin3@pE7gXlkRvYyA!+zW^+Q{
zfe@}Fr?z0ct=<$*a_r7$Kl*h|6sB0W4JV~h$Q(H}8R3Pt)hPa>W6mZIe_0)cnXaD2
z2>lL1UT9LPHNd-`iQ+dpWNSEj`=c1P!M~(2(g1{T7AaK}-dU$OQoKb|mii;N+>d74
zeJ>-nt01JGlyby_yAKs8UZOEm-Qk<=MzO7rE#iZEfRK|?icVp>y@@Ekp&>)<p&M>T
zuug2-kPp9b3=-ohrIsVRh^`vNBQ&I|Ie6X8aMqV<8XGhVgKz^W)eqR+%uewHO_}Qq
zS$i#%b?Fs6<ZQqECWFw`QmQ(viy7@e`0tvp`S=|Vqglsx%{5x4Is?DE#X$74K}Ln3
zx(5Xa`xBPzIP36hE9>8njN|)mr<r@7G8`==qv#%_vrcs;)Ynp1>9h3Q7uL^57{JQi
zXvBugPR68Tq|`P<_o4(LzC*V9!#CUrWxZWLUM4GZ?f%RDh+<@VT}n*?bPL=F?A;5t
znzZY24D0mABuQVn=Ysv=3{aEFsFrZ<ZAAilucGZ|9D2k0KC%OqUzv{6civ~1+FnNG
zM{}#Z2;+T9cA9hSJqw{fO*gM%ttS3_-NjgSr;M_mLAg)03Es6NWxFjn^@&CDZXIlS
zKN_*_LJ}j^U`Gi>n~>bLM1<^G@`}BdoC{>}j31wfmE*&KD^A2PaIGMt2H?1_O$gPs
z)K&Yfxb&Tcb?CD*=5D@QjVAq<9(~R5b(V}O591E_5}+H>)flwqS_uC_{h5sNio<Zh
z?KQ%3Ep5#q>u-khuh%n4DB1_%PNg9rPh7s&vdh8ztM)!J>Pr9@-qS!B?q1}NIVV2z
zuicN!s1Nbm$xMXb-X)q%-1mxq1t0App@LlC?Mq9Ipxc(O@u&@#lKI#1^(7RY!*0ub
z2)8rW{$lxw7)J9eWz<6C_Mik|wqLnV=k0sWnEs<dLbbtd;X@n=uQPoxWZh*KBm4Xk
zDhF&kl#a04UbxldosSvc50_AM6|;S8q!CX0SLpf8AF&MbFUY9bh|Rjdi$FR{z2O_L
zx)|wO5=f}JfbDi+0%)%ipUl|%i~)aR3FQ-u)<XN42%JM|^#AtHL`MCqB@}H1YkN}@
zFxv{W_;Tw##{M4-5~?>;dsmlGIiO<CZ;nN?1ei}k<pFAzIUWSaR*puaez@*tF>ttq
zqN_0NW<f$@@6w&-?0d<=-~|~q8>EHyF%c4HtTSl!g=CfpEeRx4U5vIj6``=LV9T#|
zJYvDHv4rx81!&>z2!j2}eY)sqG)sr8B@}JNXHRkx{D##Ty!MilMZ}K=3Dp~(ZFDE(
zwH0VFY5PN#6!S@_Y;J58*-0bR^)1_d;gM(-7l%nGIsna{=OxGut37DVMJLOQ=VerH
zWVX$d(AJi}`Ip-su;gg=mQa~ouq?WVMo8;hrt5;kQ7k_;l2G(3Dtl9iU^YXofvYbh
zvk<vTMs){e`+W#ut$fWUZoSW<<OfYcg(f31^FRZkt52D(^AAO`K$%xU(GEcNv?xJq
zXw3oNolj<|a;S{z2*<3mTnJTd`I}DIa*t)pb22J@A{cvFiXb(lTHmFA#IS&A_Lfle
z3l>}GPH5^?qTSRT4_MA@D5KgUF~16gq*nHNL)V;7VqtToj7k@a!<KsziUySLK7ap9
z7CAp?5{g!$F#l?Vptb_d#&5deX2CP7jCvn~Sr>Q_dS<B6Z`p}h7C*bnDC;5uyIX{S
z)4On^0pI-gh=tItGKxOOUtt3r2r}(?KkPei*G(sjqMtPx6%voW4x}Nh^vPYZ>1UHx
z?7EW3B58IRMc-ks4-GUzNL$8|b=wb~x%StKFIYJ3E~P3XFYA0S!bjhl6OSaZn7Um`
zS(jm#b!!g7#|+~mSX2!#$SCTMy0+&ee6$9~u(X;}N`)psu0y#AAZ_zmUhOHRXbs?c
zTUR55oW=s{PB~Q-ZpBP>BZ$nAAhCQkNGa<g*m{(QKyo3Ata+pqb;4RpTnQ!rl39Ao
zDes3s>sx(-NqdsavPVwQAe?nJ72#xVmRY|U<Wx{3$TE*K5>OTrS~#DaqNy0`O>u(C
z0I8*~q{^0ru(o;=SiTlo_DL#Qfv-Z_X@r)Sg_iF|NmUeH-ONmQxlU-|0+Nchf~)C{
z1el$rmI1P=3bguEnIJQ})N(*pS$_bl14#%puLvza43dhPz^c%m8lmPqp@p-^D(e)e
z+LVHD^L?qMm8_z=km_C;LQd<d&@xY2S^M$Sr!FSK&LKj}Wobq4qp6Tl?u4FMoH9$K
zgS4WpSZY}k0?@583+I<trI6IC@&utD2`!!F6|IL+*12wkp|*=M%L<8AzzL$Bl_VH#
zEwkK}ShNH}S!TErj@thcSuD;HD@Ou=dR&yCw1ddP*(Dauf=}kj&V;3on<7gsnHBaL
zJUuByaN12|=_|A7bL_OhmGIR2p2V_HYB|mWr;k+$QhQ4*N2L~3#Z5aC5vKY+N^1bE
z1x+DsHA2<?@=9b5$(1b{GF?bdxa$8*T8XGkvU@OKiWz1kWE~=`gjXQx?R5n%JuX1l
zn(l?D^07Ec@H%K|zAK^YC`sjN3X<YKLZuH?2wwxA$|<XyNsi}=1xh;-62f+uQewJm
zB+Ey_q~JChL9G3pj1o|W<hjo^kaRvBp=>P?<yLBv>9rwJ^bjNA>=prKjVsCZ^#JKn
zK0?|;$<j$^E0XP5BjM3p7sA>(!pW`7B;P*=M;|H^+J?LoO=dfhgtwo8M%xn--hM8a
z1lA%sU*3(2f?I0@xL$vWC1+BQtp5fUol8rY+ej#}j53n6&lHP^q6ZrZbgf@Sl6R#^
z=Ffyg5AzZ3mUM|DA-9$%B&nYz9uUoTCgfcrhlJkVHnCmFq#8;8xp3%xMZ(_9QSwLV
zo$Zs`mrACQD$JGyhPL_;`VJF3!tU;z@<-|98mY!>Q0PZXjo{b!j=&Ldf7jFwWm9OR
zC=Vi`vuOx{TS^)c4|Y%MST3c3l&0+{4vHRRBnY++OBj(4_e}3xK9zwKsBIa;;79og
zh0D4ni>OC?XLhNO+Ca)Q(-wxo^IZsszZNN?AMc;lwPIQ$Db|mkF$(@zjgUArT$G4;
zdSG_9%IS=xV$&^U7`!_%VR083BIen_Io+$IH<7x1|0bj0&_6T+W7{#=!TkKt+@4i4
zm`L$@ed%Hpd?h2{@w+aW!SeFR{9e^EI*<}Be2P)9d9;ZTd4aHCeRF(K-<nw*NgZ3C
z#W4zgQIs$__?eXO?$pu&b+S8?YR<NsVeoQyLgkL)f&ZE1gX-mUB{kjrC8OZLx`fNt
zVX@%T`Bg(3=5Zs1o&Gz9!H0bbnM*mvfq+YEM>NUrNy@w0T}HtX-8I7IxpKg_s~bi)
zFXT;X+-I7bQShy7gwE-o;J+U?HjisnG$E<<66Y8NTPHgbK7RuILT_)I*tSFxja0jB
zKmwy+ztV)z)<M7*es{-|KT7**q~>${#xQuj7h!Y>C(w(0uzOm^vMDrD`E6e@3Jz*Y
zFg*+5ML*s*vrC2422%bZ>lp^0N<}yw_z2m>JUck2d*yUS0>N4j7zIc5HxN>{!E}B{
z=l80X(SeZAcQ(V|2YCpqt$kQ7;?9;aP4l`D9=>ylVeo8cLhEA5AnxPo#eJ%#H4rA+
zhbA!!_OC>MJsrKpJl;LIO%ZQG#ykfZ25<8r#7_4Rwgp{UHK=wL2SP`yV-%y{AFVXP
z?3Q@V`tsn+j-``m1d(AsF$_MNhEUu36{v;Y*f63|Zf63@22U6TM-Mg<ZWnVRw719R
zcdw8_Bd|=jm|^h4d<5O|pjpJ-tz(<zcPGfKc!Oc^92dgwkQbQj<LSkHs-`s%Y<f>}
zF$(stMDX1Uj72}(HK}!BF9OeEXBY-=_aXeYpGRRq7gr9bmB~Z^YU`iCC^)#aMhIR5
ze|<i^ut#}cjZidfH^bm_X$i!C1YYls&hAt)Az^972aJNF2O9~+^TY!#>&yL9+ZOgD
zJheVgVif!+9|8G9s1@^Q=lEuMT?kYIH!=*K>q1B#@Bm=E-ZrRQ;;ePA30>r!%_AFR
zcO+yjew9(Me<cF*w%Fp+zL8ZE(VrXoh*`+BHG^wqFcQ4Bi)9qNJt3jFbp%!XI61j~
zDvkdB2*LVxVOifQsWgIEpGAy<f3(&J&&#;+MBv$ZEwdQtAJo=~(#KN^x|K_+5zgj5
z$td_t8iMp?NFwm;;vVIaYV?o$d=?(R!?QY+@FBFV|B^v)RDT0udZtJS5qNe{k8(*g
z`nQ{ki{<&=DXj~-6XIIK+zf*6<RVxf2p;@TE$&e+iAF!Cc0@p;A8sGpG`BOsuJ3mY
zf~`}W2-m&;0u7<JHjinR--CYcd_oa%d*kr>Sse&_Gaq9R{JIoDdwsMJZ}{bfZWU5$
z6f1X#LGabp18b%?5&)OJ&mefECxQD8s8DeI2ExcWtUB+<rR9Apr_>0Ao5nH*{!)kF
zy-+evcx78*^i8@g<m#&aRa0q%#MVd#!TXXDz)yn-*9zljw&<_0>uUy9PoohW`>kUP
z9NIx6girSXBxETJ&}uyueskU6n&}LL$yrY@2ELeqK)wY?xI=K5E=Ctc-q|>;b_OE>
zbD4(>fun~Q3FWQ57~y6XXo=2=y0>{mz05{J=N54cfgk20pf8jJ5w7PURg_+dd9Za<
zgRCY(Xlp2A;91TD^<P1RYj~h}`osKa`<O=A9SElF3m5{wEl*(Ye-9zt$3(Jl9btL8
zYkbpOPK4EdKQjbg?@e&u1R<zQ&=g%@eZFU6^E}Q3*kQ*Q0e@{ofN$*p2;oUg`24VK
z)|dMxx6J24sGaW`Bj6*+3G(wN-~$}P1dX&=Zw^jvUBHc?`@LrjfWy0L1p4Cv!gE}B
z1lXP*=NEJ+>`wSyKZXJD)yxF@ez)<#GA^i}O?kO%blr3sVR$zu<6rYA69Ioie1MI)
zaCvVV!mcdsR>G5T+#1gS_(>tc{w?_6RxYSRocHd)#73Eogymk}G60_MO5mR-9v&=H
zxX=#9T~W7I_bHc<06pC<#=riR3I9jK1MJ2HCHWW^eLOO)MNS6-_0W@yf4BHhJV2it
z@ZjHUP(^E;5`AY~|B6Wn*)v~Y_#4!W;s@4)2kn_`(3H61^RekIb2}2c=eWl3_joFb
zFSrRE;5a@^Bcfwl%)RvkD<>t0&wq!}Z*T{V;tl4CMF*epL6q}a><KtAvvnRPg88D4
z82uheP4Nkbql3_NM#$7@f5=Z~ez0*+6<>{@zVvejzu((y6tB?xFK~b>IUyp)l4H+@
z|15zgXSL1eM0j7}6@%Y{DJi~TZFCS|=6_8&+b*~g`LCECZW>Z8xki{@J({s^P-~6i
zA8rH(*ovP&b;#Fo>CKq`@8gwi)7#~DCg86Z&)9cga*B_bJsKQ5%+#Mc7wWol|FN@I
zZa+A+dTjd&nVbp!n<g>z{nkRG_=$tS!Cl+`W9H!}PKLglvyiFibrBnIb#vxZHzVH{
zZ7ebutAK+Q#>^KCeOG5Dqj4oRi1IgMtWk`7FI6MMF=GTY;C4ogHHCq1^Z+k19(!Vg
z-6o7}J_FzN*~oyjpMVCgZ03u71>@dJwaAPt>p})R#CY-Az_9nPHg+;47eIqcmf_;N
zg;DQ~_I5HSgP$S;e%EXX*vp{zc4r3}mF=Lx45KCJFk{|(-Mz@LwDuu`2R4Hx^b|v0
z*F<kJFN-Dt1FmMSWWK<V_fBOpGAAR0#l}j`YYch6Pfup1|6O44(%VqUf0rTe3>%r6
zje!9-GE?$CV8}a|49=~<V4abY<2FOy-ehv-jl%`80R~EzYYchklG!;D7jRqiB<vDH
z-rWwv!{;wtu+2CL{*xi^(-1N}YvF?A42DVIAB=h1lli$07H|)<#Qz{;-b0oFk~I<*
z9570J_cG{xk4(_dVSziRLE^QQLGKANLLGmi0v>FRIDTN%+szE23T{+z#u%}!X4D%K
zV2IFCRKP_H5o-y<-o0dsW_XDTCYT}CJjT7_jS>1372L2)5Niqp-w(_Y+i_69<xG$<
zjC_O55h~*b1+xv1!Hj%wlS#S=6g;*YAAK15ZZb+jo?`;8WqNdF>^s^hp-!M+x#7{)
z4SpJ$CAK4&;I)s@(ag!<H=9{PrJRs}KQ=iUBr*7XW*H_l2NQg6aMVs<^t+o()AUau
zL42UGQ6-k)?-b*N+Cc*DU}}_$V*Fd*JhApef}MuOI}wb36aCE-Dwd20oEeRbV$T@>
z|3)V2bVR_PnivHhGXfrBq@;U@2(}p*Iqoq8E@h-pOGFSKU|a-WWC;A&GE=O*fPkBr
z7C!qK1Fs@OwQv$3_|~wnZDbJK&QzhV0Ks#+Suu-Ia3*6V;2s{}%0|TiM!{#vTx|jf
zrkND283s=?Sgaj*;Hp7UBM}GHF<2;n0vzB%#ze{241?o+O%@uD2L_uGIUh0(-a|&K
z-z_+B$dCxW#6WnE*+LEBfGf<1@IAmtxRl{Szn}r`WJ1_}U?lw1GF|e-p@B^%#2kjg
zYsh#Vg$81L&4+=Eg*%upKG(qjH!vRBFc{8izR(9~V6o{?D+vr;AQSdSF!0D`Hk68F
zFg(|Y$sUabxSY|D>k*^jkBt}_2nN118A2{I8g_@8F^=<C;Jm@$dx+uiSu$iRVFAu-
zEZBc!JUrKwp=DU0pQ&KYV?f-*n91-03jAg&3}!&=4mD<|D-=i$HWS)0B0fjvtnCOA
z;I>9W?IcJv*Px-2P9(6_M0h8PA#oFvhGrmv`vyYp#|(+xp+-%*2l_<#nHiH0sx8iK
z9E4tBOni>a+Gcvh+bz8cIuH?6{i?J&m<Ent85GYmY^)u+L(H`~jZ@LztYlGH%S?m0
zjEb8YHk2=3V+h<gq_ivjzXMg)HN&7Q!{Q944UN(i9xQ8{S)+ea+pVxTi&0Q12^O6v
z<JRXd?I7gDxT@at&!-AgSS?M0oKG1R&oghRmR8`mv3p(<{mVlY)&hgT|1{&`rUnkJ
z(*!KH=QmA7Kcmw#b#>kxur@F-&S2tXd9D6JPmHbPNk45Bb>$8<28J^*K2JvOXKL@m
zw%!Fy^mFf0R{W7E(8!I9=9@Y8)5`9_l2++7`uQ`MmDLPGplB2$<7Q?Kz2{bN5$7h=
z@S)hcOj#W_143>vG!8R#Xpv%D_w|6Hjue|yN2#jhbS8jfFGJ%CWa<V#Rc7&uw=UUQ
z5wU*0s^U5(z--3G^Nk()M2)pRaM%>Vqi=+&nrHxYW^mlh+_Cm4u+UB81)noi)dBtQ
z{X}#WX6{gtB=z;B;52clqDt`5{jxt{aD0JG-mlcx1+35nMa5M#KfhCqj^`Ua{&$qu
zb-X0_uBb-pebzdL$4!kMYNWj0;Dtsisy%w&P=?3JL1qtaR$V#Fcm}GeaILR_8y_7Y
z!#7u~;u_54g$Ai9&ZzMfiDY~{-1MO#iVJ%(<Mv5SRnzxEt}{R`ZTxs$R9x3FL%q~g
zPi@b>n*s6@%lM%xitA%;oZl&_dD`AgM#wA40A8uK8o8m)N@}mJ*O4J|D-$SVgwn!1
zZX92!sE3+fg#?J?3N?Y~Q?+#pH`G=|agdgm?J+~-qhtizjw!8Y*fBj-QDt;IzmtrS
z$CyF%j!R|v*`cN?s;-W=oI&z?h7iqBS;J%4G2B;Btu?$(43fibrcmG`g@t|Cp?V6c
zw|-Y54kfK6W4NWtx{)94rg|Es-KD$ADESj}$l9&2KIMmMtEbtzowbfpvOA+WL<JJm
zRUJdx9p$u2x9h<$`6QXd<J46ogCDA|oR(;I?<U}+iAIs{4P}MR7&6>fO<(GD>2ESl
ze%~mfy6WmMhN!V>>Z{dRKQT^@u$x7+QCVHik@1mYYNgfnW1zf|4C8E3s_F@jsD)yx
zq0?1JLQ0)YBkHfJUSi4gOf41D=tA!?QqF1|InFAoS6QMqYAH;gvu$Ife3s1P3T`#^
zCQlA8Rnk*SpBu_hd5VEVi`CTIJkcL2X)9^-<&v>dH4`c1xsrN^DaSVoX^b|P?m9!|
zNG}tKIx4CAnW8QVsh&2sjIr`2GLo%dRn*B`IlWg$8Fabk43@i@Nt8cML2bnq^-xB)
zNR!VI0hSU%3?&+>o`%xda{i!-HfVCT-x)0bK&G<SIpy@J;Jc418mP$)X0+VMSfck_
zs%ar(uAddryLw!iB((J0%Uq(_iYZ%gK2Qxkva~q=zZfmgBZE2JUA1%yYwm$cXc=ko
z-!NP*Ycf%NrSzu48VyxKO|-bi43{rkMiZ@9NP)3}ch7GMC^4N5mo*$O4I{HTbA&Ql
zJx6dqQUUEH4c^+#aM_*1aH1}%sBBBYzV~<a(_e?{$$0r!GM%m8)zDkxg$a&TKLs?n
zTv33jqwz!;BNR|Xd$Nf>A*$yo;k&h)@p5cB^NEHkAM5%IWFsf3o=E`Lg#q(wGN2vq
zDW07<$Yv%ARXo}7E&FT4RL6v(B36ZCJy?)z=`^)-gW%oT#(?>e-H4*O%I4+B)MQ(e
zhAW*u`1T1S=ILZcd%RULVQb46$mY&gIp(DBmgOa4a^*9msHS@HTh-iyY;p2Pg>#7D
z{U=7uKaerKRjGX4-Z`U2wtBw8X$EgC88VkMr;-J!lCUEK^Bc&Pr;JiIA+G3_@i}BV
zKn8UO6=J?Pu8b4e{Kd*<4Wau6hRh93D(#HwxIeq5C+Wg8F{-8lx;0?PeA#AFQI<$`
z@pSXRiU~<Su23{j4dCW`6Ek%ovwDPzFyCF%tE30%%nW8V)04n`Btz!MK8BU!1GNx&
zZAs@s&ZJA%D47sXaLW~knTC;RUCgQqLe9@^liPvxYi5gznNQ&UBSYrsVB?AwD1fgg
zrZvrMAicXm#bgDyI*gfTk$LU;Ugm{dS<$DGuSU8!n^nCWBW(A+ikXsg8dy|E&PCi@
zH>i3Vjr8<Z^->Gm1~Fz{Lq_%v$rgQo^N6|`jikSGDVNtqY|9o6n%*(9l7E+FmM1&M
zHqP!qx_yUg89>;+mND~cGPFBOuvhygx5(>EIzP8!3G>0WYK)m9vzS_j^D^t*ks0j@
zxsw>~R4da7+8yUX(-&lHXN!_jA5YBfSlpXLGLKS;NQP}a7&BjVm|HYjG6kMl*sXLz
z63|^LWiCN`;4{!vjSOz5N3!Vq#ihN<C)G$)^D306l-TwaW9D^abeEJrAy-%RtCB(^
z!QHJ+mJqb(PQXl2*~~6lEO8=kt{YS%t$~C%pE8L_i*4%|GY=%g+v|gjiN3dKc-@Rf
z66rmvWEDYs1;)&myi6~uFIUWuwvTR@&4I)_zap_@gf{CaXsSWx_ijmIeZG4_(_Bs@
z?0eP727>k$jF~r(0iGgQc9@^-pVBJ7D+zu9B@&Yv+I((frl{;D7<H2u-><A4S}(g3
z$-#XpWFA5LV8+Z%$Ot!Fk`LBbhh}#!lT0I-SU`aUC4{z&k(g;b8R9vjB|_+p4I>-n
zav>SHUw!l^XkW;Xd5g^yqj6H;?XmgYE2Pv&UKUgyFP)&Rs1q_>4I*RQ>4DHi+}Sd=
zSw1(Cp9fS&LxT40jF=+}lR;k4EM^~0E$Uq*je%roA;ob)gSI-1nB9%YD4!%)Q4e-Z
zY*omUWa~k-QG}4)ejYN7CbQh>p(uShx2%7S3`UZ(g_Xu8g7$8Vn18kzW>m-`Ix$c7
zOleolhve=dg%O$>+5(>-rptk3oKF^)FBeu0u9L-qWN;CM(SxA<O9srZ3zB*6{75_^
z?ropgx<~?&$w!pMc>}cNj0a2+70E;|Y!L_Ro1^o4R8C_c`CLp@L}npqU(I;=aS1Zh
zr-(q%m9@hf=5ir<eN<5lCTM?;@$#*FWT-no)^pL1c28|zBC$rYySSRTVS+a65MH{F
zm5lWw7G3uK<l;WnGnh!0A5#%Axe3~vF<d?tLI(R(eHDCT<EW<j+)1*RP!VGZ+P$vB
zrQHE!vO7Q4N9JeyXLc&%tC5^Pt{xsbVOtMI%NxDPY%gljIiJohA5c4s14;do>Y+42
zyZ>XfwAfCj`*gh$erM~rmW8}Y37$|5s|nkOF<72#k@4>GL~ler+Bd6v#Z(4Th@}+6
zx5U^M@(L?OcOnzMm{l)?-`h2<Q~A_JQjjOrLPx^(sSK6>$WLbc44W5xbL+%*rIKr;
zE=wzgO9pJq9*>k<;~ZqjyF9g7U$1T)+p1V%jnwBUl~9<leK7;&+wYS(U)*YQK3!Zp
zvRNS?Qm17U!U@9mLQbHxDu_(_nKr}v{>+LY4fA@CdOfWUDuCPf43l5ABD3E0SzKp+
zb7t+>_T@7;lCmwU46bX~R+eG%{+wjmm$1fB(JxM{9ND^b8WXACGpe9IVf$W`lr+>%
z=KZWVCgRDFr9+z+PhlW+Tvic0Heg$A2Fb_Ekcn?B&}Ua*91!y0z`}uz3n$e`K_6EG
z?FibflNjlKI~y7MTK3Kx-^G%kJA3B#t)D-kMhd%-5(sj}w&skGV@CUv;jg7_z2ezV
z^y%96nLTUg_97*|T?H&AXm|Vtklf#9BMg|V?)XDr{*~yLr&f<`Uon#lDfKL71yBsz
zx-mZ9|1KdxEmhs|haUTf{Ecw`2j}*#nLV&^QC|b8`DOC&xdv^158=_xCKf?Lqj&0D
zB}!!Xbtd(nGD7-|BxoPZ;P~}GZ;}tENx!tv794?%oD0K9LiG7A`OXluPhw>3+E9#y
z#9@-J1GHt01x88B3X+)U_DSv~g|<Zui{s|zBuTNG)VoQ@o<A8CMShiuWJSl9GH*Pz
zt!GReJ~EiZ#pW`vII@*yNc^zBKM9P6yYlXv5!rSkq8r_ONM@`q@3s)IS7$tYp^by2
zM(v!mYXfZ7A807yhlVy197{;Mq`=mgvGD$G!6ZEHlXN!;*RA77=<@JfBtPb|%DD-^
zR*hlslUb!L5+T>gxst%P9R%H)TiZ@jWV&b>_uYhRB^Us^4h=18kt8`!#%(8D{|^4V
z-q=0^Ns~!KCEOplmMa<i+?ZX{izLc%5-ugK&1T%|JUF<pMM9-#pme)OupSzNdS0$+
z9YT_2Kj}6N*G4hqy)e0worFv0ce1TKtoc2|JMlYu=OPKSy=43D1Z%w*?VkSFpM*@)
zW4X41P~CnL>^x|1BRR9aTq_T2Eg9>c_a{kHyC%~<7*WkSjdfh*NY*SP(`FH>*JP}_
zoTSa|60IPt?FKuO#ErBO((IXrYVR=EohEM3IB7P9P<<WRnI&(yy_02GP%V!W?d*{^
zsF@_YNvJ-b(Qb0EyrEr?W8G0LEDr8)dwGKjSY=qS2da%_y!*4jK`Ug~JOXw9aKIB6
zAaEr8A;Geu+GmV-dkGxWUw$1UP<PycJU8qDhvQS}RU6gXFy?J4a8PyG^~MNl)>+VV
zOyZz@l4}rwdR<1nl_ZYTp;9X%A*%ffdp1iP)JJNqAW$#Mu-9Ek;xJy9SmyMowi@^F
zVu^$DndQ}L0`<@Y;FFL^;-Kl$%A66^`ZMyKAac09kyUF6)U7Mf=Y_w-LDeLcB@?Pu
zVeH#S<e<%RYCWO)YVdQ@E^;Idl2Mi{s1}+4ez>{FK^<h&Mnd)ejDC+>B8TCOd@^T6
zHR}re;i@7BrTrnD<`b${Vf_1}%t5VW)3=1Mwi*CAbIKgrR>{<hP(3sO0P$Bc2l>30
zN{<|1tv@5+a9^2&DoUlQgzDC12*jO)4w@~I4ic<aVGMlQ5;~k8NTZmnxV9Pu@%ust
z<%yC-a|qT$6Hw54se=Ycq7Mmhtv{pS<g8MM;iw#{O|WiVhCw`D>L8z2GH5g5dKJdO
zPrRiL${i+u0ulq;Y9PdI#SUsBf0_`khbADQBXS2#lRdjNVC&CNxS-r&JSKO7d<oaB
z%UEcV+(ACCq)uA`_9~2pAK2v%$`dYe4r$1?8VqqA!GoH}8~?-v?4b#0XpQ7SePoTL
z3?X}eM#FJIk_U~IG@}UFt;=wTyNMp!JSlV12yImu4<8mi$gozzeD)=1Uk!-3fapP{
zJ<`QmiJ(0+0TF#Edyw-<*)ox^y+0%3dp6mFJg&->GbU`aE<+-&C47+ANtyB@Az^!E
z#>A_o4|3WpPkv-0a9;+B;)0|PGR%}EmMR49zOO+McNIT~`b(0Ygzn846(1BpsCl#u
zS**d^CRpUoDu7UhVEJ*vfzUl95f<@h5(s6zD?6ShAb9W2xcGnwLe2~1#)tHT?+1X9
zJBtWH)F@J71m+-o&&kNRw-7>U9!ZPff&}nGq0v4mgiLcKMMN1w_zTd;l}QRAD*aqW
z#MB^!FUi=rryN2KeS)QfwJAaTRB-g0AVQREjcn*d5O2E=j+_}K5uy^er9uzF`09*~
zKb1wu*zL14u(TzRUj~o%3L``=J>SZKm_`KhKCj@BGlMij<oL&P2@qL>P`)YS<8JZ@
zk*V2z(F-k4Fuw^P?UqQ040TQl-S=Vy^TCM#DLGUmA)<_vJ_=hvKEnC#jF7uXB}5K&
z4p@ZjNd^M?{Saw~TtY-CN4^%XlL-jubGji?Qm|w~q~#xTTdbBl5Yi82jNC~!`QOyt
zk41};b$~`te;y=llTV1qtI5V75elzISYMJsa$<T3g@_!=&v`969|{oIPen=GUPvJ#
zE!T)^B6A@HfxYcMOxhx+{BQEk2O|Y#nggMIb%x0aL81x~xi?t<O+12X6W%YyN!(6a
zAtHzJbN$5PdOE^;pI1O>v%o?`THf(~;xONd0KX{%<%B?yg@_ClHbe+PNE3qmpO6x_
zky?nztK%j8cP;}#esCgG+9bFTQPycex-O!xfiS-tL*@8%q6?9G&sX~GN)|%>eOQTG
z2`@y(2AA|%)DRP)ehxQS`cZr#qGCIB*sYv|`$HHk#|8*6L`5#@tcVc~1pMdG61Nax
zNNfB?Pwh!Z$X|lt^7k?fk@MgXz4W3wVgD4o6yq<%5T)Fyi^4}Z6ZYHg<0Wn;#t_wh
ztABQ-A@r}tfO(Z5L+&#z`sQvG!v6(`>6uNCA<BPU$Gm7}ApE!PAto*>%8;>Vuuk#s
z>_G7WOEF{~Ez1!3E;j3suLE2te&A@#bWEBd%CtpqgpBi|_<|=elPgr5Au4cGPkb7h
zfZ`2iVbI)0pdl)MRWCg0;7sudyQ8MnA`NNvALxM#wG9-na0_aBZWC#Uv?|AJoOO3`
zif8B-hno1k)R;1E+RT|VXUv$E;bKQbxmQQquD7F8QM|)O44cQMvgVxrz$azH7<uKl
zkDRfIYaNmAgs(O!W@l9+#Y0?zoBl{m&A&m5L(dh@?54QX5xI7~Z*!gxPDb$(ZI5x2
zJ1n)NoRAH|<@asjQb(laoAbqn1S~73Q9Q->7&x~}9Vy2bf%=2ZT<VC(q2~4|oA6~x
z1rx<zoQRy(q>2tHfP~@aXS>xAQG(8w;=0d^%9|)&<5}bsZcF{lcpsAXUah#+5mBnn
z`@`d`+tbS$DV}3ahR)?vJx4Y}-j64{*b$LSwFPhDo_DL7C82nbeX!HGRL+=}Aa%`7
zu69JE<rs7#B<}dWzgJd`;z#bnPA5_~Q+|i!Lua|%{jV`km$lDgUF7AtEixM@-lTUN
zc5-J-&1_T#`LB1s`_sg=CY}5cOCs*B>RP~&;#XE>@cc<CX6{ND@d|gmKlLiydh+ha
zF+Yv<^^tkqE2TD2Jj`+EX<h1NN(l@ZKifU;&mFQ<Xwh%l+M{<qS^g2rr@P12O&`#*
zQVwT|zj+Wny|AZN#{2<;Mo)0r`@2RT-*j2?7A;eyPNO<i$`r|yB~4OqBgF#^NJ39s
zA+_=>3_E;~TVK4@4;VgANTuu>GY%RjdrO&$pH8Mu#w~}DU-p)A5<j^!rAnTJu@CW*
z670fH+#xlxYs_Hv6FsCfW&piDHS#fx{)mT^c?jyIJ@v6k)Nmc+y`x-2Q2c)C;~5zL
zGS4WP8A4A?bxiJIV430-r8R~+mFl<}94_*TvIIkM=G4YFEPU=2<pzlAn99iLW}zd^
z8%iz)(Hl}3dx6ItyrFbPQ4x;R#T`ss<qc&uisDMCi(i=d$P<e75Jr8Ox@co!jp7BR
z5X0!xsfrE2<t#5Ky>OH(eQIJ68~b}fS&O5%VQS)fHZJypavMm^NKL#%x7J_VTHuS*
zJ?Q}@D+B41sfq9CR^y+3y3akJG(%F(z*IyTSr69VL+0~<G80L0y;MX8S@{T+WHla8
zjzOuZsfV-}nQw#uS&#P<-$W?&N9ti3$h8qvGAN!;DlwE!4oEd@P8S#<i*B6flfhVu
z>!up^per09KsVj<$<JVFQmWx_y2=r9=r;6vVm$*>M^X)E&^3-wK)1Qqll%;(ll)T)
zSJ4GWD52ZI>q!SR#kEokcag<oBUI4s;q~MjI5i=)@Eln$My#eg$m_{@ICU_!@B!JH
zkyg?j@9`wa4W|-(QwhJ5Rgbim?tG6Ybs0}rP9>C+6^=AOcb&(Rae%6SDxr<cKN7-Z
z_j^3q1E|)f4$@;}Y63yB=e(WRBLUU5)WHUjsFCb#Zzm-gQ3t0AcA^U;P)YWcx09Zb
zs#dDtUvxzY6p{Vq?PMvW8kQ<Jhpr}p9I|3>Cnq4)PpN{N>Dm+Uk+mycPV8}z>Rzhg
zU9xyA0hJ63yqpwfOr0q;P)!zuOlNvIX$7hpqynacyfzUZ-M_t@Oa@isQUOQO6(^ES
zm+j?b2dLVf3b>yxkVqZf@E8v#4?)#a%k%q*PE91<ONPC@n`B^Aozvq>3(}P*f?~SI
zyqna5RrNi-13?}cN=T(^8SB|(0IVA5@hzoWj)e2+aII&PRj_KAr?*X%&X-tFg079c
znw*1GM?Abu%R%o?3{7+>n(58NI|)|3v^+Rv+ouO1VPg{65}@hSG%qHl7*}WV)TW*K
z#wtkJi6k`{fSUVuPV-#S0a#V{yp*~7pZ`c83Rw%2sgMIech;A$KX%i3NA0;_O1d|a
znZT--2Q_i)Bd=NVO?f}$R+9-0%aZtTu&MaVXRkSW>ohMTzXGdyp3nw|-T3CO72Pmq
zVKT@!LV`WNKXOQ>SCL1+YOjZrw%d(guZ5AjLrLWr>YrU7oi)viNO}g=4?LOlgI{cc
z(X)_rsM}}&!f$QmJ)|PC;y{mO^OxJeU}<vjF#yCq+R<xBS7=qvLs{_OC^&3^j^!)>
z_+YxXkQvabqen95wJ>;8^*|*PSaZ0ikR8x!iYIbR8<-5W>5|6<@ZtmyA-AE`FP_J^
z7r>?u`qr?4iY+~Z_`9LiHIHNKa<Ca~(kYt{bRFy!<Xwi=PHzumQ5X2khR*RCJ}`8o
zN04^dii>*|$A!S>;A*{48RG+?6TE>;0#_|OisQmyRE7Q;BZ!>g31kzv8skYE9|ohf
z5rX~}Mi4v33&>S)wcdj`HVj5%%RpHWX9OJ^dH?WE23Kc2hXp<0R0XZd3Dk7YAH^74
zM_Haix(}RYgF25BJm~qOIlAHup2FSWw0e-NzmAjmfnGnxz^nH>guNr2G&O^M^%_Qy
zqj>yS53gEz25A*ww0<pQY+l6(j`H|%7G4eW3{C-~H9^SPwvv&2#nXp99$qc>2$Vub
zin<}|x(YsUtf!BB46pZi1V@0)hzf}#8Xq~HJ{sYx8y<nmM)NYro!i3&=6m@Vg0GV7
z9>7juGNkrG_SFSkT<hgyCBEXE9>DEP<gS7d3mSO%&CADefK|-{_=|&hVJQq6QG*;r
zrg`_Uq5xLsx8LNj@dmV&Fz}GC&UiS>yGM2g*c0A<C&J(Z`MzEly(n+kXs>wpsEe>x
zzx`e|RE=5^28;dK*?op8@$S(NVI6+^<r^j#@VA50P?4Iy&M@IL&mM~r*2A}6+K>Ud
ztFqOs<zTrvS5tktrFH9~l3|W#kAnz{ecyJ|AaSg@BumY%>VheDH7?7~&eBvhZ=Dpo
zdiHn@u?oNKHj`qYP}OqEo5L{a)qV+%_UaMF5WC*nZVw6kl~I_zN_UP|kE$4}_uKAp
zIu$8kPn_(0uO2-y){M8^31so!Q~>p47kTxVi?M!s+Z{*Nf|PI#*`;1Rc3`YCZ@Z(&
zA_J*FH@u2m#8}VXc88N8KLu#3q&wNGM<m8#ueaQxbOSz9i?o%hdEKBt$fHMk2H82@
zay!!j&3S5WX+_P-H625y5v<BlwY+7GJ&<(=j~=B^R{6KwY#9;`2b-!(^EH2Ml&Nr4
zj;iI?_Cxx)9z7bNtdHMvX+v@)I8>G8Yv!iam)8%24yAka=!3F)zvV=ULDpNLwXzW{
zRcm430^!kfD$4ruZTF6mfOxsq#z3b(rw7Jf;?-k4%3A)myTn)kqS-YDYxE7l@W*=f
zID)cvzU>wm4nSe4fhuxiFn)B3SC0oM>+IW3lrjJ;%QHxGE?CSJ9zDHWDC^l<?|v45
zx?BSctApV2POl!h8D+b@-gY}N0TedMR<R09hGu*9s0y<<$J<U>!39F<fK*x-T)r>7
zdVYel%D?TzVm5&0JbC(Zz~{c6Jx1WHkKcOZ*YW|Vvb5EM&uqoB$2T~u_ghcg!U^*G
zrD$ygpYc6~XU`vS*2K5pqz+C{w@QNMCNTPj@b0+>XDxsGiAz{P*9x+AtHEg3Y!4qN
zaMn%_K>2|cG`A5&%E0M`!o%lZIP0tjAm(+lg5?7=8aRDPc=>#Svz~bZ;w)Z}7pL%p
zQ(va1k9eHr_VNV8qr5;RSUt$e>N&#8r#A!b93Fx4Ixpb{{R+Tn!xqBRXGWy;u16r!
zzhngky5)e;<r@ocp9PRsZO=fA`<xXN>eS!LNbzjp@$)^T)zU){%6+WVNA*#`=Qopu
z*U#EWtEZ<R#L4}Pz^BVVCmZ2A(}d^GW=Ly<=OA`m#z>Ve8n|4xtMCBY6=}`zAjG(5
zqHLgEhj1$s@n^>gFQ5aE)(THTh@E_Fs5<z;<JWr%Z=mCm)@IK_DCezZqBWje2?w!{
zb`oAe=OV3x9)=JTE-hvOMM<rV8L#A_t%Y~cl}PKN$03BW?*}~$WF@7+*u6hrvx)E&
z`ZLmc<benwGWNdnw?TugOsdK_O~1c<`HtzrYv}JtE8a8tXZp5hKJj_>s)$kIok^^L
z>;siQzWTs5rysJz1mR8e4ANphk7dNPxm)eD*MWzhbiv|#p8ld<A`~Q%El*f|`L@&d
znym<rqc@>ec26hSnV0?=l|@ZLlVr^sCruXKNW-C4NzY0MG3U`PIZBc!lOgo)T@>M&
zG#+YI_qc?Za%+nW1F?kS{SuUJB|MZ`47HnjU_y+&bAS%D3Dtvs<qYAa)EjGc^T>qQ
zq?;~3A-@Di2~VYgSZj!fCSIr064L1M6mKPASZj)>cD7s<be9Qlr8%(H5>IUbU0x#5
zLArS!OY&o_A3Zgtg{&r#8j!CM9!ra1t$m)F_>HVL5kK8GUQ6D^TBkg=H^|VHfJ%3-
z*OK?K))kNKF1l)&j`Uhm18d#&*v_UaPC%oZ<+bEPtQGFDEu_myz)!YHcr9&=wPHQC
zd30F`<dWrhE@_Fi*ygE?p;HqmA^XL1Ne8gy@2QCaiI$Un>bayl*vja!HIr!xtRj2E
zbIE65E04!kNft;TNcODfl7V2Wn8y|%%TFLocAw{x5n!vF$Mz#x`A9<`zut4n1h7@z
zWBZV-cBFN57kVz43bq<}Y%h~FkF<*JB+n&tz*Y;7?Qyd1k!tA{c`o@HY<2S3?jnnh
zw483C=aO&1R&S5(S~3idu#9du&n4@?)?knAe7g1#O6a!tT=Emx8tbv0NY^+*A>9_9
zOSXcoX&&1my5%F}(QWLxWE<F8=&|idS2%*7Zno!=9boHQk8Nu@Z3LBWyyudgVC#F2
zZMr-KWL?5@=`OIf-D6XR$cjd2CadyZvIlJK@z}&lvbFK`G=uz4?<IS|)^DEMpJd4T
zN4$jY1Meljg020Y+pBcz%EQqr4fOYUFZms89rE06q64(ObyQs6k_L*qI|PEeySuwP
z1PG05pmBG1cL?t80n)ezcMmQBf(Gr!y)*BwJ8#YW=FYq|fA%_k_Nr6$Ree=w*Qp&2
zN4__<rFb7yTb#e%$RXF2_K^H)de(8&#*ZIzvZaXj-g=myg9V^a^kfx&A0&9YF*vOx
zbPn2QTM@Vf36Bm^pwq~LmZ;G$*gi^N3uO{R8|n&o#PZ;A?SgL68{9TSuvwd&EAdmX
zP0!M4+gaiBu)k&I!Weo8^Oq(ES%u-xYnq+~(bE3l`s9nON@MkX$vol5AGRfj(ru1c
zY<uCG;|h6uWclAdG*+M`<mn&I%;|T<+nmDaZJ)f{wYc0jxnIl1U>k4`c4xn>0O)1<
zY`ih;hrGS(63k}_o{Z-wOc_D*#lh^2hczed%5{OYR0#<(gXy|a@4r|>YCWf?fn@G4
zqvCx|-XHCyz5MrmnRxW7=A3f#Aq_DrAzXxSZlrn3xA}!3+wx1{MqhtU;~6FSpWV`}
zcxN(@J+z80k9@oJDTfCwZ7x8n=QI=?1Bsrd=C?shaSKou-Qea>Ap6W^{sp9=t_JEp
z$Dei8FI3#GZzpICZsd1j``iM5Oa#@E{o&n^R|HbB$rSi@@A@!%MDSlfp3*e93Au@v
z;AY;Q7d(Ee>V<!0Iejoald}zpY$4v{-Hdw?oK<bRXSOfgmNSNLyDyh`TS#Ox{GD8?
zkU^imIwIDW^F*?;mSgZ(yNGLQXGIj79$3q4!)5@}##0Ki{<yN130JIdYNt#TTNYHC
zX2bS`WY4S|GV9sUN{1>_3|h+NB0z;V#GW_hBCtn&zkqLAtx6R86kLmD!*&YWmR$y_
zKwhcJfh*QAt^Q0DOB7U#Wy4kl+jd<7s-RdIPlPK@Hl3hFm3eH`X-b1DuF+!*o-@t;
zXt${vlZ3z2m5fKJ5Ntp@54a_=ea)vS9#OMX%#MAZ3GHUXA%NbBS3Y)(Uct?&EYl}h
z``d<N4X*X6Y|NT+!8V1a*r`Y-kBg8w)Sz@8z(rzvkO-bTJpXd5k8cdz4a3iUsIML2
zry7=IHd%E#q$bTkCI6kaz16JRbz_Dw7fk~SxL6F3Dsnoz@nJ-Zm`+?G>2yk2?k}wI
zv4)nFlr3>nIL!eo5G?qiE4j0ANf~qldZScB$;{VV&54n5la_3gE(_BVTdiHoCB#d(
z4R<~~C=p+~7woGcNE=Wd^u#HWKO`&322a7Zct`pO)(4#jsJKz6@y*!M{9-;0dKsF}
zMF@bbt?J*}f@b?{`W1SYZia#3%%KNu_{BW;#*}epobGh$6JoJ{$_bxdRPzR!`lTzu
z1N8_9CHF3w>UG|1UosDF;LDOp^47V#<f1B&z&E-%o+2l<Hoos*ti5ldQeR!O=iBKe
ze*KD5)xae-!82@xIA`u1bXAu3+sFa=u^#v^t2xgn#`Nk>(2rnSK0BV0EO*cYIYzor
zW3%L?Y%%!`6J2~W97Oi!HX+<&Q#X&>jsyJO<q6$raI-;w)@DFpiRi_ChfiM60}1RF
z-<cm<^Ik?G@7oVwtIZm6xc-}57#!GU7m2LK=@Ihxc2w*<;BxRl1Tk#8diwh&XB%_S
zEh9evaqnld(&8Puac?<3olYPGT&!sBMXKT@0P@3oDOXgp$7eYiU^cUDDY)+rpI{}3
zC{t8JYBsqqYPQ1tEU@Qj@l%^toH3OferR$sA}9jw%b?$gRB1{f*EkW(XG`7hGk(u}
zyF{7aQQ*Y|QWud1ltx29-R@s{mEkg;1rd(fN2_4W=K6wm*V}>Lehmx{sRTolG2(}I
z!lURYf9W!209}n=7ow;NAf}r!W#9*|GWSD@Xc9Xn%pSBuRM?k1ugSCFm<v-t2)Yw`
z3Qh0cix@+{5uQ^rI%9DS>Cs|LVw*NuVO!-S*weLr)Jm##$HE!W6NSu-lQi17<dR)S
zYO<{n6~ogB{JxCZcnFo5@%^YYzRe8~^!`>t2_C8oz7cLOBTh25W)j#yug>8XYTp%?
zw4)oj2-o)lpZn?9GzZGXAylHPHqrFspf`GN?8#>f>2TL~ZZ-|o=*mkh6dY7QH;IR=
zw-Q)(FJ>et3U+j&s)%gJ$M*G0$g0n?i#cYHsVEX8K!n0vQvbuz7LipH72i64tP?*Y
z=YfMYLlSsL;>(Y+k^fV#JGjm~6t63#(3J5z5vobP>5<>anlLa4GZ=Uz3DSkA=JusG
zrOiCldPdh5l_4%PM1ggH)FHg(p#Fj8?p)=k&}K;`HFgmaj0M4n&_fL4U++>?2}nZ(
zCNl>?T>?DsVrS0cG(xLmpt7r25)`kCG;5=oM1!;ePU4Wpp}Mj=6B>wJ3+^?2oFmJW
zlC7G|a_MPexT_g@4UnH|gIN!NadC2<4!tn5Uw*VGB~~Niq`XGKQtmF&-F`)x;U?1;
zC2{{!<{(#2ohYdj3LCep&3MZJzi;<mbBA9LTdg?)R}le8wS&Rmu1<|_n-W<V`740v
zeDm>N8Rf;O&-$SZxw_tu`mvga1=1D!Y-YI=8uv)ap}+!(jfAOhy?HlXNF)XTqI~n8
z%8_XbXBP*9Ep|@Xe7#cY6ydd!aRuiU#wg_2#CSg<KZR5~?M{#adS*ByYNnES=w+7D
z<sdh|Fjc_T$@FJ<zaKQg#Q_kQMT7KGrkFVKCnzMt?yyBPfg5viQ$OMP@^w=_BSX$J
zGqzb0Qg}dzdS-$z(XI>T7*Alfw@edT9M+hY=?{qkwO3Jw*Dzg?ASft(OGY<0QN{xa
z`B0+zCiIg>;lyHT(1jBG8b#vB6V`ay-Z!-wRD;?eR`{8;(>X<tBIsX+T?SO&41y(z
zu(SeoBzGqefsDYY8RG*XL7ZFtC^Hh0cFADiOw~u<&cr%xe5o-<mu&hYcf|}=aitGr
zg@&UHg1((mj$#FnP2I#6Hr<>0kc4(AYSgA8Mj9bOCV`8J$h|^Jc)`8mO%ZwKA9A~a
z%=_mFwCYT-H!*~*nu6lrGrpfffR-~x*W7Gre1;);EUSy_jIWic_nF0${n+{6xc(e0
zhS*u5oUD9PDgCLRhij~8+6vL<E2mShNx2$>RyVf((H&&$^s-72a&F5}k#r2c>ud10
z-vo@;A~ZbV^t~wQ)M=uw29W6Q-FKf_m|%o6D=BbK7W946o;I%J$8y$|eo0nLuh)cK
zjfiKosE=4MBM=}^uHtuOvWyp67*foeE$Cn%@z)nWT&_$#SG3Yz>s8bNT@fX-vJ-O#
z6eP-J)dp*~BlOi#&I1{!p2y_5569u0JCxu>;U~>F{cu;w^jZn~=+rs1%Z-})@-(wD
zc!Gy$j#suvpl%YDvay~abd(2KHO1;qaL6XUD3N@Er_mNJ<N$r+OhTG~sy5ikfCWP4
zHH|8eXqXqkX7~wr!N7Oys4n7W;>K4Y?PY8pBLU||ZFAMv(*u=ppKR^f61eDC*Wjyu
z{`zyk)`gU()ubI?!3hsKRO?o;i+J3*qdDM4*UF=L@g_135nszwdk9oV^{$S+LX%xw
zMAfQ=Vbh&)BPf}EED?f{S#~?)`4)}2by?Ff9#Yi{afsGcp+clT_`5_1MFo1MFB4nj
zu&NDeBeO~<&?~xzRN#3uao1VnBV@UB;jL@`*#h2XpjMO!#Cw%#+4BNSAy)ASobRPc
zuA@=uh+8v&uZ+hIe2uL!sJHLZ|4|mEuJZG-u$E+pim7_;iCAMwmaQ)-?Kn-bJ*n8n
zg@jLAJZ}JT+f7~nfNYT#fu?{-w_c))nONB=WS)4YI`;}E?I16(0*NfspoytR;n>}o
zBM(UhIh;ChSl&}3Oj;K59gv_J%K6)>!u0_VS6Ng_E<%YG;rm(8c6fzr(hxdPiIv{k
z^S>@ly9i>R%oDXNsQPuyT4A*IFej-J?YtM~Ne+z^OhB?yVc+y6?XQT#(y-OI#n?W~
z!`|9{6<q2B!mSu-LT1?!ts;16>Ml_V;f9;KmrN{I$6erzBx{VzsPOJzOdkfHRWYu?
zlsjSt3n$hY)w6WD5-SP@jo}U@iq=O(Eh5<=<Qkxx#g|tv+9h6Kjm$X+)!Yo34kikG
zmnf7s)(+ErC7*l*)_M<})O}%k9TE@WfhcaXc|~!yaXYw_(!?d7yaPgelPkG5YudQ1
zIREaKAn1}cHvdL{8vP@%lF9_ZRaBp#>mg}#PfGxD_~OTyZP2cH=c*r^V0l9?oMt&f
zzlbc}0;}A8tmcUqv^3*FG(jc`F2FBJc^A%Y5mSkIknJ*s`*d02K1g%SDmA?(*OBe{
zes0xgw=p!Ox>~}tiZWb%jNz`D`gy(*CzW~0D7o~I=@N22opt*Cb4HKD^PwEomjVAW
ziqmoLpi(5W%rt=X6K;|=f9kN<lAfV<ei<%TsOi_GhVLHJtOY%!H`rWSy0@IE-k-%Y
zTiEo)L`C&8ByHMI99Day4-u4JwlV_h>-(Re6l!S^1kv}a{22&`1ykAzKOlX7F#-Ef
z;x2WoRl$d^M*Ju*kZI52wBhZtF9{}nYh_28cq5X>9b_w?$34!FZ13Z=QSG`<-FfQc
z5jUH4C%YT%XXBk;Jk^!)$bP@8$(f7V^RZr8M_)2<!Jxlkdj9UXJ^DhxYVHT1LIL(=
z61+x`rVT0Q2G4GibSD88?;6RI7o4+@R$@I>zyO~aYp3g?#4|vAMjEw6oKd`w=d`gC
z&`P_{(V9FeZ)eFDerAgf=nrRzx$m!l$BVR~WGvB>zmMUxDT5LFM!#HMSylDu8pHTu
z4Xz``*KcnlOA%ef@R63Kv_%F~!5wNg60{+!E}?Uvq<}n@=-VJS<!DNOJ^c57@#9%)
z7-*Yn>0&ff=P6*4#l(K0igKZ>Y40;~*gx1@J=-NVoQhYNp#3O)0L?Bt_eihBael7!
zw893iQP0Ulz_+_2&bdrn+d}_(p-*<G)1@Jqx2M##ss>TDSh)L{-|Lm_5AhH;q?Dg5
znLE8PwshbHqSai!3^ZJer6j6#wb{#BbTwY&Y3yf(v7ctqwq2Kb@+ZH-p()-325zg3
zO=o`AcD$spX??^<A*8W`K5&k$na!fw0zgC_=@JZV!{OB@or)k8U0_6RV(ynxS(6Rm
zSk19BLD1Q!)|U}0-K%{{Azx6yaYf6MNl|RC=d`hB#YU(MNv>39BRnnrb}C*GPj@Ka
z#YB{Lfn=5JnSfl#FI$%H+t3-B>QRU-ejvdvI<GyqKleIP)B;T^CZ55ysJz3O@bonW
z;uNcB#j<GyLK%8<8;$xmETwf-T1gG5?*$F42)3BABzv>i7Q)&JhQ4mLqz$jiOaZO*
z7{s4gx$=GyD78hk$s%B<R0Ykz#rwUew2{?VIOxH%jV1k(8&@Z-_|ct7Dy7%+n}=H2
z+XIM&$=c|_>Y}>TGDkb}522s?zD|^CocMoXh(h)XDtI3q6f2WK#w|iB;wHs@k_S}Q
z3Ijr$=PHc1e+yNV`#iMMg8Xjp<FP!<p>worf3^0xU9$4z%=LbxE?td^9bjkKcyKak
z{)<Fo`<!-SQO*VVNb*W$4DS1@xa!z1F2hl&k7id~c*8GJN5za~H-Z_1Z;~})^UOM^
zGU%Pj0;JIS<6ko;{RQGwN@JAVS)%s7)&Sj3OM_+|;!9>2P0ML{aGFVvCr%hnoNGel
ziD!opx$@SY2=pzf(i{U|^K>wxdomo^l<?1re142kwN?G3GAK`g<C*H=);JTDD7R!g
zWbLAm%aqlv=F1vPy(APD%lHAwlaEWjxCPBm4O^7?djMF4LPUZmkS(>QOfCZVe5(dJ
zpy1WG@JgD$4E>w{;a7@shxP5;9_zC#>4(udv%-`pk43p56L=M9v&nU!FgxLl3_kIm
zGuF75T_@c<2p-SG&4q%x4}%X^hJDZb_?p}z5RH~UFEq2Oq#)wY>Havs=f<2=^qctx
za9)DFJm^!(04pft2Q7ISQ{5qit;W=sflcBR6G{ux{ZQo_#36rb5E6ejHG;B-7-G@O
z*&@-NHg#$L%=EH{io7kD&Auw^b6Lc(0GSOXNgYt?)phS?n}LW&%abmP$XpNlBT4RJ
zsnKT*u({eir(kp^$}NA>A1VaCvbU_xfw7nZU-0G6sx;<2@)NamDddv2Z^G@4M$ggw
z$pnaSieJm5LqCJlztbw#!K{qSr|qw-8eaHc4~U{p6w@RzD(~-Z9n1@2eKg<|({#gW
z{$dm?qYnp1<+<6&{d3>7FF`RmBa~s}ER5R-5x3l|jMg2;Rq)u5tkxv>Y8Z``d{C!8
zqU2cat6aEG8W+^?b*2qu&<eXUmi0A`d?0?ViNvIjtr%2|LXBc@YdlO`8+>9VLv$ws
zmd+@)2_tC62tE_zMl^$rw}@uOgaecBhon-10~t+^K`@P6jY42KiJ8QUbUAe@v$(j#
z$Z4d_$DkEW@*)P!T9jALJTu+#(z!ee&lXX5r8Mza4Y~n^EHz5VkM7~Wq%sQB5RC<W
z3rjsuicklMArY&|TNxxDv}E<X-;b}5@B`XFe*O3<TaxVFiBPL^tr*KRic;xCoF{Qq
zAramdV)vDZr3d{pT4-n^Pp2B4q&>RqN;Lq1CQ;TS6vGA8pv!51E$e_IRqQ$tg>KwA
zcvD3;E3m*(NQz5Zu^C}t3yrWD@ZmfIl9wN(Qa+(9R$L8@`POJ!2^Fr-MmOMGZ+|7v
z-cSi`&)QW3qt%6jAueiG>Vp@m?jIW4nb=GJ{yCspu1WJTS5z>OOv{i0CqjQd9DU4w
zhzU~e#fwJx*aA$`J6TYMU=?Y2A#k=zM<1~5jA!CFeBkeuV$4bxL(?aho6#u&Zc4C?
z!zXf#AdDtKJ?;^kOpLuC;v~ODVbvzh5lA$&i;bs!k*tYS4D!G&*G1F!hr$Jz6om%h
zsEx;%#>bBBMzG)Pe@9iRFBlugs-X43r?$pb5s-s$pJ0(&C1#gPqnaHc{zRHoD_0nI
z4x3pKlF|j4IhK~F8KRDSAm+?zwaf^ZLPSXvM!~)xp`#ZO_Lm34xxm4rYO)}XmkV}%
zq&*{{N4hpN4Yn*UL4`5l6b&k2h&5zDjJ6W!bfk@mTafi2R7n+=N8Op|xFoYNNeGIz
z5Pu|wU)BZ?5Rl7x(5UF?vd?kCduQFk1GLTdiS-+NC6AW)few@{b9s^2Ttt*pG*<%L
z5c(nFlC5{6!ClJ4h9k4J#6?jTbcLf4NeUqu{L+a$$iw&YA>mWG2Jo}macZg_bZRr|
zp+HbS3)leJM$zonVy^HP+ss;AooA?R*K6WebO|DfQSQCpd?l#0Tt*IhM1!(~<aWqi
z8<-5o_hQiv0N?%ba3dZ>vCp`}x(AS?s=<2ACoPyRC+<>6YvBp^7|z0#$XL8+oNOC(
zm;rRCdgce}Cx_zFAAD~S9kalYB`k0eLmZ7>k(hN-`1-R5{D4Ma#Z`ig>?~x3#T=z%
zq5#ClR}S`V21wmBfSpVQtsSP`BZ+{4d?xp=pLnC2iy$dBI^3JGRMWc;`ZYGf6U6{&
zv>5amb>>MIXLi6eREF1=PCok%POTn^@QnZzuHYBJh_F3&o-QY7CL38W)QRi&at6Yi
zYHuR7O}U5~vEDA?TU9<LYb2g*C1<zmpG2d5p93-X$A^7uJ1Lb&D1&N_1elRN7k{<3
zhzWT39tc|8Y3WlDumqbSirX^sxPLL2AqN1H3vHivw@1td<q$oM7pX~I2j|W)(q^Zn
zfVq2Lu{lnWwKx)di%H-XzdM*MKur3!^fHPd#zhhDcA!M|OOKh+S!^I)x`7(}ud0bc
z_<cR>NP*tjQ6qWyEjaiN<dFg=v8vCeJJA@D2n3;7Q?%YCp=I-#eEmV{koepqwDa*^
z6pS#E?X5w3MF-)J+jf+Uo}jr&1mq-nG?X(A2JeFqWgd~UgC@RM5iQ94oSeAZzV~y(
z7>^_6e#+v#;i*gpRUCf^F5PqQ`S}Xx%%=ubmy?5X->0s7*vgbD1zqf_&o_~jL{EsL
zEkT9tE_nId$<F-!H4xz+M+dg8f(TLmE?=qYIU8j%E}O)lCH8ofwa_R>13kdp$0N~4
zV`Ji6xN4A>4+(aF!|wo>v;Nu54;j;WTwhHxmQbtGSQ5G2B&<*!24hf!sB*JV*=F@5
z3de8r;(O0Q;J2n4<d?R^pa)Y_R&WRPpZN)&40I;a<xV3P)XzLfge+Z2k^{dHunr_Y
zp4{9E{azc%cx(L(;mcbO^{}aJdG!!dU;jdx18F=M6aL)pZ0jEuiH5mD+;;#v+IZ{7
z=dUi_>1!l>c}UBdEb!mlX2xx^=K?gO)5pg_MOFwdsNv<l%(NefXIeW5PC6GZguXr8
zR{+0LeB@Zk>hJV|K&OToh#eaddiB7cZ2N|N$fsqkGU<DPj<1(BV_mV011}3NbSo^b
zWN`%V`ju_FgD6aYcrjC+J>d8Rh2iH;N02u!KAH+xj&A|O%pMFNQR?hLur&Dgqb6`M
zqfAiK+MCH%e5R8CRrn?tADeX|NFKj7q_Zt88&9pHfOF{NQ;ojNiar|Z6uC41eHTwA
zP%7+Xc%j1vayr4|tJ+0{p354fP|dt)1xlM-w<+#qmlxq=2b=Y$ijBo6iMy%BpPlGM
zR=iBW*<ieGIMcPxO}3+Si^H(1Ungidwzg5Q+f5k0aNoiudJy%>w(-OCJpiB<O52T=
zK-LjHwTh|f2Nrn9V<RdYTm+`WYPPe)HDu2E8ZK5}&fy>lk}1*E*VNEL>BJd{{xn*T
z{u<Y8)B87``ThrU5<0ExS5>#+9JX5zGA&{qx`ct6>hVOV`)cy$e$_o<y42(E)7adT
zL1HbiXltqs*W{VE2BI2+!@kY^BQ|I_b5GK5RJyJhvEIVr;>@N)?{Y)BK~$QXg~;!+
z(;}&lQ?rYLGJ0j8<`C(QlklrLV9Pd2>!cM3)qSQA-$&g=a@4fGDAsp%Vx%5A2N!;U
zVPFj+Tz-N}a=EXVDqCnS<qV^{S%C)|E$mv-NX!?otGV!~H3qEsetsO1Q!eJ8P(q;I
zBW93Fb^D`yCVFKiZR`QH&_!?z-=ErSXx7$afUU7IF17-6?sE-`#9AQu_B5U#irm@b
z@VU8#$gJuY986U_ed?uI6Y3g-#zw1c`6>#tbJI)b7zi{w8`R)N2Gs>Hi?%bXa_Gf+
zPn~<cUEh;1{7BR|criZ&4M!1s3cHqTK8-`$)+MEegbygSgQDs|nLo`l4;0+^HGavo
zQaBP7bo8f=h$16uT)?{4sGlWfw?9VrA7X3{q7Dl{2Sl4k_bC<f?-+(@_0lG;J3)D_
zp@w%A6}-aGd%#})HZUn9EdH+NkX|p)zp<voO90m0DW@*;3~RjN;O;{%9xHNT?v7$7
zK7y0vY?!8Gm1A$rD0lXYHxLL_x3Mb9HsSp~A5q8FnLA@e{61M3<j}z*J5?ED+On>n
zS8da&P4W$B*#Vk)7^UU^Q1&M&NzI`xTa$F?*xT8{EWN5qBtS*n#^Tqh+bcWeuBmS3
zL(()+aH{6Oa10mg#B9s?^&wpiXtypsZP6mE6SAPHD!WgJZoavW4M_YawI7ET)DRL!
z4XHg*Z5uOidd{?rB$=GrG0*}M?ncn;WioCk`(AE|yW~D#@N2p<^)uZj?(iApc_ku)
z?fwa!7PN)(K!fA!FDz4RT>_$LZx#K_&uIJSsQWFTCkMw2(<DJ9Ii_P9>C9^g`l_3O
zhVW{*V-}ByBI(SdbZ9LjGEg91h(*op<{p+N!ObnX+9QUs5IUX<_vQ@?dke|$(C6Z4
zk7F&p@i+i!$Iya|kU66Eo7l2FGj5XKDW19Ucfm$NQ)w1`+!_nf)gwpt1>DO?T0MQ~
z!}d(Arg|fD--2Qi-A_idVr2$OB27+4=GIVat7084wL|HW_dPyJ=~4}vaC$Y3D-5F|
zZV5%&dPllY>F?>$l7>(0IVye@mR>na(<m)tb2?X|=r0OM!^9u@$oel*cuq~pRq)4k
z9x0WPz%{HU-yD>xFs&u1r<6^AHR+Gevp~Frd1;s0uTR9I9TC+^B)Rhmg$H3kgd;sM
zzaaz4{oE4<^E?Uugx7|ld@P7k>U8A*P3c}$M%%EK#eU;9!toQy6_;cju~q{<>ns#5
z?R~3CgF<Jo35=3}A&X&m+`WxEIQ-A0#1InN{8jZ0{>nbn4Y=$xT1jW`9Y6=l&}_FS
zESw97dq8sFV<#8lNQBRt?y|0KD$b$hvtM>qRTUmxl}$oiKgC_AZK1EWXlCq`OV01E
z2<JNfogsdi8PSh5jEEIMr$Oqo->(C+yE&jffwAhE{V-KN1ZSi~5EAllX_VMlgcN7s
z>KmB35)+&3y-#>X**0p}MgEN{d6uAMvszmmZ(W+b4cit`);&Fg;CsUkIqAA;;N;q-
zBWg>)q8$VG{pq<sjK`0vi{FMkHcGhW)iq5AOZgEldZEdzAt3Pss<I3(DaN30kTAsN
z>Z&mPhM4;n+hl{$m(nqu1P3&I0`uxjM2JWnE7TG|2tR)a+gNd!;4dh9%{Z~ch(icd
zGPPV=)FVsu?_6LlBU=|*@*Lq%j`o-w*g#7+?Ngi|=(ixH2Motn<RoSOOmY!+Oo#*h
z0s2{@+7E|Mxz4pyL=krW<hh+gft3*At;`3N<MI7~n31mK87;j%7DTSWI~wRvs6~2Z
ze|jYk(+|6!KM+OP@?gv<-DIH#Hf?xDV~tmZAQsRXImm_(>5^BFx1IBl7RrB65bs*x
z$^1RvzsYmOU-p>({m={(8)|J4gj1|b5=bAAeBmN#B9>huWG!g~Q1~w3#+Ei}0Pp%{
z6YJc4=ND*=hq>iDlN;!EDpu9-4T>g@TfAf2AIbV>GbGx9O$wC2LXcMBJbs9L0Ka<2
zj`!wwPELd`4650<7z>{*@gLm!Ye-eG>pC2Em4F2M7(Y)l^&uI@Cmr;;C%evwca!b9
z11*O!PldXsTLQ(pz3%?(v7I^b;M8@J24zJ+Hb|Z~4S$=dmR7d)!k+9pV3O`QG6*ou
zLW2>q`i95LT-Y|5>igbFRwPS<sJof1c9@Flh0v(l=mi<XGf#LsP!f^9t=94DLV`mZ
z(YMUx0~hP9jk>E%MHqj(sGw@cWxC5=CMjZoN~fT;ftW*O7T{qZ7G6X^K(phzE|@*)
z5h4;p)3Jh=nQX=!&kU7j<LYP9UZ|l{9Sja<oS5}flnHt^Zg$mVQ7aUUpx#vh=Ml2*
z_6gacmp2YYXr}X=VccP8q9t6l?f{ph-Su|QYsb`F=$VroO!$ekDX>{_n>i*EJ#l^F
zlP0GpsV&2k#YwUttFYNNa~WMfw<lX@=e`&vn7Dle7X4dwU33;wc2%aGJ?zM<TTuNc
zubrxt`%T|u3Zp2$OY%%~gv_$(HFt0TiN~5(hKa|zUjnn&V=a2$(}`+;xR<h|qE#+A
z%3-6<Hk^ui>$b4l-Pp5(h<XR92Mn7aLQC27>PdsEqwjT$1-T5y4ZF@V8coE6sNYU(
z-Z0_=;MwcXPo`)CET!$AD~4OfAeh3Y*00bg_iw<5--cz#%Lm?97UV%ItF%H{+>?+{
znE6#9Y~CZfychW_8(Fp6poud!oSW%J+1{3MPdcJ~YcG71&6ip2^>Re~qoy4TvLJnn
z44<3W@P0PYDH1m4N8xq4{$F0gz|P$`%Qt@T1(7*9@9>l}E{fsZclUl&0VgaM8;MMv
z)rVF`O3-v1DV*`|(fDZRsC;B2G`&I@1opQ{Q52XseAIAaUmIQN4%rCle!Pcn7zdB1
z%LcPT7mbfR66-yjVcoZKE7#0L>!=rob~yW2vrA}?)vO<AH_Bc~gVHl=u4Ez`@ly#(
z`toC(VM~_dRk2wXHpM5bgFD7&JHy5NM6pFiKLG=s%iWEFn9yI?<1xn7J7vVs(Df6A
zJT1DMs~u7FMaXljiL)Fatckf$CU65R%AD)l(4f<?c?u~*T|DD`lMYZ)#ZJ#R!>aF|
z14}7_j1M++R@F$jjUYH4jB{y>>UcqEi=iInLilMYRkPkpV_J=I&OI#qFpTW0kO>%q
zw#leGgp=@587ep|D<&anNuge8t_CF%jg1WE*P(T4p&#522`XGh@NW^=E#$Rm{>0%_
zhqo|3V6dzf7b<W<^$NZ)Yc_0)5tU43vurf^IYFoS;ay{nd-Yt4ajO^>a0RGhU92iQ
zM_1znz2o)Z<b*>B4e)9n>^$3c-=8WC6EM<4g{oDYDz;=Yf~@=Nvq~aX5+oSmi@sKR
z5LyV%#PuHEZj&&4iLVOApA|^?_v{5J`HfAd!vS72f-a+nEpesVIJt;Na$iA%U%$i2
zBZAHi5%zL}8eWT%YjFQ~OQFMgT@^Z&IWz?Seqt7nT?}tuNTtI?x1UxXHZV~SCmCw>
zx;1>i!=wXPA4IE(h-5+|Tj@(w^1?G!%V>zg*ZCnZY|v1nP^GQTpI%1^w{CL)Brgdy
zuoqK01JEQt2<q=yKO*8<m2&ocZb0#ac0q+J^)&48()|LRa!l+gCqxDf<zkb_&Ns0b
za|oTnihz+&n@p}-cc5X!u+anUIFKw#5-CT_G_Vt>gqk>8aCj}<svgxXWcJg9N-SQf
z3S~Ag^y~pkttnCL_a_d(!~)p>XaB3<E3}*oCkX?ViQ<eX)wGM;is%4r>?tLdm2~h>
zw?d$imlk0<g6@@eAb=RsyblJ_%YX{O=^PF32_~M{m8{s6$~vVC2dkIbs6VGL>G&ly
zcBE~-=o4N6%x{OyerrmC6N!~SUl6(EDZ~+baq4yn2Z}~j@%YvZf{Epk$aX(nm@U9X
z35|;#cjU6r$%_SxhQ)NW5=Jgid-{r!*p@_k$UArC5Llo^kT)ZeI<W@PNOK=Q4|hka
zbK<!CfG3M$=<=oKLQF@>_{~i~)k{FWFMATKu`lo3vaWX}i7*#Ib`1hrrx&HXZ$~=B
zo>C;%;>i#RN@dWBqaK@JUhKtOjikiFB!dezsb{G8X2O_u;9mX&s$FjaVX^k-YE@jx
zixpU|*mF#;dw~vEFemwVb^DqPBmAVfsjIT#JWU2OtU%fu{sf_)F_>y^c`OA=#b*;h
z+G3C7Kv^e=an;#MKqs&dq5V3k!#oBy?MKN3Ir7}*iNWC?Xg8rTIW;fEE`}<&naeW+
z8Q48BS>yh38)1NWl~Gra(gVk748J9&fzBA4SjpTgjnSk-A9;MUh_el%F|#_)=BA@%
z>J9f+B%^}!qePeQSE8<0<EaYDtz&7=M>2sp8WAZTzTwTuwOF1uy+E5@kWSDG`mRg<
z3ICF3auS5AcP3K?O~D0yJEv_l_bC>jj<UK){e%T5Tzr{0%+x>GmvT4r=j7f+6xlzJ
z^T$(Q*?T9WvW7J8>TB%j_t=iFFxi)7)ifuxc36(b$Z9gG5>r<52O96Kc=)<p;4^|f
zcx0Ymisc$ObHYc_GPuSFdyZ_N!%iSkn2bl3Adw#|TP`jlFQX*jF??;Cdg__Dmq2FJ
zi(j8vnr9OwgNq?8lI4D_a9$MvjYAEn?dSHR>+nnuE4-Ni9FtX0K2Hcw`NJ6cimg2I
zbSVUrt*&3#q>94nD^Xwh5*hdU&+@Hev)C?R>k&UlsQS!3-q}Gv#yQ$9vFKrDWz5_t
z2`Km3b~SG<(D}erS<7GPBc@b7;m$F;Xcw0ienx~mcIQwQ72UkQu;qf*FuImiV;pU|
z)jYB6s^Le2ivII6wD4xk<!=6cKroA4>K$VKu{g#PZxhxl6kw{~ttT5>`Nh<%VtTad
zj**7Z-J}>~`qPok?3i~n`}TbYa4c+U4Tk#XI7Xy@c8y}6dy|LJ3f-$4)oixf?Iu9|
z)q5--XkMKBh3_*K=-6&_rra>{Tt}D3_EZMb(4Oy<xXW_$7{9xDRt)0{eWdd(JCN}f
zY1a5+&e9K+{L>*VSr4gk<tINNen(4^Iewt?5(QO{uyOt;@h;AdHM(OV|6@fpZ%Ki^
zPqjeWt~T{}*<-WHuu_^C8*lDel7lT7i_Z-MW={Qc3Ykia)$tc<_`J6J5@-(`nAwiB
z?;FKs>(f(lBJgO9rHCr^WH)Ep;_VUDAEt&-nGscwQVveF721otbNm=>GvxyRrjs6|
zlQy77G0=)_!1BY_r@w7&`*uCDIHmp)`P`8hk8$?_P<=aIwEq29oPzXw6Pp*JhN$FH
zk#3-4)!7HXV=3e@ZUoJ3S)LkQyiL9b-qR?&Cya{TAQZDat}ZTozU&}eORTEi%({6p
zvt2l+XGHp%c2L!OE6-U;@?B?t5*RV}sv8}2N_lLHGPjE+n|1j$)KxsR8h<X0uw<1w
zKDuWZ!J`?oVJp8*j5f}`)R1^lMFxR22BT>!lVzQ3!g#NOQ7p1vYQ~!(Pqmz>N#lX<
z3F%`85q6tOxuzRZ;z8%=D$m!DkD+zXD9MtCu1S>J#Ve*zpfgJj<#M5>?ah6<J!L?{
zM!)XFSkvG7Awb&kNU}S@ztH-Z9|8OVX^DO(EV7F!YVV)6LahWO;-0p|o>OM<+oB`Y
zSy6?);;wS!rKj}l@yPCxf#!W-8n>yd7c0}xxtICv2+1N@Bnh6Sn_2~GDSSX~@#mu7
zgZ8^%nn)>QhHp=3eb)Tqzj+h~p}lu;lSx*yY?Ad&gvCR}n+BP|G_w{}&y<E=DDVm(
ziA2C0>hql;bQu|6pQyN%7EdmJ`OfiS_x#rhmoZmY&*ll;12j&<l8TrQQeIVz0`GEZ
zd~~RJU;!~qtIycA8$AtjY3HJPmK;pOKu&`@u71wPB*-R#-A^XWTQAR38Q<@n0M?5|
z#QOo=E9xPD`AcVrqF?RD*Fd$CEw|=k9>?ZO00!vS`iT}v`t0VZt*mfduWM0gyK0G@
zLLI@aY{&YnbI7Fv4b+C=Y!O=}2jXGJ#w?flr6rHVhRu6!Hntz=U+di6o=)KX;DUMh
z7K5fAbr4GZr~fYg{6pNgkw-+JD6=>fZ4e7L9Adp|ALV5p+}6$4(5~rJh>G873++od
zPt6hJ2R~Rm_XAcsVmu>EA80h>J}S8m6yF9AxhEYUc-8}sICtX<PMXy54YLv-1kZEN
zl4Y~%iGYZ$2;K#g%D^tej~1^JnTobzD?Uc(oPEd-FZRo*{8pS2+fJOWO)(!W`pgD9
z*DznU3Npfhyu#yOCIVgCXkKcy8eC$Wm#5v<Jr!+b5MBgSf>Vs|=^l&+m>V(0ujJ1N
zIu$!Ej(V(Gh63csUfe|lXu2=ed*R^>?U^NZvDa7im^S|0h;l7`t;Ry@ON$8x>WVP@
z8CCN!P73@p*eW#Wj?eNMRzP5bX@M9`Ix=w6-`Y2-3C;XM0=1{eXPy6ZOLi!q&`LE1
zn}{^U>03}wSWZBc^T4^fS^r+n0|B#ljq?NRV?SMYMghhnB72B2!^YdTmrdg459Q1k
z1M^MR4X~mtf%&p421DPpoGLvSK5+aS$6y_R+Q>iS%LNvg^r~lBW+hB1bkd1k?hn>)
zFw}%Bk!gS>nZ3XE3c@e=NHD1$`}iLLOo?OP1l;R177VazgGS4)8&%}hV~GdVhhCr9
zKj7fB;<!5K6NIk?8kF;-hS6ZbKmH}4*2M%d@8O}irk5|F6mRIeKA6Kx3h=wPjmr!2
z7>_{J-vLO9!n`eI`Y?<0@vpv#Wk1vTe}eJx{Okd!6yHQnYU;z?q8}Ys6<z`cpdO|e
ztz`SpFQ^5kgn$3O%oNQxT<dnBc)A=AYFDnlBDz)d2#N9dTGA_z<t<=yTM)%xm!&OE
zef;p;Y{XId;yQQvCnAr#Jin}H`v#rgOu<-Hsqc&wI2bFiE8cfm;8=jzx)|kuwC$Af
z*fJy6_i%X=bHZg%y#4y{v}N7oPALdMQjJ=6JPg1ubjWJN(MURnX<=qdg+fZ+3|s<I
zo+w*3QO;zWk_pR+-@~GD#;bUz^aSPQS<WiRHi<Tv<;rtOQTo6z_Hu<&d`QU)mcAgA
zFo{mu3|?g+5Kov-AqfFJqZXzhj@F5fNM)Qfk0+gz)VOb-6ILa?hLFc>9;yJan-UuO
z^)+b=`BoK=2`mqVR8-w@+7x-5RjA3jk<La4d8<jre)KEUqvV(ots3k7Y?Q}d4LxU{
zbREb=q*J*kv=p%$7a9}0Cn^&K4Cktd-G6v;;55?_NEVLxWEY!}c|o-5VVz^w;me}z
zPHIpvlF78JnIs(9>Cdja)RCAMNxIFYIoZS2^kKI8j0BpxkZCpTxNm^3GcEjF>DItJ
z)83i78{5HE8B0+#?p&<}t~)NN9(PP-$h#gjN$_OUaVS_fHj&v8F!Fgu=VpLIjj|ih
z0b4o2DQ)ax=#X7z<P`+~Z$7pTH{$Nm6vIAXsW~8^MJY&Fd(kK}{9p@^H3y}@4IkVB
zbc>g%GR({fkHqeIbb9QxzA-Ah^Oc#HtDVb<-SfA3Imm^&&5V8;F@lecG}Ir9mwj#k
z+?a)9uRiGAvkvTP;x;|c1|-cku#>Ms>+hvEUUjmpA`-H#JJ8rG$lXi!1}uvGF-ka(
zzRf%5Lgk^Q@S&W@=S31(rWK^>8KKF7&cROdOQu#Ogfclz*-VZvLZtbgE(Mqd>=v(W
zXTSlDN@~wsdz=(MHwAEb)@g407^a*TGc~HtH&43IcGEM~s4iVO;!|}qxGE*go%h3M
zj&6-pptp2Uo{XYRZ1CQ8vQBX|O>pd8c5Nt-HZ9MwOUL*aq@Q=b@M-wOd^}RRH^$?u
z?=&7&aW{DiC~tl}wkPvp6ZNmCbx>7t{|xuT)z0S9HiabXVEV*riT@)&w`@6)Z|Yoy
zyh)Jrk|mGHw-9=@$fnh+ERIB3)!jCnWqzQyWoFcWiXp((v>GefIOpDRnydckVC-V5
z&?bsVcM=A_DS{I`y|z@E3t+XXy)jrysDo=NnBU?w>RU_7JwHRqPpi@Gsh7O>z+0<Q
z*FW+~HqLirJ=O4tN$knLS9Ls5!wexAjaRMzl+apkPB{8QwGYJFS|*Fi-2~=*4YhVS
zv0$WJh0p$?6P$iqmjb<tp6yzxDfqN8k#&yD+#=5U#Iq82j?Ua8Ns9FGO!_`bN3aS$
zOjTLRJ;or8^+Z(t#&@hv-DjlRJHgA#w#jFqJfNf3d^0iXoC1}I6iPtQHF>i{KAqx6
z5fnhzW=z)FwTx=j@RW-K$>xXl!YJB2la=YAseIGCmK_+?tj6#riKJYfw_kB`d=hYE
zlcqa^CBn<S8gMEwgu*CFLqqed)*KrELvIr9nM6{#8e!5H{NC7E2XL~TyYH6#vM+Ba
z+oZVI`O6rkb8$w_z1sHRL4SA89yjjXaH@q2MF1_GN>C3Q#W#j%srGSHMMpEmE)uhu
zgL8GZDs9CAHipzyBc-R7@Gt^$D1_w#kYE=KdLuB~`Xoc?V@zVWH5{S3r;%)2Z_xR=
z;#`zPxeCs9Thi4+Fv-t24|Q|&hr|4It0;CqXqkr@3A+Tnhyrk`(VW-hyK?aMZc^pB
zX@NlKSlmiG&v3K#HM)~_Vk%3@YbK-#(DC%AOimVViFb3CqVL>Evp@y#)~X)GR89Fd
zR5GsW=X{w|40Eqm)o2>gVQi$5i|Q%JPC0LPvu&W2`Qm4yIV<PBMRV#eZ46sqe<J0+
zYe@)}kq)!3*;BgTBZ{8(FHi4pTks(FaYY@n?9-IqUH{OT<kuDcxp}LqVANQ7b1dIj
za#r6-TV)cIo(}-m6&+8u+YWn|xl%M`=rVH5t9BY)W+b1VEk;k?YSJahT2T1-wo-6z
zGhp^rdT}?cFRKBU1c!e68hn9XeYB(FdG2ZIU>Ayzafkd6J^fo3{V+vXBS{z(j^!#^
z5!#Sf>pS{pDmmswx*)bwwN?kHZzx)LNl2ddwNXOEUgfoC>e(r7@oB8c=UtVyXKJ1?
z>4p7uoST16&x4cgZ1Qy|msEdH%ALUK*k_4iApb}GFZufqK4~8s4mu~Fx>_ZPnxI#^
zHv*N>nXl=eCL4lfnkZLGcSvuhUlU~$4i}theNtOn++;7knf;)6S{3E*nQ3b|50o-X
z8aIsBSaO2SKl2=%wY_x$9-BO@`O%x2`M*p>(Mp!c-7a=c&Dj9To7q*5xK&Gr*BxG?
zyAwC3w+`U#{b|Vir<JP<g3lxG8Rnh#%&WOPdwYHS;hSXFinT7?(3ykreSLl7qyXD3
zhQITxFSDeXPJe`xbI%ivs@P^wY~p?NvB0FBNFgyNvgA%8SyIurz14TVEtNKXVXYxu
zW~k>}_4$?A>3#VaVUj8R^DOSye3#DDPo;YcK|s}#-B!_&rSZe>@g<v0yTfa$?luw*
z9eZx;A8p92lt8V?GfumaS9SIj&ei2w>d{Y)cZr?rtiACI%)1E*Oe9NR0SuI@&$W;H
zH5-=4FL@bTQfDFGpWi1_{8}$G{rnyPma$4$)r#Kx22=2yL|pDpG6)Q@4m{kZf6nIF
z;wv1;xu@DW(z~WrZI(S`cG^AU^?^keh}xz6{ht2}uS(`vqS@=SM<mF&7uliZ%WGKu
z&@53(6Hs1vKj8$NFLWv{JFI)0Z`?gkZ~Hy{0d0d{yFHv<U$(ya-<=-B;7=C_`#tUd
z-jhWq-Rg6H`ktP4Lz8g4UMan)FmwaBz2lm#Ux$RyQR5>6&_F|6&Ee-kG8Cc<qKhQS
zeO00^p`;+!(CcWxLbP#wab@M-)qoT$|2o%9_=5eadslxVvbftkOSB0=J@@AIX7vYr
zyZs~@00uuJ`=QIfQNGf?np_s(_<q;`m-s)wDZc66^=*SY`tCfFHa`WvnZI~|S#P)I
z0uKGheH!1K-ipDxf8PH92AhIw3L3$uq5*F;;P0=64@u9U$A~NRXZ&Z?P0|-pOz;)h
zrSF%o5}5LN8%(+b{eu7I1P1@<R_~hyue{$6-qC$jeF^|?|9;&Ueek~luRYqoO@PfG
z62J+A@UNF(@SE^=QSh?^7y=AlO4tW4^vwpifa$^LJIkYeDq!i?>6eJcfW+5=2d691
z7Vvtn2TQ~m_~Py1so=%qs{I~3@pk*-`nG*PF}R&0stm4wfPHa&(tRqJn!Xlk4%h<c
zgR!@M{|EqqTi=>rSvy$2iyD9j-e_MQ+MVX!R-W=+3Le2PCWoS9zJcIyF#0p~o9xfN
z=QoUkY;f9hz!mJv$g{`W<xRkG&$P(*TgIn|XVvwBpuXdRJy9#Lz~7!0d<4F^CVgN9
zgJ1i=qRa)Iq+sw(z%7#8qlf&rdR}>g-$ZgFk#jOaGRf>exsnnvOJY6asLTg#C_hsE
z^+nu}%IA&-1%LOSts#98#)qPq9cs^XFf?4Hvup}$!sa=5hdTe$HUB5l#5Zp1d<ec^
zkX1b(#sx^FR=LHt!ROfNTqk@vAcju92{LtK6jA;Vy->Y>r1N7y1NC2es{e@u|4^32
z%qXFc?^Q#yv+-zah~!EOF&fTyANG3So6^mrN4P5m2Z@Xgi(dBsQq%v6Ow!Wqm4bmT
zpPW9agP^i~wLfUrZLoK+?DpCJOn|%Q=}PMr`u}C^|5k<}exqjJ+^QYN*Q`%!w+`KP
z1!MXCgTu=j?IUT2C;u&){@eBc0;Gg4V8Pz;=g7>Sx=+aziF(M+?CbVE&?&zUyt@7m
zRsMIM*`;Q$WHv;=Jb=xol)F^wEVO9<m?0&3uKa(8wtu+h5X!n1lz4M}N0ii@U`^n?
zx#1LQzKgM>*C)sSOUL_n*lXJ?!XMA3&Om-$&OwA*?>gxM4ITYooBH2^6@3F;=WIhX
z%!^}9;4gi`e6DfQ&;QWMUjXHQ8|wZ6PO36)>S{A6`pG5sMKSk!8ZZ7bBHjx1|54oh
z$727Zh)eM`b0Kqu%dB`%sJDJR`*9j-ag5RTU$itfZEWh-xACH*(i%0P`CX>X|1~%x
z-b^K0i|GrYRVY4EcUQ3mzH8!Nq>axxe%`3s>+|<ySA8475TB=Gh1<-kwtmCc+u)*$
z(9-+jFG5xP#tf_Qi~5&2=%01D%l)7x$5Tu%)EYgAGhEVYPX;_yD3bbDsjZT9?vy%Y
z0jBeCyt+tv<X}hWGoleE&_nX<U*N)jmg8L=@zuaUoJ?h=e4R7y;t`b-U)yaF5GIQ?
zKi>M$%3repkM7Bop+(S5a!GFYwf{dy?b&9;0kVKVmDn>>h_IIVXLmY<8{l6NHYed5
zKj_wPP^E20-F{0q=byETi~SrU<@BPM30tFut%3xZ3H>}u&j>!n^eDk2X{7sW8Q){7
z*EWi=v%mVe@0wxw_|hu20vd#y-QDTs-oGJ|V*}}pwVyC#8lAZ)ZV~6CT+6kin$_aG
z&20pS!IzTR5F+uAn7#NU=Z_-u&|fiAzl{nZT$}vmOdV;mVPhEy^!jqTG&(3TI|k@;
zxP+_){?<xK`ybL5;4&cTj>MlB|8wO*Ej=My!VmnbL_PPxA*Ah(|4|43AEPB;mUe?}
zq7A=2tMWQ<D49Y~d8S@P{F~CMP>v?!mkp6=a2!w0h_Jb-?umYVDOvQA0--(V?T^i0
z0=RMO{=%}dJkj6>w%%S>cf4ap1`2ZIH}kV_#23ndqu=X1|Af(Ka+_a)$Jv|=gkYp{
z?JKK~gj7VCI!ecKyIGhuiF!yj%Kr_Wz8_y6L3T-g{ya6YHaOO#L?wQ~u7{$ytu!o-
z1lj<dt5xvFg~aaEWXRnA{`*pWU4O7Ps+8b}ZtHY}*i}iH<QBXDF3Wil?zuF=^6t1L
zKS-dPej~m%={RuX{|5;Dv-*~J-!KwL!J&mz<bVE_J!VAj;lV88!}5xcp*Q|}bc}6M
zHh<h_PmP9VNa}=m9V6sKkZT%zTKdK>`-89hyRf%fXCVMoxcArYX1!`Ntb|aVFcv2I
zgl9OoP<;L=uHKwCQDC@Gs<x`eTq~+~El9|&!{8Y2_3hn#1h~GSAwhdEm-0LLVjD`N
zd8+11=ses_%7-=qWa$I7JY;}9v1lDK2gRQM73wLfkh}VJJ_2azS>tuoT#E3H#+FkG
zN&L8X4zA*48)}1DCJXB5aQ|T$nRDmzFZ{oMaKNzVut!jY%0R60@$<^t7>BcI=$1Br
zKQY`J|4YwZBE$%Li6kevr$7I6mR?@uEl{`zALJ+HGX!C+A{0%rJEU4hCwlDux9C8F
zGSt10YVO2_5}HrBo>56^^`t`0D-Y0^OSR)uR?SxlwWp{1F9>S(+m$c&gJp&(o1dSK
zH26N2k+@LjYQKLZr=n@@7eZdvA2$mMky=Uv#gE@*(->KwwGOvjgqE@X-}T%i$h%l3
zp)r_Ds03v^I!;ebhgT_%^C1sv{<?ms!h_c+md+B0utuAkcYS2g)sXoy=LC7><hXKB
zw;AU^<}N8hOC>Vs)zz-ene&6re;aZyy{UqSmh{B1Lhz1=v)^vGxG!F7dS=|W^*=3F
zlIBD=7wE0b)od?HJ?8}a;D~DKJ2YDYi1qbBDUVeYH;^xjcW;;7{g-mbbb2Tqc(0zX
zi7B%PP{zb~G)eR2?fF5B>l1o^PbH)z_;?1RtN3q~;Y#YXYJxxlonnmGe_b2B`-ZIC
z0kVE!@q{nS^m0+t!0$=W*;qQlb&K(L>5+g*fPDel6q3b+Esj$20Io+b-vg-(5x$3m
z;g5Htat1vZ<}UHcI=)yGKaflO=X6N*veVoSG^$0ROpjXgg79=Lz2=NZY}sbDJGDQA
z6j#&hB>Ey;;fKcc)n+X<zvAGP{ndI-R<HvC>9Nl;-(dLf1s{(+e5^QQw0|k=0iWSQ
zcw-~(sF&S8JNAFV?Sz&yHI0Zxin9<7+I!@LL^C2|^!jZTxJwb31$RwNhC58<@`if@
zvh1X*O*c**iW&ASZ%B3XQMH!|j6Z&hnGw9qwd3_sp*-O8-q!wSDY{!)=R~nZ7Qxjf
z4ICRE4HK@OKP5{Mfuzn>8Djuz!`P-h0?pUovoK{a_QD0CNuHh7*GmlDR(*ywNihG8
z28!a!c&rco_qV6$oz9b=cpCpvs{I#fVsz4nyK*c_$k`oyd)#fux3T7FR*i@i>?dBO
zQ|BQ&%>$)mB;6>=k60-mq14wJHUf+I%MAWjTL_rhY8pc*87sN7qImKBr@1FZ6^e({
z6{N;F+~R$tR<@IO>Ex9}frMi8wl#$li0JwG#>$}cXsgc9wGvK#vH9=$L)QPp+FJ%x
zwXJQSl+qp2T@n(4Al==Kgmi}>-QC@dNOwvj9nzhOgfs{ON=V#Aqnmxs`R={HSuExl
z<BccYF#)GqB#XIv?4UAA0Xg?MiEJ0Dw^)2Lo)wF9HVH&&_VwFGW`U>w4Fr;>SZjOI
zj=w2u_4A#K*Q=y$<*rG2SzNIYrkHrFaL^ftdfnq%q-gV!=rYW!Uq!|Glmt8sdqVQz
zU~HICV41||;U&9Xo`m^5YMmoAQu^|AkP`4lT&XxTyT!B(zqQ!2T$Qh?Go^@oUWW0%
zzF2iwSQA`>PNB7zDogK6ekRv3JY#afhE-tXho1-W@?CLBb`bh6*e~5s<?R>N%lbl?
zPGatK<fVfH+s3V_fz_kbjsy}=a`pRI^!=84Vcen!I%)nlfA-IWrQZ+ku<?Fg*WfNv
ziGuLa&_W@w(RU0l%VRB!-<JfO@iLAIOenUCNO+3bLV&TsX9*%`KxnRy#JA`S7plb*
zV}8~+*#5u3Foy5|s_(CHxGx(a!d|5tI)QV3(n(C(+OJm~EG5)?7$8>}E@#k3Jwoj=
zS{Jo2@gP^Xb_W^#QAL%<-NN)OZ=@tynbPPL?hCH@$tD+*pbFWp`b%6-Sd?Wt3n|6T
z@+oI|XlJ)ie(+NmF=3kGTOg;4h6wm(RM0*FZ$+JfH}KTj|4rpV--)7u-DbMvbx6*s
zA*2%=htDz55tvY|!UG64nG3H1FnosSB(#0c?9(<W5-{tduAGNpH|o=6khlF634+PC
z&g4>@n>66`6$4KU(^QTtad)Z&)UV;0d}l~K1AO`R&Wvlhc~*hJJp99T;$fX?o)%gk
z*J|$)hw?)TH+rg2OWV*YDkvt#_-VauM!ni=EuUSdocyQ#xLa`hO#8PO<(~3|U>7GV
z4IOo;CpNONn#v_DW*ErfN&EAB6DylI?Du8;7qp~PeDlU+ubjOL1U&i(&D*+|vEctg
z{2hLY2hFu!ZIzJJ+^9vCak6EmxswC2=lV6RvMRvJ*!mC}UotE_{Sati>W75W?fbFh
zQSEa>217~*2Gk9Q5+WGPC&T?Pk!Sp=V}Rg?{|`EhS8B!#u*v2A8cde8^T!d83P^V~
zP$B`IEs!oVsaWd$MI9AdOYiWI$=NnRto=k^xQ_DArSqW^nmn;w61jrjvNSXN++Uz2
z*C8pknS{37roZjK5bGn0*U+oqZ7o-8fLYr|VJ$nq{`AAg`)5PKQB;C_s&-jeaO5Su
zNuE&idbEU|a{~&sPX7zjtJaCdJa}093<~MRGE(jC19TPD1v`?s<{G}Cu(5G<4+*_h
zuSg3tJs`z>>q{)q<!@fP9%>o+1JS}kak|`H9&%-}mk#yqAV=FnVg6uB1q6oePA2AF
zLcfrRD$j~6>fRa;=pWGOM@#t`1q?-3r7x&V%{d(CMfi&Hm|Yh=qU{5E%J^^+*)Mmt
ztN2KFYB?Kibssn+;EQR5D{a+2crx`Us774|Y%zMo2EDRU;#pr6^O<z$nCkD~PZ0m5
zyxwDoLaWblNez1KFE!$wNP8&Qtty_kjDCdAK|MDG2i}!mQBQ02-kNEUsv$;ekRc+Y
ztMc*(e!%M^;a<=&r|i4fDfKm#ljY29+rDYg^l(*|1EFY2Cm-y2&6*9hciq-*<l5f2
z4pSeXNdH&$3aiFcXDDV*JK|FQAy^rQH3IeH4E2pG8LBTPr7eK)nz*7YT0VpjSkmgz
z6dL@chYv^sx}Q5@e@$L>@8B&%DgAa(*DMYq$Ro*0ZxZuR$}c&y0r~o#|GTQkgpX89
zWCe09OQGTnvCj!Y%C(iPP$(Qu*L{P$_)@@@u;iH6qGQu=;RKx<zf^i4oC;bDxQDM|
z7V?C@a;S%~8k%w?R!^-5Mq=1cgR8R?!{-9Y&9g}E<6-?5UU8Q@a-2pGt~nL(*J^)@
zXaMN^Z}?}zWIyU210KxLyzv9*HD)5p_?R<b7vn&Z_@2D91MZ(4TG0KY593u;)rDsS
zYe^qAdhP~<ixRsE!Pq`}f$*Hkxqtj8l7FA^4b=cCc5fyR*ka9cT|v=y#!lIxvbUs^
zInm+(>SUnOU+d=?UH9l3f`4>NU)hboc#75b%}+NX@fx(>*VeEiZ6K(xfo88DEU;*5
zyq+$e??|!G9;+eer6^z>*Zu8(-ag--;-0bQe({;h)+g6}x*a|%BhAfYD=@=J#5kHv
z2ow%XN2>0I<yot7uLt-nD_Q3za$BojH;?<mw1Nd~xxtnaCTv(@k%7RUTg3+~#rr>2
z8ORi#v9pf{F6dFE24tf*be4En19r2H_jMVAz04`W{E&|cuA}1(LE8ym4RYozXQcfG
zGITtEpw<$1uLa)7rRs)^@9JkWU!==A)2&KplLo84NcvIOHSK+M1nqPanrCM%v~^>|
ztUjod&6p(p(QYN}Ts-o(l=x5Z^_N^q=lkS*yv_W_Drp<iU6b00qN;uzQk+s?li5-~
zYnDA}8^wE^)neo6B$VdZa{Z?PLexQXT(8AP2GTaVo5#IZJ+L;IzCM2^0uzS)qUD^s
zKYz`!eQTV-hOr+ecOCR9RGwC?WxMVg&aY%7R?%jBqIx9VXfzSI-AWy~Wi=xBK>fYT
zqN`05+5l!fKl_NNd)7OhSPGWZaqN5h5uyx(9bgD{mU98;xa#>Ts455`t*wyYiedYm
z>DvGpvnSd=F3LxUXm?&3gfV|WMiMWgL5R@a43Ax{@q5($UZHC_Tv&1Nhq~mx^mC+3
z8)5+;=qTtdxg9<-^P86C28ea&HlyE3?j>vHx-45u)EkihgC!8skc^XWR+%bog_-iY
zwF6JoymT4!@bC&sT`nm`@u;UQCK+lE9~=Z<Z0*j}v7Z@$tStQQdIY7|>hjN~*kVMw
z7KtOCZoo>#n>7p84c6TJNoiAAX1ew4QvBi*7wsBu#FlIKDB|J3QnG5Y=9=;gUfvz!
zCiq9;p!Br+y-AqO{}-d%nR@R1nlY9NVd>meAT3T@`EYbSYG2>js`EhK1_kle=v{F&
z<F?7+(!qF2{=VgL|CbQe?%jI<sT+M}=@Cnx0AKR)3iSTrf>Kn!Mj5ITn_!xm>pd?p
zPIAOs--)n|9x5J(tis``y*N^SH6%;7!|0`junBrQQpm5(0=iD;@R>1KdH={P3L)eZ
zc`KcNxKz_i!)UH_VXxc@o8OGAsffrVf4BUS0;|k<dx+^8wm+YN2g+#AGf=s;ud~KK
z8>Hj8%bg$aBCYS2fVfbAp?^KlOlg8J(&FkWQ&$E;flyZV7G1%t96#I3+mg`lgIxBS
zfQ+a?{Q$}{vn85QHCF#Dde3A8(6Y6-c)|On`l>2P;VC=@SM>VJKQ6!_wm(^fKes%^
zA{lI}YoITdbx|-NvEV~da=Fnv$6gwNs3bqPo;=`!S!I9yGL4+-56mYhyZVSm&{AwW
z<>ohT^9q3YI5#4<&QP*c$Bv_b=8okF+*+`l>@1!D`s;4}yYa8hI$?Wls+sT1xkN12
z@{pwbnkEoj1CwB{N$71sVrj9Aq8VvR|57>{)b)o;I#eH9Jh{8I=0usCvyht|4Kni-
zr4u6YWAyolWsej{3~tNJnNn;L`)<(pbS{LPSGA5X2T1EzcSUnxk<LJe7^z{EGQ^*t
zh@6S0E0=S`N$6kBMykoXHK+}r*8IgD2Zc9iZck=QXLg{{C4S;VND$!u(4`T#QBnQ&
z=cW$_F}$ia`8sRg;mbAHzthg|(KJbylk#bS{77p>vbQLhVPu!)F!e7_BVEC!EB*oq
z*Na6OP0gP;+x?OR8i_bjB^OVlDx~p<B0(fTpro!`Rg=!U2CeR|(%teuX!@N!P2@sU
ze_4%c1K8>NPST4vLAwYgL;8dyDx^_2-RF-+OiFnMC0$rcmU~{SO95ZpyP2S&x;~0R
zbV(0vIm&U}8P#Ft_qs+?(Vcuv@bIh!zI^TaZ6?N*X4hG<|F_q%q4RB6fZWCko}G-n
z#fyk$6J7uOtMtIHT7=u>4YNYoTVdlQKb}aD3$janfd<T&wBg@+AiJwE9^=!`jP?yQ
zU|#C-<M5A><4qu^$6-=PI=)UWynL>K@Xckxn2ByVTNH7<$fktt4+{m!DD|i{gQ=PK
zaW`7`fyt#_@ON^Apol12VWsaU$9~XE_@J7+F9`yQw#KbuY~`8>z<)`DP$OIep2664
zr?uyyeq}~a-|OWwVMB7I0<_ORTYer~xno1(<~ALST{hNj<5*xY8}s-zwxDl%Yyu8Y
zCLp<c&JQpPb$$+kb0!|dHs=hMT|%fA(jEqs#1JCKelSx>@U;rd!~w`4=j!m7B#sai
zrqz~zxTo@OtiMJvSI@cvb?T~^%>Eg@*I6Ergn6c}{o3tEMe;0_$u8eVP(C{+Wo1}w
z`fvLfUyc&^Mr0ToFVLtp^j6+#NOhPq-g8FB=U?5;K$;HUeU#%Po7cO=C$|w2kjdjW
zKhGs_txW=oGQtTOo+P_dj2j*MB`Kiq*TKQdAyq<Q-Pg1GUS;}a2rqL7uvh#-czR!i
z;|K#ybSv$R0sjF}$0`5mfCibbyff`I6FhzB5~y~AL*y5Bi{;ypC0GUMvo25NDOyUD
zs7G`bw&BcLZ>z%nYUYRg4#>NR;qmswUXkLu-)?tdd#80IFaDt>km^-x00I-pjyVf<
zy6XW!1z-22Q6*HuouI=n2aQo77UQI;e|%A^zF<RSOxvHV;s7TKP3cauyq~R}83aTm
zD%YbP0uJpRK-c*CYzSrEy2cuknL=Hf#CTFqTw)3#^T74aT(S1D@fKqNlOqe{8oob!
zkOg?{E5>Zc^D8~8&0s3XDEz%*d+k8_(%P<x{&+Qk6pi|j@td1y3u)k_Jy8#3`=_ct
z)MS_S4)WHy2*`(!SkK)O)JZ>k?`x&CLU?#Zb)F6N8%-;s;<+%2YwRy=XmL$u0UFR4
zb1&)({5V=z9%)Zy?=z~wpU2(XQ+uf4v1VQFl$Bp$&6Xukg4?C4BVrF?#+rw3IwH%v
z8Z}Z7-Ya@{+lX02@dZ(0L*89Ir49!5XDN#J*w%fL6W0QgcAIXWh;bY>D#Jh5F)YBN
zfA5$>up*{)Uzg#(l2_>7jn=;!hGLbfvv@NP?(C`|Xmm>4oM?n1=<z`i*sLJ4U8}CP
zP|&TUXdvfk(DQAc?&3~`$8uR4q2O<uZjYjmH9<m~8sYXYI8J+gQ_Ge!jLWVnBo4Y>
zQ@8J+fX4Mf+^W#+@EK1}j|^yT)8XkCY@T>E($<NN+ek&0`L5p!`#%h385vVlyf!=0
z$8t=!;=bG+>_m*kJY{<>?GNlz!M_Wk?YQ3Sx<~E9%@OUu;*ns^Q(kakvfsk>;gA~2
z9aIeMR-#;QAD5gRWQC0t^C>G^p^sfjH!^NSPJJ0@5cRNUe=$H*JXOH8R%~0YYdp;+
zphhqH4jQ@{eTCu{lB;U)yf`gr?K%7h2D+bV!Nl@BmY?xYYsDwh#3G(3d*DZDtjANI
z)V$9VGt!qzYN7q<#FGgH{_;~r*M->BVpR>C{7i-mZ7_0o-#d$Kh6g#A8av<<DiDZE
zg*CzDF%NM!X{GQ4xUK?=NXQNsDB+sRhP}eKa>VZfE6lsdzc`#NVY?)bK&r4yP3vB4
zD6trrSsn)}Ml!Du-_&;kN=dA|qXSfrmTOVV+GE1A-|bLTwcv`;|GAzUngxifc8+pS
zCW~n0pGC=7G5I@fd*5F&kWEM_fRHB4AjT|_xd;I8G;%#ce!~<Mx}<1Xw}Y<^&>$h9
z0za0(<~-=fk>}~`ha^waOPN45^nN2+?p`EGUIVe^CvDSiavt2mF!;2WXxWZgb%n#H
z{uu%9KvdeGa-aWGqr!R=k`fc~n#(O2Ge3s(Hlu?SpZf>|P4sLu{+_)Qq<w$QH8<j_
zaHka7-G<_A4qlOtYup@Eg=n(>_3_0Ib43kd(<CkW>=#&99Sj6RR93}*`e)dTeg65T
zgL<k8_Bi?2kKc9s8H8U(QV~P-v@lEVg!rc@rg2a+v)Qi=05d~%djcW8_1%xp^6nF)
zazpbQKT~%wAGMPJR6%sUpU;g(2i*U{v@QB!$!~&WTz^nKwWcmgeWpY!RX2_Nsy>c)
zx!~x=&Ei*&?$McuCm;^%3=dgKXjQkMnZ&fPF)D;Y;eFo8P%fFb01%^YB-Fpi#Z_4l
zppfl$z`N9nA**EE^Y;RrC$=zSAM3S}&`2&7Xl3TvPj|-#+x`smI1HV@-~_ukJkG%G
znknC9fiS-j>N2;vL>F$tZ3d&4IsgO^McDo|T`$=ePp%i&K?cEH-Mom}hPNLv_{5wt
z?gdy*e+^sl-)qgomrD>`qzcNWZC7=X6;9fn!JI=cYh<v8NNYKvBjI4W8MebD$P-b2
z<^qREst(lCgkc9pi;nHs!sNsOe$6jg(rCYa!zstT$Chug@lF~{No(enFQh-CJT&}c
z;=|d*StRb5kBSb5#<TPw>kQ8lgh<oA;>_%6AXp*l6^~voqCpr$<+?|^{ywwo-#y}f
zjB`N$GC%A%75t3YF@YYnCga(RD$V!P1)$uZN_WB^4wEaUfrPwz$DNI;Fl*OCyVv{+
z%!?HlT>p>Yx~v%HUx+h8#^I|uOfwqLPx-e$jLE}2GLFrBa~~*i<j`Kpj8{uSI6y}V
z4$Z=JdqDFQIDAUsxpgT{)e7pHj!`Q)9KD%q;2vKsVP1^W-B+pQg6c#M;>_@MdP)IS
z5^MckhPVVuV9#bw|M0PUp>n5fmP{O1(+BOH5F+us(fOschDFMZfZ`z{VD)NEQ)J)x
zo$(yz2t(%}#TInMeTk2MwXlm7Mn+?tW`I=BH*e4pba^iRy2U{^wdS6V%u*05N377J
z@SstlH(BW#do8sPyeB3f22nI#Ml1ExnG<;3N!`BGu0zWRTHI9Rosxm%!jkSrE={!!
zRUcz|A<7ERzn7{FM}X^X>xoQ-c)ak^1*hu^JY}C}=wwoB&A08-no5bf?fDsTP=OY*
zc<lCyoQEvij5QyJw}>`+-1|2&`n_krtB5v=_OIG^${H5u9?+q^4%hI|Zr0~`jHUP)
zuEgt+M(U@TbhB2k3f<U%H+`DpN$Ox|f`w}5993eT@kxmpmro<2-fK^doO*`4<^>5S
zY|OmEQd(bR*ALb*Z7J;(LPPvAUMYwNV*OcJa`=-6G8{)iE^A_^&u8$VRJcxkHi7Wr
z+IgFJ5P#H%CJjRt)t@xn>fU_dzjXt=Vom%SOS)INb%&Fr1u9t|bHT3!86$Tv2E4Y^
zd{?pv7NatMS!PB<>7zfJQVS?_CcMTUwy1Aek)e~|HJ8cZ^(=+5C<2@WD0MHD#TWec
z2jyo9vTTJAisJtW4<H$Q5kB&O|M;m;dQa-O0U^xl5QN(|nKLgwQ9>H<IJlf&<b#1e
zq?c0J*o2qa{GzkHk8nLZrFP#HHXEgZIt{ZNN#t>=EX;Oaz>!x0T3h}Mx%BikDyOLe
z=^9Qj&GtKyzB*^2*PstPHt+C=4gMkxJNQ4C&OLwt4@b@y4ig|5NQ;_yHHz^^ifAR`
zL8uXH-U&qQDA^bw-M%iU(T~WmTb^W^)uH~FYrfG8g6i^W2B3fkeN)&x)62V}Qjb7<
zhfBnnm_wpHy;uu;B5-~nseAZQ*t^}a$Gbw5?#4ey-}gM{KYA17wsh|}3As{z7D_%=
zytoCUH~TEq>9x0o5qS>+w$_^w<KZfOCd6f6bns!kF}{MTM@?17qA;7t{5T?~YVwgc
zTni8pc=$~{7q@+ou|2W*VbkvBs_yL=&M4GF9^nmPq#$*Y5Ro`w6k&R*!!*{{W07^q
zLocnFo7fL1Ycih1zV<CH##jvSahuD&;^H|!>w3#Me4{Zv(+m}+-0qPEODScU5yP41
zs1PtB1Exnz(tmuUwkBY2@cm(^aPMLNDc6bv&Hw&Hh*>zR5LQB-g2iWK$84Z2)1}ki
zr@8V^3s_OPmBr$sW#Kr<T0TPb*`udmE0^dnWLv^&%?F7!_S-i`)tC7lR2e}h7mSQ0
ze(kdY;vuBeXh(Cf1hSbhJ?j|Q)7i4c-*U!UOCKatUdg=&hvPxc`!FQ9DsCYmG|VXR
zxDh6B^*yJ$pq!cJVGV*morj+kE<uGU(XVu^+1*o7FI_gREbBrPV`PDC63Jfn+QsJi
zU56L1ta08p`mm+H-T__tVn<8rKhWHH%-G7R0D@x-AXp;BG`3UB=oXu#El@azTwyvU
z?-X>lxk?+torZ$KNLK8xpt`4sz`H|31p|ZciuHsCLT#9o2k2bUFEdhcZ(9FdMSh^w
z{P9C9h(^iDp;rFd*L|L87(D2cWF@ucn5xB$O9vK1=imx7M&4b=MZd%9tNtD&nCDy&
z=&AE?FTo0+`npmf>^K><l19^ZtVlN+wU)9*ssLBpZMyoB0Ih}vQw6W2{CszI`zTua
zN6=ipU(f;2$x=HueR$gQ7{$w{ZfB}qk3ET>VHfFRLrR(ohk)5fjB38rTkmr8o_l!@
z#oq+>%~A<CMUoJ!grb0BwSF(Qg#<m<(B(aT-l<J%{*PgZc~&O@(mg_wgb8ie(@G{x
zCYy!E=(zV5{5bCOuN584q!58Sl0e)Mc1vDkbA3i+;E{Nb_=3z6Ngj$AeCo$Js8Cgu
zseLdQH!#VEv26NWC-XD^cuWg9A;8n&&__LI&$mYlP$41<i_apBe_{=Q^AC;>-Kp$1
zEd385>=ol9#E+3XMOrEKT)JEos07C4_0j*F8Ow8)f>38NPIC?Y<)Uc7mx0iYk&X0n
zM#?QW*lIJ}HUI|~wp1|HDdj^>Dg|R3fIv()(OEbAe&MVl!IHnA|Gu&tC_iFPiR@Uu
zaPaloWU4o<k-A5?UuczXlpDrI;A~Q&E}*w$cu|312*Ptc<Z*#>937cHP{;3aq^tES
zBN6$T)jb9JEf#Eh17~l0E1(6)VzZmth}P|zjsU-9W7s}T8#x6}mbls!KVoKrPfGT>
zFEN%^zvP3i5A!j3&swCsYFDOQe(jzz2C{|hQbhcPcIm`gOX(RTQFnChr@UH`yLxwf
z2IHDsL9k9kUgEc?_!bKM9a1RJ2@X{`(2d!|#5NBAJ-P)B2o0b#J7|A39<A>j2iI$Q
zX87f!0S4Jyl<HdN43QD@OFPQCc#%CtB@@}d=kwb^dzKk&+}vQ@NeNfPSdK-ZsRt+~
zHq|n|IR<kR-<`np?-`MkDb#pgNtro(C$Zhb4Fo6CFpAVbH;f4&4CoA0X47}@Q#c^#
zZUbJkH{&9F1<=x+N6<#J`5g_ynw&t#KlkRfuCue}wXA1nV>~dd=xX7GTG`UP?C-_t
zueW}wdHu&d#iFW6B|wluV0Zwl;Sz$O=P7<Fyn^n4!y0O1mxxE$vILI~4IfVBTeyxU
z3`lhlH@qhk`0zvGt%=F}IOtOC+UA>`@L~V(5{QabC~~x)Vo2do_ph~N7IqR3C31Bk
zSmHjoN%z}Y2&gTp_2;cq@-nHL>hcHfRcGt8Uuj<k@cOIY%6nI(dHxjeYFeuVGgkV<
zX!P6m`{9Gjuc-~?x3$wegza`M3l6cagD5S#?03I=QyRuiEM>)&(reDWIfp0)c^bbF
zSEBFw*PP~D75_gBl-pRo#z4}K)hbFzf81%H_ZGv4tm{K`V_4e-6P2u2kw~>ihqtz&
zVh`;Hv}iyp-v$QDdUfrBNRzJN)QcD4T2N=VB>OJ%auK%7AN%tD>Y&VwY}nw(y8GsT
zJ9<dSWblsCDnd%DxCi?bR(FLN-d&0II%xV9Hlpb6>{Dg1m8FBZc!x4kjkk!?6`pCI
z+^~s1HihZ)YysEA`PkKD%fIII<&k0NPOz=rF8h9G^h0q(g;MvuQgAPpL|6>lYsVb%
zW%R2s7brT-?8ThjRnZ!1c*`9J8Vlk=nf_2)l69`Ito`@^Sp4Hw!-Mg4U58>75at5z
zaGzEJd71tgo|yO{8TofdC#QwGlp`$6S;#vk?wo*!eTc=FcWc$v7hOA9H$i(7csDru
zKO(qbY(zBg#@xH#?WtRGaC^b>JHzEjMf#q-mamtk48@J~?g1kBKd<}YejomsMPlPt
z<zVAOee$6PH1C(@{vOo^=RGn)lltMX4M9YDDZi+h$bm|xncPkYdX&`sYrsTk2*UN8
z=YL-8zlHL>ntGXGf|~AQ``435+HHDt_V84+R#;^o*zPAPqr(+1?bS}g@BY%xJCEIJ
z4JXQzuO-lm=VOlGk)Q}Ykv)%O`uhjoO3wJpEfzJGpZtFbn7=nJpCrjds`e%o_%H-J
z<R^wBi<a`1d%M>&RnDfLu3n4nmw`@5$6C>Pmc;ZLIvnap<N8sgqTCo65`v_OOG3-4
z>euDFc)N>(2cgTo^799?yF&!x9~3{!S<BuG^(faG4YGcFPLFX^#<U6(ey$B~c4*e4
zT+<4k1tr^f7t(nf8K(U}B#C<T4cys)ktH(FlwsFx+_ErGz5hS=t(|`A@W8_QN;ae@
zvnV<J9t_FJMCXxMtpI9&o(YSLifv*Fhn^UaeauN?;dUGBx}DA&Er{sZi5?hV`{Q7V
z<%c9FbFOA8A1V=l)UUsb`oH}!q#f9C<LC9BWWt(yDIX6n%+L0@`ZYuc{6I4StMDRu
zdQf@S4y%j$NXm76((M!A*iH<MQO)y_l~LqIiw(}=I$4QBgi1~v{@1_#2SELoQ^wkN
zRVks=y3!-$77eViT1>LspFnd{QtZHlsMqo2a*F=^`R>jp44-5Ufz*vc=_yiaANt--
z&gh@TY6<ludU<-Q7A>rfm1EP!v-Cf)wEyL)?ot|uEfNBlY4VD^XLpN8Z4SsGJRj5@
zw^u(WQz%|NwpHJH$5wo=?MVACy7l#jP%tudR$rFpC}voiED_x2G-Y9fz7LG`+~xdD
z?)^&|{JHNS=JLE>o>5!?sm~3APH(oJd&x_3NU#a0{thfGnMX;Npb~+-UC2%{>5<GE
z2;2@Tr~#rKNkDHE6m&gW#e$#y-hfue{-|po_!mzMtcJS0o;hH=?!PzczpLAy4|iQ#
z4CdYOSn@CD!<dz)C(hktYeAUs_cdIIgtlCjzm)B?D_6r69mIT}x^Tj;6^QXHR<|!D
zO}kUZ%#nze0B00=oE2K3omTpup??Q4{;p#GTce`i+iL^~y;NG#9SUI3XaM8zzNrUm
zokPqa_r!La-@d`&HLooEzHiDtE@cR5Oo@HR+AVSNfR_A!%GdzyVm60Z)H$4Rfj%?}
z<0v(!Tae<%#(Q9TsjdakSODTU6#3q9SbHyi8G05&<!+12=yLjvT$&*imW8}7zdFf4
z7qpkzC8kwj+=1=^aqq#?xl^R>HCu$U%|Wbf)i2nDEz-$*DR;*rlQ2f8_ivHWE(3;9
zsd5I>s`#BQn8&$d^g}l{d`5V2Qwl+dN6ax&E7cQnY7u_Xv?7@V)mk3VUNF)F>W>uv
zr-1**NxxF_m7{)4yV=pRJN@?dQX*jqu_Ezi;NMdiH*C#j>eDBrAZ3cT+Ty)N@$=%_
z^>zsx<GAqzbw$i8sOz>$V?6%}W&PtJ?rq&=N?-%8<JazKXgK5Iz^%#V-Y`~{?j$(>
zVfd?IGD0%PSdkQf7xWA~37KeMEf%yNGJIvf$9)CtlUVz${#Sp7q*~|@QC&&*o^wIM
zV79CR$VbmADqaCcX^rF5B1lSZ<50Cn`OuRs_S-h)$Q!M9g#o=Vs%yFRyJ~xI&uAGg
zr2YT5nc}r1<);mi;GG7AL_IfQMB^%SGf{wJ&@qAryx3;2{7Ebtd5lGq8#ZLu2n9)9
zEVuA`Gr)0B`cW?_-+MrWTyJo86m3Ny?CTGw>%IEXCd%19{s_kKFyuH6yZJ=v5SZNd
zWiS5)yFtN~!KTx0$BvHpr7{(L+B~-4cjAewQwKDT%3`~zICPTuhA20Vjo;-qPySz2
zP5MF1ZE!IQk?1-Km2CU*ud@nYZthKuYs5_F7b!j?$$uPg>iC)?M}N}QtnAY|rsI|3
zDAnN`%Q|8tctnC2uqOXJt2$jq9wuGT(Fs0N5v%3#wuFz}r3Yo`u*cfGGBK>-uECE6
z@@y^e*WR64`hO}Bmo3cqD8){!(b6m)aFsHyA5GK51_NcNb>uZbW4ZXb?1wk8evnns
zXEO_`(#{PRXdWd4SU416B0xVW;PX>fw8sfY>XB9*z8hsBq&ZvSTRl&AnH%_x0~*NX
zLBF-|;yR%9(-S}D>k%krh;VJu!Q^kVEHLKN8|)Ut*_1e<?y0a`6S&0j7|<B{PLB?s
z8$)UJSCSpW2LmRli_a4GT%$iN$D`j&YTV~W|NVe)f@!~&o4piP0{X`GA;crLq8TA~
zmDuyTX(0!&R+1YTG1*2(n4cQ=M!nffH4>~Lkx(%_#`(#tVpU_6PnHXoRo2%wBXUFt
zlJ#9(wV58ChE%7kja(V}JFz$@)H7rdt)NWnXz4>qo=wOl#EgJK1rLsydUGc*?uH*F
z);+3d0_xX7zvPGBU2Z2x;{;bCphEzQjvOt@o?fjaGRBln0a2n4z2lsJXZ&rC{bx0^
zE<o>ggoSFSteQ7O|AECiyOWR<pkHtT<9j-HH37bd(g6igSulIlDQ5>+we=F2^D&w`
z{NCzIppc^hZUUDch;@E-4&{=`DZ{c%+C~o>&NHA;GO7X={RRAEFMjiHP{5rz{uoN0
z4ZsN_>SDSRHJ(eE$h;hQ{#*Mqk9tC4BSiN-r8r%rA_ekGt%Wl1wvRDqfnQb?(PC@G
zist?{;<b!i&?dibXpnt^y%!bV>kUlVIA2`^y4QVY^<K*-IAg9c<fi;s`qrO?p(7!X
zWa-}#1520Zo6h#F*X!etBk1-~vtbelO<le-2t{um`|Em>rkxmIMz=ab0$$dhx~7r~
zHS4Lpl#|jBD8WZFBWL+MrZ-eBRxLz)t8{wZ%N!8+-;%;27^EtIo6Ngs_fl+#KSU$%
zjH#aUj2mI9M7>wD1X*GS{1fNN&QzCvN?)HA`u00S&16Z8Y9UPs_{W)A<(%21tb`UG
zL+g*PFJb%@yDbJg*z|;Tf?{oE=zSTn(DbRUII89qMNTXm&z=X$KtE(&UPeY_mb6t3
zipx7TxtD-JUHTsJCM2X{+<{_BUGw1F`e}FA^Ycs*o8P<K(o}!maSDmhM-{M-`gQc0
zN4cuw<CmyaJ*Sa3B;_MICbkZImYMY>cd8nW3Du!((nPO1eo%HDeV*V9qi{Wa-$(bP
zNC*yx&C;?PgXXT}P-J1?>Q`xQ()O<+N7Q!$c>Lhn+kJh^Yp@Vhvo}KWC*37{<u%c{
z2>*gsvvk+*m93OrIlCY_;<x=TmklcRF+$LOcmR6oBNk*1^WB@~aHo7Jpy~bID$~(i
zoZHx_)smcF!(og8az<35DYDr3c}oesCVzhOB0ShLl)`L0;1pi4SyX*|7z0f*$%)8x
zJsEeGU+~Qap+~>SoPAJTDFhUW3%6@oCNw;+wN^oRt(BLW+Be<vy8NIpLMw}{%tS3|
zJW*4AD($6G0oDHG(j{+7&(&%wPk_i}|40=PwcusSuCwaOe|1&mZw<bH$V%ynVS3kS
zD^PbJZ>!fXibq%pBIA>)i!uoKu-8#|-sh2dBYixK@$?T%@{zo8hJ<7Z>QpCp#Oj)N
zU?WJ(iXiDH8f9IQGNG;HNeu_)n>3SdbzeKWKR)Pc((>!KPj@U)1Rm7~2r0GQ6eLg_
zR3I4LSOJ(4S18S^8;JVIE6WNzsER*vDZrE&zaR0HmK-TuU-P^{AUE-i^a`X^4pqE^
zteABw@3Gh1S!e&{ESC}pk9WM`E{v$+9ATTxNbhzgIX(f3<Hr`qqht2@C6A3iv4k}6
zxkeg>lfA6-uV<7RcB(X_TVJx}qqt2nh9=l9BwLE)a5=7^41%jMoscQ9O!Oq2CsF~$
z&+hF>0Ns~5sBK4fam)P|^14V#(%O5>^qFzRLTe~#1*K{w#5!tWB~h2V!v`hulgn_%
z1%58&(+aY^_KX1l)DG2v^2xFwR#!nO&WoQ@)tm_JoZ2XU7jN9fIVDI5oiOn`SJYcx
z$NFBgXO$@F;JdGO8y{GE;*8tkg68vFtCkGDO~fph!?x;S%X_r7a8lInbVnv`V8Y1~
z@CK`zr#(RI`1IaMtMJV*<2Cm+Fx?@*+xJr>TX(H@!b_iLelo;H*oDjh#;ZTtQj7!e
zxOpyWeVx3EvD}O5DYmP1ii}wCOR}6=5y~jHSJ&z~DgZHl%&hy?mcE*k(2Qr61v}<L
zNm`|Arr5T&_n}C|<p87BJA$Y6sHPl}$=-8d-bsfq!$f&^jTh5-r6*3}xHA;xRm^_p
zK(QDz@G8_z{s;k572>pY_X<AqUOHDT(W(DMf2`C%X2v`J^Swte)F-H<c8T&dWq9j%
z9sR=E2hLYRPm5yeKzgQCHWH4-kLJl>q}Y!E9#D|Aod?`b%7m>B-|ULZ=SCb}uWfxf
z0U%s<p*QS9Ksbw_l5`69+)}TlCj*ATr+qYTI39UxHoY@dYn!CiLUa3=73Os)Ag)UV
z@<Xp3zhdN~f5%*tztl~_XYzPoh>5>madL{Hft+h#ib6aw*Aw5De4b{npkZ}AZK5P0
znZJ&P?wdikw_K>d&fgao^UVdUx*#N?_Yq7$W%kA{<J9QLl}tn-lXPB_IW#}kUeg^J
zK`Ao-$QmQhWfg`aM~lecpo6Q9W2cG<QReowMWLh?Yy}`$ffO$w91WsJe)gb_8d}kF
zTnMU=JaaI8-3d&i0p(wl^FgLB0)=d3>+OfVxu!MUYL&?EL)w~O#h&D`LyH|2DzAI$
zeTrvaLu*H1{04W6SA(jXLaNT21)Om{=Y$`uOnVE4>%j7KE1}~{%WU_GW>!tcdz9$H
zr09r7RY5w9V;@-Omm)PMF`|PY$zt1WbBzAHirk1v_z!FAOp{H0sr7x{Mkl>D!^e<)
zKT=RAkSivmza_O*na8)LYZWTYO~SdJ_sdp`{UpDXoq}rj0+lMBtno?^mj^|bzfUiC
zH7FF|YRb}5_sBFZ0Ei()!WZFexr}ih<()O&M=@;(fVr70eX_v)Hdyde*cW>ZIHwiE
z@|jlh2Ht@c)!^kiv5(nLctD;YSpI}!<K7S@?`g8+UBlu2GQe!RO|9m3D71(MXxbs=
zv}CL0kw`Bwv;7gY?VpKK&O<Scs&i5i?S^HKZc`DSB2EB}wc`a=+#-&#`EXWUFb#Up
zU72dams9mUQ-JryHt3Ye{vwTqH*M8t*oZFyuY8et*lpCDUHR!v{d&mWoHwlKY@178
z)E4;FbzoegXIhP#a?mQ-XEy?r$NOLV>aLql8O3(+`#Q5LiTI`qD8;DgVdUAgU-R%z
zX#>Np-Q4%e!BlS+BrW?w`^cRAFhEO`FqlM_>NF1Ua)0*E_;sscog(VO0m)cPA`w-c
z3E45F0iQwIZF68y{Y1aNk*Fm!_UmnwCVWSX{q{B4Ni^r-r(=f$yMBvxbxw(yqiCk=
zYO$k{eS3p*72lYP0pS+6mdSkRDq#j>B_VdciC72zRbu(FsrI1hS5>u6Ti!_w$5JZo
zjfqKyDo~i$R|Do>fV>VpJBIO&`l+UsxhCc)Tl}okE*D``4KVp@9hUv6^aXH*><5FV
z!3bDIE=FZ}B`HGgveOF*exJcRVs5TM2h@WEzCgK&ReAGaV>+b-KzTjXxDiSVvmirR
z`<~Fs(FMj<L$v)Q?86@K@IdSXXA^7%xqtryCkd}k*MO0$<<-n1`=1W&hBKdf-n*X^
zL6!w#rk#4PAT)sQWgO6xUqnX-Fv`TmfO1fc(=$vS8aP-9D`c?}y5nzz+we%5#s<?G
zuZezesb%v-F$MSUuAE<6rh+fFZ7h=aDDauXJjz%qJD*N)2#ZC56R6PchlirDwPo#@
ze?%h}s3MTTK5aBkc+a2@xQzAgqL5vxq};CDQJ;h{uM5^r%2N2q>&!plD^8TKT3iW;
zPAFcUa0#!X%Rk-96g_Oz=)td}Rcg!V!&^D|uFFKg;8GfoQO691gr9cEJ#$dWg=@<2
zw~&JpasKEuZ@YH^QwR$h@YqgApHefgdp0Y;7BeJtfXh4jwrJtk6baa4pYLDkKnQ0W
zYsX{gt#D4#?kx6?oeeD34o41E$=>Vg?feALWgLydF1Gjnb$YV$F0=)2)qcVS+JMG5
z-O7f`w>QLq#))und_T~=maonIgSQ0KWJ;{+fyvSb`#xcHs0~PueNZdF2_l&)#$qE1
zK`Tq`;<Ksk{!z*rkZFA0YVbW9%0Te~UJ7b5PD?TY1W>Ik6+dcQab4FTnPaNNSG`p#
z<K(?pPZH8*#=UwZXV&n}nYwGgVPDDA?|o}59vuvnJOrO#V)B%wAnJM!FKb`*@B};t
zw;eiEtVzZwf|@&tSl}u6jAA{5BM$FFvP{o&rmb(<8&m2?DRC}L_r?U6bzqj$_PsO;
zz6sCbwovr?KY4I{gn7p^ZSR<9rUT2n&`t;7Ty2@LOZF)HB06CDy`(@7dMGb~2K#YV
zSg-g+f<|Fz$bN<<O{sC7-#AKoLJALiy8MYY?^3-Ss$Xk#NUT!(9H<Gi*vJF&QDmK!
zZT2+9;Yf?bgc_UT6<FM3-0HK_Zym5u?m{0L_H*{@>{Cir58=RHwsUSYw(YocR|W;^
zKR65*+ZXxejRN_c=dd2>jg%E+9en~b7^LRUE|yZN5Z;2FC%AfBKJSARfY66&)VgFm
zDGZCOUq)wxSx;PTqN6xM)qK!8Z9vv^5mUH?FbF$cZ3Bw{AYhr;M>(^PnV`tb9W9Eg
zR|!V`_EIP@0Zvt)2@<qd-39HcIo-s7a(36pj)ePRXxfVAMht-glzeCnTJf95b<?ob
z_(eaO<p@lxz1rF?!THwveUb92>{Sn%z_$<i`9#7aEF@FvSqhsjg+3&@;7}Oj(|dS=
zpZPXS?L*UdK=Lj#5F7qD;qiCn$;D6l6OU;`i>i(JZzll$6uSK0^cR~0%hm$*1TD!R
zr3`MeTr%7@0!v$?*EDwh?KcowDrU?}f1jdE-y*w~4T>~;CLIKAj2_j>1MhSeam(c?
zOhSa-8WqyA7-|lAYHOwb#H^kaTN&h|IUKA!1LN!4=YOOYAYe!w9pT*=(mFFjM^=0k
z^wAgmCp?XUz7Z_~8VimlI@%K^NgJ6^Klh5Y`a+Oy*6^_N_l1-SHEoHXSNcmY-_<vf
zyLwT8|6bK7v04)6j8AiM1Tk40Nhm;0T%Ai<h)ICEwx@?$s8i2QFBR;0TH41+G9*rb
z@TCv-_GUQivc!8QkQpkR0A=D^><R1hneXd)r-b-iD6BLke<S;RAqY8I6DI!FpDggE
zZQedflugoDQ*~nWqQLyJsK^&dsHbTxXJ9a&)TJ%sUa_%QAb254$DX%sGnV&)Fy+5~
zN8lpkz06-gjaKWe@{S{ITO_{AmIqDRPsRz6(4J(@Q?(24^78$SgM|yT4^hd7@<YmR
z0`|Zd*YeQwyU;UO>Wj|=G?A8e%P?PGF=6>-Fs)E~*$0EOjFg~EP)ipWLRO6rshD@&
zeMXv9C8_Ib6=tB|H4{N8&rRrU+e=y61B);%WTl$e>@-&!G_4+{{`aI~udl(M2h-A&
zMDWceAYARAzF7Cpp@}(N<Qr<j#izl#W~gM8J)fWj`JMVTREIzFBu@_PHDmB9<b8N4
ze)-;vOI>IHabp)~pY4sA{bTeq#{D8ln3NgPz$3s*j9Q!t+*wzMuc#b=OCH<Vf_=Cg
zu+2v%IQu5g|B)?=nB@aQhk)$|5+4dApN25Jxzs`q@%M|F%qETJc`M7T5j^-Jgb|#I
zA49LD!JFOu$MJ<CPTMEtulq#-HP7M(uTa_XG3NIGOOgap0LIlkl1%F?M3rV5KiRgz
zyCnHm6Si>2f60#+*;WKXWN5QCgZ`Ziybs)2PoS`dRC?ap7l~OQE-Z@F9o%6`&#u%v
z{OyLwF3@iYApH{dt?uO*_S6f`qPINh(z;;0DEOVH06FEFhFRy@D>cnt5<;?`rJ`>a
z=}eb|xvcX<>j}*C=T@RV*@3g9Q7Jy2RQ%Mh4(mPVZ3eTV<sW{W%Z!BGc@uvXyL*ck
zcI^mkrT9*A01dIm6I9;(iimQOt0pl0L;F#ll1{K2stfr5jo1>3=%Y7c9>-8E!OXnC
z7~fx>rQ;~4MQ}n};JQW3%&q(Rri6_yGI!i?Xhe`A_il^nvuAUd=PPd=b_t-lha=(P
z0eKe!`5i}#$>^$H0Xl{!^K<*yOK$=j`%~p;YW#0xp)Jien<+%B!nc}T;2ncYpEE(W
zW5D&xCwK&oEj`bx)L%QE=5jjN<Nf-qP^bO6>Qb!$6zF@ay6yCLJyGE2cWO$I`p8yI
zdz8rN4u4wcF6%`W>xnhJ%U{J%jkW0eTq@myR$C+NG5Z1r@@rgO@a;g3T%Q`8o24=#
z=<66<(Urz9s29PSMi+ORWQn6zWfE@uu5_o_a0(=c%hxVoSRLz#p6?cg+0y#Q5`Z30
z*^B>jnRX7C{!G@wmGD*N_m}v?N2NbM02h8z70EpRaqdvR$f2G*B2K#<N@M+syQ$ph
zfma1Ruri^|4Fl|^<9Q!Vc1RzUVRzcBXBC*L-F#}*oJ20qzg=6Z{K{SXM<yl8`9{<(
z-*4SSbxM%)m#k5mUoc~0wgd`1+$wBp-ZcVL8#+lk;f>dO64%fb^|>dA`?ZD7f^7CW
z3Ts&z;(a_IROb>3pPb7W3~7F+%`Xw7G_w;!wGpju?zJ9t%XMB3er0R*EM*$(MU>yp
z5)$WJUG1rg>_XX+DI*mnvfbdmWR*fhet`gv!#`^I!}2(54(bXi%hxh720yqiZC?ol
zUaj;V3urk#ba`n+MX3<Si19Pd;Qm&-%R@zdJ*I5?<xZJaF0Yi(lVclb*j&zCGmbD`
z!YfnW1L)gA8{qF8=l~l3mD=EkSq^e?Gv_J*+6DswVqFbfE1%r~KA`xX-xoM7xi@j`
ztNW1T@((bNv+B&vlHzl-M{DZpHropwjfY{3K$~f{=c<7Jb@2S>kD@n7Z*&R&>y+Fz
zXo;Ek6}BGTxu_E&{))H}!eUTIq}eQkmV8bgTsfpLQ4P|tJc^0wUY$yu#<x8uAd0B0
zh|NSeC0_fJ{Ib+(j_NNDMQK3oETnl!J9;~*-_vTDS|xpbjCA9&Q%kbNC9_R+!*O4$
zTa?%>(Tm#bX(C2uyE(r}hWb7N^FJs<*2ji$E=d567Ke~)McGGvZJ&MKSLwRL$GJPr
zdG6;)ISfIrONAN7<@tWMpi6P<_X5TXGVH>r-=YrJ4D8=)&qXZLABf1b0eeeJ5kaSV
zk{|(RtF>deErR(0hjGg?cE$1O@p(7`K*Yg*^U~1fkW17oHicp$7||4PzLLnzc?DxX
z@tq>F597$4`DIS>BXh)6muSRX(}9UQZ}=w^Y4HBO^$_#?%@A6FDr6vVTI2Aw1gu97
z{?kj@hf85CtjF6ZV69BkjhD%=w7|F#UGpgo)vNj_Ud1Lndsd&f2ZQjqIq@wbD8JQI
zK7R^z-%p))n&CnHZHxOc54)d@zwGTl1X;`n!dl*c>nvF$U!73~0Wlt1yL#Ldf53d0
zo`yZ>W9hmjkt3xU%%fO!nZ%|P!fc)Bli^2cDlsN)U67J}?1u3YWRGtzmbSQtg(0@`
zP}|nRgde?Cq$9PB!H&f>r|hS;eQRSQb2DGm;`HkWR%6G-9qKEkn1n92SjH7)oA~=c
z*8t>^1U7H1e_(`y{Nu5qTzZ@*hEzU7I4%*Xx4V0%FaKjXvJUENApENS3R;tg&p!n3
z#Tb3}m-=K%y0SguV?bfO40(uPyI+RmwJ|CyrlI-_uQQxFy8jHa@tbq}ZE+)nFqF`n
z1B(OBPHqYu`%SIJb>?c3@d)Yl=rX`m!qJKyjSZog6xq9y0<Ckt4U_%-=2ZSy1YN36
z<vx@l2Ii_1nD~=!8sLo}z9fji=@2w9{QJ`nI=(a?F(j&%V19*7+slDIA1d^&^T+6K
zlIg~0p3j_fCW5S4`|4fZfdQi0RZvHs->kn$Bp-5RRs-5jE+P7BqSz1z+s^D%T%YYh
zk2h#hew*5DTnOKO9R0HN2`BIqDq_585@586A#KKgs>OCewb^?4DFzgl0BemoDFYfh
zr<{-}%zR!Y@3&KK*z1-3aAA10Q3j*k|84G&+-h01pLQLAJl+5u#*@sBVKilTY#5+j
zzHJ?9!oqykzch0*!(w9_w*K5s_&X=?B1S;if}YU{#OH222=b#a-^nmJ&6Os@pu^(&
z<*gO1UkKx8*$G$nM!G$QE)R3XweWb0!_7-EW`V2fzYvvV`~L=k7Ww$Z?c4L!naWS0
zRv@T5h%A2d#o}5a-hE5io_8Zbe=G1eKAOR2--BtxXd9)S_-`WUhcYPSp}Ll1PZGt)
zG20voa_J<3A1fUWk$#-vxj{PNGj%bBN-WD+(z6q-p$2=UaBncf9OBCK1OV^i<Cb<*
zO&pIBkLqY5`)aE7qJ9&Cw7E`4^!mMFYmb7VhW;L3$bY^?FSH2V*f`*uG+O+-Eq=CF
zJPNG-<!=kt_d(Gmo70mN?j^BmI+9&8Fn$&j-?0w|bMA%!{}q!EeK@ZJmz8Q^Q}OcL
zud&~N3i9a1Pq8h=HHTSg#63ou1Im}-7g7a|f3It*u!UUee{#+{1blO$7joF~q@%E;
zXf+B`$}JtzY>gkXXKdJa0sJY1GgVPn4}XWj+~}$?{`_Pr4c8c6=^5DNi=cKA2R@GM
zr`>$Z%`S5-$Knxjmr>9hGzdL<LW6YHf&aPDmd?I?${K^_@Jl$HdVwDX+>1F3Nv<vQ
z05vFuS8-O`WI87=3I6^j0DAosgN=KvSc;!6&~aP32wL)Xg<+g`zZ`qvt835j45)WH
z{#D_q89|wI>*4XUYe2#>EG9b%LesWrrtl)ylu9lLV|=Ewbbbf%g)?=DEgT9t9;ayi
zfFF2FsLA&Zb!Qm)z{i=nh+hQ@tuNTY&b!u(ERMg&tW6^046R+hB6GZ$+ivypMKRY+
z74p-LUlFM1!YnalMtOC1#w%Ye82QnH3`oViDi*E+T#4)HO4>QS){+nHeq!N~#%%+=
zZMc_i#XX3E@cfO0Z0OVA#qOhIbM2YK2s+-i{)iHB!=-dlu<^R-jp=p$q`C$6qPI8Q
zcb@a0d%)SZID&I&q<_vmn_7{np39lXA8Z$v3=fZU9R>Crv{o~c0TDVUr=3(#3<@{|
z6KK_vcN5NFdR(6E{dGOO;V}dodLeH`puk~}1@R4D40G0^GU!1+ccU{ym$p`_vm(mx
z5Elb+2rH%sayYDI(n70?i!%69Pb_KofyB^n+@`Vw@XY`P=N`4Y&FNbUrVvp>!`|TZ
zYoj*0^bp{6jAy21-BsCBOs6}dyB|Wpd<~u~OO2|PcLTpUGQ1vyLOB23R`;<2Ax9L8
zb{B&!303rbX7+slXHo!WuUoVW{8IT&0$l_%YN!u;!YglNsSdbFjx9>FfPQsC&Z2J^
z9YGk(y&i@*A8aF2t{kGfJ>QAQ`Odi4Qok+^`-bBD#P9Ww?4M6pp6HGWZG!g1fQh%&
zJB7uIKXfJXuT`>)ST5yK>5O~nXz11pg+nox$e%KXBau*cGuQ4}e%j~F&Y&Bniwh%9
z!`Fe&EhjhaZk*QX^FqGaE2J+4+LTNFo1U+ev>do#g3iYVcNWmrPx0AjihbUx2rg7g
zXjT&=#xD#Zy=>*L3I<Gb$Gw^K-g7Htd0N7|v7<eoWSNfK6%oBf>JQUI-CX?HfYbpq
z!13!%!@fzXp^`X*SIyXNm~FipKY#NkADjo;m*-`_bSO2Y+!-Fm;MCG>-S^;alE8f4
z_aARyUeUCOp17Q8jRwP>W1)5=mTGuqvWn4I8QYh(oNu|&!1T4bGgp0tt#5KVuVcLK
zO(t;sagWrmnvyCcPc`z4owFrStqL-dlPO*35CPJ9mZuujz=lMK29=x_{W>+`jSw-k
zNweN$IfgBSRN|f4e$8SqWtUjLMfN5{5eJPdjc2AtgPD?m%an=l3N3%ltK$)Kq^Rps
z5&1pLRB5quh^Gpb${=%S#rydT<=znUwFX3a{i2B*!iS@auaTjpF1Hxhe(GZ+)RO`H
zNpZ!RN|-NKB{%yAD)>tnKkmH=`sVMM0zWPID?qDGkvxuXZd9=J^&6N8RG`3P{hSdA
zTUPpwGRd9~aOyV?KdEBI?8te3#HQ+mH;bbXC#NzMxIi*m?<^7b^=M5N4{Y`#VT&yv
z-)fLI2}&f4n*c(Y;Y)WIce>d9yLUw=se%bGO48GRu9~lsZRdTedT+}3GUpW6)iTf|
zPbF8U;xHwVtbO$f3MUD={+yx-@Obn&T5ME0)M2#sd8W`JS)iYG8#^9M4sAl-ejq8)
zC%VPB#^FM2x<j_#WWwH5J~w$zn1f8h8a%=JcpkIAKxeK^#P$p-+dhtBiC)o*DB4vv
zM_Lp~bmI|zZMY9{eWlTwIkoM^g_<YB<~cXpr?bC9i$|cwg8abr7Wpe+qCKVIpl^f|
zSWZF+(Gcm}B!f7$<I+4zjeuDb!n_=)=wC$;RcE(q!9~}_D(w@bqcZW9-{kx#%t+2@
zo#l%li)a5TIL&7ImabmzszM0#iD@UIWn6Vb%PWO-b!<+VsrM0d{0zWk6`3iUZBQ?A
z6q}DEtv!LRC&}fxZBJ<776N!qw5l>g>9xI;_9jAN*Y^V2PpLn=3M$A&PqWhK!p&-Y
z6xxwk=akV2o}JjeXSwhE0o9U;ZG9Rkn*P`9jnQ+H^#Cj^$F21{3~^Pd^}6xluu;x+
zpf)q$VetRF8-FqQk`LBWo+@lLr(hOh6j5N8$0CO#6F!*vM^_1-rnC?v<Vuf3L<>}a
zFCpRjy;x{LKxJQ<shM1}Vht%li6!}%0!QjYYQ~k;3>Y9NtW$kH%fAUjkY-Zn$hMTA
z_&xjCHiiq(aYI};gJR!rWGcHEnt46*#z_pYWjMux)C)6L9%M?vFHS*Lt}S}t)&{wQ
zJxFF9wxq`co42Dk;>x3Lvl3ojX6(p0*Mk?Ckc8xDKQW*<zxxWk#|SZ!TxC{iTiM_`
zNjwMKBB1PQ$Syv<j}8LLVX)jldPO~J$my|hToS$$T36<BgZCqhMSD7mD&=gmJ+8!0
z{JvKoJycO~T9NCyV8<$Nfe7w81=>uMrFkxQBYFUt_Eai_HER_~wn2}+%I--IE+u<6
zG}7wnFPwn$`6H458*x1sp;BDD5|ha9WCjd*obPY^00i)}@K-Eo5|An9R*1<Pm+L-Q
zVF54D7MEw;zd^Gea3DMHV!eYH#z|~0lai%*SZQy>hwMugO@(KSZT;YwI=yfojd?%V
zBe2D{g@Tv2m=MGlw;TUJ2=YWqz**Uc^Q_&}`ONJ`F+MJU{~j{SmY&xqjp1W8m}F_@
z+G;V7xY5L7;7VPaMGgT4t06qkpB%?t#~${?*1-RziH?Sqp*78Q<s7Pu{tOcb_JWyA
z&mu|z6fkeSD64nW{YJV!F+&ZYwUZO+w}pHR%1cIwkk9o|&+Z|K>WQb~1FlH+4bv?M
zd*L(k5M&ct-E;dWle%)-|Fd6#PzAo#Z!E3{D9J_mgR2V-T^0Tt9E1IRZXHR%y+_|5
zN>O<V(+Y^X&n`TrrO{P_t$X)!=NSlKzfh)}ILgCHavbh9%veg|g!PlnxV^7&R9hc_
zGwP>LRO-+}9r6M{t9nt3Pqd}a{yAteKCkPE*7Iv+Q0t?eXt<c^&v!^Qtv2315fsIC
zX^aC1m5@ko4)S!#FE1iC5d>i#^89fEV)F)E9bcH@XyoroIw5Lb4VcX={E)T{-;aCn
zz7M)ZR!x$|`{vv6H^E@=wW9Hp-j=m#MrX(2&M|MpZWz@8U}fu1{CMUMbf#gJ?c*=$
zoB7B7lf=Xu?Eui2civ%aZWG6*wr~vey*~CU<yBE9*KHR>Ew}RgZupWYg^qITGp}{P
z#cQgBxeecq&3xiTs+z(~0J>&_kUue-UAN6&0h?37|3AFFWmpwj&<09(H`3iAol1yw
zBO%@0-6bI19nv6;q#!NbE!`j`(j9k$VjVr-`R?=G>mPq?p1s$aHEZUbcVa;_IT>$*
zZ^HGa>CRcr!AiY5XchqI)A-oI7R&aDX1ZTrr=cu~GafRck_=}3_58ag-G3%t?_k>t
zstm2dYT@t6u0<YdAg%)&Wuj6<_ts%9*@ecp@^|G=tYC`>rlrJ81Ob6}bd4GasyWn8
zND$rKBuVWdZ<q>;>8E!0{Gq|dNug{uTTxFW+z3=wmM#<}0YB5T`~(r7ha{zP8ZB|g
zqDp=IUS2AU5N0AP-|S0h2{LYo<$}mX-V`|&z>sG8(Iyr#y6W9@lM*dfwIY12oa%d<
zkEaQJ9@G@>0h!m&`UeMk8z;U&QAd`A2fk+_BBr%yDSbEw$RPoOq7YA)ZR)stTS?61
z05Y7H2@_Hw>bBfvs4nLasqU^y=nnj$a%UYy)IIr<`N~tMmq7=h`MTt`ksdwC5TCUy
zX1EMe>WYFcBVT|YxRhi_?OHf5lHRkZYUuN-c;E&%j!SoGI$3zl#p_T|QO1M$2ItW7
zFy8^Q$-7-gw(MahJb!N__t?$X4bU3#9Yp`+Km2<rjF8#=84&J$ON(nF9nMvK3h%h5
zbOukkk}FRr&eq)|vA}A1g+N~^p>RA8!0e~xz-K2=BTg9&-i|{o{)|6OLhh+F*r_>R
z4@PIbBS3$PtV65NP}v?Y96Ko<+?F#%%*3#8Y968Pb$%2cd(q>=Re6_n$kgPeMx`Mu
zcK$8I_yI!=gq}O5lihn|At`t$R&`VwL^5=VY>x|M)q44H7V#dhCl9r?Vn4o}cq(dn
zd(VPv5iZ3|@QOqWBsx7_Y1)0jym<!|ZA}5iE<N=ocLd|uUEk}6A3`<RSHuX1p(yxq
zX!pN=d(xFDyVsHsO?MFsaq+98r4+A-l-e22!qieKP2LGif!jO_=OIc^ng12Z^7Fqn
zDWhXrplX=JA>-b6;um-u^TgKF<SFBTjM^STJ|Dj*yS}o{Y}CFz!0h${Eyu!=0F*q;
zDdj8QxsG`>vkQ*xby>oxt+${xR4VA`M-5o0YMcTVNeUBYKP)13mpINr8)+;Ni0#jA
z=bngCgk=?a704!sFW6~taI3DP^hnznhtd{a2Pb-&E_oBGks1d$<pA`xnPmS|DG3i(
z<?T;r{)@|TeB}$`2j>fOoBF&}0pacOtm>-KbU_Bo$&Aq<B7?I7S@zWxz0ojM(qMqU
zvkBSqLk)cfLp$-BUFwA;ksUWfB2~F|#!^fY(d*V?(h;vl)9o@t=Fh3nkUHPP`<_bp
zt5VxHj?Gcu2HpI+hHpU{+N|@c_ad|SU|=4FpuAi=J*`}e0;p1=5O2y}l$-*az3jaN
zeh;SsbKtmcMur&G<Gw|qi;oa){NEJjSDGJLU!1OhwQhW9(Y)afdX74pYVd(~LcN6&
z$a$nY4r#}nb}2RxRAp$Ktz!a?bF$PQ2{xNoMphmM>N$5E%a<Sda4ydDoMaK*y2q9G
zUf@q>6Iw~^$pt6?@pei-+%ZbScqV%^5*HwyX7~cQ>J)7<{BN3dTlm4Jp{c`uYrz5d
zWgJCXN}7#`mq-Jc{$i2`xf%aq);18ZKm0hzLhtYgf_R!1Q@?2i+~=N_R>IV38?hIU
zT<Bl-YFq7lE%`ozJnh~qVbml%xy=M}wv$((*MFZ~p|`>$3PR~R+yN6Po%jd7`FpgB
zZTs}7=x}&KS=yvu>DYl~$DnX@5(hhm*DHKRFkQgvUwBe`m3_O=5~FVdLIOH}{vuCk
zm&<Fm$%9omj|W3OX{OKGF}UHC5>@}$0s$4=S|=OM!#<YJefEW$-c*h+TZQ=LPqoy$
z742ipSQd><Zpp{c(Lpl@=z9SHpsB(E99Gz{7}?_ILJ3m&C!Og|ubw~ZjN2IrfX*R#
zjiMUgjzkO^A{TW9fex2aORBm3wC4{UJo3hsUU-KgHL<aWaAB=WE!;k=Ba#XE@45ib
z{1xgo#j}V0&LrGNROEp?Zf$Jqfs&8yDyeu{&Mr`;)7X0%1g-(B@^bgSZ7#$`I)}R@
zLgPreRjg16$%~0;{0=wNUhRFV;vnMFJb^LY^7$N=&-C8%eHyWxI-u5{OTaPcJuf1a
zp{eA@*s>$@^5Ji@QNlae<UmtDd_v&`{kj+LJDem7MH6&Mm0o%jHE@;$C^nRg{o|-N
z%lvr{Cv7duGq8u4@l2WdQrjH9l^_JSzn-!h!g06^%<*Q%`)Y4QOljT*T*2%@V?10_
zeq`Mw6LtgCQ%^~D`3~t%!-h$93Tbudq=n7`qEihlj1OSdCi-8LD7@}KW}PQ~W^^Jv
zJBxKm4%ZhK+*7QR3IIOQ^CmZ!77iUXIxo?odp>%qtSbY0d4WHIKwIZyIC~opU^#xV
z9swg68DBh00FO1f25|snUS_QF=}<mS-mIS9^_&;Th>?Qaftx#MA3AuxQdsTbM2;j#
z_ENj6=bG<i9ZvFe4Kx}3c5W@;0)+xSu9t2NN76;<h7P);&LgHtpZILtRNYK4d~29T
zS9(GIC_ITLUnvHm2ZH{4hUbUh0Kj<hoKP?LSApVbynGvj)awBi0^ZjdP2OT`8t_t@
z7>VIKQK9fPkmy7eFLRk6hYGt<cH5@h^g^Ml1gR<GfGIM$x4x&uDYU(^B-oCO%P%zy
z;Jxg9ICg%3bt5f9)oh@gVS;O7UlSnMdB^if`FWF^a&;)+72Y{Z&mgOCwt<KD?!Hy8
zJ70Tz7$%qn^P@n9&km+bAk!Ibf7obM1LW{45pq`+Cmt~+RZzT?Y{1#J@h(4hW4WG1
zh@!e9*DS0)JoRr5GQLjxRx!jl!>zFu3Ki?O<$^!5@K0mLxU6Qk;lh5dJ3m2NR@;Qs
z!QZ|(w}_kQ?NG$#E&%X=f|vSkg<WbA;!U-_6wh89CcOuvw3e7JKzhTde00stg6v2)
zT-Y{DR=(e3fX}QkezV5F9RXE61x#{tU}Z!PY5iK|z3d_0s!eQBRC{R6<Nb6hmLs?|
zNi)0G#DrqUmwlkS<X!e^cP#<=gXI$sp5$UM-Bp|`!NAc4Q2iLNjP07s0`1N7>ZVcj
z<lIZK>0A<g#ABLOF+uoqc>I!zIV_v0fYHb^$VVI+t-6Y0)QNbI+p@>h?UY}*bPRTY
zi?E7#2Sjg2R|r9nTpfd|;2N+lya!}f0EGr}Jf{mKo-5jtqo6LVVH@9g%6l^0aE?=x
zheZF$1qu!wH?Dh2HF>q%deB-tPT>nM!#Z%t+ca7lmI};FM4OnZGKns~<<KrQt#Ggx
z=2727<IU(tLrN&k&QlVy^Qu>Y+oKW-dqU?9wmD@rtJB^}yfP}L(l8QyOD{Z1y-RkM
zzSyPq>{rdg52}{I-vZj6f$52&;GyXp+wF&drsa3Bne3gxZv26S`>cRm%s1OE0Mj~n
zoQSw@9pDSkJv}WxYcpQ4Mdi@2n0T$|rFip6o{AM3TE3UlAc(Ox7141mSyYS!ol3j(
z(t#DXp)pHsTN+jKk<74a1X)A&nQ0)IWF1vQ#5Am;!6<hipyV?Ln8oAxWZq!Ps=VpW
z?0w=jUPBETvDoxDdR41^pH%#gVuj2%+Tm+HQwwsF14f0}dZw!;`3F9~y^&mXmQBM)
z8LL^KtGs*5jEAt`dbE`%BckG%A$=@a<96yP@L+bM#?H+Ic6*spvqb{Mnwf)D59x1e
zK?xS)-AM#jbSH*0(Lo!Fvo2?ql<eI#7kE>wd(`{D2_J^FB?I5)bL+_j!e)390t25U
z;XN=Fv)!51*)_xj?su>UO?vnc3}vUN(GBulkJ^3Zu44%KBv0XsJXff64j#nt0tkyE
znNK{gu`U*`Ypi!7w7#^#K<0$jx+E3ZgpIE=Ok8D)>_rDW*6)GaS@CLFNB(pUVw7y4
zEbcy@ThgNlUy-)CH|p#%CgOQLb1(pS$tEHU2Fd(Dezt)G_TWq|I`<YZWy9t8Vi0>o
zQ=UcO#e#khvcHp|lyNPdUJHQUZQ&gh%0m?@TmKiW;2r=ZE}MtI;T-08CAGsnol|{g
zg0CY`H1{|*(30xHr>*o_^9>{7iJCdFGn!C28;CE|GbKcjSI3*X&B*ms&)>T2VCzA7
zLx*RK6$YOi-rzLeMkV6Y=r`Ctt6ht1;mQZF2roGN-iC&w6GA;t{MN?#4L(Fn$n~U}
zK(^x36m&oCZ+iM1#1eHv<IKJD9A4Id<L27s&6*ozE8hG&)7aN;1GT{)I|EP##BDBL
zpjU|@eylc;hl>HFr$e0a@47llvX0Vxt@e`t4Zw%CqWI9XG}_WKKGxMUUP+c9!6&-f
z+*RYe)G!*MWl$CS10KZl2%3H!@kARCK`Fv?)p%P<jM!YyXrch9EDK=2chH}tnJ-&E
zY$Lq64j1K@$}q#D;u7v^wP>t^(1t{b@`zcGVR|qMGCb0Xr(!ub(vEk<g-7*tS0_Q=
zrenQ!%@b+^s|Yf0Tf7F25#i)I6CpQ=DV2cA-8T)FVQFY;>&WRJotts%W23bCrtbqy
zhDllijr|mCQ+g!r^Hf*IdM}nMa!;|y%WyMf``#12(9aoDI;qK%9z>aH!xa#G+>aUK
z>4sV^g0(+XiD5C1mFBn+P~PGeF&hP^ZmxQPZp^`;2QgKamRP=eJI43Bm$<j&td2vW
zQ6H1CLIdg;W1%>^@tP6iP-7@mYn%63lb6KVi+3<Q{kuzb*c4zcUb^3e(K;7qu^8nk
zI+ibF^he>_!<+G0gi%?2G>BCI?I8w~n5<w2Eef}i1cMb@(xbDC=)0PrO4n%@NJ;lx
zTs>N7?W?(3W7_Dj9~FQfz`=m}z1R{khMKGAYJkh&1LBJflKiP*ASSB$67|bVxfsy&
zQ>cNPp4{TDSLKsHjJsfV8Icf%N1;0XWcjjX_<K7HrinF@;0qrb>tU?(+vqSS@M)yW
z<3$%57+utWn2XCVAZhwW>HFW5*p3sNOE|Je=Mr$4MwV<QySb;vQJ7zOX<n^f-%}{}
zw)?A`ignFFZLV+Y3en{<_#l9r4Bxfz&KQ8UDQ()RgLH%YfgCaTmiya!q8!E3jErr(
z>{KFGT<-p4+0D+>Fn+EWOy}PwLjsr?kJnhB>kS`~jHI<5p%&~GigC%SS=+bH444cK
z&J_^|zLK%+k!?B9G~3gC2T^__EQs@^UbgWRSP>=ghf1efhW6t&S4TrSY|xe=bGkCl
zX8817Vw4;l!X3Yx=Fxt38a4dl3n)dSV|;Yid%u3C?X#G;j~AkcAzTkD-W;i2=g&8_
z@n=)$HT6De9jgDdq1Ri2h!FxtY0!P>XRxHXHvLql`^&~nGK9Q`62TuSFTLK6#XT!Z
zfDY&nVQ5TsTgXE4Z$r15ycjKuqB%Ix3RXl1xYmG(5lENy&!R>!RTKpoPi8thlofo(
zI@J4hwuw^pj8MwWb^uc<p1xm}@F2vf(qU26Q2@f9G<meRRBGS|vdr86LgK|2sB))2
z4uiUl3iaB-a1Wn^JmxB4_rV$oFq3Y3P81GNB4%uy+7e*)0ysPOy~xw)%#r2Po7Dmi
zJH*-G(set^$I~*+JZT}@=g>@{B3H|6QBf?kFdVAXAqK@;H>kc^`*reqV8Oy^U!-d0
zOG2ECz=SH9atU>gq-`NB#7nSQ(&&!}0On^EG)#wn-%j<p50I|pBrp9<UMUj2g+Yq*
zYNqaeamEh@;tn>l%TVbJ%9vxJ=x$Egt3{1<z4EKV7+>lYhH$Cq(km64d*I7QQ!f?P
z!12=Gd_QrtPZ;qT0vhULUkT78C4E#$55@s0wv9`e_2RIYC+itI@JDN??K}Iymz>2w
zVK--0W~@7nVohX=1D|;;UlN7KT@AggamY|}eW4-tcOmkEu040tBbFKZtX%NiiGR)a
z!i}jh@~ty+5Nc~w{s2W+x-}JZovaLf2O|aD0Lh@1GDj<yuNMlr60%F7x~ThvtB&w1
z@+YcQ$SnB06_J8^E+*Yh@4TMTnJwfiIDS~aL{7y~Xn3?qY=pI&&o@92A${e~Z`Ng#
zRE}Tdhdx3y-h7KzzQ(n`RCnPuG%2K>b1KPd!bW2}DHVAcl{Up6PWkb(El?U{@llCx
z2hr8^h{z*=u*dZfz9jkppJyJ$s71)MRV7wm@3kIUip;)1n6K6c1wS>v<T1Dgl=<QF
zfG2(4DF%JUhJ14k>Z%<oEC3`MC%CIbiXTsVjA?DwnCJ*wp(&;ImGAiOR(~Xy?1`0_
zLgqwtM=Dv&X^@~lig{K-Jr!a8K>H#xJN(#&+HL$g=U9AbxqHn^d@RsN>&=UtWXKbU
zJus1*5Tz8U@uvbgbWeH$d!=lV`%)`K394kw81x5pBM32iIKpk+D`yzmh$~8WzdSN&
zKuy^=B3;A1acw*+7Cn-O*!w53@l9~d`Fp#PUTHYQ2h5kvMwXt$bn0KSP9jqi2w37M
zQr<%)3b%=}AHO(yZ(<X4(aDrVs6c3@jLn>6_)KKH*1F}=N54{;E5K$Oaea_eIf{b0
zdpTzfF;$agJNPtO{B6%z1O{6bQ7*VsbGrGozVcaC)dH20Z2vIt&*bhe>>z%;YvHz<
z9mbs5JH**B?&YKK_fhZgrkqq{@uW%P@D{TDKUW=+>r}R}o;VF@0U?5x=yJt8s~R{I
zXMCYCIe}P{+4Dv$_-VZ8)l}A=KFI^AG-gIy+1Kd`G*^eYuF}=i+X4(7@i!|9vHn^;
zN*Nx^vnu`CQWgnsjMw7y(t-GMek4kNSr;HmMmii=^EHC(&~GsTRPn_1)J7mb2{Dk@
z7XehDsAf8Bz1gyr%~nStYhhW|TS2C;LUS<+iP`m94y_Ht&n@-%EC3-i7!!|Sf|-;o
zh*F&xPo^>9=>Dy}=|1-VmSRFWS`qJi#9-<#)89_o(?fmUv0Z-@B;qikJeg5bLKI0|
zILdQW-Qbn20#2?Ew^~^Zp}F(f9UW&Qb@X|-pB*eo5m4<*Azq0@Gw{Gi_%>D>oaMDc
zb`)qHYvpO_A?i+BN%9<3dlNgZ;k-ui`G)%4s1%j87k#{NYD)Z+zz(3puA`S4S@V3S
z4WH5fa>)SCAH2xwT7$^~5IdG*hR$5=u_YUF;oty9*UAz4r0SE_z9XckpA{>RON^i|
z)*iM_TtV|u(>8PueK0!zgA^a)?6)*7+cY*#SZ>bBX^;NGe%%fc<1EuP!OD3FA9aIW
zUCQnB<=w#m=m%L1bon5OuyjdsLh!(v!?vzx{k{7m&EomEgXM?^v=LWnqh5Ov=~TjU
zy-m91JxXs@PsfQ-NEwsTh-IIfmyuyAiJj&Okr)$b8_wiH8pEEt>z@YgIn;Cr3=#dn
z>A#htaQTV%t11ItPtoghvSss|uEZ3Lb_bY|MJ~eXa2^1C3!-4REIa$y&(3K`QsN^Z
za2By8amI{<tI_ufQM~y$F5pesiCCuXk@Oq|+DC`GGVuML-(2B242jaWxavN~_|*Zl
zm@UAkMi`YpC$UCU)+vq#E|jpM%k*Jf2T`D$&A+k#z{OtzR4Du^(<51zC?F3@nIqu?
zpn;9=W!7~GsbBJNoqW?J(G{S4q$f{W0tRQ66&moQ41bZ(mD&kErHC>-J!<n<UG`*~
zN^%CjmWj)|iS&}W;wNrHh*^+-UeIm8h5F$Vy9d|qwnCntj{joe%#{RsumSKoa`Q;T
z&cqxbvm>&#$1*~xPlO+K6)7sM3g!#=(?`eJUX6cFgXs-C!Q^ZpM5$ILScz8rY-$_5
z^6ET9(wTyBYP-(w2x~O=p&=fm{2>njVmTQDxkat37m{<wTT)LaWJN}mXWQwa`D8wQ
znBIk4UDXP)T{dRw$(zW?>&YMsc4W5e*IFqXDD~;`Jm6F9ltsRA(C{k9h8}8<&^ZuO
z!YHN85B}?WG<oM%IN!Q}RXo3C_Llkx{ExTaBcHV~%jjSoj_olvIL61F<N4WaO+$5a
zz@jY6qXUK&gt3C|N}F3f3SU|6B&DMqAl?BMEH9?mT$vBlQnZhhN?<X$DRRa`1pEv-
z?Bo;keG~Ot9DQFZ@}1Qle)gOwK*a(CAP-WesKeQi!!r>fSY1V9!pb1KJ;T``ZY81y
zI`0{v_)j5v^ZTkQGyqCI$9Ma6*o{`+c9nG^D!s-A1PR+s6uy!U!8C&Vra3Ria2(i$
z^aVJGK)e{apb|z-n6vDL_o<3E`vg699ZAJUUov~Zh==izY9mO`x=MRZ`7;F;Iso1C
zM+Xbg0r{qZTt-A5ZNu5xfS1)MwJ>$c{OG6=Q`Zy`F^bsxl7^Kw2pJRrepMX?E@#WF
z#n$dFS0KDMz^Mcc^8ofQqvi#5Fj;m{ZV)UGg7(vbTU48n$Z=<1lv%UA;=sr66wGeU
z7JSpYSYYm(iL6UBM)Ux*I^avhRlm8B(EvNGio;USRqYm%51NRUSdqv6sv+9zFhdIw
z!9eUlF1(^NrwJO8f|6uyz3u~z&UZxly;jeQyiRfp&|h{m)OjVvQp><_E#z_xN*&A*
zafvp1CEXU9{Mr2J#Rc)x<&b7Vy!E^kHFX@fWA33fe?5Ehy4pDo(`~~H{?*+mJfCR0
ztH2zWrMvtzpdnP@7-T%CNso2#IPlM9i|96^3NqRp*UodE-D?ZLZSeCJtgBnoBt+Pm
zh8w*xIba%KT)vcV*d?n>V#s{fE@wNXg|OIc<=kECOj}cnrL9v(@B`QekxDI$>ifZj
ziu*E4$kpU5J|<=AOI7Xi5l!x2+F}{G0h-v@+NwUc*vo}2S`kCZ-9!^^vRD0EbAVc_
zj+qdP*#lMNY*=E3%J2D$9xyTTdgqgGg7ReAYB~kt_OuxgpZtx|`WhDHD0hb$Xca<V
zaS<Y}DKU|0ukpqU@t)5nIaQTop%Lzct+&GIjke>xUYbQ}P}vs2*ci#%Z15iz;yRzk
zNKc)X&sna>m*^3FmMf|x7jqaq+>J&F7?GED)49K62Y;pgSPlnyt*oh<52o9VQ-;Cf
zU1L`+PkXcLUF+lz2KEOk`@`*1&Y%`S?{4@yR-c&M)G69avJQJoyLRc%*FkRsGAlJ-
zGQt{B08}a*;b_X8c-Avk*p0+IaCigWfB0Q=yL5gC><Sr(?f_`wtpRncH7Iz+@j<hM
z+$5|O*QE3X;_X}p&T)2Iu8&O*B$^^?1XZ7P#SuvHF8^wi{%zd=dRmE7we5jR{w=0p
zC6~WB$-OD%1?fdrv-;yJ30Z-KL6IhCgNK$<me-$U@ZyXdk+O=IUv5K#d>HB+WaPNS
zSEbvV%GvcYJ!RDU0x*OkS_$kq*Huwb@bOIE;MXCQyN!TC|2`Myv^@0L)QB7pMYH50
zmP+uyW(B`x<bFGd$jBQxdpzzcK;Od2cp<7Q0x<n`U@y?v@rFpi`^J!ea38lO6PHoQ
zPUs68-Su;)D{M%Q4&SAX7%K*53kh_#?meF_9c6P7%^K6YOmY<G`&F&z7uB9Fxk!&+
z(@Fq*`r{bBYY`&sB$rnu$mQBRt@N;*cQ0`L=I;NV7wqs!ssoP(pK$ZPL{+@Gq~U=p
z?nGaJaJXr&X}rwh{cVHaT#P^Uc#NxlB=t`2yN6w3ef4(8CxiQAL+ca;QO6szbDcS)
zD?-T_OI~+QA-LRox|1UME?F|v%nDV^c8Ft2thb|p!I&%*{x`e)=N}FsNz-&4Vi5jF
z{3wE}3yCR~{&_p0iTVa!@#y=Hjsc7pZuyswZZzRjj~~2fC%_~`Q*!Z1*5KeJ{s+%`
z`@39`axDTl-2rV#@JKTG)G$$_MzWrO97VuNVa<mO8q1rzm@Hy~uE17?a_H{qi_i*}
z@bszDvXJaTo3<(>EM-7T#See?FJitA@5HE>-HME}up$Wy2+hJWwxM}MyaddcX&zMh
zcFkQyJ|f1txqitspNzogiEsbM5G-_RJVCw}@Txhx3D{BD`=~gNyFWv%tQ_reH9M0)
zDbVagKMvJ{B-yQnsb!~yP?o=gq$K5VN%q+FXeLePFWkrR6)q6Jj$rvE;sj*4|LQ7?
zNGO9UgMxttgQ(bUc4guYadlUi=ggHq9}<E6QhRsL+yvHQ%5g1ki@%o()AE?~YH6*x
zV+AY`x*tmo_u7Am05YVrpXa%uYB&dzA<fiHMDM<<zah!m&kHMkiBB}rw>p4(T#Wy{
zMdv>ok)g7i8|Cn7G;^^qQZy?|@OC%>!>|Qj=LzAMKW;IOsp#4d(4MGiy}<jL&*~BS
zz+FnvHnwT^IaG&QE>9_xiE`tsDWiCHbRNFcs+mDzR@nd?bHEIa+mKXxeD*{2@r8VW
zpV%#!+{4WI3;*$N>i)E|n&ZzoW5$CiU!dM`2ALdp%_>3gjdL`cA=5*Octn6H6XZ6M
zPzaXSe-61>c_D$pC8>0RJn?nTPhf%gC+4kb+f2QV>(l*s@ysWY8~-oX^=IG!F#p6b
zp-(yi;}r2CpmY)wf?uBq@R50c#aU{cZl0A?uu0m^kQ0e)#Nh1D96KaJ(($*Rg$x2x
zFG6C-Wejo5wS%|MWKn;fCN;e;75oDW^2Y=F1KPa5eW9h1K7krN&lD7oLlvh-*}vrM
zI$0@J1m?j9K}E1WDY>@&Iwc)Z7pm}sM3{(^8n+p`gfFKp&qB}CdMLtLYD(>xn}8SC
z2-nL6i+FDOFB-9*4b2~nOn_?%12hm#LW&J4$f6OF0FZ=4TyA*J^Uv4r{=5CXHw^da
z9cO3A_2z`8jBQtlha3~iQ-#-cgX2)MHxF;~vm)5+EPp_zUcr@BA@}1_T`eOWf`_d)
zWmyng#<EH*X&82zQHl8>@=AkNDO#ViuZEl21QVgCvJnUQX^QEk{XWnxPI?q{CP`;J
z78@9~li3!&E2Yp_Pi^@6AX{izoI_;CMAm)z&R;<DzuAa;1LAWLtJxPCz`;|k$g!!v
zqDi#@;reMTirEeRa9E<4bE7dXDN_qsPn%a>;Q<pQnNCo20KV+19gdDLMh6NfDPDUG
zuwqPBk{4fh9EU+1O9N}Q<iWW~-%!QdJ$oOFobsn0fV%%U^Y;Fh<*(&~coipG;6+^j
zsn723+{hjIjZ53FIQ9@52fQ$RAD9f0R>h~s)=+4VpN=qfe3v;`n#|5lCz>}Nv@c>B
zA(!e%HB9SF$7wgaIrX+Gs}Pjcw{W2H^ANsX0_^*eT-VWe=h*r}6tVFKj&26q=#n^d
zNuY&y1sf}Z=rX!fciqiMtSpq5$h}@Szq0RtLG52L=-)mhF1fkvU$pWXpW!p5h=C@!
zjtSY~W#xD81q)x<!8qvxFOCKjhX@rws!YKLs2n42qDHrSh|bywvHOV>LCoYxK4LBE
z|Dbb&UOT%^xFJMJ1Pk$0=;+~$vsgKxJiYx>+v;_|-4v~mPhKlp!3+#Cq01}@f90tE
zeX&2^?uRR)Y53=eU5gZ9$Oy{#_z)sRwt|rQYj|hFf^+8`V$c%%@rgQ8?h5WrP)3mi
zEDYv01j_=Ti%Ef*_{0$FBHVc_Z?G3=Y<(IWjn30xNM8*%MuRDk3`z6$BwTeH+}i56
z%!Xr8a=@H4W|%mo*a17*5=4HS(v7AXiE`Z<5slZfIgy)xrn3GQ2a}sz%n0{PdI>LB
z?rE(9Wm5fRXQ+PsBv=hq4v*j4x0p)eA3nStTdEbj;?>cTG9B-oKs1Mx6};X~JDmqR
z2evB$Hk?eg#On5K0ug$64V0Dw%&b#{ivs#F@u+8|->+mcZ1`4bwq)&^-w@x5H`g-=
z33D8AjR#a~((%)cx1eTKZF<E&LxOt~`BxhC`*^ZDfJ<Ch0V|@d@t7(%20@Feu3;5a
zFYonkM}kdyiP3fjv}d_yfuhfWqkocTqlP?Hm)7;0W4=uNnuq?$IxXfzAiJ!qfnyvX
z*9ut91rf$idtVrDK=*E{7VEdDBu`k(Q{7ex3SRJK-1X%cE*$nmqUd@rAGZE8EB<e8
z^N;SS2;11+^aIq;;!$nOP}F4VYxZ6_iguMfB|}vbbmzKUacFc3FUwJo2;E9E76xHq
zj68CZbwmqkpk1tlkL>T6KylJQ#TF{L<`V}R@$;7x-#T#*-egMV`uA|<pp~~$!LHm6
z;CFQDInlf07CiUD4F=7z{~TBS_X}`qj%8NpUs{MOQppuN3kwM~r@<wsa&Lc1rbQ<s
z7%YW&y|hZ2mApn!Z85UoV_|acFOGeQs$WEmRgOso>Nh-;r<#k7LSwVyhx>XT*_mya
z4IYn0I?bfUU9t$rzUyxI)q9!n!-!iAc;5T!Q+x{AAKwnTcSrxtk!@v)X9;)E#v}-b
zeIl7y?O$L}EK9z^7Bq2xy376imGEebaNA5^_QxHXUg!LVq1UTTHK@FL6QrXG@#RkD
z58qe{z_+I#gOeXY=UdO?$ZfiLUr{hr8#)8dy{BS@^=kyKpdS3%>pxDX_!kh1PeQj+
z4ph$o5f|sM_+|Ftdk;vy!<>A~mt;;l5;ka`-LAf<grcXJR;@$?Vn5oD@r{KQ3%CaE
zv+fFY5<kvY{uq*(%Nmmu21AKX?;tGD1JPpaI>g$@*I7=yL3!c%X5kezE;aI<d_lzD
zeXXUE|7B#^A2s%WhPL#&Ns<(8XbdV*WYtTYEvS_ySb2DWp{k6*q=O=hErf_b$FGdq
z>v=R~uy8|Lv^mP!mAWuwk2W`jqh(?7u9Kr|FxVA}(2+Cwl)J*l_dBc9n2+EHr-a{-
zWf<&|BPqGCw-V<DU5xa)<X-}+g#8Vc#lLs0{5jtJUnmJN*x3;%9OElR+^26fg7Sz8
zg)!Ju4D&b2+#jp4f3&oae%8IDjjzq=S-Xp{wYPM_D<bmD&&p4>bV~raD<+tB|BWSS
zh6(JPuFwo=>3&a^XjU%FLn1qYn=2A4>tMSUCgu+pZ{r%W++U5^Ke)-($mMD~^3GD~
zDH#KMAa&b)G?SI|<0-!XX#alpO}{Y~g)J&~_XbagL`G<$e8NPM^w?E8BT>)7L-j~9
zgH%u>pyhdJ!p>k9mSZH6<z|@Dww!VZBi@KYf?hz%ZLK#wp>*=g_-SVx^0#BSLgnDE
zQd^>u^bZLH-U4}~vI~7tJRY=XSR$0!j`=^p#NRfoordjx>&Jr2ZO7t=InDU7z;BR}
zSCM)LIw=kHT_xcMg7%-jwapHxR<zy}fQ)^+k>V}^n4*IQX3(8cSt+2I@t%;tvV;i4
z89E_{D3nD-VF@}06dlEV^WpTf$mpvfa=@bn{iNRi3&r>qOD?i1LxlfUt0BDonUerc
z;I;#E%sc^1DY35E&ePA^K!JB+v=?o()n<6T{bP})0j?(~<b>>;yT^v(_lMOGAN57-
z$R2seYf6uOW)u`o8X8~bf-laqk^WRaq4RQ{R$kb;M6k>nYGN%Pme|eUTng5e2JZWK
z+`q@hPj``L4aB|vbd|N!O!HSs?=0*OoQZA`2qKRNFiVK)0=>i9eGPuEP?GR{fxOgM
zs3j&Dg+Ztz)}wH2gxO-YWeaKB@k@OZv6${t7o<Mr$3?YYZmwcJYoFGO$U5+?L0H0+
z2>2$B$>q*{%xuw}Bx`V!MvmvYI9r*^9&XQ_$VqW}O!*~N6_BR?b=2TLbegemLmay_
z7+rnyuBP%gWh1FLjF)_EY4GZIPE}sw9f&#rN3mW$-f1hIfK6S%f0=kF9ke#1>PzL}
z6J(@r`h|OHj!&4D0y@f0qN{>&pGmVcOaw`TBGm=wYbT2-aV@GIT2TWZp9Zw91xpIw
z+#-Y#Qg~OMwV(SCZZFiKx>c=uQiZ(<O`NkE%r0?%d;DVO6D_ijN#NYZCgFF`=U*+o
z@CFU+XcGt{<!`&X^=icV10HYlo+E<c6Nh}As{B0^vn=F=&s8@M`PA_Yo=w#ftD@`^
zOf&`I8mIiSU0D{V5dzyV_nd;JSp#In3wJhrkWck~K)56U4D*kbC}uDKg<(sKgNM2x
zxV3AhHX|<G!vvb5Sen`r)n$i@QM&T94wq8<rit17Xap>fpxt!?{f|}=X&*o@D3nUR
z8(-jrl)Gq_=ObUaYl8cef_<+*f52)PY}Nie{`XftZ+DkhT6S|N>kRA*mfA+L2;szh
zUHAHH+<X6(q2L@MkK+@C)SGE49X3Rd%In)GI<Tj#J8B@f4Aqs41a=bDlqBD7z3M9z
z=ts>v^hsfEfS!uQN>`Zi$-S++YZ2btbOArMBOuQsYI3VI$MN42H;+`iwEH3?X~Bq5
zV-9C1L2#(NoX)~X8ep1Y-r!m>-^#iCT%lIw@7b#Fb~aXxYYr*rsqFpRzds+L{bV_W
zbVO-#EU<Z)x41l!lN0L)U%xR-t0RyfSME0D(Z<JEg1Y^rsfkS-JSEi}_M^Dt5T8X8
z*hg53fxd{?EAfYAQBl*Cp5sv(W%^hV`-y=rQO;BELkR+^k^0c#<FE{vgWl>vfxpu9
zziWPt?x;(+W*p-d#1kfl+6RZ6<bV1QPyQzIZT@(5mJ)`V)WPWLiV9kG?f3|rK>FX)
zPT#HGGeNlm$tqaEp4&c^pSK7A@8nb34C3+UVdOd8fhkQ94~)G5ruaU-zWrkXoPL3&
zO-b=l6Q*gr2in;V#uUVjLCeFEH4r2~-M-JLta8%z-}2e&a5pI+QY9J-Sqmv4_1lk@
z8=Sj$01|zGj=T*Le3Sr=A>*E+a1~hvP_i3=<ka)rjlvhpH;o(x&bkO|ulsikGjk;8
z4|^N@A9q=iUVdSZ{-3Q1v)Qv0t$7Zv%Ibta%mrU9_FPGM*z`6Z;F)cIwv^}(pWfJ+
zfNsbizLA&j*q8-s;k!H}IjwUjj$3(DtJK*<5-?z!c0(OfJ<ZQMG`MXCwoZV*5?aCg
zqq>LlLquHd#@uFf4?WSx5YtYISqpj|Am%dY)hcrDN4QA&nz3(q!yWx$bUv6g!MvFK
z-uUsWY=6pM2bViP<}|xl-E0~PF1sIL`*U!WE6ETU9_jjfPjgNlW80~2)1VLj;v|4Q
z_Ghj2X=0OzHjdEQ*oxv^;R}1T>x(G><e>wb0m!^Ff2!kl#dP*(P`*XI!B9Pyd&>=p
zrTEE`)IRPpY^7#X%lvWzG@6+Uqx*1<A^fl32KH>}$X6pTY$?qAm-__oRCtOq&rRZ}
zjST&Z8hzbrAX&_wO+4aPGUdnTJ#$s0ELyT8<=}$n=4BLg7HjUr^ZUh(5C{D-Ze@D!
zm%*y}AGF4BL{8DV@ydWXLxGcsxwTVlGd!CE>0qWc<WQYqq`$I*yjfD@KrpB)jwr7q
zi7(zNGDOj`ZKf*)zar6YMj?n#Qh;?&h#m>(wu(b~Bf|{t95a1}?eBt#CNXvPanja~
zcZ4_iNo&tL3l-l*sjVuA@a+Hjaycq*hn#W0WZ7;~O#@Z6g8V*@;Jb~<3ij#0XRGfI
z6i>T^I4)96rEiJr;gQvVcn}k%I&}iHWJ-cuI51Sdvr~ODcPFQTQx)ZB8tezupFY0S
z3ZS$&PMkb^H^~?LBt`8SVZRLQImNRBh5(((yuI>WhnAQ#gZC>b@2xkY=~W=>+1{5k
z^;_%+*_ew}U$=0(1$fsn)roR03xQR?!SOpsu6Vkj1-9OM+|rQUtjgc0t(Q0|`yeOm
zj_mzOE&qwhpY}3o0!9b=@as~BJr{fysb9tOg_&FKpO)nhQ5|)c0S?-yy|Or+xe-?z
z+*xKCS97~HIlQNNmQqE%13)6(jOH0c3xo1*Cg(sFAG~l25L8Y+ybQXIKT;`(d297F
zQ)Q<?$FB6s4ulDOr6&QAgw|OaOX~C4Qa`+>kYw(77?Mu;o(6sF8<+h8Le$aErYUEi
zq+ezB2r7&Em929BIXm{#LRp30yu;bx?y{jT|LhBMJQUTCZlrRQ@yOEH?<!cQzy$0g
zcK)XruIy5yKR=85>pAOfWqyzZ4oKQz;F+nHA*|SS^FQiKXg<DB6ZFCG>l-1|+q;Hg
z7g2l1AY5v{wLGm4(&b>bcXDzL`Y@{rOMQ>S$VtdoKmp@n^8<l%9_XcE?bk5&9$71S
z&%CJ#Y*s5r<lX4RZoW{M`?al}T*Nkji9Uccn~H@MR(+DOs;`+k@+tc-g+f2pDRK%S
z2C_!xdN*mTgLU64jfHBy@-3j5>jwh(Gc$shh!vEXIw;e`(i#Eua@%|^owq4>Hvu;M
zLI0ygpehumblXO|gvT~m7FjE=>U;N^!RjBc=;}7TAJgcap8vwQfunZ>&ASKwp%Z-I
zb>_@jQHFBs2$F4^1ktk;E0g3G0TkQL=nG{sS-T6aa8XO`A>-;N6)OU9Ku{n%yX%dF
z?%}3<K&tki=LP#y!SATTAG`X8+VaI<Jru=^V$@Z4!S==RgBzeF$m{UZ3PX<n5OlL;
zM?V?H<F1DFJfo(!hCQA4UoXJd55tWv$7Lrld}7YP51%y_$;ZUNkiReplI{(smljQY
zcugebA(qsqQY%I^_bvjMFXA;c<QB0JmV8YniOljoJ|1bR=v9J2RrkJ7^<a7cUD!bN
z1dBG2fyt7oSrV{{{{bnTha~I9mIj9KT)*p=(JwG{v8FNkPa&><IH8{`%rAgMRF*S!
zlOPK|x#j5=!Z7EfK5v>{uMRO*_wRt<Unn}Ia0E}A0$)c{cj#E3*^v`dYsbXao?&Ch
zPxHD4op@qCP$FXIShgN?5Y67(K+eQSg;}j2xmCE~wt#MkJDgkqha1P3w4}e#X;D45
zseCPJ&&3MYlC!c*o~3rZ&<tjD8Fo&(3Sw>yc__OUa{guI&+7HVJKP}_j^P+Y14$Yo
z3Opa3CEsZE%pX-1zag4m6?dpnM?d*l82G|i(|fD4f~^`LX$Fz?M;AUuKJZ<cT@}K6
zZ*ct2fZu-cvFOYW#0RY-J2an2ykAmubvxz}uT230rAW?`Zh7`K!Y7;yVsd0>lV_)O
zKxhhJUvxW$->~QAn7^%-Fa9yE?_VTs9`o4#4f4BYnd|)l=l{wA%NOWZwa<{nt$uXM
zgAp5Tq{|=a!PRENKVwiYSIe5FZ4;-U4ObgqNn`r4b_Q7k(g2rts2fvV0t(?Ge5R%B
z>X<i3digtX&muw#pJ9Zp4*HioyS5-V(?6SEhWa*m<zKJ8wx5>5%Tf%x9q=dWUVoZP
z@ux^h&VX2`1}8*HK)>mYAIjLIjcH6I>f-YDyiu*a##UBEUnhM{;*JjFC9PN*I`rPp
zL118&TMj<!Lc82yIp=3=j53$p4Pd)ya3G+CJ$l%Kr-LwbBaj!mv%kQ*pTX-d7x}pb
z$=qAzgIdazdsO-_$MjYG5ceJWam<@$eX`dV(pJ@>EtzpLde<uTUyWLBSCG4@%p^rD
zU?my2bel`!fc=tQj8n)xJ+*X-jfrn}VRG2RwWojIn*_5hFzF|_(d0*t%_unar+$%p
z#rwgL<2>`=!wn8qlUzdkKJEXnDDs=#Bl^?;^Tj65%zw^o;#7Dc2IV|D*FnyAW&}(_
z1MuX`gPEz+=<B?yE!;5NLk$r`K%dS%S=FPh1*BF}(2bFjjo<KI%rP|t{kMzwV`aZw
zwC4*ODYQ;m|6zpHx8K4MIZ^x2p~y@S7RlgWc7v&rZs8REGKd^*{@N9c7j&bQ-dhMu
z`WKlpEJd!a(<EC+!3@e96OfQ{MNBc!4pm#bsjjm8C9C~oXWzKb^n=mJf@l2q`~9C8
zQ4u_Z47yl`oOG22l61d)!jGOt#hVK0QI}5bDv~%i$m)_F(e=rt&w|N*j1Rg$AJy96
z$pqq*VDWdY-zEI-zxY^+j`R(I#OKrBasJ=(aDd^{bD!fp+AkvsQwcM|UtGw#-T(=d
zt9K$2?2iQhK8*}uDk)$X8HcRCTe!a*=Y5!nUz9ZEzvo`2b)fPe;<0a=B>5mz&oNpH
zcnE~0LnFxdXk;_76xgP*x%%dM_cP}3)7!ZIXE6-*eaw#is6R0q@gHCZKpll>UZ*HY
zrM3QVGRPb&vBygsu1M(64<2?3hp6R1@Bd>R!<<e2&xw;tC;z(^|GJTX^+bRVjXSJw
z5-bNExZI2PC-pR(?F=b(9K_xJzpS44#lTS?Eyk^~ybtYNyel*M<q8OIi(StTHCn{~
zxAE0~GV{M+kbl}SQuzd)kl~CWf+5O(cp5h2W*6;9Y2AN(@Q1JYMRWcqfq%FEAxQe_
zdg~R~GaqEyU;pf301+8Z1WKO^;S-P4BGBJ8^FM$8ePH)j=cCg`4$YN;4;~Gg^V_9V
zdcWMue?_eT{9pa)|0L)?N+`6cSEDYae$xj0N|i+8r$$BMHwY9r!!%9~>kIn-0-*l}
zHvcy#6x}Kb4F^SryR=3<_x%h)OM5Z`7P|^>8a98n3IB(Z|LJQ(B*+^fkT7-XnU@3z
z1^p(ozRF67RmH;tl*+;H(uH9ofo9{+<;H(2Z@#zo{~J*RXI3<`+EkL;J0V*fTHELQ
zuWtz8J>f}n^S?Gc3Cf6p7mpeRo67;tf>6y$5w-uW$N#gQ{j}RZSebuatGTLxQ3_Ts
zV#~qx6Cc)AC5hHA9|qOVC2Ag}l);%K_{dW))aaI7CH%R7>?d3HufOuY{80X_&Cvg^
zKluOAKK@U>mKzA@dg>j}?LWjPBQp`)*ON9iafH>4RH<xbBK7ZOq46#WOPYNUO7m%b
zIcA=cu*!*`x>Rfk3VY1-qjPDKk5ii#xS(ZF%9wLlo0c3~x_D%fA23vKT3LSa%VV%{
zxTLdp27j8$V|xiD`sB+l5fvqd)uGcwP)X`qVy6^=1iw4z{FiKAJXrhaO9kfWfcV)D
zM&hZ7>}Uqe2hs&A{ak@oj~zrf?Usp@IHBT1VwxkkJhiy;9(c6$HJl1Ohx3XF&jB&B
z#0ZlrgBUk&hY7RCL;naNZTSkuY#QNnk30}c)+Z%9lbuJOZ*J%`u2b?qNonX`udlQ<
zdOok;k>M%!?f|8O>DG5!Fvkz$Lbf|FI)44>ZC-^Of4m4n`MjXiTxXBUI7iX(fQO<X
zYFzfGV7*Veft;t!Lq{>F@HT#j9!IKDH#c#KIIQZ2^|k#MN?hhj7zNKDZxk)>#0muT
z$dy;hkbc}EDsp-;nRE+}T>imFZJaumC<(7xIhN}u2iN0O6O|H~Th!D%3cRDlF|iWb
z2^sI{c3h2s@%MpA(7H~k<hLGTlHm2MffLh@Klj-e%a;mSQ6&frS~oeH_dBNA6>#+&
z#_P5M0=w)9SJ}vLsYT?sH+V3x!rph)d|J_ugQ$l2;Gkq>Chaf<Bk*w`v|6U)C;fCT
zl!A-v4G+G!@w_c=4d%;KS~ia2aMj*~0%}{39Hw6Nrwvx_Zh?oRuS)8-78x}sF*bzE
z7xfs<kq*~dOqT5j`egQG3q|r#oy#m+(-scsq@`6<H)=iGtEewd0}R7ao*U4NZGIC2
z5af-~*1OjprZsi--TgY{4T;AwdiHJN@7lq<ncsFI^$Z>_xT*=ZqoqI2XsB!1WHbdK
zZ!<(|l8;xf_`=ERTgJM7i98meMFrT`qa58-GCw^~#)%&0&vk7S!pST#ba+l~1A9ak
z*nB*drpxbgQOC$Cjy#0QEjGbSXak}yVca*YJPeiw6)=4fVH84=hMEH#p|4oCmL8*r
z_Nusrm%~Wu%6x2x5w^=xPArON_rGWfjx0CUXQ;TbwPG$8YKA*&ZtG3@lIq3Bd6?qj
zG;%U<<iOwS51ffid%s1%|IFu?Z;X*8G1u`K*Q$U~b*uacjhY{RX*7DAp8?A&H`#M_
zkOz!m{zB2BY)Ol5yEr7WN6V8EIu9=}Tejw@18ncRGc81@n#&gN3Ripurm*;=McYmw
z1O=-Zxqz)Kz_%HbMcQt)^S^bXOgD5kE&`+8h*$5%d%7Nb>g>X{!JIfb{GcSpKeHql
z*`UuR*XYV()M=ucFvK}!&vu|FHUZ%fCJKb8LaWGoJv4rz0CH@eE<^8zjG+!9{QEAD
z=BjX4q_f1Adq-HjCz}rv`{_xYvQ9$ulteJP(qNl}y!=RgMv!-LuDJ~Z(Nr?>A!Tg1
z#xT8JsO2tYnk`Fq$T^J0ijco-HpAF{cJN?H3OtYrNNwo&=uzFCL3QyCNGGX-g#F+(
zRRJ^gN5+C{*J*K{H&T~j_&F_Z?hRCWwA7ojhlg<eHm#tI3K>Nx3hzi=l^lUyd2M)F
zVsBjSSOgDi`64_->#0X!UxAChU^%Z^@3eC^NKhiY-vflAKkUS<vdsW4#QdU-{+m+#
zkW^#Gb@nJ#q5gicYi=X=MAdT!SvP_yOlz=Yu-Cn8uU6qwtVa<1DJ3{Q+am0Tj2;})
z<h&y%h+cIUNB{#hjUR$;BA+G>ZFo5B%Bt6NGDn>ZiM)GY6PjCL!bJU!nmyI=xq>HS
zgU{R~B+JdS*A31jS3|6PBui7~$4W^$M%A1wjg*WYing?!o(~vMn(o&M1m9m@+?oEY
zmU>;6V9p_*9%Neiv&g>2(k8>DL>nWsJNVg*r&;8C#EV(3o*q$Yp>l$<VSGBSbb?FA
zy)?yh5dz$G5;T@@L`Hr*==~-WWX2VYb7S>LlG+C<axCfo5*nf@Tw?7Sf;_{564Z0H
zPE?BJo1fazqt2kN<gMmK+iiw~Lq<W1`rrDma>G9I2Fx~thSX>b%d@<OmSXt6O5m3>
zq(^>%FU?`!8-wesdd~wXZ6EIJjco0?Xs*WCU%V8A5t~%QA&bq3k!>W)#Hq)i2^ARF
zU4))&Hh)Sci!yTlvYf^5<)YzZQ6N<847NxWZbvyF1?(r)q1FO7B3N>V3PcR22SwYc
zuLLDw*E>%eZ=m*pUem;I)~})(q4rMp#UZ(DcExYx2Fen9%k#`2IEaMseqSEyYiA9>
z1#X*?LWwg80T_?fqTG>(LT8d5w(+=C{3a&v+sL|ZR20uQeLtw~?|pF+=bNy!5*6r0
zd*j@NM*^xG_<s8YnO~D|Oc6?mi+we+$F8zdo}*@%ZVEy0r5aYF71b`*>ZvYaul`k0
z+DY&uucu``lAG~B(nS?J2>z4Tfpbj0A5Y7>iQXq#X7Gf$4SB!J|Gqq6;LndcpTP+9
z=LkoT>)TlKkx)s^%x-OFw>l?YoF=pKJ}LBSj$*&|b9ix;@m8l)`l5>hidJWc4A2@%
zB-XY3QX&@|!Z2hdb^sr(3EfYsXgN6oaGYpY=n-Uc>WiXc19?cV#EXu5l4@99N#jJD
z+d5nm@rHaU-$ur1&oBj9){NX^2Hl)0XNdOjMe*ys7aRPOM(PK(>Ib8&m7fg^oHKUm
zMuK|9N;Jen$Mn&*twdp&!K&B67ooY7IK6iBjoz{zz2l)6S)sS=#;b6v_J<wS->6^!
zmB9=*o^WA?wd4-N=X$xqCLH;eE66j>uT7MBeAwQf?Lbn@wY?bYQOd<OHd-xg>h3=D
zdxx=VPTV!skT!b^noh#|^*lb;9UYsj7KmLmDRVBI@vc!RIXQ<%J<?ew8Q$>>Rf*&>
z!JTdHCX0Jd1g?};q+!w`MWi&A+>>G0s(J9t-c3ERUhoKxg$fz8pl2Je^a;6tlRw45
zFn`7N`Mcv>h{SA~#Ijlq`*jU7O`uBh7tBvwgZQh}uPZPk9_46%TE1HbQq)cS3yy3o
znPI<es>MefG3OdA^-{4`t!0d#L!Z=+Yxpq;Syb4xKR{m<3qxb@$EqI+m^QL_pf0h&
z>OC20jUY$qN!Q1Z5t1YcH@EgGx2L(!ue1iIs10e95p3_2#(gbzZJvU|;Zq6N?eBr6
z*1aM^v)glGDTRu=hN8kFMSar!rI&?+cS}SXSdr17zKXy^w%iCV7_u&haGRYyThT%w
z>G+)gyyy`+zU*7BLHk|e#UaLP$>S^(Zf)^J#K}gzt|yH`>4S_S6DjmkyuI%QnA~X(
zL~m-!2Z}e3X3K^NQOlj0JGYyQjukksy-hqcfq)=YgV2*T36Y5D3X?EKDd$l#65P(t
zFg*^gRoS;o$5(8aDuiY>2&wyCrk*{Du!xy<mc*W7Xz-3hbxrcFfJQv8U#~toZp?|w
z#P&lz!#&RS2bb?GzH)<S8ffYAtnhPT{p4cE{-6R(t@Igu#hK7bxWphA#7%-y6ariz
zUx+a@DxnkbzR0R3g5mRA@%jgB)d~^Tn|U1lCHS4o4@@N$LP%(=QXB+F-vr5v)S98j
z!zM?hDTI?P;_&I{k)^<mbdGdiJnV|0SE_XEdr<6XS;#dIkd+WC>fs`ML=(rgS#KL0
z4V@D2$Js_qmPpq3Of@!criW&Ojc+}qG8TISRym3-9Vp9CBjL;_^aP8e3PK3s1Iifd
z;^(7!Mvh7cVe&Y|swkxZyTAo$$O8WjKT+5~lFs3=m<WN~-Lrf-LY1@gh7U#ulJKnP
zscE5AA76BQW<)h<TbTOj9<wik4#T5S?$E5qB~X}iI#cCT5i9t4x`I{uRs)b4s)(m*
zHCK$12{;NDt{2g>q%&rfqm7$cnCfL5u~IL>bzl$q4KP$1(1S&#0_?a5^~^QVyy1<l
zcOLpZ?sZHVl1)VQ6NaGDDBoP)n2iFj;`8C}^UEv=s!qk)i>q}ycEYep+VjMtj3**H
z&F`)dzWr4opl&pXZD4;6mQPG>NV`vpGi^4r#>!S&l8@M&NZ{s6dLJxOZ1S{h92sqk
zTJN2ftCWyUw0TU1xUhVv7vLjUulCUl&rz}-soS&W442%$B%n64+wmgMZSy6tD}8d*
z2nXrz<my>Svn{%rg{zu>!GYUK9Rz-&t;1d09Fy89*FfYdNG;GQsDeePRdj-niUBL>
zhd)%-1XvmLr#Fi;(;aG~zT_n3+iyxIWwLp~r>XrSp3hTA;Cm}huQbz<EnW>+37tOb
zEY0hIvCt<m0k!s|klet0tnM>G<IuIuR^(q*eC1r3NK-al&%$i0-8odheV9WC9Mv7q
zrc4hE26!PtTIr%KJpEP47{!cJ2#R4MQo9sT<ScE(QVua5m~PRR7v+Mzi{X4w+~Wi&
zWNX5}Bnphco-l6CiVeAwr`pt~^~X@4$1gXRt4ym3+ZTX<fNhj>1B=aRRsbw&G!l^3
z4g-+O2uy_=MBckZHF2JBvTh=`R2;M#VQ&y@&-R99rYSnahRI1}F>Jj8)NW78%bW5x
zVRD{GCREFiHi2kcaDH|^juUjaV*I9R)@3-Ge2@8x-A!pr5R0i0?TjMN1aLSBedq@3
zw<$K8%wsk=Qi@NB_TCBVX1(%bFvuHcEAJrkRJ``#KW(O>dLO0`9x5k7|Mpypjs(a4
zq!*f&k&<>12@4d9_6>J8qc7^jW9q6%v)voeEZcJruw-mN16pejZ^b3<qlmQNIhFmn
z6(At?OTY`JY@xL7oczuQtq@iG0~A%MCkKoordpt)2y~ERnJ7c;uFF(pjh@@Ak`{!l
z7}rg-Wai^REe6>*1cyNAwamj`%se<<-fImEUFDdn_&nkXjDaRM)w?=iq`1ar$%a2m
z+02b)$g|JQ3i6X^p_Xm9cB{<qfIb~veG%_u=gKz8{5Y)%Xu>nY3QhPSWF>k7Y{X_H
z_LCS1YmX{!hx+PT9~9*O2X{b-zqUZI>dTyX2rg)^Y=6(NN~+211P$j_@so&o-NT5P
zh_s*=RXlNW%+5ROj?l?dHft^)skb-J0cd0wnSK*@cl50rbg#W;%^NeD=+`jSZ&tWD
zef?AZa7xRe?^&}(%;akzY7Y(Z>tR9F0000M6av@5nhgUHB1o?)W)T9Hra|Y!6=z=z
zecSqlVxq~>Y>m|-3Pk7MGSr7QxDbAt`AnCS<2V!pZm_kiCJ+C4XFK?$p~R6m+*xD8
z;UV$nB6~T3CHO&_AwyIkP&BZdoDbFTr{GdC0{1`jYVKNwJSvdz^*=fPiZ0$u*4;rI
zCc|exsT<9nr!l_jmJlLrzmv<*^i+YxnYOCw8r(R4YhRj3ij4f23*VqotY#5u`Pyqz
z$7%;{m~j9i^#ptgBvL?IM~b{-K9?q0lkaj%uV3!%p$A-m0TF_w1qD$<tzc^BKCaE0
z;fq%q&Ehn0m)K!Zd4@2m6iqV+LOqG0wBHaDGaTzflz|Yrs&&cU=>#B&DVHl4UQ$3>
z|BE_WV`L*Qr^y$D0trjaSp+PqPLKpY!M>;_c*aD(qIJ+ZpLtgOPoi+tf2@+x3W8!I
zPregGkwJGDr{XYC?gJ9t=-;ZR9NWhEH4%n7W4*;UGW;Pt)+p#y*B?#IXYI1A?og<*
zNFe3w5p3fB3*SONapuxp^F!lS_jRvo{+Y7R)^{#<N3{`V$BK|L(@vWY&H#(IXk+2`
z_@L=Oc>juGp9`KJDevp%=hCys4eIG!W8&V6pwyut(krHc-l=EyE_kz5CUa#kX%gNP
zj~9o)03i{^sXO9!K&*OQ_okHe2?-Sf%JM{Qw+UUK(yw}GR^h^A%K>u1kD5OL$QQMr
zL@ELJ=-3F=RMhzpD1W+RzmL8GzXFJ!UK~Wwcog6)4jAA|p_|6M#v`(bP`W5y>Q+!R
zYkNdk_c#gP)#xWs*)E%yyIG@DQ|Ph@TgpVr2S*}hzdy}aOon#wY<a+CTXePjHdD-<
z{kT2r-*v`hC)jswPIs{r4ag$@X1ltCJ;7uNASc#Rx~Z6SMWjVNP${MNM(AnJO0SU`
z_v$NIkMp9XxtQt8Zxedpz3~LtYXH@Kw8((;<}Wvq>_LcUFB@!ksV!>kw-RECl_@A>
zjUi#BtP#OIaUEp1oKh3__&1OpOkD%bI*hk@=^z{)VJA_y?vyf%0f%|IRR+jH({p*W
zE(#CUy@X#-#P$Q7!}ms%$~CQDombJ$*H$5!l+Dt~9x8Hw(6RgHE~~;p;~47>ofpK3
zebT|oY_;z$>U-8~(X%-k$Qpyge0tb=G=FrdlOO;94AQeGterMUG`nAu!CE409ys>g
zqGtOF1WHjd6geCO0er04$zTS(q8u2D+=j1H*b08>ybW{YD!6z{U?YPM!DzGxvQQi}
z_Areoo>b5V#@dtT_7cURgGH9$SUoi1=2)%OgW3_`dpVREg28VVA`M=PfXM|pSKh#s
zJURkk+i*cK+$*dv$Xk0uybGFpH}yPd6d!Oa_E5?aARj6CaRUGQEQD3WOF<aFDkmK2
z6B3TUv4XowQ_M~av(!jtc{Z)~Yy;4Ad;PbveJW0aqIH8eGDd8uKcga@3zZp{HB|N=
zrYv?Ce(pt=Qnx0g^2B7x<m6bv#4Q4ni&V{T$`%7!s{5&(0Ap^SvzS8q%pxLm$_zIX
zbfGhQmz`dv_82fDnmYs32AB0H8s5hhkS25Rj3Ag5J~clORjIK`aZSM0{##?X!2VSU
zUD4A3nsAb7*HHC1jLpP&9w6nNr|6HJ9C+*dVegBhWYU;+55(uSpnjeA<E!u&U{MLD
zqyPi<fuiaF_;TG=XkGVpDDEf;Au_m&!ug3eRP9n~e1YiL4FTTuOg;0vL82^Oy@U95
zupoYCYRpwPknU4lu%vm(m2Fyh?;y6W!A&JD25~24Zuz>ISO7G^*Lz{6k4RksIG(&o
z0IzDU)2xy&v%y3!u|liQvjgZ~sGFdYNd*1@Q*cEYiEq8qH?OE`W7z@9e|ad${LX8@
z9>dlwy=m!z`86Rt9{|cr#@&TPd@3RDc~+D5QNZr8t+2kn3o=eA-bGoN;d3JVL<`3O
zQqy^p{_=bAIz$5zk!IKHi)^04wf6^o8SllhRP0Mo7H#rw;pPM~rsC!7G)$+@+vCXr
ztxEeB@m)V=k4Tv*ZbyS>aIMwmpH=ca8~t=m4?M$7_v@FtJ)U|?TT`gvBEc?-e)D!@
zpeVt3@)Sn>3BNe+_SiNKMG0xDe&{=vf(64@E8Ri@zImX+!YSR@pT7W*oAYP~x>;FA
zIPi(A%I$|X*})&9nAdjIfh_>v&|AL;?7n^JV!>O{S7Fe~WuJfcx_6^us5Ge2tuL$b
zS{HzRJv5`h(trQ}HzkarG}W$sjJ)PNWuCCf^SW61;-EK_ULxwLyPirN+J+FQ=~5?g
z_=nB67q=^(0B1=5h_;aYv49aAXXExh+)`WKQ8quIjR|0cv+zXhvhSG^jQcSYx@zi1
zlf%jG6!)2Q2jui3(!CEa<@rwUX8kXIRtMh2N@EkNkjw_Kc$R1ypFx;nhB)RQBrEnf
zd;qH&LpH@0-JNl)OXub3F3#ku#gc?dKt<j?g0DvhuQe712}Iqj&ELAd19Ezf4V!k1
zf4CzhH7k9_MWw2OJdZhV3%d8RpUvDsCXoX5fngyE;Dvxbc}%q^9O&1|t`g&F4Y(r<
z2y>-QL{k`lGL|fE4oF3x4cGtsyykMqEiPH9Gue2GCDlaA1*fbE>&&qxmbd!I-W`Ke
zdhwFi4TP56OP@c0jk<w}S|@zZ;gSFpQ;^FPbabS)kmv8toLxlD9<Cu$Kfj==!2uZ-
zzZhgu-l6)nO-fbzm!N{Z8q3?U^|TttxmJe@3e8lq;h50Ln`usw?0$B8jg_c--zUBz
zXrkVx02Qb4hr&ENT#8f?$Q@hf1E9<;UE6_oiLD9SpjVd;u24##XJqSkv-tGoYD>iX
zbGAO3Zdw8+TUkU7(OAu{RKgFf9F$a3+--w`^29fZSMZFnk%tCP5H#=ln|R;DR~PA!
zR}SFI{QYslQ!e}fX;7NXfn7^vB9b!)OV0;P6$4`mWdQtR*g&fc|6Z4*1L8WkW^)7$
zuhE2jCCGMIYMh-KgIvy6Eje||YALiF6|PATNAY7El2-@7A4;orvOK}c*DpL=?IavP
z00DI6?G3Y6Hu<K0EE4B+<zmrxr+LaykR0CW#+yX#Mh1M1y;>->Vg=vZpVaG>3CL~_
zl+>7CEa3;;3)3Lc=<g997-&<l0ISBy@)uPmGIi@_4xd);8Ix$q_mWGhw#8NU_)iBi
z7T+P8m`nu5a@MVtq(=Zu4#HVMpsF+TLyWv!wj%Nt%~nwXQ*c(MTN9WYOYemsi^?~K
z4u>4Ih^_Wf>}P{Le+#2HBOu^}Qhi>1TmM0(3;vFMmPE)8rAk26!J+Se)srz3ZGRGF
zCpTbxf-%oVS(uHs<VG^CCC3t=jPJ<BXJRfSrc2KeX|f17qH_vN+9qjmOdTewuxD5_
zh3L>+CLDHF-|3bPq`_(r%hlVW(nrdT6L}_3PMqm_P$V}>Q=~Cns5~)Nd{I*ppB$a>
zUN%gp6v<cmIa>;nH}zVCCOFb<6ygGMFsal9$?SM<k2Q?EZSw?AOKOKvYH_!LJ5<dU
z%IrzVWyGYatoe(kz1D5uL#S}7)iuSs&rC^ui$dPb0Zsj~AQOW7!icMW6U1n=R?ln!
z#;KGCl_VCIx-+LUN~izLEyZio00002=*oA^u;(F?E+VEHFWX5#0rIodi|K#9<@)v6
ztzYeos1EpEA>ILRmm(r8>aF8C)o?@~wDfz>52!asrfGy&A!7Mp9%|2d{X1kt4_MU6
z%Qjc<<zR#qGi#Utdb*SMZ<&yqf|fm>u#}p-mlI*O$t(?8rK}%Qk|%Ko=bkCe0YGG=
z>S@7?P}Y!pEvDdIO$Sk0%+&$NCv23Ol8aQ%PSs!bT0JqjXOZU8Bq_#;*KsdR>pG*~
zwrt^qt$t}sSMl<lqLKPCsUMG!zaAv>^c5O*xG0Q<=13$z;1lOn3m-1TVeZ-0glBWF
zSuEglXm?G>-Ih|_lhibqc}*G8$-(MzeEv%!KMAf!oRrlDUh)wicmIhC38EfzBF~pM
z$iUG7PTbV*aI;P+_&Soly?_o@-*=~+$fqLhWUPYo1EdxX8qE?}0OnlqESG$PRfkaD
zU+XEwWUZ?al^N0`N0l&Uyw0sfCY+j*sGTc}+3X<+Y{9zU*=TQtZv>nuS<IZ+vN3O~
zS_wkg#5$BCa9ub!uDTuLSngzKyXvs)RtfF~{PcJYZ3)9}fe<+qP1gh%g?zyXzyW1W
z5x=6{_j7puromQW1BcE5AAJp0)z;|a>B;~-ZL~(=1x^4ixHtDN%O-lwbBn+r4vwlX
z{hQp|3xlmC>)nhr4$Gvba1^djgjbEe9T7Aq_XD6KJRjraM!CB`pa3jfy`kVVcV-bJ
zmgz8S(CGRh7sLaL6#DCZ9e~|+0sFnH1CY)kg}7o4l30vN1Fa~JAyx;Unorbux2Ubg
zP@_{Wp_*j3+f{K<o*TQ2rg8R#%0{*r-ljM77eg&oocYI;(CCxH4-1waTuEPNtdn`l
z$x092h~o%Z&TfcjZT1fMVpVs7`Bj}<4VZ057~|Z8<9PT}!$PZj7ppmK?}e9w@-)$L
z?=S%{5f?VNs&2*>i;_L$-VuJ!1r_<aAu;ipXH5w7n@h6-8x=if)@O!p&Q?H%>o+om
z0MaE?Jrf8*1aV9b-O+;)T~xorjw}{4=AC0!!#~(TDA`y1IOh93+*Sq*V;En!IhlRZ
zm3H-FE+n%zE@n1s$Qzni0=N0~)*-Jh)zYJtTdbyXcaLCw7%rvk#&v4EF?7{n((;~9
z@sXSj2B7kV#!7C%KW{cowaMGNnijUT+sAGfh~s>I2hKo+Th-D;rFpS2Q90$yXN*p<
zI0l-hX<d=&NA1Ry*70Nv{$2pUYbP!Wt~cP8>*I$@3mNzXOe)#gDD6)~=yzO<`yad^
zfwoyWWSa_R7pe3jKmY&%rn^q!<Q)1oXXt|LHqPPYi-V+ce7`$`3bYt67__oN$Qm*B
z;E=NmO$OI|;N)Tde_7&K^+sj_!m<Y*a~>V9`ed-8(}Y_NMQd?j8v&RnyhI>ghUR&1
zT;a7W2X}%=#9d(xn!wXfuDJ;sbak;)_Ocvqn}f+^>kWIzO#P-`yw(1Y5tJTOMe^c0
z+HeepN_s(j5sgX|*mI|1lu{r(ftA6|h$haKfujQmSo@ih3T9v4KL_jArQ5G%|0r|N
z`kcw{;#)SpU5LZz2HdQU?!wweCupPZ(jb%4sCtd<W4@i=3V>R<7fBS<8_c|T)!%l+
zj{gSHDu<Fn7-eu`MSZ4+Z2nkKOCa?}EfUGZu$X;Yey6~=KCIWD-{-&Jg=eo#^i0Rw
z{)Jaxx{o+C8B7yJIN~A*!H*@{ejsRy8*>zr3pJ_|B~6NzZ)BMu=KmqW8rmds9rr_t
z<yso#b_Bvl>25_76<z`~<Zv%F<Tqa2yt7&>q_T$9T#im~%qkzqSvqdtgW#Q3G1gkK
zCVyX^C1JRO1Bo-XsZ#dXZH{c!4~NyKf<D@_CZkV0d_CX(+f!;rSCHricmM%vw~lc6
zwOMNI2t-&)I5JCy^6vH-S&z~8p9(DYr{&RUm?jLr2|&?muvJQ?D{x<dE1+57Esqcm
zKMsOAWaSbX6b3+T@}2>G*bAl6nlW$8xfL%rJm?GK*>=xzXnxXPyJ6`zTLZ4N4@F87
z?SdUZPKY~km!9diZuWq*2s301#xtuk7D$DVqL;ZIGUhwh(rV39{R!0pbt^2**;KA(
z+lk~+LCabTx!?u?=PRrZwzU`cUPyIw(}5zrpyUoG!;^4bX}$%*?u=5{pFAP97fn^}
zCp*A`vKFX*3bVPPi0{orkguK;DP+2_U<NfbYIebz#1ZHAHB5JYl?P18L66`H(qA<w
z>5#kT0Slu9JaBEnI{B07ke4>*B=HmeHUPNd*i2##x&g4Zo2N;M=oO*e5-LQ~>x9`z
zaMzj8fO(hm-@E7NW8=foC)EIz|GZAh)77@fD?;Cz5cDOD#C2ty1W)2>+?{o6nfn(&
zjdJq2Py#Af!(vJz9=yTBShe~zX=c46TAVFrsT|AJC1=|ra|Ws|xC1wLk<^{97-!po
z-{!IXgLdKKvzAQr5zC~;`#oS+(Q6|CME2JMx|9V1u-`TUqNZuMGBvD)BFv7Rr&5c4
za2dJ8oFQF<sk>q&9zdikDn70TPfh?L%wYKSF~t5{DNozAwQKA9@-0DFNn-`{5xy)=
zg9q6K6{^c?5h0DhzyJUUJ?&H}_K=e}ICr9Zv1%XT*YSEfiFQHhad3h3{O!-HQ2=EC
zAgUf7#1g8r=#s^Nw=u{=BW{I}Fn$%!{3`{KRzS249!oLutfKXxgtT&5MEkp*T7Yj)
z%Gb9Xz(O{l&Rz2;=pt3mm#wsJ121={g09pweT4uZ$rwMke#NefUh9H^<x$^=*BBIQ
zpu0S7CyZPS=ph)A_|Fo_M|RXFL&r?OvxQ4y=OG4#8p6uMOP|m_Uo+zlhzpWt=!z}h
z9Js*T3x4l7HnCYsOT_tfa{~JM7lky@MhNA7rs49#C>={?#C*l9CrBus)OfSm)ZCKk
z=_yeHy1=TNoNgOelr&=*``+D;&tV&XG|bCRA3QClIxHFwH<-$X{t*=rICT^Cm={cQ
z=UYI~xAJ0^-!v{wtBSYs50oT(71)#H87cw!$UC->$}TI@<cd10zw&tW-=^!EUaWPL
zyGBGechy!y9=vDl+D$f9@!i~px-w`=X+zSa%g!|p8_H|jgf-<iT1kl<=AzZ$06QXT
z{Z-Ihb~|7VWtv0}UdV|4;xLw1_slSr5@>%hS*i%_8G=6u7JEW_-`svveF!J~XTZMn
zc6>q(oytS<YA7%xS^X#fTIrBH&~DMPIvna&stKI>j(Pb55IV1&ekFD+>3uq)`=P?~
zo?+l~RNsclbFSc_MPRcZtPK8`&a1aS3mCCij!>$2(jwq?2C*<O@tOyv7IBEGCiOuy
z!8mptQIy;d`kB@rQsUGZ2Br#$a=8fwQ#nK@pYn;RvZ08c1CU2xNOd~-p&kIxc8|Na
zRNIvH<s{X7s?K7MM2WKA`iyj{fE{E=-4y6ySxB*I*sUCYIlnCbOR}Z~YDd4JAH`Z(
zS{yZ#v6H_U68r?#B(+qpX8-fO0O|lLnc(g?Wimx`?ye7QUZPrUGoG0U=U9Pr?CF<a
zwJD#i!ZKxujB>o!-ZXqAq24UJ0}0x?c1*>JtvqqkHej{+{Q_?hfPXbo)#h`~`T^dt
zb9{I<^h@0cCsDl~`+P(vJ;z!s0Xd!a3tS)^Qsee3m5TLggh<E+Tt9@3^NrN%wZf0^
z6SS+a!?->VKAroFq3F&P^-ADaf`a{>SxF8$u^#{x671TCY1N!5CpJ{d<t8<?c-PV-
z;Oe}P19grs5~6w!7dBYHKc{`qn(A<~7G>drsJGa>AamZ&BLPIG9;mO&^PJ$d_^o~l
ziy)}_rK#MGTOXPx?Xa-hKmY&<nWfP74Kq}WuL5(b(t677=3_x%zu&RC<-!)dQN;(%
zlM`irK{(z~3_a1qQLB7wBZ%ba4_m-~W#|2K&wPjxRw4{>2lYumN>TvM&3!P(2hdvP
zB2Ipc?;vg<Tp^TMc4s_K|0bb1u4EjA#<f3GmJf*5F=uk0K?lYrF`03B^h3^}Ct-dI
zwcAVexCVlRCySVGA7ZP&_m$rljSL^<+xOR+c(l)_9Cx>H2TBW5ul$)9^FODZI+;Ns
zm3lQ6T9d2yy4Jw?{re9o?yErF&U|92ed2UYcuY#^cgo9pCI7RnJGGoCsOqCav5a@9
z&zS*CK<vcRp5h{*HyHCKUPsI}FESw49^ep|1z%S_c}@DHI6RiQa6q#HCmcGQ&<Y~Z
zOb^SMzSvOk(&!=4B`mCkIkn4oewS$hDiJpvv=;ffN!z;-=ms*P8kCj*sDu`<XEJsK
z>)efOyQ6N%-D0a9BV{gYKoATFm@4JD(!=#UJIA~13~+IoNDd_pg$Mu%v8&yXT-xo$
zEW`NIc4tP`wjTnYeJzsuEes0C08!yUl15v|+ETA;=v{t`0nS{&Rvs_#Q<ogl_O-f>
z%iqUO&M#C-__W;*_hlm3Nk;RRDxKNE?ob)Y-jA-L+OU*@bInde6XLwLML9VBYzQ(Q
zxVxKsqV$f1b&*uL#^xr4wCD-lT3)uWZuR5+n2?r(81q?;6+Yb{dH2@7h2>V}7fj9S
zuzZ#W>qD0<PRWsR0;{sxbky+HBHYdbiA9n`Hoz*l+FRT%z`7ZzL!|DY<RNBO0TwOa
zWba+snHFRV(|1=IM)<VfKJ{;CAsNDyxM&8hmC%%C23pH=dXXqgd#W_Df!YDNlfg#F
zFJ}@71NwHYg@9g|Gi^P(`oA+I02N)sNrBsjv3Sd)%n)7cvC1BV0i+IW`3;yW3MrwW
zu69y;e*b4vv_kUiZh4DtKL(0D#z0@eUaDw?lB{4+548do=)0Z0SA)o<A?w^{5`a7O
zZqc<T&$WMReOOvxaZ8WXX!Feziw@)97t9`Y=9nG(ljYk{=|!_??6vOB@4*Ao2_<J9
zlVvm=sQWj+!MuR#V&MzJLJ6yd{9UQUD#cVF$0+e{T})61>GN1TtJWbkiKCaq0003n
z3rI66%*X)c@boO<kK5D(ok*m6J*e*x3ipEpOh~uy1l~tAp{M@21bMsmsoSQu=<OEI
zEwvx>6vso#iyrQV)v%k)g@_Ar?h8a_+!IdgEw2_|;WHODXS4=|NwA$9Wx0yb-%6HY
zG&KgyI-FuC9HP6J>C|L)^lr0{<7L>^6!JRwuSn5KD^q7ej7w0f+EXPtNU5V+zy*o!
zqoBJgtbd_=`uo{K^O4ah@2x)F{^@eOMye2q$I~Zt%K#5Ft~t>jp2j03?t)N-5Y%%Y
zDr=!Um^4_U%!Yns!axLB&Ld!^fJEPumvHnJdGjiaMQnI^SI3kw<i#){xyT<_2M|3e
zH$qU%NxYC88$RY4%GzOEYO*H3BT6xdKOV9X8c0CgNnO#K%d<!pmP&1HfRmf44H~E*
zTV`|c8<t2Zbr)-8>gCu~Is%L1g44SJ^}s_U`qc!EI#20&r~*V}p{?m>sTkDah$kfu
z3HOGM_K%fYJpFW9xSMir{Hzy%AOMiFht#^RgK<P-+{<Is$O}4J3rCkoJyLQJO4*p5
zPt1t1rg%YmgJj%(Q+*|YsoGA<34?3O4z4FJ*^lzO>MsR7&>cqI#%@{a=M40B1d$!`
zRm(zHVA#DRMn=P5rh*wiKcnjMm)0jaHlQA7z-cZuO(y$%E^Uu5HSJ=jLsD&(J*1Bj
zpmJxle}?*za6jQ;5{j|5Frjj!xgh8r&KR3yj@riK&JoifQdg7JD>2{sIEo!r@Yt(K
z`vt*mu))owtdZ-;p&evQt=`E@(H5ddU+a^o4Q&lMh&`T#+nBtfnO2vQi9URILt4;U
z-a>K*=l(mAe<K^;Qzj%ohziUv%f%rM&ZPV(ZCQRF(u6uRNNGw(>`?FaD|iR&hp><S
zi5hBOSvkj!jijL!!W-fNzvaPaf0!6tM-++>d=)LuN<HetP=p0(hZGkO;hpBQi69&y
z>-%vgLae`!H1qCYo;fwJ{?o9DsNS*t+dFU+fODJ8gC`a}@jPldK~o;{H3aFebWKFx
zf<VovJ1_0ObfJ{Xi-1)8qzHaQ!+EtqmJt+-qdC9;0`V>bD4Z+3BqkE=cx2@FnMtd2
z60)*r(h)j;ucjJ0lA|GB2Kj>wxCI57O@agYrq(HS#;JB5WoyedPyoZ~`LdpneV`Z^
z{vGo6l-PyjMVmNaBS#{AOaSzxMR^7^bV#5wUVLr}Ks8;`Jb%SWCuh=UWnCt_z+AoF
zFIwOORu`A!<W(1%<=(}0;{0ol?pP$OS%o}EO})K_0`!~Sf<nP{16?B_?fb*F`mKob
z!4~S&pg5XHedVai4JSFpUJkfFq1Aosl2c^(^rS)OtXQGIWXX=6PxunLSgDZ_G(PkY
z#uWM*awYSF%U+&%6RUHpeyK6<Z$G@#kb(+i5ecw5x1{ug!jS=+${Q_|W7Cmo&Go`v
zewAtHjBaK?qi6&!piIg@GIoP2U=ZRB>y@lE&K@YY&g)e%F}DQzyNZ?>%w2`EzF@<_
zKC0Mx2v?;vO}bR>%EK9xWn8wv0VgCYF<YNg8CsBJNJB)bZmke~)B4H>1i3v$PKH)z
zCYh`nu07ptl_ScgO~^oo)B#bzO9!>_&b-`|nY=bW+LqY*r9eG6r4SRGb;cIQ(ts<p
z+kGiH{>Ph|Qmip1lfq+;q2s9p99FWXJ+HnP*@tchW&Tyz#hV}TAR5W><~pt3e1KIz
zEHTg*ui0lK^3zO)<O`@;4lL|tC&0b5%<V-+F{#rUpQAK??9w%ppv6H)p%L>BufG<T
zaiSH+*f;$@F}6EVp*$Thsng4*!N3r~LdtAFEMAXbep`SA8Kw?+zJz-QqBgPY^9{hj
zi!*7zd`UfIC=zj#pcVOK2!RmZ6dY&`682z`2mwG}dnJt|7@PFduhbf1EPLjK$)uMR
z-yq2+RSOolt>L*=J&9d~pfUTp#00R({rAuUVqbwgF|Q+_J49Ap(F>b`D^bHHB{G!w
zqd0dW3qI!%ptp6$Y)^Te>j1Z#9T9_vlt@T>I%7!V`l9H*VtnHsTq#f79+x;?PcHVB
zb|UcB%yFE(6^<}-@DL(`Mo@M+C4ZG-wWeO-yNv~pfh2K2-YnbDk#bHr=5;7FXu3NO
zsD4MkEj}%tdt&-ICAwN@{2Ti>^Fl%3NFk~e;jNO3(GBgtE`gyuR--yf^ZABFb6b$3
zgs-=9StnYgQ$@+t$Gpu_FTMm>;bzI=R~FqL2<DzVVgLXI22I-dty*pX?`*fJlUk~*
z_<K6n2)djB`c0_5+~je)Y&4wu^XQH=-vOOPV4aI-WS+ShaugojEv@MMwwn!F^QCk5
zjf^Rzjt}z$GPteB1~kWCZ!^d=7)ue~=L?jQm|!3uqX{S~jKA<#D7{1Gq&m+?gyRBq
zGwZSA8GcR8OB47|_b3A7<@5>;Q!~&~`CO_{OaDv(0rvrh>rhC2Qp0|TGGTmpf-ajS
z!cg2%?Z_Ls$ze)_>7`Yo!g}(88>`b~6B<m(Y}IE``L8;TH_bZOJ5TraTevR`XE1b5
z>VN?P1KW!qlm%hF36;|hGKqH}q^qgdc6988S<}5o9~6c_MiP{fVbYCMXYCzRygy*Z
z;g;joJR(t+Kuy|FE#Kfj+4OC~wQd{*O{{ljFY7nf{CF*12hfIW0!POnq3htoMhxGV
zQ{7ZQ?6`s?U$rC+lxkT$KVa5@012I?rV9mlrB&X^)6%Mf9zTW_kHU00-0Pnlw1%hh
zEM&*zViE0s28c;4uL`ahPM!3SkOzZQwL$!IL#afyho&eBo0j_8!9jb5bz2$HOk<{D
zT=bOznAcOP)qCv(=rWK^pLX=%<|*M6S#}TTervCklCG!{Rx|7Zw-nMKd>98915Bct
z<=nT!0!m`F3W}%mQ%^53!1Gni3M_227dLC~b1Rc5L+#lS$u!zNShB?Bo`g-itU+$!
z7eiaRUMm-I7Sy*aSNPm*dFs(n*I6f<hYdb<Nx8REUxXKpT?@>qpAqpazkYQvN{B}h
zlpOR_p55uDCch(|$DfkBv1a?pZw2_N8~ezJ{lFypg^uj@;G%WDaO`!LDVATOsd~<Z
z#zyW{6Z@Mv0;+TO#CmCrK(pYva$-#{BQoRm&-rTID8u!^J3C1*TfJUefrQbMEcla~
zfH*^}54T4L_HYs>Kw)IEs14Z-0#>u;642lE17exDea=EKyPZuenTt2LgXhH2j-I&*
z{TQpN;M`bCt57gU>pfai^N@X9vt|iB8}&}|bRH5*SXU}%=POrgL=(-NU;qF{@CtYA
zeD#X82j-m$tsj3om)izinSVUTnyygmz&bnoHP{9xFZDb5TkjR<kwsqabe3%B)S^yK
zy^{+X)zGWW6<%*hE(&+0a1Z)!#4<|7!tgknn}HK0v;){FYSx8EV_A|Ch$$Z7QMWlL
zjJ3K4BbTYS8x9e#B_Oqpx8v21X~z6BZYsHGDsus&bg-mA%vCjoi5Ij#y?c>Q32{KI
z!?cjURym5-SyCqC*8P!K7J|%ygCcQXs_efYnLVg||F;?G6eGvahjw%S-^v&OO7N--
z(6DMm=XC6bf&Lc8TI<2S<QhhS@mFx!GC;6zp*mgDcaHOV0HUC|JFOe*1Mn+m0;ee@
zmsaxf-t`?^8VI*p!DJ^~h~JWGLCOb*$9`au9hSctzq|QbbxaSF5V|t!4-d~EgFiHB
zRptYlq(Bj40a*y%&ksVo)reWfFjcM^u#~XMxN;BHJ_vi}-aZsw>INFJRxoR9j3gZm
z=c4d)jkeD%XAJ$J*|`sss2BSBzSTUmVm*S++YyAi92+~sAf%VLJGYLCrI}?!1Ku^?
zHeC=@;9!}F+}g;<I&k#wfVc|SOP-~guRJ-SeEb2pGX^D&t;TZ(#PQQgl+P*sJ${=O
z;9S&L=TS%I%WFQ(P85a*9yv#;Ly@2j<3ui4L_-XRyTM@1wQan~6rovG?Kx}vw52UR
zhdZ|1=DmT{!7Ta<$*yRow*9s+us7@J8z?od?)_N}0-hSEZqo2;Y0)D(&tYyr^tO(6
z=;=0v93Rc66R2k04e>Dm0000^6+?hJv}{}NgB#e%6SrQydsYktuj-|c{T{t7=sy!y
zi1t`5M9I%8(a6T|Lq46|V}KU>zbJQK7PU=@@Q!P<z8^?kXBYLrCTq{P-6;i-eF)Y}
zv$<6F)tKo#SKzDU7+gBZJ5AC3*oFHJ!g68XYv}l*eOKTE86XpS%EUe7C_aFz_&ufm
z{B<gUaoXy7wl54T8*aC#SM`ZUJwLo76LPnKI-==Eyi=YW3CBI}&#UCN7;G<ZL8yJ}
z<R&_Yt?d8+9v{#^-Z?cZ#lb!>M(?phW71RJacr4}5(8a-=hIrY<aliiykvAy#Ji?L
zP~4j~%v!R8@p9(88*iw*cab<?<_qxZ(j>K(^+s*pmUz7AyW`s-NEIpZMw%CM015l7
z=f->s>d<AfZ19R^h%NN5v-)S&uItrkq>&SqCQa&j9PnOkt33>yQ&xa1aSoBNGW;g4
z{3fUx=<rMY_q8mk?$*Zc@-v?e+4B$Li80GI1Jg4Qz62Fm&5GS7!h;Lu4Ov&;i|<WR
zp9Hm`Un$Qf&?Xl$I9!}1Zp64;7h?!NZ+vSHiPQ#Y`ZbXo1`sD<8$1dW!T<T1t_IE1
zxT!<yfW=Hf`L%)5cMu-DTBH%sJ@YS3v=X}RRDzW9{N;FM(N`-yyPhX0NIP$Vf~cZ4
zky6PEfP4E*-F3~r{Q{@Q8TBbbXh)>l5yA`mbSKdV$>iC=KQv<2sh{Q5dOnRI6SMPD
zS#mkR!rV{bB1Cs|aBWs{dr+nAXQ*acEiM0%fG?ABXCBE^s|vTqk^Hfk2j8ba@6+2G
zWQxXwd|TAq^_9(Y+{to@Yuwt|hSvgnb%^noP#QQAd=S3PwGvGX0002lzZ_fmp8y^v
zvQ-7DWZK+5tS8E1&|d?^)phrSDvOOLPC9npqf8UPPHNPxj6{h&;?YHCh~5%%3J#+(
z8juJK8Gz^tj45rV5~v7+Uq4*p9tSL$FoHshKnwIydIx+GI+0gTFvEQK(aiu3Wbz{1
ze4YBAnb!(me^5J5@XjXpvmS)d+6u=?G}gIAdrSq4Y<yZ;b7U(c@wv(I++g6IhV(sX
zF0?iik8lvO$Ns7r?bQGQVC4$An)}HOq&258iaoE*OKpX$tB5S#vLrIcB=y@qS=pE;
z&1z6;aTB)2j@Z`h?LX)X7V@xT-Ek9QsFNDu+J({|(prKof)zLM3f}qNjJ{h5Xcp_*
zVQ=#<+sn<PDkdsYq~neSC09BqdDAHSMmEP2?=4Frhxr>VH{%{AhSV<VqV)4>m=;|f
z>4p=)9*f+#T<`lf|J0}a5Ijn89;^|sS2G}aR1qEvb?D84X?4^VieW6lmgWhk{GK|c
zbs!@O;^pj$)1`#K!}TPG*j-4dRPmz>Os*9V8@35^#fJ0p+(@aWET#xb*v-NO7gh=+
zp+P`;wo>duQ4t!?Nmutm%phpzmZ>mZR!PyeHx3&C00000D23uwL7@R^X)3YJb%Jex
zovo5+L=INsK|cT(<F>9Zvqf|8CI=8V-mbSq!*xL}G$uzW&d*)D#XHa!>)=BDo~uNR
zHr_~fwXeCdK^|Cf1s~eQ?q;m?_wXm76#Na90MS~VjV@YocY5@_&XU)`3Po<2HdV!M
ztItIhb0XY;D9i~t5`((edkWZQ*V6^Z-*5|X9PH!!yZ|8`&A^5ML-BR!=CfFy0009#
zkoTL)WE(qb7JH=+tE3%<IX*HxcSX=z*Hohl!rWpS90>~@NtI}YkzlJmt0_l@s6@ZR
zS`G6=d7#-sjZ6G4&oC4)h`}PGgCL_`*MAZQ1`|;RAU`2P#z@!^BuGqYD;b{BuwQs#
z(uBMt_YC4y+xATr4T6k9POk2>_oXlZQiMcjHyk|OL6e=tGEd4CO(U}bNt)5pt7Q!8
zoN-wxlYm80Opx-00??f$F|qaXO&cG4JNGc;z#n6>wl-Y^SicK0`nej}&8gIie*?nx
zKs^~y69-VaTS;i3G$h^c*V?Zz6U?qB+Q`^oEi`etw&jZftabps^y;^@B{*7^H+OIk
zUx0b0-0b24W?_H;00xFbPCRDMl8MM`^XVXxsy!L%a0lrp*8AdYzYWo@9;Qz7`8+6j
zaPh(S!|$cEIydhmb)dbBh9+X2!ue82(p7I-E5w#W2hV^xuw<vxqj`&o6wicbwsH4d
zj1J(G?n8|4*okWPjfe$)uKqFw{YQkmaY?o(ZVZDr*J@Q9GywP4j%#t+&C|C-eX%!y
z>nAD_V}FnUQScvwf&8ao<A|(u6L5s*R4w8LOCv27YykjD<q4+%00EzEPyzCFc%)j`
zi;kHgu6`X~Q=ZAIw-qYgi_|GN3rM>>W$IF0@TC7+cO=LzKFa&+$)#rnPoJR~WuQho
zA3H1u552a7hOwn#t_0@~J}8zI`=C!R4J==!PAvtd2Z(Cy9hrkIx-edLwtGm1R&LXJ
z@OZXfgE6r@unl!Uw-^Cht@A(t0019I2h5j}6)G*HY6WG&5JKS!k4Eah8at5#4%N^+
zz)!H`Mou(X0pdCFeE=1bAH(iA9dun{`2*yif!(4LJ@XtV)tohgWRxUIt4-z@8I04H
znFS8Bo|6Q+NIgrfPHcNzI2T}8;i#I8ZK!?_1QY1~1ak3lUtLEdI+3ew4$Is-diAbS
zW2FH%r`HlQqt0!=dW8Xr7N@mXfbAZpulXYqQ(l$m!wtKd)~~Cv2BtE|025J(6pV=N
zm@ej!TwzFmsp>)Lfqh6LB(VcYoOprRM#qQ|6RixlAbw{46?uTRaHrDh2#OY~k^N=R
zb%M0O7(zcoQ<AQ0pH-Vg*@+8uu=ULLN;I3pl76Qsuto-<oY)AyROIJNc|=83jvYp%
zbp`ohHWyQk)eNZD*laaVDc75<hn289*E>$~%gaWq`yJT2wlV69Cv-I~Y+DLQKo>k#
zrIoMbYBxVfc-)O@p$t>hHTo5NauT8Hpke~qDJX^q$_7VbgeHJ+A{7cR(2hvX(2OTC
zLzJ{LU?jR7fB*mj;8bUBd7@J+J;8TI;yUMN%i@vA7#3typlQp3DdHzV$fGwf0=***
zUC?4qfw*pw#5yEom_%~p%YB@Vi4VGkd+aapng}64H)od@meFY|95A~w>oAxhx<WKh
zl;WE9C&l$T+>>DGX!NWOK1gID?*uGxj)Ky8a~4??mk{=^p?uS<wE-tLCx)LU_EL)x
zwT*vOjuWNJc7+4Zx`r)a0=Naj-|-r7d19bJ+lPV%LJZtG8O;7Y^nd|AHHG!shrD1e
z?(fe)>6cqfAGZ-6%`vsYz3E~LJz-d+)KwVdI4WqvbY#?Ee-T+k{)G+QCvGiU07ozx
z0cCPY?wKgXCb=r`{G}(v&lRFjR12mRVjkzQ4c-Ckl5$$mXRfnLUqmfQP9CKKcFMah
zBxleb13*-9lLiZQ<KzB(cb1EA+$9|<fa}}qn6cgS6PK(Th{G7-4pIlYNHTz)sf`c8
zdK=>*SHjJQ1*8zxniE;W=(O@C0+e`m?q|M8K#gQO<c~}%LzIU7GxlqIYM})G!+xS`
z`tQh8V49-~6x%H*2zmMRhWdAl5I>8WN_Fx=lA8rErR-f*T(Q3f5lQu3wjIjO35+m3
zLoTFX0003Fc|R|SV?f<l(9$V7M9yB1!J1ZN0SPRqDZ$J`&mG;;g37=`N*}&@fxHa0
z*V+oMP>L;eCEK)n$?cT}iTQ&20N04Q-0o1g93dc2_z>rYAWTH&Aq1(ySqt##WD3w6
zVg@1=R~dD47h>riaa6A)H|COk<9@k5*q;0c>RC%iCGNcoE@m+C9x4R3JHX~-Z2#_r
z0v8rCYq83vC~qv9ueU9Zw%9{*G7W%)RhPjLd%nVpi=+vSANT=Gn)^Ia04A&E|MS$k
zLPj(a=9I2Y$3OAVh@jPN%=mTBIY%t_ksTH1UeNIl?_O0hB*%2bXlFD|51cPUFJgV}
zqLifgnP+f^1KE(o1i`=>f58u3zr51pgM|!wEARr@*BjkCT_}WIrb>!g{}|H*7Mj_L
zW*#_V2?t%>db@{+c@(Y$VeIczH*ZfHmfvMYpC|;>1G`s9>`ouZMDH)-$`5Wpyz6U<
zQ;3tb=C1uljffA<EMoTWNOHTtv$Klbg)c+$#K%~8Q{ZItbjhGn0iO7i)cl(e?J~vy
zgo68`YF}`>`VPY;TJncbQVTNYf>!zEon(J9qWVR@r9Z`;Fg8vGZV$3Rs`RLIdEe3N
zrH?mn6Z(0Mx^hpOn{mtl000+2CubY$d2spM7UPKYp&knG%5S*Fy^}WS^P}Q$ZuS^-
zqXlVZjzh*m*Rx$=0|Ws5q+k(;M(f9D)euQA=p_xBld+1ggxsQg2Won*l%3tK2gmiT
z%wV`&&M$c%A+@I9HaLT16`ID#AtFL#G0GwPwgJQ!k3CNS`TZ}dYYy4?FdNeE?v;B1
zX~Lb7h{=@n{aY>tv%_6Od%|K;ppKrRa^aQaT#cx$`RYBCZ7sGuoY@f6AXpjTvIViQ
zxk=;RmM)`LCThDQMRLHKD$oEjqMD_jnv7YKunFh&oNvu8<kC%P>seN{kx89JOp(sw
zVRIt<!S~qpw^E2BM>cF;?7ahR3qq%u#G}VBLB;}gx#Mq}<D;pIBmo*r6a}tBYV`>R
zVOXa208K#mgUPl>BWUJ<9dn7jo23|;bkOIxct@HyxF0<5mYC^^$vAQ~Zrv^t94B44
z*EifU;1|4WMN(4#IZ<TQ!9eT$T@pT$@=$F~m4f@j4s!n%GH?g!<OvqQFnwIUd%hf`
zcgt4S0bRD%7mV~Sj?Lz_fB*mi5!6Qa*b$}lzP?ofnrT{|dvN;>rTRG~TKIC(Gn7>~
zH`r9Q2Dar*?UaAx)q7kWTA%T$78!zNhe{FNOiTJhJpkgV5sD#S+EhY;-pHveSvAZg
z3G&JW18*X2WV&fvoi<{RpnQ~r9X0c;c376yX4$ooF?E!dLWF~=Lo#4NzB_HBrM=bl
zhfK7A5SuXkjbFDx^QP#FFl^MoIl4rH0xZfX$dAJ|!2xOrh*WZ?FH$Ot=dCN^+GSa=
z4`9PxSvXqydN9U0E4T)z&{&h0ri3?!AUnhm`STkICGcDTff0Td!OE_@yjQT{f)bXA
z1Z4KcL1M5@%eG{j(bB1FLLi|$Bmv!VEln1%vY-Ux;r`P?<=W3`9{P@|ENN>+0x{cR
z09~+sMimKdi$@PFfCZ!p4K}3(%jPEgqtI#tQYGvvPS^CMAE8kX2;WX$D25Ql<wi3A
z0004y>CnbssB5&=z#?xEM_uZbXsl5};cQPf#L&Er>}R=FfUQ2a7jhm2VO@1M4UD?)
z*1$y4K?~fa%NH12kWz#2jGih)-xr1&s3;&w8OWWOd=rz$pt4^rGtiVM9+5#AdHOs8
zac^@y3q#Dz+RZ~$ph+&m?hdB-ZNL!W8%Y?yYC!zbV4F?q8esx_pr$|J<cJHz$Ah8}
z$FZemi5xWbr0FvxEqhdcg%J;+j?DZ8l0)TpM|*9G+0dn6MVgJwmU0FPh?GM=D4|%W
zYamPG0=has2CI6#v(xu)bPQXr`_;aMxS8-RuR>@V6%KY7o6G}o5xfEhCbXOWA0Pk+
zt6J>o6q4<e>GTtO#GjN&Il0|NOWvP`DMT^;e^V}o2(deRnW%QLE#g#LkuVT&htz`O
zJ=|HF8o0gHJ<-lC{XkQkGzsyEQwX)cJd6(3$9O)Q0jug~6tmV9Rh#zTAT!36QPsLl
z*|2%yiWPZ)x|V|Z%6>nmN+h;@=H(w-8PJ{15k^bUx|eycvqF##8xSISt6LaEn<(o7
zS~L4q_0Ut<68PqJj7`v#F+;kr*G~x38>rd<000cwmaB-ccp0c{gO5iUjbn?431~&-
z8w9HhCd6=1(mEFNH9D)-kypoXF=r-9G_@cn-oA0=Jzx+_b28nFuRh86?X|a-dG_m&
z%n3}(YiZihM@9W%#uxqWi}6ro_m1f(r(&&$U9W(Vw|1RQpNdZ#v0cQf)JgQFh$fkc
zdMu<4b*X$*F#5J<vbbV3@uR5(gxoN2gfZK^UNsTBsuypm4z>6C@%y8CZ{odwI&u+e
zQigy{P}#ScmJT+bxw(N#50ZtBWK+4~ELAUbSw`Y|LBpC+OAZ-dTo}EnVv=yVuvAty
zQ_ZE)8^WC7*b&eDc&^?`gZER^5WoPKwY{ku44|W;MHYm2br}P&HsSCZ)>@CHt3gi>
zWZ7XBoe}~D=4MxyKYN%jf}71;veI-14o&z3MVz(0I6L97uMSuo72T9s#;OMgLZrs&
zw*UDof1|3U?DIXO@nEqCh)@6k009m@>T|1$*{x;dHm;LZ6Icp~R$f5{Q<N$sc6*Gg
z1>h&DVm}gOi3dabiFH8tcmXeFMG329Y*$!P@wv9}32lp;t)=V<J<4ySTKuvZ;n3lo
z1%T5WRM#DJ?sB;!MS@XMHz30ZTJ#6Y`pDSDr&Rdn|D0r-ORR>$g8&^ySd^h)hXIa5
z&{R78@KVm?s&Dn3SQow6Bt(<qBH4d{n`WNcWIn+Y0xPJ1np2CEVfOB`QhVp*!GUWC
zEn01DLm2h3J}j;{#HbtF5>Ex1$nvPSodOwAp}lP;lZ3tuhrDqzj5wr*%F67qaaUOi
zb9QoRE_V=f&+(kY<$&FH{OD~3b`up^pq<qHk6dm~%Oys&C89(#-f<!_6f0ylvncpG
zkN^apL}OSf<i?3WEy;;T3ISey%U?m~TYhii8;zM=*gP#cvF~aGj+lJVtIk(VW2!1G
z0R!7107RQO&Y2}GA{G<gednQ66%PGmYfn<PDmthEwh0-0Im`oHPFXzqTc*Lkquzv}
zegwqKU=k3ok378nAOHXY6AM{;NHmCSl;h?WcCU791~)$!Zr|Fb4Y?Fcx%&Ce@=h1U
zBtj;XGWk_FHN9;8oF3oPmo+y33~ha@rRUE%ANP*0C}l}XUuwtAy_p%)9$dd9q{{v9
zdS7Jxf1;9vEAnb3*E$PcErf^$ndzsCG&qngr!t-cw?W3K&VOTv2MKgr5nQG0I9UaO
zQ2ny4B8phX^{T-Yn6d?thjc;t7+KzZZ;Je(!6%}$G}Xhisc_EqzC0kcb#&o(i7(TI
zc<sZwms>VSlDVX<-*&*P$vA;<eV;N+v{F4CEzc|7ol{}r#E%#B6>%u|v!Jk(JmN=_
zK?V}H{?m<s_$^?f17TbV*PICg#&T3W2@z+)lXf(G&YWpJZ62lR-AVtGYi#K~RVhss
zx6+X>gr_!S&2h)<{_6HwqBVSiY%t%`cGTt+!cz5Fkt3s!01Ph4q(0=oiL}_<B$L=+
z3#)gz9tyo*QUGMZ!j`iZWGAXp$2c1A&sA3TFIIBY_>Zxgt~fOH^y^a^hH5xxnuK29
z1Z#I#J7BW^7l&gzp@nd200019nNInC+dtlAR5huFpo$WPwuV*h5%55U>P#1d2kwDS
z6dyfZvM3vxCOCYdXzoO}Dg(-sd3=7gW^DLRBrU)I!c3G|Kj$2L?dMG@_zS*(3g94l
z=)Ehnq*raj6Ta|F_~#}vmewb^MHxS@NfZ%44x&h5{vGWpRJq!uy;CeUlH_EYgCL!R
zjM1?%3g84(dtT>c-Ic@ST@BQ!ZSdlB-)%tQ;_CJ`@GK=E{18}K=q=DTHd^Zs-BqR{
z_gE!iU1x*VYHm{_$_GQ7ut#wzsVi#}^CL{!q>i%uV%Ub$V!sgF_`MK%XK=_Kic{J6
z#{ghYgV?|n{*|>0Qcb{uaE!nJCzMkm35$4Ureg`GKpT@=Qeco>88+aUu4&`UBMv!D
z;AV9XJ(YGDBB=lcZ)LR&awtV%a;{c~6b!7Cyj2)_yka~=RPZWqNr$FwZOr<zS5(7#
zsovnMw9-S(K6pPOZPeYR7^J_-5;+wC^H7ZSZA=;mpLex#KHb!TT#2*8D>GJ0=u%!Y
z0&6(5K(P16{k}<4KpSfjDeMtNXsAaVvkNv#6UM}Fr=`6<fjyZ%=4NM1P)n$N%30pC
zibe*5*4up_5#F<kMg~t9y!%SCZyPXce(rpT@^=@t$9Ug^IGmSTxzoqx`P>UubKn@S
zfJfETpFF_xG5F;Y7$N8cXUd>DTO%}Mvqipt9FHq%P0g)F2lDnvrj!wYQO?IV*{w88
zN08slsWg#`RN+T6a+<aKhUNqGzU-{2HOG@P25^y^*zyM{M<P{F{N<APEV~!gg~3<b
zKmY&%6P4El1pr0+r<ywcpg-Sxm4xHF#nl(C>9m&>Gk7n`H(H${+*8RfIUM0)lnnMA
z?$DSr{0O?&5!WZ{TqN}kJ){VyhzE@0bs}Nnv%daMl~RX;kdJWu*324;FDz{?+#n=H
zbf`N*)-Lru7-9(Y;nw!Y-XQY9LtZ15DQr{%1y5P;wc2PUk{_~k@MpCm?h-<-@USKE
z%`5V!!dY3CeQlZ39i5h=rMX(5r!<oUUcoBEAYH^y^sL}^^<}Rennl8k_0k_0u-MJ$
zx&xElaa1kDQR$aTea)OE>6xXA^nId7MvS$G5^2ahiGik-=8fOs?Ho9Pe~FlFf?B;J
z!42vIc?Iq<y;NC0!NfA~VN+1OZZRon135o_!eh!HGYMlA_jzIC*yssSX|1kpF2`j8
z{)e~U7&a<M#ugS%J80q>n?q*5c#Z%_ieUSvKQQZ*m<<g+%>M82lh=f<Gv6ADxU>hU
zYhxy)y6eo~q>)CJnH0)0lctQ{PqQ|Eu`_%|wbmRR%?trSr<-rsZGz^;K6DT2<3@zu
zos@Vc#|O;4mvJm%8`zGwL_!mH7Bq-ufns2zq}kP4Qpmx#BDCNq4z9^@WZs7pJRwS(
zZBRT-1SymZC%3A~iw^FG;l&wOcd69i6WDhcM_AXhhcKjKYOu@1nw*F*M@T|zg!G3l
zIu8O?etUz9-es?)5t=YA@6T@5ZT|uv=JUv)fb{XH1C4rOfG+2H0Czx$zXSbAh{sG)
zDVTF}Qy5t|oQXH;mw$1GuR}HVu{YTzMk@02M+N-9=yr5+F=|G#bx}ENS<*)k@;mZE
zfaCKmK<DG3=Q{J-MCer_sxpH@qC2R4Rb@AvWS^jsz*D@l(zZ9gys^2SlR3w<3KkGk
zew_vSNR~*iCy<gQ0N7!E)qxc%)#KsWUb|*$05{bOIeH-Fj(|KXm7&E50Ku%(k$Y3b
zQS|`^cGmhIZaFCay^@&Lz{3h|8Ks3<CAa_p0Yic9%LB~~YTQ|2WM>2fyhREa+ZQ&y
zb>(*RDXp;s)x!C`1vpGaHsIHnz}WrAq^UWe1C4dH+!Lw#g)C%zgHEh)60||P>RH)u
zELsnt?F)2aX)8}ikGHKjhD|MxKQA=B8IiSxM=B+>)yGB-yE;mVK#EoTgi;WA@T`~+
zZ<QUf3gxN)GSC=^MP8=q00aFLVLdS2%)FRQyN~~gRJ<e4l>dzQ7t2hqM~*^Tn7A}q
z|8&<m=Ejk7xI%4dS<E64m*MUSHU?J9#y5Yst}EV3@*sa3T!j8=HSp0}&`n_{CaH4h
zs@FjT3EzhIt_F6+4meiWuyxr*yc6<bVGDMHCgs#asFXpPE3@PluC8xH@}L;XB>iol
zy+C)RQ(j6zh9_Z$ERRI6*q*i{0d!x-0vX0!iQN-XZCf%z8&s1nlaSL@nAE1K0AN6t
zB8-0j^OdnJ#ZE8400U5V2O&3ohZ>Qr&##W%bb3n0ON6_?pVgawK>P0r>Gs5q$EmwN
zB8zlg26bnm#M+Y%je5q9XY<2ahQY<40F$+Ok^l>wgpY$C7_|?o_xqCDUCLz)T7{#T
z2Q6mZj?Q4az70-1`2&A$QCl)<E+Micn1YfF9OD6Z!i|VB1{c(xP(Y#xueLA*%rk@p
z9DWo^fghX5ZIy>jt#&C=-5!dA+t0`iH&|bK;{kqG<$kn`gYZ`2GVye1(uUqZks*dA
zk1wOl=^HGMEZrgMh+u^+SvqC=iJD2sBb>-<ER7s>;fDJnmiLMCd=k#oqb#6Poj$-0
zr;Spy6cd&Y_9uEj^r<Ux7+c_?C?{pCiHl40L=RwPRF0}&=3YT`$d!-1bo0P1%iStv
zj@_&uoj^fq>wydn>*Bj_A7DIlojMb6OuGy&x@ta!r99xfESwZ{2Y)lw8*M1AiwQ!s
z9wwcko9|Eq^fW)527aI!Ore4;w)^wetFmB^qP|%}gVY!)Y$)GVHzn(>*iU>LA0yH*
z001ZhaC}{`_)Dsg?t2~(SnSLH*8}=RV_F*;-_}3uMxNgl!eqp_fhNOm1~5vDwqR^r
zrMevfo#$YuoN-7~NDR^D_as|s#M(56J?6tmSwQiC8o>xJ#n~FeB7FoyS&C?`pcab+
ziaxQfSbIi&6MJ%iO;e)hV~;wv9C>F6Ooq(1cmKHUXE9Jk;Mo7FYJlNP9L93>hd`@r
zg`3*fU2J8z)=(Z`{h_b~5-#rS!QrN|d_Le0ZGEgSkK`Q0fVzE*hsV`y#57hjMdvO0
znPtA4&MZtZ#I7xWQGJ*A1VPVIWt#07Vv>5gXaB=_=op_DRIuQMZu11`$8u#irT_(n
zB(fgN7IMd~g^fmwV!=d8c%~b~_rekQB%#!;M&A(#-huRc>YUcXcY`*EkJ<stsMH_|
zs5O%LN5bTvn={eJqt*!f$^2{CGRoGh4Cfat^;)(rQ<K#`1M>>n^%ZE3Po9K-q&U(t
zR;LODdW<8*hSsR1wdsT3q1I9hZk12$fPMI$s$7X3(V_T+8ubc0l(?M9Z}`CnZA#lj
z&cciz7u2SVJRR$a^`FpAiqmk!sv%ndV)s$WyI(GeRvd{Z^6EQa?=HGaqi}TeoU&o(
z)}%x7{(4vX+j2@_%SOF0hSb||G))1m;6PSF@$aZPMiDz>Hmr75`Zb}qfgIHnQJ=vA
zrj?N5v+h){4{$wXp+M~c^DkxGNXQspQh8T7XEyG!RrR<SiEW*{XF!xBJyh=^fG!GC
z6X{%X)jc`rI_J@(-l0gb^4BHrP1gKeA8hoHx92*cY(W5^oQU-CQ|+xin5FTmpg?++
z6zd0GxvzhIa@LnTN_<K3cK^Riw4&Wq&e#6X&d#GhFl6#77b)ew#J2{@)d(aFOR#1W
z`LY8m&N)7g#j;@xJZ^-7v4N-%%x_x{hv}FXzgws+B@|hP8d1uOBKnWj633WlQnhq%
zNq6tBK!BHXjC%<10x=797{IsX;oC6~cwUXtU;qk;t`dOIWYyK`bDAR6o#tGIt(+mA
z2S5zd!YZW`taV)=+B%INP3c6FNaD*gZEKCCJfle{2GR5)X@OUQrlhU-Cz?tR8=P=O
znLTPvJ-@m54(au*IFn5ZB|;Vx_oxo^s%yoPLZh@sN{iCx?_1-m0!AD~P+H$1RQB5$
zb=BJ;FvD~9LBVlG;2h)yh>)ojAO@y)^C0LM12Zn2L7Hq?JY|#Y(qvBE#7yIoeX9?!
z6=WCfQJ&1rZ(dWv%v#l01z-S&S&3MsjtMJ__RMG;GR*`!g&?%&jy-7fHrZYEML^K5
zPg0Q7Le8@)OFfWg#4B_BvAuUo-4@03$E=#J+;vkV-4&{PjV!+eV62`cKfoCefRfb7
zVcVcas12@izEW_6{y7tf-YGr7=FmaT76Z3=Ks@J06uwjx6zI*Vtg9E`Z`~wF?t^wv
zXCX{h%)}J-Och|3A^WvA>(EDb0)%uEvQ^**=&u;bl23syK|m(9l^jf~r!J_KSr%lg
z>N*1oW7vMVA+me*Y2=D`j@Ku~5fXYE5wx?6O>OO><e}LVr@=6y@Fw+M2B|WW4<N$6
z*IGbY9KmJG;C!_)8W>mRA$Mrt07gBwpky3Qo>timtQLa(dy9D}CH<PpV?MINDVAmb
z%`OGM{;y=P00BJtWZ6JSywcAo9dF4VO+Dg+5mO(%bx`S7UV7=$cTWwyA4ca{m30i1
z^VN>gvl4q4*ibt~aFm%I_(d&oVr5)tktQ9=hNyEga@_^)=`P2f5pbW2O+>;~ZUA!E
z8z`R@*;xykmP%S1hgNJmbTn|33Pg*WQ+fd@TIy`r_IxsRvqdaD!b94`P>=i?(!C_D
zzGjdq$JChIEXg~P2~RZZKfFWMhwYP?1lWqmHB@$~7^1mzOeP-`TK4UnhR3S;+|a)m
zCZ!VGbD^i$x#U;*)nLn8_;A$wHUIr8&@N(dwuOH9WI&&9DezI6&LtUT{omQejuK{^
zDt0DB6IXJfXkWN|*g2&%@Bp-zF^l=Zg?IG#mJGX2srB1p_Iv)4f*~LRxDH*)YQm~>
z8<Fig_b1YlA4B+%JMXW%OVon(yaV*9tHwA0A%J!`#jpIn)3PUeFLJXrL}T^vTSS9d
z>n>gd(x*UQSEh+}Gb4n?8;Hoq+q^B4YQQM;3)1iooR!vNLK$2Q6B#>Jytg^rZNxfR
z4-qvS`;@@6CM)=5%H^&eQqKDTGvpdJb{1ABX?5&%-id!rXLfTmk3Z(IKBTlV2ORN9
z*pzIU0%P<wZE@cs$@Cq}Z={`y;JfcQpe0VbzuEv1C>vNLh4>XFcOiWzgmA@+*PI|(
zS9g`D7b{#Mr#t*qv0OF7&~<?q?pe_?bxHuX?(LTlN`QIHqT=FAs7#KMLHa1mAz@bE
z`4BC3F8PHrjec(jG5@R(erEpTpB?0WwQQ?pN03jPisJ|pVCo)Sk_;ZvyuB#BU-5&>
z)FDX#?XL(AK%~g0^KZ8x0hf#Vs4k0<w7q3b6>8e6jT&whb#)TmUB+~h<bvJKsg<u|
z?~a$yRZw}R(xA5hf3mZ(mwU<%TDtzgZNrOl-uXg9c`hffa@(CTgPGBzrs(jS>b<g)
zSJvq2DR<>`sNFBi+v1qzlG3pLTVm9Ma#LV%VsQ)GB%-C%7vNMLlU(v4?l(y%0U#s~
z-FHoa&&Ocn#!*!hJUB6_@lc)Djk1cO*mkoyu12&TKGot#&jRd17>It~svbo$>KZzw
zsDISD+JscsAN=|0f-BvffaEnY>KZzwsE0)bntbk?-rGL2m*kY%lwdraEF~ZA2hn_w
ziTg{A&>kl6%jq6qr_1NvTj)8oSO-2MK_uh3n>DPnL?(Zt2QHH}rVr$0$2aNZO)Jeq
zXIa8B0nlc|^|cjqp5jAVvz~_nC`~NY$H@Nh(%WwVGJlQ-1{^&Evc4N|V0Fu3R@<jB
z3TH5PU<WV^cRnP-e<KknYG0M18+Y8>D$nEmUkaPdHUZSPfCH6zuhe^HB#&HhwjK?v
zl~y@PX44EAW8m>m0ALFPruu7y<lA_%FN1_~O(Brd%cKWxL4Zm3o5Q9mJ0kJrnUxkp
zLgFW%8_qiCHa@(0K~m3xSqM0nad>0&Aa*@ZDUY+lt-6W<nDYLQ>fN+dERPsvvXlP6
zD6S;#d=M*?DJ4Q!9`MVw4CA=>zGL3V<_gEsR{oZ1SU?=0d(vcX&}Pi4``#@3)$<?C
zUfZ&Y{vh3ffh;bc$=N~mif9gK6Q$DRXvJed<Omj{s>^36I`Y`EQ2zwEn8;@Lh@piH
z@T1{9HJ08-l`Gi_sYF>(xQoqo!lA`B9LC;S-UYv<(UH-DmCSAIOMN>Sp6{FhH53mI
zQ(e=q%8dDN_aVI!z7Dy7Zy`!-CPw?W&Bkr>Su|GQBa9D`6m~rF4$3d}@DH%8z#xf>
zVqJDg{Tgydv2?zjN|>GkfQq~Z;1ZT3uO<tpFKBoTDD0Y34<aEkRBUZD&B;oaMELDA
z^byhDv-CyoWRXhR`Sfc^j_0kk1w^OAmhf*-V^-6e;w*?Ln&>{fO?(+l-x*Fd7!C%C
z$^kzCz4mGfq(|K~M+(r=^a;(9m?{W^>s$4DaX&h>^vVzA{(;~HFn^z~Te@cP*V(6o
z?Y`}6WS##!8kXAgUW9Kw3V@gkjZy1ekJz<YQxW)`;2GP=)G^9a&&}_*HhecnZoQHy
z@SRppW(OH`NqO(PH{2t;GwL_~-6N&L0rFNQVr1T)F!Azy{>IJCD^f?gJW2vn+@I4>
z9v)8HP22${krwBG+|PACWL7NB4{0a5)|1HZ%t^*GE=5bl#FS5H{BmHma_e+vPYgOe
zMF~5g^EwRH?A-RrG{)Ab^Oag!UcC<qqDDm4y{F%{K+yQIwunp}+yOUY>q98m=fVtU
z{j3HDAm0Pa;`LBjPJ|UKR(#kDYxVa`?qf@NH}n;8DJ|k~(7?yt@<z5aDme7#q@Ebu
z*uFmyC`q0SbT#o5K@{MJQ#8i!(PtaL00w-uCw?*AAOSy-skPrjX9WY}R5>cZg`lx?
z74Pf(a>C3uAx88mgw#N*etQ4`OlDNLC2WFRVu;Qd@bG`($auEF{&;FC&wzb^FN&}F
z{W~JlZznZzQ&Q_KLmr@Hb7kdB%pRttXK3+hK5Q<HtU=8pua}@6DA1^u`CZo{DvO5m
zb!hAonm`~=lt~WOPox6=Qiz~V&@>Zx(pmW9gD(R!Y|-6Skqz_&snkCCM<)5y?4#m{
z|8bdZjp7=|HxeL%li)0aZuBH(8VH99Z}~VtV6M<;%zxLY8<;3##YdG@FI^ohs@%xA
z;BCY-R8#NWnR}!>1cF{cp(4`?g{_%i7UEw(%2m;;2OX57CH!pPRS%wlYjGalf7Avt
z_+!kCC{QRwVU?RvoWh_i^{+dq2d)+WZbDp2L_1T+qA&3SgN+Rya8SWo+8~+@*jVx=
z4fx(PpAWvJz{f}J<5*s0P&uV>CLbCHM&-iihb4~}uMEe|EPJsD4K^C~f$aM+r>QiC
zIExXc_`Z$&27)VY&WqGt@R#vZC=IO`@l~8w3g6*Nwek_}l*X0XoC~F!W*NB&#+H}+
z6Y|NhmpM#3>Fuj?j;HQEq<RkAj@#$$SS<;(O+U&*&E;FD8F6a}(ZsSZZ=5OPZKGDg
z8*$;whnO0lWOnt{-KV#ql_>zGBP3Tc2?V^QS+Pk_mJz-qY!cl*(7@h5BX78TInyYv
zUPWd?l~3H#I)GwLd(#wY)<Qo5qiZ*~gM4s=-%;DqF9em4uU)D%082)+XgQAA`0u?J
zO{J(Ss`DL(^C4cQE<==2(v6Z6tF%3soDK#e>#s>Q5oMmRtWJk|XRk8cEL|hY&6|oJ
zP5!1@aFs18lnWT5PFp~UeV&rTCGye@Vbhe5IK9ea<!XvsQq;>@-93yzW;aLQRk-R`
zCdW+)Fb9;Q(B=FwAd$xFy-P2^5F~UBYb^(_py>FTf(#jh<Z%<(s*&IeyRRs5R{1~!
zL=3+-NIX5`xnTLR+`UbQiwO0M1Ozy09VEB>s{7#5Rol{6c<NE(fPey*k7LU$N2+E6
zpeQr!=IL9(Quh~zHa0uBv;szp$1VW0p0*68f}kOQvu~!zIXsN{RoUxxx3V+8e)P;r
z5^(4Mr^f!!mXRNR?)7u+;R!{g7Bg%A_Y0LqJ+s**z8!G;SAQxipxy=Zck)It8W>-u
z2JLST$=pI}f^!w9Z&dUooq&h=&AN+NQ-C-dMA<jz`MzFFp{U7xWhL>PsV~>mB)E-i
z-t)5-uRiB!)$}Tgn_|<KM9FvfphPE2kRXX<$#+fXJl8)}z3wLzLF5%;+rNF8f_&Zz
zjFZ{pcBs%H?Ct>YUk5P{;bZ@%Pg>M<BOfhu5_|X5O~>9Ci6E#Dt?lfOR`CarE&j?2
zifQFkshF@O;`FWeRM#-^1>Hse8bSSa4?m7EihV)@Rl$N6+r3kFb+>3^p^mg`fySp+
zhDj}9TItuAB6&_9R<AA39&IOD6_|HFYO-{A-Il-|G<;k6{~CS?UcmF<R02acKC6{4
zn>9EeH@At|H=oUE!3e^Rxh|C|$XD#5j%#scj|TH#=*Xy<k4F~9(!dvlUf&`b4=|?Y
z%HCsIscdp~6GCgn6Em=c%Yv)bJV`D==aN_#lf!votLInn7Ev^q6Sn4Po*9ikWhMCu
zfLI0UD?l!)_u|gbCP;G8Vx)7{crXFRX8OYm&%vO+pxyfg&SgmuH~K1?)*gm!n~4sC
z-d2$w%uGAd!fxSLRTdXbN^*)tS`20D&MS8g2^Ns*76?tdzBwKau&skJoeFK&;sUX(
z!Rm)Y`*WeO;>wbYcYvE~nv?X2X%CTbq+#3(=7Su+>il~WDG%5SGDk=_<oxVc$=Het
zxTul22W~s?c>qRnzA@PVl935o{!muHX5nC2`EV&zcMi~fLf+imK(4&Y4Z8y(!94^a
zZxH{)I-M?U9&MZ2OV)ECUZyTX`$8fMBy~n)#3p3s+kpZkY5VykG8=eMWNVO}n8&{7
zg+DX`Q=K-E29ebf%rce9=kV^fg4BK^`H|h6bOVp7(cE$+{GPqdi)$ASM2la+_;-}P
z8-#$X^v+zTm=|5jN}xOoZsY2-d1bK3Uu%NzyJ)brm3`dkZCMNJZ3W55+0sJ5>%zvj
z%t2p^&J^~p-AcP)%#IB%-sQ_391YwR%x;Dp3W6S2VB*l`vFU-NC`oUhwSCczO|V;8
zHIb~S=e$f-U=?m6XnCmt%n(|}{li&Wm|N#Mt&Ci``U8TBgskltc`8ZRArPc<whr~4
zzOtKvb_9YsnOzTnBp2-&0#%H9#$HSf+1&e9N!qY^!>>#wRmvW($*BqIN*MW>Gy)1l
zI>87SEj~So>DilqQWp8bX<2jE)t31|KWxF&g>3#p@YdPSC012o6+$Cu09Umzu;b3w
z(@-IBudP?2$UUes0JQ`Xx<n&PdbPVM?B5#$e5OHfWF`?S*~`4;4eIzoZ9^&Y>Es^P
zQN9|uJc{&u3;+>VcJjezUn)^>Te7^=eb6ZHO}HKrh!N=RU{(xhmYQ@8iRa;`0Ajbb
z{z3>Tfj<hGqGl_Y#_Z>rLH9^GWOW&NFe9*DV_0Jiv1~pI$<x?x%l??pe98#dZ@clK
z@v@3{{c&&UnG^vi5b9wRubT&m@=2bnSAqe!2M%aY!0trs4l`aG9?vktB!IUFE7%Oz
z$PlWH32FC+m>m2@<AV-Cu$NUti~^m<TE^9ePMVwflcmCmA|*$uD^9P~Wsd@Ly#ZMV
z-~e^&*s93J*j51F<b$Pp7`odcM|7y4xc&FNU}#dO2ZzqJEYDuGW%proVNsavfVSC~
zquDh=*VQkc9}nOiV~nUc+*|`2s2*Ap+3UD8rQS2>{4+bB!ORKwtXr?m3hgwVtPA6!
zkUG?&L@`hY6y0oA8?g_mfl5+R3A>E^(6nW2l^W+P5B+L!+8o;MY}Y=`@%eRyOzGYH
z77yz8EE_ha$2eFGFE}Vbvx4shp&wIUeQgn*@H!wn)st!_Me7NL)lf8GI%7rp$}}-V
z>S9soUZc!aqaqze6lPee<RhgSnQ`<)QFfcSaH2n$!HFtg+BnO2szuBlRqLubYVbV-
zu1}-<3VmiY75VtfQ_SHE?{NA;9%?@}#S;l(y5Z>9{JkS<!y4c8qWQ#0i$8X1dhgcn
z%&xl-eQNJP*GphhGtxjEn$}pWKFeaLy~zY7oyb|a7H|b_IF3$~7(lOzmf8$CNAh5C
zH_5DrO5Xs)B5u+FW4$D=kR7_yDBp-C**Muh3hnOX2grG!DlTc#y}`JQ<>IM;a^%+1
zE_T;Ax7={5RWER6h0%W&!>Rhx(sW(RdrCt>@F|uU&V)$tkgg9j81_p80#BCF2Do$Z
zNtDbu?fmDbR=vXnb{-!~4Ax$Y4z=cg>Cv<8H&r_piqwSPXej{_N*nGrtIXl{bJGQ2
z$LJk7Dk+zmdvjw3UV319=!KrSk;y%$@rfGLrcKqP0gLjuXqQ6D<(^^;4Fq|>UF<W4
z`Iq}Dj|%_*768M!97N4cx&I|`QivcK=rV>8G2S;OmHKxXwjlMkG$4fT^E%%S{gPFB
zv};XG(w74AhNYPMK<^$(M?(-n%Hg@0RO#GVd-m4>8ow2#ICnU<DKL7~(v}AINIAUk
zOA#gDbSqVTgSMlh)h{A7<V^d74ulotA0+f`(>fA(9i9OC^Sz!PkA(fk758tBV&{Cu
zhSD4$d3W}LKd3WHY!5YKd8Vwns=EKdQ!-G*ojvRGgA?LoWs)gp1N+U#mGc|>%)NK<
z%R!A?8;OZhn5F9n%wZo9sH3<Pxo#w+B%PU5E996O;LNc7Sq=W)VQ{zjIHx0(;qG6e
z0W{K<>^-Ur-MC5%g9sFY0-C|#c5(#S%w)EDrNA_^7kJo_lblgO+)4=pd%w8aZma3t
zn2%tyyxeqDjkD97@L{y#kXnEU+>3it=_%2PJV=Q$zzD|isg;_U;S3|yWc6}V#{5mL
zXQBmQI7V2H+cnke3*beioFILyj1ikRZ~NUeVrl3q*QN{FocN_v{R>V$R4~r-nzOsX
zKAvW7A*-D^N|)bDw>2aBj?WEqL1Eip(+lW~IR8xEzzjQSmFP4n)a!Ppu?q23`2))}
zFAJtD(VoP+Qzf&$3~`QrB{KypO+x)?e?ykzFGEewvVEkv;q6bdoi$zA7@aO#FsH1r
zgBl<@Ro6M*ENqGnBvfY}LRi4;5Eo(UlS(kK=T_*eTA<0$rYWahmEq~xTJct>b56?e
zm|Tzox=~8C^i$(mMnItioKb$ENE{`97P(wYoHbZ8(pSZlq*0Xp0S+7+T(Kj#%X7kJ
z2vE@?qDKvkOb}QJdu_0R#3p#1Lh1=3b6OS@Q@>+2!aB$1zS;ESF%_LSBOvk%jbW?)
z7oF`I#2vCE7WIy{SLd5>!{-d9y&m&|{rG@WWLHo!I@btFY`N(SXB;05q#&E$=Ie^)
zMiVp%Yq$^He63F~q(x_$weVZP8bpoH;T=fU>z3=XA{($gV84evM?B(rzr&I!@aB`&
zqWn;$)uZ9!PnuR_>7EulfCs7AeRO`yxCm-pnf0nT0DG+dXaHGBK{h7vc?;d3;VmVj
zTO;e?>!kqZ`E^Mh)0?s{QVn`lub}=icPm8QJMgpCNPcw&apK;@tGtNQ%}*srS4p-=
zAsPvHRSmq9^eRQG^IBoB*5{$I3J~X=o}W90qyPdQ3-s8x0QjtRt`W}3y5bM{sg0qQ
z3jsgO=^W^-po+%44%@JWvC=_~C#Pk?B<K<;3wv0Q;As}CK&sMZ-3vxScsA#GkC0}k
z(C{YE#;AzeL5d+rzoAO3@}}lF8Z_imY<8lhI|V=BM%2r)mIkin2LKJBkQs+Ab?r$H
zb>B}uoQ5^p8cO9EN}ATyAXh*e6|b_CD!@DIA*Xnt0IT6MkvehjqN6$-4^EVe=JWHX
zOzRHFARsT3FXU-%8I$L~YHgJ3Gjf`(iwm1-FylJKCbPH!Y-$V%bh)>G{66a90toei
z8*6;m<#qDB!{*(#-Zf3=T!L7?PuXP@6vx4|t+WZ~p;h6s%*fnVKGFY!!ephe)Go|8
z=FTzks?LJGd%X#XXGb?dK;&8*MrsF*g~BUYO#*=O<58>R0jAwPX0AlRoaXt~*oVCH
zjT>buF00N&YQ4edplL%C=tx@QJ_5m#1(4UNkX4XjWO?oZ;ZGdg6(0EYd{Z^o3``Jc
zFWh;LvWucO>4?p){tO2F_5=D|`xE8;b4cN2bs(om>T@Qjnu;^KW|`^;{Rdt0ax2~W
z+6PdgkP8Mr@#^#6HA#oHy|=%}_-|2VYM#lzy7RygKm<0(R$_mn0$$chzTOvWtSrgJ
zX(Ku4aBda^zBXmZsd(Ki?9I1Dx_mpWptedgTimZ$OlO}pH?lTDHhl#2<eqp(LRa^-
zq*|YpXrtdAT7%<3vsM5ASh-;zGDj@ffA9^dL~Ue7v>0`a#(A5lEfphsf(8H2rH!D^
zDDhudnHORXx_~AjJpW?#5-9%@I{@o1p9!GkxAnPQH96_F&>q13!eAg&kaH~eCUcO;
zpkQ|gi@R+NNu%{Qe-~Utjuuu@ja}*cJQQsf$?9v?VYEuxZeonhl0+%2Fy-dZt3-g~
zERsq4Af+$dHtMoueO<tBKMGA?PdaV)BjM1Lx2WgtL>5%cjWI6zN6TkOT^oz+_EK*Q
zImcrxF0IzVbnYy00q5p{axLdR6JSf+d!z|U=F;K_tfHfdM)yi)5dS#6toas0U-=K2
zAqqC)1{Co400O8cUB8bK3=(9Cz0O={AdQP<hg$nPCaVE}5Ec|!4_qg@DZ`64A-vT2
z`Tzsh4K{vZ#H7D^;5I=me~WM{P&^_D(}D;elq;$CV0>6DF@*0xHalAnzR;8-F$FH_
z1V{C;4j`o0!J6%T_*^6<3Y<94d0WU30p^|yeeMBqp)SjUd?r)BAl^kdTT-ys8nw?>
zHNr1NH22Gy|79zrg_d<x3U4&~2fTbF@PDqz_>;Dncy>?@)jt2gA!2|xa<b^X)_tl?
zvE!2{=B07tmTj9y{F6ONh<DK4um1?{X1PI^rZ?B~s*tY;sEd5^xPRG^y^<v0n}2%+
z$$4fG(0He6A#@g8+@(Attr6Hjrj%tB>Xlsr>w<~8Fs-~?L_!g?RPDa!$dV)VHnRq)
z;i${Zx%F|BB#WMm-kB(wy6?e`j;DGALg$2%pVjG!v|od28;dR%4u!sj!!xR0=e3Qh
ziu-HUEFGm<CmuwCS2Pep*tRT{ok{ci>%H3iX##Y_=tf>oz-zI?p1AE&&@<cBw9V-Z
zgY;02V*Rf`ts|0x`BoxFU6{p?i`rDV2LGJNQ1-T{iP?@}{n)nJ=C1k1#$${wfrK$-
z<*Vv)BJg8h5j>&XE-Me-qpABMikoLeaY=?wTRFmM%7mEPJs<&H%-h4gyqY_O#bNQ*
zIy*YX7-gYAP(J#t$1(9J00$%1nX!NH_1_J=XWfcG)O>Su0@j|e<Y&=tvw=;7CvubL
z9S;!BSg|UlpX2Bj|KX<}C@ud-2c81l`A;8#(L%nT&nNdOkdZA})~BPfj(LMEnobBZ
zJ9HQTec7OGW8wFB^-{q#&FMBxS2f4>e<FE;*Osp@0v6O|(Z}tW56kUb@!aMa${{C-
zj0^w(1TdIy>bIT|`~AK2^`Fs43g+_Y2YO4+STd^>Uy2<_P}=t<$FP_NiT*#w<pnIN
zE=G4mSFLRT+F(ma#RKC{U~*DmBV>kX@FLBsSreShO@z4pkV&cgY;nOKv#9N__4ML|
z#ibfK+|CKUB#ID)MVzx6N5#JI{G1u698UJluuKTKw)OueE^Cti)QwA5?1XhVh`R=~
znzVz;(#~eQF;tQj@1Z5FrDYDqA1P4xY2<^`RdXmPmjM)Y@q>}&QE$p76Ip(6BG}fz
z9&FE(8;VJxt^$zy^~UbCF^!CU<O|0dV^*Qdr}jiWFz)js1lUY1$lJ7D<-+Yx@GDgS
zLM|*Bz(c@4d;Zxg?H=L?yeWwL7Z286cB6M0GVVVY<^~u*pFE1)gs>yk-4$OYKp~y$
zfOrSQIs8F+63Lyb%fXGzOok`PBZ^>yv|`e&q|FEJ)IE^ze|#aItwHU4ql;NTTriGn
zoj}77XjQCikiBc_aHr(4Hz7m6zNfqFZPUF{5K(EQv?f7xH+*T3g~{(wlR1a?>Cegr
z1MY6~#pLsm*+E+xwDx6Mg82h-L9&%tqYtxa0Dgc}EW6kkr`7sdT8sTTD4hYnNs&WJ
zvQ7DR-nH~{gvJ;E&dwt^?c0eASRM@-pNy;nBq&huQ4~vbf-BvffaAe3`KFz8yiAgt
zxLJq0d^+O)veS&Qb{<ZaGP!{u1Tzu%V-u*SwJedZgE+@8F-&4U366{Fz0qa>0T$n)
zxx=s|nv=_3lOku&U3m%&Dpu@QX&*B8G$pxC!EUHRvFG2Y>|*Dc+$sYmaT_ew$u6v<
zSs{!4JPl)}&jnc4VQf&#e6S<BdilE2BNO#l4xwnZU+56IuVj9=J$*jmMzWBO4HPY)
zzgzEXz27o_t;bgw#UR+IOI%Rc3DQwoOx7$ZUi?h)SO5S3T`7wMzlG57BG;)e_em<K
zjWX^V1Cj=5JYoU}&EX^M{bEJ^MXGc>q)tA$EpjXjod4`$zZOze4^O~l|EwU@{RBuH
zzMi>_0HXAfTgov8_T5O#?7PTPeA#Oli4u}d)KHVI0FzJ#?3p8q>>-Qo>k4JE2Xr5b
zXD#cv8pKEqG`x}E5A%6MqGkDj!9ue{3-6Y~Ma*L@CbvTVgAJD)-<TcAsKk+OVHvYI
zZ9vtxSGYX%vB35`^{2K&j$HR?_|ydGqAj(>ryXFPNvt9+5`_MSieJfLPZ;{EN2l=6
zc)Db6{;5kMF#sJAdDCZF0&jc+kQ2D_x%Ydz(vUx3XoPfFi^|`u4sT8l&)bDol>1=O
zlWO~tu5MrLdq_#Y@}L5%FAcM~E^7|?sh1GPj)Criv4BXE-iE7^DR#p7vQpJOc6*z|
zfvB{lP$OO2%8prBExOq|M!=k)ge^*($PBT##`%Bgt#4x$0n+6SYg$fu1krK}Ds!gR
zmp+Nb*->pz*%VaLY)@Bj1{sf7Hya=bg`f4{Bci8Li&Ps}?<>K+{<fY)#KaNbB_8ov
zt<yX2=3hd<rkpIGQ$t#B?Go5D;=s~Fv!^EMBg9G+1aF81!*lGanHUq5N+*RJfsX64
z{|(>zTaU}c1G%ei@U7d3Ve|Gfm!No{r(#<>lvZiDE9kCpZm@K?#a)yVOr=Bf6g@Br
z1)xTTxNxQC($z)iN`NVqez(h(I)hzS-p<EfBy$|ruUq!@Pfyp}BFr)ufDGDreJPok
z8DL8tXX1h);<&!Mw0qj(0>rw4V#l8IK950cr4#Bw)uk5qr||PStPhy1Fc4a7zqVO;
z`=-6?N#I}r0E=JNn>qDfc01?KJY?tJiV&<E&vp&;;X4>H;m`liF_i`-)<`SRt6s%g
zYc17>2L<ZR0`Tl*an$UkD^Nygg&L0E=Ib#mK4)2NtRfmMXNOJZs=K=R=jo&bJIlg0
zQ>I=%^!j`<xpshN+0BWRf*-O7>6aPSxW5$;(EDKw1}!&q(P;DE*4bCToH2n$kRZ`5
zF!qKjR4!{w=O9e<e7h7Fpi5fmOaA}$FJdB_HsS1^<Fl(bP?PdiJ3EcHf@+c0Q@X5C
z#5@gAQ`^MG&)wQV5lqFJ0X=(_MklS?boY>Co^O3s0A`2y@E;fv+3^O<4@4b3qz9Ek
zZlpo<v6>KBxvKIDNl>99_2qGaxOvDaAe!x4%-!?U_HwTYw>UK-tB{?TtmKcUFrv0j
zzLUm_nyR$7POq8kg+K2)MG1_O54O4e5JpoGoH^0i)$6eX^>s_O*Hv+A+o8Tb2Kspe
z0>UG%O1$*q(7j5p(oIF4I;7US)#^e2vyS(1&I(m-CDg%nLeTOgCFbn0%Ww{~N3Av*
zwuC)S8dJBV6Zg0p5j8#rPC+s+`4-bEC;dF=hb2lz41#NRrl*Ogq*vnazmH(5=KQ-6
zhrL6T@+dTg_}atIJ+yhNU?A%9$xzFTdVuZj<QxD26SGRxf?S4Qw(KQi+k%Tp|IoqE
zA&;AZSJT4kYtYr-vY#K$MwO9iF!I9{L90_*mVXL+cw}<knf@)Y=^XR&4MeyfL^G9H
z#q}B3pbZch2@d(VSTpV?;{*f0B!DimFJUxy9%z9kMS<RiAkwZiX%n);$c$!Cm)BtG
zTRJ`-B?F#$S%dx#D>d@Hv7NTO@^;7wL4wSNp_&ZtW#k@Xy)^C;dH89wRPHBe)Dniu
z)<1kjfakcQuALv%L1N@n2%sb!9PRXKKYq8v%Q}ZZlEw~|Mg>0gbvbCp35UwX=T*9|
zJvb5X%?~ha>SlcEP^sAa+iQQ~Wg(hZqiR9_^4UM%QCCpd9*lzKu8iFzYCTttcJs8?
z7*U7@2>9h)%+XecKmY&)HWsq3-r3>4ycs_>C6FD~dYTu1KRQ4YsYZwQPo;Oe#;pV-
z@wCD|LsOk*2Zm|R<BrBkK@b8m&ZMbBsun5T!c+{Yq_<L%#u!($8s8KPdvMbd)JOxI
zh%>&rGlzj^Ff^fP)#}*EklRL*gTVax(64oe2=e7d5xcLmpaZm>_J<x=T`aGmg=bK<
zO_=WNJ9;elXxC>ljt3vTY!l*X>rxt*<Jh}lCB_56Fl}sGdXS82+V=z(uxc;E%?b)@
zMVOk!sr&>WSik|yPrgM+8j~ac6Rri7$pixY=1l4XwE!zNBG*i;xy0Ox#wpZ^-e}EK
zz}hX=5uwUXjM=Kpu_;bqFPt|Qk0LDW{R#e@y|vHjqm#b;oRSYV<O|i2!+Bj?d-qz9
zQpT((iYwAe(fcdBKuhJ|Y07wq@g&VH;M+P~LaQnB3^l0F(zO;rdGdK;cG2AQzUPz`
zQU2dy-2(r@^i*Wx^j{M7MbT$LNr`MCe(6`IxFaIgMMY)`HE^%7DjYmXNccnw)YCU}
zz;yEqYM=tr5tVuwRi4XxQkYQ&Yh8#7L<!%IBtJo2L@hKM!$z#?J3Mrg;IlF6n!hwt
z!u}Q+8e$f+wn&r6bA|>NL0$W9`8pUOqME+Frkz}&mpM}EzPlBH^}JD?!D)Z}Qzy*}
zB8YFHNJ(kYe|b-Z>HvR#Pa^b*ln(!vXs*Jwz$*5#@Qo1NnV9ZHt@5%}NKRGlJ**ni
zJgP1Vs<0)@XM)!(*M-@lbh={1U+@*ILN|fo&6<1?NC2Hz_mLFJlF<G`18qC228nwx
zuLDV1V<r=S4oMzW4DPnatO=K~QNs?)CY09A5p|emtW6-W%WC<qb1rmCUk$QI*gp9H
zhS?)?nNz7_I%RmR;4=A96#j@8sWm+@ZLqXS)dM{e)Cn=um#P%)X!1;B6zCKStL#Fd
zoV>SaxPZ&>q;4%-&3qBm+yP%U2sptu)UFo)F?}3UWF!LFyag_61{q^j6Nr^4SAKg}
z)GlUEBxg7=wE+x7P7@Kk=zX~JP{v}lk6N@U^8ta7#ew3J6V!XkanC*QH@|3fnwj(m
zyuzE|CT<CKKhl>r3CDfv!4g5=!~2uR*x$VV^HtKSfyapBq<{bbEiN=^w<R7AfoElY
zpmr4RX8}-grclUogrNebM4YGOi$e|a`wJqN#Pc8;_*~M?KYS|7bYqY!bySr}44Wpo
znNItoiPU1pEBq2Ayp;QnfzTr?bx|+_&$+%RuEwpD>(LimyD-E)G?`PLUyFaf@&PQf
zlRyFF>4N%CjoTo^@S!OHfx<rNDS*i_7`aICCe1`^js)sFp@E-9bn2~G=0Mj><(nqT
zQTD(bhwB3ifN_Jp9^8Sun%8+i`K`WFG*UUL*4S!HZ7_3VesY#AX*u;F8*&j1Ev!WZ
zE>$t3zkHmJVB3%{esq%F-^F-qX705htB1pRU0iv-^wb#aDeEN-Eg-kVVDQF6X6^B+
z(pT*~h90&udpKDnfGfERX=Xa*og#&$&GwK{#$!;V`G_=?uOyCyYmQ>SFB(!+y_`wV
zP_>&TQa)nU2_OyZAHcka!c{5HqAM<MqMnd!=c~sTx)voAG~r<r0oC$P6w43<=z)0{
z4^c>voZ*TwYicq?ihA1H;tVSW@<Bo_#YVyjF`9E@$#_w6QZTp{zWVG^V7s;47Wft0
z;1Q6H-T2T7L3QOG+%TP0XXmf~Rdu3b4CSKxFZa95)0iz^Fg5<zU=W^ifk%VUQsp$q
zR3T~8*z=YsqyQtGoyY`svDi-LB81abbZY_kzU~WgrqaL}f(<0Tfu+Jte@PsigZYDt
z0F8c{#k&EMSl26pSM9QnAadz;b=ZWzGg+ed*cz={6Uvl(=eA&-?v7XPhAExN>~!*?
zUGvFOs;av^X+j|L^$%eqnGk%Ojk|+3B{2W>c}>o7gH>Ap1<QqzKXN5w#^ywIU-=pU
zZI^LEYs-=Mni=CQPB;U&m#tVy)%nC@F8t2n{*jo|jxK?5xM|Hp>n(0}Yc?f;?>H~t
zhy`S)($bot$<nq((-!bcq7BiPRD8^g^}9Ula0a*X)-CkGYkOkU)hTG#O&n%!sQ`um
zAlgAW!2vm|YlL<ichaqau|LZr!IBenav`=5Il7>X)A{79b<}FbKX;S$UbQc^>-H5d
zi6bbxeHt&X`ns>hg@Xw5C`4JN9IQL*^Uq;u^kJ~a12Rzonj}iBsrmrugwi=dJoifC
zPmV_kC?3tb(~450^#jdU6IH)*A~oKnJg@m*-W+@LngI_1g*PUUf?h7_2^W|#%uE5(
zy#?mA9Kx|zPU6JCH+O>yDuUJjd%f7ye22;-_GQa0s!RpYu%QYedC8vBUvY)Uq*QOI
zTQxWU06q<iBELn-!OgVDfy?&gzON~FjP!nqIl<R`(u?sR&I?#85Oq|TNxP`Uf&VT1
zE@$r)MCs@mN^o%<bM$toVca^h{qI8X#)CsHrpNjgS!}0|ecg`S$VozxxzJLCsVhs_
z1D4B=PMBLVLAOlg&;z7aFBl2H)w}7B7u)F{UG~P$O83*32S4Y;{jaQ$?GgC<4+bie
zqbgn9jK`?m$qH_nOAiWCr!hPGjYFCl9-s-V(3zw_mWzi>-<hU`O{ZZ=1$raA&QAI*
zky7a0jz6Rur#rO9t)%{RlHSp1)4ui0FHp`mLBn}nTzlsZbar&8z>TQ&{T0WqWB;nG
zg#7ef<D88<sSR{X?jl`WiIPU4HO-FO$dHu3pWTkrI?(vG+(iUKxE(A%S!n%(6vTms
zZ)P1vS2VvrN{fKetSV*X@Ng^9IK0#`#cQ1vPRzw>Yq(8}t?;|Cf$~*}ODA$7&IVTt
zH?(Z+zYA}M4@m89sxpkT-#&bx7$7>zr-Oft79c_8L&p-SUd(?Xf|&Uj|D&UAvW$H%
zN(>-W(%xSdAPt9Q#TBhfW)uB_lB#h%U(I(h2GY7>=1Dh2ju(=r!!48EHPf(riEJOg
z=2Lf4>ApoRRFAB5rnV5RHnyd>#+9yfbs-F8-QT1wj-RQOU<+mNfDDUl&a)4^CE)t7
zExqv?npeP-piisnK#d;8sy6{H(?|gc!x_xnTC?asCDh5Er=QlB*j#dM*(7U=SwYo<
zrD`a7*!rKUxK<N?Eu3T@V}0wu4##Br{%R6y<OTJ5{ivt4`c1_D84!;%Z6{=0``JTW
z90evCcpArH{|SN-@i;Ib0EHqaBfR;o648>hc1C5_3qchnw_B+ULU0xuJf3$#@4gQW
z*Xg1L_n_ZcXQi>gh!}qGut-P2?oL_7(07ADWO;39eamR8BY5cBSB{1eG?huVJmwRz
zMuww-D+9XU<lXP=T-Co#g=hhj&u~f!R%T|oAsP$1Bcmfl5QpjNtI_jYCLR_G@UgaA
z>g(Lj!`sQWYbd&y`sX1aJ&R{HAsoPt8_LObxPyxC<h74P<MTkbhnzWx319$v;^ltb
zq%lfrS{^F2S4!6=JX0zsqLlyhDlwYy7`kb1Z3*;k+9a$2r{wyqv^@e}G$ql?oAwGz
zz0DE;2=ddlPVXI9`@wkcrRLC9s@pI`ELH`9B}+JL!UrhAve@^JUM)8>9Q&R4Wyk`C
zR_2GK%RSSF-R%(y6-hBx*F^ueORP-YI}YZfS3ln78xsQka_ubgdQ(WYf$nC+WdyUa
z9{0)ft?m&~t|u|<^L|K-6mev!^SuVa*|Je@w09@lAJdItZ9Q?S$RqQ&*C2-kAa^DI
z#VN$s-I@L0?q09X2${;R-e7_LO{;_p>UXs{n^(+jI|N(Z&i%aXDy0AnAHZO^yUivt
zk7js}=0|nC!MDd<G~v-O)}<L*ZBi;*4^W}<n|f$xtE5<mJ<=kt<PM3DowB?^kB$CJ
zJ0+JB(7`V>D+H<KISp9?@^=p~Ql8u$3PXUJ(dm*RZo?rcS5Ho6CyBnF>EcZoIqWQY
z8HZzx12z2V&*t-DZcb|PeW~1d3MOSbe&XERO34u<D|*Q`#+FI!+7|HN^|&QlW3ILR
z@y9)j9i;_MT$3q0%b8d2WI;4!f{TXOZH3ZfY&OYFpz@NB{9pCJtj)U2)Zkt{DVFsL
zQdKg5LiX7^|B%>gW;*7$0M)YKZk$+h8WqT=kn6;SCDJiX{2C+hclIeT37AeL*2u$R
z9H5+hsfR?Pyk2%Yp{{dl5d?S1z+br={D7MngQ29<6w~~HnL}(%<gO;uMJ~xvSfwg<
z3PVt@b3Hz|@!^fy@}DT=O7^V?BV0xTn^{gO`!C1mRw>=NQ+~Xn+a9K8@ML^>4Rl1O
zvNTQD`ed<`J%{=|43T+&Q)uqo006=xCvH@zUe<}E*mc=*=GUw15-pa$zb3tkgNlI(
zF{aqIYfDyFN2)fs6fna+9a3;A4H7lJLKM5NCYY%fAAYa_Zss`s53Hbtj$JkIWXB@b
z-SNpN2!sWFmGlommU_anrudg?-0N$DXqfM)Qdkb6?#ElJ;o9{UQ2kq+N=37RZB7eH
z9^AKQNG|AYi~~Zi>FwU4&h1&xV+a9kS_!5rS7>pxj{3%Gdd+Tugm$}>8i|YXe`SJ*
z>mF4hTYl{$JO2LtB7Du}Nea2x`IpO~3~k?l02ChO9_YFiYOI){PT-!ZC|h6WAnv)W
z0U*h$E0TEQ`(fMqk)o{ReVR01ker(mUaVG0KSy8GRboQVK~BH`XWK%*W3|+M?+*O@
zcQr2c-#Ej!j3hHF^s{OgQg5qU{H#b68nt9bdnWjg)E3?{)*>PWIVL;hpBk20=8zZE
zv@WMzk(pjfR&8{^>z#VY8-l~48=K`={HrZK&oHz|+8e=I5Ro#rWc`1JUo#F5yH%n1
zOm75^CItx>d6zr<M4yOt&!9z<Qbr^wnlqXG4yN{b;rIpvIMoP^hn9>oTlD#B<nlir
zPvmJ+%@`ggg*eb&d)ukaZU&Ip!LNN_%TZW1qE4_O_Ht6_w>z#?nk%uVqm-3BKZ#1r
z;70ks#%Jv1%dyDwH8McKy{BnB@w3Su%Qhn?kHEtM6ZM2PAsK9PE+>lzrrANZm&Gdg
z!!;lRgjgs@?qdt2Hx|eV%{*w^9@<u?wP^#ak}8PMh{^_eq>9gU0_|?t{qU<}OjZT%
z-~b*n3fo3Af=VuAOJm|MA~pey!~HD_ip9>NmBZGBX}rpOL(|O+{GS6k%F$$h*C>qa
z&e|N&u<kW(V{mz|YlO(aDh!g0o}~q%<8Vv=n3}d!5=72o_LbbYhm&Qq6*VCKClN7M
zwSb|_MK)#_!uWszT0PnJQ{9Ut<yYj|SC$u`#X1mX+E!f`zDk#3Jl(#otSCmV{d?_*
zARA;pR**z37u)$NN5|RU&B3^GGQ8fDHmZ*QE#FGYjD(K<)yi&$ac!Kt-8?2p-~a%v
z(NPH1Y$z<=yp@nE>9qrJTB~x3pI3R<@ju%m;{XMLwoPWE?oz*C!aZ;Flw}Hb$Ft8a
zFE;~oukIA%$eX0Mdj=AHRL+aSYk%fvI?r?49-Mf+MSVUpCv1dxl6eyUB+KE|YsyD#
zu0&vfo``>CoiPBL(xE2+00I)jJ`id^i_NMNw77o*m$=Y;f(?w0x{2WU=(JF7^4ndU
z!!eIxxWNj3=|x^O!mefg7@cOLS^?@dT7Up8Lg+qW4;lxjuy*4YY#=8rxvwOx{TWTo
zc8b6f7<`cj>p1W9TPFMzT8u7z_@0bjlDGXPRlaDB$O&uoPGMp&H}hWx>COka=P;W)
z`+}6ri_At+vx+tK6~WZ$fXgNd4gC~mI$y@H_SMfCxaT-kB-%83FY#kj5)l|alKj{g
z&03_R1CSWrrLkQPRJdvx+H6L;c%Nb08QYP0+4bxC2(x-qY6VEg9-siLz=s&^l@yqg
z);c@)Rw-M&bCJS|S}g>kYKo=5Bvp^@RGq~W7WhZ)?7zEgUvu8<s}wtnj46ve+}-bh
z0Mf;`_$;sTdKBc-x&(d;9ktVUo>?c8BVQ%Mx2gEu_Z_2TWw|nn33IYXQgNS3A-JRb
zTGcim>Yy)i+uN<a=VzI5@DTaZXTmF!CI}W5D|zEIte8i0xW$sPo-idh`p6VPo(()3
zfD`WegWTRjR(d3Oka2fmHxPyFZP&VhWeX#+_EHz}b*(`LE5!#|v}+W{Ox5OKVmXIa
zLR`_}(JM%;3B@dLt<r0e*V*9jFM$p-2*%>BbQ0~&WEH_(>6YleQheycY6LE|8{v3O
zw@aKJKPrU$m%nr65CAdn3<rnr7Yr&2637^-0H_<aB>XVt^<Ho(`-P1?Kc@VDB8VMT
zXUe7?$2l)i@y;dL*_3Hm<c?weOJB6uMo<xo_5yfxxsNvi{*Ilh*KR!lqh?l)3Fybh
zG*3bR0;@P8+bNTQW;zyEfp5|yCmGVBN6(!6D`w71iN(K1+^#Ezbqej=^j&(^y2J!<
zb0Y{{vW&Ut0Q(;uTw(L`-C*hyh4vD5$cb0>k%!ll09W6tuX@X&B5fT{ykWsVAQ7h4
z<OnX%E(uukeSHb!rx@Oz(<%k0z4htRt)s(M?E?ir;iPpi!i+HMOCAYPpjeJ-8ydvq
zu-UM+?5d6CFO(F?iENbc;hGcdPOgFn)7FsLB#YRX>s{-zf|^90Rs`kQh8!BO@`Kyh
zV=7*j*^BPNLVGS<*}*4EDXOdRoV@0j9*n2r<cH}V3ce}9GjbzWDI9zZe@Jbw%4&Gh
zvl|335Jgw8nh;)3!|dUod~24xN+#AA)U}z&J)`dkKRn=tPJ*R7_g5r4&OXZy(3J@8
z62Gm=uB%%drNpX<k)f3(h?4eGdgVgVoLcBq1Y7a;g2<|SXdS}!{CI}rgd~so!1tjR
z3Z(#f`QG(<+E?203q$8M2+E;|3>H}EqPC|Vxk4wvj5ojoj1S4E<9=wJ436`UJiyk+
zp%aGsj?sH3Y2`S9;Tt16INAi*|G5-zI6mK1`J5T(-q<Am8a0+Jx9x-l+TzK-#hlmN
z7;rH#Z;A2_TFN`NBwYi0W=peuW81c!Ol;e>ZQD*Jww+9D+qUgwVq164clRII^{lGy
z>f(a5jnhCOo)b7yuEN%s^UsY{Qh8>>$p@sTN^IT3hHql$hDEH-0f6T1?cSaAsiJ`B
zRlyw*FbrCE^HaC$WCUEW2+}?+vY2LdiBdG{u*io9;m@Q(YyJ8YuuaF@5G^mEx>9BD
zgk%ItD)ImT=!Q**0DIc5X`3e?9GDvOvC#A>n!oZvY;y@2ER{LMa37jga-@6LJ16n4
zbr7fagYV6MQ|&hMx7g$NjUeV}fIb00m~g@EcL+}YX&OlygyB)^WvKI%351RLHGhaQ
zNJO+e#UHr~MbokDP+KjoOO2^DC4_<5n>+MQ$_^y7PY<S>Su2m0Hj>Tk&6YwdF^zBN
z>BE2`bY1`y_QI%}Av>=XIv+BaN@umMXH9%F)~tYHv5W%s@oMKCA6A&uZN71D6nsTP
zL-`QRT;I3^GQBo*s<uE@#=BhpA)tGO46u`F_}gC&>YSeJeu1d1pyxQz35VeO+p*x<
zbK1~Co$Rz61U)YP=|vE#=n1&TejVAKh&)8|>QMx~3g8lIM%_yrrA2!(i#>g<u!s#<
zIl%&;6)YcXo+TZB^jIn-kSzT=wdjIIe=VDsw>*~!G}x6&)n<jzn3U+?Xht@mk&z4!
zg-J6&bNk{Cqyk;F{)!ej5}5N$h@oYyJhQD|7qfa&0*JKNASE#Xfp{V=d-kvEyAJzz
zRDIu&kNp<dL5Ks^lKAv&^A14*VU3%Z?KbccMUfKs04$qM=Tgil{ekxg%P&AWwNUgZ
zcqg*OmW9Mf#MhD~hOEb+&uNPMC<wY@(YP=HT3~>IAdlUTQex|0ELpg;p?xV~%U9`R
zH?ngQepr>paBfMUTRyXOt5Q)qEcS1-<Sy;04LJnQ2gu{@T8(E{xABX;op~W~4EX$_
ztrJT@Kn3S{Bk(fb6s4%JX^n_`qWWbz>_gABK{)yl`ql@)QM!wz8-?Vjm!PqSErPC|
zuRntBqp3y&)`i0IXfJ@~_J$&Qg~rTADFA;+zP1bK3*4@7SaSuH#_x$o+(x54WGiem
z!)RLJkjfMSK-s*h>?kx+qd`75b_Zx=??TN~_7l-42mRS=;_R=RQ2#B~Yb@^=TNj)j
zpf*pUlg%GpKy$$fB$(p?8Algi1C7`?cuR5YqmCd~aLQ7pg?JjUJuqZn!;7YfO++#y
zqJhMr*R+OY7>T{N5q9q<0!I%3hgf4yMSbQJ(UGcsv=yiKG;=)>1R=;FGqR>JgCu|C
zi-59%_l$T+6x<H5izt91{SY(wMp|{l7!tY`TRfr(=9>^&lY)lyJ+M7_MB2w8K1Lw=
z=Z3?V45mRA_hKRc+>>D@GI8qtxcarbtQy<$m>$hcj(3F83~4g$;hPwiSui3V>t@-j
z>ViWfVX~ey_E9&*X^BJncz8CO^jHOFU`6pW!U<jMh9H{Bw&8N7vA|k{V-zc{4)2W?
zK9Pr2`Ot|l+1EGzx#Ub+(ml(T!TDw1P<Hl7Co|7EZx6&rVo23yw~EHjE+SZw^4Q+b
zoeiLIN!ibHZm&A?J{Ay=PMqk+%4ILSo(iC(tHquWUnN}#Nt}q5P&)nt0He8z7kwL9
zU)9SQfemAekrV5`!O{~-eUm@y%B3SNX)NZy9Wb@U^yZ8Mn#BFJzJ0;#shMhcovhT?
z408<#SpvHyUYxZl;y6C3Kv^34-XCEm>4Wsdv9|>P9Sf{gI06^0F-ahU`AS!Q1`;}`
z1}K%)hZIpgP5ZiSC!L_*1k!M|#e_xmD2i6gxLm$Zl+N9D|5SK%;CC&MO`aEh$A%>i
zQ6Sf%*ReFKl0(puh_|Jyw|t?(tH4wvq!88=J7t}uN2`9|87%zffSJzr5JgU05Bzdj
zAubQlvZn1Gk4(HtZ_BG$_@n~dkaiqV|3+f52n<Cwrc4<e%1QKY-@Z=1+xnXPFcid@
z;I)f1)?15lIlY-I2Z!Co&9{-IbYFPw=4+k87`nD2_9#w_k}w{~O1rmp)_)?3{(+RX
zAs{$cyxz7Z5JOU2R0Xc&Et8FZO_Nv$I=d^QCGO!d6O`UMUG<-nr9zg7AV~ZzTFv{m
z{%8>T18N^0>jbK^cY}I0rLU+603@lcRr=gF=)m&iCBX{kE2BZ%pX@Q)a`_kv*%uxr
zdUKYvG@i^3aNEn}PyzrP#7vFBS29B*d~qFSmywSg?#HEAPm5Nu3CC*7MBKzgcCd3Y
z3yl=;t-WEDH+V_4VD?r`cG_3Wf|Ny4JlRAYPy=O1q9P$IXU9Vyg&JL;u278+j8fDT
zQd+X18yeV0#fsjU9(RuF7Pkdf`GB`u8#Pw`-BKOO>mI^8R3X}p{At%0I1M<|$%cZ}
zc=B(WP2Oiyp=!=%F5_jSZ{XJdRKqLc`=E?no1FzA+en<h8g-wGMIkVlUIZUn7Y-{>
z>k=Ldlq&1~444}OsaOed;FrBW_=_yGT{IxaLaIvpFNR|%<)|}TZ9UhM-Ofr|NI%SV
zFtWMd6wMdW?sE+@VbQeL_!)Mep##8S-i$wa)<hx>i=@1A4fK(jiIjHYgaBgh#IunN
zwxtl*TW#_7h+40=f|X^(<S`Y5O`n`A+dAgZt0LuL-L7%#`@G}js7`9%j$uj0L987n
z9!BGfu}J@XB_Rsf9^Zn$|FtlMd6`Z(0Q}qIUK2d3_VfGuO5yV2D&vcHB_2GPC2mdp
zkF&!Jj=JB#q)4zfk>vy-W;KRagU!VR9FT?7Zga6aQufs%_fL*cCQL6Qr~{u%3n2&+
zjP!w)NI4caZ{RC>&b<Do9l`6>Kc3A*{b2Ak-3OY`*K1ch4?F@YRjl99<hqBCn$RYJ
zf)k1Zj7w<OA3Y<|L*xKtFfMdcZSrU9D@x$?yaXf23edpuNY%f<((SL^%W<TE0Ur{`
zxhI7n>qi{&n7v!D?&uiRVJPub@=z$Sz<&LPy0Ve&qK)*&Y2<W7Nz_yK;#qgZR(W)h
zL_4zq`q>;+ktRT|XnT$GCQ&yT(5~QCk9tH1WkEV}ud`mFWYDrk6`toeVf_}c)+>Kq
z%bvzZa!Al1k)@bNWW*IQsLG9`8}6CXi-x(5YvQ_Zm++8%l5K66Gxgd$Y8lvwNX{y;
zWaL$6aFq1E+cQon_+IFz2wQ|T*GRE-+|{$|C4x@Vc0?|(8w?LdN?wm`{=xsRa0k<D
z77G0(YFOz(OGS8wek9z<U1?Mov(pX<`lwVk!3qoc@|gR`j%zhq??7CEa2>^yBVZ$a
zJHUI@&15+g;u=+x0o2?L6;gxvK%139rlp9vG$*&FsiyvZ{6mfK05(5V601d4)_U75
zW=yCb<KN4^{|!B0DB33f`zCvJ{PK$u5r0QtMMWmj-fZv4s$CBZIobNQ<}QsKPR5*8
zdSPNq5f2_a*1@jhmqkV4B*(WMD>Q2HfsJvdV`Tyc4F8CMP)D4yjJE@VXTRUJk?h80
z?XPiEZ30T%5PzoDL><CI)2lGYC1`mA&`&{q3_EU$Rtxt+goA^>R7p&b8o?~OoC=f+
z*Hv&=+9|7oEAWSjaShto%BA%sWAo+cfiG<*Dh$qZllPp1ghlAQg;Pac+Lg!J*-Mx7
zS2BG?ed&9UwEu_}2ehfH0ySZ*)?#6#wBhmB>+ERjDU{n_@(I+93GM!R7mDZZZ`Zbg
zGPC&PNtx?yZHfAwDsUX3LWT;RY!A5iq9UY^-@3}8uf*D9cxlG86^@&G%6=|;Kjr}4
z%d<GAm~Ikj&{q+;X^QG%R<FPN{wt{ik-%&#3?`~W>Nr3=RANR6><!T$tu5+mExurm
zoB8r-T>Bm6c&I)14}9y|x#|YY*b76pZLOLK##?in|JJe&*BgJyW<TcR&l^w~dFNsS
z=clcJ^(IAex}GmspCWzylpp!eLco0+vdV=`kM)QKQyWEZ>R5fYnUV|0!uF3cT1X4W
zp(;j>oY2qGXWc117=DXA=uKiNoc+tl_~+s~kpUNO$r~gnBqO!Ez__1DK<WT##7&;R
zIMnvG(!H9&%fKd4{nYrTRb5p?w?_cSQWl<G-9lqXE=t8de}fTu$3&b)&Y*iI6hvwK
zsU0n}5H|SDpa_mjpXnO7#rOvgBsNZUsC`g*@CsLGrW}3MV>y!kE6<}g(t?+f2n6*U
z4eA7lY>8zM7JmO<b}bk6Yh9QY(_$8~@q2>*?8X?v=aQG(E7(q)<C5d;Lo&RG{`pqH
zc#H1b0C-jzHkoN#ZZPqwl?r>|!b<nH!@(67b3FEi)a930$ef!H0m`vN6^R#(3VO&5
z--;5YMV2&N6>4Q#7(Kl`KDTJvZh$WRSQ9HBm%t*A@=@28p-&FR1A_Nz+YJAV4Cz)r
z7chyZ8@zWV7X}~7=uWX6fcj0$qRX-vGVvzWaO6827aHSsqrLasWb3nvs;AkZllsqx
z1RhC9Wn+zj=wGdtE>Gh>ZbF8@96lTig6k=_niLAy?-?Bu__A73tO(9lq4bEJ$TjH`
z=!hAHMJz^)yroI+V8Ct6Esk7l03qJ@Ena_L=~wnEgbVdK9CeoQ7Av+~DgGtRS_BHk
z;v|<C>=fCeDfGUwZ@GI`21z26IhYpA<e1YVVSLpJ?2~rYl4`qxYU3_wO@^$A?#6p<
zLZGR0+@qP6B1sbaMiPz42RO_WX4cWCYhATRF)xXaV{csYK7Y02je1^eh0Cin7Mqog
zk~Pk9)mUi|<T;`I^y|;DP|~s>7JR478hMdc^3BpAo+-=#9p4l(_R1N)yX5sNFBt)a
zem40mNm=|HJ(F@=m-dX^sk98lGAmemV|-#J(rB|&m}lq*%0H}1=L*A;P+SuXdTkb4
zS_D^pi$&jPs=A~1q=2e+QjDj4dXky1;{5!Kl^SL;cyKCtRPhDQWXJy3*09t1pGK5s
z#XyE#9cy!+t+RhW3Uc$&RquA0I}n8Pj$s_stNd8I{dY1z9ObXTxiw*WHYMWpMHd~4
z^26XlHi}@_t0p_SnEJ~;UVM~PkkBRD?c{IrJ~fxebuClZO(I?VT0(-wc8ls(Q1AYv
z!B<uGju6&|m-59U80zvR?03XoNI9-#Q&;w0pd3v2$}9uu2vUNzMkDfeQn2C=RI!%Z
ztMNZ3KPOvAoeDroV}A|^Ecr|b1j5Lw5)u`EQ3mM-8c;)&cWNPYg3Z^08wJPC%kYI<
zp0@-yMdwLWSu-k|{9VxE%&ge@T&Ej%V((j&OUc&t{nk$oNOzv)wCNP3?gvFL#I<gQ
zmn<<L|K{A`qZMaA<JD(`B?KO9y4&@@<RQ^bRUms2Jy2u{;w7!4o>Yzp_{+za(aOZQ
z6)UAvH_stBp@;)`Y~^G*;{5O6(zSDrJzd^$T1`F+E(4&^0m4?J$E;_iR|UNL<Q;gp
zi@qY}W6`ZJegJqMuy$6UDrK9PZxlyDexuE3@;D(*|KDYA^X7~v*7hFql5;m9$P3MR
z!cf-S;rv~Gk~IssQ=c_DMoZ{D7}m&=KTTp!lqSU0d3?aB0S*8xj93+3iTx}o&wtfw
z*G2>jngM*ul2BLoOnIYyqTc(@);2oR#t|Yi<pl8zb*qiyphxQl;c+SYM9exKJ!ZsV
z;p>Xe6yWr9@CiiI$SrFMjFq$Y2><+5B*7ENBFwI&CD2wB(+CBOVb~2en9Q{2$7ZrF
z`L?5Nv(_B1XP3P<S2xQA2Im3@;J*oEG_CPkyq_-(m4|7%Zv+FV#7d6>7oM=>gz>*S
z)Myme8Wf}2USni}>r7{`Ro78vLCVB=|0>$n{|qbqiF6Avw7`kwg{3wd8LERh!+Tx?
z2uXCNQof3>)`A9n9~>09R44GK?W7?!(7Ks6UWM)c621r#eXX;JG2O0#A`GEaGqK*o
zgGk%q3n8a?(J45(9u>OpDojdEGyYa)2%?yhvQr_W*lUdOgc*{dM^FGC7&)g;qeoVi
z5I%ISgJXeC)ot(l&m*t|nQ$qyz`t5TR{kCC`6$4#N{90N^eneU7}><E*aA`<fU&I(
z<<d2Hrj5PETx#PPBEm>AOI$$G-J-CThAQG^Zt|{aV?bsatGYfrR*O?t%cAgEOz}hx
z)99_lPW$~@krGHfyL5wAGD2Px)p4&<=BD8W!C8#>jNI7b&y?`iBXQmdDI|??YVu`w
z*sdyACDV?n)3xe`{ckd9;N`fHnSqRvLNpM35Fplqf?dN&=h@`B_Ez-q7;awT05GYq
zSAB{7&?GpSvhQQRAfaIrKwJ*``?wV$Zf?jlGh;6p6LC+=p&M%xyckGGw-c<CH7w<R
zPl{>eSW&Md6uq%>9?b-Qkma-Y&R@A>_U)^cA7=6Vx3$7lLMw_+t1LIDGjPUXxGK1L
z?~l#&Zq?hK==fh!I=^wD+mqPVhj35+$d+s7qY~JZ9f-ykhKx}=Hp$QP(v`OJuw{kQ
zRF#VJ)N<Al+L}j7E~HJ29;$<aKl@0LJ|M;1S~9^5!=~tLGOT)MnYs5Np|1|lH$zWe
zjU=ve;x-P<(71UvOK9MW)`U;3oUmyUnKRT42%pk=PeB|+IiT-ea@`ww%u@U)EG=>y
zzc)_#<AXWHvkJbsJx*`lLMrk>xDJJJ^$CI!5~>z8ns`Al^+a$^FIx2}qq&|J>wt_7
z97i4uFLne|*LL*%r5LP^3&vS93Bm4}Pxlkl2FIfD@iXraW9rXLlYKh~$EiQD;3dn!
zkuc#XQ+Qj+mcZTY$OC_fzClr?tbO`M*pblf$T8aSSq49N>BCHHO?al8?M^fM$Q)G$
zMQ{=Yx`O59gX)gHvJne_pKoW-lx}5T|MFWHtlf;UuoEXt{Qwh<7G#O2tgqFad+^Y!
zR60?~h_LoN0DYn7jFa(^|CS?`Y$K~~WTl8p@S8{w*tj&g0JLC>#HJaEh>4usFh7`K
z{rS(Dks0&C*U_9|*jlgZ@}gmPl*-fT_)rx{#<#GEs>r2(SB(;#wxQ#rcPRit9p+2l
z8U-Wa^@!+*eZ{@9k$sAV3toAvgSsjI>P8rNS#OgVyD3hbuMQA7VXcGAj>yxu+s+Q5
zRHWSxbsJ!ZWBu)RP^%DwmtH5#SYt^Lko|TDtZ+bBC5NYqb=dcBCJ9o#lREclM%cw2
zV{gSKga63<p#7`k+_qbXb}Hjm9lJ8>@9f)EkAYy5NtBVd&AEz|!ykv=<@feJXSKfq
z&adS>f|KQvc2;FQt5~d)uqWT}{(fA|S(r=~_bPNGb|=hEWq5`XpF~3#xE~&dXI8qH
z6tN>2vfaVxKgsU^A<MSXz<I8KP09IK7v67?LOE|@OOuihPn`Mn3c2Ko(s;%F<5r5X
z68r^Dkf<5fyQ26>Ty6EM(#I3}m^i$|Ir|G3G>=Ef=HG6>?sr=sSd>Y*C`OQ<xg@&w
zaXP@8zJv8diBF?ybxt3}k!@X@=@5nFAjOKeqcvT2R&TE#S}+~t^y@=qjdtlWRy1g9
z638=bVn=10F>?cc)R%U2S1XNApQ3U7TD9eu^K?JMa{pYLrQO>vB5#)cs1EPZzKVbE
z{B6ZV!3-~#?WyIG${$xf;8iJHb#yTBH9fKkddKi9H_5oWgh$FG@ecmG@TL3h;IaxN
zu$33h`eo^k!P`m`W^ZOJs~LNVt|o9;C^?fI0kBm;>Sc~v1fC3@Bbdu*40Q&2wf#Of
z)0!=c8aZ%lW0YZgSHy|0t)zZ<{m%V{691-nI{z5TY6vbl%4V4d`htUPYR$jpdOX1;
zb`Cyl&F)>J+GfH>KR)^JI5FJOg^K8RIb4<TIC~+G$cHw(e3O+Hv^dqyayi$aI}hEk
zjeCo-+UcM((?X4|eBPR>%Q*nRQXI}r=~NrO;<zCBKGb`8S9JyfaoyT3d(aPBu&lgq
z&#83Uw@0<W;a>m%mFR4e<YxLrwNYf1l}uF{wJgh4ZVQ^(J{?dsk?=->&BJ9-Cll;Y
z*X4d0UDJk9(6}wlm!3koxwx=r29C_`nXeu_1%v9TV0BvtN*ZtszE>gunw9u%v{Yp*
z{8>J2LSeCd$b$t506BR1i~U-v+apvg#ku;*W*9H`uB3V-c|QmBXU9Ho0DdLThMUM%
zE^ab3<fM&sTnkJz5wrx3jJB&6V>H+w2E3*4HUYa(=7rnJlJi432Dw-H`R{$u-`A4M
z?iJ!+JpFLgC*pH)r5O2T1Q>W0vy%`yP{;nBwdM<<lT|l96%^wFOOnmY1c(fI^6Du>
zM*w-rLrRfCnP-<+4W_$XSrA&5i)=A-sf?k4ekTh-BHlq?KBz~P>uwq$Ma~}D@R-DI
zHblg=*`nL2srtj-rot<5=L<(Z{U&EoM4W+0!-Fg2bS>qa!MvfRo~n<0f_}lp@2@Sk
zpt`vR)dhO*FKwOxiEm1A|3Nca^%f2Ur&VdkrH@e|*cW+_g>;*d>$5u#d7bpd0^40q
ztD5H_$Yf=ZKKv|Q?j#k{UnpvTCwDA#=T|;Q6?d7-Izd;2<E*-n@Jf#BJp_R_v5wS8
zQpvxH8m$Yg=`QKot}^nGu1ci-GBr-AvnwT}8}Fl(Zyqx!SOKq-nAY*a3o!L4JqV4!
z5ap$~_wn(v$sQ7yiPQJUfM2T{p^ZkIB~OKqT_e-mc;Q&t(^*ickGAh)yA}EY06;@F
zekYvumy`F+uIvi6Ns@B}=J2<}@vhJ7LXZ!ow`xB<t0SL(X5{OxnVqB{FU$KzX*Wd=
zWp`NywMcqV;NF7Kwtys8E#qJN?KCf=W4<RwJP800+grHYb1FxQ(RlI=JMWtH1t)&{
z;(EIm4K(f<Ce~TVFY-rdF!gh<hI-hAV7|a&$1PVT0TSrZxn=;V<+8r8;~uyI5BQDn
z)B||A(ll4Ib}rRexxab>WYouixY%=!Y=<0|gudrx+X@g|r0?`4hMDU)?m{Jw3)HbT
z7h*3NX&TOEyDBpD2*Lmbk2UN1%mC*MlFHckJI{%%!nr6^F+(2xt{c-5<Ag>$OJEW@
zbn*BQU)950DqJRWZ5!J~@+%XB@6qt>V4S(mu&p^o6Q{`F1(84y_isF;P20%+@if&7
zI>)P<i}sV}uy;^}8hZzVx0N443~)Tv70uCkJ-rJxDUP=KIo*>5_OkRTM)WM|juRaI
z=Cxk;*WNyHuL*qK$h?(l$<ZTLf9ii~=-3-jYdfeXt>clvl~t8@cV&OxS>29*X`&z-
zQw_B2e$eeCvNU)44M?@7=-Pvs{#$#v9W_gNG!YlLmquRyR9IvM6P0zPTq-F7fV81A
zz594F@v|w1lVM2Bo1u3$2$1%p7!h(6OZv-lvcDpm{zHBsN>oz7hk>E-fb9YxT;_?>
z0m#im!+`ZW&*m_%$mZ}JXxAG?vl_~CA@Nim>S;?-Yc9RBc0uYhk_Ynd={r-i#C6sI
z&RObOA02rI=)C#n@W#$zKz9%WKMOa3w|9Yb6yewh<Dh5qpQ9)w4`27>z7c0jfDBer
znRaOtVHbi-9x=IPt(^5BYA9-r>cN0e?_$Z|Z0gUj%l~E;{lXm^qGHOA=scg<yOGN1
zy8g5wzPTO6%+i~v+yk#{B?h2BRT#QcM55H(<hhEo_xetUE7LON3)!`T4vv}2N|fvN
zC2O}TM!{)MR+tWc+2;js!Up<>7t(t<0e;k+-UI*u3kL_PNsXx>vSbz16z4q)sOC(H
zz=4kN`}e)h!fD)8I#ps!5PX@=LGut7pqPejdsSS^(t839iYFX>RG$C<2>x07nGf7Y
z{>2s82?$wP`VK8uZE|38MJ_h1Bqz=vfVn$)Iu>cL$g4?JUQI>bfKs_qO>yMO<>W~^
zj6ZAu9G#)8gPY|@uCKS|mXl$iy9BUMj%!jWgom62|AfV#T~dKIh#;zs`$QV&fi-{*
z_&``Pi5I5>@6ZIQ8C{vwZ3ENi@tU2`L2#42A~sS1WA{2yqf8_v>GA<nBAFC<ro%3+
zRpj~a?jPf#xiXx_vl$WFU{k9^HS`$}(I<FQNMp*fI2^D}`0O1(bL34D>Yr<Oj?_AV
z;u_s;lXcK2EzM8pkLXNz<LW$+1z)G#Q+(=dSNJu!$=uvvTXxi0PnuE>>#ypYF5z_R
zA1g-s#!bn}X;a!pmE0h$TsxN~I996@NYi$dGQI=gws42CB#^sS82&F3(8-<WEwo08
zOoPVGI_IG$*9|7dkpo6*$V1OFU<27Q%^7vC1Q6_O$pZ+_Kal^iT<&s@4DNs8(cOIY
zUaQ>-72IqDt(_uxKF$a%wZnp1<Hjhbm2A!^9c}*|1%RVTi*B$BUDWyA2+dNxS<$6m
z%NLo!_$g-(R|;%C>VS|X!``f_sgRDJNM`&dD6<RK+EPcaG-~6X?Ns-LyZKNNoEc!=
z8lAi#-GdG4_sNqvf_FPLQI>=9pLcjkA#BBVbgz0FDL9JH!Sc3b!ZZHLwal2P>gEXB
zP%UWYkK}(R%TErVVOUL)(<={BDHq2?mz68|;fo2Wtt%Oow<U078~;q~PVQ&TM%)9V
zq6Jt=xP1mY;6j)2P9d?-P2@@Z@#oczNCm*|x(x4$C{tmv@K?YvsZ_@0M(^`cF6>9z
z{{|Lb<+Q-+&`OiGhc5c8iG4lk?9G#ZU9l(QNy&ePJ7u&)d-~cX!^?Q$T`Vi*x@SeC
z%U-#$DQITEhrXu&SLHW-ebDSCI9|^U3QzdrZ7wA}r=_X0H(osgR5D~VE1P_BXDl$z
z?VQr@-%m17#5xZy6hQL<n6_)ZMZExG#qCnm3FEpFJB9xi>zCv*xBMbcszIn2<RrA3
zwXNzKWzS&V((mhb!A%@KV&azZzGXXpo2KqKh4@KnxZd3qP4~H%!Vv(V%o3_P_;+!8
zx7-EGwuHD{HABQ}<m>?NAun*fN^w)`ymwr|_uv*_GJlnyt-X$u8ctg#I)lB-EaxwE
z;+ud($8jd?ZvJhtsIhSD=V5am^a%>r0%KkuB{U`$38I{pJR9Bq33!R?uSl?JitqGK
zJMqeG?!OSV32g$)k<IiDo#D1vRKMpHg*M6N->QpN>3%1cr1eOGHvp`(lX=Ov@~nrI
zv}Kp=^#d6_`Ry^2>?3Gg&-S{vcLkB$9$V|QwYPL+3b|w2!_A4$El~*RjE*&wpalS6
zFR$>KFE3JDB_wBPUk*tzt3wOi+4=<a9DPQh<N_KkiYS_FjVq5Xu!vjEu0sA?!A-tT
z^Tg6UagRK5$_I`j1kMg!m02yRzVg{iSjilAcL7kRdiw-gH|@-BJ;ow=>+uoV?&yhB
zrsIVHAjBX{z2y3}N7jg2IS&Z|Uq*~4Ef1lm;(hPVEC9cy1~wr3QGQYPGE(HmfTH)Q
zg^l1%&A?e3ClKCC2-azGYJql+z)usW36FIe|9EEoXy8Cey&g|=W`SB%1_ZgQX3&>G
z9RO4x<IkAHvLE_VzcbIl5(10OpH&<S(Q|zJ4;b#w1p6Xw{YKFFU7D{3pMUWc<c;m}
zzx%aGS<jd8Ecq~D;McpwGE=RxN!#qepRV#5U|^<>X3zxUA^}kWwo^(H6pw9(wwI?U
zm2(4-JEF9TRX`<mini)J)Lc3N0979sz>mH$n822E2hf=Sh|kC#jd;h!0dsAa*W#gY
zD6WvQD&UyR;$|q&@jejBKrWo4qJw@xNh62beJfa5Z(#yXwB%fF&Y?IQn%-DV8Oeeu
z4Y1%!9O(>>x<A@T1O5pNK#9{sPS-B0@gUXs3x+Z)z~;}K&yn5KQ*i49?JEw+t@a6l
zu{*hZC-g=2Qo7o1cT(0BYb@y`O%QI`NE(ZhOaGej9%$ERnHDd4n$h39Z%GM%I@#!C
zC9mi{R@U}D7-3Ccoz$WGI~Gl^WO05N*gP`%ln_#UuTm8Jeb-5lbMgL5{|<aupS&FX
zP=0<c0|=-OOoy>o$z1htGG{BPy3+3t>-AtJe1hkLuJ{`ds@vXwQUf#_AfwE*k&nEW
zi9hHbto=p>MZ4aBa?5WtQ8G$pi`NfHqjOZDJ$x%adJ^EzCR|VJYs?%b>3(`=2U%d0
zj6X(VKY*QMOQG&l&WZzB{P`y-c){haIQf*u_HZBj%~2T``y`>-gpTpJ8mR?|V)Mw0
zLu%wdJxNjG;ViA~@i8Hjq@a~^c_z)YOMC?WClP>Gx?s{p!aZD}S+Z|To3I|!ji5D>
z_!~KNL^93*l)l2k`8YdiW*y5Ep?S9rbW$c$^Pb`QP07UY8C#;4rpB+cK#?R_A0OoL
zqV~5pOZ(puvPYxS++W@GMnTG9YY9#UZ6+WL1w70OQI<;L80GS<Ab*aQA-3`zdxRYI
zcSMq(OGCN+%US>6;jPi@X@X9eZYzOR8;$iQKRI5FHV@a`JTAR}R22yEOMoHALO;wh
z$UZ|%cDiD?bUz-OH(nojK9{Y>uD_hRsy&hHU$Wcuzk{imoO(P5FH><Y@&(VCro1={
zOR?EhMxP_|TVD*`vH2Ce&$a6eh5k;6y~s$2l(m4B>v#8l?8=z4@E1B5dYM!|`G06C
z1$iPNY({FD#zM617S`Y=L8sD1T+Pk+F6Vf9Q(8k6I{e0!p<ruG8TE+!jL;rU(YI0J
zo@?^~<=9OnpXRZT<-QoYhb$>jA!due>P(ya-M5=Q2`d6L9Yf@f>x0LW*Xz}<Z}Q)+
zi7FD?^y~<7hboC?rjUZwhM9vz>XW5WGT$(lU@W_6ZJ8d4_>X0beT_}w9V#-gVg+3c
zAZFrF?|(WYCLJpZVuQw9o?&f1z;?!+g0KeLo|{sU`tDiuhDTj8`S^<k^if7cd!<9e
zFP?a$-`;^E`89+6slExs?*+tMAFvaa+fQ|zj0l^GxIr8;%J6^P54HsBaw`?U(xZjC
zD%8y<QIyZ?nuHorI?ozhxpGYA3GX1yTa2$UPeF}owRcBFM7iCElH&aOUBFSeW%i-@
zi+yfDIb;-Va-tGS>Ir{Q_egc^qj`lxJMJBIs1l<Pdh@)>zkpQ027G*cwT>So1ZTAv
zj|V%`2`=|J`aVPplFc*{DByoO0Irg#(=LvHpBVr<9JfNKTtL8?>W?fl`w;Maq8fQL
z43VxV_@$o916$vIFRG$Pb)9}Ac~UON11z{g)0d&;4}88_N;>B7$XL46#EbtlT0(VW
zpU?3w&eE3MTwbK{hdVEZrGUc9AxwOvW4x<Ne$jcrU6}m+&&nsb{A(Zwi-<yagAwoL
z3drtpvs_5mb(EcXWn&b-Bgb2zy*+in%dh@Kd@NQFj$w5M(2NN%df3)*w$5-R_CTSN
zJaw*Oy-)7p5|?hcswn+<9Y$=#HsXeE-nKaT@+-&hpD2!cNvWenEQi9L3tLQeFH7RU
zYlYiQbj9M-jQ0W}Ho`~|N&RdvUB8ipPm%5NCv<k8h?U&GlAqEoz2Thg1Tz{Ap=lw@
zpDHJStK^0@Ekh43I5&biw*yc|leuD0bO~pAk#6%zIYk~_4BP$47?bSDQbgTs!h6NM
zEY92PHF6sM9-OjA2A!zGK5bhNMwb;oTsx*SO0T~EhaO=@kU>+?F+m9bW$Q(cS?RoP
zP%Cz&-i+gK=UHoPK9GTM(I-g^zzC$d&T?66DlEPGy)qTXx3V_zJWJV@9}#42jo01*
zxOq@CBloOw63`qHm*4Il)^GQ#1k8-5106r0ErA73^nTk@`=PrAUV_xo70)NL=~60g
zza18hlc=O?|FC?|S{BDwNi|b}F83JXeH&i8MhgrUhS(r9O|bYLuCpg8-fiIi*;-7z
zi#l1q`W1Q=$h%XhE^`W!l`&v61pT+~g}NvEk?P2uJo(4AR;(-XTK&hG8hc@uKBC#E
z8qW(!*+}&I2NQn1dqSG3>+k-HmAsDL{3(8%+czta8+7JXT9nTf?!4w9&*t~Q&{O@P
zA5=p1q^c3`1Q?x{mXI4d1s6&S-)PGfI`(rzgk6~1qL$w{D1kM_lS^P4)#vAnMFQcS
zBqWQ2Qe>)fw<5ZoV->tj4Qy5@uU5UdH`4U&1NhP!|HB&q!adehTH@S!jUJqkK^0kf
zmnm`U7Z!J}nVgblqSkvq_0eE}>Y#+;2P}F4Fv3GR`icaipx^PP?g8|JpQc(y3;7AF
zbE;>W#vYBLivJE{1@r}HMfEFnt*?WaO8%?{t?zh@4Sw-#*q_UtrKwf%Uw6(6pmknT
zlH-JUFRavz#RK2^(?+syyrz);iS*a1yR{wJwvkl7!E(nI>u83^vqsHs90H2>TFOu%
zc$MXDgS@1a`|49cHFo+Co1c9%;D6&V-^Y=2$UYTqiB7g2?RHx~gd_KzNUKQ{5x0sN
zH!Xh|xw<cqX7Yt+0=sFBPDMUa@NOrMN5Yg(-(qh2VSoSy${4Mv_IQ5FQ1Yc))+*aC
z-}=P<44%-)p_eI(-;z9e3LyP|u)tDC>v!jd>4&kvM^H_KAF5w4n7lyx{jSaXL=&sG
z2t*@Bf2i#W6xu)5eGZGiEi5{hB_FygqEIQFg`n|A>iMg%zMPgEKN4<S-+Xyp%Q$6*
z!`s?)$agkWT37*k$moTA^z?J%07yGZAYpwopQ&0~YX>HBwZ#szXJfMzd!Z~E$8CtC
znL`UQs90A&NHdwM=daoVAq!7m^w{^Bx_zMO09Dd5pIC`FtV=L;qV2JkoBE06$``=$
z9fbtDl$rO%yKVIfQ!9+_y1Eq^sT)No+cnsGHbCB)<6r`Y7H6wN@w;|g_le~5^N@*U
zr}Sm&m0J~-``=QPSg|*MidbnB?+uwU)xrGp_jNkS=BjZ+0m?77i{sl}3XYat4~LG>
z&e?z2Y0AMkvpg>h0!7NBK8m)V!&)?jel_)Buk|pWl;x$aMf8tguw$f6+LEKd%l}8V
z@udB@SDi>bj6-<o?`*wP`9_?CT#~Ps{E)^IW@oFyBr8>_GLvwAyF@&eW%p3P*zo(;
zIw#M3=z~v32EFH=QazS_2_26FGb?el{A=hJ=qRtM!HXD-q8gp!grB-HzCAEz!W^yC
zMvY*MB=O&v%ekLaD=B1OQTF+hqwx1aaJw~#CL0;&{ZX%;r5c+mE(Bptz3sZXobI$0
z_&_ZBmtMh-lL896p&Myrx`X#q%bOzuId)2W2%GZR&r0rV8^+or;oh53y@gx)LS=mC
z4Q7;haAI>8`*Hz64qjf~N9R2x_lBAGEm0Y0`wv(X2&U@GHWxa7=a~9Czky)!3coWA
z$_p-^QtM+2HQ33jgd0dLsa^V+m9$zc$#Ctj=L&XN=^7LFOU}e@5K4@uEs{(2lv08J
zfd^D+h&)Y)=(k{0j>4jr2j059#|Msz%h*PqZjjMx8O6GKD-@RE6YahpeZ#L{ZGIUO
z_b;kS;dSeO?deX5)3Ym})~^~Q+H#M0!X}P{(}~G`4pAd3>Cz$uz9+%ukWwE8Os>Hs
z5?9VI5kiUg0;IP`H#vuz{|6du5I6PUQakuI-Ih^%-OP_sK(5_v6Mo-&RRdS-rVKqt
z>?8!h50m!V>R7L4`T+iIglTNxeRg+f{1An|XOEcKw9XFUa7b^`<-AR;WkUj#yj8%`
z79twAgm@|J?AcGvRJQ<!fLrtA(+nV$xjx9U^I+KIp|zqULoM?0p-8j34buJ`8re+|
z+lE@aY55ib$rrCuNnOrsgCwGD_#5$m0D<^~%Pz$YTs^1N!5TAEf>7J8t#%hrWDsP?
zI=lLto6In>G(+K!G?ld6eWZIFu+@$irpG#kqM#!vb<ky3@pl<1L>6~K5B_VezCADi
zPm59{(=0m#%TXEZrGUh5Y<O>xNqrN(r-AKA><dE`3bP+%Z;^%47l7$iEQ@NRe9Pek
zV1~39IOL)8>fT1c`VdP@-)X{<L^`{OOHwV<;w=EAdCXk_VXCbN>ro71qD{JfNx^s0
zT5S2HB%t?HvC2A`!hk~5)vvj`W!n>buIUQl9z7w0{qx0A9A)BHm)n>wR99ye)vWe<
z1~B3|^+8msJe5Ssy02r8H&@v(>=+nD4`P+G9q$lLTp+3qXk=N`^&B0lnAj3dWO?*O
zWE2Aklc-AvNtRWC4}meT0U0;F_q^<^L6hr${qgCfZ{m?(K(+z@gA%bPRf4vY*rob+
ze4e35dGpP{(B|7B7rqd4?5<%v9OIY9FxIgVq-JtR48A+{`IRiMa@J^&9Ot<5X**NC
z|Asu{yb8tNebHp(83CL+a*q3A+jVr*e#Ood_)86PrZtLK<0sF5ttKmo4x$TWvcG15
za}FwdogW_Pa;alA=DVCfjlFec4O`$G#DAP$-cGHf4o@NIZC%l3Zw^0`kOQ(m9Cvz3
zbvdpIfTA(<K_&Jq&Jy5Z7X#$ZRp2jZ2a@U5M-BzyXTLbo|23+En++YsUf&tu7-n6f
zF^bf_`uq(|Zr45l^RiF*mm_jl-~?#lJy6>#=abqdsQ;`z2GPFkpW=Zlpbt~eBgCN3
zV0p#a6C!BE3`&>(#})nG2WcTqimv-X@)^}Bz3jDW39rB^UJx%;h{{ySkBfqmhlJZJ
z^Sg6N{g3GscG+lcKsL{0EEWQ_*k`<cGmr7>2S_ZA+!9K<*g!j6^S2JjV>)7zCd9Xs
z@}uX6&|hmWQ&%Gw_5An=1KL7QiwN6Qd_o(-)B&%^ovyOT$p=G}nS+H5mP?q(^wrt$
zQ1<);Pr9^sWm57^4}zXG2KctO(Cvg8Gn}rvHxG~hi5n=@JdJW^gEa$N%yv@bn|LYR
zNg-R&B$NnJ!HEwVMO|Rnh&<tSn@jD`*;m)&B232eOYkHGc{cAKp%0%5Y!y7rW72#E
zY7xaPX<=j+4TZXVSj#sv9x&1KwfVjkirHi`Sm!=q+rsLhe(aPxYFR*dK$EcHhOt;;
zGr@2|^3|(|m;Ni^TbuiDe(6>Kzyy4U(A}u!QOR9Tld+fi$#7dEzH!}GzHR_%qr?!-
zDW3LqX6Y}~s<>}0?V;3DZj0Ae_ui==SJM3)zm7#$bCVT`jYzy{?@zg_CiN@Zk&a~h
zfSKZh>1m=LXy*LqSLj8G6lWk}oh1SzoGKDO!sJxxyJk2ZKl#9+SAriG<>+WRwBqFF
zR4leo*q3T2Sy5d|2kD+UmJQ{AjJ1Il@nqFiZY_mEz<=1G&xa=BI<WO1RpGY3Ca?J9
zq%6njSRWlfrLpN(;MM&;GPxI61|Uh4XZYl!=9cKa+9<X!@{JI77e3kIfPIolRS4jt
z;P~HD9fGmrYD)@C*C{&=Hznh21hZ;ccA);7nCQ@~%TTP9@93J4LbhWIWHRaO1K72T
zWL%!%XZxF?1&lM`H3G-wsd1(u6}x1Qs#8IgYc?o6z(8{<()lQt?xb-D`hOMXhQPQo
zZ!yZ)rA{kE+L6~u70hE+N3s3^nrpo2#~DT%EqyAtOUe!!9mjRy?JBm&Lh}3olT&q=
z$3RPLx7iM|E^LKv*8Vr1zSbp!w)+MCudBmyz&CAs!BECf$*&&7*bjbn)KXJsVs{02
z_YACYA^pl1PUr<y9DA_H*@Ko_eU5bv=f1KPJazeoVf$Dn((ga?z`Rr|{sg9>;0?+f
zt(?1H6v%C?3^=dh(ec$C1lx-#7z4UzBW@5Y$k-WIBxH}eieV8c=|WDzi`?yH+T^{R
z8uQ6bqm&;aVY)mn-(BLg-5PTxPhf@rHi-d{Nr#qLRKf-o)oF>Us-GJy`#ThV-=2gr
z;KuiLk!=%r8UoHDLzhuQ&Z_rxdB0~s+1ojma^A>btQ^-QzDZ#gRBpsbc1&#u1k$^N
ziL|#F`|*BB;T~X!b+Q!uD6DN5qGaNHM_dy1_H2AjlJ)>8;_nbJ^*A>1f5t0BvH>5d
zOB2j)RI`Du_Y`sEkk}$%rS|~;&k@1NvpYkx5uzsH5$S_wTH$u=6g-+ipIIy_aZU7I
z1QN5CKN?Dl7v251PosG13JG8>&EgupIq(taJIPs;4o)W$&DWQzRf!$N(jv`*bYyF&
zo5Mg0gZkyKbEMdx=&AE^X~UsBwH<`|p@EaH?>|l;`{eS`_5E>|!dq@w<eHH>(CrA@
z)S#6*@8T;o&=r&``W0=|>eui>w+hdGvE8-)8~m^drx8l%$yD9t{1Ne(hl21UH#X^r
zSPcs;Mm!+W0_2;22X}B_Ow!QQSUmA1*4`X_^F2{SQ<y~qi#?)`3~8|s&ru#RT}&4@
zsh0b>F>Oa)6R~vu_HE0*cvz)pW>?p0Rl^rg;5&ZjbIyZb1B43KTT9^Y5!%kcBKb%x
zkM-Jbm98EXmm$X$$3p|UAX4&DV<9~;xO3k`7ki`N{>kZy`ueD6Q)F#LzC`UDA6)Xm
z0l2*u_U(EnD7@9K{jMZ5UZHkMnH-sG?I*o;K}HcoVRbjS5NbH=rs47hfl)y&MM9RC
z!&O{fVjmM^0nR@(^{GwBuzq(0keKP_iLu7NFo*fBwxm~PE8#ej@KxyNG)!jWPg;3?
z-F4~^O^1DvrdOmlMU4o?0vTZ~-o8TnEfl4nut9QHu}I(mSbg~V<yEbUJe(|swFvfi
z@=~SYE%?TBfZwCNl8VSr<<XI&Q}@Bp$gRBFNq1LBA&Y8EM9u2wAe{K42vsY{*|v`4
zQqzReSj8<!Wpg*EHDyu9`vL9aaTyF#A7*bN${hkmlz8_W?C*Y1PH6ufBOv>;+_5_1
zq<RgMi~W@oLTWIGVBC~6PG~?M&hO*D@3aErZQBjpPHpOAymvp-KtL%8PMAd7Z%Vak
z7nFfN^~I*-6N&$Ls<>q2cFbB*r1GJ>j9jurT;a+%>S%is)bv@bdQ=%yO!8u3CUL0J
z<vFuDuEcg5%(n{ME|i);taZu84lbpJZFS8Sn{cQeO-y2aB<UuzY6|NYF)M=^N^Gu5
zCqTyi?i*}xuG^(*4V6ukso28g5YWZp5%{V<lL;WiNr{(AhQ$~a&+X(L=yf%xfY{}f
z)<(MOIRlyv-Gh1$aQjHEp4aOIB{yLm#xX?;W+y+tO{TDceBFoR?G>3p_CRH^>Rr=&
z6)bzwqI+iDi`Uh-)P)#OT+g_By(Z3bg87X7E;$}o(wY@xsAPTH)R?AhYd07o79kmr
z5-qMsOASFl8)M`EUMM=MVyv%B`wb!L5m5XrW%r5OavU<-ZQz;>7$Q@QsR`{#rvCkx
z{L+Rk@1Y|?oHUCRpye#K(h#2rUrmzoO9kao_%jAUqTb8Zg!#^Qb1?UvznZ9DV-!yS
z<b#;_WC9TRvgI8MJ?k0beXYfua{yq1Qtm<k;S=Qn%>o1pl;3>@uB}Ih76o0f=E)&K
z=06&BAd5#nF>PZhUZeHA%$}W$IE6j2Vy$nWU?cgkV7bG>$ygKYc4Mgv`pQGI^r~L6
zR(DlgJ7G(rv3+m$xD?K{=-YJ2BH+fM?l;pWCBR+F`?+>!E!a0_wlqvYK&QH6z<)L*
zUe0hYiWZ?B>8d41!nP)+TFrDvRVuR{$;UG&1}t+RJx(F0mrf}biM4&vq7(<G70W7W
zcnoul`#clHFD-@uK}P$GQo{j~CZJ=1s6Usx8Po3L&)*-56cN2Ld`oA~gUtgXO7*Ue
zcj$*3e|Xzb=kq-aQB`XDN3Wyb6Ykh9J$y8j3<M#WTy=<(_rccdfRh`5^23%-d$Mn=
zhfk0CHlUA_Ep|Tq8FGfFr#cO)!d2Mp-{<Pv$zDpbRKU2+(SJB<B!DAQQ%^POCE^W7
zT+|T*gnJ98(x>T@%DE;R`XoO5FPn0uQt)C@X?@t5r}Qfb+gm@=Ch{zH9}gGUR{L7!
zjAp2i@f-Ew)Q(%rf9kLV;q=KV!-hx%ET8{(eXsCN4T4lV->}=NyCkrFfrq<b#Nk8&
zvau}JhTHFqSMj=|*y5Z#A8Db+rrnn%Ds{zn0EH5^I9zp2frJhBxp2^^F<io-bdq@>
zt)(S&h|YTZN0bYoMxx5b%?y8xIHCh8;^{$cXZt2wr;qjDUgck@=RZzh-Ef@T1!!LI
zgWUQ(OMvr`bi9Ey1@bFx%Ewl6NFO809Ne6}|MUmHp_koI*tfF@XWV=xW6oXU*W(Z#
z*HwxMEjEd{@hlytE4H`&N^h)|+N?$B$mOoiX;KV3tz>uUY;1drVt|)l{Z2m=@X21U
zFb7d#+p7f<amWSaE-xR-aW&fHpYDlQ%c=ClyS;O+up0i0^3k3po_+>eV)|MT>~vk!
z-64Z_i{F23-sDN=;ns2T4N^PxgSBJ$sy=c~(hrDsI!vL+)qVXjIYpe)k7xv=qckU%
zz50-M!6Sf|<Vy=0Y{!7cp&FVyb}+zv0|-hK<{#gHd5pd3%Du*)nJp>a;0OrkB84o5
zA4@T2csS^;S9wd3-ti5O(0Du?KC253C0vz(j!7f<^8{^wbvwkULybddF@%ofe$<t#
zP&2}ayy@S}{~mlu5cXDmdq$6@z`33&2A;XqB}4sKr8HC!aPQ*frSne*u|UAIJMZsI
zwt3>qUU(Z@z!8e7l^a{qJ^?}`&p>UzWP7zsZs^Fs=LR)Qv(DDp=*$BcIXKopAyXq9
zII|e?n#foC2-B3d$jbb(Vy^fv1DmhZ4%#mbwNhlY?(nWPpBv(woWz2R5Pzs~wZ9iV
zsg*igf=^^XylkuZ6ELI64G6Z=H-6Nqp0tYNpgIN#!r486JjJvu@7FxBh(Yix%Fuvn
z_3RXhj1(2m6n@4JHj`;%P6uaKmSRPQ&!BPijvo2Ket{!HINe|47@_|rrp$z}=$%D&
zzt0JlS(DC-bUo{?#ODQqzY052)V-!;?Z{7JjU0A;Eku`PWjo2s@OR9!ILVgaVcFV{
zwpKawdH*Q#&(KPZmVFF}gE<GJM68J;&1E_86(N|?nE*rFUf<HgI78A2P0Y#-i6ysF
z|Hy+Qz8S%_UG*r(@0{FGR58%7w_t&$<imACE${4TEWgZnY#8J!(A&_kS{`!ouhmw^
zFlqY{nI#f82j^{Mn|sn}Fmg{6J^TTUDs1DBMR<8(OFt%rODU!BbSrbPuOzR4-JFN4
zih<+}1%F|9v0W&C{LlC?Yp0wkrK#Fa*&sh}*j5DIpf`(Q+?Kq%nPhQTvbq&0Kb&H6
zp;9@*t6-vF-+<vZ^>$AK7$Vjq+jOnN?ml;S8Tjo=h4g#cPUG8jOEEn``p;;BI;Qr(
zeR;Xd7@^O}p-R<=CFCCZ_USTvs}$fBuBdTT*DPC|YYiP<d*7e1n{@EsiA{oya*uX%
zL(g#bGM#x=`0~@@HyZO}XiN1^KzrG0YyY@+%a+O|qrGPej1Btx3k%dDfYcmHXsDel
z>EoQQ##l$EEUy5=^D7FGc9chKBol=k>f*@vaNKsD6j5m<&4(k~1ghtinY9#nR+l7o
zeAVfvvNB}sj8gk)!!(ky9wi<h6EVm-EJ#wye#>eNeCRtqmgjxlSBBwAK$Lseaam+=
zPMqbsWr-Jb2>}hndTmmv_=ec4V)^1})$)EvcM`J3bBUGi7t<9F^WCP~!IC?KQ%|Pl
zNM)$G0MN2m8)1Tqk&ur90IX2sf>HYL>Ej)U!+!pk9?GicM;kY>U3;mdp%Y;U;ibp8
zXGyJ9t2N+`U-OD-E@0+D^~6+;&t1|2p>V!U%^^pCYL9s4vQRZh7fY;x*y2&$h<Gom
zjpaxjd^JlK?Ah|LKlIG-*c)gbZI^DAZ^)tUGK-rbTQ-4z*k3(K{U3lH_pH0ttMC#i
zB@mnjwv!to<qeZtO2YujtKMipYx-Mq2_5XYW}9IACh!WV&5~<h15G_Qh+Y}f>`|Sn
zZEL|@X!2!i*jap}lk?w)LVq<LWF2Z+d_hbOG_UR-Oew`P+b5|yhcet08IOJs81IK1
z(Wxsf2~abQ^j&8>KlM1jil4x~LSgR?YfR<o!|ZGa*>AZSN&xM*9_8tpWuT4(v_+*t
zCfRER+sU!cvvdPAKkS35v@S4^v`J}Zy<F`{e&>iYZ13Er+5R5@T|lD0n9R1`;?;N!
z?fE*)?u=TRm6D-H(KFny5H*rI2}f*d#Ol^S0dI>)=LDmzvCE7{TEd%WXvUBXV}fr8
z1RnsD@xO1Rb3F-9ipdJM=2p<7qqaTN)#?UADa`|<v}Zbq7VQ_obnvFM000000DqRf
z=ccE*8>Vu`N=^!Vf#qYe_g!Xa(2EtwfL+u;fYM8TlR|^5F3O|3gA%BD-u4WTY4PC^
zH{=lVgM&e5h^>50Y9r<Q<^<H5!l;7h5vpsbgSRE^5KE(7Tbi851tTWBY_)*^Jsra^
z>h`!CWx?vG^(_{AuqTFa6ZS?ICSk#5=a+4qaV(#44cZ-v+aGmIeML4H!4awj(QcbL
zWVnY-{wvtp<s2`Al`KGr-A8NlvWcb|a<ACD!tIb*-fhG{!kE@)97`qsm*WxcCv1Jy
zR~ufz4w&y7_>slgu71g+17<2C!&8=n|4{Qo>kf;XSy^S`v|B)KXOe^BT6G{U2?qh}
zfvcB|1jOTsibvigk)u<p=O~9MlqCW@FDqjf(!h0M|L?>#aw5YO3p$g3fj{tN(~oG8
z#2U8bL({9@H3r#QZyt>b12YGCLbbv}vh9%kNIbm5Tr*s;s{khx5pPwQ>e<VRHxZY@
z4YVJxyrFgnPlBBMTkd9woKFSdTA`uVl#m^qN;P^7!`AM;qZW+geNsD?qHn#%rQj1Y
zxS1y+ZrKlZ{R?p&$<yBx-CoaRi4+T9wVwA(pyECm;NpUM-r5)#el4j*S(WM+XokGr
zMh1X(Fqw5&o1+6svuI3{?VMKW$BKCdmt2GBX?6BfPZ>1p*bA&e770aq2A*SZ0c4g`
zgcO)c(f^wla^xAEaVNHZiiHZg6=YA!o&baFn}f;tjoj<VroTNGYq@MwP1+S8^@UHr
zVRXBrO<YTyH87VG;hGA#Sg44b{hMA{Iva}}78M5PgqfC2Cqu<MLY@R$uxKAaz%R{{
zy_zz|2o$O?CHk4GlbPT|P6#POG1q)=$g22cWbjXyc}u0+F79Dad(xyIRbGjHOiS4G
zMZA8J%`m_n=PaLt{oo#b4=q8y^yxM)jy6qbci$_B1bi-Th2XrmMLvN8hHxxA0=^GD
zMQzs-{0XJ5UEjpj7rw!LQ%kcPW=af;(r3p8)DtAD3RHV%Y5=kqP32<p8YI)+oL~rQ
zBs4z8_*aMmC4rxYN#(~SLF{qNWvfeYd8d=P5QJlQ4UkE+Y~O7_09EeOse1{b-~Vxp
zV7<yf=PNT@8%au*{(?4$qHqVo?xoqB`4T9hKIdGF<{w{{HRUoxoWkE+E39l0U+;QZ
zZ#L``0Z4@*V_4}Od}Znk;XY;}MiN76`<D_5Er0+Czyk3;bL7+AQ`W8k06=c7eSp0S
zbk4EZ5lHBR(&hl8y`Xz1W9_?2lyK&b`!@EA_8!*~+AQ@B9{%R!p%?`|$O%e~O)Pi{
z{oz~ygB;J6JqjLtOWSOC=dOb(dM^dBG+od#B%XQd9iSxtXN|h*wK08e3wu!Qr{era
zcT7g_HO}+LbC&uFwgD(^5o%R(eQeM`ZQ+J5EfDl7nncilaj4QH^xz2ebUZUFC$ATM
zGYGW=fi!K+EX{_B0C;DqVJ_O!eMpqPs*f%_C8FfgE#6I;n@u8x>&0T_N#}!(l(vPs
zFt1O-0YZABs(CvGHVDu8+IVdr;~s!mQwFhAj0h;?(|eiI5@6jx_NG&y6N7PW$>T3+
z1r3wirqQ0I?^S*nA^F{H%0WFI$}Hioa+Ir1A7=y8p0wbnuFweDMdy~|S30AVn=La)
z3p8~jQ1JaCyN5^m{Q+$9G0TY^(MJ?6ZrIwf39Uc?000XrQO6G&0Z+DJ+?dATD8E}@
z^ff6iw4HP*v}~7|z&2B?TmLePyWhC2q+5y2&#7vtKrwo3e}}2zjiJm_;y!oKvYALx
zXK%&b$c5Ut+ypKW73&a^1NvFPdkZR}Unwg7{TP^0Gwa-f*5}9^CMU!EBB95KO>Kl}
zD<nNe=HeE*kN!A)3kjWr1300hjk_f!SgBt!nc%DUZ7A4(*qx<yy~6`7hBZQV<cvZ#
z2P2;vLDfO??ea|;>IJT_%tA{X6Pept4ZyH%ZiViM8zcah|ItsaBDRP**PPcIBoCt%
zeqEYgO=)kKo=Q)3b!=O3qLvYgc#@sVjmXZbKWJ>9TFZIhuoQ7*SjcbdZ0EM^BZ@b&
z8E0Y4+Yc?Ne)pGOeP#tKlzr7dsppLcc}*p}X<xb>c?aicmGF^#2>2%Hcl*E&X7vY;
zy?G>RBQv~+01o@!r#VTWt&zs~Vu@<!lvM2$yq%S&zXKtV1X-EHlK;enb+>m!qNIG*
zav{)QA%eztg(=RAT+paMFvAOdp)X-gC`vh;6yZt<%qcUT%#k*88x%ab-gsN()WJx8
zL4L9uOucowrgU65({3-j;=jGkBzIj_kyAuzOh#MRpQ&rPG8v8lziQAG8vSmV;6L8o
za~WgfAO)&Q_|=u$e)jS^miv31Ir#VP^?Dir0wvfhLVDjRiSAtQd~>Y?o_v8S1lTNq
ztDv{2?P==_FgH_KnsTYYZr%p?LZOc_CWPE&y&$qJ8iocUg3;OQonu9Gl`m9i^@ji?
zPKlJs7s?}(?H&sgn#b~25E1<vAe5DNPu>IO?%FIZ*z&EhONrc&T$ij{pBI{d00K$Y
zQ+5LX(@q{L5Tdcm;MtTRJznyio%~xw;Phcz$zgLxEk=sShzC>01Uo|pf5TN7z-JsP
z4jNo!6>TZwCM~kj7FOx3&A{vnU}S$i&*i)S#||N^KBx3XAG@xX627ImhB?N=TCwB<
zkzw*?#!jdg65Q$8*odSi`!&HjpCu2h%Fc`YOiLM_PT3z8pQs5%Rbf9M!|};nrY82d
z=f8wGe~TF`Q>q4!KB*G`8-w8;HT}|Xe7{8;Ez2Syy7Dv;o;U^R`^VyyY&~g$6q;MK
zQ@fg$@idQ4r(No(j=bBFRya$n0<ra*b~lpIE0?>is(#u;2|v?u@NvT!m_$HPnOfH2
zK)iR0T`bTTwz0bxl@uOGI!RPBWiF0P^;c$>SyjfRgTM$7Xka^3!>^Dydukm=t%!rs
zsdKoVJCxJlV{F1w=l$%!+{@W}qSt+J0qY{gXBfuL!a#4es~}9N(|JLaR?Ms3p{iy5
zqt|rh#Xo;;Vtpm*ibi522l^?-klrK)_oHCqOw11-HMv6f@;KYzMi}t*oVN0uc-41e
zrLRQ?G@{-V4e<P_RiNN|w=AlA5kRFQ(gcYX1Ooz2LqFs?3iiUtiIG4OfeI>je?qbE
zgulxg`lMdc>n#|79W$fanA})37!@LCDcqUBpv8x46V&83o#M|9q*;4eVsh-zBQe76
zQ0Qh$B<#c2%I7E;c~ecsj-2CX@nU2n2*e0*>gBEhq^`Ez{yFMkR#+dup%_}pI^xJ%
z9#zh=mFl_};gWGaO1|DUrQhEYb!*E@^tG%6V$&t1j+Jv~%R4&KX>)(gc`4%RVHB?{
z2><{?2z}<JOAd_C=9q}Ya`-i0L6v5`cq7-UKP*V88D+&-*B6dY2prtNU}b7^E1hC+
zI7VUNvrGND2iO>;eYnmp)yCkoRPO(Ev|3r?3emlgNz6O6vU{%j!-WDv+6%p-t9d*A
zrtMYl!Yv<VUsk}~WQ{*V9aTdFgY!{uqz_!P@mQeX#5j2>BDA9h{D!3GJ0s*znS<FK
z@RU$f#WjUoO@v%oyxryP-}cz|7rk-k$EXAXhK2edV`c+UltwAQeDCC#V^rNxGZhR@
zgF2uIDKocc7G*~s)ttnmfnZ1$rMOqu4UNcH?v>=1GZkx#gwWUV0j+T7#~To<1?*G`
zEUn|3ZZHFj)p^5}>Hx+Q&s|UdvmKntItV{|N)B2ZvCo6LrSXnn<RVVZlE#3dK^E?i
zcp8h>K{Rl?%rc$x1p!#=lr!7#p3T@2+=c}alvQ~p%1ga7YSfdAKL7MPbBekZz%{+>
zz%4CBF&|Z|hGh9GkzKBhN(~_~#Tpqhsld&o{dVI*bPFMXCa0}%WGim-XlG->tyOi>
zAeyd%zZ%5+?+5;1n*q$l?Wh9@a?EO3#cPfu4@s}>z@!j?1K5fxP{NQv<D#W5JH=(y
z4DB$dnr&{~9&}p0I5woTM)J|1q2oep4rD(%Q6L;awq0m-_fR<w#g@vlCbG5v5b^Hy
z;xW_1i|XG$_%aRqg~J3Px`XoPhC|Ekq<yv&EM8J?!;#f97CAc>>G`ls##jPn>0I`~
zQmvR|a?==ts;^GWAT{~es*=>yx<QV%p*_m&2jp0;7q!VwmBxH-f8y?v002VPH&hzX
zxKXitq7z5{!gmE9<%ybG;HW{^q_6RisbC_z*XiD^AH>Q8Mx;}}5L04A;2*tRuOrO<
z-0J63KRA{oG}|-oaGdpr1QO`u*wr@M2Aq7lz<_57<a`zhiCHd4_m<F&4y7MV4Mcit
z8Pzr4rpGgoV{3Dz&RAnO2uaqm{h8nwq8W5>gp>NF^&USXn(LQlPuaJ;C1%}1gGcmF
zM9-@=X-B3(-l>YMla;k+ibny>V_8sPQwNP`x9Kkl$(2t+S#9vJs6r_$2$aaH8D!d?
ze+%O%1}s5S$?@i=_%ouSpW5<sM&2737ADeC<E0ZF2h~-HxzJU)N*)sM0M$nlvEg7C
zuVd_G{Od{!kVtp=<iL>SU{=v=ViYzmDZVnq6<9BDHzVa6j<Vgw$<8d$k`Ez&{Nb^P
z2!9Pt7C{r5`dIK~TbAr{Aw$vvgAndS^r0#mJvQgkiNQCVoo5@p`ck(k`wyj||N18?
zbe7BJz7p+6k^sRJvQ)rJS7|mRO#!6aJ2{U>18#+HT8bpJm6yH|%=#SZynKA2{hapZ
z<4Po$8wJKWkFK+7k+E%|Gy8`ujhMx}wk&M3-8r-b1mAWW1u#U61I>X)&rxu^JezR)
zeYSEj?}hnC&d``6s%`3ePP5hN&2g%AoS#&xYZ-~vqT>nVBxak(4QNC_yUBf@w}p}q
zLADZJ#>*!J*)TxC0RNTeoW}9>)BI#M2D&qt#N#Uy2yZl25gUNbe}RXpxk1GXC!lSP
z_A(0M=i-vE64PI-EjNcL2}s#VHoiE#$zp(=LGe=NTIw@Y9|{2$ixfhR(?9?Nh1K=9
z`UWmUnwftthfJ0r9%19JTenuJsBxdJ@{93Tk2ra2#A{Ate9Z(((zK7+mi`yQA&Y&O
zJWQknCz8{JqiUeKk+e%;pjTXqpz!$fiu^{x#-4Dj*A@+xY5L#mti~QLuU^wF>l7?~
zoDotuu|;Dz8vJWbgNX<;Zs(4=*k~5g%I11OCYh6&nS$&^XRP-j5-Fl@2xf9rU`1r=
z?7d%P1nW^<`kecU1mAbPl*WMLW04zWqp)gr#5kMhnZ5UV+SHQlJVzg?!7+30KDj6s
zB2v*<ivR`E$FpyX@q>@MgiCvv48ST?qdrik0kK0LtJtzr#N42)NsNzohGWw>G+_R9
zKgi>!szrLQ0~b1LY5i%&`{!YuRcfxgQRGwLfMU)aBG{(?Vd8aO`YY;DWOWux6f;7e
zxbV%38Yt5HJ1nGEWk@v$4_h`k@VptJo<awf?8EVox~*CLe+RZ90Y6mtj9fFY;=LJ{
z`9f^B;a}mS?-zO6Z`A1BFGf}Dq<lFG71{wli~Va&oWPEIZR48^bZ^j*DL)9(V1ofS
zS10<-p@o+1cwl3FO0q;#Rv7Gm8VAyQ4iW_T#wFr^w|Q_anfr&G;D!zWY5ab$jB3I8
z8EwV_LLoFY?gs=j*0AM*=S7n|085UQG66*AnTp$0W#_L)o{p}-l^d}$+@R>)(XAf!
ze1hQy>w+lpS9T4R^1g8^{J-dfmGR~n#w0Dps44#W#~&Bw$aIMtepPiuC+{*A@p(xC
zeOQJiEwwHRV!rrnAZj}$qA}}D6YWo+BLFf!<J&^NR%e&5CAceX9QY0LkR+0}W+q9k
z*}#Xt{5?C4QU<h0hGB`ZON=4rtPxxw=h`SfPb`vJU|IV7@36hRAF`jNW4=vI{FWhd
zYSeQS1*`s=es%_ne=vs})uP+dJXly#o#Mz&fjt%<OBj$3B8wE-7ONh<c^oVRY4DQm
zv}AsZCSV$y5{T_iLHsE=gl}teyi0Ym2kO+KM*Z6>wMX!L{qVF)f#O^43|oq3smeN-
zj7xYZh}~_#Hv@Oj5AQ5>)SL%Q!E*{ZE)Ot7nhOZ$jZ*L-0P|)Z%Afj@1ar6LN26`R
zK3;;gKl50^xLC@$xAi20qsF?q=QoOPDbdz!TbAG(m)l|j$+@jv;9mN=y4Y<p^dp}3
z+|JlLud?$*mlDT`ikOT?5mWcJ=CNz1Np2TVUnat$vUz~imLy1PT%w?Cb@Q;0p!Wog
zHK=$512IS@1=ti#&?DvjuWA#X+5!wh(pR3xf1=qqS4E0-G;7WdWm%lC<9|D#o8H%u
zxCLD&mWylkUrnX-arJqEcTyQD$niZ?=8}Bj36;1$4_`3%ckm<6C4qgnv1Ho^0)I0V
z_@Z2YRlrCgELL4z3v0z*yQ5I6uvBoxHu7Ya)tFHDuF!mvqbX$0H5t+)&XdflSxwQr
zIs(`>QUS{ygCK%juqflS-g8Hs0n7O=n=Z2-2z1iSWAW8+Z24kp<ag3qac6I-au~-f
zV%vkTa)$#7xG(4<-xX*bsCSL|Jp=;&4a+aSr(B|$eaIdG;<>G+8|7Q=v=^D=T)wga
zU)Q+Z8}JRliPj#UqefJwFTT(%P&KW2^pbLDM%M5mM(asA5_@s#5$^61M1m&U3=LUL
zc2(s2Y-3`d7WI75*k9?breogzQJ#4jJ~7<v4xaEj-WG2(OU}r$*77#}OBMZM_Kyp&
zy5m4fGc(4v`mZz@KpbkrCcJSiJ4CFRX4=0j3La-gd;i4dOHfTK);6QkADSd;Wrz%M
z!aGxYLrDW3EL`&JCsKA>Gq}>fQTJb7I<<vTN&$<vxsEvyEJq+O+o^xAK=aYPYKrQ6
zNg7_4%L4Drn;mBX%L}XbC$z*yKxbI_o4JZNa)h?%>~|lK@dNn^7|D?5`Q)tXdKI;<
zeovABYmSEn;CFz%yz9C1UaO-aO?g=ioNovd?wYR30AhXVW?4lX>@Nc07zSc0dltYj
z9|4uWo#=nrAtco-qt_FAnJcLXGKhIKaCB0-+-w_Or7GJW=Gw>US%G|OkU*BIi^>7K
zCx=p+n6_f9-Wx_$`a;E*jN!MgY<MnD{$jw`XSeo&_u%iU5jp&yCkI~Pl5pg33<hzk
z8rD5oEcsO}M(*^<EL9*rd8qHvQO+|D8jjsI=iyi2wdcdaDBmbBgsSKx_U?<#(?wT}
z8KN$$yy``fFKkwaMQ?~<&(|qhM<GU{iG2^h&CBG%)=J^yvvy>+2PYv`6iP03Ye?q6
zEyeL#4Vr|~&{J{AK=(ABH)h~}NA3VPY$hl3DTR2c`-GSB)qiAgC@*Y-%+=#AKeSWu
z5JNt!6W@H;e{KC?2BLoKIgkH^HP|v<X-;DpUZ=2NGrK9)ch$HJ)P6aa32FPSk#Pd(
z8*aDat~~N*I#vY$BFI&cu5}B2gYH*(Z$~SLrkcOLYMB=E<7Qfb0000Q*k-}2%nxIb
zDNM<{V}_}32QVluuE=7_;udvXS9tF@#qR3YWdVOlZ0EED%Y~DLMR5cSllFWDPSg@X
z+1$Lmf|LG+{)m7|gJpQEr-piDyJzbR=Fq*J>nXOO-QVKC1oYA8jTobIs+DeFy2l2f
zQl*F_aj?}1X0hSpAPH@(!kvQ>AN#7oXK7}34>p&nW8s{(#uIh+9T`Yq^R0pof}K1`
zy3y`}yAhWM&OC66ruIVQ$U@CiJC0b*QoDYvsJN$h#LMLUUNMZl;(8aXk0}?PKh97f
zNbn%u5q|egSeV|I0a?<yh<nHE-^ib^vpcR{H|vJnrYj>gFaLf`U@i<Bp_>jKfcD)O
zd3UBLZXFvkuYD)0d!o|4w3sozofdRSCjMHqcjaFMZe$V8VC5OVQc&R)k0hacITOGx
ze~ttiJ|!^=QY>>sz0#p677*>h%GYo+`=LZH1R~;Aou|Z-S24vySEKvt22T3wOrH+P
z2v*hc^ij5pxjZe<b|W3Zm<dvIOkuE!2W^aFNIg5XG|gco+DuMH-{u8*CNF^p)8f~$
z0DE8p&n)c5?HatodW1FLqJgyG#_!jfx7Z&5n>Xs+Pj79qsr>`7U~Udh!4vugb6-n|
z0}%TdVeK6>OktyN9!k75il4S+cEoNNq68_R+Om{*Y#K{PkRmqL8!MMSbB!t1Etlit
zTW6`vZ@CB2K>*E2o1>Y?@$DqF`S$*M-w}&Qjr^>(!urMOf8m*m4H}}id6nyMCAX@>
zVdD0WmX$a8zG!(VABeV71cVc3S8b2wEkIn;!^@PN0vW*YK~8w~N^xnq=v3$I`EZt>
zyo?Pe_xbs*ig18&t2L}IA|w8A{+n4`Ug8et)D^YzZG^PR{6DK2h!V+EY;!_$E)jp{
zYjVC!T&zxnIdh-})S0vPyw;p^_SXpdga>4lg(~fa`k+PxS6#d;;B?izfMpHS;h!uf
zn?o?0`pnmW7Yf*IvUU<FY;851T602Ywp~5h2Vd{OEt*XiAD#a5LqP<KQ);k=m$q(P
zDx8eIKKpUck0+HBtr4Z#*ICIFKMiB|d=>;kr|m~NcX`bBp%6GW2#pV15m*8i#w=`*
z)yY{%8CWXIgsH-X8=H}bGW&89O7*E3;4Z7U_dSEPGyN|rLJ9j~;1TaF%LS?{IWsk2
z+7~Ig9&#RB_UJVmpFnAwA)FemzDg=4bqw1@z@FzwQ}i}7yN4^9zTxzM#mJyTg218_
zac4Hjiv1A`mdOAs@T~as)yE%)iP5RN%hcf<>0hrjm7+W1K+o`Q@wO?|45xXo;s>u}
zRo@9<58WuWZw?txO~S99iXWC7Na~I948<c?K!<-jX&wpIqzOinYV`Iiro%x7-kywK
z`Sx(0Mvy5JI@F*Cr!DztwzvW1oiS4}lRqKHD8SO!4kt?AJM4u%sk`eybXr{BC&SYX
zH<u2+_;P43GNKV`WB7HisHk#9ZH5&qbmF&BMdQAR?h%?sCOw=qcKh5qOr-)M@)QOd
z|KVVDJzX{<tnpAyYy*@LLC$To<tk?3kEBTP{0P?bwH78M*PF}6n4C$U(>VtWc|-85
z(oPa-<9H`MMGey0^p9D#=0tREW=B24Fh-~41D%E{oGyy8#~SeRBOs++v>DUfKaF;8
zu?e9U!6d$n#Kk;jxIh2^SRfOjG|FT$hc{|kWA)>cZ@3imhijEIpL60M4ROVshW-$Y
z%WY~oq>}Pt%X(NNF@@ciUVAzPvMOLBx+bi>F7;qBVSjRTC!tAHF@XNe+Rd3dw~bnh
z_NngwYQli%I6tH4{Xj_L880sX3r=U?edSun_+!_8+j(TkoY&mUHCtdn;*kGdOwI&w
zn+D<sv)<V#l8j~=9j1tkE8x-B7u$nyXkXcfW5aqLuHF`_L+~tI24^E$;!Fv4b*$yc
z3vW8)H)I+4!-$i{$V{}?aYmG1ia}?Z(-k~?e0+a~k;oXiYlu{uW=+W~7>=s=YjBFC
z7nru3=|srFt-N6*0o?&agecyg80Gsqa^`qUxt8UxlzHJ&d}YoPk*f&@xxvLXRtJj=
zH@3o^J97VQx}=uaVkrI%(XxLvsC`I;Io%<n<@7oI$^KnJ3{^ynXW%K&TIK=ObB0ig
z;T$qm#_<A|c#^oxk-Ut^0w1&PUT8#tg+anx9*t73)Ta>{Iw~-@QUgZ0jN@Ilvk~d_
zJ~SO-A>cc#Kp0Todz-c%Gte0yUoLu1<a_Ha-^s^mDz4-C+PdaU&*1k6JY6Cb0UY<7
zsqk;T!beBhM&8VxiY}Ttd&X}WlR-`hI1->v99*80P;?Gob_mhLa-CDwQfDrjHeI{8
z&v<J=;^z0um+k&jDxpc&A>R6IcDC1^1zm`29j2jyIPB^;nF$ZA#elCrGod`vs43+M
zR~Hdwa>X|15eg(=-=xB<^s|rHeGd8%&3)FHe3m=3i{vyViM|;j!wNrKEgnwlSCV+=
zZ>@7%>uUL)mOaMl0EJOfhagJ}k@8Ivs=Uc?RwtDou||QWJPA#*wq|qqDWEPc@1Zx-
zCp@d-S{UN%mKHjVmSUJ9r#Igr&(u6-9QPL#kR(4!)wp&ytlmYn4pGte(*hxS1y3iC
zsyD>}1{>uJ*u4hZKm+u6f-53~NIg{j1mvpYT?3a)i*fnWluDK-REO`#QUC^QmJzLe
zS{v46TjSX-!pA>HO@D@;V(VobqY&W!<wG8Q+!&s+1_t7(UQ#}R1?;m$POqZTN@y0P
z$E9f)84zvPY$fPeTq{?4pQYObVagUOvvgr~8ZZ8G4QPH+1u5c)g@B_P!~j84!q$A)
zhmmKUHM1>^H<QfSw*S67jG7?o_4NE@oQ_jBWRa#6$hxiHM6owwXjmtgrfaOj0R7G6
z0|4E#^jl7@m?$+*m|W=-zX1TfkPJu;e03yamF}yOJJAq1To9IO2i`1e?VM|QT-%fL
z879VX@nkpmb)_XIAD4agDRcva^2Yz?oi(+qul}zVKN3wD=5^LS1(E@uf?e{jI0y2`
zSOASg$l->wuG+qw%j`WYwM8mcT~?XrrRxZS@cO;#HG+`6P=;dw1IdUbJHgJ*J=UQ+
z&u0#<(I6d%o6wT)e4U(<Y^}Xwz?vd;%$UvVpJAY87h)|HN{>-7U=>lS*Q#%A+9CPW
z<I8M2)pB|zqJGB`vPWDL;Vd<&R6ov^A?Lnii??0*b^XeS2QF*jpDDE4fR{^1nt7A?
z#NcibOawshm;Cl5!Gw0NetYuXKJNK-TL2$;gN*>~6!1lTW68iw5ZC}2(VfT-nPfL0
z+*FS*D*#u;Htq|c_2DwJPE~f-l0-LA>V&U?A&4DCBP)M%tx2jS`cu;Pan$DDXujD>
zhxL@KMjnHw=yfiqFZ}E(z%lcYq45zL$Ff#J0L^d`DY4U+DMp>1%Z?O>)@Cs_3>p1}
z5wS{Ibhw!QAT@zLcOWc1pPJ7wUMpqp4tjl;DOS7F;q0Y@OVf^1N$pL<6S)T%lFx{-
zWbLe7O2k1pB%t=eWI|*P74xN=Hj%qxQ&>Agx3)!JlZZfbxTXhf@Xj}82aCUI)!e+T
zXUn66xbv5niG>Eu!ig+TYU$Xav_rrs_nch-Q(#K5Zo=kQ;cuf2B6_+v3_}A8ZjjvP
z%sEqJa1G(oxxiH@tKn~>4I+BJqV7}U2-H5E$<PNTtFVTydR~`m#B7Opi5q~}oH;<=
z@i=lW7kj3XJ&eLS=Rad$OfMn$Oe6tE$Gk55igW<G^%^(Zc^QsDXe$NbcRC7(e*uIZ
zWAMGcLghSiTXef8aM~0^cG2yKX;f7Q7G_o5iv#R!v<Jyp{@#!%U-)ill<^9*dE}Oz
zN>wuh@9SQM0l*p|;0;O{2UmqdbimLL`?iVnw7`opvj>CukCGX|x;FG$s@P4co7pu0
zVMgXPXeW1JB7cO*74hUZigQ6AwPn!3RWyQ&ljzTXNN?<E05xO5#aO=RAhMXDFD?2q
z0+O9n@Os1oMC#L_l@f>y?0)8;Vh$(hK6#;oU|BH=(x$W(eqq5-+Aggs94s0u#?W;5
zlBcohPWn5d;Q?&oW@Z_8TNOY(xA-#avNmRe!iUvBD<`um?fm1o>lt!3tm9nbykm+}
z=DgNfpMU)MYF?!qX#eH3XD&+1GDe;x!8bY?F><JBWul1b_kaS%p7xO_3>B^G`7$2J
z=u+z*1yi7Uz3HUfL5H&tBKTp{{y<TC*2(0CJyH`APImX_%;wtOQQQJuF(mnXd>qz$
zrKa@>b;dui_bnY&YOe2^ojlQj0)??=R-2a8>@#b78Mc$I!qg*8gVXAxwF6EAgIFP2
zqlkIt>HQScoGC+9M9%1YzD|-*x2ySCDbx-QIFZ^|VNJXajZ+A(3$U8@74$v`0+E!=
zHT_$VNrO)8xjayLa^|N36qRuj+c`miX}HbHK8eJ1F8Xg{wd>}6FbP4%c5<*FbCc6q
zG-ZXQ>~v0s9WPxFU;xB@&z9&}f$?OqD8J{a3@UNl(uPgXIc(-XkUudW*pYRXGcXI)
z%=sY;|1+Wvy!((8K*gJ&Ak-l@f~YUHcg>yOz28#`OxH`ycN6)2i;kr{Q}(_}X<7mD
zTaq~2MZW<&WN}>p#@BdL9X|K)IGq=;SND$Swpq3?7D;qiyZhqw()~wvm?aTD5>}5g
zYa?l>(V?A3LXbkr^Kgjpe`}yQ3_~sSS+$>)svYb_Hw;cHkAol+x%W8z0FN)#tFmu+
z8eeHVYZJ*8^ypW?Kr|Rwf_G;OSPn>j5G#56k3+>CZJhpCI)vEFR%v7O)nPJG$O(JC
z5F_(Mg%}gzAs;}(-1AHuw|*cmTOJu4d>8EqE7}_~X$~Vx)$=2R<;Qp)=}v#XAl%gW
zV>{YPmxw((aSH+Ov8|}<Jbm}VwkK`efeOuQ%vpAuOxIh>f@dS@j;6W^aN1$>hM(IV
zWs)cI4sRf?m{7aOF<W-&nG(`dcT+SJS%6%h=SnS{z8yMiosH7~Zq|rIQ`g9C?NCN)
zmfLN2`=v~aQf6o_3)aFNJ^&?Xi5);4k|FZ{9(?~v$k|jX$B3}`>X;qVRNf4yk=B&{
zTZhuxrGU|lGh@3}&Yzd60O2VbigF61^VRPk!)c?r>L(?)MW4ENQo5?aH5i(zDUL59
zOJpG(!CJyLfbI92;~&Nz-$g!=h7clY4HQLdglpSMDf;O9SL@$%YowJD8J18AS4*4>
z7OH!W+lT6ng<=OM2YJ-@2d=UW#m2}g&1Hr*ytI#G?y8U7BSY5THs<(`0|=+)GWmss
z`YdB8{Lw!ETc@`%d7=^erJ1uZX8+LC8t-AmKM<sS?6p}!&H*v)*oKw4g`QcR-3#sX
z#2&Kn4-q(-qgviU+6nDeRyuP0WX&zJPA}idUZo}y*EW8+=$1N4CWgZ@Ere|N>fvV&
z(*yPI(=d$$lf!)wH3ar8o*}utJQeJnJ2`?Ww*kf^z$fg?WdDuzZ>PK;S`X<QHQJfa
zBRaF4H;p0)^ZHC2jBjiUudN;uC6OvYSIMn$TtVK=(-`<ZgXS-Z6y<=9GFTm21Nccz
z*?R(-uiO9`+2>MplG0x68w}mjEojHJ?nClwcc?+4pUl{LSn^&rYy-AxNcq8lX65?7
z>xqj_w`@N~8FNg%uto^b3D4G(Bp?HfxIG&^Cs;xiibrN92nkzWBedwo;{zz)h3&5b
zcRWBMEd=}*Pg4ZUS4qy5lEnXf1UpjVpBP&t!a+Ssz3%*~IiZUBmt2SIAXG&(d%1XM
z)Vh*|VQamjq(W3rM9-+uX@KESNQ@Fc(CAdCjG^0%oT1KG8W0!n`(}RS75EcQBbE>6
zY1Ka%VHh18e7_)`7`)@$W+62TO|t_rd)uYKr2wZNkQ7@{Kl&ovR=V?i4OI8iD-#PI
zrbDA1;#Sl^?|6@kT(osm$6#Ze4G@OQ*=boUOdVTQPoUw2Iv>;u+-soLH{Lm|MiF33
zO;MlOYiiBSJNe)-h-8~lNC(g$Jg9F;uTqXBJFY9G^eFkJ?O+c$@Roh)ww*H{His?+
z)+X{(Vdaw!4$ABn@2xLktSgX$TyC98h1VGgzKVQmaB*f~E}vNV+RppZKZQ(=bI})Z
zIq{PSfTk7(I$SMRo?+e2C#GA}61QO@`2=lBHb?G)3DAMUiIi`cDKapOO-<RULSCi4
zCPCAQxV^Uh)iqM^695zWN?|7Wf!($wGkc|tm+8ZTDIf5wi)tL@umAYffuUV5D91TN
z-AFD_lt&hkD#SK$fN1}iW?_#)vP?_EKIVAmgd$K-(1oO?&SE_opnipDdZ?xd*dh&3
z8C<ut#$&tGxvYzR^n;bz6bevgtpET>HH&AP_zBzhrMudAYGDOUX^&pLpPqdJTRdZ|
z9Q@55fjfk>$>>8E8{6d&+X)?(BG9W7pkkq#X>mz!X8;p5k_4+Wc?7i#)P5&d+y!nR
zNG8?ux?o8-%bPwGcP&OMYTQy44c9WwQ9_xoh-e!@L#~iZU{d@&rBI2M4gNKSQ!&69
zPcQ4vpgja`Y+dEu%TULKC092r?xpN%Fd?~M{H06;_%2!VG3&r2)H_A7JwnMz#nnLU
zXR-AW&z50W59B{i*w~pu(boeoOOiQ|3N#s!T=uAtFOq+7GV}1Awn|lLbq9bBJ27RN
z6A9ZzvIEjYLe_3}li&?Avs$iyFs)B}0QV#IR=V9nKmAR|W$7l2<f+fjf7y;`-^<4h
z_$$O|WF8Z1<IXNwm2E=9d$T_zyQPzKL0y*SAg<S2mzV^3$bbUs)tOcGMh>OTvRahj
z5--(}%~GZ&4PE$7wmdWwUjw&l%3cBPv-yZM{l=fsD$cwE5a&nSX~-Z)0UTrF!}qVB
z1;CNUy#lSJ&Nvv~*Rq8&5fVR88<Z~nr^vgF{5`96Ko?B5hNSL#y>O=o&n<oSwNB!I
zjOU92%z*>ekng$;?@N<}4<IhGk3Hp8fv^Q`tnFTqjy_~@Z{o{zGM?(`Yxj7_T)}uY
z>;-HylFI@<$jv#|GEPa4%^vf7&~+eBvH0@*C28!xN~e9D4JXkf*8DsnazWm=q5Vya
zhMq^dIGZPrs^YK_-hst3T*(cxr^zUC0xG(^b?_#fM=T&3+$hR=6W4N&UGm0pzzU<m
z{gQB+Gv$><BHEPuF9D8yd$;+BNr@btgc(ZI|0>=zv~g3#np``8O!9Ab;<YOhl0?^*
zX6lL(u{KgogDKM?YLl_LQdKoF$Y`E84in1MkghRp3jMBq7UZ`vDf`I4(tlwbIK%7$
zhP^poNtY|!(x{0>$F$~_wdbe}2r?5e$%4#<nJwrU1ay3gEkcr$z-4f4sNbFEwQuA_
zk4m69+GZBcA0<c%FUv&EiI;nZutitH(>jUD>|+}IsKA;4+-0Y7LOue)<lH?LLMq~K
zcvs1~X$b;c^Olz|Qh1U<R2RZa=El}$y~IJrd!9a9^St<tyJjY>Dk&ydi)OmD3cxLx
zn47nr+$MiBj&P_#e(gweSHioblVZh(v*TU+UeE9x!8Nf!c&6zpOaL9B@f@N&G|^c-
z8F<C@S-Kptm>Hs3zOM+j^h_Q#Xdb|cJ#(BU2C)t|qC=7%EGdM1kf)GdP0?^4>6QQp
z_|od<EfAW~cVo~>8W<9M@eZSt*+-l6iU3pL*zH<fYU{YT)nW~?6lss%x{eL^0+Gy-
z``K)qtbO%0k#Kp!K;fB&ugt`!FyC%-C9N7IAs+{3j?WI>oa11Q=DUfL43vgsSUQ}Z
zoT)5Nbc5K-vBnW#x%D8Y2&qp9dIe?i<sX9Ct_$SinAANSyZ@r_7ygXGV4E)$?$mYT
z$f!Fd;jYb&!g7yXBj}@|5LM~^PPrT!%LS<^l!4F~SXoj`r&{H4t<lCpPnmnjwq$Ai
zivj0aF-a#w^@(q7U8W?u>5R|SSEX>U_O}U#N+;9~`Xvhy^^SZ&7FPRfaLMLDv&y!F
zmb!zi*ai-uJ$oUL8L2${iPCVI#_tH(S5@Z3JpjM$3I*z#!P%dW2l99H7lGPJ1z{lZ
z)cd_f*6@}<Q5Ji{ojZ_?g(|O{Z<R`SZUVuu5F2*nLYTn<55sn4tEHU)9YYqbD&g={
zjQm5KoTyIeroW9;sAm`apv({@(3AAk`?{0)EruFj6szA2t~tE!(pjBY?qQ-)YWsBv
zCL57Z=y{MM{YeY+qdHB|`&KwX1DZeT>x*xi!1x|}7k#EVd4t{F#7)RI8paapQ<~<?
zG55PdCTt1z_r6!51oP$4-<hljAjG;jRU0QSeg*V}tEm?kGRJ;gZ0a2^G!o<J%m;Bh
zS4Zs8TJm*t07f}?)faH3(4^Oq1rBGkfEDPsWsQIp$K2{USaLyak;lIEt`-9MRo`$F
zxo)7eQwZ{XP1H)>3h=+l1*WtoyDPhF<|L5BW=@WJo4wWVG6ZYKc2Ga%$=iEYRjP0f
zOF*J{ExpetL@%2g3`Pb<Q(6EDw%DCITAnRR{h?)6wV8Y;Qg%oZM8xx&B*xNnMssqO
z+F{DWB{U#gk7O9HcO<W2#DmlU!y0$(`wH~w7JGE(2s-i4xi7ZT9&USiiWIFcj%w4>
z5C^%N(s~1u_U1#z6|WY4H{TJ7SDXZ?sWn`Wm-fA?76!(Tdi(c|)(g+?M@8;uSfm={
zHFN+0U5OF$rvpW-xc~Ttj+;4iG5Pet#1f81r{_X_vvxc=n&yM~YO3!Dr)nM!mlLXb
zthpuf>q&Kh2}|VwEM>gUB*S7SigTmK4t+<=04q3`1|;W8h$=2T5+a~fPlz?cww#eh
zJ8l{XLl}e<_fmzLZ(npUo?S$VMyee*XPc0CLvuoS?_g`dDom2KtFuq;6?zmTnuldf
zlyPs*qJc2Oszr~f(EVw6wnR1H?Y)~?p}Lcsngpg$%hWI_8z0%1>m%+P=7{vtrYW%e
zo8UlW3w_&sC236&s&<FOJ(-_m|A~IHd{{P#WH|!(;UqOm>M6C_+%Pz-bkP)#QC-R$
z_mtMvr~B}`j(9YJ6sGPCww?`nv1uioenuh-=2P>+#gs_33iOxs%-+i6?jCIMHy<L~
zDK$n|;y{W??ij1LM|V$rxKV)%juNchWo@!96EGczP8mH{*?aIoP(XkkwTb0ALK!3c
zIt<N=+oi#<<6)@8HUl_k91KG1fS0A?tFl;{$8ty=?Oytqb?*s39H%;MXnwP6x9tFx
zi?5ZpQAtzdhLC)`oM}e7Z-_$o!QIr((~K3*tzfU!?8GHQ@$oHIC=>6#6f+}rSFWU)
zDU_k>W=A_)PR^;3LE6l?lyBLT+cTf|tlRcps!_OlUYs=Inpx&ZTZcbQw{r^u8IR<p
zU(<<nZEB<%98eY{H4#3$14((i_Fae<fm!Vo5XEuTtoE`Md6!2b>T@r_fK=g^I|C1g
zs`%cC9ikC@*$T;Czv9>ks;PC~dhk3)?n0`hVAMh~EOuv<5Ze|;XhIK`SfhYmac_%L
zWa$kZgo~Kud`pkgpeTsyj<_%r74bnWsbS^?!rAG}a45<TfE2|{!Be697-~K)cc0g#
z8&VnhjS{6gZ-CD2g;ZGOOGKR7R3uo_C$0?=ocN8L&2wC|^(uf$Vo44KnQR*gHK#nv
zMTEM=B0S!vh)Ab!ZS%c|#uO^*BZ$$H5gOUe^dTUk<_nW`;EkA|@H$hLbK-mE4;r$)
zY|uY7Hx4PBJ(D=RiOkBR;JRfM_O!qN0A*w<yks(Iv8kYiC(9en=uy-|w1b|&ogmWG
zR<xKDUNw9<&@5jqq$$c5W(@r_sFL`bt)+2f?ufqpmelIz>D%q7pw3}w(WJ=f>VF+q
zDs>&bkjxsnjN&WRi$duAr{{nKc(|oW<!}#*9DA*=x;>`AnRcSWi%N0)co-DVnDiB0
zZ*A(r`+o^bhJuqcCsg@Yzue2vVNlasGSHYODS}ymVN(Y`ES9pZb~LrOE+H6{h4?pz
zKxeeCw^uKQt?>{6x2f99+{TNKu#Qf|ILyMu{@ndXh2#&b0<)zU8}zC9tsJ8bBkqAP
zN&Oeu;;kAl0P7UqapznjT(~`Wl4u8<&|mIQq^<oiP^0RsQ>9a>&0xaaBo0S}dJ=cV
z&5Vv#I}=vfibE6>X*;em>sZa4pO)TG?~olh&&*I%yv^m64L`6a#M|-FQd6|SB+RV5
zSC0#iVKFZ*rx*F4_{QY(&sM)r!U3Pfxuyo}@7>ZxQz?rK0F9d@CxK~pS^7@boVnmw
z9i&LquuOlVc2>7k0PuV59Go5t)MP^(JExB(EU-UC&+K?FoWlAgsNna`k(fTV6i4u2
zHK=EgREQ9Y!K)@bM**trzEi@`4B+@dz~dBJ-(l!0H|uSnr0mqtZ8EQsyWy+imRLgR
zRkF5|uIW(zz+|1N6Ja^jx{Y0y2lJ(3HIl>C1K1M@ehA|(I|&yUII5FV$#iXLqCS}m
zZr%Og%1_`1a?u}J*G;>hmOmG;f)GxPS!&t0fyaEkB|bVJDz@f$|ASxl=(e&{`1Kd6
z`WW?ONQ&6ZcYE@zPapy)DAj$q`Z%RpUswDppTh5SBuX(Av6$7?b9kW8><sZoT=rxL
zmigK|G%YW_%fNq(VxsxAcTXlMfO}m&Ih0JuhHpI3z4_Kq0dMJ*RpGCZ+!6o)VY<;2
z<_>3xRm8I{CFDZEj_T*3Uwg*^?y>BKWmddd@2<s%9IFefS5=MZ_iU;m>}CMIMR3LV
zkt8rutEO8mG>j)c=xgN%-tQbgt4&j{_NnU)()PBpqqn9WCbRTSIrXLe%AvnI`>n0_
z40S_T1;Jo2U$2ZPgmw-wWHNJa6gkMB;KQyvY_n<rGrQ;H02XJG95u31?REi$FmT8U
z+o7CiaUdn`df0}vGb7}Vjy3$B;=!_Y)%^*FyCZAe=}NNt#rJnmyihRUX_$};TVq?B
z4_<%<#Ub@Jb*d(*z|R4;xUVg8?8cifZjR1-*mgZGM#s<!y=kE2!QLwaI=fe|wl9wK
za6Tm_87*u&(aM%9j%{f3{g0kPo7t=2s4M@}!G9RwO$^)z4o+T1006nn=9Da&n#)()
znb11z@7HS^R-|pYBa5h}l4*TYV%CLW`Z)nt#SYA-n2py+xJt+-n3uk24}Rq;SRIZh
zq$qJRpoC+MFw*=V$d#Kc0mo&YtNQ|)S{+Mfk*ul%Lqm{LTHYFmgTj99gJKj3<z7N$
zrJ>}(qFL}XQj(Wxj>|Q#U%dyL3}gu2-zkSoz@!ET{UfP;GtD~SnBBtSmyRR@ZCjBU
zKGxGNm>saj#~LDShczX)pxv)tSjyPgCJH#=wOeN?1j<k-S3=){A4oeasLT?sieOy7
z5>i_{!URK*gPgX2Ki)iaO^bb6FpoU%=8e6LpL_Gt%@o?M@40Nr*_x=lL24Mt5o+F?
zm%l5d+Bo4j3&)G2xMYm-3_&CXTBwI(0Jj?mYN8IXcSbt2*>9_Q&e(rw%Rg$6N`4re
zbH6}KkJk^T0Ht#H+AYY;4@kPNb11ela;>ZRb6Rt!*?6@C`^(-hDipY=Ckd7`Q`)u@
z<e6#cetNXi6=$StQ}B~MW4hezupjqPmk+*vTZ-AYWI5YQ_=7_f--tcb679`$n5ve{
z+0)4?Ju?;UacOwOB1@>^PMrS%p%pfir>K!a7@9Q33We$J%R)yu?-c^>y|q4!YjeUj
zOZt!oM#fz|?28!NKKuX;NL@|{Xm*ocbfkwMXJD$k2hM_Pe}x3%7gL6Pct6ZU`l!)H
zNF|M4WL~A){Zp^kTe`R>1#=A|7DJKFN2q>l7V`I1VoQRYeaTklG{~V9SWZ*|!Z|FQ
z{0HrE6)IDP1%vcYBZHV@+fV=7AZuKfAI58?8I%W0%c!JHc*R$ghPvES7c}~UCNR2s
zvZ+rI!UYZCstJ&hR`=s@tg{o}AmZr$<l>!aN%bPT3BomKx+r)n=tx3JTJTYZ1U;6_
zq^Q}>AR}P{Ueed3$eEx3C+_j6jQ-6bZoBAq_cA=f7w14qD4HcvLl3zwaZvTEVpsp;
zVhf2QRE#7A;#K#zf|YCR+42ht>W2Wk0yqd+E8$)9Ryzx#;NnG?wkjtfk}bcnWH}Zm
zQ;O_<k@X92Sbc!rAcITh-XR~};qgJx#gBte$>7Ov&XppVp3(an_$jIkF^L^W;+#mx
zi@{vJ!VV#ohXi`@+C3}Ty>CFJl2AyRHE*l@vjZ!t!#B*xgqxv1V)T;YD~Wlg`of72
zE2v%7w@3=MEjg?#vv6Y3srN@Q+WA}t>i#W$j<H)@p6!73%7P=!WOWh%S4ThrFz<;}
zlY1u(g4f3Bpaj{~pZK=bp@pP%Bt`^Hhp15YQ!?c%Ny`ZY>`4MjYW<0}fJ<g58_GdQ
zwZA1)8HF&9j&x@u1Y|zN0ExV_UAosL*sc%~O_v8w-=@kZIt@$07COm8w_CsW_kCfu
zt8900xK%H|m|3B*+)MS(bB{f<w&@+|__;JrND*Z~cS5b7yM9$&;_p%(Z5#oy6PsoN
zI620+BI8|vTNUEs?P=Ce=b)zQoV4RQ6R+i2v}Oly!R{%u&l=SV79Lm%B)DKndyku(
z7wf+_hBO>l0ZyS1;tC0uH|$q%Yc{ti-el~Eg_-~W0(||PiX4W8;qo9O4a*Xq7S|wo
z;~uxC&U4)($p9wMKPF`JDMMG}X6JY8jL=uwU4OXm%nt6g3KNSGPI&t{)n+x771uWh
zH6$bjEz;zFcWE(5i_6jkHKBNyo>yjB2Yt!f0RE>F4n;9N9=(z-cA;AqP*vQ(Tv#vb
z7%tWX10qdajZV&#1`-%DC#r7skcX<tR^&x*o*8VLO1c4k+{2X(Fo8Z!lQ=^qNI6JM
zkM*GMGy=qS*d@A<bnpzQzZxXOXhB6v><51P2MoYBk1oS-G;M;v^i^`U-2AFX3hG}$
zf##d$Q$1PeOna3IV`+1Vv$D;Sl>kmT#hVzSgs|47Q2jXWI!q)C{$KOhlS4Q@dinV`
zZ+=hBt`OU!RS5OM90V|<4&;)#-z`u;0yTlk$#0Du`&q@QA=TGjC%$u2|DJ|m_TrT)
z&X?gJs_NR;u6@mG@g_FT)cdI-`VXbj2rydud3HF2&%c~b7}f}KT1;AcXGGRe!caQX
zWHgBi`{+#}a5YO)W|<5_!E;2XjSJD{a#k6w!>kreVXna1+7fhP;1h1+{P6t~7-ZuH
z(st=-ATsUyt=AKOn2LDw@zw!|qJ7%qzE1_J@f0B38sU78sDvr(HwYi`Il-Rk!CA=j
zs%=PWFf)1hhv@&oUeGa<-|}1<=V=BBS}gDde9Z<Fpb?1B@ck2&ND9*K4_1Z|2NRa7
z<xP8a;qi{)Zme_h`kKLdSC$ZO{HX<Xm~>kML1h^9-05}IR<RaRqiwB{D)rt{DJx9!
zVl^YdUDE@0x0_~F#e2+V*6~0ESIi#iVC6FC#c~}f7<mH%HR&RvbzpIKc%TXhWGPu?
z*cH2-z_@*5KL1b52P>>O%b5??5p<Wa*C4}2X(QB7f6L2j*}ckh5iJqamlD3ZjxF)t
z;felw^6#sMoD$U;pRnT9fmi|eB5>b{qk<CZGTgR$>c;JnAMw(C&-t5~-hFdIsl!Im
zc|KU%Wr{x59fB_s^`A9n%AETj1Sk~x*?(MacOlTcZ+Map=+CS=xK05{<V^CzWu!-7
z000vGU;u`h?Qun}V8HVfkDFZEcp{fuRWO%Z&)7y^TY`8vFD>@0D~+?xC}*0ydZun0
zAxZNPXr=8bX;(fc&YQw#UKb-HPZR@&RXQ+f1vJj1knPkUgu~abh)D2NM)Z7)XJW3J
z;(CE;mp$*wj91pt&E2{MQC$7!(onTAbk0fPbj|E1ArXy1H2jI{`PQmCZ?L-1gO^rJ
z*{xO4t%ayp>|KqzhTNjclp4E_=VHDVo;^RH4a9J-W$CEU0in2w!~i{pO~yL3zy$eH
zJP>j8-P<42Pxw9p9>YLPL1+aCt@7G>W|KG?A<BFIjHwN5^IxYv`YoEmwD607SI|O&
z-s!Moc2*bzox7eKBWj6&4?PzsxJv#_MX}_sSBWvAL+wCeyg1~L&|Z__Aum2hrEam^
z<!EaImkCiFm~PK24gXB*fJZW6KEs=qW06hLx5E!IzqU?{EdY2xhrbL3%Ep%hRn$!&
zlyLC?ow-~zPd&?}3_NhcPJ;hxN#Fs%kjfSvN=ZH76%Y+I7O`u@T+iwE!aD6REI(XJ
z(C0;1o(N?2+G{Kk=y;4P*7!_NHEBLxzVrnR64B2i@KujAVRfWTU+AUIrLCQg{TjAS
zQuzoUWw(EmPsK37U%bffK9!2b(eqXCE{5=gJ%T^vPlAoBgl5%B@fU9o(>?akuiTXx
zQRQQ}7o5lE%af;RPR+ojRu$9hFKlY`&aoezk%Bv;7WiJO!!+9==8YfxvI(N9J)$DQ
z8++M+c<+G1tZ#MmSRVt;oj$fxEu9mxw95rRv)clI{2@gD`aO3pSGluc0bSkEPw$e=
z)=Do*m-_cCknt(`bDZQeS-3B4>oNYKtU%vmc~I@1TXLXOYAGCL|9!N6kyV-^@B-o^
z3t@eoN8Ig`CNQhDyzUHAi*|<_Bd-=t-a_SCz2LI3njD5Sj<igFLW>PTX;n^~7C2Ee
zx@^V+<&kO%64q+f+(ZM49;a1L2%O+nw09~XUgG&3MX$NM&;&FEaAe#wJd=4?6pwS_
zW%ly|wZFvfA~!>Y2VEklv^F}IMDzQz?U$E>QEFmVq0mK-GO>{%9p85G7wd^>9;{)d
zTM@wpq@w6)ouVH~A;vb2?L4g8!B0)vHNZh!xB%lH16M;GS65m}mjJ*30q@s7fN-Ws
zB_y3`uFQwh+tOzPY<=7$fHz={MRqSEzRlTnVA1nlW%U<tTN<$5#ss4JOF{9ct+sK5
ztjo2Pce1H}?<E}!qam2@Z?C5!kh(L7j<<qA5p`DGaWNJVXwy(>)ZII!lJtH&`asX(
z!kAu}PV;0?hrwpDa3(0Mt(~bCd_G)Ix~l0rdI5cXjMH^!N7%1+d&_Jm5GH%o-Dzld
z&c-t01);?`UTn?~YO5OnhB|*=Z=^BJs-(I$h(SG0?dEEFsgLN%_pN-2z^vJZ=pu9#
zB)FWbVBaTx<)b+{>qqG6BA;^P4u`PW@}Kdim(b#XovvSU4lMgVG9~XRP4xx(hj8Q!
z;QII+F6WyL5LeHQ+vcW&USwWmOKpmQ{Dj>!j?tuHwTVtW>o4FS58E>;k}Wf-CPuNE
z=X7@T8ojL{+giT^g{=C%K<1rti8Xq88WTJwtufX(l|5F_eb*a{53??lP<U4AcC00R
zLeplhbG!gDF@A`O>OF{*!6^f*pt%tz7V0xi{sWN@T$mPr5gCu9xn;6-?OI)2|9&f+
zKza@+o0;izu^-JIPj={@HkemWs`;hVS#4y`X7vxG;@0BDcVKi1h^CNs5RCO=HrINT
zCE2Q<oy$TE6OgIukisTQk8k1<f#J6=x;DD<1VO^EB+@h7ps73Tgu5jiYR2JVadyK?
zxi1wIy?zW8&u_TD(!JVtbxVq6arPaKn)yhpB0m5<9W;oueP${Sk$>o{qVyEr{O0*r
z)!nDEc0a`66II?GR-NVC-ch?9GylI03flbuFB&J60MBFb*EL^b_8JpL7Ye?<26=tg
z%QrWOK*`khp2_W_0H0PB{8UW_)3bmZNyrwA{JXz_LP}Y<;><#@VTDaDZ>44mGpzId
zV^WIDtHSi&=}s2H_n}a`b+}nA7ZP$-s%im`ftkRN0000%YG(D+n5-?B<Tf*ykgTdn
zB%3eQ(djLp-8N2!&O)|+_!)!|N8X$Wj073F{S=I0WEj#UUyDb}iYC(-l?#^$C5>h9
zXEBhPXmd6$_*)8vb)}#}q!~W~*OQ)RM0@|l=Nn{gR+W#~I<)F_kky6RrUA!LfQDoV
zYcC|y#HpO+>w{#Su0$@_|Mmm?#S3((QKkYm26^Fy#6!C*cTid>iR>-w)O0L}VcpH&
zYaO0_^5FDrza*$1N2FQzw!C+O<I~*|nbK*jx21kD*k`#KtBTWh3WDD<KLjg`)19nN
zEU~tcz==ZuCPmI*&S=4KctrX>Po=ThyK!lBWyB06cckLv>;xs0BQuETGlXN6dd*p4
zmR$t<7qxSh0JwvQ`*+QG?}a8bH|jX%PARk1n|)?g;_#|W$E@nYEiUP;4K^t%R@hF9
zNAo<|KT(xMS>b?|C&}`()Sqt5Bf=`rlp8aqK`zO{rtW-1N;E)B0otbw%}PGj9l&DB
z+xI@`$aVrUXj_97Xb;XeRFRKhU98el6>2F3l3P!g@%Q$2F)k<cr`SlcpkOFPcwHqj
zAgj(huQ3H=fR95TdQiBg8wdq+XL|Nj7%q;WtNm)qU`p=s>MWz43_IV6Q_2=4g+6Jy
zC`0=Cjd0n$Ai>pI_~_yCuVe3#d68yN^9Z1RqaF5C!6PCw?h^m$BJ`;qeOywp+9Mjr
zU)(wc&Qe!<okUN@cN(kqr1yCJv@^w=nALU<c;*1P<vQp3fbBC=(ztNW%>!wqb>vr7
zYO$^4g1r58GCCob5`&!xw)A@pU=3~m`l$PuwV(P|{np(mHhH*(z05R7kY29sGK&(_
zRDr^Qwr$^PA#sbQ1&CI0Pw*z#2?-@Wm1~-Q`&+Zu_mLCOtzCxVwXsoi<#5oQ_kylb
zxyw9tVPox@igAK6UmqQ|nV~jQk8ZQx!LHo~V;rA@n5S*m8&)HmiyvvP<(}it&5UMf
zQCjQ|Lki7C65%F)wpi1uzJ}xi8sJxVm3Z6Iye9h0Y>cxYr7}c9<;&`Vc~tj&d1Dgk
zSD?zTGCwS>A&dcR77YU4JotT~w+QIpViBS#_s{txn7JF|`=Vs9Ccd8y?`zj`=Ys=&
z8Rk9@*&UoWyy(TMU`?@<Dg2*hko>n5O4HZ?00ZQi-9;9CSWu93zA||$t&{OH8pXV4
z7mandAO4S5^@4}8ZmWm#bW(YUBSAOXmT5>W0GYuZd_TJY#0=(a;2CGEDzb|D{s|ir
zUqyP=B`Fo909`!)DCOz<*OJ@^Q?Qk)H7D=0^FTp6`65&4yb2)OWiKJ&?WyNuM$Y|*
zDWGaa`@CS>wutKHU5(5$d}l0G14}gLamI>WRcbI7f5K8S2fj8nXk1#;A1vzon+i29
zDTS`$D5#VJv8nH#As(Mkcw!TI_zeRbZD4=3BWBgU%itdJD7C}Qz_FRidfq}O(70c~
zeQUqeKO08rs@Mh8&wMjzI@dO`v_HZkdit;`wL%%6Ltj@U)nM%1${vs=1j@fCVfhP`
zYCW9Cn1t2qBzG)^KVc!;E85YdCna?NdkMMR9!CGX-7=`w5kRxgP3T<XEAdFybno(S
zEstzqX*YE!NwA<J+p%n?cWcQn5>(beb!9@XSyA8JV4Fb^U(&R51AzJ;shH}h<RG_r
z_A?9+lo@eC-JGeN`~3{S0d<O{?u#hdS8K(;w8PU?vvH6!?bqbdQv|Nhkm}dju{r{>
zxIY08AZNU!3+qBMRcFXj4Mt_0G-1P+DQkK>G?}}hLw@`J+;zlAk!C_g7!!8&+RS{a
zAN*!p5iQ_L#@JBmGNg0yE4BKq1B*shUYCGJxaB{_pA0+wO{+8j82!;=zWCMmd)Dlg
zj>i2g9y*4N?+m8AJe@}RNdN1?3^;~MERjfx<Fe-c_Si!Afsk_w8gTz1qtOqOkF=~F
zDy13L>S1um6qZFLzb1D{w0c>Ho8aPNxK#0CEC0-C2y_Z#EcSGTT;h-t2;CJ9o~&QL
z7SFiw9OW?rKUL%Tk>2NL&Y{3>W)lx(h1ByQsoJMmUW9B`D+qqd_;|ct*M~p--?eHo
ztRxAaKFo!MW0Gqf{{zV*3@lm-OsZhzLiaRO(o5&_e+p5;7A7xIOP&c7msq5C>Y$#K
zd~7~{ce*e&!nN4W|J+Fdcg8d&0lHoaSJzAsLO+*-TzrnL<?08#Fi{a#V*^RLh3E=<
zzC(vV#c)WT%psx2B9IXCOB>``UEQivu3tC@eQ^@Z_i!4J000B_JlK2VT5Vbe6+No=
zI25vINqizZ!G5>7kI9liKoMtm*PG(REra*kS9MmY!M@?J=TYNFpkV-_EUOicH(I6;
zSUVXypT;ebGBfoBXj;ua0!Q@rj^=6VQ5Z9K*D&u^@`eX3BT8PJdqIG3vMs1zek)$E
z98~oBuo`>(MththwYFud`6=!9s7pWr9|g^Wkp`GHmfa(u^M6qnSgoII0L?<5v5LP<
z)@n@_H7*MyNl+JtrIkb!(ObOd#(a8vErRzcw1v^+fhw0s@n<qD_@__{z1|@5wxoY8
zUXIU{!iHI03peMi4if)3H~{K0#JpGD=Opx3ZoMm2dk@^k%v-xQ1NE^L1={zGn+3;<
zQrTF23&Lik@^F3mCPDBx-%qW!BttD42l)918aa{%i%EKPx!P<NxjE4EtJS)8xxpKB
z@`%q~<7M8moYGDTBQ=qzBa$g=eMXURP83loH(vS|t|Ik<5;o%h&ZxS&AmrDe%-JF=
zjh{pz`gss6YklLT*N2;G7cFeqP!YM8|7D_1aNxF@2*A5>F!<_GHxt8^pCZkOE^#Pe
z4W8B#{B^_3-X*^xA0`p&-4}~O-eSBWtsExpRCBI!<cNigm3%gwF~s;<IvSGd`<GHN
zFbDCB@|qA^!4Pq`zv~@MAh$Q%1$gvQ)|DUMLvPj#DSLDlOsuTP;C|h0wGLJ}%ovts
zW-)UjbVkw@9b&7nL9W`<2J*_7OfoW7Bh(Xb&{k9#CaH1ITI*g=_gP-T092(<cnIs<
zLY(_#y~c)2Y3Bavr4Hz6*#4nWDLhl}A|biG-Wv^NWM3|%2oC6Fk7>miP)9FrD}(DV
z0u*tMp@!wmecRt4vBTOnC7($}EIaIgsfx9IG81;|l_9m9|3?mP^uxyNQ2~5tu4y=d
z!%0cyY*@-|2j8_r?Kcg;j%RaXX7kJ^VT<d&RxWq={OFTP$dFDv0008e`8$cPKCh(4
z&(MFW`cydGf7>ykPZPNVLas1%_!_g^D<n6^^$Frg2E&ZGIAG{DJwC77Lk+24Dnggz
z<@om?`_ri?L8vxYOZG7#_nN8PoQdT@q}i|_Gc}ZQa|~Q6#t4#`PgexflQxpPc5vUb
zU}5vYtilncUYFk}NNadtmOwax7`y?K-)%erw!3^67;ubuXUH{XFJ3yd_P=6a1=^|C
z+=Sfc->MJ2H<M~~s2>Nxk8cS)r#Sg<wzo^mmALdF!&V%}LiIa0Au>qnnSbP{W{o3e
zD9kPa7piMCRP}7yhwV%;mT|9TGAk>BM7Xe3_f0M|E~=<StZ0(#kobbad=2oN+}fTm
zprW->j44Z3h<x75+e^~#e1mB$*7Jr_NXVr;Q}~ZLd{FRaqNEebLE#eU6vAL#b8yFg
z7L6bOsoq2fNXFjhFN<h;iPJ?$_JKW%b;bYFGWA#_(aBgO2%wSTjF*g!(>w@_%!mP>
z6y6F`sd8ftrU-R@m+d}2{imBWjf|GPf#*lc>uH5brt((6sO4oT^^Z&q<{z|uJTgr@
zHQck@!WK0Ow@tRB?0|aw@12;M4c2_eMP$hgk3bd|6ZuDSpL9wYWZ7?~RhvWJ3z^Df
zj=;mZR}Tg7boUp&3t@Wwc({MCqT}(wH1PQnnCJCS(GZ-AK{UZ?@U&$L`l(=IlzfNY
zOrs9qN-sr)4<=ow@+31stPhAZq;oV9x2fkLN)p}xsZuQo_=&|7#~)NOd~UQ<nXe7i
zU+7iEaSAVLSUbz{Z6kNzyA!1758yazx2(MiEpw(r7SR#b*+sy>L7GuP&l-EPoqnWC
zCo6`Alt`-DlA_tNigfx3#7cO@iRc=_0E(448+Z<3Uadd|a+Q*>P<wvsb=H>`TG6zU
znjH8;3=@^j!=!<|I%?F5o^ts3smFbHRA9f<C7*M%LCmG|Ym%lS^95y?a|$)=aHGC|
zL!Y)SNDnt|q;+huK)-aKqJl1t(`N=7o^%QbMMA)ds{v-o00004cNuB$Pl~~A$Q2|C
z0}WaA0xYMifhWG|SIwG<h9&T27nPHm;y(0~whLO99_VaaF{|hr-4CbTL*4)VAt-o%
zQBwQO#<qKpqJs;rts8kXNqG8gv%C3Rfe^LtE)rxwMjMtB3*TVDcO&Rvm8<kIA?9+)
zHGh{L(CoRr$e!mCKz|49&wAc!$>B`afCiELd{uLwn<#ylQ&U8cGcX!H4(6B<k1hR_
zh~DL?t(z+47+F>YbO;Cn#c{@T=N#Bnm8k|=++8F@&C`3Th{R$&frZ?`gTV+(hCN|c
zm6_LmP+^mC$_3a-{hP#W746P06^&+F67`P`U2{OeA7h7pv#s-nJ3^%c><fTatX*B|
zgu!>&_3lAY`0Uh%lX;CH_)a-X;eLskLvSGL{NWu^7)0!p>-x?0H)LIFc6i{4B-)lG
zSa4M`tyx}>FTJ3z4Doz_r=8h)j4%c@%vSnFAQC|Plxx95m~*R<9P)+tj#axQ2!Kd^
zOY{)R?M88w3v^n=uf_*d*m1~Wby~BdN^9?FjJRO}ipmlncyEj0fAjTMW(rJ^IOfA*
z_OE;5LNxb)Ygz&555s3Ce5JMj%bdi6`!NPKP2zmSxQHox(k?&&dY{A`vB;u8`52!}
z7__Boz=YzBOFr-yYF94z^YMDX%{v^!Bga-)RVgnQw!(-Bu^5iw@JOXk(&<|gwABCn
zP^IqY>Uor6Jkr7Y>6uMf;Iv#U?FMYxqTUBJw^Hmrd(maf2L5-+!EgV_gZZHgL70sx
z14B(2Z?1xInG~@>TjU*_BxC6{W#_&I_w5jAJa$%w!g-)4o#Q5&DQVif@PAx$Nj<{k
zgi8H>=f*(^A?ng|q}sdqKQTvP*}rqPYAR7Ts}>lsCmuMkO4|w}ODg#Ma7{%s7>`?P
zOS(8xr<)k=n6u;te_F%?pa#%)W$6uyaT9pYnUvL{2-_C9zqL1u&uC%a5lvQ!gYiZt
zcQ}G|mfas54nQxDcu2xh;_Q;ua|bxI>kKcwk6Xp6>W!Qopj^0y!cG7H0OMs^<^b{=
zK4=DAFij9M0RC&698V-*S(RNGRE3wU_>`UvYNzzu8I)R??p%c^DzYD#U=rOQoIr1p
z6jQ<zLSRch<bp_z^cA1_93;+oB4ZogF#Q|0+dUY*$8IMR<kggHI{b|q5dagb*l?Bo
zKHK2%LTsO{hs#vU0{sbFRL`&{HTC`eD=XA1_ZJapP2%%Duz?z5#~4?Zc<jS2W_Y02
zoegj2o*18?-QuS{qc-D?XkDqu=3l5NW5_!WJ<#UQWH9Vtu*KfMq(dbtu$liQ432v!
z;z|&^dWH1@RQ|ozn$+~1?z8yOA}(3de|%5R<O{?Z0q1chz=#Q-XHMQXWi;S+QDP6U
zqf9Nn_o1+$5B<IUpK+#O<~b6J#b%r9y}pIA8{}v~Hzd`^*$!ztl=ABP3pf<04?6n2
zjKt`L_c0a@NJ>5oHK-&`t8KeFN=2SCqh4nAWp>u43KFIwCbo%4H)y@W$z)CU8rOp4
zBK`NZ@RA)L&>7>3rWzp4tob_B3N81JP#VpP!b|^F*NmnNkP`v8VT_tt;JN&`&RO9_
zC83Ao>3s<WATVj!<kPC6S?RLXCFge_I=67|EQy-r^xjMip#=`43K3Cr>9<BK{wo89
z2y&!1Lsge+wUyBz2bHGszF^k6B&xa)zxS_E!-<y<9JkJC>JCMW5Uea<x21&`;|Vb*
z?=Dgh!+O?aXe!fb*zP_=@Kjt89p0~3pZ8bvnoS!)y)A&8FOvSHMPZ3`4J>p)0}^xU
zj-G62Xn?AW31d#p6GZ^hYP#ZoAjVihthRgDAnw0{Q8FTy_NjKSZ&oLb>uOHO12Q+~
z;<X#1%&oqFw%4YWgIQ~albi$;hp5n&Td=Ng6f4j?-6%KoIFns~CbCP3RsuskN*4t$
zKiUnM2&02^wra?4lJk@zD>lVzUQ=z=lDBL-O>84|l|)I|a`8Z=DS^f$=dl{RjM~6u
zu-}<*g^|qJ9ev@YBF05M6u)$y9*;x$Z{6ix#K=LCqg=e{EQB}nVbasDzQtqn%k{I#
z$4|yUf2j;F+(YJ7KTo<JwdTbOY^(@D+1<Yl#@09mY6V5jfy)S((i{JIV8@UP>@5s#
zk58da+jY6poAZC<OBC<J7;Q8wWk3J`C!X(GWV9un5C>%4gD^qs&YQ4sHGL7=>~0X3
z5jAvQka)5;?$#{k>QT)b&rTF0`zbVrXAgXXFN728b_6%2)y{MAY3BHmv!PQ9dtq3O
zUO8p?bPwMfo}2kpwA5M&#1Dpj0fBp^fghgcLo2Jz2dk_Ng9_sIu@pgGxAMVL)tcV`
z#|m<H9<%SdndNipoWYA3Tk6b%36#uib5-LDAkN_-Bbx4@HDA?A0}qdm9llNmH!i*&
z#zST$G@H~1X%G8RC1^|q5!-;{{PqE5#j^|$vb8gOCi)&lDcs2t5ztDM$xgZwPy+~Z
zMAIpso)>T_tzkFB$UO1zeA%c(ieIE#|5_Hyop@kPGb>huBe~(qm-%sHGuRK94E6vC
z81>*FNxwUE`qLeLSS6uCbstGswXsBmCR;&y8SLl@sAq`r4zDs@8mRE2?tG4i!0PTA
zy-Zq^3@%#Y>$Vh+AE_Mn{f&j_ZDc+=NUzFg(0Uln^K_<f8q^OKI1)IVyW}xo;WdSI
zO&q?m!`2%*7ey{r`mvUo92)rLmh9%FrQAS&ha87mZPxvS+edw+0k@jhdbB`s=0JxM
zJ@}Zy9&9XTb);u^FhT=%M)(IkA<gMl+5y@)nfao8+BF*7OZwPTVd)zb-FL@@>N4Oj
z`~p?Q=zck=wvA3|<=)+>9A6b9(HPSAsREpFn;M%POfx6aUhgH-9GH5`y=cqI$)2Zu
zJYBlNqw>}!T2(s`Z1UQIt+t|X#x%xC=)^d3V!BAT%AQ#Ba31?J2TBI=>Wi^^lOyuu
z(!OxfbD782O_&n8Mcv(<{a3CA#{D9teLsYY8r$oR1+$br-`9`Fp3!6-5<RhOPK%7w
zopkSn_a6!N5vYO7qMh)b<Ka61k>)N+thrgK)hcU1W_!U_>rF9nM^1X>cbw7`hweJF
zcl?W-z!#V@ifrw(wZHXip@s2-ieZl6zVjJ?f9UGFiV+dV(+5HyOeuRz<Q{2lJ8z2b
zyA2K9UMp}@iE!wNp)ngR%MgG70Op*|b13QTQHN>2NKVeF_Nez6;!G+p+>@v3dvB_H
zO3XDcMApA?X-f(7ZmOZ1)08B6*s7w1jKpsg&#nw=(b_`()ks)40>RgBg;g&mqkkeA
zry4`rr?AP#dI+B^EAQeax<Z3Rx*SvadF|;=lVbRX3n{Q>r5huz460{Dh>{XsTl%w*
z%FhYq?=O|?8Z~7UEAXo=>-fX&T+#HiQd^hgR&f&~=DL)>N7uj;$N@*@bd2Wun<BYH
z<Ob+YHq#`1tXS<&#55x=-@=y^ce+oV=N)8uJk#dH_f2cqoX7<2ey@{aHoQa`*7O#K
z@Fwxlhmv&tl^zt=EYH440WLJ<b+$yE^mCSl@I+zq--S>|RVA;+_xD)hWn88d_})El
zMMX=O5OqnHkbD1bUGSoMf6LTmhxdx$5Q9pDlG1ZENDDUips^o#mNu6-xeF>ED-Q*j
zxyl&qF$UY+2dr6yF;d9dd4-dy;_4~kU0>T_k%wH|Fe(lT8x)R5;2A#6A^uSUdn2f~
zkFUv|>8nX<r}Br`->(v<0Al}8&}1h8zOa6kRvmCD)Iu#$nfx0%5h_$0S*X(ps=JTm
zNC5TF1Z#g7)*fXelae-=jRcwEOld&KT7`qqO?74<DO%CN)T!nWto(kF_u)VQ090s?
zdhIc<yQ=_ZI`@7Sv4JZs9F$(q)5(?r_3o#vE>Oteq-ZD)Me>y8hCvR<ybBzWmwH;a
zZ=aOaYRooz9-?}8oR{9Gb6TzAlnYUu5EpA8JlY~p%y_V;I&D&md37*ndkZhDJkb5v
z)L<D{o;vM{`UlbF*-69wV3(QA`PDfKPd_yZ0|--9p-`ggHF1)YPr<?<iV>Rns-lty
zEU=WgbKn2~SA88K5d&QLtV-~2?H^c%mC5TYCOeky+Cbd!HU@vq{XlJ-D15Wudt<=-
z1g9qA{>HL0rzxdtus?%6s^e8#`9r|f<HrNK|M}k?tH}<lveidz#Es%zsiy7ZXH%p?
zJp|BO{(pJ8iPFBU?M!r#lPBM;(?N|?uPmO(P-w!y6)d#R+JG*0AK(kRXnO$jWA+N3
zmgEx+e`z}{$P<$PzDupmcm#EJ5q?3LLsr4W4w%B5@I;7Ru2*_1wxXz`UuB*ES01A$
zPsC(Io~)PnQLW;MX6>V-R<&g>`3dlYzw#5rvGpm|1qT-Cf&6%5y)?iE@9H*#2#$+=
zLUiNM1t3hGZcZGFedW3^4*;!?wMJX{4#3kfi^YpfPYnpH59dtIM|kF-7c+<7C{lEN
z$0iC)$XH=&TMl~cgH+YU8^K$ByVbOY@inS}j0ni&)pDR0M{G9&?0-=Mk4aPVOR&+k
zP?5Szq$)(wF$9WBff}HHhL*P~f&vDO{lkMovtwaqsCo)jEl?CMy%&1<rig$KNVV$z
zNc{gvZmdWF%&{jfc%mhn!i(IaU54$F+#8L-Fm9k>V0v&a;5|Dh+Spp2vV5B0{{7;e
zbkHxHaH{{0dlXD6>Zl>=&vw7ED<`h`uIN_V0rkFJBh8ExP>*f;AXUS}(2)u-TbH{@
zNH3!g5P`o>DBuWQKqu3fs5P<{Na*?%rgEELmSrJ+S&P7`#!2%A>df(2CI>-zKXBZI
zG=u;E0vcx7I`+(*GrG@=iXfc9-|%Z74mq6vix!b9xkOKScd$fnI_jw{xBn|qimL8a
zv8J#j<U<&k8&KzUh@`__9WY1Gqo#U-ZW-vaFLc$Hd}fEP{&qT&u3sd82+kwjY447E
z>xg*?!Ara)iM252F@kf;XIzmHmIz87)dQf$j-m!|wk+dZvCLRJOl#15tsovgT`(lC
zfXehXZ=!Kc-ZP(kSLv^pl$Af1*QO~8<noI%ybtYV0itD$6Sn1`hL+5t&l%SeYArMr
zR)m@w{AxbJ(&L61ct`G6lDqncKx=rV)lLZ?S)9=`R}IG-Vh|QbR%jz~Om~RKlLkJA
zoSymWn2g!?*xfmSVv+iGT+=!?=7Bx+mkF@^ao91P_x^6N0ynCX?hMt<e3u^J^DF7=
z{ELGit$=~kFWx$SO~*g+&-R`?gmx`G$A}fi&;Q)Jih<iVh_^~O7IWK$8HP1@nb#&5
zn0UNjw3T;z!O1NFdmC^C=deg{pCuT8^uJiK+CLdGyeo(=d$!v$FgxL&DVW~c3?zS|
zo*FU|$(?rBF6X$GJ!`dcj2$55(}aHWRFbdbt?LIg5g>s>Sa3sam40N2QThGTJxKS&
z02p5XawCtly0iW}Ja<!by}(QwMCfDfp^zDeE_gdARYBGO>(p{L!F9i+ScG5io=K)z
z2^%ViNwXfZER8v2wK)=iiZaKZ1BLfJVAAJ_*$U1>_<SR|lJ9@;g4ML{Vxi%6`N{Uq
zUQv!!>uoW!BhZeNk%c995?3I&cO0f&V7O^9)VS4;G8Cv%N3VT4u58trNOH8N+B&(^
z;x+&wumx_{pBuWDp=(X8scDu*?qS$RG9MmW-45y3!zVcosQ#uOKmY&|02wm7ty=mb
zLYC6V#d!s!O6F#<^n({sJ{0TV+&~FU{VNmZ|IwIuwo7lCAm3&85UAUm<e9mP3Dlqt
zC+WRvf}9k<fXPu{m~tT&WhNNM6X%0wXwYJ`qs57ZWo>eB)t1l?{$eD7ruct2R8Ot}
z={qE;m>8iQF~uIY1k-}q4Oywogm|~^u|}{%#>lLmVS{WG$-jzcI%bMH9$1$N_AC3j
ze8u>q_dTjijN(=gbez)zc5PSG#5qaH6I@h{6U~Xl*!Is!H=epDlpNn+WI)K1SMJx}
zU2b81qQ%FA|Ky?RF%Ybtb_r-NI6>hi>k0@)l8?MfL&*xy9s*pmV@CF|iOv_#PvNbw
z{P5%Qk$30d*{Q0B8Zqdim-f*r!bSAhx2=Hil8M2mwI^(b^KK~%fau>s0bjk<5Gx-<
z;@(iN-Kc5HeV9B>f#^Zl5a<q21SM{#Rr0MB)exWbbTv)dA)4O|Z6|3f_$HJ#kNT!U
z#mZ678mfpTd$@%x6VG?|717InZpEiSa#w`>!#y(+<@ZP8Og^StgJgkWOt-`=mkdj&
zYX1!Lv`6FnJ!GzjFuDuinJd7B2#r2|FwL<r%kT>uKAQ;tf=uWhkGWqCZxP=z{N4dq
z)Z03t<22Gol|xb~rj*0KTyjQjd;^2Xc?6rt^^amaRAdKJ-2|3AEa|!U&U_dQUrJ)#
zopcKOmqfQBFjd#=ZK7@5Gwx(ZM`{Weg{Os&5GUNlL$`uFkIv&<82rN7d0RIRWB|fw
z>YS~nTjSOWtj@IZf-F)pl^NJqjX(eZ4|-X$qP_$WHzP$c?pcFU%iNF(gV0+q4T<Qn
zCEvD~(9(}Mo<_l|1AA8X07?mB_m|dr)%_P%k(kXRd1)o9J7@t&Op^)uGV7(5YF|dL
z^E2vykn>y;e7hwL0CWWmASajEg5t)471hH_>c6^VXycq~i{Amo;KIN+R`#*}KDlB@
zHax@hR_YVX$21?fg;E8p&Z?LmIJxf&sNh`7(XXXSV2G#*m+bVh=O0|e(Kg;Cq9t_k
z8Jx;qEe%-Jauf!Vq$$(!TvHd|wC1H?&p}c)N4%JGm3-}>mUT=T7-Kq!n!Mb~5=W|<
zf7>e7im|EV?&3B|fSVoy3t^i9!1LJOp>AH?%eEEnJA667nZqmZ*p1;H*MAZ7&LF39
z%-*hup;hGPZCm3J_tguEd&Z-8hV$5h{}+}s__G!9eQ2Y5s2iPLIK@oVK6nJlsq}~!
zSX{Kmmv`mJO?ZHpH_z=oMnX`uS2~ak7$$;nI%ZviP8`rd(ls}PW;{h86#jwg4QG@c
z0;>R6%Ey>eo#dP6bG@x{%OY=6P(j(|@0`C#MKMtYl*`R(8lzI51lTb04&*J{Uz-m(
zEEwu?IvYgX2DUGz)5L`J&q0knIt&gZBrV<n*UvdIH9SY##&(Lug{`FjA|dJWFQPaS
zWB7B5VQaQ3=+O1+;u4t{fmvdL_M2jQ!>wG^w%LVJ+bCL4%EK!9WKM`*<Qb`6Os5kd
zLX{}^w)!&3s^evsS3f<;0n^6_Zy}1(&2u7lcra_b20d>5y};6I^_zfT#={~38%)5>
zfXe!?CA~L}&Szmle@6QxoPXPJKHawm&pdH7sle*WA&5{Uca>Y{x_>8pTG1_p1KXh!
zy_n6UYyP3sHqO5m?Jovv9@c{MDLO3E_0nzwKP1;|W9XjVBKCJ4mzY;PfPBebX8$ZC
zfjiWZ%H+$`H%HXnsJTNoN*sawHn$5~eqkqTr~m*Y3R1XIOtN`&39}G}rzKa^X@X=7
z!PIjiYkJRFbg=4|xrLMtE09XEsIp@7=RrQf2_IFd*-X;oD^=HdH!Azg(H>I6lnk56
z$8yX$+%fy|{4V<Y!ZEDW@i*wY0^eGJ|1E%-)|VaAFqRYEmJ+iS)I3yTs%X8iE}&Wo
zD-|Uj<1@76>~;ij@g(=EoE^<ojz9bCXI=Z49JY``{g|^iWwt7`5oJhj6)zgl5+Op)
zd$WZ4MjgYEWUOrug^{f0`~SEr<>5Qh3$tZ};?+NdB$nWeLDyJ={S$`fvG4q2**f3F
z$@O2bVhCoCH9O$LA52sfO@_q272A&w;fbv(s&iuGOa}80BhndM-KZ#hLCDyf0yK--
zL;>%r4h;>imFle4@XgKW+qPZKuX{PEdA!ARP=ZC0<wkg3ATGOW6LhCd3TzXq_#DXt
zl%)Ew_4U#p1>{`Uc7!n|Rqsf4j~;PgRN=R;)wurh*#hrh5flWaE4@;aU^4slJx4jR
zv6oLx1M3F#oLoG23A-<w?YI!Vzd8*Q6)1R8seJauo#wmFJRbBlw6-zN59T6=eZg_!
z85`t1X5ue(ZRolhsaSUW_d?9B((5B8V(GOUv7bC=t&_xOSvHGzY5+3Di<iU<SorR)
z5>}FlFd`U}C-scP_0RH0w)w%4D!|uq#bJ4&c*ojEQpej55!3IIM5tlL5Pb~K3m7KN
z8@xXTAlI2orIJ~g=(lO4*`5giax-V;x+fN+cXZ472w8`>yKLTBZ#mV^2h_RZ>W6cz
z=$y>Iiy=pMjf5a48ld-gFHk~PC>qgl!Pd$Ou~dm#@vqtlmxK*!S%Ma}+BI@0O-_IP
zMI|hZomc~X>F?ek%I(j?-=KmO17Acr9Ue(n<cJ06K@Uxt0S%M#!lYQuR!~%!$$>5>
z4@nghs|S97UB+XN_q154)d%~90t!|+#Cke%XR)V2`07%nuQ3&V#(rw9ohY4*=vbrF
z1P9<Fg^hF5lxpH-@1cm?r?6n|c4PJ8C}i4u!&?A}%xho~IKBi9rpBg44wJ~EuRLQ}
zLOR;m-(ui2)p+hZW>lnl_NhK@ZrJY!*%gMbT6GVaNB@gy3D9od5Hb<9B_TNj?VR&B
z6=-}x^|h;+{}DKL=p6{)000XYVLdS6>EIGGkiP$jOH8pGa(m%n&tGXo2cENU74?_l
zy}EE?ztOAI3%+1!tFRGX!sA^WK*edKi8|1ST|HWf;uU}=+57HPLO5uUH$HQgFbiOQ
z_1$ewfgC>Dp}1R6<5{Pm)wfrA&+*MOwF^V+1(l0qiHwuwm7&8*>dSSd&+$=3G_&fu
zCK$0RXjL|l!(CYSnT8^RB!~{g6)5#UIg+U|@yao=b#M=V=we(R+0I759nkufeYRgD
z)Ddwc8IfohKdHTDw&dd^HJTYK-Rw6ldzqbYJlWGAP`vC?j4<ppG#f;(EcaG#Rr?;r
zgKu2(#!i4x7ylMK+A5R}*B2$c@U^a5N5FF-rqR+D)Z^z#gnl;gz>~o@S@+5SBZo>B
zKj{#v+l5#1`!*=YZdgc$4^F8c`aJ#q-J#S6Ts!!tb-I-*>wL|A-$$^+U0F?bX<%aW
z54K8CKH`gcT|gyt;b<71RyMazAsEb0RZ2=B6(5_ijzMu6UQsE1!tELk2VR~M-9Eh7
z-y$Y*;HL?Y8fMIY=Ufm+5EMVLRl!boA=<}g`5+BFq1C8y+5+-=f+MX?FHi@Ze7j;_
zvlVG1s!H}2|K=R4J~oj&?BzU5p==iA?%+D#=4)vdgcfV?2TD<qoyJsWYNpB<*1_oj
zIn*WOKIYqka9hs?01=ZCRef6<w7%D`euRH{%@RE;FBx3txuy(Gv4f2eHDVS!MEmT{
zznY#D?#)Z@3Cw06O5;6bH>_@hVdi_wK94A2D!uw&*Y`4fKffJ@%tP@UCdpRHi>6%M
zX|)YQc!Xn25kgV79)mL<xrwsV`!jsXM!gorZy5CZx3LxF|LfE{hK<;+?d2LZy7Ukd
zrM*3$VUuRCbI2YSoK%Y&)$Ptx5*=*qYM)IiJXZV7U7K`CRN4PejtK~;L6e5dn`2oC
zcW`{LyboU0=((|K5m5nAnwrK;tp&x#*=0V9v1Xo0^KBb$gIPBL(^CM}v61BT-2;9D
zy24qRA6<1V@aRh!&u9BE?Yq_hkM1|U8ln|}1i!lQ5Gm~B56h``ZP{ECDc*i32TjT}
z(I$C3kXqDMWQj<X)~KSsX#a7eFwL_fj=deR=>~zN8(Wa^sovSN6r8O%T?_(2GaW_x
zsek^>o&$(^Be!KwQ*ANoVfnAEyXuf&^oV+3IX)i1_svB5XC7sd7fmr4He19ATJiVW
zp}>DqIA2hp003TA*62wUXZkZq>&ci-sP@eyBXprE!t{b(0!=s-%0)oCNkSppV?SKm
zu*}*{KiG#O<9B<Ipy@rc_G{~_5!VnKcheDPzKRwrn)JEc)!pw7#bUq8P<-6pbC8N8
zuEtA$(hTxHXDa=NnIeKQn~rk9*f<Wd3$rCp5`H7h+xb_sXv&{fQ=gY!5_u@*Z4JxV
zUo+QBUo?v91cuYgF_yTo!XrN@{$(ej!T`xDfi1QnA$+gT)bax0Da!#Zr)A}_flk}s
znb;K7$5L<wm6Dn{pr?w}nd?(6q_5Rr^<H`odmTnhpeT%Qdub)^XSiy?-=HdBDD{Q@
zws=3P;Yh7l!GsiS>}%<fgR3dI%?ZoepJwMhC#G$tJ8Eu&gHxu2f9a6nl~51OI*>q8
z;eCH~9pQBc(Oi<_Rl3o1ZBrw9;sT1#(H*wPa;#BR|9ucIWb`L6i&bo3DnZd-N9b|G
zT=Ls{S82)7o4Vd}#YKlD$!V}AWwHPc>3KfZ5US+}ZOgeP8q9mmDFEAHnlX}wIm7Jf
z8&v|G?M3$Bx98~VeTHJ#Y@bvo!he4j^a`0>e0}SJMJDS?7iX@_-Jq|%4i)ssoi1_*
zbJ}h+Cehj7f^9Fn<xOcvV0R<oTM5ORP*gjRB>3CCMe5=T1~B@bTbe2t5>*}@j|yIO
zA_ua5x~5Ztp#**4kJSq^5sqU9gQzi4r4o#oI9gy`Z@3qCsFp3#U91ChH4Y97*EfCH
zB%2YSwO!=WZi;0(A4L92pHM#pAt#P*llwnv@z>;ww@?d2Rw9kb@_Y?ea6nAR<w_Qd
zZCx)uYul(EmGqB^eZl@c=F-LCmx$eF#vR}1zrtzL$8V--evIlwFdYDF!Ld!3U@F#D
z?qo?nR;86{K)&-X@8~MxQd{!A*b`?1rU|xv-I@m0GdBnn65^_KgGY>xCJJ@$Fxr11
z_oa8){s?t5N`-9szc3mC+>RfYZLzgCHhg9|NPbV6E3(=vBoi!g`tEW(lUnqr4-MW$
z>mRa$A6MS9!~(7>y5pt)X9ycFxI0*<Dc->=rgYbNik(W$f<1#e)|zelM_jZbXSN1c
z;Hk&X^GxK@i52Un>ub7ybW`sQzK&cr+w&e9(LTl6DM!l{DCov(I}TzU=T}yH)wK42
z00J%Ot{+)0)ejaIJf@yz!dWAt`$8L6h?=6{j!XV}y*F@v@@ll`$-4Pn`^B%|Q;qRS
ze0O^N_dcYn%#m_&Nk#Jq3V=2YI7?kaB+TRN9&)7;^1(59(P*?I(iIvC#ws$kGQU@s
z0y>xuDBxJ%+NfX~c%c`s)D)vu)W?|^R(@LL#L-2Q+dpMjYdQ7TD5-mzJnna(G;mb(
zWY^-GhS==q?FT3si`2x)Hr$uct6fO1hQ*~`SkZW-MkFyrgITYNIE0l<#O1PL4kI>r
zlbApNF~Hu8*y|6v8c^j*c~)vju6-Ov$u4P+h_La!m^uXN(@OK_>y27O?nBp>M|{UC
zP!3{<VKqu#)8LI<CFN{f)cZ>70-dUGHwVSr9z~CwdfIC-O-%mriifT>?(fFXBSJP$
zg3b?X60X=YBU-vtH8|#+=pshUxE28r%l^Kz9ZfIb0If{xG6opk+A@aQ`H4ff{Ye-{
z=tS&c6j*lN=6=;d@&0v(0ov00jgfpXr}$1luq|a)@bn2OkMTsH*K@a0ZGUt<W?^I_
zks0B*Ku+OH8)w#zg3kpOu>Mzsn`e6DuKXSt7;NVovUN%`Jr+2L&c?v;)7rba*0;YT
zOy$ZPANy~$2P*g*&)8BpU>#Vmq)emkg_;hv@&|!g*JG$nD`-quM{{>1otAPeYXhGQ
zMx)hvb?O$?oLn6-aQw2<j|D|#+4Y2#^HyzOV3%&80|7{Eqb>GF(A9Ur`|$PasTe5d
z`H=!N001P}dXR>pA}JImn>0mUQ*vtMR@;(X?eB2jt7qKQp+q)D^ZO45W;#AtNRw(c
z)Mr9Wy%<A*ap~;fDtveU;_j%b>pFmk#-`V0cEd+QS{c%8(y2{3CLtDn2DA2O#Gmj{
zEZN}xNvdsB{R0oevDB~febw<&Ygu_AXay%}E$fj(q_O8iQnSij9;^+8HbP;C`J|jo
zaR#(BmWExLM9Aq!0+F`k(CnzRRwM*Q0G}!Ib>LYOH2&_$5Tls!>dwiY%**W;Wlc*w
zD7v32u7e$UOdw+IdHkFH<_A;TP4DmSqe5aMS~P?J00Hjv7P9yc_`ast@QqSHNSko6
zb=>Ipu%lB2eS{X7<x2v+;${Znk{%RUrcg9hap|*+>rgzopONkF@D;T49X|F8v^6Z_
zgaCXDDuwCF&21HZaJr4E_veaFmQyy6$AvmGi3vK8*24Vs#in7#622sg$ZH{l3~%i<
zm}cH6b6Ki#D1zBTjQWmvNAJxoTEo!R<KkONRm(@fkKcmj0kYXOlzbRhmkk@I4*i0o
zwm!@u@-^8xLGpA@8O8Tey4aAGYsf@_o3JJ=eWAA#&pSl>hl?s6lIi1SE2wy-gv=EB
z?RCes(tJzSCXl{r?tbjupIid#@T*aUeV)h5Ku+}Ys01C-UHRnK7EHXs7#JLUIy9?F
zV=~K-{Stq28aweupgt$wmy<m7De`IxRJp#wD)t{B4$W)UlkgMa@85R$A!Oh)K$&sA
zT6>kjgk&4d%ZzGOqE3!mb0LNzo*h&E3fd=DnHE^2t>+UJb=sfYRnI(JzeC_uBjplH
z9)$&BA(XB3n0m=4vBp#Pcgx)hyL8TiO5rq?adR;9At)y;pkhqyG8l9=b`*HLj3sXS
zx}cXB-!FW8q?VQ}s67<E<x6}p)9!J@CtVsPbAyM|S4CZ*((H$HeMTMg$6nu0AWDQx
z(??AdfNang<rbFpo%vd<3gyuIpALwc6a05xU}ZB~|31roXlQ9dxjERiUjzS_XdW-4
zJNth1JQ9GLnTmuS+8r5m#~P07ImAUdC*YJv{_I5(GBYtjaz|>H*_*oqc0X)eqnj+>
zY>%1ix(FPljJh}n5)H>MXyq38aNwA347Zke>LW%jgeYBb|Cj?D4-;o^AcqYe#;6AX
z!J>bDeTCqDF>~&(3%+nd+dP>+GwfU0-SkgH`7LziX$01D_In~YVQ^BTg2y65*%NR%
zM_dPnjg{&<#q(t<;A8VC?B!ew+D>zbR%-TmW+cLSgfbqw48gCIga9Nha2eq0x=#@v
z58ICHbf4DJrd2D|nEkt1b`}gyeLcU7qeYcd5;or!7-BO6TNQoTpluVQ|6W%dCRv^Y
zP;i-MccnVX)?YV;ajUt?+-ml1%VtN{z@96{_^5>S+v{%B`In$TU;r7>=|*wq%zSi8
zCP|0l{g#UXbA`;w?^Nj6bWWp?SO=cP1+o2Nyzv_^%r<s-olC5g?W!HZ52goc-|Sp2
zNh0nAkd7V!PveD9M<B9Vz0PrLtEHnu5zAqG=$Yc#$dr-M20ou)PSpm0+2pP&?|!*-
zE<)qZ05YxM>RWVSf$WaB)ZrrYG!_dgjtsg{UU%g3fuAYr;D~`&kk2LsyBMiU;qTWk
z#A>v^;VRq>=!ZRvTcaR`Y5=$AMKWmQ?Sr=^o+tnS0U59s-V<6enSv5LvVYGlhaIaE
z@4K^gW=V(>#>(Nl7;pMsb<bJrrMK-gGi1w8;CnlW8@FNq$?$Wl3zR%|<>X|A$PCS>
zZ(gHnoAr09n*7FuuWGJOA0O2xMFMqc`$J5O7W79-5rqkh0{4ZAZzQ<SCXm6Be`+@a
zPbLY8SC=at>@phD_apXwpY8Vn033G;->RM}t?JYXmrc;9-0HEwMVUj)FddOIY;RK(
zDh5A$h_uj~WH6XZViNeytydDSD&uR5GEC-S6jsXQk56zf@dD4B4Ks1Xa$~H;G|)m{
zP6sC6WlHBI#ddTK8BX(P?)88%UoKBUAVLI+;lrcLInj1&Qp@~`Sx#SCx>NZRzq%Id
z0aEwM<O*X^)@RBvY_pf(6@f$7l!dD2#NkUqcavwZHHzErsmwIxWJAnph3cxt`%Mg3
zf1EQ1xl&j>q@F(CSew|_vX<VoH5DbBGUEs(&h=|Fp=aGf?j|thUGfdW!ti3Ze-@F<
zj@?oF_=ZSIM;N3bt$xre7||exJLCK{f#;lsA*sD6V7lG0_0>}mWOYFKEju6z(^ZlD
z3pxf&ac!nnO8;%~4A&5e!8kB?B!YAX4nJ>)+|XE2QjtcyS$>A|z@h*E8V$r=>Zl+%
zIn$eOCo16UEdGIN<oJNhA||4qtJs7v1_u52FOg!yIvQ*BFuu5>+lm4TfUqLc`o>B0
zN(6Ue?neit)#l95fh3Oj%jH-Jdu_059XY&Ht2xkci>tS+8*gN^5X88?l^Hi=tB2(c
zKrQu^#zD+{Y`7o0O=|!$Iw=N{$wTQpA8`g8pcd+gvg|7&C{1?8u@1NcV<mkDbgn72
z(&RGxd_GC30x$`4YrOa&JZ93P_x9be8nW?<G>rF3Vb{H+hEh1{-q<r8#nuqczM#5e
zoG=`YnWm<q!n%vYFNrPSRa|9mIGV<x1i?fuSiKv-aPdsZyO$#iW068?YNt*6(yc1D
z)+~(v#sXY>%I0SkHT_L4cy+SCkSEUCf$kpndT}Xf+LH+iKoheEY{56Wo7f8Qbo%YF
zdqGpRJcv+?MF)pD@Q~vWpzx$vv16lZS7jFV(pwASnW+89!=qmtzn>*!HX1o`e!soU
zjEl<r5C9zM`zj0VPzXwfy#1513O=fP1G!%y+Lkl`tD=To7_J>^3_ArgO?+dSa%{Xp
z*++k$GrkqeaI7Bo<?mo!2m$GO98u-Gt4OmRB`Mv57F3|Mi}!37^4FCb`#$G%d6>|f
zJl-1o!at*5JWrrCuj*VwJP~fiFeYLu=7elhpSWA+C3%3EHe!K#crws0`5uzR(UTRI
z=XqOVNoa5AC#Q|N>}Dv7o!<e>ZD^tvGO@Q)imm*AG|uV3vUHE&jMX%33>P+(HR%QX
zYaJWqyHSZP2w?N|0d{{YS&PjYdd)bzr!k6_7%O?@^`&=D;u*Maxsgl3L14y6g$;3S
z((<bGbHio4CNJxXx6(x+zQwd<7VfslNhmh3YG+!yPE+T(Nn<(;ZS!xLHX06#i8?Bz
zg=uB`j^TkyXL@bO@&@W#VsC%9PfqK04~M7p`+g;He3^45^?ve{_T4?08lI77sQe(m
z_=VAx-Cb4*S*X@m#td=V(f*`KRbd?em)w6iUrMzI#uC1!*n2kGdiv`5*o1!S+V}{N
zG@>z_H3^~8_qs(v($D#$Wr`LQ*A2Ae{4UL;i=0CyJW_#AC;bPd)qQE~VQ+j))}5a1
zxM7dmK(h>%$`B`RgmA%%Uk2TCRoO638&bOx5z3V73<v67M;|Wv3iPi$3O^lU;!Cu5
z?ZNX<d|sWzEgA=e94d`fn=Sy9(|BNP3yyNM%T&cFp$)W~;4%~HaPJDl8u-uBYwSab
z{n&y?F+ZLKg8Fz52`yx7EfRq>Xxc?vz`5RtZc+bm?rOG8^9;+FyQD{D%p(K4WSQCI
zJ37I$7A$MoI4)TnBhNf7vck)+WGu`r3+cMSYZTuHd*F6rzRKl&vD)c=iG-aZlBK#c
z(Ru&?004iOaR4!^VT2WN{^7BQ@@hv_GelkhnLsAwh@mv9xgz|7*BbJcfN{(o0MA@h
zF<ya5Wmsav-de~EqDoYJkQpMVAa@7&_F`M?YP*v6vllgnFcgM#I8=w+o5P3&9f#lY
zjn=M;E)4MfMN~tJ1=2t4U>?KL2MH*ZS#eS3bq1+%MvMVAf5;~H7NkQ(mdB(D>Mhwf
zPn_#Ik3HoG<FN{n&O2GZf8V|{MR2Cr1`{DfuKhCredBfPg9zV4Xd)Vy=h#EM2$h_6
z-T^654eUT!<BdNTS(DLs{aG-M9}k6!u?2Q85oN8{+BO>>)$QA08u*vY`VW_mbZTmH
z`rH*KP27!;QTo-|X!`>>NSUV7s32#I89e9`niLQRg{<|=@440Y;E1`Qj)qoylP~*I
z-8_ZSQcuvc&3OQ1K%2jNA=-$5SH966y|68syjP{TSYNJpdK1#UKkz4|<K%T_MJrro
zV}yYgA(9@GFeZ;ezY9Li;OQug9HO*Dbj;~OD~tDUW2oTF3-AW4e4T(<;8kv6A)fd@
zoIR-kgBKZ+>ciW1LZq8uafT-567Np|rj@O30*vbhYk?_Ry*aQWxsUKE!QSf9$KEF3
zma`Ldqg&dDsfP)5Mn5|js=Jw~%!TNuK(_VOrMEUWX1Oz_GEgT*E=ny`u<DqRhwQ+q
zf+KcAW<6Q5B}6>8Thmnivfde|2;g#}p`|7cl?0;Mc~fxT?8tc9qZoe^WeMl8_+8tv
zDZ1Vx{MO;~z}isXUX>6@AB)&Q8#CG<Ta&Fb&B&-9dkW~OUvfoL2O;})tvbDtHhrPS
z(E^j7hC^>rEB8ZrIEy<~4IHW_d+YIN|I$9HrK8Xag=e&57Ff_bB@8xrz15X#k)9;b
z+F5DxH($4bv>s_B<a+-^K{p~s&F@!y-9}AZgH?iUDo*X}00&akPqza+W651APVI+(
zbHiwGAD@!mt@PhPN=riVb#i#XrE^mi;>mr5`;?!-x0&e=ytq%kOJsKmyEqs((h5*k
ziv`R#k}?eS-b9YE<As3r$0X!Zl)c4#+=5Vs<yXA(+cbtSXhSj*9ruG8dyo-TCy~}-
ziBoe|=BtE1n+5?pyV!ZCD6Zxpq#E0vr<r^)A#4s?V&Q-VxK{#-4akQ6#+iPkB;~>I
z_IeRo?2o{Knvk{rfmy(^z`I*>z(DzXBNCM)aFlt@9^5EmKlZf0sxa8LguespFj~)c
zXJJTR4)K0p>w9l+1RXRHDtw`JXpxh3W_@N%Z><`D7hd##A*JJ_<IZ_k?5doL<;dza
z_<p}@Sjb8|Hi>M|^T<1n0m{*@lcpcw>PJh1z7#<h3b82ExLcHK7|$>}t-;xvB#bcL
zQC;Jb0NuVRw#jOf?9Ho>1KjpKj=XlM79aqkOrk4kHs|l|l6po1Bzlooo3wyedr@SD
z@mN!3IZHn@sq-7%lQ9Fb;M<OjB%?d`KpJM!Bu8O|!hf79i#W2swTSJ6iYG9U)O$@s
zB^{wT0*2~~LmW+2!2T?t(^uWy8pBfRlU%$BMeBx|u2hD*G?5=MB#nb{=teN~B)riX
z?9EzV_(+!V0d^C@n5Lv@tyu~oq?1v$i5Sgx7AP*E#xi=|#|0$ycr>Z^JylM0adm33
zaZ(;v`pP^m+z;6^6gFceN(5Zc2p4EvROXq02~Xc`Y(*MTPS(Du5HJ?r6Iw)Fxm^&f
z%&tv?`i;FPNZS~@KkwQRT^fHr=@iMEP~(M=&N?54wE{PA!0kQGNJc;Wm|)lcxvg<L
zJaQ5aE=mZm5k~%L0z*yOHcGKg-6PL2;XNR%)&Mn7Ccq!>$%rn%haT>J51ct+;UB)8
z<LpbW_yf!*&LK%zb{QIY-tzIXwX)~=xnko*$m2){R;55Ei5|#@_I_MPnq6S0@I+`t
zbakI*A{@8xfoUl=kjR^b6giU<n2oiXv^Iym*ayLe5@Gts$Sv%q3&dDGo9gFKU_%Zq
zqqK-AyY{kH5F!(XQZRmho+P|x;GL`}UUO^93K(Ou<DITn5ND4T)~#iJD|xl!MUl?+
zeuD{WMG@LFU*YG#rI*@_+9?4Oq|DSYJDcidDOYt{aQyP>PF~+62`0~za0IIbbl9Y4
zafChhn>H@Fb1@+%6Y6l3ul|5lZwuV1XoSoEow{ESDq5zvmy{lZ9|h_jYr|108{xJG
zE?&Cv)YHJuZV!JPRv};=EA2%!t|L^=t^M~8sNm>VWVP7#3_|%E;)V-YvLYf9MvO?%
z6NFbu*5AO54;bjEYYu5U!1PP`9*X#GP59Et<N%3w8i*#W@&YJ?vzW+%zgcJhgy}kB
zogU;#UnM*=b}jVGa73bv1TY&j=?7n60fYSQ?8{C2fcloFdV&}L#g7CO=5k}sjit9i
zIf!I4t=`7jznRJI(}}U*uJ<qrEeTPMwBJ65Bme{$qD4oVot3hL--?)Fz2Eqzo1KcH
z1j1$7c8+9|XY#kE0VrWuVERuKfB)faZtb`ds2q!y5%VN;oA4M$@s|{^!fn`HsDaff
zqy0AIQk(9iBcRm!_(ci#rO8Q2%o82=BS9Ts6WoMA*mh*v715GQf8O%cC^>fEor6_3
zFcAj65!$sa2T-^*yHlz8;_{{o+-sq%ytzVeJv?C`J%TFD_7ATe;?-ul0A60Y_QJmW
ziWnp<AaQ~a1`vm{r)5D<E4idiBwsR?34Jo@0?+$~z^0XIC%?oHQvzusgXHFlZdQ{?
z>oC<~n*VLC-PaM0Q=fb>2L-a*L&xBPmMrXQg8T@SmvQ8nvgxzxBBoLp0N&#=KYs?v
zRDELz6v>g0*Bc&Z3D(7YwJa4Z{*=B-#Y0_7Ey#_5L&C!cM(?zObT{7Yz*PoC+Pt2!
z^T&F3%@!&bz?eF!FDvDZ!jQBo?^a>|S+A9_r~TlQ$slZ=1B98`djd5^Q&vKOCmL$~
z7Y{cvkL9NrQ0qXEjqfe?FnmvDNJ~f~qvXS6)pLlN$cC)b9(+NS27U?LV}^<OrS$eG
zP#<A3p&PIXysEcnVpT@o6Iz3eTc&pVv?&+I(`%K+0>@o6df1f=IJMlN;vA*`8HZ(B
z&CFaDMf7mBm96=)OIkBc`n8uWhEStlHLsj6f`L%#6lg2u5v}e@#4nqhjpMvH%S2=u
zGllfghuCn|AaWhXUopvu8}u=1d=_YX*CBW6MwZtM6eM_ZrPl;+15Edcx!ve4PWWY(
zZ$)D751ln=sz0|9oArSO>s^VGXA)Hn=SuP=Yj&Y%2E-f4M;)b5riN5SQ)Gn@Y-Y?K
zjOQuGhD8Ps#(6>?n=IZvWI0beGZi@*pyHECvP}DQ`smd{^ubIJ#G(J<jvS6zGj-Ft
zHLeSwr7m$vl*15vTjNzQJX~!%kr~MIQ8)K(uD*ta7A5c&1Uf(blj$)v1laz>+?q|f
z)s@fy47gLU%FWm}oHCCOE+-mebMv7{@hkt4EjhobY)ALpkSIAut3U_DqLg0NlSIw*
zId-F3ajcrcO98bjuN5uWg*Y#Bi1dBONyG1RnixW<CMM=4z+hz>w;n3%oRA)|7ZOt?
zxWF6D*n&RK9+~-&|0MrvGBRcCl&n?b!1m>V;6)vrEjh_;qD`%>eT@3!bsMf8-BXQn
z7BCdiXjDSKIVW?L<T?>pWHoz!3c!{4eSmuwxnV_U2uf?sQ(FYw?j))8IU&dB%C}Qc
zPBh$${_VzZ=MXEN-5lT0JXwSmg;8&Ip&|PVa!}TMYXHeBUNm8*X{9t(Rl8ET;Fkv|
zf>Zq=7#hmWRB>@y;btptDijKf*Z&Kz<Mb)f<(XnT8HHHYGxmlgx8>FabqXgig_Qn6
z`CZzBQB^`m@~SLw#Xrj!B&;@ayK(B}9K4(a_C7&Y*n!vCAYDWGO#quG$H&g~#jFV&
zv|QD?w>6~l?Ie7*c^+uh1kQ80VpGdLZKRWHG?l2|pq82a?qdY7U((}3N_&;gMTZGl
zf@NMca4`!fY5t8f@wEaq^t42D&2~+@@3jpMG?E|tDy|&K3i6N%-iRA`LshI!n!=oE
z=Tf0uaeKM7_Y?`Hw|e9KU<<TZ6t46G8<jPy#b!+dVxE3P8OZJUUMW=V9{)Ef+F>nu
z3to!_d#H3#%~08@pS?Bd1X8-b^$w%e+wvt0vO7Fp`tr1N4ON0}oTL*_aPT<q%P>M7
z{#z;VnXWbcX>r0xU&xRAQ>uTlFU7dZ6sVu){Ce|V;d>2}ou9oy>3r>FC?+U^OsBF{
zVptAM+|>CV#%h3_!;?4lx7MfS1tD5@YHY@t<Yg}e?l3#nR?!gsMF^LzY~<CSNSo~*
z;t0GkkEDSG?~+NLbQv@kX!RhhT)9nRZ0$S9#<vDzXq$OBq9>GkJ{mIws~(9_s1f8O
zdp59z*e;T`(NDyXkO|#uND%J$Ahg?`$w#Lt`F6%0%u!aUR1{wM;@wmNh4dv|u*=5V
zy|Es}-JjEOdfDZD^w_?r3jO-D|C4?`u7nZTKjZ}H3l)Dbw;~7df3#LkV;x{>=cyE6
z1TRlcJXp5ImbLsUD2|)Awaph#)aB_nfxl5U-ogmE<{RW4EKfSRmKSO`KIC7)-NmVv
zu9n$^^gNLL|7}YZAWXtQ08LcPik_uj_vloDlOsW$hoTBk;klA|2e3e-OEdJcQ7L-a
zY2|AHqytIMsvs2Lm(c(KQ$5-^oI%4UnQS5q3^{kl4L+|}0=q%hfCc}@;~AVwItfr5
zfuO-eca!M|B3wKDDS5d9F|hZJO(})q0WS1jkCyNRdE>GIPek(fupwg34^uAe8T50+
zWJ^y-nJ3eF?`A^py!zx^2Fg;J@;dHv4ap38^7bR|TSXI?QfEE2HZH=$%^M<u(w0va
zZc*h51Pj+jGxM3=>KJa$J5b|gT!Hh@oL9})!a=q)rf>>g8zh{n&R+qs;xh`3wN<xM
zxW`~)0YN=y=F1!`CKUzLc8tqwQN7rd&n=4<EM!(FV~#Z>ylLl9rg!1uAbJ=|uv3VR
zIv(WaH6N4N+<rKNvUxM{3vupiAUtg-3in;FoUrX!==L5iXU^t;LFKBKg=Ps>l0yM#
z;-W?nathb(i@;^Syz8leX-5#-x?hxg4;!iz7I*+NbBPqG+NBkxuh}L&@SIs#u-4n$
zF*~c02>hSFBneMGa4fCC4%2kvDh)z|L3$>PprR=oYGC--k7d4j?kO_)i>N^*Ap~oQ
zaLH);X}yJKT{!<Q@MrbNsQ>SgSE5VdX(3Ghi--(}p3M`|H^=chRao6YvFY>0iw>@C
z1=)0-a&*<nlx&7_%%d9lAiF1h&K>FP7EOaAom{ECigq?ux3(Vi(d!O2aAgA?lno46
zGZ^>%=7ewHPTw85D;5%6Z9sqde3qm|0r9y^(a9fK$4RQ`=c%r%giiTDmlBL}x2)wi
z;Yqwj&=xytq9egcvh?WZkq0$e9?O~pQ4%y934Vz$GLwiDkyrNJfO^^LGnI$U6&|cs
z$`0+Lksw=#Nu|Xj@o{?m8+EmHMBz^ot=eC4k-RFG%xER+K{wYVFqb2DH4IgQX={^Q
zC9w$q#FR}Qy1_E!_5ZVNgu>E7Q<I^S2g^o7bP%?Qas?@2sPw662lD}|=(0bqJ&W@k
z_^1Quj>k^zQee{-g1bDGg5_+rUr&f^T!#OaEefcHSzw`AVQF$OkxG9+!K3#GdaV3I
zoSek=cKugWu+#ulu5jgpTH}~7-rBAKCtRD&(unN?MM?DEi!|Se9G=C`qHm*&7;LyM
zYDiwJ5l83GW-fv~YlRU*aXUM}Ux{?EBYvDI>b1CtB;rZoLd-WnQt0a`sTReh;IDVg
zI-{HqMJk27=AD~xr#Rh1M*ZX_ezu2b!a2_9Xj>lZp79B}1Ofx-q{|4r3*n*5E<t~Y
z<w&3UdM1A_8N%Hla^Sp}Ok%F2))g^E=H#YTpH{<ITmupGGC_LWDBga`zF+(=ytC}T
z!@r!T9)HC{jEnUc3HT3X82d&_a4!JRJRNK50s_p?cxbA~#J)#v-3g40Q-17B(t!)R
z+L)?P|6@oKTWvvFpT?R_-N?HgyrQ1L#Bj3k5&#SiI40+O8J78_y8KnPl`lJy00v*c
zW7BqntiBz7uEIRb5N4+f^6Ez%>v8)iCQb9BqA!my#r@o59}_3vaosWk7(jO<9e04`
zlHobea&Ugr8WZv)ing6gM&_2{Yh9`B<LvyI(bv8`R!`?BHo^4J%MPsN%n4*iV+EZr
zp2E@JwY#;6L0%Lz$C{_34QSplwa&hJ4^vsalfDL@IeTX~4IY_(*AmJoo#Zd!B34mW
z<=;)i&Pk-YnEvRD(l*y9kYbS{zowecPXb6563h%KjvSd{pn7k;ZlCWEuti^DvbSux
zS+0Z#|3?!_@>OPDyk;KBt*wnvW4t6^7BRpXBMWEcN>aB&V}GMse9AnL$A(q0#N`jM
z0l;v7Ksrbsl;98P-J!~>_<adlXxL*(1*ksAwUfnxU2G0UT&>8li5^iB4S~Mg-|#}D
z6J&{B@WHy)yYu__@O^Tj=kB_I0F&Z(fKC+UbknH4*$cBfMCd<CFUxpC7S2m$lvn?*
zyW9vb(x|U;*kaMou1eO7=03~QU=_B!OF)MZvdxM<7qv<Af%k2ePpr$u01+cJ{jAvf
zLuTJ<{>oPLL<7Swxs}MMKq|_0p86Bi_pcWMB53=wtXuMi8m0z)!EhTwGyl}OtxI7d
zmkdArj@O9zZo(ub!Mybb#9q<NR$&AM91ZmR+3qI-09WMS;YKkP)1>X?rTl?8_E*hp
zLArC4W+!C^dEEBqarF@2P*+K>n22Ipg;T8p=8O7r*N3VGc=4PlVt~YNjjcgjNCUWy
z_L}yJy{r$(|L_R(6l@Me@|f~mpfpPXn1LZhF^mF1xocaGQyF0b?GXA=4kES^DQ!)>
zPvWfHM9dsdK|0x88c6kHJyr<~(RG-&wiXT%i{6{MKzv7pp^JkZ;U-fB4R=Lq*5YZ4
zEOI8Fk2N5JT*(S6sWR)ftKp5_qVp_+yT<ROd1^%xD4CByZ>*ytWf{w_+$Y!%ONaYK
zpIlW|NNh|nNAZM1?xqpirBvcanzKt_|1RK*vvrgb!KR)wxQ$tJRyv6KO9!rzJNvKK
z;#V3nO&7vQ21CGj|0T);f`5CPyzzCw2@o=sjP)){HOJ}6Q;(o)9BN7Xg*T2s!Ln$N
za6hpteM+mjnK^c-jjVI<c$>K)%Tdbe8lG7hpQG9+dcx}u{cwlOgzWvMY(c_v@5~4*
zD_Q%WZOr{8CqeVIfDmFYrxshatf?LytWCM_lMn*50UTU>EzUk7@nys+7d-23aXY&g
zyQK=v0UHj_Rq%!V4Sg1hd3EKm5`sX<>-8o9<iuiKGjQOMwExhe(#;Op6NJIb7|T!q
z0&<g#dPBmu+;C0>4zIXQygQ8wqHR3tTL`<pVHf6Xqv&N~C<@XVKWo;}ARX@)j7e1F
z()?3W)f`EJRk#>qRdLeLFYwWN^QMWbly}e4S$5A-9yU%Q45!d7fWO~~V55tx?iOaD
z+UVM?6}CD{jBcwbRkRa<u<ry#wT>jae!MfJ$-F#ElZ`_MU7NV4&_ALFXT!%Hs;R>&
z&4SyTJJAs<>Tw%Ca%b#{DCVwY9uf+dk>~kuOw?rLRN+{)O2%UgAXWpB*Gw~IA(QnY
z9*WI-B>ZmcbF<bDH?m9GqZ?`%8^Z07IU2VeM1gijn>}%0Apgws+eJR2f^d6THg-<J
z45TiY7d>`GXf^^1W6ihU7P_9p4gi9c>1zYUl`S@0cJdHh)V%80f{ZJS0fmQqJr}gu
zmUNJcAXftR_Imgrn<`v#m-I9yqbrtG0(xg(TP>8};pS{$4xmXaZreF0t$ueSCTzi#
z6Qa@l(X?ZAJZ#w2%9&=Zy%&?N-hKYn`6ikY&2OqnET`2ZmQ(36t^r=gZbj>NzycaW
zQ+ylaZXb-k3q%jMnYALa`_f>dA|Ds3@&Au3osgcuB$t`N^M?-z22pFb@FRo!E8TX%
zwx;1LJdJB4D_E`g7|EE!TGROZ7eBp7)93C+4FyUNmJ;cSpQmS8B(0SPM*@oae?sQ0
zfmsSlWUn9OGK$~4$!|i&%3eoNs<8O57%$%%K`}T=gcK#f=`xL=ZvQ4OYmR(2j12r`
z8Z+tH{mpJx7R}W$eFds#HcFWyDp$hk<;Qd$>I0^Ft_N+)x-zEPYY$ND7>JH*6@;Kv
zzG@$~bcuWsusQsrh94B+e_Sr@`li`IP2SLxnvY%eg+PdvBh}=w<;aG1Lr4aBx|dJ6
zLFyg1!C6!bM7ydQK)`R`ct;?X+!OgV|A&<b+0oQGQ<bnx;WB=#-Sqa5+`e0u_&c*n
z?IVTK>4n4g!GNYRnr<0rQpuH6-~d!R?vZET0k7-TP@yKc4%|WOHK;Fd#_oT1ux7r5
zNbAv%fI}9UMM@17aqWB#WO)H&h0}5{5f)7iq}^RyO%%Dq*#Ya-qy_Y_Vatp4<6&SP
z_rqrRPrgnHpBLABUm!&Dy5F)ZUs-tkBLLjH?>h;_xRT@&R3$gK$C=}RJuf<&EvG7>
z=!R%nhJzT2_68J3wRaTgt|rs7kiZzDtT^ZxWRgc3r8ZI@$yS!~TvmIJ+RK5Ilbh%>
z{HD(X;0nOLa^0M==Fg~DBDR25Wxj1Mn0Mb!J?OegU$uBZgQoz|7X8KvFAEpPh44na
zcMHlyAIXAZOn}TKl9V_?MeSKc7F{<ZrT4#lZ2&?Q@fKfJOdy5r*%MT4Sq+t$B51_8
zd7BsmrcTMXIm$}8;M%bJp5l+RWM&Y@7uRaU?B6z?<};NgYT79zjNxTgbSH3)?(!sP
zXe44iK+6Z9Nr<tbd>xNvQZZuKqDVGrGlU8psY1)vr;X#NqY^PkskuHTnG-ko-j`Q8
zzoP2k#7h@(O-TMv4R%ADp6_Ke3^(4ucem^ik}eun-VHJ;e$1lxkHfir&{2CLux3#p
z9h0G6j+H!97d5Dt4!{W6RHU|_yo?Pe_qJ={H)>COc(9ibvwiE8fq(;W&6+Sj-YBib
zjao}0Y-rj}b`so`fCPmzYN$vwgz|GHmQmzT8}+c><)tsioD5mgAolafT>LzF`-?}N
zHP5U))JN<eV`mlM2GSB6b(r5oD8w*_Q9hQ4vKSH=-IUF#MMC!I{1am+t@a9BO_Qm7
zSCh@^oTiKlWPd4b5V?_uSy*rXFxDQ)2i%9yd}W46KqQ-d+TSFusA*47&b|$bdP>c9
z!e}+lV~cWTR*jO!&reyV4?udVgOi*75Jq1tdg9hEk?qpgRerT}0;4v~Cn;hyh;Lgl
zC<<$jiw%_8Yn!BI+{Ge*02EI9q=yV%Y_mF>SZ#f!ex{e;F|;_MmZCX&vak=V*pD*=
z2HS;iQqoTy19y6h$ZUEa#<57ezjSU?#{jya^)9$BoDplQ_b23ZQ`$3GNAGhYb@RU@
z5JR%j5x1*a680pS==D+`IqPoqYAo?k*~}22oFQMG4H|hZm)0?eDvxS7u@h&O9*(sV
zhoVhL>`S;d1kT1&Fe-m?$m-BfQQv|DCi^ODj<Ok(M4R%nq;$&^TS*Zknh+b!Wt-&y
z?VSz(=gab0^=y6-DwXi66`7PUZNB7aXAED%M$;WyYVJb@NgZ}Z5P30n(!mFDcmVR7
z*_FjcDczT~A<M>5>;t2bGJB(<Fw-s&X!~Shz9y2cq6F-I<_NeJo^Om2X?Jx#-0}qQ
zB(DLAxE~$CqI~pMaTGS;Z=vw%fNx8;GoO~36!R`At1IpQ`};hsLoaBqk7*`r;@&7x
z<1{Y&x~mJm6g@#W$<E!JaXSpJ-~nCCtW?EN^V1=Cq^HiphY1t6|NZ>;)kc0$p^jM;
zMl8`bkk4$l>f0RaHruIZ<w#aLePFOrtmzSmXc}{!#h`1<{4Wuqiq3V<=>ZS(?{pN=
zh*3hV^1Uz7X}gi{(U)?6_a=S8zB3sJ1t9sSLk)}Rw%&7x_=!qd<s<&f?e6V2l86F#
z1kV~7TGGN|;GXAz%4&{MCJE>GOHK4`Kw6>_Q{P3pX1TWp4bMT&4RFQP*udyIt?=!r
z3$E^+Mk~T=kch1s+F>J9T7lVKdhlRT%R=>pgLKb_Ouzs=zsj7D7d=fmkBQOOa`#N2
zcbrlM6$<f1EZT>o>@6?~@RyHi>)VO5X~I7quS0&8VY)gwoO_IEAR~9pLo#S>G@_7K
zdutdU*LV(C^kDs_E_BPwrM>mF^rZVLj~ZJ6(uZnz8B%X<0Xe^;D)f4i>gkUu6=vwI
z>Dsn9_`at@=lkh2cQ;CoA}AZ*K_(7d3)Hq)v~RxSJFS@vMpZbj18W4j{PBsWxysvO
zD}Gb$K4Nz8?$H<@N4vj$<|<P9qUIqHiuZXI`5*Q+n;w`0OCnIcZBHK-CBz+8I2|g7
zWTCgz)!|tStd~3wNDvXx9x>UEZr+^#7hsrj8mdC%S>&k?Xr9716XZ|{vPtT&^hp%x
zrN<p$Gzvjg6IcP|(3iCJ3cQRu%dOHlz2W!=r3e0QvxvJe#;Z40L>G5EKmaEHbeZs6
z4+5(H7OVk!<VSi9OeDsb@0XaE$+bhBKDN*63#D9?TEn_tqAK%*Ja5=lRKBBMl(eo~
z>&8jp#358EglZfL;OlhEnQa^Wt{MqbLnzH7C8Z3A?j9SdPD9jq*cZ?CrBtevm0j+T
zgZb5c9PM>&zw=NNdz(}lVF*QAQuRLhtYjm|w;A#Chjs$#<yi971Y1@e<W96h*&*Qc
z7J0#(U#Ri$wSZr&^YvX|^u(@sDrjK0w?d7H@Vj{WtsYtM^2okO9_L<s6=6Mqbvi0I
zVc7}PO9Sa5hciR~0EA?h!ZN_5#;+;+&T<~6f6TYIF4W%t0RhTN5+h`U`0_5E0T)sw
z(0MC+WdNdMN9)YIk?O`mSxTl{K)U2ybc5ANbCZJO3Mm1Ok;9{g!I~%an%e!wZo!e}
z#tHHOWzG-Z+ALSp7IvH+@#I*<JEQI-4G%$wG|_oyHtcOr$-zz`>Dw2Cv&kd5sIl#5
zR^Z*Zda+|%vRz-^Yty*<jLnmqorl+1Im5x-<~G#fpYLAM%6=+Ewdv9$=-va{*9B}D
zIfgay*}vv~yclX1Rq4|12pucv8l4@BRfY|teWjI3fY-8A)bSUen^T`~`DvU_#wQOh
z)r&Mn=BxF2NVby%*3bf(&9#nSVxRjydvkEA#RHI=<T@W^@YhPO>43n6&~Q9;Q7x<H
z4s9WxdkQCQaTmfE)4zppN4#E7q<0VY-`J^}%W7q6>b)k7)nZKo!`deb1pAeIq)&LG
z$TlO0&tl7@)8Ur#c$^ji5M+=Bx!1mhQq`Q9@$%?iz8oE>Imw*z5kL^Jvm>M`WdU0h
z27a}O?ZjUcG;xZD!ispK$Ru-->eUW1w(g8f8^(M+F{$RX@REgu(iJC7+>N@A?lw4N
zL+4)&2;d24VMSmTED3(`ah`IG!x8~i;FR0ecj3;Q)YdA{Kwa-BgH1uRF6aA1jcTR?
z_QRG(CIA>41Jq%!$!eiBAy-}jkmgZ3bX0b|kpX{Em?oOO8$%q0iuq8aZ5MYq8!Cy5
zLpx}7lryV*1VI2_PM1G}gSn)-b`6mEpE;=@afyvkO}iJ5tS(SP-%W9V=#ma1?^zA3
zhVo`UYa#^=;OkLDY%KEE{@W}c5qb5(J|7s9jj|b}=2KS%uA#U;yW?nTB7JrfR@L9H
zR)`134_Kv{WJlt=fdP}Gm1okbPOCQncxh{FoFu<F8Bk4`&LGLIPdmlAaG?mPp%0qg
z(l{meo}c(Ga}36>m;eFuSUmrJfWz@tF(@|NTH=VUKq)%sN643M7p};Xz3*KT*|-Yu
z+pHlU2`t)Y69Muk-u?zUOI(jUsyR~o%_|ila_O3Ug9?)MH6S%-(<@UHLr@W$9?E9+
zJ^Fff>O_>?$Yv!7oY^mUU~~rGbR6*S-tQh_vQlg(1!zqw#l3Q>O@wln*M`PaML6fY
zHfxHUyr|4v3Lw)hg?{_#+J5dJ*^+S7T{}6pfItcy8(W{?5NcamvRLiXXD*utUH(?G
zWXZSdOR=Af=fX;7``_?Q5-em1QSsJ#830-gTN-csLV0n71H}8+21@LFMPdNx@O?4T
zLt{>6$%Yq6Xx6^|tr9RxW8>BmtTrg;KBQfGN(-T5WuCvci`HfQrp$}@H(f?#@jv3;
z%#y%K$XDOnml9S$i9<_X+r#JqbyLU}5>qASL0dW#i?8MG^8Yg^m7KdH&0;L|T7*<i
zaZkT@k!vCakC<;hIvv#hu^Na-m3-p0N}6}l5_II#h!<NvPSd{V;HQ<UKMn+thQ=Y|
z+^VwE)#o`Hx_S)w@Iyb4+weff_Z0oOX#pfZmYo4lao?>BO=&a+a@$QRI{q#-sCL&S
zl2i)$cexbu#Q*@(XugT<Ccu-Dd9p6Ex!tv{Gn<C)GUV%e*4<Es>8C1lyJXf7zx-TJ
zIu%#=JwcMuaheYq4r=q6W`baV4bq$by#xRm$2W>py~~|YD}R%6pj|UI#Z${qT`4N<
z`@*vHCtM<ui3-hq8ov}<2`$MhZh5BMt^EjiC+R0+4xh`gUu3x%H!Z3SkcW+k+>WK<
za8NoQ(tEY<Au8FVRotfo63aDC<^UA_PDe79va_n@^LQojF{*H)Jl)D2)aw%Oyvn_-
z?_B#C)!QDUGufvLoXEtHa8gVUg%M{SRl7&M%NY917>T$L>(~4CMNzDe4!o%V00ipN
zd4-Q?in|yI+B5{tY%30q*^kkiCdrO1E&5Ob@>5@|*q8#l0z{)*IJjU!)REC96D2I6
ze6qT5Ww$5|+J)q;Nz;wr9B=jgWUPYoa8-JcK5+Q2;zPcL7-<e4<~MKi;P_|P%ANZ&
zrzL;fG7q6py1`SGe`_mlG-afuRA37uqK7J?VQ>nH6~a#($wD5Mo$T55o!aUT4bBHp
zm7>iGzRwGtytL@hx4VEVk!b~Fw~%DdC?HuAT6Xg_w5zPrP@g^e6K{CUQM(1cm;*~9
z%Yn_VwGf2#mDee{96tOA8@>ZLW^9pE$T1ewx%(NsB<ZtG_hrhp0`|UDXd~O=C5H0U
z6bc-0KH^cc<lvsq6V6N7&ybFC=8E-vXx%Wlj9*<<VOsWr{^Jz0Aczvoov+SRK~{3^
zZPhr|>2c@^Q;i)|(9|@9;-Y-fQo@*nEjB+w;4}W%>2=>9-<CA9dK4v_*`Guz0nIYF
z9^q;)WY?l1%Wa~oKz|_#<g1$VF`W|ODW7$G_eo2*k<+9hTKM=sXYd^tLIp$D48H)#
z1<Od~oVU+rJprD%1T#df_%B=Is})3-8I>4|_<4{301B^NL&hyHz};J&YjWq2e0GXL
zZ04F8?ZtcVoR;i+Ne^hsmX0Ub`*`tj6dZo2)I1E>iVHQ1yN2JBtUz9%L}rKeOmCXl
zZ}!)yKQOI>SlU!dbIs}bL&{ysa4~B^&Ydle`LCsSGT(E%efV0;l%yv3bx-%&WJMi*
zY(14PxqbKSRB*SN)>=BjD#pP-gexm;?mkO#2^<8A<Gtpyc2xS0*ZE!!63eCt7v*v^
zW~->l0008pmX*>sNmU*IW)P)RT4@_KmSygn!K0nOoGf7<QygbPPyFaZITf(*(4=3&
z7g&1cRxI3NwqpN=-w!nSjFZq{c_K0NsA#c-<L}m=db_9hzUKyqCv37`vwyZ>tS?us
zhvq$~c$r-DTA~Wi@}7%qA+PNe8c3$b*mIM7!M>KV%$+h)(J46Y;)k7^APo7mG6zkA
z$>a`l>49F%qp`klv@sm<)W1K|a4wJ{#Q;DkHXq2cvO)}3va>RmajPpMXq9KGf!2!L
z6?Ub((HzZc_9|V?OwZ~`9{B;Kjeijt%uw=P^Hd1I&GMn<r!|-SQVczCWUj_Vj9)ZR
z3_18cNj8hN^Ebk38PU6hRH=FaJCU~Y%JnQfRXda&tOA^lQ6S23Rkh2{Abdq?%9>dO
zX~=fnmUv{FUkyN)zAA#gKJAUF{DVom?PIf!2)?--D+}E3w6;VCU){wdwI3pb$n@1Z
z){(Nh)pfYuIXtA**9?&=Cy!VH!Mtae@0OFXLG+OQJF(7`_(*N`_=n6YVAr`M7Vu!^
zGonBkp#i3&cu&!mRL`|q9vrJiwT=GgvWve^;3Q+k)n2`0*ZMwPoJ?<nnlmETAH4?f
z4i&Rk^flJd001Z7gYKR=*?^gR<n1ifRXZ@8dO)?a7<ZS^iQq;|{d1(*$iU_0U+FdZ
zmNawLUfN(2rJ!i&I+9rn9L&7D^6;PnkXkyQczrt(w~e=$PFCq+0JKu}<OQqgRaQ<k
z0+!b>+b|sHycjjzcVjnhCCmB@zCjnpa@o!gKG`Yi6c_=6UDtGzbwNX?MiE@6EWRZ0
zS+Dw@?}1iW!wv>yh4sKIX)>^tkfVJLaBCz{J~R)I2O@XB*<Io_U8=Xur~m^%?{(66
zY3{C_i~<X^7)-*e{Ud5F&pSoen(h7jl=PwXPBLKWmSSRwdE_Mnt3%f^%!-`LfyPE8
z9H5g7<wuVo)R{7Xno3tA%A%&@O2_A__&H2{2!h+43bEuQ@L5If4zy%{g21s9T|vG|
zoa**h>=65F@k05aT>q7O)Q5UBBC^>~`)_%C6A1?V>}F|Jrc(H8A|k@`@`dU*{Y9WQ
zlaLn|6hL!`yww-n-;yXK-{chR1@9EBumccJxF*tIYgHa!26_$WFbtJk5ytRLye8oK
z*^%7&IP-R%t9t9qNN~nC9N3Q;nKp-zV}fVGD~a$|>hGxU_+w`QNnoJToG-P+vWCGH
zr9^S|_+igMT`@7yv1oz`BrOmub~<e}fp^Y}+`eOy+76+1GkD3613l`$j83s>N>A6p
zJHaNWqikgI>f)UO4<9asX}*VDem~Xl$D%yeaYGpe0m>95i3hNo|BNV#nnF!wYW#vM
z98ym-t*;j!;An9(>#jRY8u-!4=^WIyT~D$kxh5MkloR35xk0KzDVI4dtgO8>t48A|
zk>r4ff2IG~_n)`IMakpU5utp}pM9fjVR^LllI?6WjrSC7uBi!@K_}1l%oLm+200yb
zc$l&R^gN;Rl<_TK;cZ~zFaQ82#?f(7kXIBuKIa!_O9O3Q?y=b!@zKfFy*SF$R`%Lh
ztC`#LWt(v>nnc#t?QdNUTk}lwzc;@g$s`HxtlybsuoarMD=vNfieQCU`&DNB6W?P;
z_4Fow(z{eq?~pB@I2&IaQ==b*z-W);@uRxdl+EM_yfsmzOd(g$VE#&F6?jYPeVlGh
zt2-RKF=lev&J#{lB*xlE`8i9%twvWb=r@3xY!Bs03zqx4wwusle{AHr$dw#5N=DT+
zsScC?0M&EP5c79M<-%;V38#8yw(R#j0|A_lClPhvceH{@*b?ZbMipAul0bDl%K45J
zpo^O~T7O2)8m{fn+5*Lj!*GK?iv)}p4KU7Bc<aVTi9awF&}5oGj)-Ce)w=cIOm=%}
zjCD<>2*<V8ezpQhj4iX>TWYZYgQ0?X*?YD~T!|h`yU|ag8yWO|8J~g2>8|A+(T=?Q
zXfXdjTNQ0TJA{8l^X2xBsdDN=U5f-x{2iF}3Q-rL9>W1ep}>*j<m`qthwd1K73D+{
zVlcaEti)NNGug^x7=O%W{}t;@|6(-u@%HFyoyoBOpLfv>HW0F882P@8#ln<~YinLK
zhhDAJFlj`r-8RaFKeU<d+S=FH&sO`JQS}ZFJu#Y|FJcjmo>p6qF*pVS%$A=~{;wcb
zZdmV?$vUp<>GqOmL3N2x{iTGbwLzT|WWxCFZ3x;t?f*3yt^y3*L#nye3~|kM_zq1h
z7K_Lp2s8CD-|1#-rCIZY%D_u2&f_ON)3TQ?@oZ*4W!=9HDk^rg4inZ$pceS1IBUZ%
z6AK9pdZGbF_t$aw!l4uy;MCWRkQ`014Jo|0%@Q#9Qu-Kd@Q;T~_oMFTPpWSEvx}$!
zv<;=a()KeIjrGL#5xAz`8D)I4TS~=T=Ofju@}tUIGB4oRw<C-aCK8~Qr-b6R)5vCz
z-drbk=+HHtku-7EapPa6#o8q$JQNWA;}XfIvYyyUswMhUk|MYVJTY4Lolyq0Y1ie7
z98Vow#{`(80QGKmzOtYx3dx1>2;8>%UQ~rED%3h`uZS+MHP3+)i}O{a6`Yk6kIPJo
zP^{Ui<}MNbLjG9e;~|=I-18=?$rc;lj&JG$m=>=Yn9GVt?}2GL&-{;TuO#dl$~nkg
zq)oq0X_$1Nl0)1x(>(wJX=a5>OPnpu*Y0gM(#J53VG1u&1cTD+jOBo+7Hq6)>Q=7>
z#=nr(Xo^^JHKbD}CEg<?Vd(DH<J8hXtB5xN_tJs2&F5yMWl?5O*lI={a>f{E&vBo=
z`!bzLvW`5BycFNQ^(X}T02}LO0dU5Q9JS-~3&+I8Us=<w;fD46XT3XnID1g9gKv!0
zBrbB<&JQye`A9Fa@t*YPZ!C4ONtil@`=6iEcYJzc=hp~hRtSkUV4Mt%tHI_gD%wyL
zf50JO1H`0D(QGg#m3!mF00587+C&_nQYD)|{idp!VvhaFU3;2w<g~D)e8E-mRZXPl
zGw0|Xa4~^cOS$!8XWH2rN^=AFUp<iKfz&`I9C2GQmY|1-rh9}vk6~}?Kv>Q;<qizj
z?bKl-K%-$uWz6`3;!h@Ic=LJ3$S0ZVfh+t4KL;jPv$mYLtPdIdA+S;(`m`D*NP#pV
z&3PuGy*@Q0V4O<R8JxCP4h?urm4zwrr3R9TY6k<Y!*rUuvr5=KIa5BL4ULeQC;(|@
z@;?r&G>du6dTL+)44i4MTo%$8us}&kneX>T%Pl1bAgbVyWG6}KMPu8gKL>EwsO%*B
z{I|B3b$A0Pz?J>xz5GQkUc7}eE{I}(LO59r09<!4U(kISV$(;Yn}8Iw7lmH84vTS6
zr_DGB;eCV_t^LHG(}$q-nZ${@jo;RzcJ*#Nnp)C(fk?_bcp7;WkMb}QEZKb2nEDkD
zg7cRUbo_-piLq5j`*FGwT&R(ao#<~?DXmS}$NLGz?4V{w6GM@<rbt}(e;eY~G^T?D
zOg(XTHr#?5NWP3krn7sa=~ABKvJE&KvQ$V@@*wQbsTfo<M?7O*1~=k8b%j0v2di0i
zusYt>ky@AC6eT4*Z|h|3MLPQmm-%v2){iziyt4TFFIwMZU~*FZZj>*TEn%btYum8I
zUfAQ}`FBg^_VX^Vw(2M%(xf!aH68Udog#<SgWuV0Y0Occ@xctWYO$2CciJ2Y;KUdO
z(XZ>!7zp8#bNpTUhAQvwJbnxV{1`++XB#6-w{8tHjKAiL;N&)Xn+7r!Cfn@pk?TS?
z?=+4)H_Lt^jEq^*S(p^{MIWx}d9A`rxi31MQpNX+_1<)9tsD*u721Vme8V#Q_=X&I
zrgE23DVObmq%tn})~f@?-*jcn;-lZyG-mSdc|H#^MR5m0vhMbunWsu}!u;R4KpeXm
zuXbEyfh>~qt2Iwd#t8o5-CgaYu}<9<&^PC$9+7OhjeMpUz(Xm3pgIK-&}7?xw*@Nz
z8fhe{Q;Wv4k*bwiGLoM&71SbNL~>Z0c5TlS|I8Om72dv$MMJl267c7s7L?~r-WhrD
zf7@~#HFkph7X#Hh;_22a&<(vD-S8+xS&*v_%PO&#-p|X0QI%g`DvQza<}8TzMJJc=
z7WM60$tQwC)K(xV?wtOR?J@X`V}0MkXeKazVp|g+M?Xtd%GVZahHlPRz+yC@lJHgh
zo`;15Ru8;!PwIl|61xj$eC;Fc^=1{uGGJhqzpRqX-gw?@K9qWQ_Hz?zyoaXV8+1YI
zQa`5g>%;TSxMA0%G+llgqsq&?S4}7brnJ{yED3yfEvaD<)B{QV<gZE73)G-e+_xoj
zA*7B-zgK@JGSlr&d{}yFD;zj8@PR0%t6$miV%p{}n62Mk#5gek00j;El)CqJ-TcF*
zey@9M^`G;!@Wrf~T_@2A^024ZgBJ?tS?mL@1RIXtZ&Yg#fkiI28;kT~N{=ZEzBFuq
z>_(p5$sH}Oi1;?(dl|C3oYLV=!_GJEB~e)!%_oLK{=SNn1*J$0h-=nDh+k6f3Au#3
zNSo?^KQ(dah~W6%id8v1UUQL?TeN^aAz-=71KxPThHMYy6fM40FVm<aJn;LggPNY7
zXdeCw3smmb$lE4U4S%d>H_PPO2|=GW+Jx{lCeyKW={c1*sn^*G_$8*iZ4}Zbs&cX5
zl+*3%cK5jF$h$DZ<cP1NZKa0si5A^y_bu9rMEf;~Lnc6|RdDd5wn}AAZDdGYtbzKf
zdduXTA}}Zru`29|E9?GCzCVnM0rb!W3<%R&S2*O~8pM!sn^+PRU&MGj^|Z;s^1q;~
ziAk#z_7)E_fzv+8<HM7r<8VL~<v=8rPPDkHk_cG7SGZ4LX`2Cpty8@A=!vY`kZ7`7
z)FPE%HdxEIwJJ*wzM^0hjQ#OyZ1EMgoN)Wq(+ShIHNIe#dn9A7(3=LLEq{|IEk5U!
z(`e1ZJp5=vz~L~jTQD4(gfD(!M|=#2?D4Lr949Nyxc&fx9?_|uUjIvY{XowCuH!A`
ztaAcr@31hvM)TsM$G14oj-S!-5!9Rw^z=TvK*y7Z!gj9F2@C-vu3SUZ%w8kd@K*S`
z^4Nbm{Ojg8k#R-#s9OMF!{>SVEdu5U&@PG;O4S_HMo3#iyhV8{IWbs90|3M+h=#wM
z3?m7nihIdSw1QStvIb|p>hD492eAvh^1J*wRVPr<f$I^}mTM!MKZ)(6=mcLu5UdG=
zXDEwYKG61uuTpKT?n@{QG&ay)J2vf~5~E<AwWRK%akmSu-tV<zSsAM*1B?^Q2F+@^
zVA96`r7RI&I<MSoDf#}EzMAnU${wxuheu?ocB||#@#v@kh|v{Rma4Z|b{@1<ioxph
z5)&3P)N%sJvLGyCIw063)0CL+Ff^0!L-T&}rzHx%_WVtUWiLIPC~8+o39B)S9zBoZ
z=ZqEu<+fM2XAHnggm5F?vlH+K(M?-vY`o8(i}Rh&23*RIqPY39&HXSRsh_*KcZzR*
z69xo`$XYnkmv}bnO<qXaMEpsBeQX6fA2UlorZqQ-uCe}oNT|zCUNoY!$HL~Mc=rk2
zOppKoOMhZC_Vn^Cc9ejPCudf#T3z3C38!v*IWt7#{FHiCB^GzECZ-ft2imoVbRQjU
z^el2yml>R}e_-^&T?<3a(^*KXxMMQ15V4Z3-k6Xxd;*ZNPLuUjmi!&{usNlTiVq;&
zs3ADAE}pDRkR3HSBQAr@mqY57;*C|pXRlmW>r20;;d}8&_-8DWGZt>PV5NXNW6@0Y
zujm7e5|qSM)lEIqeZRdrnyYff75Ga(i<rWj;|z24dzOh|;d3AtG9eGswS;EZ*uKt_
zfv`*ZRXYG$B89Mg`S6rZPFd;~-<|BeNd?6s=)|h5AtiLC%ijL4SNqd`A!TnPI?V6a
zE|-g)$Npdkn20xBfz|?m^Vx^OJUesYu0IJ6XkaY#)V)_yjDAMgZ+$4WuY^)0C>@g<
z2a-N?s$L&Q@x4<2nv8ZV+KLeYzZkpy$yEz=%YZtmknkr9%mHw|4@=%TLBSQ4VCaLc
zLVq<8DJi{5J&ety`2skQ(ATzz;nc9VMxix2HKR0nM!+Zq^hMlGi62%1gHwgB@P9XP
z-;BP4OaLhv6k>*mYFeNS3A^>@dBydk)utYzB!s>~R(D$EfOD-r`#q}#P=gJ~w<<&N
zYqNYFF=PuyraxgNgZ?`hzY#r0N*pY@Tb+MO2G8j3<3mIbUW|+9rKb-2IS{AE{V)2)
zT<6m0D(M?I6wlo>caF^P-st04=!o*lM>4!>7uq+t_jGQnc!FH`f9nSxb+8w}CP&ne
z5a($=b|A*`oBvxNnzRTV6G-Cw>Zg85K`>-r1MoWncesc)((sXxdQb86U09TwRe*E(
zkkkPUl0VDrsNedOgOfH@!}+rJA4C)-zA3O^*HtD#iHzo=)leZ6DqD2aA1jI{5s=H0
z#gl0sStaA=FW8oqSkV0aNH!`pUfo1H%tC?#B$7DbkQjz`yQOw|iPQ0Bf;b-yg=Men
zx&j15hzc-aY8hx>Jzt^rm8)3(a+@-2sJi$GJ=odeQ+q>~i)nq5kDW22_N<tFTG^Jw
z1s84;HL-m1RYl&nZh+h~g=dL(`zY<1=uPZaQ~IfCCRT<w8CpjN#OiWa)L-X<ENVn7
z2t2WkP~(+xpjNJT8g@rqKz!2iA|jx5Wn?8SpaHCMABACk2l--`lbq}WVf^Pcz4x4<
zJu-dnhht%cPd{Q^(TFezT?*?=q<tjVm&m~;sYG-$@?$kbmF#(7o-B+J1YLG(;p}8K
zaWZjz$b>P;5=U29=x9EBi0}@Txu!jy=HCQx#fD8L2ljWkQ#`-fxRt^p&9sL-(lRYI
z1O9NG!~Znf_HT`%E<O(vcS1ekb|E|MtX?{oM?#T)sTMW+-J-tvnlzTEEW)}T1Fay1
zOA-&`SpZa8mSLFso;WzCn+%^Sf}p5mUHb-vN_VVU<6Q4Q_<JpTh&6f%gDNX6;A<`H
z&2GS)zDjD<)W-&m=>9VoAxH6uMwYM*cWA(zFuR0ybqo9&zyNmb_m&E-R=>dxKsTEC
z*RarZS}0d7wCr@q8O>=A#wP80+N(8ZE}sg~?uyk@$jX6bgpuu|(Ibpz;i0BE)skB%
zsGdFQAtF`tig>pTZg!%TM}tSEZCa<Eg1diz`HzkA>feH>v&&K9I1<WZmT@#Q#B$dt
zP3NajPiH@Oa`m6uDy#IxP^1`<ZE%s*XA_mSe`TOIlrY<UWJ}0>M6GdjaEQM&$$}?|
z9<#A&%3On=+cpwA0+1fWC+-B8*PE8kxOzy9$+6I0b?`}vw}{h<%q#}mhg%O1{{#<|
za=9=L*_{m~$7tw@5C+q=T`T;=wy=~$-JubW<rZ01KYt9MzAVwHMZkR%Pnn)+w&RyI
z{w2jkcwx&f%({~RGt44Zk1{<-vqd7*7Fz#l_(OYG4#zsirci8!w!~+ch3kp`po*BN
zQJ_Nsf6U*Q$#x`_?gxp3^+4?iIi8eu>FuaAncc_kZjEWz-Q&J#&!T~6g$!U^uBM<n
zvje0|LY8aCa~ZcUpd}glgoSVl#bLzJ&1qmX_cYVtnJ)qpO^`}i>yLD>a(tv0(r^-P
zD~M5hQjdd`owpz>{oVTXt%&>R#c~}>{Y>*MPG$8QU#&`@p<Ey$%)k+#;EXY|&;MIG
z=pU<0tLXt7M%sDYlgxo00#8ageK5kB=euEKOD#uT89W%yc*u+-QlHq}YZW}dy^ZfT
zld3J*?T(#6M4jp8J~2QYnAz05vjK=rP2LpIK<6%I7|{+V)uOxzHnm`GF`#m1TfqGY
z=laT;u3Nyd<u35A6e!E~$#hX8B;XAbY&HbTh*r@+U?d!$6Gg7Kd_M32dc&IIQ^TPV
zsA_YDIC1%fmfd!$!#5)G@f>>WIzOT|y5#+A+K3h9_8JxdOi5Q9TJC)8zPY8H+uWoi
zy|5f=QP|u7bgaFX7m7X*90nB&BgPbc4s3w@(jATKaz>+`Opmj@6)g4&ag&D7l^v<Q
zD<p6t=LpryVX5;v^MajZirjvgUQg6m$2h<#&p#^U6iMA^3q$vu$_pg@i{~O=6`nu7
z<_;M_B_;8#ZQC+8lcPj0zY$QICKshV9d$|`O=S$s5TW#63)AWXQGJ6kxY<kZ4Tzpv
z+Fr$apK;g9VarI=@fX;I@-&@BG!9B!wVwsJ;yE}N*Z#RLvH_`Lo9;~bjM(xkt|gX!
z1A)jtET%E#l3;(kSWq}+Qm_<U9iOf8G61d!<D~|;Nb3TJD^c5}13`LSp&eebe@x73
zLI@s?MOT~@Pm)=w^i28{GYyZA6?u^3s9xkk9S?uA+Ot3#g4TuT1zdI>fAun!QgfAE
zEA@OdaJFU9z2QtKo)R+$5896&X!HP}s`wKRss4-T4<e)N*HVuYo+_l9yKMXO`1{#l
zvgNrvWCyB0>=2PTV{j!(130gl8AENMu_}<Ws8yly82cxxAM@W{R^Lv8LO-aZiQ|V0
z%0Ed~iGj8N8)mKv@tFq&Gk!f=41RF6rQ6I$=vI4I*5ZA+bRHdFOK#H(n2TYqdstaP
z62LR-o^mBsCW*At)3C$<Qb4W0mwl<)W;`ZkxEP)ACS&hdhg91Q)#Vpb8otW(fN*nh
zDMa->hTJi&ClsCksRAwH_F5Q?n*lJu1yPK^Oiv1%gy-5u1gnE2rK<v2ZnE22#Q<Y7
zYAX!lsI1^?xM6W^Wj#xBFacS?hcDG-*)JRsn#3O40=}`oU$1(`cvg?lniMA$^L6l!
z>Ti2@y{w`jm|^D|_bGMnP+rCHgzOF5+&#9$!dX(|qMgVL@jD@AFyl+^M@B2EFLVYJ
z4KI_*3HRQ-=OZShrn1Z&K^+{=P62T?>~NYL5`q{$6M2RignIiYC8QO|5w_?lk7epT
z?#89@8CWZ>hk0_o>cH$fCC03_5rNs&a77-SicqEA*KS+Iq`Unw-I?I-%eFX9nNP>2
zfi2?kAA`rMmGaR{#z?kNBKSevpDc69-id!rXLfhczr$$4wO$cVn8XooSE{ZvQqKZ%
z!;VjXi-@q`{VbA^haVOa+CGvMcQ#)ztq1&eNYR7ZC@G^{KURM}olF`_Fs>x8Rj#ln
z8zOgehT&Y#QiafAnWRF#CFJtKyMJm-X9LO#_C>spmVQ^T)JFxL2~%Na{|yAube!vF
zP|pn=F!1yY%rVW~io>8Nzcu;(2tD)evw%etdK?<k3f;N?$xyf)ksAHd-p48t;~J>F
zT`;w@tzPIR(#T;ygY=Adsms(C>c_#N_ebf~nxnnq-xO7ODSB{93&GqVOYZdi9xW(y
zdCjjbC)afZO;Ati*kX2Rl(~TBG7M}{w1pbvvvR6Xlb{lYEMqQk9a%1&S&sWIR;PI)
z&a51kTh@#~E^9y)$&J?$dR`2=a)d)F?w*v?SD8-CLd|Erzw?;5_<K4=)WlG=7u&F%
z4`?QNjqZ<f!Cg!7pk=VOn-dvdiys+*=KG{3AHcmSTkWz{^9C{sH_^lo{gODThszbA
zHW-mDoss@ALr%$WLh3aXj*0+UwwfV-yQ^R1+3RBrBHsCisQOkY_{<hN;lfwt<*^&Y
zNJj%EuC^4ym3jZj*7td*Bwn8wI0@`}kx!e^XYGA74R3f^B;HNvBCeYiW<PqzXzg2S
zg-JdDNEMnX?~=mmUp>F}pTUwXRm_>jB1Na}KsUzR&Z~Oz_0L1q>Opi&o8Y~kDRr7F
zP(d}XmmsMGBXQ?J%Jk7#wc<cNK`sr-yJxVFu^Gl@1^)bbSODXBYp9K5H$r)F45gDP
z;;ga==;tXw=`d?WUje23vVkY(=7jg?UH0?$XeF?iWH(psR}D2~BDm}IZa5qQ97h=Z
zydfOp+Ec2zmLpb1g`ZqMIp`DYU9cE)yt?TJkXckIPv54o<%9$N4=oqKKL)qt$g)m}
z<pZs`o*frk@X<Pd^_5_(?J)YttOpP;n2yw!Bj-XSnk1+C3qA<_HN0;=?pp?vV5s2u
z2I(d3*ko6)qP@%cim)5vwxi6#>@v8@WSqbrf9&n*!Xp>^{%;cMQiqjfNzOFBu>=Ks
zXhKYp03^Sa31pa|d#-ws^JLT6F4p5(`{j8M*L@vS6&xi&`~3Y7(N0(|hGUfgqA#DG
zn)%f_C;%zo++~B5pyN-O8l7qh@v+Z}AccFoMJm>lgMxJHfDC1<;_1L+fF_?|)RHcc
zP@8!^1s)QeWp+rK&>1$S^x`rWoD*krN=D@pbuNPdf)5ka_((tOH``J<l{Ut<9|ZV0
z9h)|`Yvr<FZ*p&S?3XeFIuDAO{gOY+jd_CnZqj+<*^R<K3H`t)3*y~f_q6ENtYpUV
zTF#lOsi%g5kNdD`qNs@Y*0YmvlMo`?nui3@^-5XjaFEynV_$$*bGRp09D+cn;GrDq
zX>L;gh1(())%9K6s%lQ!!T%AxVPLODMJO#ZC3qacCPcrVxX#Ua&1Awl!(}(~NBDu!
z#w$aZyPn?HUui!u8cd{g>c#mN-@~%UeKfQKNqpZhQSvsy4?__eaF_ctr*CJd(xdTf
zlVZm5p4m~6Qm{Z?&AmQXO9zd`@?P_RQZL~EXrRc!y$vB}Cwj%MHPShCSr{k0rKi0W
zUOTyf61Bz`9`?U|RB{8RT;6$NV94yc-^fALX)_L!|Kof6zm=y{&gIddY4q!ubcdRJ
zNBnJO(^k%DtwUn*k|t%V?<A<w^HE1P5C9TeL3oUD=0y`wy)79GS+6j`&T!;7q3bDD
zZ-8WIrF`RGYe6q$zvrTPPnb!Eie9BijmyUhqj6?46q|k58!|j65Gnblw1|d}QeVuO
zf6=z8$rr@_J%f%DyI<lY{B*ti4-}h~9pNcDz;$b;vx}MD(%-BNNGT}IkyKgNFm(aE
zszFIZxYGrrkenZPdR<5Uy^ydL+s$RG|JW4I2BHiG{q_U;UHum-te=ewx@NfHJGl=%
zo7Qa&fFhd>D(q%L9OTtu!$xy6N3rqW2|3eka?@IgV?mC|)dZ+~Df{)Q+z-bQNZ&|x
zZ#SW@7CxrZk%I6LKMrm~4_8Y-jL?y)t;fg9asG({zPdTmu#oBkW$hAiNL)xM-dmJr
z{K6m6`)Ni`2G;rLK&nXgr4cwmRB!5=&3%y%j1^&6xEs)M0d<;$8n%*(w=y8J15piS
z$;tc#*RykZD(@UW&14`rAZh&#kl#zmzH?<_Wxt_17fUA>nz8|PC#US4kHlv3cO*b<
z4y7qmP?lFh6X#mBI6yw8J<>c<dAO&gwf$#JS@N~|B>rchT#))t7uC7{^8fRfmxIjX
zr_lNE`g<5M`HnH3mHt5Xif5S6SVS#yf?3?a;CL47eCcZMcT=!%`}zMSQ`^EAiU_+F
zamYJjRXq#b%JS5WOU!<71?ETuTxxYjvqvuabhBhF1+~5FzJ-~MU2}3tR_OG$_gJQ}
zfUl?^HBe=^Yj7IuVlKh_o9-86REV75g*w?o!aFmSEga7Cla&M#esStc@nWXW+1NO}
zIO#<&-U$17gnd1#3=bs=KISKuug?aL0=uEXUwSURD-Ukt_Cwd53QXjBlU~_KY4P^n
zWhl}@hal|cYAO~}kXX)@aP>Rr4awhIK~=qYIU2X}DpKk|_^v4<bJ4=J%x8?}9mKEv
z7cemValLO46{87h*<-m+nq5M6lTQe#OQ{hnO_53$fc|SH(XNZCq6W?(?9%4OrH<W~
zX5fz79fOzu2J0nvlXLwvGzP<GFLsOH`}vcm!onB@)8GQQEBlR?PTv?n7ZAeyrH6JX
zTel@QNN^O<^+EB1;IY{sO;$%~BdN-}87r6ME&H;+p%lT2=0Jyyrm=whBsd5^wXI^z
z3xT=w#VR0(u!BIXh=I#rgQu<gPvRsku@xap$4QO61DfX$U@zKIt+W+OBiPH$Fyti+
zHSgoB7nuFPv`eLX%=)Kyq%4c_l9h%xzg_R?p-VeGOfI6+Q%FFT7gUEnFtJ?+ll&1y
zHtXMRfteP~F-EfVbt&;Q`8@Tmi*=Mpk3Fz5NAy1LHU-ba2wEa(PU~F)!)}_!pV*>r
zM?bw&tmEvBy@dp5(OEZ-#q4b_d-*`AQ3@No+#`eUwAk>Qp7r9uBAaYz8G1o(U}o{3
z2!baTLFDV0ZEu9d`nzEwCi%NC)YJn>?=dM>bFpX<NxKi}uQtfoq<7CaSr4t@J}G=U
zW;#PHJh#2wtUGBv<>vE<pEh;%=tVzUzf)W1<r3*h=KDZk1_s`^=h#vzz3?14zPzmk
z3V{$>+KQ=~%265C7DW@fEw795|3af0;$n8ZorPM~!)lgaPerBKD@1E31B*!2_%G9A
z6jvFe&u!^MI9cN!clRpOO|@d7E6lo+)ktq|`tV8?3iM`;Mtp=2yKG@ZDD*+&oxs*B
zGw=(;+_>n#@gkqM$rf&qKxi=PRZT^5DEJ<fm)OaZGcH_K^A=*}XyrBG711}+kAoPG
z;R+)s^xn^*R9UXu?$-M1UW<UP4)>4rw-Mb~a>q&fY9uSTyct%$I6XG2?{~gLDn4+&
zyn97y2)GwIKv1koNQeAB6Zq{~Twr^R5iNnRY%|rw^)9Cpvi|WC_XAlI3&IEYX)s@m
zbtlXke|_egc90dgIS_5Orv24)a4epZdX;<Oy7k~1h@V}A*c#3pz%I?}qDyujS;AAy
z;m*A;>xVz0Ku~S2PB+Cv)h6A2EgY3&Ndj<VuqV=LnVpsWp*Amr0HWXkEEYP$-1mTU
zQ-F>?l3~Zo?-f*uK<W!+jyU+L3N2@!NInzdYqB)*aBxpN{BI0zD(vthCWHJRez~BP
zTkbXUeGd7U?Ep=TMHR}F1|n2#S37VVfI24>mX67InLvfiYHo}wqfnJgJ&5owMXP7>
zBt)s*k%4-qa7ag74Sw+k*uh6|;<vArJ5lp{r+bc{@TYFpKpo*?zmL)CfOi0zxH|6J
z^c4IQD=Uacu(K3@!BN#=osqZd4VD=FaB#yQ&DhOoc_6xuykBXU6z{014Za3X%mc%`
zi`GASa23yKcqRk|HBnzkJkb^=SOh-9o$4IKH6~|Hf|#*I%E<eR3%*I~s>KK8l%UF5
z>p~V~AzLs;J_wqa3a&zPv0if-2Xu3_D=R!@yb%v4N8aveX?@MPl}77A<l@N(^|6t!
zKQhv5=Z1>e)|*>W+#Pl$eSP&WeV6#wyLg(<NpO1D;L}`T&9IZgkYQNAfL4BFPS|%I
zkfs`>W8rqW`rpiK_9O4T&Be@Kfb<L{;^mP~&iR#gm<JhKp<mGrOg^noZ>j?Pj2&WH
zUQa87Td03vmB4O_!M${OO%PN+dUFqxAErYAe{+Fb#`_#-vvz_294)6i<Gwb`hX>Kh
zCfqSL5sLkrL3l_x=0)~f9cpo(0kk~Abpx#}=9jUT@87_$Z$9OHZ9@|2EpBD^QvhjY
zvJK)O(ofn{p6%r{d7H}qe=mP{sgfhvFuQdyZcO<BdcNziG+NWEdlC()Tc;K{r}!Q}
zQqL2?N7vn*j>He6!129udx~U7$CQlFB%M5ZDU-K2$Gi}YOqab^`SAb%2VBs*?(3ej
z8`2#Km1!$@O6wp*h#V2oO{mC?v@mNGzi4^^sVSXmrcBZnb-piqpx)Iwf{d&Cba9}u
zl4x4J6ta9H2TsXganH^L0s~AKGG+8(`I_;f6gRK2v{9|SxjL*A;cclezQhPKhqEoA
z?uJ$bch)epZ8rt8OnQ8tE=JcdMAy#HO01LF$RAmCI|*XcGq^I>rN_q!^S|=ONs9|d
zor?EQgNN2fu5y#kJwi^t!pdp{ZwMCe$F|yyt>&NECwYDfDo)r>I@m<Lrol#-rMjXL
z_b<(ZOIe5)WhsCKKQMn99Ah;89b4Wl$9}(QXKUy{wTcW@!&{G=8_jz)#mhGTGcF>7
zszcjsy`O+*;u*qt4=IP|rle4tpEd&ybSvEYh;p%#72bx7sivNyb(${>pM#tUgpoS2
zqm!n~np$=cgPv^s4P^n#NVSd3DyG9-zkdQ()D}j+lubK{A}C%SNo`;;W3eFw(KC{v
z-JqTYU&GH^xP$}v^%WN-^Wz6snUc$`^z~m-ih-)&wT9a7F&O<(_Il3Th1&wDq;dCu
zMH5i&#gR+3PHLh`_Gvz-$j&M^AkP2r@3eW1^%7R|a2Dio)z}Y*sm7$HKA>MiwYu^%
zWq^Anl-`V;&#(^P|HC81=ZdKYu31>erdG)|`%)fRdliU2qWL!ml=HVA6C93Yt&lb~
z!V|}Fz>+U7seLEAyKxN2<=(RbaqqBFwrfQD7_$~qx2`C^SKD@thwUCFzNl_p2bUHz
z(V^C}gdmzp6)Bn8;zMUfULg&&=SU}4^K>&h_I57H!obXIO^eyh+DsRx2G!Q{L1&kH
zb6rr(;3eM;w0Aq5{p0b<Ky=HS&n!({%{fr<Q<wEG5J3Ry_=JQHqv27(#N17R0NBlV
z6ZEn?`SC;YM9d@`x>C5V`{AqNaN8o301&(m55$L+>!1$E{uAWBpl%v~p2x_K<W9+m
z_&0C60X3x(eM39TU^PYslj)Onm#eN3g(wt(Df$aQ5N00tqjP_-D1pFZfjOhqrrR|@
zsey!=-w4YoSqnyZH!!vIXIeATwcN?=)R*a%*j2W9=7LJwyKV-LG|{xC>Pj<O3slwp
za`wn$N|IZTS3et2Oh9VW-9Sf~tn%l5vBL2$;T7b{*VYUsXuK;rDkrMHIOQ6Ob$_hG
z8#jvEx=hS%?~pbdDeUSCUZE2Y?;x3LEZ{~#TNj=L>qQk~d;Sg<TuK7}4E2OXJJGf^
zUq-b*HZ#PAW>$=0kpmEC>?B;p8@A3j<~^Oy=>W3ULq`wsEAI37=EKL8QZ|Z)f*^iJ
z7X<|fgdsqsl22qr(zVc-^k=);sb5{FwB8GTb;h5wEoz13<&hy9@~2vL&BUfEiuxYi
zU$xqcU@#Ema-&kZOF$pTD&A=#-dkxij$2S(NEsy;uljv=RJ1v!x8ANIrU6>5kUn8k
zRKw_|NE{&kn!BlcZwYDhSDMqrdHyP3YVaYE*Yg26J!HooJXlmH5;uP|U151l!c5|f
zwWn01hjDYEGmm0Bu><6s*;%c0<d74QB}z&GI04@AWFmfDnh67P5B8nsa<*yM$!gN;
zg!%3A=_$udME(1Y+uA4OoWP)MLTI%i`?+xUrpdjN!5MIS@8xLM=~4^K*^y_mW0a^e
zpSUzSPZ|l|nUTPXP6WwsmHpwk(h=<xY?=i!IfWrq*5D}{M05k^2P@(9!V6QT!uahu
z#eu@YdQOU9YFcdb8Vgn7`!A>f0cGRdkU3ax2_r@fMtvNoc`Y9mn_S}%Wbz}MLFRb{
znazWEYTzJgAZd?(k3_7l=#Lij4E@p0B<Y1z%0)BI6?@g(hR6uZSyocU7(hYH!d-p<
z)6R2z`7%yx?4s6gNNPCZknjRF`!k7JC%ztz>UvdS!8#*A8qAOdQVTZ#OTFx!%55A*
za0ZSII(*E<O<_sicT=!2ynM#BunmgT8_X79Hg)V-5zB+F3>?SZ0n?7_@&mGnxoElW
zeEmMK;=Cs@6vJSZ2_cbJDjfQ^V2(Mdmq`c5iv9_M$KsM{5;D5#3_@pA5`HAx-y5x|
z>Zf<^30P>-yG!Q_0kCEf290s^jGOlxOC@?@T>f70^-VufWF2N``6;WA<t5X6fnjBh
zSark7S$-J-DdW?~<7*kbaxLkdQPb41=)YQV7TN79Gvv58+;U`=O?LF^l0jTDX*oNC
z0i@A@9D+IItK+=P;L+#(0qfYU#5?WID|dd%m{qFbR4kXg&3`$&A~VOCfl73<;-N5(
zhfP}a^h4DWehz<vL}@L)h*2WTeT{LoSQ4;eh(c-R?-ST%ksMya2tj_{qSfY52zK%h
z@4zU-fW=lF>nH_UcxIirpC<qX#&qKiG``KiB79wfQle)$;-{p&r=BRv**d)bazGUE
zig43GXewFoOC>0`NYXWxwV)}yGI6Ylp7y}sF2V<MwU9qRn-;*>NI?$wnADZkIDtnQ
za}laZqmq6;RJcIvIPtI^H#(iXq&8B4h=jlzSk^&uqED4Zn`pKj?8$ixa&mueio21k
zfLUs%whC)Z=u|6j$RUpvI9K4k?%bY>#go<CdvZ-}sS@N5goDdro6Ax0>j_pD7%|OY
zP91@_r|oX%#?6rqcAQQdzl)?Mn5y#lmYdpU35(hbqRzZk7kr?LEhqFNNcN^@dLU?;
zy%O__qwMS4@zRd+&V)fi-@cU1GZB+IypqCNJO{A19sq}y`|{&wR8@kO3?+zb-q9He
zsNSsoed?u$O06U{(-Yh2g!mfbms~a4z_h~s>@7&T2DNRRf$Y*F<JRx7i;d;2RQX)S
z%>jJr`!zB_mY6{7*60O=y$X*UZN6$J)7!J@)%et_Xsk<rDm%>6IYz)XJkKSE`Dz&(
z3;Ka3RjzXx*M8vF<@G_T6>)dh?`kbJ5%b4JxwUB0vkPKyLrkQjBatB2C3!ORw4Awf
z2qYUhPYM47!EQq?2PtEn6qvIg?Kr9LRXh4S1E8Uc-0%W|0&v*iS)UDR@i(jIxjJwo
zkN+XVQ4+&zEx~1H<VCXX;-g*`7|-Yvb#XXvQX^>?{(CJe-5(EQ3u(spPz^n4-tDat
zbwE(FfLVrQ$HbWl+{u_3$#ue`<gdI<{dHwYr^6MvGPb|d7W?I$xyf?BXfzH8Zb-kH
zCMb9@ONL|Op>9uVpP9Ujg#P`oxr{w)5)7WVFszC(ud~$ZvESX4Atx1Ex5KJOkteX<
zp$guj@REhIKmY+$nr~f}%u5Z<o(8<=Q|O)GHnpfP?WwGubbZFyndo}%7p@nCRgPAc
zp)kK?H_KD}xsb5Q<zGLd806=Bzqs#2ud<T*TN^URGc-;Ftmn>QL6uj8>)FuKEc{0q
zovQvtoXcYMp;RF_S}!8}y(%6W=4;1b7o$d~&i=`~iE^uzFwE2#_$M&;xPxxjw~ji=
z4W`tXaIs&o9f)tQjYG!8vzn-!uo3RxIkyr`^i6V<7eL}ac0qFs;|Jvmd^Oo!f0UFs
z#dzTCa;}^7S(@W1lDg`&N1@$e7oQle!-|=VW9CZF!@=&kym^efGn%RN!!M9fmRlC4
zm73mr)^kHawYI-dL_bH?Dg`V<DJvwlghrO|c(kk(SlP_#)<j!9z7ceH{ZV=&n~q<T
zyjbHK;g<#wIrsVqStE;zt}U2gg=tICH>R0Qr-?LzQ|6GaIXWmt^la9R(HLN1KYT>a
z1;<2Axc!v5%kX*UNCH?H!i<|)R>-Cm)9Z!Iw)_NC|E4zotxoMYPc+R10)5tfNc*jF
zE4zw7N>4Ya1+?Q_jgUFd^2~Wq-RH0CWUeFW1nLQAPUB%zJF+6@Vv&$wa5)JNW*dTb
zs61#ffRZ%dZ_>mACF@lRR&&Jzq)HUs1j+<i?WFFOj#`{xkP~X`M?u3Hd*E{3%`tS7
zW{$it_D>z+n4M<gsPGn47ScI3TgPBxSzt_u5NrltyOj4NiMbv|iifl@4odTDt23PQ
z7N7J|@!M^sC++g!MNZA>oqW4VFxH$HIj6@ELTL$7WYD7}+-Z(FKEnP9=^_jp5Hk)=
zdv~I=+tG=fRj8u8BOM~c!9;cLAl3C8+tJ^~H#i|0%|n6VJ^U87e-x|V4cE2-uFY6(
z;Q>jMtfF;jaQu)*IkP(9Hak3`?BtsF3xe-)uEGdGewV}!F`&kjyDqo#5OrEp10-SC
z_<xpexUxV17k3}(4V_ekO_*E>%XwqxxQ2AnX-%;}1}(y0QFEbJxl$238)>P>G~8Z2
zuI@9d0|);u4{#6fTNe2)cfy+q4?W*!sf+8ee7qlUcZHBZZ(3o1$go@EP!3hGSg&2?
za)rthT7`RLGpqWe6bMs|`FLTGenMt6<7u&#bqM~XAHz~^0E|@`U{S7P?a?9hs^%T_
zDaSdsYO&g9;tSO5EvdU+DZuLFrxe+C*7=wdzzGCg8s{MouX6Qg0CZMNm&Sll!Ltaa
zBmF*a6Y`?uUL=n_g6w7nVx(8IYZY%Xx(NmhaJd0&!jtV7(~lj_Yk&`*3zgSYk?IOI
zOe8s|*wH0~6efd!hQWmON3)%!E}`iT0VR-jSLO(q4GT7K$YUbEsB;WEb|#N@y|HS6
zPw^dlS(EhJP~G-k8#|>3mBu&YAmn=vF={^@aI<9_O1sQ8aNvxl0j&qUJr}5bP|T=G
z&HtmqBw=q*T70`|KzYcIPZga<=T*p|MVPkzoVI}iTGU;rjA6BNrIrx1$?fQDSnlVN
zDmB<K{<~F-FH8x$a9nlEpdrGaSkID4f*ye5yWdG~4xH{?*(b=B!Vu_tK3(f3t@%;Y
zg(<))zX@xnq@9R$``UQtf_S0X_#!w%)^9*^g;8c+Tr;ddvFCj&WHNVa03t8E5}Vzy
zeuvbonmrm-KM~Q?gdh^ZLVV?S1gk>W4;GwL{&Qsx7^rwF;8d0*b~qV3zG?Ta&?olU
zFaQ7nx|>@o9Xp$sJy-XUH?P9)h{`)MGX_)O<6eb;^1ZRMc8K_lIS8iK{<1NPwUrS!
zK<9%rh~g&iKf71!3GC3G_dE|S$Ls27XmG7W(?tWJ=Z4VV3$XLqAi0983Mu(4wo{JF
z9sLD9Mr#C(N7s(wpIAqdK>J`mmQLza&ucNnR<7pWZpcyw9<jLUE1#EcE?Xrm%t1&|
zKQx6#P!65g%wbeu;FRQmq`(Ouxx9ud6HM^+7d@!u`%W#i`Zx^wo6wm?Rf#uHqjI6-
zqKe^Kd9nv|T$N(S$@<JT3efKI*}yr!LSIYMekdcX=rj~K#Wnmn4RUA2YN=L*s&JI8
z05i(%qpN*T_s2@Py2)rUX12ABy9b&3*Xp3+GXA%{+z&qq+%N%F-HvDoAI+IgF+&t`
zOT=+|rLVXv)@gHl<oY%cgRc58yBdgA#^LbiS5O8K-DQ&c1gl?d@!8E9d3@~nB8pHa
zF`a^;gh_@gsg<VaMjL!zi~;gpfU=E}tQ~OBS_xu2y_@4-Qgnajg#Xa1S2F@P2`=gw
zZ|>)%&grRkx=QB5H3Yl;H>Brp^9VeIb1hyB3{rqS4^Wzxh`ga<%jwNzP0gJjuJDR)
z@ufbn3JMk}WVA)(GJmIaDBNP(66_u}N;JedL5qGRe!%OgK|2Fa&o{toojx1S0)5dj
z$cI?b=^5gw*TTD969^E(i+hu$c~6Z!$kwn4ge#jZqXF~QaI**g6$y@rEp${q>X*oU
z^U9TMu>=p60G7`Ix#pjs`R0Yc`R}hCb%=^TG}sVM3{l2hu&g<fH33G&cg{`<l@BI1
zLo+=Jjn(X#By=gg?fbV`FYdnt@KyDiVSrAnN9D93D=L-q`CGOxhATwZ-_5!e;wQd+
z$t$PXGEEnYj(V64Gqby?Hsg7t(z1lmVLp>qh~p$~(Jn|k$>vMVyt;q@%09%Q^J@!{
zoOS%IdtBB$!M7Q)&E4QmZja*ylZ<+ICX~T_bhELJ3NHtt-Mn(d_PHu2#>2k>hl=bp
z>3}q{3tsS2(r}f>o<_rQBGf`D;L>P{E~!}YyDGo`qQZ1mcK~~qE*@=EWw+v0v*<F4
z1<h^Xgb^tdc?GE#<=DFJi)-ceejq#rv50%+-fPXr*D>&5unH9VCVe>lc?2!U#O9vC
zRtq8e6x17D#oi`Asgq~^a)whzd+}^V+G$kr8Xe-fNVGB4Q02Botz;;L`8X@5!YEc5
z(Y^~{pwOd0%ala3|4UC-oaAcwTq=!dFfOoh<L~`EPZeePS3DC^!7U5A`M{}0S29H^
zKR-KEGCI#EC0=WuGQk43bEdQ`o^4?9SZSjfoB6L3PD6o|=h`4e(g^1^NJ2x3C$1O9
z-Gud1HJ|C}oO(`d+<y?AfG<zdQ0AnURQu$|IW+{c^i2%8`z)We(4SmyhI05U`)=%`
zCOaPx#G7qF6?bcB^zP7pEo5FXFU`ig5I5Y2D+wY0z}FB!o>N3spFm+XOL{4LC3Px#
z0lqEK47mlw4UPGXSTGPVCzx&#SOU+5jbNSwIeT1rsO_58S)wRQ>26U0grs6%&!f2U
zTRoy@|J1-ZtaQpd5D1MyD(pk|!%3;{`K{a-Yw}rawMka>`ov$a`eXIZCIP;v;wJ%b
z?dW205~3vu8;=)}PdXXi5y7j!TT%h>PyaXHaX09;Uy}`W?g=)gq}f2(U$kqA?W{ei
ziAGeInKADJJ7}cWu!CbD9jp}3Kj|UGBD{ELpw^aPUH%Q^8+!Q|t*EvHWl=K&OdQFX
z;bQreM_bdK;D(HyOU*l!a2*8IAx+FG%<^i;dMMB8@Ht!rt3<>WW6-NKb>ROW;=F3I
zDS_~>fB*=#km-i3k*>5!=MCBvbDs!tJp4KOknK}8G=^IVd`m2mT4vhJVg82LGd*~g
zVUU!9pk7b=F5p3FvVqS-&Zs@`HQarRL3%K(uMQsPGw{w$RY;nW`4R+%h_*5#<tkNg
z2r$kcijMkTfRA1%^P*>OGl{hgRFRTd#oaT2Rh{Q>CT@EIG!eSwgsvJiQ}moo;FGvj
zTX-_ax>c9jZ@lZ=)a?vu0CQHkxoyOA9V;VWlO%n@d*c;#CeH~i>5icXz^%nDqQXG1
zz<Xk;V``0xv4WrZfWBHPGwvX>dy-r414v+|VHpJhU;6fIvI3s7Q=SNZ*<n|Bv!*S*
zDLk!<7gv8Dkb_AK0iRtBBxZ@)>fSZ_!6*ny-S>439j7T3YXpSJX*xdr`%nl&aa2dR
zAUHPwBe0|DtA8>p)@ITm<Wq7pg4ik=iO!BaOqUP)>t{!=G@S?UT2NYKs=6mcW}TH)
zmIB{%j0!SZx@riznT|C57?9p>AGnd76D2YPZq%j*afF_AO|iw|9p64qL;cpKPeuMJ
z{X(4f-U8eoc5ecUC=ekCR<(q9{8aE(g>FUE1}QCV5zZxsW5m=!hvDGwzK}tx)em}Z
zO0HwiBnU4XX0}JGko5#Z1gOB#V78<<CP4fgHT@uXDzXS~5M$I$?6!D)6cO$MvJ?q%
z#z!K0C*Al4+p!@&YqPu6s5koeb9w%E5uRwmz1-~O)iELVpo9V#7v(=GitmkubsvW2
z=jnkT!7k-jb8e)Up&sQ(Gy=nvNq-&wXY>+_H^a&+E_MGTD|-Rhn$8{N`bx302KazY
z_j0qP7kxmzR@XiNWIQTCCpaL(c@rGh+$AjQ;K&JKbJ`k)Zkic*4})vVt0(1^;TqKM
zB*68q?$9{e0;hP!?bq)iG61_URP<iv!kG>X%xlCmbi-3M22Z!5Oas`O&C;a(VBFFM
zaI1}?XS2_cCT!I8;3ER`zTU{GXxE`&Khod$8E{s_M!prF1{~!hSj+vX70pIM-2a;g
z=cW9`g-pk7T|;!Zwy)pHn@OcIYEF=w?W|i5Sm8ii)Mo3MaAHLK+~cPECr=&B*||y8
zaweqIQ1VhoMc@-F(0upd*cdH=OBg0|3|{&rc>4rlyHmEva)BXNDM4@cMZ-RBO0<zG
z!eHspZL|y)KmZyia65=2v!CP`=A@2q^H`-Iy6FbAh{WN;uPi5c3N}zaKPQW1*XcM;
zISaJD4MSvH!byDEgCjZuqvbJzi_E@WkH40OF+T_KLx84Ld^lfgpNf+bOb?H0Q>mqW
zkC$P?&wQy+p^h9P*Vg)!hP?DRJK^4+>z%9Fzy@&e016U3&|6R|zDA+AsAaC>D;ZG?
zUb|2N)u3dNETWd&&r(A<Pfu8gKi=rpKtnZmiF5VjBil2piFr6a8q@dFqiug4ZMTki
z#qoX=y<!w4g4`6!;ao^KAeUT1d#N~4AF<6yh6r&%n`r*voZ5_SV8QS1$?5(M22%8x
zxAzVpGsK2&Cij_Q7W1XG>EL${#890C342Mi5!rb_*Ru`dSG@^#H{vvy_OToHlm8#Z
zmoi17`TU3|LJDE`wUjy95CKaCmJOcGuuT+u<X9O%{hn0#kK@^;o%91LaU7DXt!#tA
zn_PXV|1O}Khy;*fcS)gp?#|CYTe1g|B<>JUmD2hAPger9lVWH)Wk4jf@zJkTXU78J
zj#WbRs3YLxokTr`Vh)SZdtjY@VeTYxr`$q1+2;uXK9knof8(g5StOoKF2+6E5h+wK
zH#ChUo(LobRR@i}=*yX}m=Q}rMB1K;1B?o~^$j7stbbfEI?}DZ;muG%M^8A~u54PC
zsQEL5hy@em56CYu%yUWY<8;`jvSBO&{>OoYk^SZQmxiE142a=e+VyM|UOG<)Z;h#^
zzu9nyv)3HNLIVi}IYM~wR-E{Il|CnH$vSwI9krM_k}=MZl~I@+JvEcZE&w@G%-pI4
zI!eK8HVUnC17_2~lfn{TV1)_{2!a?g9<wUN_@L$2;wwqS-A#;K^+ono{?|e&!!FKx
z?6k5)B6teztHp`>c{ifscvH?xF*f7fiU_P`H+Fk)Q8|~xrg|V2r{=8xY+BJZANdO~
zw9svL&JSjO6T{f^(&QL<aO>C!V&oK-uD{w!9M)yB%v~8v(hAIUM{eor(7|QW3zAlM
zfh}UeTdAmaKp2Gp00W>Etm%4)s|)}WOKupKDdjm0LtaK96#G`KC13}GFhzU^^k@%#
zZ<9Bb9&e`~zOrc}2;r<hTWzlB2D{37OuwQ6RV=3H-UN(lUA7e8Ju#h~P(CTsdcn1v
zRAfdfZq-uBn?cY!kHvY)-OEx9+tQ(?yKYIkJF9^yFG^xAWsz5xfknMfd1#0%z*Hmq
zvX4?y$kd84i<mo-aui2V&yAykZuhW9IPl-Wu{_6E;=wMbB9lbyCG_TaFzqnYLEL8$
z?3Ii1d@p&nAxGJg=bsh~pFm1A`X(*3R2uXI)f>aOiXwjG5#;KAiiPQvQci!Ql#~h^
z{(9eTzWO?Ptqta%X{Zl^5)t63?v(WVEGCmw{yMYNvv~jgUl0SF%_=E`!U!Q=jtMDz
zs7man!4P%?Qt1LNQ3S0C-j(T`&4;#qk<fHXV+`EMCRrvlZUZwcK_2+TT(>l0bNccz
zhg|>)ApNhXLhJ+A&z9`!wVyHh958zEEkPuH8pz3*U6{z&mvNO)c7lyK5E0>8)7U2f
z*^(a(CXFcfie5FrK_W3|u~i@Q1IAeRoUCnihnY>##LWKd4{T{bF=8Ui;Lej#W!Nf{
zY_J|Iho9b^_WR6mdhMen{kdk;@>pTN{VqK)HU-aNW^z&pvL(uWQ|~H-07Wvu^siUs
z6*scocgIte=k%$g3K~&Vk77(FbO>pe6bTL-s9gN`adrAcwDR%JsqSfy^0xU&w~}KK
zfgqm<9Ev$+(<%T4^7pfWQZc;KL~S8Z9&G-zLQy8jHagg;>!*tz=PjkR&~DYjgr%={
z(%t9M)beuv-*p(Nfo?kX`|r5-@8zV(N?jT9b;n3z!0~b}=N@6f6XteKNR!kqptKWZ
z*X6p?y<O#gi!_7e<;XmdDUj#wVP`tK;giRH9f5+@tBA@znLZkI$w;XXM+js909!I&
z<`P+L>p&u$I?^(Q0XipGzNRDslN4KxUElj#ObeXAV2~}_oa1EXnCB#pZYh(GH)#^#
z{VL_D^yzo~r^MKo20k9RR8f_K@a)&j;3oZS;iww8OLg<DXEDihgael0x}LE165Y2z
zEmH>icUh>}<#ztg8{x+;UYcbIX}A~M?`eNol){&mq~2EdzVvt2H&6zN<7l@6f^EbN
z9-Qn#u^8%Yza1wN+%W2yM=^~{uhSzDxX|5J3)$=3z~7dUwYkkz%N0gkh^uP9K9(DT
zB<Qjc=}ONyiHfq`RQ7swCu$&H9FPA(H!PTgp3}Tsx1Tl_ER<=S;0{k$1huM$sF;)S
zy*MDWPNoY{!+k+ZW-(iI;euL_v!#Q)G{NKobsWJc>y#G)?Dn|7Vt|i(3=pd=y(g(k
zVN%1JOb8PuL4vtKX5>wJwDx9GR;5g267@d~cZ}9m=8(NfdG^Mr4cUkyfd3RF)ug}f
zSPYh2m}zF0<+{VY>!r_ng$gh9W@+?-^EeFjPhE&|tqX&Nz`sj|Nb{Oi17TO}?_T*)
zqGsi^;!>&xY(D>!Jr9>>?ATiYpYO=n|7B<6p>rk*;#*mg;?~0=e8(KGiScnM-jZ?l
zb<RoNf3jJB%{S3dv}Xha%UWJp_zkP2=gyjlh`(B|)l<Uud^{k{p9jqp>^$M`@?iep
z#~T?~GvCf`iOTGBNW2BT6+yz$R^F04skGAE(B)V9Zw9S0{3_n)=o|#jt2{YZg1V7@
z9Iytu@7BOcBQXp(rN`^0JJw6BZHq{@C43jo`Q|~>H$cW}&R*x_K~QRg;l0|DO^#q+
zVZ2YONBH+^xT$k&3%Bt;aLFHalPSGyS#|X?Z8;}!qexmqK7>w1DLHn%%J1<k=5I!G
z{SGq=>Axqh2ji)hDR2RLsK3YcuQ}C|3;n%S#Kh>>EHN>)009LPei0<Cvjng2LxSBS
zH=9D)HKNviG48I$<KloNxTmh@(BD?2jIZZg)6pla=~NFiDEw+AMOvxhwA>oGsqDC4
zrB<qtyBGsIgBN2}3X{<XA|4kT*HbCpZ3F@(_GS7dbtYvfkFvkrz}f7^l~p=}Vah+R
zUT_NtVwrg%!{8urUO!W0`wS!CyLw_zjNum^RO$6DWV?i}J@)$k5x7*9{hZ62RcTxz
znQ1(uqnP+50ASQAJ&mMx<}<fV7vlNV6#<93zp+$ONk%$%Bu0lTVI|j%e69@Ix8<AR
zGb(Pc#lqc`*3qki!8sP#9`dCJw%}>#c!9Sqi2$vh>UrLMBzZU)pjzp8)PB`0v13Zi
z^mn~?<?YZ2D}o%QOKacdtAJ`N1CpUwrF-}1ng6@~ZM*_5ZwPo&Z^Qz_y3@AkiQ!|g
zNCAH&Ha%)N7gOv?I~41xpce!7HFPw@H>%-TmRt-b7Pc6wnD^kxBAl8yobMt<m#EJb
zo6q^QAiI+W5H>@z6@%9EZ)>J-Z0Mf|C4Ir?X0y7r?_)=Kc455k?Gw!WQh65Srsf~#
z^oyjj62149t8H<VpoxEh=8EWHof}v4O>dh$njxzey2vh5vj1p~nplU%kptPXf=2?t
zd(M3YKX;Sb=r$C&7fIksp)$SNZj!3ylUP`7An2g?ba+6o{b8(6bI+I+3~l6t*LcCd
zGkU?PkNq-a@%|p-Hs$9iyTI(>Q5q9Qm(Ti#Gqv1h*85?Gca=#rOnOcITTSs&Si*Vb
z=$1!TxoL5ZCvlIeN;{h|oiQCTK8lp7=f<TF0%kJotP-b`1_9kWzhkYc9M78`eS3|L
z^Xo(Y{goifk@mQ30-Xvh0pGlzYrd%@m&YCxW~!?olTTNk_4k6ibX~j60I>L0tUwYM
zU(PKkBx2csJE;xGd-hcIA*WL+kTbmMjkK@;07(vj3mCC-wyW$TgY4;9k82b`<FH~o
zRoFb%BF|N*8?+W9Q3*I1uz<lx13yXJTIng%RDt$^F5|a^v(x<BIeiDkRrU1bEGNGW
zH(ZDxE0=nkEb$9$JxuN5{uot|q8n9b;WEd>Adpe=6Pg>VsQKvvr@fz;?4)Elh^`_u
zIK*O^i_3nTHQCrlK(RN`diVpK%DX;sWnIOl>YjrAO;;&-(XIsp<pWocqPYTG#*Kj<
zrl()_Cez~MtRVuUSfLAZXZmaN&KZJBGyYL0!a=!V0<_b%6Qu<Yp}N5fQ0hHuixKA6
zh5>E^@xQXapBJ*!GzEz2xvTN5KCXv+rs%!h+gS0B*9{KaO%fL~P9}+ie^RI)bUFY`
z-O7%mafgBe?<SeKYsPkzM-6o70C?&}pTZUWgb+^=z`X5JtCFwh81d+h2Q?>M3qf^1
zb~?$%iNwLS(v`Z-IWJSxl(D3Vzb49S0D>@cLF5xHMB4SuOB*Ys@<3n;KR@p;HCKM<
z-1{%5k++f4H$xZy*&KE#84^ItLvp7GNrDU)Uw{*}VWwNK6+?tloZjJ^^66q3%4iaw
zE8gA|c+Gj=UFC_S(HRadx|_~HW(e($sQRhYw@##(4e3*$E4Y6)QLlmI=}f%%k0jPN
z?4OA?;Ya`NdlpFC^!Qh9)aayMvA9E;S&sWehCm-d`^C=8a#!h&0u2|PYE+?l`g-=S
zMc6iw^si8Vn^20H;K1Y5z*s2Oh!fdM-M0;RT&R7_60Q2oe6v+c7|#wR6(~jkMCyEF
z;*argBZW77U|p1TM8=%(e_dj0YTg+U?`1xxc&#%_TKmQ|eKRK6DAv}bg~rGT2Zz(d
zDIYC<@4*wHdX~R8tyc-br@crwh-g;|-w`-HABifK)>9r(m6&aske$~Xd9EW}Ltr>>
zFdyb7z;>q)w1K|%-9V)fMsNTK(C(o=RrG~S;$W-r_afbl$YGWeu%ZO3A8+EudR?Q=
zlbKXDx(B;o3X|75caD~dGFk4kI+|MfKGXOz3J@}qdo&HI(yG0sC7@jc-UZ|0OFgHj
zeI>Ualo1J-U#F1DZ*2;IS(aC&$Y`5~Ox>&0H-TwQ?tqS*^@dhs?Z`iWXw01mvO-82
z#3ZOdI8}*+Xy<K)LU^oM9o6eKbhS8)!e6^&s?J$rccfjl7&qx;?=PMz6QBUm(Dx*g
z#Y7GE(DZ>M=0VQk7doHV%!FgAGZy&$2SF}oD#^YGnw-lGL79gC(io+MkAV&Uo2rC;
zvEtF<A7>BW^~o!?zcT|6@*2)Mz3b1FG7$X)$Erf7A+qCoW7;;d`D*CS`_+Am&1r40
zOIM_3{=UOkq;-q9Cn>Dxlcd!WBGw-cK$m|9UPN6-ebT`Zt3&;PmCpR%3w7n|0VDN`
zqIVK^f2y$2ugvQT`&!RP*b4N931n3qyNmeRc9`7ai!`fxiPtz}lv_J%aAtFJ32DvW
z!FU!=W3uAm*hz#`a3w+TT0}|<33ax(upo8P7x(x+zSCIT4gYK4uANexfoPn0X23(k
zi+L+%r&7nWhTe@X*<wl1!<M~uT3pMIcu{jp)i2La=cp}{?hRmO6gyVE^5XzCaApVJ
zORnXbMQ6h|a}WjaPSsp+Twma#ulKJ*TMMbI5FCXG!R~DOQo?=s#zZyixj&9#h`uDt
zE2<<fVO0!=AT`wm2i_|_4QBNr@B67MnGHrb^H$i!Xe5(r^6!k);P^!L|K(<yE-nf^
zw<qD;%AM6pZGQJl`2-KiO}rfqe^WE>LAV-WDzA0s$1=NWTKoF6;<v4&;;`zbZG9~I
zqQ3=BSxsg@RW<qCdPIQ!(q<hE@!t=?>q*#>#@7}hz*yHZPIbd%wC+<$M?oi$000Qv
zXr<P1F^O`V&riuKDHCB2yyG`<WoDj!B}QPd9$7h@TdPar7?F<>&6-4Ui##;8wn_@-
z<n1zL@DXp|LBzbM7@juQ80}4f>l(wcpC>C+XMs`j-c5ga2Gq7Ibqva^-;fIj$hAxq
z=_#*rJxPA#A!F+^^~o#uLAKRY81L)6-ggI$ijxr;Q^G1eC;M~m?(Fj*$QZUV<fuj_
z#%Di5+ED5ze%bIekHkhBrWOFNQ#Is>O2iJc%cKL9Mq*7FPbbsArWHawfyef~s33+A
zNy_b68$4v_h9e+U=P`z-jGa%jU<4B*=Vjx3uqcyY_fGn`o&bNit}DvC9u9An%}_7w
z*g2&%?sB8Y<hndvXEkdLayN8woI-0dC8?8pQ^xeSj;I>Z8@d<=6yn6VvANDsIy;Z-
zv&KZlQ(}f$z=q=IRB*yE=+e$xK$^h2k#tzN%oiUc$_E)qBQXib<AQ0&Jp#|0^cUIh
z>oobdjTA{q$siJSDeXt}CV_D*eQ&%;`E^>!rk+gkXPK!6t#+3Ox|DXP2alHLItiei
z3BL#VwK%r}q&0lKB99w)ZNLD|vV%AT`Hr{y)QTfxs`h_2yry9gHo0+7ye6!BMljCk
zKT5<HmSr1%d!0M~#Z66XDgt2Y9W8F=4-+S34604uuIT(7zD+p^+yw8Ptmw5Cxf5}C
zMt-)*lV@KwY4ap^cC>h??KUF4At8;~qv&wui6(%@0;W}gev#H(*+VacgXaLSmf#?8
zV`<yy+fWgPNK@aWRS=dM;SEeD?TO^qX*;COh|#gvm9*gCQ`uHO`u+v3%Nfz-Ry#~&
zy?}BVi=!bkCx6Sv4yW7QtmM0N=cEP;+A|ovqXfi&!X)Rg1G+MI3Tf3R6e~M#?T~M=
zgq&#eL@OFp#9NyElV3&wyI0hJt9P!SOH)gB#%}0@ycZ*q7|jx-5#~WrA3n4m=#od(
zX8jlP5U@${BXc*tV8Fvq<pYIWWM9KM>h>pFQ^ly=!RmARk=t1Hd<$1fdBxQ{oxj<A
zulW%sgSf=!nzYCqzU(}&i2yV)3*64U&tVPX_R0!rB5LZ_nSh>uTTl}|440uL&lDr;
zf3g8Evg%y=2JzD#ID@soTbb(2DmFN{l#*CC)VhU2@m|re?qDaHl$K;8WN;V&MC_up
zA7{92F4GV&;SG6f&P#KyU-p~=7n~ds*6>-2Fs6*+pMPK@(9{Dv*g8tb+vXI)*I4_e
zKx!7!jnPW%2&-yY-!2Y_?wRRFd2Hi!+1VKYB?!yZHDJl6KHEDP_vRXshlzkGJ5!ns
zF+;YJ8(DINe0N7OsDC4<aDf{M1C{9XGz}p|YVl}x(nD_XNq}<df9PinP8Q8M2l*D%
z=E>3jp1IJug;HYLO4;0xniT~(h|I3<9Hx9qZUNf+y|vzZFHMEKS}JgTLZbkmH4<&W
z>7M^VE=_0sQ16`5UWgq54-4ouwHQE8vDw`Kal~P0)-Qrk0G0o|QzZU2+EsmIfTLn4
z4FHQ1I-2FfD%$W11+1pGzZrC$zTx+0qsdfty$hu5&^CaP=_E5;X@y|c^5)qYhUP2@
zUKHNx&}6M(02_#KXasL5k^f!g#GP9vx9t(#Lo&@eP}UH?YkXVU^zENkZv&L|wL&b-
z(ecZu7ahWRXV1q0YVrM9i$_BwGJH%$$WUr#@0MsdPSIzj-efGj=D(`Y{g{V}ycZKR
z&xCffL%J$YV;Vx`xIEZ4%CACJq(xt$C0D+<$6&jA;}o0;Nkw3#yYy+uKcBm-u=&pS
z2^*aR*NpfVvmTx*7=kG8B+sX~5(mVJ6i=UeS?iNDMchr`I(!x;m%AQ$`B9dV1l!{e
zIfnpA8k`Q1ZWUG@22b)HMsPU&1(shFJzCObP^|W(1Ofo;Gd0Qi5zb@ao)G?=i5~Y!
zgV8r3LBGoLFN0bCt;_Q``#{BaqcY^MppTnu1N(e~rX7{A_TmvH*ml+KamR^4*H>4=
z2@aD+MQd<O$#VM5L(^qP{vsUp6hn$kF8>NeJB49!WGI)GVfh>6va^F+gq<J%AR0!c
z>H1jjc<3S3ITP<E4OUG+zTI=qY;W)GcORVUkA;C>-&j<@6GkiAkN`CRN|u4I&|6a9
z4yK`eurklAJfANIY(ko<4Wmw{u5|AmFb$yOZLj!wrH<-5$q8>Gv$RD$4SP-QAYPsb
z5|T@LA5VnRZ=P57hM(<V$gP%qFL(~{$>*_F?S(@yk5Tff?-r;}!PGjPsGa`bCv>oH
z*BTtyq0UXH$7ILLHR%?g=XOyMhm6D~&D+M1gI%{aJ&kqp^d12rF9an(%<*$A62T+i
zCB1AMV+B6D1az!bNbToty^CFSJgJ^}HTI@W!|L3uS2oDtqmk}d%e+k}#pf1KMou)Y
z?$Qh`$w<i#!z5-%TiGvhVg)x}gvsXe^t2P;&<bBaa<R5;&h_trC4uoy?BwsMnzp84
zp@P*1XqHt)qFKyu>^XKhvM_Q@INfppp;S=Kl=&s+7e$F>?M!1h_Fp%oZ$W)t(~=rl
zo+R)njlfX^k#mG3#Gq#L{)s^^m1I2hQJ_O$V_;))59156tI{l`#{hRc&bJ+zyU!|3
z^z@I-TTb1pR{}FD=4TMDN6Ca$M<D6vr+x#K2(jn?g`_JC_H@IEYh;*NS0m@MpAfN*
zSu=?~aPsWGFIMr`_9ybo<EU{T87Y_LN^*!Fu-yVWMvAEE<Ut!?TmJ~(HJgD28^{0p
z{3)lG`F0tQp+I}Ch>OgNYDkg_woc`?;3O{E>X0TUlm3kp%=>iqg+_a)a>FqNCAO~H
zv0^r*j3@PD`9Mc~Jvw_XrRIpwW@;#nSgSKQl3Dr0)4q_CZDHc^a+vFZN$1xGUy}BZ
z_I$_15ajHoAU%~lz`Fc6aJNZs1h_vx76`_Tf&~yUPHp?i5S%o_khPeP2abhMFA{*f
z%{kcsJHmGJ?Q{j+gQ+4A%c?5wUMoNV2S(RBpv#xgXy;SWtz{ivDCGSg*Fm72x&bpz
zk_G^wKwiJnLy|8m9Z&U<J8M4Dg6rbm*QaoP<trfxFiIk2P_JDPtz_VdIxU0Tcc`7<
z9nZsU!q=Z2(H1RD2+8y0)i?NVtvT620)4C{7_&_L$Pr07g7qqkw}!k7mn{Q>A3G+V
z%2T`W`!*M|3$8atlggEE6k>bLBO_wJ45&ep!UdVH4;Q(i5va3%4OYoSnlZBu^o;ZM
z`H<^2;dOr?1-P@knb*6os{Cc#q6a=~1H7EKg_7Gg1|IU)om+xNZf=!ubEPlb$Cg@m
zLkjPQF_Cz+HUiK)q9F=yiyvYP2(b$R7a=zL4<eUUdUq~D^U0VHCjZ7Ei)D-p4jmn$
z#&*EDwqW~yGAk6eZF4esBH@9*oBM^*EyWQu(pEHFkM(nBJU4r9Mx*P3l|t(GEMUwC
zxLo^cKZ<~EmPH2a$sTF)FECr&;hU+F3|Kg~lw_Xy6c&@d3w^f@v7#4ev`*SVt8v8I
zUCH>kZ{b@-q=R2$**bl&xl%#Cp3ObMs{{L~ql8E?;rjnnd^|Hu=!cb%+2IZ_2uE5t
z-xc<Rp2pHG{=f+zb5|z;|ER?aChO9Cdlf+L$VL}m$<qe<brLTmY3K7iJJv`<9bWNw
zaN`1J-oiJim~Ay(H>Q3nY{N!O000I)wx*&NcHt2CT{i7{PZMkJg08#2AWm{W<mCFZ
zfkce;&Yk3JOUu#1EibrD#}P5hy7Mh^#e}bH$~c6bXMieO9RAmD;I4Ll(<c(!s)}S0
zMP`qS`O9NPcv<d=F`csV)A~pQ$T?{met`DkZE9URLF21@WBf3(p$6K}TLnO1ak%AD
z>YQCr0Tjg5r%S+ROpiU$9fX$IOWLdy-R$KYl8TwdK41@)zW(4f(&*r&(=&cuKNWX%
zD!;slmsOV$C>Q_6*<or~RY?0kb#`uQK{m%TFl4c4{wGd*e?rwH;q$12e6IVxA0Sg+
zk_|09jECz(^|zC`zR>+<7!=HL;eTq=nkEbK>A7nAXZbw$KsPxsp&+Sok!jMyw!tb#
z?cbtjr{oJw1OuAXf_*n21bU(=3{Zbumlf|zw<PhO#%ZeQsYYS$U_Qz6ZWcDq^Q64h
z{|wTT9C%7CZmvp69KSi=&%~p*OOKjkw18GwS(;E{9Fue&la()%(;;_3LFjSZ88fLg
zFQuaHi!EpFjpc)mMq7$vakfTb`KDM@MyJ9%RHT+W!S}mQ0RrmUu-em8auB4r7zP*k
zpUoCTRqu!Cv@UWsRM4IWzsut|s{<#ZTMfWZbummHv*x;?RZi;e#Dih{z(9Sx`(Yl&
zvCyYFZA(b?DqE`$+CluzNS}BS92SRSSjP`J3}NC5Qobta<-r$q^U(^fn5q)9)LF$@
zlS>sw-fbH#VCn=z!q#6OxWka<LE@tyk#g@98CRb@VChD(RgyaT`8_5_;DoaZtVl~;
z#wH!pr?XOy5Au;u#JD(h;xzW|9p7OpSa3#_uD4t>Q?_+QB+~bhK5{e1O#Q&>Le?G2
z_H?`{3}ToZ`K3?u!;r2^qqt-#9Z3<85;<WA`%R_IH{bbC!uu=0?Z|)tSn7Ktu3le;
z#~LyH;%IS}Z<!zHFe01^X|D7jXnz&%oRn;f>%=43>adL)w)9ZAO0BWCPd0l)yN6h_
zn~E(*M6DyoFq%c-FWl?;Ps6#GK1U-3u3&GYJ+xY_eJajDfy7(^v`OzZNFC6^X|ukI
zsek|kHfG=#uQWYzuPF<u&aL}xGoI*QS9{{=7Lg6QZ6%=q;qzidkGp?rQ3`s|?l33e
ztE>>!qLG9FU29@KSo~Mx%wQ_@5h-h=0k_rL`$88AdZ<a2ea=ZLRB(!mAeE&MF9c>?
zk8;M2v2*IKScaXR@i_twx2!h~Kv8ZDc1n-@BFpl$^MfL&w*J!4tMpf*V^8WDA#nvm
zkCuO{j4%KZ2?(Cg?~7Ec^(&fKi8m!|TM6@WfF8(!%HHdZ%2*pdcZQ+h?;WR7Eas=K
zbng_qm$AJY%b-KmK-jNH-6<@k_(MCup4gc;!CVEmBE3M9x1<_~7>@JrF}pS|hOy~M
z<h4T{37l*`Bs86chm7`a-Y;^qW!d%%!oMGs5eb-U`^_*ko427;sQ`$aj8#WyC<;>$
z2jiV3q$e0&lTnx$`X1!SSC?P9&yP|KZo)qfWdWJ{AGatreot>m=3){waWsnrB+F0V
zvQ>}5tz+)I77av&`?N|p1r`aa9_Ct&BZ96N021*7!MHsqqiYTH#wUE*t8tv}?tZg0
ze_YXrnWZMC-<EsZ{bsDZ|INXC<$Ie?0my>`*L*q(22rdZ=EYyop4ser9TDY^lIt^^
z7Z$2X+mS%!gi>>9j}j_0<7DMfQ20-j7<ySAB0Fp~Yj_cb|8g8gVms}KoJy`uRUlt&
zX^aB7G^_4ToywFWdB`d1<S-v-oXY%c?);QE=VwuLxl1nPMeYD>tD9gBiFILaEU_I>
zs78{#T8g`j+*JQFX_6o}bDKyAsa?ie`ZE7E`g#Ry$Q?-prBYE5)TNuQlTgV{+hNKL
zXr9d>!eV(njEnZ4$l0K6V%Kk*MP5xS@$LfM&jmeD@UlP5Lz7G#m+c}SDe&D5MsNSr
zx<~-Qy&$%nrEj{F;XD;y(u9)}SJ7~FOdVSJ7-uNwVF=A_*D<&}(<)ddDwTRig2$U>
z{sFPrS>Q4wTFGbfr(S7Xwv8^PtwfbSLCfn4AA5ufJ0-{GsFSYlTEiHJ#wj^eImx9!
zBwUcb_}St%C7=@6S$#+V0QiOh<@b-IAphr0a{gQ{6-o_Md#v9kx(apHBQ5rFyDdIP
zmORlT#^0Aa=ce2?BIrhd0Ma5n73TJo+Yt%;bLuGNHIJTm3DVjtB}HL8k5-)zgAMYm
zjmm@C>jFQyXq-axxYJPVs33^w*<DhY4)v<uyZSGu+e&`5xU{2-gNmidr;0rD!L-A(
z-3|_b8xRZ8N(&91DZuGRIERxUJuYIyN~KH`n!eM^1!JX98`c+-XATkauoOTU<nSn9
z&zp&8J}(U<tov(9gOLVWVyP>9Gt-$x({S?&IAe#mEHy!u6a~n&_<tkIgYqEi`dwe%
zN5AGD$fKnHLEO&d%QE;<G>}mH5ZXhP-IdB9V0xL(Jbr6^Y>ukodh{&9K0`;aX~9TW
z56ZR&<u!ZCWqO<U@CkidW_CEjrzacBHjW+!CF}#BOj@^eEC9g6dj~$=AaOMR#wHVC
z8y@#I&dB!RKiQW6X#6QMNHJFMIZ*j@Gog%V-#ID-<alrxFCeV|fE2A!sd-QdpHwt5
z6bBt_c5Fv{A6|q9yP*PImuxs_3ltY9mrr3(Tqu@ezAO<9GVVd0t4Bx7`_NtgtkL@-
z4`*Eu(5^(jlMtoidPTUQivb|Cl@koAW$VGiV-{xOhb81sEln?Iw}dld%y~z)eu4)s
z9%{v)2tlr^nyNp@HeT))cVH2v@F(*LcL$@|F?*{sCO-d6al33UoBUd$S<`OxF4Ah_
zfB=BC`Ju<RIs7P^_Aq+xa{jt0BB{#|aM>Sr;)no|!j#uINtYLDFP8SqhGsp6rQ{S)
zMv<Xw8hN4=DWg*cU0o@;W!;v3N4$^S&((i}Ft63*^AQHjzemzoFQ9S>LdrA<>*k&c
zhy0A+^xQRX(O!(&uQysWWJsLP<%qY1&M8%R9+=UcyFxz!-wCl%>-Km35U3v$Y9y8b
zFO>oO@kNrz=k!+7Q0#i32VXym*0c)CNIV|mu5=fi7!Q75-OG7uH(p+13HrNBPwJjd
z&I~JW%?I2E5Dr@+WK2;1$8suv5GNOa=x0CKLtJEz+>Nu4o0l6gEoY5{Qd|5l>kMGU
zdARj_%L0RQe(d&_ehkM${)ysxhJN-}q*gn2VD~WX9`tscA5v;6j*euXtQZ~^LUsH3
zYO)CVdGQ!di7?miOrtq3pocK~zb2hLZqUtZmxQzPgq8+>mK||ghdZ6Wae?W+9)M=s
zjwaHWPd#-%{=9-M-5~Hqp~jwZ{FHa0sCW_56B(enToRIbW+YtpY!`+HFhqBY5~f2I
zo@rWAhJMTclQZM6k(ZAtE-Cq2Wg+=%7|by4;P|Pv!!pk!DpC^&6J(oRt&ivExqtVq
z2Jr?O8R)g8TgPI(@V#8xZ&r7meoI<dhuy>TTWQZIW46eGjNvqpp3-kQ2*u&rsnq2l
zKcyA0Lg_3jn~lPlaX*CiKk`gcx_`EEFeqH#gHl^NS7y8+%GNBqSvZj+IBn5o<yNq+
z{U-(?X|o1^rU7C!_5Es1#VoaFo+OWoyq*bi9fy<+A2eD>YNH_@OI>vDY0lDZpp?&I
zAWzA4YDP+22pTY_RN{KwvhA$UJT}O8O#Ke+#^vKr2KKr)3nH{6=r2FIz@a6Y)kC(+
zgU#RL!;hPpMrZzD$9aC@BpUE`2qi4|81;aW^=I|9ZEJR3aWy+u54iSQlUn<2?T~^P
zU$(P>Z^xyA@j(u8LZcw(=UO0P58c~hvO6j>dKI0NAJ;tZ8gN}&gh};*N3hXLUy2+;
z_ws7PHLp=R#3xmUvQ|Axn1tyIgWF)8;%~pqW(x+XxfwOJN#5Z;cSMI=dIdOPs`nir
z(M3Ht005(e@V2|m$Psh>=HgmYy<>%0AUnS;td*=!r`ujtFIDy`ckBBNnlw=AqafYY
z-R9@AecZq*x34NDfYJNv6q}}lKMv+@Vw5I|+1UrSS1^+X$gv&cYx)2K_ERPAS=(MP
ze=8Zm=OE?$?0!27(6{+%+*@@eA0yV7*=lbG=6=`w^zjKxkZ;-m01<vkhu&iD0lQ%N
z;>ElLPa*zfC$lA|p@;s^fqlYNsu}=C9!MhpYPyV4#}xqi6Q%+NdSn(F?BJ(0$e_4r
z%L_}@uN<2TeM0ij4R5gLt>!>t0+bJQ>IqxRJ?RBql_A}i0n3TFNjir!-q|n!1$6!7
zU}-;<pQ*}+Cv%7xoSO5KwhDE61@k0qs?r#CvVjZm>bg~hBgH{Ff0zTrMSsN3cpwtR
zn3ue3J6k+K!Ja~4(r#m!;;(9j#3UknKTW2W`YSNSdzuUI)oavi?b1d1Bbl>@Zd5e8
z;HL=+&qGdvK>2JW5^PoU+#p`SM++L^kry!f4QMo*akOLE#d{3#n#?d}%=!{BtGk?}
z<tVv?koA7*&T}Eg#%x+voJhWrYV6=tsE5lbC_5St@>92S%(2Iqm64qMoI{pH{}yxc
zwft@-yJ-$_kwpl<!-~)rA<p!;NF-d{wM#g?90q9iWTVLLc3~fU_$3^3zBmx4JUk$j
z6G779Sk;G*rex+jM%Nq({zE*@MxCv*S=#s*Hns-#^D#Rb8!q+x_@`AQ{ZA6hDjh4j
z*w=G*jni`>^a%3TL`TM|k>CJO>e4)sP8H`e!Sm@v(nfrfKVafsndYZt004%8kK)jD
z{9u{$&V#)st&H3<4{ktAE#MvWt@jdLCkaoK;>AusF;$1lZk3QT&!1{zpW0HbyJJc9
z13S0EAw#pl1F)XGxz17iqIPmbs}-4N-Io6I#`zqPj_u9oE?d^&J-F!(Q$8}l@xJv>
zYHDRy!`hl7b1Y}$Jm?+}C9@JKp?)I=Q&rO!i2VPjeI>^>4y?=*>s-WYyU{1yQfRR_
zII1$l(G)y-_m8~ynF92~gza5Xqsteg3^L#}b>L+;-a>4u+;fPY>W{~xNAG<jXMM^N
z`vX)kH%$0-4ub!aUGJ}%pShy9o3G93Jf1PVP1|*)3U1eA?cEM&!yde4T-d~M;JWE4
z4)#<$QGjwCAYl*1vBxJ`-O5gnOvqye6zv8-1J&YSuX+ZHW+79sYsxlx3?-=$iNBHk
z?Ui%HPW1&W^fv9DK@2u5MqK<BLiJ>Cu!c_J(g+3O({@Om(j<cs^-jRcaAs}f)b9}u
z<or*RdIV_V2tgBQx4ihK5^+2b-++a*M>27X8ZkIvu!tfU?s_8coOQg^!xEdBW|J&P
zRFR>kCH)Q!FyvRjLQpJ8>g+`L%zyw;__^Lq$cHV#@2N;H=7up2JJN;v<L5=hAMHEM
zOy{N(E^4zGcqz&Hcsq)sCzFIg6U!wJr17At7%3{;bcSC6D(!Z95#&8cslkcuZq~Om
z2}jOJ;Pp9vf?Qmh^{sINslZ>Il|UO;Dd9yt9b4Z8JH<^I9kBLO9~-o}vo_tO3lSj7
zZ;6N_2cVXLBUMucK>45KY?+T)J_>~AO8Cy3t27`J%^^Uz>I;=tY&mC?@T%5s^A0$t
z=W={~5;Q^gzrxBuEX-#oI=vi=@=gY7k4>vPPtEYgxNc%rmy4&j)KHo6hT5(hItp57
zPs*}*aJQgC?)>NuliQ-QmC*LDUT@Pde^M9p;X42mf<>(t$~NGQJ5v_KC>@Lp`oAB1
zyP^Wn>2fH$FlCP;38I%R*)^XgiwP2&kcEfDcHL)GcDiicel~i=Pc>6e>lvXt>FeYh
z8ml0~n4ls`+ZN(3<m;Ld0h`WdzlGFNy_<?=k&2!UZWuEUx_|ga0J?UZ86D$TO<6Cw
zhL<_4Zlb!<yu9{NRmB3qs6t1Q^~r_UvB_5Mb5GR;EWYBRN=Id^Fvt>D_S=d0?RNa*
zYP}mFYu3zSmCxZZjKjg$OmMuP#1xx%#ct-CZqLZRJ5%)Hgbk6{6SZQ9fR+Y8ib{&8
z|IyZWv=5b`A6T;!I^R5^lTLoz+G)_kp+sTmXX1fcb8g?lMB~>VDyr59`kpn}{OV_$
z1T$8E)-ySxPFyX`q2Asu<QBn2!X>Orw0C<JyB-UuXy#L?r|_Y?i7-%LzSPWZ#Xqt)
zM1nKp!ZW^;i)=-#o;Dm`l~J;xNE6Td^8e&LwkJ4Gwk(hY=t)_V?i`Qs^mXPq+mon5
zCP`!Tqp=dQXipdUPz3L?F9AY>eZmmO^||o&@j;akjkZ|xKO&XHKUkD`4g&_Bas*U4
z23}g%fiKaWz1?@RHyjpck_QMHIJ})n&!rnemf|o?%^f$+^JCCFfzFoT11HeHgPCqZ
za8ECDOuT-)uHy6PweJMI9=WLjY42FIF=k@48P%SXH{wvc4&5qE6WvmmBVhI8!iz{r
zzU_oxxt;;5HvQ78)a-Vn;Zk*{*#!2?F~q4Ri6wQ3m;3c6<RE>qy*Gt!<9}yyx4=QY
zV)qGECD;p8Km%dceK-}2wo$w;uaWB>wCmzFc^rYOL9;;d+FHnxlG|I`paEP%nX64*
zveYz+MVM36;#xM&ehkXIFHP=)AO$-6=^|I=hlC$yf*#Uy_4J_9BZBAc(QRM=0El$L
znN*7#PP#<&<w$;OsoYy}L{to)5zBRyy!}{1)E@w|2lf0r;H&@(HV>!>Nu>Q`BHuGx
zRuH99S<%?q5N@rW5xTMo1p!xuCYUw?Z?Gb(s6SjTkI9M^xJ<C8$VYdLY7CTggHn`T
zC71qJN&s$%8ymLU0iIk|M5j*FTWR}KvSp5TTzbeI!dxNeyx#Hlnbbd9qL;^m!i{Y}
zsU%Itsa6ia12Wm9>j57o#}sujY$4j2=dsxG{o}YdwbC=hGt9ygwMgb>**i5uzV|wJ
zy=2haXCSuytXy8PQt1G;hIaCiRS#S<y}d5f#>4G%5IVM|314dHnHrC~iA7WXB)3LW
zzHKv%g_s9^@Q!3g0=R!oUz|QC!}Lw`7wDReiLR|xT3tJ|AWaPgbY9W4%i~Q9FhL5T
zhYj=O6Lw7|tUQ0NvdGfvzSs>YP!%tw8n6k`mXX)7jUSds9VTqEm~J-{DQXG8JIFvv
z*dBwZ#$<NG<d3a7pJ#l+Xp6@kl@eGatFE|XKh%s73SvAqmv%T_0zV(M*HtOCSXN%B
zS$~;SEvgaqB}q}ZbM{J%))rzCG;NvH4o)2wWrq>mo#N7RH0t69e`|dIQ#htHs8Ry3
zQik_yqI~5m=gqi!_*bMBNC>&~5OKC>d@`1m02mHJ@w%{JuHRvcS$o-N#AwKmSavs3
zxY?zNDwMN_Q?Z<F>b~PZK3$+mHy>`gU}SyoWvksVJ0_za$Af+bq)D7u10t7TsVg4i
zq`Je{qj`;#ahrlBDp{+W9~-5QYAmrXE;`Y6Gs!3W^=QeeT|}?PJ-?Av6j2u;+Qz_t
zL33ziLI036&*6>lwpW(c^YYyx=W}@EwLwf-PoQT1^Fji1TkA0Cbb6ox;ydhcQ%?TL
z5kqcmkGt%@G?Zwsby(%Hy|fxoc3LzG;j(KmnFx1-QT4uNT8w#*M%s%XFUEgHYko}A
zfFq6dx_UF5NyZ!>B+v>=#L&!|@~Ty+K{(AtQ2GCX?H~XE02ApFXMo#%#EQTiP<95s
zK9QVZ<RSPoV%lILZHJ3*00T&l$-q}tsaybFsT|+M`NfBATIRIx<eGn+Jp^f(wX#p$
zyPBMe+}*AsU-b&;QI873o*0iNFr7g3^`Q*=L!0--yYFI`{rTf<9q%J~!?%o|UQc$}
z9pd?n!2ke%T6NMWy(u|_H#oR7IcXXl7DC&z#YSAf1AKRwV+;}(U@fP$msy1htWrDF
z7K?ao*vh_a=GZgvOrUpW#>dA=JS~qw-JCWLQ<c)U10BVM?bo`)1l3CGV6>(ieOtdp
zT!@z5aCKeEZD~+n;(6`6)sw3ukaex;C_9DV2dRQ%qAsv;W|knO^B;?EsB0jtDyb3F
zfQKlWkO+aU9!MsXJmnLp21$DXG;VD|ix)-ZPQuHlL5P;Gez$>AeUZJsRmH*Q<U;Lj
z1@b;dLe?F6Tf~*S2^6yu7_VS&!|pZ*l!)=it%bC#3_`eJzENOJr>W}KtuX1MshE0c
zJgfT%ySw&j1j-=7ZcJAk5=eV2&H_foMH6)j+VME{sV>t^(|nsUF=mbLipyu?P6}{+
zJ8Yxd=Kg+JO?Nu;fAzVTs;#?mB_@(4=8n8GC)ltL;Uu$}IhM@uaZPDmbx5cU3e~M<
z-I|R3G4={jQYpVHqV#1MHUv(~5SCKpyIPh{AqgcX9mG_s16zgSVgg>oSa<yhrGbp-
zadQva|Di*Q%lStY1>R6TYt+{U%Cp9hLoG`hDgrvLUJmh5aD@HQoWoC7A89xaXPn9!
zFsi_SCj#L3VKBy-_B1y#AOHXW0A@7%1aec|AU1SzNrtOBgZ=#4K1j1#!uZgz7x-$l
z`<LywM7P*sw(ZW*hf@$qZRZsfT){K+_y=C`LxX9oFk5-bV@!PO00&+qsZDl{)9hLJ
z`tK`2CEnX_cv+L;9n2eJ4JU6n$!o&Y!yz;v$aPD~?l6cmLMlr4AxJ!gucAPiz;Zd*
zGEUd;{kd-&_YM*k1^@zB&a&!9m9?-v*#~oB>U#UiUc|K$2c_kpFIH;4?*PciqX#Cq
zhAL7F{fKq|+Cv@*eP6=PJ)vt9kf%;@-r8UNex&T)X}c_FF^cWKFvxZYiCqn{Q7ksR
zP_5~kkr)lkhhnX+dn^qNz>@5wzyk$Rs^HA%{8lshn9b*gYW$#1ym>mBf3G===Hz;1
zH|2Hwndro7LL}z=hk)dv8-O2$<l(*R=UhEu;$1STC_rEc7cV>@A84B=7UoIppf3rv
zjCrFF#%pMy1Ah}Wz1t%`-o=g~{20-B?Z=nK>gIWP5d^}-@`CAxJ|0RoZjg@G7xGGj
z1(mkARR8H2%@8w{r%ZI1f(kkDUv<{dNb@p1Tox7o%|@>`n)i0dE&t9a$->SsXH1Ox
ztih)MdW~hlRo;eZ^BSW^=iLJh7><0|8|pzxH=5@&`(&JR{l-j>+3(Fy!!&A5QRGC(
zszK!C%Yx0q^(t1>E~byr9**Xq|BBw$9xe0u_>P&>J^PKK^h5#*DSvK`$4ESXYq=R`
zXwaZK5Ft@iZHzeFa$2B3jY@42QVw5=Nk9Mq0B0hxwrcr+)Lw6*gOE0vX_6F!_T6C4
zi}34nmnqr1-7!X?|E~E74J$Wf*l=tBX?A_;O^hB0>49FD<gv|zU8bjEy1O=bV5Mv_
z%>C(FN;t+8tH1CCRorMY&sbNr;w%T4rCLPph}O+&Q~X{3ub60OM~MPe!kCZSclOXj
zDSp;Jx#guff$p1U8}!Y<-WxC9w9cE}(-yDl+7pdgm2xPaC>Rxvh?gC500Rv|Soidl
zh+Hu^<W=7YDxO)ghr>s=7-=1i+w#runU$Sl@YAn}EIcU<5f7NJP;Cbu$Wa{%gu=tW
zzQxeJTs{*Crt^->Ek&ktO3cx&FVw?vqLY@TWyXp$M~d{atw-b-@m%pmG+t6R1w}}N
zq%MOY;iK$2L5TKKDZ(%INX@mQrlPl`SiJOGM%W`@_2a^(=AO6U=WKl@ic?PIE?wiz
zwPsgK8UDYCGTBK%Na^>(i%&6jFIj)fypL0TMgCNvj@H+RL$j8-l6^<0Nt6CMc=dtH
z)t6tLCS&U=5HCj~W@VbAod@l=UO-I^%+xmn)0*X?Yto~Sgzj%C=z41TnpOv3IPU3J
zai&N|PF|LbF#IF%Oh1wT*QlNW8VnUW0(RR-6{F5nh6a4<mhgK2+ZW-eZW)cq#LTEt
z@Vrwb*inE0007whg3GO7o<45{fu0y~N3E9UQD1EPSOCXe7_hehZPNRvk)Jr7fL2mx
z-M@#zlJvt77x0kwkYJ9O6hT+VjS;tas!u4Nf=V^hAcGzDJUnC?lE9ok<USRsUGo54
z3*z3-1tN^010fM24Dyy@O}3+Ta$n=j-HYc@hN9T6Aw}&+rvbKWj<Aa;M#0yuVF@SK
z)|}hC+^*?h<u+RP8&~LpEz@I-iiT?AO9X*^#11ou(youaYY-Kmt?;38G-ZGQ0Tzkg
z4yRXzfjaG=<N~6U*<CozM^!bIVglS<MBd8IhI;$57L3b}RLQIF#_yiIoJdwp++{NI
zZV|!~0I6Q$yb=m5rl2?0vfPq?w;KhbRrveJZ_m}Wr-AAW%FaJHSc%<zLgcu+PcFG4
zsUkQ1J(6Zx!9X~@oQ-$T*1rpUvpb}^h*%-;*aHyyIX$4M=Fd;^$7ozA5iKuBZzCLt
zzT7z(kI@qC{uE5pH)E){jv#uTQ_xoVvn%k?!?Nv^t8*Ta?YPXo_p&>z<UpagdW>mI
zSqUf~9}r$bhwGMBSc?>;k`J7=%~0;@gS_2}3c>BePLM=u^7Ls1vk+;m8}fLQzn3DT
z=<D*jo17Ez2FYG9yx6=X-2zLmvk8OC-t=k-gOFypJ#6b6t%8%USG`Dql~&+}ew5Zb
zzh)GG00081cbTl5ZL10LQym}@9Kckz;U7^UC|_3Gf+uOlVZ$0Vh=jjj3bvZ{{?Bpo
zK^f+(+>1kYmCjq;Bzh#YniYf6+`+h>1B|jp#ukL|p6mvW%5#mlOkblmY7*F1Rij|P
zp@NRQ-h(k@J5b$Vjn=t~TPDpCd+Mbxa9-?T(mVqXiA5=dT)N4pQ|gMaCY&VwYYWiV
z9k>y)cp7z3O9$0Tsw+U?EwrFyJ*8~MdN=a@o3#H6q16UNO^8aR*#w~(Gdce$#F$m4
z*&})^*x|v$zw0$y*Is4!&V@*kjU1J0v#_K|q2gkWX$RO9v-fYxtGrXtS8NNluQ8PG
zn|rp$Jt;*b?I+67A3-Q)n&>_A3m@{C(By7jqOuVOcf2lqe@KN}$8lsxH!unkJ|J@K
z@(kG~0u(V7Bff=D-}b<RCYiuT80C~5%m6F%6q;OXv7t97WMUw(L&r}hB!{xL4g8G5
z7r2alR<h)$ePtnPU;|Z5SK9MMOoD0%g98MKW)sA^&ox52yhVVz9nd%y8B-NAbH-jG
z88*vG(>SxnQ%`UUu%3cQN+<f0y$}kU{}BK4<E=N?=JtQl!{<0$ullR+&Mides4cDm
zL#>dEVDT*1oXIILsY{0JO#ZaH%!Ut%1_~L<RIxjaiO{l<6E!5f#PNCHJ8W50nCkTq
zR<rdTB$Kd4ROQgh794*D4rLf7j}5<Ikd0oYbMa4p|Mo0@BFk^4D_{Ts00D`7v8O4Z
z|Hf8<+y9!P7$Nl;GSe@kvdcu&PGdG{p2{QZ1TdYIu|Z5?i48g;1~T9fE$l~%(4dPD
z*?Lt>pOuQ8@gjLiElItCS1_9+gjuE}|DC1sT=IQfyQ8^{Y#9_?QfdOri8!Lu;)7r-
zvF^=q=5wvxt(ky8o&leL@gJI!&6ZbcMKv0>&>fe8;K4_u*GU)3o>(K&?Yrpi;r;E&
zC4RfA<3#~bmY6<0QZ5<CHw<Mu1Nw`arMDsrLG7=_O3809d@5c&XEYuxw3ya<SEZ==
zn(S=?!`dgtdQQ%-80qR>Hf_u#u^79GT+C}~c>ORUkbSb00Ne3YC2m^u%yh{3a7HR?
zVh2AH9^f5uz^(#7_(O&eGI~4c3a|9S>OQidzuXHqIA8_$fB2~VR8BA{vk~$at+`C(
z(_p`nJN4LUg_Urm?cvzu*zV@SX*2TguKE1^fjO~R(fNnmth+`TzI3$cc~Nk9p~&N{
zZ;kfhFariPt(=ZB6NATTB>)BPtBHC+dLv=a1X@U5d<)xG15f)E18B^sKzw@HV`5S;
zLpw4dz`po6x3fupZk^gZ#vUF!Yof-dR4s1<5U<>ku74!S1JJc*l3<#)sVG;>bK>U3
zJR$pa-QVJf;?PEna93s4tV)#EHa9L8C=D?nB6OLWi0GG()pzbXWJ4UmU^oY}aG7xL
zBg49YL{hUNeDhF=hixDd0nuU>R2TF0wvhC2`)7w<5vXTVx03{GDkj9iGYL$xbA*dM
zfpXyVvh<sdkUjS9$?B8{b&I_v;d~wy)-K_?YRp+c!2oHV!lT83-q5E2aogsr5Rx%2
zS1i`g2~^#Mws5_RfKW#puooZa27(YW5)$$bCMndsz>bxXKFn(!S)G*ae75aU0MvCW
zHaTOI00000000Bg?BMnGrjS`;;9VeBGq3kbw%OuH3k-E{T^>^OEZ0FxvbtOztPR~e
z<=)l;T@O*Qw9_{wCNt-x^!yY1cH_2NKOQB8cgiuF_vjMJtKw5V5ZJIkXJe`lNd8I?
zQ#3TsQLI{6^X=>mIm_d_W+AIR^9MoWR78l7O|2MF`?$1yyOFm}0KW=$kZ0P=*8l(p
zjs-2Cl;KIRSN30{muBhY@~YD90=%<fRy#QUDeX&sPMJZFjaMS^xYuPh5gXJ$)cGo>
zng*Ko5&*LS!_K@Fag6yfAdkiBh5~qo1nLj1o*Cow4Wb;S+QWCD1Q@;>l8lvKj*J|q
zHR_pU6g_vHff6t6ZdrE#ps_cMJlMQ0WPRxgaiEaS)|1)NBJ}n|LKYvNUkqP;GZfH6
zR0d|+=oP<4=CR+M3W@2hav+Fd3hYhs!!9C{RsamXg9q_DO4e2U)0x6zyf);|8=n`p
zz*}B~_tsn{!|}|JP~_E>T|Y<=7t!DW3a)bjW+fz6Aks8`4t)4i9sZV@7k;1s000+7
z4U}8^?Fnds-qW#2<zNt^aJ8~hM(V|3RtLUaY~l)}i-BOgeCf`&fSe;0Pwz6fYK*gn
zWRDv3K08(9|Mu~v7ycCum1s-tITfZf(*HXR;dJwE>_zy1en)m5G`B<JX~y6+*ebJj
z@XW0&p1jT;DENCRU%4Lh`aR^1Z($Y}5Ws)rX#+54$qZBoEa5RQ3{}ZP^}SY6fF~t@
zoKMEnNwYi%ht<N(d;f7)YH7)T)aHO05ARJsx#c&w001Nz&F|lnZ@y4$V7by+9EoJr
z1qXtk4m?FkVJ2HLo`wz98Z1TfEwYTb+s51+vDrh6yUJOwwsq&8;p>6-v_QTsm+tlS
z%`46-I>KC}Q^HWKa&O&+fZO{-s2&Rz9M93m8x?<|T07*?sf`h2Zb|~aqEdv$#(IaL
zs$2))eH4+3h=<zqJRy8#Tt!IWsTj2E6hKKjwUwYNT;fZcnVwfLw6Oi8M23m9%TL~K
z$^etf-Z4i9<#w;P+6bMN``YeG7!R@@lJx6VWLHiqUHy;17^Zdey|QwVMCOS+$Hc=}
zg%Y=~Y($P0#TaF)=*vS>kM$BBp|`DPm*qf4pK-Sq+S>4($I-8MH^CtynkwAJ$Bi5@
zCoFzb4tp)wbU;td`RLN~s>k06r60VUq?d5VF5Y~ro`gHq=7d|#2EEoEoAQeRZgQeZ
zhl8e}<vKx>v9{$Uy;(6{V!I1ecwFwm0d$5bAlzjBAFHKP!~g&Q00005qwgKNPL42~
zs)rHDE4|4`d$t5RmX`MVpRtjF-1P1hdJsTLP@BGzC;E@O4qC+Wogm_EAG72o#yf?l
zS8(oyM(h`w96w8b*QnOtJqn{a`M_2wevB9A-zPZtrZOz>leU6*Rt-Q~rD_KR>fdwE
zWpZ~b7k`T<J-|rgN37kw@uATr28Vd#qs&;7gj*TwN5HD}5lut0cy^!S3vdm|0xdxj
z#Ia4&Y%0TQ!}nGu1V-Q|a0{}_33^5y@|C&MYAO0qH5^LSOsr~i436R&R1shhC9Wsl
z3ChS4#h1RXz?oWiwu!vyj7?hnolJuyrhCpLG__>^efE1H9DWHw%-`gD>CPevNAm%|
z0000000X{0R4k0swb-suT@SSj36h+9fk@+Q=3alQ%)=L&7;|h!rrhkK@rVaFKDpVf
zu6@)5z1kuou1J`L$FiX8s$SU1sUEJf`xJ-vVm;M{%8aIlR)|hFy6h2@rTIO@(a@zP
z1yE4Ui6)7P&rS8(5rx!k%p?<$N)1X37|j;Zb(R(s592H_j@v)X^zc14uKo|qAAs07
z3lN(KStH7NhmxE&_MD{(Ji^^$`>p8eB)`Aaji`NqVyH~4V4f|7Cr0!mc7ouAu-}Dc
z`!}1|KwY`;QbX~JAkgZ2VfWF#g1Z4K1}FVAM~-%Pn%WKZ;7j8l(%;9R@bRD->@Hl*
zs#E=-FL&%VvY}MS`vxBbDzvHte~F)-Wx(W{oQK7N4r;)u$AAC;00006di@(QJ|%N3
znF2B18zR7I6~C67=o2n`+Uu+=E^~<ven9X`q64Ai2OYs=im)`Vq~P?q=aKPuxy=h4
zsnoC!yt-pu@^$Q_Juizbn0nfq)MA+-VzrH1f%MJE1B@eqmB%-$4fziLM%T0^Nt!tb
zac5bCTeeZ#mSy9qc3uKK7}!ODPzko^L)-%x#yh*-$_Yy-XIpBXhQSu@;C5F-H1V5y
z%TpI!S%Q+DpLUS_2I^3nJSdwUNGL<2x67}Yi=!M*!Z~>>{jow)=b@CUt)){DgWPk*
zVHECytqv&2FqZodj~Sxfr&90b`jE!Q42xlOE(7s!KtFCvI;omR5RKXfK%o5tV0K5X
z>Uv3a#GTA+QGaSbxxw3;H#&+8jhOO~vPsufQEA2~UqQ8TKE;TPR-nMq{x!hl4sh$2
zTb#rZgd3F#IOaSSG>?qKbJ=z5)zXDvJyR)t#0nKF+=t@rZ`@#`e;<~KDMZzw%^HWD
zkRcB~g}pgNOigf7ARa`NZx3NB9{hqWr%I$hp%N_3ZsV&-P(v5t<1y2~0sBwwTCeNP
zzNEg(81R&Gi~=6T<hh%ErEFc!+K|VF!J4kEI&fVP&^IxZG$X!fL7&F3#-&-Kh>zS$
z(eRl#|6k1bldojwAtnitmL$gEf9rz^m%ZxT1>_9bYQ<4iT$)2w4G6oO2cJ>^1$0fR
zNm17D8wHh+)1wO8K8P(!N7XS!O4mMtjn9njmcd_g1i^=RO-!fTbSFK*&kaM&tK4KT
znu_<w1mwPJx_i#k`G`j(UL^eS!b$hqJo9=<Txb9Q00002k=B5_4`PNB0IdAspf-PU
zwcs&y&ny%(^KyWsI-Z^c<c%_8DiQC4xC2=u)u_5A3a{JdiqE?d9dMXk)_}A>iWG@&
zC9Kk0XibhcW08DZuJSgJbpbmJZ`b||FO&pW+>7iX6#6Qb?=do^H(C{UhH0VCxiL6x
zoH<of2joo?w;GIgi(`Us?f)^y5B|c7`m>>8<j!^HbNwE=$qjPDZ9<4FHYx$xk+_}U
zeN~(mSUqApnpUxpM2xo<ZfVxZaEb2dX2iMYb~OmBLTk8vurSg1bjcaYTc`-1a4X&&
zpHE86xyq)vB(FmtD`0o9TDu-~l~x=+y45`UaCokh5;jvnVc$DW-rH3$MLTKBF@y>P
zlYe$%W#AKnUPs)^dQJJ*JaP%4IgJXfM#Mcu)$dqr8x*S_sKGu%RHVwY<dDFaMD7+5
zbp$^I%gegzfT0s(YcV^n%`gYlGBa@vx%75$-CEWCJk0M&D-%=eDbFQj=wYv9A$aAO
z#Z<$mtabUsDgu;r>H&z!L|&dxf{z->9-P}qLy(e0f6Ln?3u1SLdu5^L@&*H_Jh5X(
zPcY(ODvR{h)jD4qoD0g~K;heJ`90Wns^W*StS!;j(`2Tcc;U$VCQCLXq9h>O=1}qm
zh3nj$n_}SSe(xyv(=ADevO!gV{CVL00$9U`oaIOXMl1e)4@Du2oE3}F)Al0@`e+hI
z8)q{2SBDa@Q@dM_B5wnS8a&Ag*>#~V@fo6n_7J^%7E^R@4>eR+(fFjlaG=uLs%LVG
z(A!e?$KS2>NiAtJ(`%5tF^gp*3i>}PI#VX7*2bm&c>xM<pCk;^Ad0X600000d4hkk
z3Uwou@kMITHzr7bS)whgp(KW?qW%VYun+=<h?28NWVK~@EYRNRpQZ#@Kv&Xjx|c{3
zM}Osrs5Tcu1+zSY7N25?x|^g7tX&}w%B1`4hyR<#9_hbWEX6=Ze0Wr`znan(jc<Y=
zG+DTK0%p+22yK|pwW9qRKoS{5gzEdJJERfLV!VPPHUM-BMXIi;(dE9gy?ADv;1(18
z4gi_VoBgr|m*~GjKmua6?ff2<Sx0N-8kf}yN&{5TnpSTQmx3*|U!CdasBmJkoEt=R
zN3&P66BW6<cYz$0n$vRP)eU$Lg|G5H&efG_Du#nzxdb*s#he9@I7b551)~ug3IT->
z)3o2T1ngqG&vAlGj~&V@7NN0HO>C}|)zr%hAn;_6wvjlVF*;CiJ5v<rT16+ZAiitP
zT80`!3Sl)!dakgx&i%Xn%^BrF<nxEc2BHd#@wKtj)OP8*Kft(rA?;%PcqBaZ#VbL=
zxIB^;7zI}PSS1p(M=jjF;d%TP74`fH351xh>YbOZ{qougs*EBQDX#JI$2Q%tj7SB>
zx4A0-uR0-QUgsEvEvGh~bZ|W~o#)qqlFk(>_h_AK`mCe8g&6=Vqo4s_!rPxYIy&=E
z3z@_Rc~<UNW`%eBNYb#=uja7IgrY`>b4M{Pzgx^&!Bh!2h=>3H00006PNBRrqNwJN
z6Nbd(j)aO5O<G~aTz&_tsy!y7=wVt)1lY4-piCw;&Y_}0DAxn8!0Oke7vbY*g@6+b
zvw%0RO~`D_#Uy~h&=$0e7?>R6QBO&dNk2Acks(xlaFnO4<xjE|a<P!B6N^;(ozM>~
zjn4Bje5&91mG85IsN1;Dt|0kaLBe3v`P#QI(!4VJb@vrEA?gAl?PyNDVj{&UU^$iA
zwzBh9)Z4AO8@SJF>Oydr)n!wj|ED{LSIdgqb}KCY6~Jm`GpIEvWDtBvan_;A3?M}R
z-jE4TjQOc8@vP`TwRrD0JYzY|5%*mU-0b*o&|I~Q6qPgB0v6ExTO7pMOod4PTYpdc
z-56NfJy9o!aU@ZtrbZn5nmF67QtTKc=Fb}n(*rKT0F03%H_iHA>vPq*@14P;kQu|_
zb}QLU+Suk2P(D4nANNVyauNeuUwhkSc;B$%C-!asn?G67vgVoAd9CpaTI8YNVx`Zl
zj=l;Xwnm?sh`^tn(3)%xSqjCotmc}1-NG5AqYQzJ#uI$62r7yb1LF6*q)`K6ff1d|
z(0ud>V{VHEJ6>PLx`35|&@5~j4i0fv{`6)uw#4Kzwm!{De*lHAKlb(3P@PJfu9^B4
zaM(}`C#y12n_+9a99%Oc3H<Z`<-|mUrIpQPN!964PSO=qa00(GwSLsQhtpAmnQ{f4
z2Hk&KD?;iGcKMVUPoyVZ*Yh!TBeZSt&~qLYfq}Q3np8JyyHWMC*dka1HuBg+00000
z0S(nYPQSP969*~tE+r6oXupqd^FJvtm8voc>qKpy!Vo2;IHs?i9!=+GauV;g0!7Us
zI2M7x(@2<O^oW9m&h91YPsCVmiXWgy8GB>jxPl7oL1-+qe(ZO~{CDs)pw&;d0pmZ%
z5y9cU71!G|smxwulK$T)ZNTfR_zdG%Sj20R40g-2#`QWOea99*_w)<H^b>~~d;i<}
z0eE}G-Mz@_;Sly}IuG>G$#fRov@yaM0i^@xSS~71BrIxcm=N#q%3qTvFC{I5L}PnF
z-}vJd%ldV+q-C<dfe33U<fN|JlRriFIg)|8sTs&%J7<^8J;lFePL$Qu)wAKhL2}kG
zQdG}!W~7dw2oRaRkR&srn<&<DxV7h)^o{$1p{^nSSd+nq*l680uQkck-xUunBxmE-
zPKDiFs&t!%jBbDbVbx<w#&Evbk;V5>x#&|VQ6Zl}=>y3htG8p1MK{HdftjdbQ;!Nu
zvYT<S2TIKePf#-?dO~YgR&e-7X9M33evm>+iPW*mCm1;j3p%B$J-v|`-alw87gY|j
zLcsG?-ft(7f~_VZZ3RRa?V7`u(e{Zj_&<<oTucWa0eS@O=nG7v&&EgnGP=v%WYw}f
zBO;OJv(+|8{dLw+dhfZ#t`z;b5xwu(D24nIAZw(3hrj=aKr2xR<BHZAWKv4lTeM!o
z>^bizekHw}kc}b@n+1cN=`jER00002Z^cDdlk+YApl^*K0)PMGk3+Qo?Ec-Wq4Q(4
zPKt{HZd~TT$RgZ84(?IKYF6rI1$Z_8>WE7`fC$QPbwONuv@%~)597huVJUIk8_HC{
zh>iDnwM?ERpnx0d%J5DT5?P|IDITBrf#XKi81O!`Sw_2QIZBArF<s;oT+}a(5jRe?
zpu2H`m1p}Ar?*J#cfyL`SgUReb`XHnz`;1)Ebi6*sKxzrfvq-ZUbn)9*%S}4C0Uz3
z_~8>`5Pa2u>VCRAiCRT%(bt)d$AK;G(rlgdON!WeMoB;URRA+DaD6xI_Uz9BX8QUj
zhWAY$Csn~bk#l9f=;&p&fhWA?PuERjt;Jp>R1KON<R{Rc*_o!7TEvyj@rm&qJAXg-
zp$iw_)?=2-q<u1F*Y9_fMh&+7h>baK5#wWvYedb$I?p1)>=5lev)7-ixgIC>o>il}
zK9wr=LQQ3k<CybAH3W&x!xof8%bxu&pL$7i2uRWN49Uq@8t+?nPG|{yyz;_`Yr^Cu
zHwuju_o)iAes&?#dK~>R4g|MU$FU=0#&88Mx1JQ>Elcvo-tXW^+4A&NFHcA}aDar$
zUhm}VE=oo7%<VjBVA#bz3ww?Z5D-oS$^@}7{Ws8fSVU3Z(b)r9zy#FVVTX%C&Y?V>
zjgDu3jT4U)neKYbPst*5FoK~bey>fsQGG<tMcr)eksT>~Fm>@#b`|cOVV&fLbRi;(
zrsY5Lr2LEQjwQ{*Ji^Xt@ET~=Y9*F~GzHO8sILKQ9gp`%>;@;m-gog3Gw?3E)ZfzP
zO7JH^CeB*jw`7cGp*JVM{y8F)_$MjC4@_HzS*<i&U@b^ek%YnZJbop|<EoOD6c7U4
zzKC(Kxz!)>Vu9&Ju2$F_&!B1B6f#xOAOHXW01B4RBrG{jquQIf8Zj$RpT1ZWd^YN|
zGx<D8`7oMt(`6+XFIqU3#AKc9Ywxy#TLU@K{iDFa2>>lGEdQ)2?aw6`Bfg|2P9d4Q
zZi>zCBgWPu?SG~*Loh?k;v{9IYbH(QmmBH_dFG{~Cnj2X?=mCN<4YGQ*fP$xO6|~A
z1o4QFb5t;~NsGd$OEJqt89)N26xFl$k%6TCHFEZvb7K!IsrwuN27Ye)R+%KnpH6^2
zbBNRwLvy@%p4(+XB`ir<fp%|3uCwJpe&932VDQ-%%+|Yjo5Skl2gS5AWac8vG4pPu
z?iR09?9n=E?~P$KFk(jpLeC>QQC&dE;x92%+Nz!s4M)(ZWb4NAPuxxaq|AG6-Sf3F
z;|Fnva#PA17aCDY-~k-^Lu8BhW9dXR5KVLaUnomuH$$w&hG-SvfLKCHO_lfC!S|<l
z)ZOHjsJ2qe10-cx?X>S4ou(85!d(i!Q~nKWHHe$8jF}&uh-GA%2v$M1{$z2kU5d+4
zy1U0N;UM#}g`OJzVdf<>53AzB>maig7pMp#_>5Gf*_tv4<ksStk4|E3DZQJbgljZl
zx2WjXy&6mmNHD<M#14Vz=>c^HkMB0sDieTEEL3fnw15orA-+ogi8{U~GVp)jAp<o&
z*A9huFCM8x$){a0-If>Oq|%*PtD=+P<pP^bvRw6i>Iav?2HBXfML=7N0EkL#E~L~u
zby_pUiLo+qHd0SvJ{mJ$E@^t)*<oK9m-4z^X;d&ZI!2{F3D*-tEp495#jM)XSo&EC
zVtqM9Ik5kyhAadd<oP1i5mrKF8)rksJ9ooGRrW%?%{F^@1(AvX00001K|otMR~7hC
zWPL27EylL><xQQXJIE>5H;bi9L<5uf{6qCPKFEbK2b~k9FVXIkg5AAThF2Zs_l&bf
zzfQmnRsXS^i)ZbAOY^Y!Y4fwzwnmZeL4{bnvlXrTmHuhgUros}nL)uqK9JvA#<hg^
zrFrUc^&TJs)z|E+Jj=6UX+*Kb_?Q{F-W!KNm8@(pe0F_sZJP@bn+YkK-0EwE(k{o8
zC<m!Tvx!vb+o2PBYS&sT8ny99SUAy-w{%Eq&=XzDl=QD*z`!2XbP3Px+aVrl_Krb1
zT?IZ6R$x8u%Jt}!c+pSDgM9v{mQD{18C`myXa0+8(f$Gf)%hnumG+sGh&c4DoL#Ol
zPtz4s9`+VF0jhhH7?UfAV!In1ooNCqb6q6mip(k?K9u)4=#wz$Z|!FvF-KKnY)CuP
zN6NU;@FtSlN2Y-Ay{st`@HwRTSwk_#uD0sK_@;8|gk<H-YY{u^u`I#PqEMW56@sQF
znmbM1OBWqb(@IB#YG)uYWL+GiEU44iza?ur!0nyD3tw7k?gy+{gfcDDs2=I4AH;}&
z0kBLKQaT~1sN&j$n}71zv}q9HSLMnOuQ_z^kLQb{Kdh}E(oBH4A)o!*n&(2LdI<0n
zvuojx19%KEQvqM;6V&KO#sgihmuVK|dG98<bux<dJJtXI0000R*$|lJ)o!<H5_-9!
zwQ?9nQHbSSyIvZhU5BD&ElMhWLMY{#E9)Zc$vG9DOx>8+k-83Gs|XfXUVsq!o9Fdj
zNtLe)1O{=V>~`fJ*wa!MOn%9Ht{Gagyx!-_c|BX9#jcyRFvx5^+6m@AIQqk+g0Sdp
z{Ll5z7F!uJaSyUZ$wnDaRHxzc;R8DF)uNud!bZbaW4vkjzsfra6s@Brv2k|T{CPFx
z<I)_`<luM5a?>@?)pCdl7t>%ar?p)gP$?#M0j7T6U|Z4aef`u{is#=gCHBh@x0vc+
z_a<tU5O!96*Kw2!yRmInQvBF$ZERlvW4-4&+r0^EO&*ylJX`o}m(b(RW!a@N93xJk
zov@TW_2EiX%r9Bt)sr#X=u|09MR{I2I+JYgNJT1(4+W+&oQ4n>0WC%(4qOJDb47&-
zbPS~~$bm7n2KoPfv%Pa*Ljh|2Bc3ll)WhOX7G3BECgR+QFq9dgfdA;KTy{p?uJIcb
zm*ts^f5bwvoEt6d(IqJ%082u%wBP_RU}8(w(h!^Gsy=2=L{YcS-1E8im66k26x&&?
zUMOVe74c1JQo2{FzIi}xgS*X6aBoGjn%+C)`=5#wV=p~S0*<Q^aNvi%K4Ag90bfM$
z-~v96IRw>!s`X2G%Ztdgk)+_)`j}Wqf$sb}2k|#^=$O8>zbo)B#xAPeJP-=~OaK4?
z000Wx$9Y2S!e4AJ8%wN#0FOX$zbKlcJJ5#)TxGJwD2=kGyMsh7ekptAbSp7R^_08N
z(piGTYpc}!uJZt@xR;*On_jig{2&KrY_)Loxy4b3c?lJwxKs|Iv`AH=1_ZdS<!UD+
z`W+)>E`3ta?Y`2V+?AW7c=7LV0a{K|kYMuru%R+`nmB{J@<;{WL*=J@fn<9s`a_FW
znMlO{)_wDm=LH(BF(~lzXJvD#6s$wLk<ae@k$OWTbLERjVmptr1J=t$LJY7X%jwQX
zdB2mkMWDTV1vfJa7)eW3f)K~TgxLtgTeA45KLby08WU?rRmWar(2G`)0GVodoo!et
zpC62>7l$}YlWh25u~QljXNy|PjAJ_G%>0Mw5Nfmcu23L5xVfdZJ%@K8{#NFz<L3{F
z@?w_i$w&-J=t5N=sNdgu#8TECT4fa1gF=k25y&i_!l&!1Eqe;;A^azT`ab2o3w>}M
zGqZE{^NZkcVoj&!!Yt$^ZAV2id;rUm^)*i;YL;AFf7n7%Dp31v?}+|+^b4-O$*08>
zJe<&-y#3Is&;e5_0vW@0N)m4VNye)<1gA+74T;{O#DTiJhLH;Y%bxZNfw|alz&&@7
zMgq_x&;S4c004W&CU`}}TL(q#OBWFZ>6^&Ge$oH)A~F0tXH~_gXd>>B5CH!Yc4`Bj
zhYJpneT8GZ+*V0+PTrQz2FoW$!1CGNfA{ps!vMa}n6Q|pwXrp*maJ=WVKqWkjl+=S
z(+VsYult52-mSk-W`VObT^NZ21$^s8*vvR)jB1i@Ci)mvP$y97(06YoaKhG21a^O}
zCzIRVtX=eS;m^ni_yzsDmyo>Wo)yaea9W`98KE@JNG8PuKGI9}rz4&`;c+^bxui&Q
z?oqr`t2Q4W3_$|Vw%kRV<SS-6NU~M+1d)duIM;;l8?}XrJME|g&;NPjsd8~^Br;ve
zj0Ex%aH3FY@ob$IBy4+I>7w-IU|>$Xcny^tOpU^4nDi9Llo?_Me73J!YD|$(y%(`Y
zwKwvTf;l+J2Ql5wcw2r%U@Mp2KQZ%%#RhdEs!{}b!U2HMxw*0QG%GZ{px_dr7?fmn
zufKb#7&A~}&Vl<$TiokeI5v3=?dsTM@2SprQhd3|MAiEmKe(KH7rS^)`t`IpNTyu%
zt1W8-7ytkO000R#fy?iaP9kVoVbgr4Fv}9$xr+WN{W%VF;aKp+{-jTYMhq8*gsZ0g
zij2hi1l>W~-f#`1P=<t%z@8jTBeFV<T)(w=`dn=weW99;(OKFuJB-SVa$uy)IWo@z
zWL}F%kJCaU9xHT36}@~POI0JOL${O0H>sh`#D`=DoH~Y#KJB@2welE<t#AWwj%nah
zvbH{^{_T#*rhyhbbz-yfygKuQ9qoX4#z(M<fE!a40VZk%-Q2$s-#MI8(0bb#ZW0Bc
z5W;|MTVdK;Go$}0UCBN)G;m=tJ*TP(L;Nz_@ZPmPIb{;&&Rt*ZTj5+O@3eb(zpWKU
z*mfbQYInjQ{o=Y5RqG!r%cpSZm*aiJn`BLKa*X3_Wfv+Zd8uMUzRe0F`3k3`*}v5L
z{jiW86wS{ZT3IXMKcbEtK%3L>ei*yBN<23~IewC@Y;)~De#usF?Cit&=Y*5ts%k?y
z(M+!JYKiNpJ%7m6a8_U^{HWijxQJ{a?!+ljRg+9{n3Z82iz5Rif#8d;H!E`RPwkNU
zC5?i!WIyNhCIG#?000000003nbZrq$0{nI-JqTQ5;LT!H+2Lsc1dKDfUF3qArs?<I
z=T7mmAs+B+p7sSIKuu0aR2I93Q-v@gpsz!n(P>d(f)Kn)PLPNmGd<df+E05iG8fSV
zRp{BrAA{qvHdhiZMNp8shf-%a=E)CDQ<J=?xk=7F%oaYXHvu5#Pi37~{nFmMJol4$
zGtc06z?+F80Cx0ir%oXmcpSF<HkwpvK~DQy9EgS@=d&2pgSR@|a2FHs4U!3M`$khR
zY;xKt)a!U3pT|?o)W{!tG-c=o`|oKkmTY00nr|LxEG$HSMD(e&P*$*Cci()4X}%aW
z-Br4rVudg1P&ixdty@u>3+>Nf?=YrYCtWs&OZBlv2c{UQ_UteH=<nu9Rv(;wx7hsU
zoQ6oZ<@7okx@x6*E-FTBzGHO+uHDr`0)P>AY`b|laE7(Vmn7HlPnug&8~$=%8$66w
z1%>as7bbstMnqco_&fh_H`ECf3X{a$Q}ObQv%0%CMwqUL`I<d-DxrA$t_{iS2uYg^
zheE9RqpLDLp@2Ljq4V2a`nWAX(LGTQg|^knR&f~SvJ@wgdCKU+p~=3*06{80%xi{@
zXwu@ce7T3(+KD>k&5Zm|i)+8VPews_R9FpfRGvOO!6mm?o0Yo}#-|=u7Kl+&Va`-`
zI2)1iFx%R3K!wSmMDVNt00000001GruIxacT!H9i71Y5&2v<(y4X~S^s>d?2ezXP&
zn50aA1%u*lmV;z*4)bnF78VvmK#L++uCGxGr~x|QA#FzQ5UWk7jzQm^P@=TcljaZ(
z7mH7dfmc)f%)p&E87j>`AHrMnVs9z()aV;UBMhu@54~ecBVo`2?QGH3!k4&BLT&ma
zC<W#f(d{3X9qqkE;%7k;HYME`pzbbXtwdt`d02Tz_1(N5UrgM*luiizKt!s#KLt`)
z?Qz#Olwa~Vj>wxZs!xq?MT#e+&G?i8e&yJ7x`6HYZOo^-59ll-EbnNMH#kzo(vF(+
z@9RdP+1fobomX$7TyZzQJIJ)Mvu9m#v^m9#CqNi|{p|$Ed4H;EjAb{;G!lGH?IW}3
zvTTY=w8*4ire|Pb$LhWPQ}PT~=jI%Ff!Ux2SpI&e6{O12@(-MOGeL<W+Bb81Dx4!u
z1vJbb)J+!ls6vVy9}#<~!}ZH<3(S<Mmv{)wH4Kwp0c>6VOpdKxdbR8C2H!zWqPs+9
zm=_Oa)v`h20Il{y1e4wGCdl&d964zk5IOTt$sW<oG>{quIZdj%Pexo(s8gN69V)Ql
zme>iqDe)B-UOKo$sl*I)p1$(}`X*CWyDcaPwK36|S%5m5Pua9Kcv!S0pePnG*NL@v
z1gR$*z5?wfeD7n_5z6Thavegx32{nPyA6#Fff}u#c;%;N&HG(q9v?O(1XwELEdC-T
zL?8`}v?r<R)yT7;=C=qY-{XTt+rp%?%X0c2A&1Ms85yoTL8iSWHx{Y3q~3i2YX4ON
zQMZIqEJ6@fWz9#Hap!$M{_nu%85hhkg*rj2&kf+{00000000n*>5%hQRI1Yrf;t^k
z;LLT{JO!)jpi)PEjy!nr*9T7w3E-f=O3kH^BRU7u@cpSe&XYRJsS}>F{5&fg_;=!V
zo<a{+Zg9UqsDW7@#hHn09Rmpqq=vC^<c2(K$?-lXQxDE7-4h=@hNG9^sn$X6(L2g>
ze-W15HVt@f|JpGF+cW@Yk>x0UL7G9+(OT$wGOwrX^1BH&iHGZo;5#A#rK>X_5X`wB
zth2bJN%>MA8iD3YEQX!6+f2SWok`ZnsHeM|Dgjke!;9<2;9|YuYC_lNEhgk#VFSjF
z!Gpye=u)w?4b9<?5o<<<2(9APzWMhkfucBoTZ0ylRK5~Wiv5lrGs&Oxa5yL6bzvUG
z3Nf+l^7tT4Ru&f<-_~;o8m^)2l0H#2QT2oc(YeQjL9mFSpQ3K#*e3LxE6OhU?5R@}
zd=7@}&rPb!`NL%x2NRv^UD)u-0+`FjTOZFgM5bHQS*$!ZwkSN5R65ICb?!t0I%A_U
zvn@Z&gobC!B@(8%)Git8)`XSJTRfBUDtrpQW6t~HcJeRl;>l~Y196=!YF(FQs{{f5
zig@DIEdUh0do%2QX_zQlgr)=c*xfKEM1La!t2Gk~68QE(4t-K)#bj}Pao$hMfTsoj
znF885{=hxIK>k@mPH-IOT=%*3!A%2-wi@;0dUf72)aB>;M)d>oOn6^{DEW#e;AHzH
zujDIKJtLC8mQ1#D00000000h}`CBF;vbLOqUDLFa2+4<op;S<bSEUaNKga{GTRJ2M
z#7IK5!wW7lD{@-wzJWF04fTp0n3P)A@iYJ`J+05P18ceP#uKyIEz0sq`s2tz8hGB2
z|3=X*T;Yz<qintfT!*&=;FLLp=*(<75CGjWc@nzup7hj5Rw!5G^gd=Y+=yD~UdxJo
z*YGD?jZ$3U=P7C>f7*(=c5R+$bwm&CR}osd$txu8zoszLRM8$UpKR<g5il>^YyEO^
z+#{Yro&x}mr5@=3000ixo6I>DJzO($iTdMSq13unl8v<W4IY`}PUO0eE@<lF<jk{V
zB+idrOt>k&B>Yv?am>g9{&H3Xv`yxH?1^tPa|>uOsbj^{Zw$i{XU%?ETRH$I-(aiB
zdgz4Egc9gd?=Hc`XUh&{)^Nxf1@9T6r^tqmp5|4pu(LKDRkQZ=)xRWD+f95^^)6R3
z3;QCI_gf-}E?bBxjuRHxVYeS0V-Ey>w@Cu$VM<Q(X9zK)*#W_jsGV!`g5*&yH=ESs
zx$L&ma4G*toa?fxbc_h3J9B=B2AS{iX(FhdfnzDs+%E7r-%`lcX=Tpi^#Qsh00000
z0NqslY=7oo4HXZdj#^bp+pDjT;&&1yOXCuKpWgxK0*b<Bb_TQTGK}a?Ys@hOk2%%O
z5kWBnSaQH@K^42;OdVAhmGZ{d-_}ptXwHo~x0H|9B-{Cdz6ufvEr(YVcxhe$74>i7
zZCy~7vK!<?NrXwL?_gy$XvZNPtC}`yVz`767oMqlI@>6;<O7M=bb}~Do9itB^qHbz
zu0R6qdo3z~%NpPG7Wa3J7R{n2BER+i#tdV9AGs~_Bw-pJr_=Q&9*qO?6_i82oZ6yc
zs_WK{CDU&0@dXjJusS<oOCE^L&mq6e&Pui~=3sqGf-^wW_VF>+fP#YInQ{?o(F$b#
zo2%z#sx9O*TpSDxK8D*gJSO1Jry_y*8y2yoiiy>N`2_K6G_%$f=c*nxh8w?qqgYqE
z16OBrL&9!R#kk~9KO=x>N3M?cF=VObTQoQm<>BJ#w31?mxJa2DmCUSUTr;~(ee3wu
zv({-2apH1^Ae&*JK3+RQYiTj-z{USUq<tIpAiF?Z4Q=HODlFm8CaD|OvRyfij+paQ
z7lxQfNXd~KVcQ{tYU<I_P^1xa%8AU6EP!zl$D%QJBgF2vy&FY9Tg|BvB5+-TRLFZT
z;(JN#U_MvZ^_$az(-)2{AL|I|?GM*<Va#trW4R*Xk&n{UItyaF?(UovgA=8=g5r#^
zc9?aph7Eedi)xfFC*7E#M<VdWjyh@p001nqMD=b$dA4oyL}eq&qTOaQzxiW9YNDXY
zMWPD*UgvO9*8_h}5|7O4+uo21@g6qmzKkFMpR6|=QYFl{olTK8mfJW$(Ul+P1<ezt
z_nTz}<qE=X5C}7lu4}0h!4H|5JwKO;Cs37>rzc8rxB_%Jq9R-%rq0S&0}Ev6bd~fJ
z8QNHe;}8VF6fJ%V6U(KF_2BwT8v9-xbI&K>2`M8kHxvyeCVoTevHc|?tm}{S<De>1
z%$`gQGt1+irf*~6Co>lHWp2XKM%lJ<Jpf=pe@qOKi+~SRYQ#sNq~XFE*E7;ci4l~S
z_QT*Fq!#sUaqhUcDU&ndGzDaqM<zI!*5>LpLP0Xtx(<VexdLp7k}F}*m3-J42cpt}
zc)L4sw7#UkY<$sO3`$?*c{A|GZ?T{m`usFhVdM-5-qQQs{Rnqbz}BdwD>OUXIrA-C
z>-6}|nyd!3JP|>`V=5|4vr}%|bloG)!eH3GvD9H$ub*ns&`|aXT>pH>Zfab>Am!@t
z<$yHJtWNJx9+0uaOGJK`0rzlyOU%B0wA+MDU@8aO_gk*HPdm%txYzko5!GLVz;bn(
z{xw+hQCe%%_K>KV=Q&68^mg74t<3>T{+_0|hyR}*EyPM`<Iw76F})C7#|c2D(8^5s
z&tTrx>=j~jL3eGn2pdXh)4P^9$;lqr&K2V1vmLnohTM{ZZG3H+E19d=3(=_ji?PPi
z9zUwT){OAQ9ODz<l=gan+P7TGp#qqQ)4x?5M^eg1kWIZNC7ubFw?=$;9yi6AZC20+
zy@DEqN~}ysKZ4fXO9aj-WQ2C^kkT2B`n`B0%;<ms0w139aLxx3OoQNXV6Ce|MAgOJ
zg4VGFwhpTC1PkZY0%~|BbHzZAEx@njSKPWh00$a<(ruDWeSyfZUX>LR4An_z2JxY%
zxGu{0`b!CFO;A~KA$;q+Qe>;;HLU;uWMa;t@7U;#u=1N?XksL0dnJpFT!DEssT9)U
z>_qEfWv7bct|`d6VYcp(SYu#t1aJWfrB=*2uY$V|Zs{%1$+ZwMue96&gep-A340SO
zvdJUS^iT1qMn%C5;lh4%LoeJvS~my{CbFFBW*;6EmR${9>sgT1Re8_FWY<W>yBics
zw8jp!x)&xCZWAIw3n9#HnQZ5jOO-1`B6KkB(FgeIPbME@;+|Zae(GWEY`LMEJ4#mF
zm1l{xlaIvxb4kK1mLsx;w6&z9dqwatMD$b<sOkhn%Ss2&ljxKw=wc0g${!<@3yP(4
zOlfdZjDH!}1$|?mlE~CzRP2NBqjNjC)bMPXE`USjih!kV%3%$pM2zV#49pV4uU&>^
z^A-GyPH`D4|9qD&za*A=ht>|XbGCB<A;NJ0ZVd$G^9jh?i4hz^5(sG$bkHqL5MS^~
zB-X%$K&8u6u@Gqn5JS7xsqRo3Ug%=pTN_Lx^)~V94iB$%A2x4nQu!sSwq(J7pwG2A
z6P=_}kATYKM?xwN6ZPw3Y5lBmz0spzE{8zes@d@5GPTCM7y%F<GmxEuY06EI3E=iM
z)CRdfe{1NQ%df-^r(dK{Rs;ox%?_bmOd2_M%kWiWW9pg@aRfzrC2!{jOXUPPBF?4A
zG-)U2H%`mh;wmdQBdgMvxH`8l>y%za)OT*=B(6eB5A=J$>HBC!yD)yzBk24}=W-iy
z`ez8&4{Pn$%t-D3b9!lY1F-O^P$ATn%x`2h4FwGV$vyr`k~QVkE1t)^y@&&t^o0ZS
zpuzchYj!ia-rrSIHMj_N8O`DJ>;Z_NrPLnKgI)JgnHv~GG^Pv$4wy;-azhmB9}@zP
zrIEtXiabdSwe#Oi(X2h)7be^G1S(y@EuNSdGf9P(fBJGT@{4w~B3X3@xdlwx>#<+}
z4G{1LDRS`Ex|;0HRiFR>4T^$E*o}(q3D_OzNeVl~dv-{6SWF6h0Q7-YmKI2n^t_ay
z0BD5n>MCH#RePalp^%kV5MyzYe0%FSBZx=H%;diNT-rvlqy0hksMS3i33sOl4>g$e
z!bZu06Li^oR`Vn=4e6u;H?wsiOdQ{)MaJrlT-Q=1YA$a1iQP!q2m6dYm=kKE9SJ&j
zJ(^JwBY*&^$lKG++E;1EtF66R+Il8PwQSVrQ=K{DoLfO%K=8ewj-+59E!Ej2ixbSL
zuQ~BqR7pz|ODre!%Sb6=gc*>n>ACggure3CE_WCWbK0!m8X9SOegN|eQ`HX-8iy8W
zD6WdxH<gVxG}T=>;mMo`lCmvPQKSbj={LFRMVsVavguq>)CcnI1c%WMNH@zKZ&3DY
zDcxg?kdt(@k)mN8s#x`cWC|7($hwmyl3@d@=?k{;C>oCqu7R;rqq|IjKP;+OyUim$
zr2*odWGMoZNr0c>kyj+nl63NM8dy;2D-WYZf9zY>V2_S=fjrC3J6gD~U|00uq|s>z
z_cJ0iD^1B}I3zfNzhYq#ldhf2e)T$17>cO<1*stj2UgvU6^TyK%J%U9wHB3^(S+%7
z&@<U%8r>DmtD>&X?vyC57P7C{Sj3lw$}fM>GzrOwe~DlG+s%e1>pk6P+)Whxu&e4<
zuVS+WBwg4wzbDMDj-rU&*ah@P-HJ(4X=#(*?4Drnq?%O8-H3fN7~RXcP(scSfSrUb
zcVr~n{V$b$Gg6h_7P78&@1j2VE4^>^Mwoiy?qq>8X3Yn5ca6yOS|4!YRuu~#F0flN
zk8je}*GnXc8fHp|ckAVci0u1D&x(I7=ofZd_ompJ_p(Fh!T-k#Z1xgWDkSJY-W`x(
zXLCj2n>9NnE8;=vOO4={&<;{Y<kAb0F4QPx@pL!TqaD=2nbc@aP?Y4$6d=Q7m2*Dp
zxoz3{dl$Z!VKPgq5Zt|tbWP_v*&Ijo^klVcC0(Q=V)x05HSfk*x<lEZR=ME-(t@Cl
zRF|>Hw{EU^$vCxc965VKLg}PPHD%d!K<vX7b8J#Vy)C+fH6Ty1^Q-=e0000=${;%|
zk{~-VOKD_cy2ah=+^eEd=@VDqbJgTJV6s*lig4JYB`=svQA%(CU}xL16(yfF5r}@>
zfR?brnr1<PdP6KiAhpI!i}`^wGdW?ndD@$+%<?qIV*s2wXLZWs0b{P2pJOctTp)?D
zwVR$`svN+LYs1aNVW=6S5uw539%$5FxEpxcKm(rC!v1C|*=U_p{)s%q>fiTSAA#jd
z-@wk~tw8BEFU3{Lzm@@0Eep!Cd>=iif(AFUz_{og^Z?19tw~_Dlk^f{^o$i_@pj-0
zwh@pz6m@j~_AN~)3MzMI-0F4bb~CLs&-^(u#9;(<<$~FdBjOrzpi=JkT;ULsS%>ar
z02#M3SKko;4n#6T(t|J$x)-t-r-c(2{)e6oh$T<fLY987QE8{(GgQG~1N-H^-jaL7
z-T+{x;#z6o&VqM>opHc}q1UTFZL7;*c~<^kIzx4Jt%fA8w^rK)ol>~ndM<soUe58!
z$sAqXd`p6B4U2vyY}KB7Yhuhy#f1U9fwv5?Aq+{44uKl2pp<qF(TuDnE$g!35?Zc%
zRn&6@H{GIT5zZzn4}$S4%<&GMF?%7oKn<HpXf@lw>m-*dDJ3=Ye{DG1CGi&RoZ*eN
zxeyU`+1mdjr{p^4P--T+yk6%?^igK^kZ+P$fUew@b1q4f8Z+)zCIFww0d@w3LY6F}
z{I1?k+3?J5<t%8tFNjw`U*!rsNWXC^ir3V6;wN9+mTm#g7EJ<`)3RXT|1UOrB?r9S
zwtTPB5)NhboCuV~ej~+$g+0u5)mNN$7I<o@CG3=>0lf-5kVX=k@d)11h+N^@n(b?e
zQ1x1UD{a)3r&rkGhg=yarD^;KPbBavS5STz{5esnK9?b7sA0Xa^#n!!hJGQpD+d(}
zT}6h`4kRRL?tU=Mm8yL>p6hNONC)*}nr_K%O2*OhXp+n56|7gLQ_L+-PB#(C))nnB
zM^Jl|bc5*svVqJf-UEu0U~upTIX;MjAo@=NdA2_PhddOok!jOnIQ;F4dqGX*XmbF$
zV_mVP>jYg71||ai5YYioBdx?S{xG_dkw^dl8E6HFpw%5dp+Y!=QdRFFJ$@QI<E5J&
z>$DIAIjgs&zzpbe?TM<g5tbDbk+QRZiGFz>0df)_qYwc}m*V_nlscHhYho)d=unzs
zi{rksr2;AJ@p)Lb1X0}!6E}WZQcw;3pQ|{{u$-iKvT9G7v`UAeNDqMhX9gKt`MNv0
z49FCgs;a$2cRy_N$|4Mho^Ae{;Eip?w|Qmm^|z}rEo5dFwno1}k>(MeIonH(Nl{r5
z$CdT5VKaU1@{dz3)OksS5`kcTvVhGGOy%(|SydY_-E#;dLXWt-FaUb4_tq?7psSuO
z-8}<qCHLWfa@3ajuPGHnl|FUJ275IPq?nO98sr`Cavw9!LyRUjT`|IZm)^@?!`QGJ
zK~GEX;F%*Z{~Xd2Gc1;LXCME8rpY|A0l0uJFkWIZ$J~8eFyOQN6Z!+5P_JwsG|-Iv
zvN3h4`d^lt2)`1!Vi8q<w;-h{4gUmDO}gt$y>%T)kX)d!nLYU!(68+yMs;?gmSN$H
zq)WBw+&ut-7dEZtn>UY0W}0p!`xAl6%y+jq-=0oKuY-Qzi+Eqz(M(2HnUc#UQ>YrI
zVqULAfL=z-t&#6=DLKY4<$FJt<Vy3D>4|P$Rf=+ZRRBKb?iO?&Z1=$OCj-48b9dyt
ztAS8)Wc3>-DpT!m*r0@b<-qErZ$Bq}XQdCiYR<d{=3l!0Qt`Tt#4ZqZz{2#!k~~#2
zkl8(Y{PSZ+qS?l8cYL5rW(POVljWXVCOugCI>_lE&;dewGJOYk0XWppXtZ5z3SUba
z#yD_)o5BK7iRS(4s(^{Xpa1|WaOYmu>r*fRSn69$`pE)=uR|8D1T%B3GEn$mG4*Rb
z06-u@cp8p90@46h5?=sYvY{TM<yGA-tzMHpfAA%OPLy2G*Wtt>G9u#1r{f2Z3S?5|
z88zhEV+pi)+F@-j>^%ja%Zo@5DYLk~Jzt?7*~+)JdGa{p+^KgZMUe4ZhEPw8JVH9E
zbtndgf*;{!kBNB!st91Wcv3q=-nV^aTiWA|gx;<1(HI~6yGZ6zd}v-*>FAMn`bEuC
z?`LqbMn?k}wh%%Q8*R>}5}@=YdCdPmPPs6nF(8-q0Y}r%)SZ|B00lgn=6ae$pWP2H
zh|>i!J9K)L0ub&7hxVl#<ghtfPHwfAz3;~BY`_8<8AUf~LLb|nTjh&Z{mgzJ@)<?Q
z{vdc!4@3``1^8+J4t7+#sc{w!aqLDn`0!0@-3O~aR2F;Vj`o$?RwaXCEhTmtGmYvM
zK9tL*d)NGU?Wej&a^(%GCLRfI0zUucBh`rDtaDQ9i-~+0#-8A>Ge*<nqZj}n>6K3T
z)ds4lK`U^C@U=|dTD(-{c$ilp%ud?!`HxHz&B=!((owFjj9Cr=q7;g7q<1RdU|mCa
zzJ~f~pf;9%+t-kL(2*+X^A--5R%hxuo$i!9jiOq)ge{i3NQZtv5Jtq^&dA^eHUuiR
zVCq~Y)_K$ZxC8fnY&F0P3~tcShS~1(Ns?)%jt~5dAtGdP#mca>P6gQw4nHU&6EG^E
zKnJY6lvAM##VacXL&*4ozDj+=!a1t^(3;(%d+vogL*#{C3-zeY0dWiHJdh|oJnG_X
ztM((E62>yq=4L90HkmEi6-XO^CT1?<d1DovokUm+mc;n4dUgZ7^*!X>5KYl~P920D
z2>w*cXzu?>ZZjN`iyt;n+C4A>fGj}(37Vgjm)J67L01*HDT$LB;@#`d-Vd)d9|I_V
z{G<Bew$84&hfgXIiEbUhlykPzUzt&o2kEag2hy8-G~ldVh^5!CVu_Cea!2ww1Qf4d
zdJ7ZyC7RIa+`G6ij<yX!<zLx{93swz@CG;V6w9#PeEX(lI!kzXgN3ZC@hObFkB50s
z<)sN}FzbUhi$kV5RW05p@c<{`rfwG66)YFoSP=@*UtdE7T}&Mh<C4dXx*V?M7G{Md
z=v|ZnC*KT>h0zjlLMrS6GcNr>)}r>C7{`E|(v#x_G2&b;`w9)>Bl~addC3P<kFZaF
z5TF7@MR-DU@Qmg4yV&MrarEfiK<cB}ZaNfBGEN#(AzF#XUWP$>mwqirt5D9*p?V0C
zHC#FI!7`X&IW@Vub}mwuBeo`4jkW*)0K*;nxdYI^-^DqfOK?PuWM`?5uhK6=5Pgf9
z?vEQrO=@~d0;jDTfS4B}-8hwVJhlBE@N1zq24@VV7f@UBu5cCYcMh%exTBz-rv7Dv
zgNu41vzL|t6A{+z9Tj{Up-@c?9)}1QiF>Y!5KX^}g7Zt%5|*K`${bvb9jr>^INc6+
zdayxJx9OFFC<AndwSr}cQNG6-EZv}h36n79HbUNb9b0PO%r#lNu$V8YU_Xw-yWRA^
z`8;zPi^gClJPT_skwW@Y9%B0P<~{GqP+NHdvyi#GSO9j_?l!Guv?h;+ol=Ny{cBhB
zxma2SQHfQlmW`Q=FBFwGk3$EvTbk<VzKmoSy8Ch-Mb=x)BCdALzmcAqL&0UO>`=#?
z2!4ohOU14Bz_%7aB1Ir!3jLR7_@^$9ko#up9QfJ&@U`ngi1Z{S*$F3^)oMfd+c#RV
z$ki?k<r@TP@fSiM7h&k!ZIJp!88#O)emK1I{{0~%c7{+zc2w`3kBZ3;0~2rHltInu
zODY~8Js1G68$tkI=S?kq*j{c6N4r_^&hj1aHC>*+^~I=O>Gii8*-{Fzk<M2XU-_u5
zN4y_iXgs6(_1EpdtvMEKcfWvMW>0_(ReMe*p41L4OuE6tk*77yl2*APr`L#k8&A~H
z7%T;|PmGy?3KGMIsLUZ+=hhyIw+3C=%uQHM=R{3aWbA|<iA`wG0~DCoWG1LL6K9>W
zZ~t5lmQk5oQ6b}g(jH-`)pzm<I9y&)+~J6<_QnTcyvnT@WHKVW1`V<T0tgw0^&$%I
zA_`<HNktpmg;~j|63|gi|I#1qv_W?0DLrqcf+-Auj3E2Q2FXmEzPu;;19p;qfC!3=
zrQ-1b00I|J7;j03hol6PD?_IjpKJOhTO?$xExGDMwta2?UxNRtwYE@IbZeikEN9jv
zX{tth;M5vRHmL`sMUp-kK&h6$Lh|@xDBxteyX&kB-CE-Pabk0ZWk0CU0E3V^i5a&*
zW&AcSP^uooK1jW=yp0K@^YV%}85Ds(+yDRqQ8JS(VFFjblQPLu89pWe4hZvgGmgAt
z)~@KP${lDc?jg>YmI;vdc$8JcdQixK&*ygRJvc+-MjiLWr13I=fV-on8)ryCE8d4C
zMJ3UmqA+$k_j-EVlH2tlR&Ne#LAQ84g8)L_kZ%+=P3nHmcv}xKD1Kp_8l&I|m47x#
zQO}?3cQ6xTH3odt>Fj|ZZ0Pa&Vcma_)eaaXR=n}N7YBxuSLp;YOPF?gIToJPd=Q?4
zF9)XY;NRY$f!C6mJ-7OLn1O2T8Rl@9R2V{0XW8}?Zbe~7e4Aw^e%htdu;`?3K)tSr
ziYzKQqM7{Bju^1_kq7J~92_0a{Jf14%gvf%;govV2o^Da{x70gR_)>pZ@)1W#*ip_
z?xQ;$>);L}lj0^}qRGg~`4dF$H?}JSmg#CW?wah>R-GERfs^@1_3O?7VGLe8*^1O7
z&YGWHEu7A^l7yXm#_DTs5z9xK`o=5BW=pQ3wEkluvYE({A!@3f^f{-xNigG+@S!l*
zM^c7|E$GU3rIO{gR?;H99NmmRD}vIp3~w9e3$!YnvIMUPv$?lvHzeC3a3x0!5Okys
zY_>pvQqI}J60$wLwyI!@tipm&f5l0l$)kfmVU(t6FT%kXAvV~a@9a#VMLqLjNc&i0
zBWNj}*ks@U0M53Bey4|}xFku@m9V6efGmr`hA!M7VGyAJ7f-2LP&TjMBwYseYhy?0
zU6T0EW|TD{7!>x+!GLs7Zw$}L^4eiHlEsCRYYBo7+S0QZ$>QLzAdl%zZBHvTbBjK0
zP-TQgBIwR=0e|6ay;~n`ckzn~Sy08_3~K$|^D3SyQ;K2LY41GNUU3Jdvw-VMbZDuV
zRI(nx$PndX21C5>Jw2AmEd-Q1OnKHI=8ZJmdbIy}_Y9Ty*Npe44lH?YHo@ILo$X2{
zA|Ccf47NXS>EBRNG`7ow(XGs<NqL1L*7*ik8-i;sh?yG6qaH(=*7Lo+u+N;YJbKw2
z9STv)M~fiVPYOuO8<ED>@F>=K(D#A#L<XF!s;s5KS_HuNw`f4v?0B<Qz5p_1;qq(L
z;x(^5sSG4GQM{=WE&(~N!VDsRd%=)xF9Qs!EM72jPAf5Z#kwDPuNT_-JaLJ2PrgnH
zy!9-d=wk#U)?&o`GmG3qlR5bZB&e9x4G41F3x}!v#ZF`M9J|-HU#=n56sVzI^thoo
z0+irK1?sDR?_;izSjP1nx-dB}F}oMl%@)Fb7d{D3#)pIlNPkLxI_(FjYTyqhegMLT
zXepS?uE2iC)j{f_iWimAtTnGO4QU=cIc=^m=JeV}lyQXhg2f9!0Lq2%Gd;#zEl%oG
z3?n2NSm-yqF+T>gS6;{LS&V^(W0DI(c2$t>h^|h*Kk>w{!-yUT^}~h2TGhsEdhX%0
z)Q#x**sYPn^;?g7*$QOs<zfiGZPo@jST_o2G1VA34e+|Bw)1$f8fP9xT-|*v<<bl3
zOw7VzLoZBols3!APF8hk(|~8Ix?|{&r7ZhxCLH9VO*p2MRRfMrEkTIAuOi*V50atO
z)prs-Vwb=r=0ss%%F^X%Y9b0%8<@!!fk;)lKNf4m8gsx|6hu2lDZ?A*;19*wW@ZKy
z^EJ1lGqmmze_3aFepGN+NA=rEt=}BeC4FCrY8E3+V%yO3T+e=7bt7pSnxFvkn<b^$
z90*?m6ntoE0!*XAcArpX)ZJ#9RR(cFK)7&yMu#~h_?2IY;oZc}a-$BA000Eb7UVRu
ze2A&eFy_KYKEWkj!sg_!>>JBF$-VM<^k9Ym54O4eG;8-yCU9u$y7N+TE0<svOmQWv
zCbTEkaAT<gq+vQ9iEOK*##H%bx&#`FjRC;CnuV~A_8s>h0HFpT=O^g??UJT>-)mJ9
zVC`OpTzxLi@Y}Ee00hf<sCK$IIaGZ_m7mztZaBP`q(_!h#nM?_Fn}rMZmshRnd_}_
z0NkbH$UJu(PTe>cK_?BB%p6G@^-^2dg;mVyE;V*s+U;%Vf-Vs7O?qU@S7NKFqGf$H
zO0$n@YNokAj88<)f#@RYyQP<&=zDS(E1Cc{T%vRl!q4wIC4mP8EQZY{Idcd=!A_bw
zR>u_dyH3bjk`+N+-a~$2g*Ioq`=}fs$_$LYn<~V^??|uo<}Jd3tdVXxsC%h>OvvEb
z)h}?GOc^Vhu{7EH!wng%Uk{X_D_b*tzIiX^+}IfNY*Mm6qKVe0pHXj3;ZiP71z%S3
zIb3T#&G$g=eW7BeM@W+XqYvvyt{PvEm91Ym&97vX04Ko0Py#^GXbdw&;$d^@dz%5;
z;mk1#pYw#H(qBXHY<Y(HkN~Jk8Y>w9F<W?4-LH*1^_d>k)Yb_`v&}wuIzS4qYWPLN
zODA|>O23@zs;J^gEU8PunV(7Kj~}R#EY{Mlx!gY;O(iY#{U$${86|S#;eFcvt60cF
z0@1V8i(Mj~Tcb<`Qh|$s=xyGnO(X7ZpeLHB<}sVDoyvHFqs${mh}Z_<QO!geBi9IT
zSynJQ>1z#tR5Zj_FZ2RHC|b?x9;IxE_l{lq??Wqsf_X3!v}C~A6e+0zzO@N+MgTjP
zYrePDfU|Pah(FMNd%qS=M|Clf|3c};nPZ_0ReUIjA{cVzw#430S=#g6%UxHlq*1z{
zKaX0+NZyw=N0cU&n(qZDm!O0qvFDPiDMAJ-LE4;OLoRgGB-~lv?j3x-0tUqDC@R&?
z!Hzc47_dM}7JA7L(VJR{G1<p`D0(Fa4-c@9b96FTnMe{b-NwN0MN!x3Nxl5Yb*hJ>
z;QuI2^;(_~A(o7>H<ID(0ky%AKeF3Cb`k@FEuV6tv*GaA$pfxWQ^jiPpkSF3BFmmj
z4N&A>8M{v+-+VHJJqq`U%uV&c1z}T%GPRdyW=TXZT(gJ7kp5k<z9lyB=Azg$SYL39
zF04K^{18tqhf#Q7r+lH~Frt`t@Iqu0PPL1p6}pP5xl&0DTUX(XZLD;)SRYpY-<<ET
z8vG%@9g(wywI|N-4Cbei+*3+hjIq4B9oi+V2mk;ByW@^!v@-v32%PQcqjDxA(+>K&
zd@>f*)%FJ3YnwqeGbhx^DkDEYabAaBH=lZuH)BBc*tKedr3~ZtB13{5z{ODpzr087
zZ9pUC6%t97lsk)zzp~%*M9Ga3c@V9)5ftb(i)^P7kvpj;3@h8o3GLbSMxmm2z{hjm
z2w`MI69z^bmeF@zorHD?2gBdiv^|6@h3(5bm6dilwvUu|Ib&!DRXji`uwIX_Q~Y~^
zeRt0ZO6p9^4gdfFNhq^{mq}QQ8vROtxAcddLl)K&IT69#A&B6rx-Czmn4y!>wW%16
z;FAG{#*~W!3a^Lrt*Ij}k*YRE#jH%1NdLu*K5MJYKce2S)~3qU*RF)9lc;aN0R6cj
zcF;DmY?tizOgj6?PIs{K7KhH~_G8C1{K6W&%{`1K*rKgm?P-xGg8sC?;c66w<Wh3=
z+bxoMdgVc+1Qf*=Ka?Mr{`u@ahE{8)gVbupO#ES!`c#@Igv)S;yc$JE-+Rf?YN6ZE
z5nWisy`)cr1mz9?G=k5UZ0b+po+K;C3$^HN2(&jFI}^c8T&%?Gprok!x9aS_rSH!z
zrzi6IxP-)|Rme8i?e_1D7il??`q>B`09~(YUDB|d?dDh8>&w%OqI{&b5-u{*2<J9A
z=3n$flyD}idc-K6#(NP$x}ONOrup>M6;kDHO2jsqzS-ZLfqA{3fQ1!BItlGF{8!DH
z$NmNY0F23B`|RO;RJ}DZOV0^bAvAyq=oxt*SS;cZ+rxYYoPi^qS|1-fsOSP4>XOHc
zu)S%IHicy~N1L+O4zt1u2KO)9E~hiI$bo|-;I;U$MYY)j{1d#s)&;tG^N4!xD-BCc
zX0vtC$x(KveGhLk2DzHzXf0wPqR;QVGY~f1Qzn8_ZRCFN+8ZGCgwF2r5p2qYijlG3
z#!BT^<-`21{6{Bipl<VVxq+1k5uJ9efbLW!nnh%tni{;qo<`QB5W7iS+O;&4?$~YU
z((RS_h~pT<u-rmmwl@wRDguQ9qPQIWpje+OWW?hMR)i7sdsz=I-Iw}^EuNpX07+GY
zY!;3-fFv=PT*thE0`dvHKeI-MYpu`*8GlF~-y(pCD`5e6P$7Xcsn1az4y!l3=#g5P
zXaE2giRJ~@;mK<DoGZ3z*S5B_kBG#O4WdDb=urHsY3Nxp4Qg;^HN7j<^|!?U&od-2
zbwg?pCa2L)TFZ(DvOAGz1g8skHJJ><na;*NdK1WUO{7kz`;7f@;={u*=cld$KXrc9
zau5l9P0LO&J?xyqP;7pv(k;k`uKh__#tiPQw8X}2#=`$f@0PQGP=3|Zd$@WSbyVqe
zm(V+oBV8`o=b8@dq}+njqAwNC5z9^53GOsPVk*B@w4-VIX8^BMM9y7BUoUK=(NZey
z$KXU$0E*-39Xw(m+_5G>y({y!gQ6aI!rb=dfo5>_K^N3te1(xGQS33C{QlEy0qbyE
z!*Yj#`#$8}_x(M&i;$_l>ZQ%c_zNVot_)+5Jqw;I3_FR&s%iEj1^7r0a(a(+1gTuT
zz4l<n1*O#_sTuUeBm~PDGr#)MrfNymxK7oX0C+L|+blcr4}bsxFkKnx>oo#QoHDVO
zZAIRwk^n7b5U6}X`#x-qqN>4{UPH+Hr$<X}yIO)&X^<w5O^4B$P;Q#e(8d-}O24@j
zsZaN}#O+Hn#^@D57NKdh%L*o;1mP4w^Dz1XY4REfXLPD}f4i!bhbMlsXJ9+)ewd!5
zS!wfui!od(U{b-?=1m7=z1k21zrI?+!3JxIp0{MuMC<-w75{w-S!GJ`{V;{pIRsU$
zT`yS!#E|49xVP*s^MF6T8cWvOi5R++5VTz*{}w9I*4Y`=#9go2=Kf1pc)i)6N}s_i
zlRP)?{X8%A?sRwtC8zY9CWskCWV*C06_M{g=KxqrYmgNZ>QNTsHrFbAFd*mKGX#{H
zQ8{HhBt~Ufii(k64N{#QAr9f|`FIgJ8d0YppH&qiZ@kjF6U~xn{w;Yraz+H%E@NvU
zh(5fr!{F$WK|`#xGIi?iMi-r<#e7YgMkkpoTu!*kkq;$*wk`zT9zXEq#0dLN)l@ql
z$67__V?0$H7qywd@k4fLGY*6P1LPfpw(hI<pAy3|Aka#n3tEfd_K<!?iNf)+MjvRf
z_L!cUfE2lDbM2Q%<bCn$0;F3G)_5?$M8%Q+9GR&s-O!ve9YS+uZu56K)8_D@$Vq!P
zTNxqsbmY$xONEt1kV_wke*l=A2^ygPt)fhW#Z8c&0AnGYNZ^R4*I1wb<f7}%IB$+o
zeC{FmtTSsh-aC&jPn83i!H(D1fazq(9?=`6CHqZzt&u8yL2hM?G2i16;cK#p+?`zU
zti|X8>#m3M=EE)bM8)`0wxT&-8AmJmkW}~+KmY(o`yFHy{{W1wIHF#-*WubjzOQ%Q
z!gHFMt$v&+vr=QjT>bmBd`CpmTLyKxG|IAJ7DrF<0G%9hCz+jhSO5S48HVjq-h1U}
zHNSjW`vZQi3K{Qb0ZGY?d&*ieQi05iBG89)=Yr=c5cBk(mlZJ}ay(|N7>b0YM#q$M
z0000u!;X0Y=&70HCxW*`2~EK2c)`RSDxx{&*hB;58Czx&_YJlR0C~i(x_H&lC7KH;
zRn0;i6gC&3ZuxvkV4+0vjovdwPyieJGjh*ZZA-p!0+KGF)m-KwT(GC<R!6Cs#dP+H
z>O{N|8t*;iHA(ILz_)Dn&OTQ`?46u!RJ&z4)Da9MqUT#L>S4;4>A3%Q^~n44$3mN=
zK<2f-zJ)(d{QSDHJ2OKS7DL?dmY%9!&w$cRwrj*d5WL?SqtIsCh54?L|BDz{2-<Et
zq+6~IEK;6Pjj~HxHwh~Z{}uT2LR42YS)|aKZjAH}Vjp*r4hJ$)`^$+#9VhNb$HJ_P
zDYFo!6!0MRq>go};(dm;2*<l|e1*=(cM;B}Rh+z?+M_JtnR!<<6UE=}0)0NOFE8Aj
zgYO~5MDm~*<PWK>^^A^JzN0-wh${f&!>qdh9u7OrlH089oGz)2Is$=}%!(hHl!i$z
znclekW|-2rpC}b<NeIwqjJFyCxiyzrJ8!zoH||<lOn*mQmj?Aul;q7%(F=;BN-r&d
z1u($?P=N+}12oiK>L07>_1yw3<+th#%7jyw&3{@}dfeeB^fUe0)j12)E9GSCdK?fS
zGghZ&-va{L?mA?yW{ju11kM1oF44fsh2!z*)sSMq@IaA7I1mcOCebO%=Jybf-sO0V
z$q;HqaJhv^K_(4h?&z)C(TXh5dGS)z8%;j0%g3ot3$oDYe>L`X&Vlpaya<iHaze6q
zDhhthutJE#InOK5%DA`mFR?C`J3XLe$+D}IVSOGM!2%TwgV#*LSECCzy;!_mEqW#y
z%G!2^catP_+h_G--1-{Z6J$BjA5D|p5u+#nK1<#d*BJ4OhQsY)bP@9n6N}t1*1&TH
zm1Jgc1m=lLodcyeLf!$7_<8zNXN)9>0009Ss~l^=a2j=wLTGszzpbD~EBfyg1ViQ|
zR&Ii>t>lhWM7%p1o@0C^QC%zjBZv+PG)dd#@jffpJ6q``M$w|gNw=fTpy4LxQ#@!P
zXms#u^TVHrUi|V#h*Q-n<O&MFW<XoC`D@`k#|+zlizbiqW4u5JbBhq@496GdOhX?{
z^<QYb1&5f*#+ah@1`NqiN!md6ZIq6>0EUYQkJG9x-^%{-4((C?MLUqTiKLBWp4@6=
zb;pHJM<Yt*0q6NS;8yMKT(Q&)(B4pLC&<cXI*)$*n??HAO9T(a=;s*g4Qg21wazD9
zX_wGFI@Z095}LYnE%5=hA2%%pI!1O?_clnk2!m__>OUEjK>ob0bxE^W9zsgcGJA?u
zYai!2i99q*b;!wk2c7N;<R=mkIq+GUI%V+n<owN40mSg&0016VaJ)u1SqO;}vq+E1
z3>oUDV8t)YWqqT`#MIq?n})_qDcXEL!0n(^#wxy5@wE8`UScgE444}5xSEgtL?ahi
z>NI~?25gls+Y?P1VIA|~W+7juWENp$?Uo0%`6{ghjSL-Fp>tiSI1g`?gLwV6;~9My
zFZzpZNIw**s6>F*9;${fzXrm!EurCt9R5Y3v#@X>>>kRBB1Pv{Ji!kGs8%Ex>IxGE
znB#5XR4?!wI|@=mdRVDk+dp??E#@F{O!$cp*4{3kYwb>vzYcS^VQVjs&Q>GQy{{)R
z6L`nR&Ya9Z-mFL|d;(LALe9zM%HNc;Vu8}z((`?5N|977%pg$oz?+CAGI~_i!SyNH
z0gDV-Aus1yo0NYs-ITaJ8#HN<8V)gRB9HTcJ2fhV$8k{Ua(}VA0d7kP`Ex93f#@|~
zNJC3u(WvBwJmaQ?@aoN+#4c-Kb-k@e(I~P7g8?PpJetwqlW}6!9K`Ql7Q(`4pXZ+Q
zfB-cP7Ac6nJqA)uhnBaHEh=&U)ti2rKi#-WVv8i;0H>H9nEe5c)zxFfrn&XUMX|Wq
z%MBZ;$ZRc-D8~0LjJkq8Veq$OagbF^p@4zY3J?SrzP+pwUB6f)t8QY=mQ%kD5D<`)
zMncx%LoA6Z`=iOwT{Q@tZ1B>y?7~)!TFux!3$}g8uO5<MXCiDlRrmcAJhNN{{0K<^
z;RKcH_kecAmPum|q<SYcryV4oY9luio(X0FjTHBfj!`c5l7k%URfc{QNrE+zi!Ss~
zh|^k_v4(BG+W(8obEFsFLc8=GV%gM&AfLHg`j!9y01)LQIRfF;*v&&@uKw(7gL(Om
z(mm<|4*=7km>*62o|i`Sv!c#L9B7=l&e_`9G3sqOsI=ZU14dilglVT=siM|rJEW6W
zJ{;o;os&g4(kb8UcFQB5@tv1e9<LaW5n#z`z^sJfG{9J8pYxzA`A;uL6?epxv#Y%M
zG%ZfgnbH{?sUqbk`PZ%|p$HG!lxUOi(mw*0d0%F;;ji8sV5H&hhdv82Y3&A4zyJUM
z#yWm%cb__{%<mFETr*4khWSB#%jg{km)<7xRr=^5@R!_A_DnHE2tmB}{M#&?20BE8
z*An+zB<iGC+wyg{B{TsDJ&S>qWyk4y6%p`TfWwlGI`nCty36T1DPY*1oh^R$?EW=y
z@Ofn*B15?ZUrS{2p=&XamGv;p(t(?d&gEodzh(+}HuWU-vNH_$dQ`dVDN`%>+?F#m
z*{Y|-^#J@7zgHOgSdSV2$GV+BP148lb}K=~G#<OuogwC*5&m~CW?$d$jZ<w&XQy%v
zq&TIOIJipt3kW1nDgmCSiNx#AdhG2BV;Q@xYPBLY{~kds^B805;pihw#j@vpcH!@e
zE6BU;A~0z}L8|Cv5rbgK-ZPJj40S`pqP0UYvB2v*GwizK4CPGt_X=uOtDB|ULx?6o
zbmKp7L$Y=n4D`nkHuhvnuOb$E6RnD2%GtS=>40tBO*{E}J05TWfqNTA;B2vJED*Ws
z{Y}VI700Tu8hU90Hgs|UL;ixBIOvX5BPsGU(^u|U!h?~!mN>c3PK9L2aRJt4kdPOY
zfNIqCXDbnzT?TURUS)^!#|4+J93nB6x*Zv{Qo|#8`F(~`>ef3h;<qdH!i;q}+wCZ8
zIB-XXvz~M#bI7N@F+-ZL%GM_~%6N~1(s@0ByJ<xJhc8`NQhfT>$j&jMdTD`rd+r<?
zl_{8P)q2Vxpo8a~FY0<Ap7xd;(38)46xCwXwv%{icT?~t55nsyr_^XGP*B^}L|GO=
z9Oirt7>b5O9L;DCKN;OcL6rvja)5?6B}z1Z=U4y$0b|2@pwFa0aYZuf`V&QC8>HWJ
zhkiB)-3B<;zd|o$g#TztjGiq>rw~k^{HKOM^k0LTV8eYsHh?Xn{vn-q=56PMs+E@H
zFQ9%zYUaK_E$EdWI%`0SCs$qc+)Gb3n)xA@Q;`l_@g?^AGkfKY(fhnwu>2|9-a@Y<
zYCwMule_)?zyJUQ%$(hRqjNU^?}4BB<0al7<JW?qHt0FoVNbQ<VI2X{z?jU3$b&>t
zIlvUS+?*4VP_DM17N>;Y#zyi>#a`tkS0u`N%lxa$vj5zdHb#(BlSNU1Ki^n>ptgIW
zMA1XGlRd!nf6>nNFe^qU6<LPc(@}BsBVm?nkJrwOXov47gk|O%Y7^l47;+OP385;k
z9CU?Dg-~?iYbx;lX^-V*IxG7eT|^-yvkz}k1pC^J)<K(jR%HDGaVBxP;{dNpLZdKx
z$%u{n(Uh#GE{2h5q8c|@a%4<CR#419J6eB4KQgy>F_j!~Zy5JXqm}&P0FP?M65t+=
zUryi8=$$-JM;M~|ZCzzt6im0@rMtUR>F%ywN<^f)q&rmF6_=GRDPigEl12~-=>_RV
zQo6hDKJR;<`{~Y?`7*!xpE+mp#2ngsHL;Xn(8>vk0IYTmQ?+UH6vZFtRI*4KCNFf9
z(5rjd`%bCBiH&FCZ}L}aNOIqPjO_6P4+s0gb*d*pW{zI3IL7g$JJVi6Qzlnli(L)%
zTP;W8S^`$HAFtJdQFq)`B0rXrZWK4$70~kKd<&zXu!@rF>UDw-XS3_Lj;s^PFo8Bh
ztA1a2|A5>Hxs3}7N3Y_Jf|NiG<g(%8hER(MpVw7i&t8%xfZu`w2rMSF!ySYuYvEvO
zS==`svL1Y)n}JN2Kgv;vI!-!vH<Yp>^yN+ZUmgoJao=1n@Lo|>&sGbv3E;6xPBgyc
z8q<#bjMfi}dyvm*jG`h!+9NH@Bu_ucJ2y5_5Rg3}{7riSXGCu0y|C6;eXf|EpG?8#
zj~5(i4}B@xp^7)<a}?OY^He=R;@ekPp<ht)zQ1{{L@(rL7}8C}GoZ|<dRNBOz6#wf
zYkhvOoiiSLhDX~kB%M};RXc>DJW_((R^MK{RzmBZ;1!qG>M)>gdA@Y6CG4ib7>R|?
z?kMNibW&VIcX}79!iyaoyM)4=i<mO^D#$@8oXP3;o(@Rt)^lM2s6xj+n&C(5ycI}%
zliOT?ZsC#^<pqHj&VC!;Xo7>XV-R66!+KV+BNDDHG>>{vnC6}>SyO|jcMM3mHL4?E
z(oIZ0&%cb`Aq1gU{mwRPt*FZ_<GM<?+bX1Ne5%aw;chM`x)uBox9nAcO$aZN#Nmps
z_NcUS!#_!DG}*Df@Vs_m`8i`RLr;7;Jm@;P{|u&dc{J?Ps30&BomT39up`mb?IIU^
zN0lWq<Ezm_-k0aPzDezXA|-T*^0nh#TpdiYN(}{cNEKR~IuTMUSRuRr@XctHk(2QK
zpaqH9slG2>mY}JQx_17C$sjLQm~IWpn?`7t6)o4!>*RShv2s7w^1BrV5qD+6(v02f
zbBY7p9_@zlu15KyKx(8pD;v5F4RN<DI;A)<*<nphzCf7ylbqq&;kJCq?$wwR6Z(D}
z<<XKV$>(rs*u27DgLp#wUGg1r7uWp$MUgeQAk}Glm@StQ3tJjHFjbcm>@u?SMR3Kl
z5kwZYByz?Ao%QMQ;y^iOu>d>nrv$5p9IH*+Fo!F$C3j;TfyU@QoaO~31+<?l{)qEc
zCNZCQ$!iwpQG<?@J{CtDgfLSp*wjLuravF%^iyXGGkCGVB(-7u6N`M~RJD{LKgqk5
z<*Fw~@KLJI5hFMti&npHf~G-u2B{{bJ2&s@(%{E_KE>4KZgDVX0!=ubMb0U@u_uO!
z7pYa={BilZSY>T-vlpD#2+P|3?7^UCiSAocm@v`XpX_n^&Br-OBA?|*r>(}MR}AH(
zTd^H2GSSh?JH%T_gKWJP$VlyYH^qyiUFakpR&PF10&(n%f=aRWjZB8tLp7JkJqHDU
ze9&)?C@-C+7XEV|o7I)jwgn%Ds_yFa5N2A|7&|foo$hb^_X|W;VG@*TEvw{ohkwg8
zIz@cuLv$P}<$U}%MMv0vazIj9N8eJ+F(~m%H?)II4Mg*Rq~&>vAE5f2o?ciuBMb)>
zemvTU4ye0SngM_Nt_E8x+$6m_XZQROxftx}^Wus240DSkFpq8PlWfZ1fGD+h6K<TY
zP*Z_*_vKroJ_zZdM#;+;`>g0q7%2Td7Ij+~&aBBIgEdr;jj?@?x71amDLWTB{SCG5
z<e`7NnvR0}3>sF<LT>6$M$k9U-zn-BF(<ZdWhuaUbZtnxn$Piah7w+%1n7DF_(&s7
zNp}*xdxJ>S<n<M7y|#=Y^GuVmuPG;Bn0qo_kV`O5VUz^NmVM5+d5Cfmqg1(gu`dwu
zH6j-0-aelHqeS8HK9Fj@Vg6nq=`C#suJ3A|_(u1`OQawH+46&GCbzJY!)E^PNdp~{
zZl^O^^9C-=sUGAhI#&~3mZn%&j2z+7LW^CpC_EW|&p>(234?@E&HY)XuiTmhvo7L4
z@W@h|@rJ?0NrugZTabOC3OZ-w{gO;#N%&GybOFRymlB~e(%#}~e*DCTjTw=DW!oT4
zxtH$h&3m}h|0;UGQ%)ZlCoerr+ohiH&4(PSnI+B4oChD{WJxupKT}GILEy7YCEj!m
zM~CYjFyQfPe1MgbFHuI7hU*Q>5p02NDcf`n7hIag!*0Uz^gZ-l(wlLEFc#4Finzkr
z>60mFdcTsAolV(EuCS1#nWUHf4uXrS{u3H>p*D4XEo1lR^S(@(c}E_3gyJQ{7E+_u
zm6cGgyZ5QS^inOC)khDTRc$3);No0rVU$RM3jcGHQs&=JzYnyQYFje+R-#LrC+plN
z&jHDTNcDfFbT2@Z5f62GIM9D9h+{jDtx>PA;^0v3B`;q$9gW-xg0pUWg20l5Y-a=>
zS&X@NH!dqnPsS~K^%sO#$Rny$H!vL{o9rAHNz=D+-n11$k*o^0<FclUdh)(34(ghZ
zkm%?Y`fzyOAc>lXHx-r;HG9DmG+7h?>IGIOJ{$cUV6i>(ND<f6&z!Rn!(Oyy<EV6Y
zz^zbCm|zk*oH@G78e&@g&cij^o2V?hgNmF&Qo%K;r7%&u(2l)f#iN?~q3E_NIE`ef
znuwgO3H^wl)<tL0S;J^`TZd6N8g)*UOaA98q>S-<ei_q@l<XUkcMHt6N+?(lQdbbx
zw+04prazW&V80m)w^{VgWzXGUo9j4HnMYBHAYWS-OORV7RR3p&d?0nl^|o;XU&$XA
zNV8(P39XyEUF+c)%ky#R)jaZlI#v!&<EBo;Rn!+pj0anBy3S{#wPBC*)1QI+v{#G|
z*AtrwyngM>%#PH>YciQ;?wX9V;@pQ)U2W+Dc5JSddPtmyAsVwZ&oU}a-KK^jxp;5I
zyxjXWr(9XKy`v>BtdpGFv^=gb`86_+UXcjqSWQ%?i=8mCcYLhgfV%q=Cgs103rcP7
zw6}5*6CA&)ATb+ju`aG4q%dx=+hF9|KYc6tZOt3c;=ARUNxWN`WTt4bA2jcezv>yS
zl4OR5iUv^fn}N}KGU(Nyof^5~cYXZ5(HtrQf#SA=eyWX8p4a8J6`X}lk%__kw-e4N
ztPlyY>r;0k4`mr+z+}L|P5YPr#j?EdKh!e0re*dTOqs(mWX#BXxc0Zfeqx+6UigN;
zX$**Aq$ZVx9F*!n2P981aja&2QrgUwPe$W$BS#&JETjVY2C{v9#-rW1k8^YU!^S<Q
z;thU@Ukg?RA+7Exx_SkgO<zAt{T$bm38`=9atQo*aa)NrF~v0WF+g{_f1#F;2%Uj2
zI(Nu%NMZVMUSG^Z6(;0i;vI7qCK5Aco{Ch7jJaU0ugjMkt7v<^zOHF7hg;h-AZigF
zIgajH+|`K6Y~|q9g?TvcExJ(QQ<sPpaM}>{tX=Tzxpw>6=>m~NZ_X`{nT3-%;G#l!
z2z?GS-dK-QJC^tNlhmapRMazSF37I|HS%2Q<a?JYfTI1_ONU>VO!wm_CfG*Nq2cJW
z6+VwX&yW!>O`<O|GK72(02^k%1NH+{<A>%H^qA&`&4^z6O}Zv~k9GCELv=<?ubD|S
zwTwrDF<Maj^^(8S-QeV)s;rzVqso+85d3|-O7;Tb`kuVq)@hf7M~D?%nlg{bt}}68
zmFToh7p=N%ac8H{c4>W6&m$t3!rSfDS7K~?zM`DmKNte#lzW`kLMld~=#1}(1lGeg
zxYTD(5o^ovX2i{X9pMD;I^J{?GTNWaDal%iIG-kdt|WSDUDCRW+8F`>l!ji^tFVHx
zrd{MJWX&E)mcIJ1-<@4pwD9}PLjw5fRstv$DY5!%z9ZYB+(;YQ;C#Mw3Jxr^qts9+
zRz}0E$-E~OY{AcDZsmQLXW&l95ScfXT+^8c-!51a2}$6ZTF&MVnL<o(!Tl){4dOnc
zjkvmx;AJf>(hht`JIBm7|B-vl)U0+afOKfe5;&iP#MAMN??tB^B-D$f<O#U82Bf1R
ze!^mAfiSS&>z;(I-dTsjx72H;h~WxvKX_`%t@l(l7V-k>9US{=fi6X6!<u&6KSp8$
zSos&AdD)YPTzZ3hQXOmdegrkDQ#7zBS^_<UPUN&!E_Tak)vBV?w-U(XLB&r{i4_3X
z!m>s;oE~04$~IC_^7i_Melx){DhQcx6!5a?AW)BoR`5M%zTo#E3-l1xvS|V{`h}EJ
zL2rLnUbc5s=KuWcqT3kc8QAW8Zrj^iyJ@z^X;EJAo~h8Yn8uCTiNPkH_bTQO+8>ta
z4f@RMH!#zc)RMt^A|qXaK}L!7*S0tzx`Vq+rfBbcC&u)Pv`Mejm#h-w)JuCo?7dZU
zSJpyC4ADsSK;Ke9JP!f*Jyqz9L`G1ycRNd4c-!K!Oe+A`{;Is{r2&RLq1(udH~1vX
zbs!;(2mpOG(v9nWo>&BVeE^{9N8D_};R$g+-&5{*5;bym?8Md?TgJtGmX}xy^RRry
z|5r)`dr*IsgCyW#(1DrgB}vK`bi!oP4aMzO!wyN)upEsjMk<leF5R(HmLPQ|q|bXu
zd|_qKkDlz;h5pQBAD?2<#jg)f_{jSWX~U?^)n-81<`h&e0acg*o|AOfAZm2`SM-7v
zgKg(yMnyTE4XNcyH0nUa!3%-O+dJA%GX(dn!Nj$O56x?C{B6Z;SsU%xvLU69Y<pV_
zk%^j5FX6qs1MQ#2CO8@fS0SCfrC0&qGCx?aPA4QHYBa~P^8BdV?edCq&^uocKL-e*
z-4${xqBj{{#sa%zx+)*IsJ-OuStxv>{^3da3YtL<06<dfYmH;1tAfHf3Yrd=%+W(i
z5*W;IJpXYLW_*f~Ays7M=4U8kp|&gk%>8O2R8nhqv)voZu0J_R%IkhKkqd2x-NS?}
zeUpbPIX*WNbgs!RO8$GK$5XhsK^js;ncqqS&yZ<neswqHj4{FJ6;iGU0mhl<>;CD>
zpCA$6uN-T3OYPAqR=oL9K#LV0ePe3r6v$FK4Htr^;Gvsv??}84R{k{Vi6rYE%CNuZ
z{Pk>9h{4ic+e>h8NY}vO-Ou1byEsZhEb|d6Wp??tO?p-O&;c+dL|6!=Ziirql31Uh
zBVJc@a8j-k*E@GW2GdDeQm}vEZiol<=z$0zpl?AL6yh!`b7AHw!C9&BA0Pk@XjxyO
zDa;JFDJzK$oFhjNdi<8*8+L9IoyLW1Kgn3B5+2kRZ9OZZ7XiS$ibL?7B}6pYy0X3g
zQ|yn5;GhbOGX4E)?GpF9BlY1pd3+5(dbRq4m(2!$Dd(w__zJ$*n;V8&W0v~8sryaj
z$?%_oma8BGUmdmZ9W&g-9s7c2lwhZRUDAm`PcZbtXA(`q^Z{>m!0c4I2f*7sO1s?!
z4;Wr+tCLsTQ}i5n=RBIJQN>j@{`jf>#*_`Dbv<s;ky&p^YdrKR@t2(G&f2+~kBP!f
zWNX4xwbB8>a}pf)AOD2~w#t)#pJ*CGrBIO6{iLAj5t_wQ8Inln6Z(?9vpKFzk<#)=
z+s1X^BRc?axD%KGlO)=2r=ltfDn>~pum2nPV{^E61PBFt%Zpp^;nqfmE??*ZycI)7
ziaoMMX3CeN+<oW7{qElMOx{}6FV8B3QS|&582M1n=;EFS*(^lb@iU4x#~Htg97@X-
z^uV{TlCA^c27YgMs?SG(HU>Y9*a9+(hX=O!yv*y5j|m_(X}lCOlN@;V<D<5Vu4QKG
z26qGgn8L-H&z!ao;0=@aQ>6pzWi%P>M?+u;*F+-htrRQrm#KeofxElEJse8=WpJ>k
z$+22x9#&7K(}#|eOI7v>vW}&eDLh18qASin$6V-d`}G4ww9Y!P%WS~E7=fZQnhPx3
zI9$k6bSbJ_YuPK5xa@pgt^Z3G;7D(Dz0Hn;O06~%UjS@OVa`}gUVeO&>TINmK}N~V
z;BqnfFFbbbY4F1=0v&C@)4eEdub$aD3G2z^XhLR^mDps@@EtGKue$l?PXp2EdR#1)
zCY_Y)N74E&Pokn4NdJg+*`3MECN??*-DP8ri0?LC1w&-LxuWB<q3WiJ%X+(dZaOu>
zc5IY9VOhtdvi>pnX?edQspI9Sw|G`g?$0WE4E_TV*Eyow>p+!|ca8;P+O=8=|4SJb
zV>E9bfqI^_+-?g~QlxFG6lYh@B#i@8+->pXZFkyd&k2FiR*EO!Mz^~#j2~4%4ltu?
z70F!_oj!8DW5@|+;coO36>*H)pIz?kz^raZZ~hQM3d<K>L^F1%lzo2GT_eCF#UOIl
z2Tzkar>P*O_01P0e70Q9zBT68xm?;g3v(wUS68LtturavYMM?AgMMmtXME1+bpLbU
zXH6&jRQ(nTGO2OB7>kd-2J~#6b#1$LPm7u@oVy^d(J-%s?q3%3&B2y}1qgODKGXSL
z|DDA*$ntt^*p!tEPNC?X>(_*UQL(xf8)x5ZU)tzd&~-M<(v=uI2Qj^%>F#>=TM8bO
z&gWNLWWmH#^Un1BPqMXkguRqR%^n4W_fZ(d&(t|uC`_SeR@#+Pk93i$?us5m61z=U
zNv>4i94A~R80%1ZC3n$fJr<&qxx}JmY^bce{&B^bW?2dRYkSBr3t$B*ekM!9TKGZ2
zYdS&M?Fq$`IQrz-PCL=DND4NF98-LRh}g=5=nF;#6PLU~hUQF=!wV9}y?*M}aH2vv
zje@gRbdMMw_eB4W7KP=k-*1a3)vI?Q(4dE7j`BCt#vwTdPCfRT-!$}U@V9KtUros>
zyvG)DYM`w%cuY{@S-w5)g<VP{Oc)L6b4{lxVI4`9Ze0b?bj`>-gfHxWwv0YDH}GJx
zCpq)>$fcbz>d2o5!!j28U=QEM`M_?4`b>JvMRUxhUr798;j~_eaWxeOw*iO$TVwyy
I_W#uX16-5|rvLx|

literal 0
HcmV?d00001


From 458381fecff618d39ddd2e18364fce0cb511ee1b Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 22 Nov 2025 09:12:10 -0800
Subject: [PATCH 04/75] more implementation for ldap

---
 Gemfile                                       |   2 +
 Gemfile.lock                                  |   4 +
 .../sso_providers/build_sso_configuration.rb  |  17 +++
 app/actions/sso_providers/create.rb           |  20 ++++
 .../sso_providers/save_configuration.rb       |  20 ++++
 app/actions/sso_providers/update.rb           |  18 +++
 .../sso_providers/update_configuration.rb     |  20 ++++
 app/avo/resources/ldap_configuration.rb       |  34 +++---
 .../accounts/sso_providers_controller.rb      |  75 ++++++++++--
 .../avo/ldap_configurations_controller.rb     |   2 +-
 app/controllers/users/sessions_controller.rb  |  19 ++-
 app/models/ldap_configuration.rb              |  44 ++++---
 app/models/oidc_configuration.rb              |   1 +
 app/models/sso_provider.rb                    |   2 +-
 .../accounts/sso_providers/_form.html.erb     |  98 ----------------
 .../accounts/sso_providers/edit.html.erb      |  36 +++++-
 .../sso_providers/ldap/_form_fields.html.erb  | 110 ++++++++++++++++++
 app/views/accounts/sso_providers/new.html.erb |  43 ++++++-
 .../sso_providers/oidc/_form_fields.html.erb  |  70 +++++++++++
 .../accounts/sso_providers/show.html.erb      |  52 ++++++---
 app/views/devise/sessions/ldap.html.erb       |  67 +++++++++++
 app/views/settings/_layout.html.erb           |   2 +-
 config/initializers/devise.rb                 |   3 +-
 config/initializers/inflections.rb            |   1 +
 ...251121043926_create_ldap_configurations.rb |   4 +-
 db/schema.rb                                  |  17 ++-
 lib/devise/strategies/ldap_authenticatable.rb |  58 +++++----
 spec/factories/ldap_configurations.rb         |  38 ++++--
 spec/models/ldap_configuration_spec.rb        |  20 +++-
 29 files changed, 687 insertions(+), 210 deletions(-)
 create mode 100644 app/actions/sso_providers/build_sso_configuration.rb
 create mode 100644 app/actions/sso_providers/create.rb
 create mode 100644 app/actions/sso_providers/save_configuration.rb
 create mode 100644 app/actions/sso_providers/update.rb
 create mode 100644 app/actions/sso_providers/update_configuration.rb
 delete mode 100644 app/views/accounts/sso_providers/_form.html.erb
 create mode 100644 app/views/accounts/sso_providers/ldap/_form_fields.html.erb
 create mode 100644 app/views/accounts/sso_providers/oidc/_form_fields.html.erb
 create mode 100644 app/views/devise/sessions/ldap.html.erb

diff --git a/Gemfile b/Gemfile
index 16758cb9..0a958770 100644
--- a/Gemfile
+++ b/Gemfile
@@ -114,3 +114,5 @@ gem "actioncable-enhanced-postgresql-adapter", "~> 1.0"
 gem 'flipper', '~> 1.2.2'
 gem 'flipper-active_record', '~> 1.2.2'
 gem 'flipper-ui', '~> 1.2.2'
+
+gem "net-ldap", "~> 0.20.0"
diff --git a/Gemfile.lock b/Gemfile.lock
index ed064f46..3f80664f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -355,6 +355,9 @@ GEM
     net-imap (0.5.12)
       date
       net-protocol
+    net-ldap (0.20.0)
+      base64
+      ostruct
     net-pop (0.1.2)
       net-protocol
     net-protocol (0.2.2)
@@ -724,6 +727,7 @@ DEPENDENCIES
   kubeclient (~> 4.12)
   light-service (~> 0.20.0)
   name_of_person!
+  net-ldap (~> 0.20.0)
   noticed (~> 2.9)
   octokit (~> 10.0)
   oj (~> 3.16)
diff --git a/app/actions/sso_providers/build_sso_configuration.rb b/app/actions/sso_providers/build_sso_configuration.rb
new file mode 100644
index 00000000..c84c164e
--- /dev/null
+++ b/app/actions/sso_providers/build_sso_configuration.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module SSOProviders
+  class BuildSSOConfiguration
+    extend LightService::Action
+    expects :provider_type, :configuration_params
+    promises :configuration
+
+    executed do |context|
+      context.configuration = if context.provider_type == "ldap"
+        LDAPConfiguration.new(context.configuration_params)
+      else
+        OIDCConfiguration.new(context.configuration_params)
+      end
+    end
+  end
+end
diff --git a/app/actions/sso_providers/create.rb b/app/actions/sso_providers/create.rb
new file mode 100644
index 00000000..764fe9c0
--- /dev/null
+++ b/app/actions/sso_providers/create.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module SSOProviders
+  class Create
+    extend LightService::Organizer
+
+    def self.call(account:, sso_provider_params:, configuration_params:, provider_type:)
+      sso_provider = account.build_sso_provider(sso_provider_params)
+
+      with(
+        sso_provider: sso_provider,
+        provider_type: provider_type,
+        configuration_params: configuration_params
+      ).reduce(
+        SSOProviders::BuildSSOConfiguration,
+        SSOProviders::SaveConfiguration
+      )
+    end
+  end
+end
diff --git a/app/actions/sso_providers/save_configuration.rb b/app/actions/sso_providers/save_configuration.rb
new file mode 100644
index 00000000..3ab6efc2
--- /dev/null
+++ b/app/actions/sso_providers/save_configuration.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module SSOProviders
+  class SaveConfiguration
+    extend LightService::Action
+    expects :sso_provider, :configuration
+
+    executed do |context|
+      context.sso_provider.configuration = context.configuration
+
+      unless context.configuration.save
+        context.fail_and_return!("Failed to save configuration", errors: context.configuration.errors)
+      end
+
+      unless context.sso_provider.save
+        context.fail_and_return!("Failed to save SSO provider", errors: context.sso_provider.errors)
+      end
+    end
+  end
+end
diff --git a/app/actions/sso_providers/update.rb b/app/actions/sso_providers/update.rb
new file mode 100644
index 00000000..0949674c
--- /dev/null
+++ b/app/actions/sso_providers/update.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module SSOProviders
+  class Update
+    extend LightService::Organizer
+
+    def self.call(sso_provider:, sso_provider_params:, configuration_params:)
+      sso_provider.assign_attributes(sso_provider_params)
+
+      with(
+        sso_provider: sso_provider,
+        configuration_params: configuration_params
+      ).reduce(
+        SSOProviders::UpdateConfiguration
+      )
+    end
+  end
+end
diff --git a/app/actions/sso_providers/update_configuration.rb b/app/actions/sso_providers/update_configuration.rb
new file mode 100644
index 00000000..1f089171
--- /dev/null
+++ b/app/actions/sso_providers/update_configuration.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module SSOProviders
+  class UpdateConfiguration
+    extend LightService::Action
+    expects :sso_provider, :configuration_params
+
+    executed do |context|
+      configuration = context.sso_provider.configuration
+
+      unless configuration.update(context.configuration_params)
+        context.fail_and_return!("Failed to update configuration", errors: configuration.errors)
+      end
+
+      unless context.sso_provider.save
+        context.fail_and_return!("Failed to save SSO provider", errors: context.sso_provider.errors)
+      end
+    end
+  end
+end
diff --git a/app/avo/resources/ldap_configuration.rb b/app/avo/resources/ldap_configuration.rb
index fc4384f1..72cbadee 100644
--- a/app/avo/resources/ldap_configuration.rb
+++ b/app/avo/resources/ldap_configuration.rb
@@ -1,21 +1,23 @@
-class Avo::Resources::LdapConfiguration < Avo::BaseResource
-  # self.includes = []
-  # self.attachments = []
-  # self.search = {
-  #   query: -> { query.ransack(id_eq: q, m: "or").result(distinct: false) }
-  # }
+class Avo::Resources::LDAPConfiguration < Avo::BaseResource
+  self.includes = []
 
   def fields
     field :id, as: :id
-    field :host, as: :text
-    field :port, as: :number
-    field :encryption, as: :text
-    field :base_dn, as: :text
-    field :bind_dn, as: :text
-    field :bind_password, as: :text
-    field :uid_attribute, as: :text
-    field :email_attribute, as: :text
-    field :name_attribute, as: :text
-    field :filter, as: :text
+    field :host, as: :text, required: true, help: "LDAP server hostname (e.g., ldap.example.com)"
+    field :port, as: :number, required: true, help: "LDAP server port (default: 389 for plain/STARTTLS, 636 for LDAPS)"
+    field :encryption, as: :select, required: true, help: "Encryption method", enum: {
+      plain: "No encryption",
+      simple_tls: "LDAPS (SSL/TLS)",
+      start_tls: "STARTTLS"
+    }, default: "plain"
+    field :base_dn, as: :text, required: true, help: "Base DN for user searches (e.g., ou=users,dc=example,dc=com)"
+    field :bind_dn, as: :text, help: "Bind DN for authentication (optional for anonymous bind)"
+    field :bind_password, as: :password, help: "Bind password (optional for anonymous bind)"
+    field :uid_attribute, as: :text, required: true, help: "Attribute for username (e.g., uid, sAMAccountName)", default: "uid"
+    field :email_attribute, as: :text, help: "Attribute for email address", default: "mail"
+    field :name_attribute, as: :text, help: "Attribute for full name", default: "cn"
+    field :filter, as: :textarea, help: "Additional LDAP filter (optional)"
+
+    field :sso_provider, as: :has_one
   end
 end
diff --git a/app/controllers/accounts/sso_providers_controller.rb b/app/controllers/accounts/sso_providers_controller.rb
index a9b95045..f8d7b62c 100644
--- a/app/controllers/accounts/sso_providers_controller.rb
+++ b/app/controllers/accounts/sso_providers_controller.rb
@@ -2,22 +2,44 @@ module Accounts
   class SSOProvidersController < ApplicationController
     def show
       @sso_provider = current_account.sso_provider
-      @oidc_configuration = @sso_provider&.configuration
+      @configuration = @sso_provider&.configuration
     end
 
     def new
       @sso_provider = current_account.build_sso_provider
-      @oidc_configuration = OIDCConfiguration.new
+      @provider_type = params[:provider_type] || "oidc"
+
+      if @provider_type == "ldap"
+        @ldap_configuration = LDAPConfiguration.new
+      else
+        @oidc_configuration = OIDCConfiguration.new
+      end
     end
 
     def create
-      @oidc_configuration = OIDCConfiguration.new(oidc_configuration_params)
-      @sso_provider = current_account.build_sso_provider(sso_provider_params)
-      @sso_provider.configuration = @oidc_configuration
+      provider_type = params[:provider_type] || "oidc"
+      configuration_params = provider_type == "ldap" ? ldap_configuration_params : oidc_configuration_params
 
-      if @oidc_configuration.save && @sso_provider.save
+      result = SSOProviders::Create.call(
+        account: current_account,
+        sso_provider_params: sso_provider_params,
+        configuration_params: configuration_params,
+        provider_type: provider_type
+      )
+
+      if result.success?
         redirect_to sso_provider_path, notice: "SSO provider created successfully"
       else
+        @sso_provider = result.sso_provider
+        @configuration = result.configuration
+        @provider_type = provider_type
+
+        if provider_type == "ldap"
+          @ldap_configuration = @configuration
+        else
+          @oidc_configuration = @configuration
+        end
+
         render :new, status: :unprocessable_entity
       end
     end
@@ -25,16 +47,36 @@ module Accounts
     def edit
       @sso_provider = current_account.sso_provider
       redirect_to new_sso_provider_path, alert: "No SSO provider configured" unless @sso_provider
-      @oidc_configuration = @sso_provider&.configuration
+      @configuration = @sso_provider&.configuration
+
+      if @sso_provider&.ldap?
+        @ldap_configuration = @configuration
+      else
+        @oidc_configuration = @configuration
+      end
     end
 
     def update
       @sso_provider = current_account.sso_provider
-      @oidc_configuration = @sso_provider.configuration
+      configuration_params = @sso_provider.ldap? ? ldap_configuration_params : oidc_configuration_params
 
-      if @oidc_configuration.update(oidc_configuration_params) && @sso_provider.update(sso_provider_params)
+      result = SSOProviders::Update.call(
+        sso_provider: @sso_provider,
+        sso_provider_params: sso_provider_params,
+        configuration_params: configuration_params
+      )
+
+      if result.success?
         redirect_to sso_provider_path, notice: "SSO provider updated successfully"
       else
+        @configuration = @sso_provider.configuration
+
+        if @sso_provider.ldap?
+          @ldap_configuration = @configuration
+        else
+          @oidc_configuration = @configuration
+        end
+
         render :edit, status: :unprocessable_entity
       end
     end
@@ -67,5 +109,20 @@ module Accounts
         :scopes
       )
     end
+
+    def ldap_configuration_params
+      params.require(:ldap_configuration).permit(
+        :host,
+        :port,
+        :base_dn,
+        :bind_dn,
+        :bind_password,
+        :uid_attribute,
+        :email_attribute,
+        :name_attribute,
+        :filter,
+        :encryption
+      )
+    end
   end
 end
diff --git a/app/controllers/avo/ldap_configurations_controller.rb b/app/controllers/avo/ldap_configurations_controller.rb
index db3b9ff6..947dd25c 100644
--- a/app/controllers/avo/ldap_configurations_controller.rb
+++ b/app/controllers/avo/ldap_configurations_controller.rb
@@ -1,4 +1,4 @@
 # This controller has been generated to enable Rails' resource routes.
 # More information on https://docs.avohq.io/3.0/controllers.html
-class Avo::LdapConfigurationsController < Avo::ResourcesController
+class Avo::LDAPConfigurationsController < Avo::ResourcesController
 end
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index b5199475..9e53ad09 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -43,14 +43,31 @@ class Users::SessionsController < Devise::SessionsController
     @sso_provider = @account.sso_provider if @account.sso_enabled?
     if @account.stack_manager&.portainer?
       render "devise/sessions/portainer"
+    elsif @account.sso_provider&.ldap?
+      render "devise/sessions/ldap"
     else
       render :new
     end
   end
 
   def account_create
+    # If account has SSO provider with LDAP, use LDAP authentication
+    if @account.sso_provider&.ldap?
+      session[:ldap_account_id] = @account.id
+      resource = warden.authenticate(:ldap_authenticatable, scope: :user)
+
+      if resource
+        sign_in(resource)
+        session[:account_id] = @account.id
+        redirect_to after_sign_in_path_for(resource), notice: "Logged in successfully"
+      else
+        flash[:alert] = "Invalid email or password"
+        self.resource = resource_class.new(sign_in_params)
+        clean_up_passwords(self.resource)
+        render "devise/sessions/ldap"
+      end
     # If account has a stack manager, use Portainer authentication
-    if @account.stack_manager.present?
+    elsif @account.stack_manager.present?
       result = Portainer::Login.execute(
         username: params[:user][:username],
         password: params[:user][:password],
diff --git a/app/models/ldap_configuration.rb b/app/models/ldap_configuration.rb
index 49f78280..428d3a94 100644
--- a/app/models/ldap_configuration.rb
+++ b/app/models/ldap_configuration.rb
@@ -2,39 +2,37 @@
 #
 # Table name: ldap_configurations
 #
-#  id               :bigint           not null, primary key
-#  base_dn          :string           not null
-#  bind_dn          :string
-#  bind_password    :string
-#  email_attribute  :string           default("mail")
-#  encryption       :string           default("plain")
-#  filter           :string
-#  host             :string           not null
-#  name_attribute   :string           default("cn")
-#  port             :integer          default(389), not null
-#  uid_attribute    :string           default("uid"), not null
-#  created_at       :datetime         not null
-#  updated_at       :datetime         not null
+#  id              :bigint           not null, primary key
+#  base_dn         :string           not null
+#  bind_dn         :string
+#  bind_password   :string
+#  email_attribute :string           default("mail")
+#  encryption      :integer          not null
+#  filter          :string
+#  host            :string           not null
+#  name_attribute  :string           default("cn")
+#  port            :integer          default(389), not null
+#  uid_attribute   :string           default("uid"), not null
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
 #
-class LdapConfiguration < ApplicationRecord
+class LDAPConfiguration < ApplicationRecord
   has_one :sso_provider, as: :configuration, dependent: :destroy
+  has_one :account, through: :sso_provider
+
+  enum :encryption, { plain: 0, simple_tls: 1, start_tls: 2 }
 
   validates :host, presence: true
   validates :port, presence: true, numericality: { only_integer: true, greater_than: 0 }
   validates :base_dn, presence: true
   validates :uid_attribute, presence: true
-  validates :encryption, inclusion: { in: %w[plain simple_tls start_tls] }
 
+  # Returns encryption method as symbol for Net::LDAP
   # Encryption options: plain (no encryption), simple_tls (LDAPS), start_tls (STARTTLS)
   def encryption_method
-    case encryption
-    when "simple_tls"
-      :simple_tls
-    when "start_tls"
-      :start_tls
-    else
-      nil
-    end
+    return nil if plain?
+
+    encryption.to_sym
   end
 
   def requires_auth?
diff --git a/app/models/oidc_configuration.rb b/app/models/oidc_configuration.rb
index 3928992b..d1b14a4f 100644
--- a/app/models/oidc_configuration.rb
+++ b/app/models/oidc_configuration.rb
@@ -16,4 +16,5 @@
 #
 class OIDCConfiguration < ApplicationRecord
   has_one :sso_provider, as: :configuration, dependent: :destroy
+  has_one :account, through: :sso_provider
 end
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index da7a3f84..3d54dd02 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -31,6 +31,6 @@ class SSOProvider < ApplicationRecord
   end
 
   def ldap?
-    configuration_type == "LdapConfiguration"
+    configuration_type == "LDAPConfiguration"
   end
 end
diff --git a/app/views/accounts/sso_providers/_form.html.erb b/app/views/accounts/sso_providers/_form.html.erb
deleted file mode 100644
index b1b7df1f..00000000
--- a/app/views/accounts/sso_providers/_form.html.erb
+++ /dev/null
@@ -1,98 +0,0 @@
-<%= form_with model: sso_provider, url: sso_provider.persisted? ? sso_provider_path : sso_provider_path do |form| %>
-  <%= render "shared/error_messages", resource: form.object %>
-
-  <div class="form-control mt-4 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Provider Name</span>
-    </label>
-    <%= form.text_field :name, class: "input input-bordered", required: true, placeholder: "e.g., Company SSO" %>
-    <label class="label">
-      <span class="label-text-alt">A friendly name for this SSO provider</span>
-    </label>
-  </div>
-
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label cursor-pointer justify-start gap-2">
-      <%= form.check_box :enabled, class: "checkbox checkbox-primary" %>
-      <span class="label-text">Enable this provider</span>
-    </label>
-  </div>
-
-  <div class="divider">OIDC Configuration</div>
-
-  <%= fields_for :oidc_configuration, oidc_configuration do |oidc_form| %>
-    <div class="form-control mt-1 w-full max-w-sm">
-      <label class="label">
-        <span class="label-text">Issuer URL <span class="text-error">*</span></span>
-      </label>
-      <%= oidc_form.text_field :issuer, class: "input input-bordered", required: true, placeholder: "https://your-idp.com" %>
-      <label class="label">
-        <span class="label-text-alt">The base URL of your OIDC provider</span>
-      </label>
-    </div>
-
-    <div class="form-control mt-1 w-full max-w-sm">
-      <label class="label">
-        <span class="label-text">Client ID <span class="text-error">*</span></span>
-      </label>
-      <%= oidc_form.text_field :client_id, class: "input input-bordered", required: true %>
-    </div>
-
-    <div class="form-control mt-1 w-full max-w-sm">
-      <label class="label">
-        <span class="label-text">Client Secret <span class="text-error">*</span></span>
-      </label>
-      <%= oidc_form.password_field :client_secret, class: "input input-bordered", required: true %>
-    </div>
-
-    <div class="form-control mt-1 w-full max-w-sm">
-      <label class="label">
-        <span class="label-text">Scopes</span>
-      </label>
-      <%= oidc_form.text_field :scopes, class: "input input-bordered", placeholder: "openid email profile" %>
-      <label class="label">
-        <span class="label-text-alt">Space-separated list of scopes (defaults to "openid email profile")</span>
-      </label>
-    </div>
-
-    <details class="collapse collapse-arrow bg-base-200 mt-4 max-w-sm">
-      <summary class="collapse-title font-medium">
-        Advanced Settings (Optional)
-      </summary>
-      <div class="collapse-content space-y-4">
-        <div class="form-control mt-1 w-full">
-          <label class="label">
-            <span class="label-text">Authorization Endpoint</span>
-          </label>
-          <%= oidc_form.text_field :authorization_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
-        </div>
-
-        <div class="form-control mt-1 w-full">
-          <label class="label">
-            <span class="label-text">Token Endpoint</span>
-          </label>
-          <%= oidc_form.text_field :token_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
-        </div>
-
-        <div class="form-control mt-1 w-full">
-          <label class="label">
-            <span class="label-text">UserInfo Endpoint</span>
-          </label>
-          <%= oidc_form.text_field :userinfo_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
-        </div>
-
-        <div class="form-control mt-1 w-full">
-          <label class="label">
-            <span class="label-text">JWKS URI</span>
-          </label>
-          <%= oidc_form.text_field :jwks_uri, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
-        </div>
-      </div>
-    </details>
-  <% end %>
-
-  <div class="form-footer mt-6">
-    <%= form.submit sso_provider.persisted? ? "Update Provider" : "Create Provider", class: "btn btn-primary" %>
-    <%= link_to "Cancel", sso_provider_path, class: "btn btn-outline" %>
-  </div>
-<% end %>
diff --git a/app/views/accounts/sso_providers/edit.html.erb b/app/views/accounts/sso_providers/edit.html.erb
index fbb4b760..4cdd0f3e 100644
--- a/app/views/accounts/sso_providers/edit.html.erb
+++ b/app/views/accounts/sso_providers/edit.html.erb
@@ -5,9 +5,41 @@
     </div>
 
     <div class="text-sm text-gray-500 mt-2 mb-4">
-      Update your OIDC provider configuration.
+      Update your <%= @sso_provider.ldap? ? "LDAP" : "OIDC" %> provider configuration.
     </div>
 
-    <%= render "accounts/sso_providers/form", sso_provider: @sso_provider, oidc_configuration: @oidc_configuration %>
+    <%= form_with model: @sso_provider, url: sso_provider_path do |form| %>
+      <%= render "shared/error_messages", resource: form.object %>
+
+      <div class="form-control mt-4 w-full max-w-sm">
+        <label class="label">
+          <span class="label-text">Provider Name</span>
+        </label>
+        <%= form.text_field :name, class: "input input-bordered", required: true, placeholder: "e.g., Company SSO" %>
+        <label class="label">
+          <span class="label-text-alt">A friendly name for this SSO provider</span>
+        </label>
+      </div>
+
+      <div class="form-control mt-1 w-full max-w-sm">
+        <label class="label cursor-pointer justify-start gap-2">
+          <%= form.check_box :enabled, class: "checkbox checkbox-primary" %>
+          <span class="label-text">Enable this provider</span>
+        </label>
+      </div>
+
+      <div class="divider"><%= @sso_provider.ldap? ? "LDAP" : "OIDC" %> Configuration</div>
+
+      <% if @sso_provider.ldap? %>
+        <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
+      <% else %>
+        <%= render "accounts/sso_providers/oidc/form_fields", oidc_configuration: @oidc_configuration %>
+      <% end %>
+
+      <div class="form-footer mt-6">
+        <%= form.submit "Update Provider", class: "btn btn-primary" %>
+        <%= link_to "Cancel", sso_provider_path, class: "btn btn-outline" %>
+      </div>
+    <% end %>
   <% end %>
 <% end %>
diff --git a/app/views/accounts/sso_providers/ldap/_form_fields.html.erb b/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
new file mode 100644
index 00000000..03a9f6e8
--- /dev/null
+++ b/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
@@ -0,0 +1,110 @@
+<%= fields_for :ldap_configuration, ldap_configuration do |ldap_form| %>
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Host <span class="text-error">*</span></span>
+    </label>
+    <%= ldap_form.text_field :host, class: "input input-bordered", required: true, placeholder: "ldap.example.com" %>
+    <label class="label">
+      <span class="label-text-alt">LDAP server hostname or IP address</span>
+    </label>
+  </div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Port <span class="text-error">*</span></span>
+    </label>
+    <%= ldap_form.number_field :port, class: "input input-bordered", required: true, placeholder: "389" %>
+    <label class="label">
+      <span class="label-text-alt">Default: 389 (LDAP), 636 (LDAPS)</span>
+    </label>
+  </div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Base DN <span class="text-error">*</span></span>
+    </label>
+    <%= ldap_form.text_field :base_dn, class: "input input-bordered", required: true, placeholder: "dc=example,dc=com" %>
+    <label class="label">
+      <span class="label-text-alt">Base Distinguished Name for user searches</span>
+    </label>
+  </div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Encryption</span>
+    </label>
+    <%= ldap_form.select :encryption,
+        LDAPConfiguration.encryptions.keys.map { |key| [key.titleize, key] },
+        {},
+        class: "select select-bordered" %>
+    <label class="label">
+      <span class="label-text-alt">Connection encryption method</span>
+    </label>
+  </div>
+
+  <div class="divider">Bind Credentials (Optional)</div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Bind DN</span>
+    </label>
+    <%= ldap_form.text_field :bind_dn, class: "input input-bordered", placeholder: "cn=admin,dc=example,dc=com" %>
+    <label class="label">
+      <span class="label-text-alt">Leave empty for anonymous bind</span>
+    </label>
+  </div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Bind Password</span>
+    </label>
+    <%= ldap_form.password_field :bind_password, class: "input input-bordered" %>
+  </div>
+
+  <details class="collapse collapse-arrow bg-base-200 mt-4 max-w-sm">
+    <summary class="collapse-title font-medium">
+      Advanced Settings (Optional)
+    </summary>
+    <div class="collapse-content space-y-4">
+      <div class="form-control mt-1 w-full">
+        <label class="label">
+          <span class="label-text">UID Attribute</span>
+        </label>
+        <%= ldap_form.text_field :uid_attribute, class: "input input-bordered", placeholder: "uid" %>
+        <label class="label">
+          <span class="label-text-alt">Attribute used for username (default: uid)</span>
+        </label>
+      </div>
+
+      <div class="form-control mt-1 w-full">
+        <label class="label">
+          <span class="label-text">Email Attribute</span>
+        </label>
+        <%= ldap_form.text_field :email_attribute, class: "input input-bordered", placeholder: "mail" %>
+        <label class="label">
+          <span class="label-text-alt">Attribute used for email (default: mail)</span>
+        </label>
+      </div>
+
+      <div class="form-control mt-1 w-full">
+        <label class="label">
+          <span class="label-text">Name Attribute</span>
+        </label>
+        <%= ldap_form.text_field :name_attribute, class: "input input-bordered", placeholder: "cn" %>
+        <label class="label">
+          <span class="label-text-alt">Attribute used for display name (default: cn)</span>
+        </label>
+      </div>
+
+      <div class="form-control mt-1 w-full">
+        <label class="label">
+          <span class="label-text">Filter</span>
+        </label>
+        <%= ldap_form.text_field :filter, class: "input input-bordered", placeholder: "(objectClass=person)" %>
+        <label class="label">
+          <span class="label-text-alt">Additional LDAP filter for user searches</span>
+        </label>
+      </div>
+    </div>
+  </details>
+<% end %>
diff --git a/app/views/accounts/sso_providers/new.html.erb b/app/views/accounts/sso_providers/new.html.erb
index 1e0fb228..0cdc690a 100644
--- a/app/views/accounts/sso_providers/new.html.erb
+++ b/app/views/accounts/sso_providers/new.html.erb
@@ -1,13 +1,50 @@
 <%= settings_layout do %>
   <%= turbo_frame_tag "sso_provider" do %>
     <div class="font-lg font-bold mt-4">
-      Add OIDC Provider
+      Add <%= @provider_type == "ldap" ? "LDAP" : "OIDC" %> Provider
     </div>
 
     <div class="text-sm text-gray-500 mt-2 mb-4">
-      Configure an OpenID Connect (OIDC) provider for SSO authentication. This will allow users to sign in using your organization's identity provider.
+      <% if @provider_type == "ldap" %>
+        Configure an LDAP directory for SSO authentication. This will allow users to sign in using their LDAP credentials.
+      <% else %>
+        Configure an OpenID Connect (OIDC) provider for SSO authentication. This will allow users to sign in using your organization's identity provider.
+      <% end %>
     </div>
 
-    <%= render "accounts/sso_providers/form", sso_provider: @sso_provider, oidc_configuration: @oidc_configuration %>
+    <%= form_with model: @sso_provider, url: sso_provider_path do |form| %>
+      <%= hidden_field_tag :provider_type, @provider_type %>
+      <%= render "shared/error_messages", resource: form.object %>
+
+      <div class="form-control mt-4 w-full max-w-sm">
+        <label class="label">
+          <span class="label-text">Provider Name</span>
+        </label>
+        <%= form.text_field :name, class: "input input-bordered", required: true, placeholder: "e.g., Company SSO" %>
+        <label class="label">
+          <span class="label-text-alt">A friendly name for this SSO provider</span>
+        </label>
+      </div>
+
+      <div class="form-control mt-1 w-full max-w-sm">
+        <label class="label cursor-pointer justify-start gap-2">
+          <%= form.check_box :enabled, class: "checkbox checkbox-primary" %>
+          <span class="label-text">Enable this provider</span>
+        </label>
+      </div>
+
+      <div class="divider"><%= @provider_type == "ldap" ? "LDAP" : "OIDC" %> Configuration</div>
+
+      <% if @provider_type == "ldap" %>
+        <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
+      <% else %>
+        <%= render "accounts/sso_providers/oidc/form_fields", oidc_configuration: @oidc_configuration %>
+      <% end %>
+
+      <div class="form-footer mt-6">
+        <%= form.submit "Create Provider", class: "btn btn-primary" %>
+        <%= link_to "Cancel", sso_provider_path, class: "btn btn-outline" %>
+      </div>
+    <% end %>
   <% end %>
 <% end %>
diff --git a/app/views/accounts/sso_providers/oidc/_form_fields.html.erb b/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
new file mode 100644
index 00000000..b87f9ec1
--- /dev/null
+++ b/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
@@ -0,0 +1,70 @@
+<%= fields_for :oidc_configuration, oidc_configuration do |oidc_form| %>
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Issuer URL <span class="text-error">*</span></span>
+    </label>
+    <%= oidc_form.text_field :issuer, class: "input input-bordered", required: true, placeholder: "https://your-idp.com" %>
+    <label class="label">
+      <span class="label-text-alt">The base URL of your OIDC provider</span>
+    </label>
+  </div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Client ID <span class="text-error">*</span></span>
+    </label>
+    <%= oidc_form.text_field :client_id, class: "input input-bordered", required: true %>
+  </div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Client Secret <span class="text-error">*</span></span>
+    </label>
+    <%= oidc_form.password_field :client_secret, class: "input input-bordered", required: true %>
+  </div>
+
+  <div class="form-control mt-1 w-full max-w-sm">
+    <label class="label">
+      <span class="label-text">Scopes</span>
+    </label>
+    <%= oidc_form.text_field :scopes, class: "input input-bordered", placeholder: "openid email profile" %>
+    <label class="label">
+      <span class="label-text-alt">Space-separated list of scopes (defaults to "openid email profile")</span>
+    </label>
+  </div>
+
+  <details class="collapse collapse-arrow bg-base-200 mt-4 max-w-sm">
+    <summary class="collapse-title font-medium">
+      Advanced Settings (Optional)
+    </summary>
+    <div class="collapse-content space-y-4">
+      <div class="form-control mt-1 w-full">
+        <label class="label">
+          <span class="label-text">Authorization Endpoint</span>
+        </label>
+        <%= oidc_form.text_field :authorization_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
+      </div>
+
+      <div class="form-control mt-1 w-full">
+        <label class="label">
+          <span class="label-text">Token Endpoint</span>
+        </label>
+        <%= oidc_form.text_field :token_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
+      </div>
+
+      <div class="form-control mt-1 w-full">
+        <label class="label">
+          <span class="label-text">UserInfo Endpoint</span>
+        </label>
+        <%= oidc_form.text_field :userinfo_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
+      </div>
+
+      <div class="form-control mt-1 w-full">
+        <label class="label">
+          <span class="label-text">JWKS URI</span>
+        </label>
+        <%= oidc_form.text_field :jwks_uri, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
+      </div>
+    </div>
+  </details>
+<% end %>
diff --git a/app/views/accounts/sso_providers/show.html.erb b/app/views/accounts/sso_providers/show.html.erb
index 8a86767a..67b0580c 100644
--- a/app/views/accounts/sso_providers/show.html.erb
+++ b/app/views/accounts/sso_providers/show.html.erb
@@ -10,7 +10,7 @@
             <div>
               <h3 class="text-lg font-semibold"><%= @sso_provider.name %></h3>
               <div class="flex gap-2 mt-2">
-                <span class="badge badge-outline">OIDC</span>
+                <span class="badge badge-outline"><%= @sso_provider.ldap? ? "LDAP" : "OIDC" %></span>
                 <% if @sso_provider.enabled %>
                   <span class="badge badge-success">Enabled</span>
                 <% else %>
@@ -24,21 +24,40 @@
             </div>
           </div>
 
-          <% if @oidc_configuration %>
+          <% if @configuration %>
             <div class="divider"></div>
             <div class="grid grid-cols-2 gap-4 text-sm">
-              <div>
-                <span class="text-gray-500">Issuer:</span>
-                <div class="font-mono"><%= @oidc_configuration.issuer %></div>
-              </div>
-              <div>
-                <span class="text-gray-500">Client ID:</span>
-                <div class="font-mono"><%= @oidc_configuration.client_id %></div>
-              </div>
-              <div>
-                <span class="text-gray-500">Scopes:</span>
-                <div class="font-mono"><%= @oidc_configuration.scopes || "openid email profile" %></div>
-              </div>
+              <% if @sso_provider.oidc? %>
+                <div>
+                  <span class="text-gray-500">Issuer:</span>
+                  <div class="font-mono"><%= @configuration.issuer %></div>
+                </div>
+                <div>
+                  <span class="text-gray-500">Client ID:</span>
+                  <div class="font-mono"><%= @configuration.client_id %></div>
+                </div>
+                <div>
+                  <span class="text-gray-500">Scopes:</span>
+                  <div class="font-mono"><%= @configuration.scopes || "openid email profile" %></div>
+                </div>
+              <% else %>
+                <div>
+                  <span class="text-gray-500">Host:</span>
+                  <div class="font-mono"><%= @configuration.host %>:<%= @configuration.port %></div>
+                </div>
+                <div>
+                  <span class="text-gray-500">Base DN:</span>
+                  <div class="font-mono"><%= @configuration.base_dn %></div>
+                </div>
+                <div>
+                  <span class="text-gray-500">UID Attribute:</span>
+                  <div class="font-mono"><%= @configuration.uid_attribute %></div>
+                </div>
+                <div>
+                  <span class="text-gray-500">Encryption:</span>
+                  <div class="font-mono"><%= @configuration.encryption.titleize %></div>
+                </div>
+              <% end %>
             </div>
           <% end %>
         </div>
@@ -49,7 +68,10 @@
         <span>No SSO provider configured for this account.</span>
       </div>
 
-      <%= link_to "+ Add OIDC Provider", new_sso_provider_path, class: "btn btn-primary btn-sm" %>
+      <div class="flex gap-2">
+        <%= link_to "+ Add OIDC Provider", new_sso_provider_path(provider_type: "oidc"), class: "btn btn-primary btn-sm" %>
+        <%= link_to "+ Add LDAP Provider", new_sso_provider_path(provider_type: "ldap"), class: "btn btn-primary btn-sm" %>
+      </div>
     <% end %>
   <% end %>
 <% end %>
diff --git a/app/views/devise/sessions/ldap.html.erb b/app/views/devise/sessions/ldap.html.erb
new file mode 100644
index 00000000..f02e5a58
--- /dev/null
+++ b/app/views/devise/sessions/ldap.html.erb
@@ -0,0 +1,67 @@
+<div class="flex justify-center items-center min-h-screen bg-base-200">
+  <div class="card w-96 bg-base-100 shadow-xl">
+    <div class="card-body">
+      <p class="text-center text-sm text-gray-500 mt-2">
+        Sign in to access your account
+      </p>
+
+      <%= form_with(
+        model: resource,
+        as: resource_name,
+        url: account_sign_in_path(@account.slug),
+        method: :post,
+        data: { turbo: false },
+        html: { class: "space-y-4" }) do |f|
+      %>
+        <% if flash[:alert] %>
+          <div class="alert alert-error mb-4">
+            <iconify-icon icon="lucide:alert-triangle" class="mr-2 text-white"></iconify-icon>
+            <span><%= flash[:alert] %></span>
+          </div>
+        <% end %>
+
+        <%= render 'shared/error_messages', resource: resource %>
+
+        <div class="form-control">
+          <%= f.label :username, class: "label" do %>
+            <span class="label-text">LDAP Username</span>
+          <% end %>
+          <%= f.text_field(
+            :username,
+            autofocus: true,
+            placeholder: "Enter your username",
+            class: "input input-bordered w-full",
+            required: true,
+          ) %>
+        </div>
+
+        <div class="form-control">
+          <%= f.label :password, class: "label" do %>
+            <span class="label-text">LDAP Password</span>
+          <% end %>
+          <%= f.password_field(
+            :password,
+            autocomplete: "current-password",
+            placeholder: "Enter your password",
+            class: "input input-bordered w-full",
+            required: true,
+          ) %>
+        </div>
+
+        <div class="form-control mt-6">
+          <%= f.submit "Sign in to #{@account.name}", class: "btn btn-primary w-full" %>
+        </div>
+      <% end %>
+
+      <div class="divider">New to <%= @account.name %>?</div>
+
+      <p class="text-center text-sm">
+        Contact your account administrator to get access
+      </p>
+
+      <div class="mt-4 text-center">
+        <%= link_to "Back to main login", new_user_session_path, class: "link link-primary text-sm" %>
+      </div>
+    </div>
+  </div>
+</div>
\ No newline at end of file
diff --git a/app/views/settings/_layout.html.erb b/app/views/settings/_layout.html.erb
index a14ce47e..3d8e6274 100644
--- a/app/views/settings/_layout.html.erb
+++ b/app/views/settings/_layout.html.erb
@@ -1,6 +1,6 @@
 <div class="flex flex-row gap-x-4 items-stretch">
   <div class="w-64 space-y-4">
-    <% if current_account.stack_manager.present? && current_account.stack_manager.stack.provides_authentication? %>
+    <% if (current_account.stack_manager.present? && current_account.stack_manager.stack.provides_authentication?) || current_account.sso_provider.present? %>
     <div class="rounded bg-base-200 pl-4 pr-2 py-4">
       <h3 class="text-sm font-semibold mb-3">Account Login URL</h3>
       <div class="flex items-center gap-2 mb-2">
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index d74342d4..79f49a1b 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -287,7 +287,8 @@ Devise.setup do |config|
   require Rails.root.join('lib', 'devise', 'strategies', 'ldap_authenticatable')
 
   config.warden do |manager|
-    manager.strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
+    puts "Adding LDAP authenticatable strategy"
+    manager.strategies.add(:ldap_authenticatable, Devise::Strategies::LDAPAuthenticatable)
   end
 
   # ==> Mountable engine configurations
diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb
index ad5df37e..ea25935f 100644
--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@@ -14,4 +14,5 @@
 ActiveSupport::Inflector.inflections(:en) do |inflect|
   inflect.acronym "OIDC"
   inflect.acronym "SSO"
+  inflect.acronym "LDAP"
 end
diff --git a/db/migrate/20251121043926_create_ldap_configurations.rb b/db/migrate/20251121043926_create_ldap_configurations.rb
index 48ad11dd..dc3f0280 100644
--- a/db/migrate/20251121043926_create_ldap_configurations.rb
+++ b/db/migrate/20251121043926_create_ldap_configurations.rb
@@ -1,9 +1,9 @@
-class CreateLdapConfigurations < ActiveRecord::Migration[7.2]
+class CreateLDAPConfigurations < ActiveRecord::Migration[7.2]
   def change
     create_table :ldap_configurations do |t|
       t.string :host, null: false
       t.integer :port, default: 389, null: false
-      t.string :encryption, default: "plain"
+      t.integer :encryption, null: false
       t.string :base_dn, null: false
       t.string :bind_dn
       t.string :bind_password
diff --git a/db/schema.rb b/db/schema.rb
index 924d3720..a75d0e98 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_11_21_024136) do
+ActiveRecord::Schema[7.2].define(version: 2025_11_21_043926) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -333,6 +333,21 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_21_024136) do
     t.datetime "updated_at", null: false
   end
 
+  create_table "ldap_configurations", force: :cascade do |t|
+    t.string "host", null: false
+    t.integer "port", default: 389, null: false
+    t.integer "encryption", null: false
+    t.string "base_dn", null: false
+    t.string "bind_dn"
+    t.string "bind_password"
+    t.string "uid_attribute", default: "uid", null: false
+    t.string "email_attribute", default: "mail"
+    t.string "name_attribute", default: "cn"
+    t.string "filter"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   create_table "log_outputs", force: :cascade do |t|
     t.bigint "loggable_id", null: false
     t.string "loggable_type", null: false
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index 1587cba1..e140029f 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -1,41 +1,48 @@
-require 'net/ldap'
 require 'devise/strategies/authenticatable'
 
 module Devise
   module Strategies
-    class LdapAuthenticatable < Authenticatable
+    class LDAPAuthenticatable < Authenticatable
+      def valid?
+        true
+      end
+
       def authenticate!
         if params[:user]
-          ldap_config = find_ldap_configuration
+          ldap_configuration = find_ldap_configuration
 
-          return fail(:invalid_login) unless ldap_config
+          return fail(:invalid_login) unless ldap_configuration
 
           ldap = Net::LDAP.new(
-            host: ldap_config.host,
-            port: ldap_config.port,
-            encryption: ldap_config.encryption_method
+            host: ldap_configuration.host,
+            port: ldap_configuration.port,
+            encryption: ldap_configuration.encryption_method
           )
 
           # Build the user DN for authentication
-          user_dn = build_user_dn(ldap_config, email)
+          user_dn = build_user_dn(ldap_configuration, username)
           ldap.auth user_dn, password
 
           if ldap.bind
             # LDAP authentication successful, find or create user
-            user = User.find_or_create_by(email: email) do |u|
-              u.password = SecureRandom.hex(32) # Set random password since LDAP handles auth
-              u.account = find_or_create_account_for_ldap(ldap_config)
+            email = construct_email(username, ldap_configuration)
+            user = User.find_or_create_by(email: email) do |user|
+              password = SecureRandom.hex(32)
+              user.password = password
+              user.password_confirmation = password
+
+              AccountUser.create!(account: ldap_configuration.account, user:)
             end
             success!(user)
           else
             Rails.logger.info "LDAP bind failed for #{email}: #{ldap.get_operation_result.message}"
-            return fail(:invalid_login)
+            fail(:invalid_login)
           end
         end
       end
 
-      def email
-        params[:user][:email]
+      def username
+        params[:user][:username]
       end
 
       def password
@@ -52,22 +59,25 @@ module Devise
         if account_id
           sso_provider = SSOProvider.find_by(account_id: account_id, enabled: true)
           return sso_provider.configuration if sso_provider&.ldap?
+        else
+          raise "No account ID provided"
         end
-
-        # Fallback: try to find by email domain or return first enabled LDAP config
-        LdapConfiguration.joins(:sso_provider)
-                         .where(sso_providers: { enabled: true })
-                         .first
       end
 
-      def build_user_dn(ldap_config, email)
-        # Extract username from email if needed
-        username = email.split('@').first
-
+      def build_user_dn(ldap_config, username)
         # Build the DN using the uid attribute and base DN
         "#{ldap_config.uid_attribute}=#{username},#{ldap_config.base_dn}"
       end
 
+      def construct_email(username, ldap_config)
+        # If username is already an email, use it as-is
+        return username if username.include?('@')
+        
+        # Otherwise, construct email using mail_domain from config if available
+        domain = ldap_config.try(:mail_domain) || ldap_config.host
+        "#{username}@#{domain}"
+      end
+
       def find_or_create_account_for_ldap(ldap_config)
         sso_provider = ldap_config.sso_provider
         sso_provider&.account
@@ -75,5 +85,3 @@ module Devise
     end
   end
 end
-
-Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
diff --git a/spec/factories/ldap_configurations.rb b/spec/factories/ldap_configurations.rb
index bf7e136e..928fa10f 100644
--- a/spec/factories/ldap_configurations.rb
+++ b/spec/factories/ldap_configurations.rb
@@ -1,14 +1,32 @@
+# == Schema Information
+#
+# Table name: ldap_configurations
+#
+#  id              :bigint           not null, primary key
+#  base_dn         :string           not null
+#  bind_dn         :string
+#  bind_password   :string
+#  email_attribute :string           default("mail")
+#  encryption      :integer          not null
+#  filter          :string
+#  host            :string           not null
+#  name_attribute  :string           default("cn")
+#  port            :integer          default(389), not null
+#  uid_attribute   :string           default("uid"), not null
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
 FactoryBot.define do
   factory :ldap_configuration do
-    host { "MyString" }
-    port { 1 }
-    encryption { "MyString" }
-    base_dn { "MyString" }
-    bind_dn { "MyString" }
-    bind_password { "MyString" }
-    uid_attribute { "MyString" }
-    email_attribute { "MyString" }
-    name_attribute { "MyString" }
-    filter { "MyString" }
+    host { "ldap.example.com" }
+    port { 389 }
+    encryption { "plain" }
+    base_dn { "ou=users,dc=example,dc=com" }
+    bind_dn { "cn=admin,dc=example,dc=com" }
+    bind_password { "password" }
+    uid_attribute { "uid" }
+    email_attribute { "mail" }
+    name_attribute { "cn" }
+    filter { nil }
   end
 end
diff --git a/spec/models/ldap_configuration_spec.rb b/spec/models/ldap_configuration_spec.rb
index 22dd7518..33c0c2ee 100644
--- a/spec/models/ldap_configuration_spec.rb
+++ b/spec/models/ldap_configuration_spec.rb
@@ -1,5 +1,23 @@
+# == Schema Information
+#
+# Table name: ldap_configurations
+#
+#  id              :bigint           not null, primary key
+#  base_dn         :string           not null
+#  bind_dn         :string
+#  bind_password   :string
+#  email_attribute :string           default("mail")
+#  encryption      :integer          not null
+#  filter          :string
+#  host            :string           not null
+#  name_attribute  :string           default("cn")
+#  port            :integer          default(389), not null
+#  uid_attribute   :string           default("uid"), not null
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
 require 'rails_helper'
 
-RSpec.describe LdapConfiguration, type: :model do
+RSpec.describe LDAPConfiguration, type: :model do
   pending "add some examples to (or delete) #{__FILE__}"
 end

From 00d4650a6a02b03857188146ec8a55420b769b3d Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Mon, 24 Nov 2025 14:45:16 -0800
Subject: [PATCH 05/75] added teams

---
 app/actions/add_ons/visible_to_user.rb        |  47 ++++++
 app/actions/clusters/visible_to_user.rb       |  38 +++++
 app/actions/projects/visible_to_user.rb       |  47 ++++++
 app/avo/resources/team.rb                     |  13 ++
 app/avo/resources/team_membership.rb          |  13 ++
 app/avo/resources/team_resource.rb            |  13 ++
 .../teams/team_members_search_controller.rb   |  34 ++++
 .../teams/team_memberships_controller.rb      |  31 ++++
 .../teams/team_resources_controller.rb        |  44 +++++
 app/controllers/accounts/teams_controller.rb  |  53 ++++++
 .../avo/team_memberships_controller.rb        |   4 +
 .../avo/team_resources_controller.rb          |   4 +
 app/controllers/avo/teams_controller.rb       |   4 +
 .../team_member_search_controller.js          |  78 +++++++++
 app/models/account.rb                         |   1 +
 app/models/add_on.rb                          |   1 +
 app/models/cluster.rb                         |   1 +
 app/models/concerns/team_accessible.rb        |  10 ++
 app/models/project.rb                         |   1 +
 app/models/team.rb                            |  32 ++++
 app/models/team_membership.rb                 |  27 ++++
 app/models/team_resource.rb                   |  27 ++++
 app/models/user.rb                            |   2 +
 .../accounts/account_users/index.html.erb     |  10 ++
 app/views/accounts/teams/_list.html.erb       |  40 +++++
 .../teams/_team_memberships_list.html.erb     |  34 ++++
 .../teams/_team_resources_list.html.erb       |  34 ++++
 app/views/accounts/teams/edit.html.erb        |  39 +++++
 app/views/accounts/teams/index.html.erb       |  55 +++++++
 app/views/accounts/teams/new.html.erb         |  39 +++++
 app/views/accounts/teams/show.html.erb        | 151 ++++++++++++++++++
 app/views/settings/_layout.html.erb           |   2 +-
 config/routes.rb                              |   5 +
 db/migrate/20251122223743_create_teams.rb     |  14 ++
 .../20251122224404_create_team_memberships.rb |  12 ++
 .../20251122230641_create_team_resources.rb   |  12 ++
 db/schema.rb                                  |  38 ++++-
 spec/actions/add_ons/visible_to_user_spec.rb  | 112 +++++++++++++
 spec/actions/clusters/visible_to_user_spec.rb |  91 +++++++++++
 spec/actions/projects/visible_to_user_spec.rb | 105 ++++++++++++
 spec/factories/team_memberships.rb            |  27 ++++
 spec/factories/team_resources.rb              |  27 ++++
 spec/factories/teams.rb                       |  27 ++++
 spec/models/service_spec.rb                   |   8 +
 spec/models/team_membership_spec.rb           |  26 +++
 spec/models/team_resource_spec.rb             |  26 +++
 spec/models/team_spec.rb                      |  26 +++
 47 files changed, 1483 insertions(+), 2 deletions(-)
 create mode 100644 app/actions/add_ons/visible_to_user.rb
 create mode 100644 app/actions/clusters/visible_to_user.rb
 create mode 100644 app/actions/projects/visible_to_user.rb
 create mode 100644 app/avo/resources/team.rb
 create mode 100644 app/avo/resources/team_membership.rb
 create mode 100644 app/avo/resources/team_resource.rb
 create mode 100644 app/controllers/accounts/teams/team_members_search_controller.rb
 create mode 100644 app/controllers/accounts/teams/team_memberships_controller.rb
 create mode 100644 app/controllers/accounts/teams/team_resources_controller.rb
 create mode 100644 app/controllers/accounts/teams_controller.rb
 create mode 100644 app/controllers/avo/team_memberships_controller.rb
 create mode 100644 app/controllers/avo/team_resources_controller.rb
 create mode 100644 app/controllers/avo/teams_controller.rb
 create mode 100644 app/javascript/controllers/team_member_search_controller.js
 create mode 100644 app/models/concerns/team_accessible.rb
 create mode 100644 app/models/team.rb
 create mode 100644 app/models/team_membership.rb
 create mode 100644 app/models/team_resource.rb
 create mode 100644 app/views/accounts/teams/_list.html.erb
 create mode 100644 app/views/accounts/teams/_team_memberships_list.html.erb
 create mode 100644 app/views/accounts/teams/_team_resources_list.html.erb
 create mode 100644 app/views/accounts/teams/edit.html.erb
 create mode 100644 app/views/accounts/teams/index.html.erb
 create mode 100644 app/views/accounts/teams/new.html.erb
 create mode 100644 app/views/accounts/teams/show.html.erb
 create mode 100644 db/migrate/20251122223743_create_teams.rb
 create mode 100644 db/migrate/20251122224404_create_team_memberships.rb
 create mode 100644 db/migrate/20251122230641_create_team_resources.rb
 create mode 100644 spec/actions/add_ons/visible_to_user_spec.rb
 create mode 100644 spec/actions/clusters/visible_to_user_spec.rb
 create mode 100644 spec/actions/projects/visible_to_user_spec.rb
 create mode 100644 spec/factories/team_memberships.rb
 create mode 100644 spec/factories/team_resources.rb
 create mode 100644 spec/factories/teams.rb
 create mode 100644 spec/models/team_membership_spec.rb
 create mode 100644 spec/models/team_resource_spec.rb
 create mode 100644 spec/models/team_spec.rb

diff --git a/app/actions/add_ons/visible_to_user.rb b/app/actions/add_ons/visible_to_user.rb
new file mode 100644
index 00000000..a63ded32
--- /dev/null
+++ b/app/actions/add_ons/visible_to_user.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module AddOns
+  class VisibleToUser
+    extend LightService::Action
+
+    expects :user, :account
+    promises :add_ons
+
+    executed do |context|
+      user = context.user
+      account = context.account
+
+      # If account has no teams, user can see all add_ons
+      if account.teams.empty?
+        context.add_ons = AddOn.joins(:cluster).where(clusters: { account_id: account.id })
+        next context
+      end
+
+      # Get user's teams in this account
+      user_teams = user.teams.where(account: account)
+
+      # If user is not in any teams, they can't see any resources
+      if user_teams.empty?
+        context.add_ons = AddOn.none
+        next context
+      end
+
+      # Find add_ons accessible via:
+      # 1. Direct add_on access via team_resources
+      # 2. Cluster access via team_resources (includes all add_ons in that cluster)
+      direct_add_on_ids = TeamResource.where(
+        team: user_teams,
+        resourceable_type: 'AddOn'
+      ).pluck(:resourceable_id)
+
+      cluster_ids_via_teams = TeamResource.where(
+        team: user_teams,
+        resourceable_type: 'Cluster'
+      ).pluck(:resourceable_id)
+
+      context.add_ons = AddOn.where(id: direct_add_on_ids)
+                              .or(AddOn.where(cluster_id: cluster_ids_via_teams))
+                              .distinct
+    end
+  end
+end
diff --git a/app/actions/clusters/visible_to_user.rb b/app/actions/clusters/visible_to_user.rb
new file mode 100644
index 00000000..245a701e
--- /dev/null
+++ b/app/actions/clusters/visible_to_user.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Clusters
+  class VisibleToUser
+    extend LightService::Action
+
+    expects :user, :account
+    promises :clusters
+
+    executed do |context|
+      user = context.user
+      account = context.account
+
+      # If account has no teams, user can see all clusters
+      if account.teams.empty?
+        context.clusters = Cluster.where(account_id: account.id)
+        next context
+      end
+
+      # Get user's teams in this account
+      user_teams = user.teams.where(account: account)
+
+      # If user is not in any teams, they can't see any resources
+      if user_teams.empty?
+        context.clusters = Cluster.none
+        next context
+      end
+
+      # Find clusters accessible via direct cluster access via team_resources
+      cluster_ids = TeamResource.where(
+        team: user_teams,
+        resourceable_type: 'Cluster'
+      ).pluck(:resourceable_id)
+
+      context.clusters = Cluster.where(id: cluster_ids).distinct
+    end
+  end
+end
diff --git a/app/actions/projects/visible_to_user.rb b/app/actions/projects/visible_to_user.rb
new file mode 100644
index 00000000..87e8d8ad
--- /dev/null
+++ b/app/actions/projects/visible_to_user.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Projects
+  class VisibleToUser
+    extend LightService::Action
+
+    expects :user, :account
+    promises :projects
+
+    executed do |context|
+      user = context.user
+      account = context.account
+
+      # If account has no teams, user can see all projects
+      if account.teams.empty?
+        context.projects = Project.joins(:cluster).where(clusters: { account_id: account.id })
+        next context
+      end
+
+      # Get user's teams in this account
+      user_teams = user.teams.where(account: account)
+
+      # If user is not in any teams, they can't see any resources
+      if user_teams.empty?
+        context.projects = Project.none
+        next context
+      end
+
+      # Find projects accessible via:
+      # 1. Direct project access via team_resources
+      # 2. Cluster access via team_resources (includes all projects in that cluster)
+      direct_project_ids = TeamResource.where(
+        team: user_teams,
+        resourceable_type: 'Project'
+      ).pluck(:resourceable_id)
+
+      cluster_ids_via_teams = TeamResource.where(
+        team: user_teams,
+        resourceable_type: 'Cluster'
+      ).pluck(:resourceable_id)
+
+      context.projects = Project.where(id: direct_project_ids)
+                                .or(Project.where(cluster_id: cluster_ids_via_teams))
+                                .distinct
+    end
+  end
+end
diff --git a/app/avo/resources/team.rb b/app/avo/resources/team.rb
new file mode 100644
index 00000000..35963c65
--- /dev/null
+++ b/app/avo/resources/team.rb
@@ -0,0 +1,13 @@
+class Avo::Resources::Team < Avo::BaseResource
+  # self.includes = []
+  # self.attachments = []
+  # self.search = {
+  #   query: -> { query.ransack(id_eq: q, m: "or").result(distinct: false) }
+  # }
+
+  def fields
+    field :id, as: :id
+    field :name, as: :text
+    field :account, as: :belongs_to
+  end
+end
diff --git a/app/avo/resources/team_membership.rb b/app/avo/resources/team_membership.rb
new file mode 100644
index 00000000..591d19e2
--- /dev/null
+++ b/app/avo/resources/team_membership.rb
@@ -0,0 +1,13 @@
+class Avo::Resources::TeamMembership < Avo::BaseResource
+  # self.includes = []
+  # self.attachments = []
+  # self.search = {
+  #   query: -> { query.ransack(id_eq: q, m: "or").result(distinct: false) }
+  # }
+
+  def fields
+    field :id, as: :id
+    field :user, as: :belongs_to
+    field :team, as: :belongs_to
+  end
+end
diff --git a/app/avo/resources/team_resource.rb b/app/avo/resources/team_resource.rb
new file mode 100644
index 00000000..d88b0445
--- /dev/null
+++ b/app/avo/resources/team_resource.rb
@@ -0,0 +1,13 @@
+class Avo::Resources::TeamResource < Avo::BaseResource
+  # self.includes = []
+  # self.attachments = []
+  # self.search = {
+  #   query: -> { query.ransack(id_eq: q, m: "or").result(distinct: false) }
+  # }
+
+  def fields
+    field :id, as: :id
+    field :team, as: :belongs_to
+    field :resourceable, as: :text
+  end
+end
diff --git a/app/controllers/accounts/teams/team_members_search_controller.rb b/app/controllers/accounts/teams/team_members_search_controller.rb
new file mode 100644
index 00000000..df88087c
--- /dev/null
+++ b/app/controllers/accounts/teams/team_members_search_controller.rb
@@ -0,0 +1,34 @@
+class Accounts::Teams::TeamMembersSearchController < ApplicationController
+  before_action :set_team
+
+  def index
+    query = params[:q].to_s.strip
+
+    # Get users in the account who are NOT already in this team
+    users = if query.present?
+              current_account.users
+                             .where.not(id: @team.users.pluck(:id))
+                             .where("email ILIKE ? OR first_name ILIKE ? OR last_name ILIKE ?",
+                                    "%#{query}%", "%#{query}%", "%#{query}%")
+                             .limit(10)
+    else
+              []
+    end
+
+    render json: users.map { |user|
+      {
+        id: user.id,
+        email: user.email,
+        name: user.name,
+        first_name: user.first_name,
+        last_name: user.last_name
+      }
+    }
+  end
+
+  private
+
+  def set_team
+    @team = current_account.teams.friendly.find(params[:team_id])
+  end
+end
diff --git a/app/controllers/accounts/teams/team_memberships_controller.rb b/app/controllers/accounts/teams/team_memberships_controller.rb
new file mode 100644
index 00000000..beaeac93
--- /dev/null
+++ b/app/controllers/accounts/teams/team_memberships_controller.rb
@@ -0,0 +1,31 @@
+class Accounts::Teams::TeamMembershipsController < ApplicationController
+  before_action :set_team
+
+  def create
+    user = User.find(team_membership_params[:user_id])
+    @team_membership = @team.team_memberships.new(user: user)
+
+    if @team_membership.save
+      redirect_to team_path(@team), notice: "Member was successfully added to team."
+    else
+      redirect_to team_path(@team), alert: "Failed to add member to team."
+    end
+  end
+
+  def destroy
+    @team_membership = @team.team_memberships.find(params[:id])
+    @team_membership.destroy
+
+    redirect_to team_path(@team), notice: "Member was successfully removed from team."
+  end
+
+  private
+
+  def set_team
+    @team = current_account.teams.friendly.find(params[:team_id])
+  end
+
+  def team_membership_params
+    params.permit(:user_id)
+  end
+end
diff --git a/app/controllers/accounts/teams/team_resources_controller.rb b/app/controllers/accounts/teams/team_resources_controller.rb
new file mode 100644
index 00000000..a97009d1
--- /dev/null
+++ b/app/controllers/accounts/teams/team_resources_controller.rb
@@ -0,0 +1,44 @@
+class Accounts::Teams::TeamResourcesController < ApplicationController
+  before_action :set_team
+
+  def create
+    resourceable = find_resourceable(team_resource_params[:resourceable_type], team_resource_params[:resourceable_id])
+    @team_resource = @team.team_resources.new(resourceable: resourceable)
+
+    if @team_resource.save
+      redirect_to team_path(@team), notice: "Resource access was successfully granted."
+    else
+      redirect_to team_path(@team), alert: "Failed to grant resource access."
+    end
+  end
+
+  def destroy
+    @team_resource = @team.team_resources.find(params[:id])
+    @team_resource.destroy
+
+    redirect_to team_path(@team), notice: "Resource access was successfully revoked."
+  end
+
+  private
+
+  def set_team
+    @team = current_account.teams.friendly.find(params[:team_id])
+  end
+
+  def team_resource_params
+    params.permit(:resourceable_type, :resourceable_id)
+  end
+
+  def find_resourceable(type, id)
+    case type
+    when "Cluster"
+      current_account.clusters.find(id)
+    when "Project"
+      current_account.projects.find(id)
+    when "AddOn"
+      current_account.add_ons.find(id)
+    else
+      raise "Invalid resourceable type"
+    end
+  end
+end
diff --git a/app/controllers/accounts/teams_controller.rb b/app/controllers/accounts/teams_controller.rb
new file mode 100644
index 00000000..f87b59a3
--- /dev/null
+++ b/app/controllers/accounts/teams_controller.rb
@@ -0,0 +1,53 @@
+class Accounts::TeamsController < ApplicationController
+  include SettingsHelper
+  before_action :set_team, only: %i[show edit update destroy]
+
+  def index
+    @pagy, @teams = pagy(current_account.teams)
+  end
+
+  def show
+    @pagy, @team_memberships = pagy(@team.team_memberships)
+  end
+
+  def new
+    @team = current_account.teams.new
+  end
+
+  def create
+    @team = current_account.teams.new(team_params)
+
+    if @team.save
+      redirect_to teams_path, notice: "Team was successfully created."
+    else
+      render :new, status: :unprocessable_entity
+    end
+  end
+
+  def edit
+  end
+
+  def update
+    if @team.update(team_params)
+      redirect_to team_path(@team), notice: "Team was successfully updated."
+    else
+      render :edit, status: :unprocessable_entity
+    end
+  end
+
+  def destroy
+    @team.destroy
+
+    redirect_to teams_path, notice: "Team was successfully destroyed."
+  end
+
+  private
+
+  def set_team
+    @team = current_account.teams.friendly.find(params[:id])
+  end
+
+  def team_params
+    params.require(:team).permit(:name)
+  end
+end
diff --git a/app/controllers/avo/team_memberships_controller.rb b/app/controllers/avo/team_memberships_controller.rb
new file mode 100644
index 00000000..302ed147
--- /dev/null
+++ b/app/controllers/avo/team_memberships_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/3.0/controllers.html
+class Avo::TeamMembershipsController < Avo::ResourcesController
+end
diff --git a/app/controllers/avo/team_resources_controller.rb b/app/controllers/avo/team_resources_controller.rb
new file mode 100644
index 00000000..e9e2ed4c
--- /dev/null
+++ b/app/controllers/avo/team_resources_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/3.0/controllers.html
+class Avo::TeamResourcesController < Avo::ResourcesController
+end
diff --git a/app/controllers/avo/teams_controller.rb b/app/controllers/avo/teams_controller.rb
new file mode 100644
index 00000000..76d7ecb0
--- /dev/null
+++ b/app/controllers/avo/teams_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/3.0/controllers.html
+class Avo::TeamsController < Avo::ResourcesController
+end
diff --git a/app/javascript/controllers/team_member_search_controller.js b/app/javascript/controllers/team_member_search_controller.js
new file mode 100644
index 00000000..a42087fc
--- /dev/null
+++ b/app/javascript/controllers/team_member_search_controller.js
@@ -0,0 +1,78 @@
+import AsyncSearchDropdownController from "./components/async_search_dropdown_controller"
+
+export default class extends AsyncSearchDropdownController {
+  static values = {
+    teamId: String,
+    addUrl: String
+  }
+
+  async fetchResults(query) {
+    const url = `/accounts/teams/${this.teamIdValue}/team_members_search?q=${encodeURIComponent(query)}`
+    const response = await fetch(url, {
+      headers: {
+        'Accept': 'application/json'
+      }
+    })
+
+    if (!response.ok) {
+      throw new Error('Failed to search team members')
+    }
+
+    return await response.json()
+  }
+
+  renderItem(user) {
+    return `
+      <div class="flex items-center gap-2">
+        <div class="flex-1">
+          <div class="font-medium">${this.escapeHtml(user.name || user.email)}</div>
+          ${user.email !== user.name ? `<div class="text-sm text-base-content/60">${this.escapeHtml(user.email)}</div>` : ''}
+        </div>
+      </div>
+    `
+  }
+
+  async onItemSelect(user, itemElement) {
+    try {
+      // Add loading state
+      itemElement.classList.add('opacity-50')
+      itemElement.innerHTML = `
+        <div class="flex items-center gap-2">
+          <span class="loading loading-spinner loading-sm"></span>
+          <span>Adding ${this.escapeHtml(user.name || user.email)}...</span>
+        </div>
+      `
+
+      // Send POST request to add team member
+      const response = await fetch(this.addUrlValue, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-CSRF-Token': this.getCsrfToken()
+        },
+        body: JSON.stringify({ user_id: user.id })
+      })
+
+      if (!response.ok) {
+        throw new Error('Failed to add team member')
+      }
+
+      // Redirect to reload page (or you could use Turbo Stream)
+      window.location.reload()
+    } catch (error) {
+      console.error('Error adding team member:', error)
+      alert('Failed to add team member. Please try again.')
+      itemElement.classList.remove('opacity-50')
+    }
+  }
+
+  escapeHtml(text) {
+    const div = document.createElement('div')
+    div.textContent = text
+    return div.innerHTML
+  }
+
+  getCsrfToken() {
+    return document.querySelector('meta[name="csrf-token"]')?.content || ''
+  }
+}
diff --git a/app/models/account.rb b/app/models/account.rb
index 1112e036..6b9bd68d 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -26,6 +26,7 @@ class Account < ApplicationRecord
   has_many :account_users, dependent: :destroy
   has_many :users, through: :account_users
   has_one :stack_manager, dependent: :destroy
+  has_many :teams, dependent: :destroy
 
   has_many :clusters, dependent: :destroy
   has_many :build_clouds, through: :clusters
diff --git a/app/models/add_on.rb b/app/models/add_on.rb
index b45459ba..94e30861 100644
--- a/app/models/add_on.rb
+++ b/app/models/add_on.rb
@@ -24,6 +24,7 @@
 #
 class AddOn < ApplicationRecord
   include Loggable
+  include TeamAccessible
   belongs_to :cluster
   has_one :account, through: :cluster
 
diff --git a/app/models/cluster.rb b/app/models/cluster.rb
index 58571a27..033a4c3c 100644
--- a/app/models/cluster.rb
+++ b/app/models/cluster.rb
@@ -22,6 +22,7 @@
 #
 class Cluster < ApplicationRecord
   include Loggable
+  include TeamAccessible
   broadcasts_refreshes
   belongs_to :account
 
diff --git a/app/models/concerns/team_accessible.rb b/app/models/concerns/team_accessible.rb
new file mode 100644
index 00000000..8d9e1aa0
--- /dev/null
+++ b/app/models/concerns/team_accessible.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module TeamAccessible
+  extend ActiveSupport::Concern
+
+  included do
+    has_many :team_resources, as: :resourceable, dependent: :destroy
+    has_many :teams, through: :team_resources
+  end
+end
diff --git a/app/models/project.rb b/app/models/project.rb
index 6cb47e2f..4913f38c 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -32,6 +32,7 @@
 #  fk_rails_...  (project_fork_cluster_id => clusters.id)
 #
 class Project < ApplicationRecord
+  include TeamAccessible
   broadcasts_refreshes
   belongs_to :cluster
   has_one :account, through: :cluster
diff --git a/app/models/team.rb b/app/models/team.rb
new file mode 100644
index 00000000..20803e4f
--- /dev/null
+++ b/app/models/team.rb
@@ -0,0 +1,32 @@
+# == Schema Information
+#
+# Table name: teams
+#
+#  id         :bigint           not null, primary key
+#  name       :string           not null
+#  slug       :string           not null
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#  account_id :bigint           not null
+#
+# Indexes
+#
+#  index_teams_on_account_id           (account_id)
+#  index_teams_on_account_id_and_name  (account_id,name) UNIQUE
+#  index_teams_on_slug                 (slug) UNIQUE
+#
+# Foreign Keys
+#
+#  fk_rails_...  (account_id => accounts.id)
+#
+class Team < ApplicationRecord
+  extend FriendlyId
+  friendly_id :name, use: :slugged
+
+  belongs_to :account
+  has_many :team_memberships, dependent: :destroy
+  has_many :users, through: :team_memberships
+  has_many :team_resources, dependent: :destroy
+
+  validates :name, presence: true, uniqueness: { scope: :account_id }
+end
diff --git a/app/models/team_membership.rb b/app/models/team_membership.rb
new file mode 100644
index 00000000..7e2ba12a
--- /dev/null
+++ b/app/models/team_membership.rb
@@ -0,0 +1,27 @@
+# == Schema Information
+#
+# Table name: team_memberships
+#
+#  id         :bigint           not null, primary key
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#  team_id    :bigint           not null
+#  user_id    :bigint           not null
+#
+# Indexes
+#
+#  index_team_memberships_on_team_id              (team_id)
+#  index_team_memberships_on_user_id              (user_id)
+#  index_team_memberships_on_user_id_and_team_id  (user_id,team_id) UNIQUE
+#
+# Foreign Keys
+#
+#  fk_rails_...  (team_id => teams.id)
+#  fk_rails_...  (user_id => users.id)
+#
+class TeamMembership < ApplicationRecord
+  belongs_to :user
+  belongs_to :team
+
+  validates :user_id, uniqueness: { scope: :team_id }
+end
diff --git a/app/models/team_resource.rb b/app/models/team_resource.rb
new file mode 100644
index 00000000..27fa33ce
--- /dev/null
+++ b/app/models/team_resource.rb
@@ -0,0 +1,27 @@
+# == Schema Information
+#
+# Table name: team_resources
+#
+#  id                :bigint           not null, primary key
+#  resourceable_type :string           not null
+#  created_at        :datetime         not null
+#  updated_at        :datetime         not null
+#  resourceable_id   :bigint           not null
+#  team_id           :bigint           not null
+#
+# Indexes
+#
+#  index_team_resources_on_resourceable           (resourceable_type,resourceable_id)
+#  index_team_resources_on_team_and_resourceable  (team_id,resourceable_type,resourceable_id) UNIQUE
+#  index_team_resources_on_team_id                (team_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (team_id => teams.id)
+#
+class TeamResource < ApplicationRecord
+  belongs_to :team
+  belongs_to :resourceable, polymorphic: true
+
+  validates :resourceable_id, uniqueness: { scope: [ :team_id, :resourceable_type ] }
+end
diff --git a/app/models/user.rb b/app/models/user.rb
index 4248de9e..d896b989 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -33,6 +33,8 @@ class User < ApplicationRecord
   has_many :account_users, dependent: :destroy
   has_many :accounts, through: :account_users, dependent: :destroy
   has_many :owned_accounts, class_name: "Account", foreign_key: "owner_id", dependent: :destroy
+  has_many :team_memberships, dependent: :destroy
+  has_many :teams, through: :team_memberships
 
   has_many :providers, dependent: :destroy
   has_many :clusters, through: :accounts
diff --git a/app/views/accounts/account_users/index.html.erb b/app/views/accounts/account_users/index.html.erb
index d623b00f..e387186f 100644
--- a/app/views/accounts/account_users/index.html.erb
+++ b/app/views/accounts/account_users/index.html.erb
@@ -17,6 +17,16 @@
       </div>
     </div>
 
+    <!-- Tabs -->
+    <div role="tablist" class="tabs tabs-bordered mt-5">
+      <%= link_to account_users_path, role: "tab", class: "tab tab-active" do %>
+        Members
+      <% end %>
+      <%= link_to teams_path, role: "tab", class: "tab" do %>
+        Teams
+      <% end %>
+    </div>
+
     <div class="mt-5">
       <div aria-label="Card" class="card card-bordered bg-base-100">
         <div class="card-body">
diff --git a/app/views/accounts/teams/_list.html.erb b/app/views/accounts/teams/_list.html.erb
new file mode 100644
index 00000000..c667322a
--- /dev/null
+++ b/app/views/accounts/teams/_list.html.erb
@@ -0,0 +1,40 @@
+<div class="overflow-auto">
+  <table class="table mt-2 rounded-box" data-component="table">
+    <thead>
+      <tr>
+        <th>
+          <span class="text-sm font-medium text-base-content/80">Name</span>
+        </th>
+        <th>
+          <span class="text-sm font-medium text-base-content/80">Members</span>
+        </th>
+        <th>
+          <span class="text-sm font-medium text-base-content/80">Resources</span>
+        </th>
+        <th></th>
+      </tr>
+    </thead>
+    <tbody>
+      <% teams.each do |team| %>
+        <tr class="cursor-pointer hover:bg-base-200/40" onclick="window.location='<%= team_path(team) %>'">
+          <td>
+            <div class="font-medium"><%= team.name %></div>
+          </td>
+          <td>
+            <div class="font-medium"><%= team.users.count %></div>
+          </td>
+          <td>
+            <div class="font-medium"><%= team.team_resources.count %></div>
+          </td>
+          <td>
+            <div class="text-sm capitalize">
+              <%= button_to team_path(team), method: :delete, data: { confirm: "Are you sure?" }, class: "btn btn-square btn-sm btn-danger min-w-max" do %>
+                <iconify-icon icon="lucide:trash" height="18" class="text-error"></iconify-icon>
+              <% end %>
+            </div>
+          </td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+</div>
diff --git a/app/views/accounts/teams/_team_memberships_list.html.erb b/app/views/accounts/teams/_team_memberships_list.html.erb
new file mode 100644
index 00000000..a2fc2c85
--- /dev/null
+++ b/app/views/accounts/teams/_team_memberships_list.html.erb
@@ -0,0 +1,34 @@
+<div class="overflow-auto">
+  <table class="table mt-2 rounded-box" data-component="table">
+    <thead>
+      <tr>
+        <th>
+          <span class="text-sm font-medium text-base-content/80">Name</span>
+        </th>
+        <th>
+          <span class="text-sm font-medium text-base-content/80">Email</span>
+        </th>
+        <th></th>
+      </tr>
+    </thead>
+    <tbody>
+      <% team_memberships.each do |team_membership| %>
+        <tr class="hover:bg-base-200/40">
+          <td>
+            <div class="font-medium"><%= team_membership.user.name %></div>
+          </td>
+          <td>
+            <div class="font-medium"><%= team_membership.user.email %></div>
+          </td>
+          <td>
+            <div class="text-sm capitalize">
+              <%= button_to team_team_membership_path(team_membership.team, team_membership), method: :delete, data: { confirm: "Are you sure?" }, class: "btn btn-square btn-sm btn-danger min-w-max" do %>
+                <iconify-icon icon="lucide:trash" height="18" class="text-error"></iconify-icon>
+              <% end %>
+            </div>
+          </td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+</div>
diff --git a/app/views/accounts/teams/_team_resources_list.html.erb b/app/views/accounts/teams/_team_resources_list.html.erb
new file mode 100644
index 00000000..221a08dd
--- /dev/null
+++ b/app/views/accounts/teams/_team_resources_list.html.erb
@@ -0,0 +1,34 @@
+<div class="overflow-auto">
+  <table class="table mt-2 rounded-box" data-component="table">
+    <thead>
+      <tr>
+        <th>
+          <span class="text-sm font-medium text-base-content/80">Type</span>
+        </th>
+        <th>
+          <span class="text-sm font-medium text-base-content/80">Name</span>
+        </th>
+        <th></th>
+      </tr>
+    </thead>
+    <tbody>
+      <% team.team_resources.each do |team_resource| %>
+        <tr class="hover:bg-base-200/40">
+          <td>
+            <div class="font-medium"><%= team_resource.resourceable_type %></div>
+          </td>
+          <td>
+            <div class="font-medium"><%= team_resource.resourceable.name %></div>
+          </td>
+          <td>
+            <div class="text-sm capitalize">
+              <%= button_to team_team_resource_path(team, team_resource), method: :delete, data: { confirm: "Are you sure?" }, class: "btn btn-square btn-sm btn-danger min-w-max" do %>
+                <iconify-icon icon="lucide:trash" height="18" class="text-error"></iconify-icon>
+              <% end %>
+            </div>
+          </td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+</div>
diff --git a/app/views/accounts/teams/edit.html.erb b/app/views/accounts/teams/edit.html.erb
new file mode 100644
index 00000000..930314c6
--- /dev/null
+++ b/app/views/accounts/teams/edit.html.erb
@@ -0,0 +1,39 @@
+<%= settings_layout do %>
+  <%= content_for :title, "Edit Team" %>
+
+  <div>
+    <div class="mb-6">
+      <h2 class="text-2xl font-bold">Edit Team</h2>
+      <div class="flex text-sm">
+        <div class="flex items-center gap-1">
+          <iconify-icon icon="lucide:building"></iconify-icon>
+          <%= current_account.name %>
+        </div>
+      </div>
+    </div>
+
+    <div class="mt-5">
+      <div aria-label="Card" class="card card-bordered bg-base-100">
+        <div class="card-body">
+          <%= form_with(model: @team, url: team_path(@team), method: :patch) do |form| %>
+            <div class="form-control mt-1 w-full">
+              <label class="label">
+                <span class="label-text">Team Name</span>
+              </label>
+              <%= form.text_field :name, class: "input input-bordered w-full focus:outline-offset-0" %>
+              <% if @team.errors[:name].any? %>
+                <label class="label">
+                  <span class="label-text-alt text-error"><%= @team.errors[:name].first %></span>
+                </label>
+              <% end %>
+            </div>
+            <div class="form-footer mt-6">
+              <%= link_to "Cancel", team_path(@team), class: "btn btn-ghost" %>
+              <%= form.button "Update Team", class: "btn btn-primary" %>
+            </div>
+          <% end %>
+        </div>
+      </div>
+    </div>
+  </div>
+<% end %>
diff --git a/app/views/accounts/teams/index.html.erb b/app/views/accounts/teams/index.html.erb
new file mode 100644
index 00000000..45d7b9cf
--- /dev/null
+++ b/app/views/accounts/teams/index.html.erb
@@ -0,0 +1,55 @@
+<%= settings_layout do %>
+  <%= content_for :title, "Team Members" %>
+  <%= turbo_stream_from [:teams, current_account] %>
+
+  <div>
+    <div>
+      <h2 class="text-2xl font-bold">Team Members</h2>
+      <div class="flex text-sm">
+        <div class="flex items-center gap-1">
+          <iconify-icon icon="lucide:building"></iconify-icon>
+          <%= current_account.name %>
+        </div>
+        <div class="flex items-center ml-4 gap-1">
+          <iconify-icon icon="lucide:users"></iconify-icon>
+          <%= current_account.users.count %> Member<%= "s" if current_account.users.count != 1 %>
+        </div>
+        <div class="flex items-center ml-4 gap-1">
+          <iconify-icon icon="lucide:shield"></iconify-icon>
+          <%= current_account.teams.count %> Team<%= "s" if current_account.teams.count != 1 %>
+        </div>
+      </div>
+    </div>
+
+    <!-- Tabs -->
+    <div role="tablist" class="tabs tabs-bordered mt-5">
+      <%= link_to account_users_path, role: "tab", class: "tab" do %>
+        Members
+      <% end %>
+      <%= link_to teams_path, role: "tab", class: "tab tab-active" do %>
+        Teams
+      <% end %>
+    </div>
+
+    <div class="mt-5">
+      <div aria-label="Card" class="card card-bordered bg-base-100">
+        <div class="card-body">
+          <div class="text-right px-5 pt-5">
+            <%= link_to new_team_path, class: "btn btn-primary btn-sm" do %>
+              <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
+              <span class="hidden sm:inline">Create Team</span>
+            <% end %>
+          </div>
+
+          <div>
+            <%= tag.div id: ("teams" if @pagy.page == 1) do %>
+              <%= render "accounts/teams/list", teams: @teams, cached: true %>
+            <% end %>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <%= render 'shared/pagination', pagy: @pagy %>
+  </div>
+<% end %>
diff --git a/app/views/accounts/teams/new.html.erb b/app/views/accounts/teams/new.html.erb
new file mode 100644
index 00000000..4e46c15c
--- /dev/null
+++ b/app/views/accounts/teams/new.html.erb
@@ -0,0 +1,39 @@
+<%= settings_layout do %>
+  <%= content_for :title, "Create Team" %>
+
+  <div>
+    <div class="mb-6">
+      <h2 class="text-2xl font-bold">Create Team</h2>
+      <div class="flex text-sm">
+        <div class="flex items-center gap-1">
+          <iconify-icon icon="lucide:building"></iconify-icon>
+          <%= current_account.name %>
+        </div>
+      </div>
+    </div>
+
+    <div class="mt-5">
+      <div aria-label="Card" class="card card-bordered bg-base-100">
+        <div class="card-body">
+          <%= form_with(model: @team, url: teams_path) do |form| %>
+            <div class="form-control mt-1 w-full">
+              <label class="label">
+                <span class="label-text">Team Name</span>
+              </label>
+              <%= form.text_field :name, class: "input input-bordered w-full focus:outline-offset-0", placeholder: "Engineering, DevOps, etc." %>
+              <% if @team.errors[:name].any? %>
+                <label class="label">
+                  <span class="label-text-alt text-error"><%= @team.errors[:name].first %></span>
+                </label>
+              <% end %>
+            </div>
+            <div class="form-footer mt-6">
+              <%= link_to "Cancel", teams_path, class: "btn btn-ghost" %>
+              <%= form.button "Create Team", class: "btn btn-primary" %>
+            </div>
+          <% end %>
+        </div>
+      </div>
+    </div>
+  </div>
+<% end %>
diff --git a/app/views/accounts/teams/show.html.erb b/app/views/accounts/teams/show.html.erb
new file mode 100644
index 00000000..3146c6f2
--- /dev/null
+++ b/app/views/accounts/teams/show.html.erb
@@ -0,0 +1,151 @@
+<%= settings_layout do %>
+  <%= content_for :title, @team.name %>
+  <%= turbo_stream_from [:team_memberships, @team] %>
+
+  <div>
+    <div class="mb-6">
+      <div class="flex justify-between items-start">
+        <div>
+          <h2 class="text-2xl font-bold"><%= @team.name %></h2>
+          <div class="flex text-sm">
+            <div class="flex items-center gap-1">
+              <iconify-icon icon="lucide:building"></iconify-icon>
+              <%= current_account.name %>
+            </div>
+            <div class="flex items-center ml-4 gap-1">
+              <iconify-icon icon="lucide:users"></iconify-icon>
+              <%= @team.users.count %> Member<%= "s" if @team.users.count != 1 %>
+            </div>
+          </div>
+        </div>
+        <div class="flex gap-2">
+          <%= link_to edit_team_path(@team), class: "btn btn-ghost btn-sm" do %>
+            <iconify-icon icon="lucide:pencil" height="16"></iconify-icon>
+            Edit
+          <% end %>
+        </div>
+      </div>
+    </div>
+
+    <!-- Team Members Section -->
+    <div class="mt-5">
+      <div aria-label="Card" class="card card-bordered bg-base-100">
+        <div class="card-body">
+          <div class="flex justify-between items-center px-5 pt-5">
+            <h3 class="text-lg font-semibold">Team Members</h3>
+            <button class="btn btn-primary btn-sm" onclick="add_team_member_modal.showModal()">
+              <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
+              <span class="hidden sm:inline">Add User</span>
+            </button>
+          </div>
+
+          <div>
+            <%= tag.div id: ("team_memberships" if @pagy.page == 1) do %>
+              <%= render "accounts/teams/team_memberships_list", team_memberships: @team_memberships, cached: true %>
+            <% end %>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <%= render 'shared/pagination', pagy: @pagy %>
+
+    <!-- Team Resources Section -->
+    <div class="mt-5">
+      <div aria-label="Card" class="card card-bordered bg-base-100">
+        <div class="card-body">
+          <div class="flex justify-between items-center px-5 pt-5">
+            <h3 class="text-lg font-semibold">Team Resources</h3>
+            <button class="btn btn-primary btn-sm" onclick="add_team_resource_modal.showModal()">
+              <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
+              <span class="hidden sm:inline">Grant Access</span>
+            </button>
+          </div>
+
+          <div>
+            <%= render "accounts/teams/team_resources_list", team: @team, cached: true %>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <!-- Add Team Member Modal -->
+  <dialog aria-label="Modal" class="modal" id="add_team_member_modal">
+    <div class="modal-box max-w-2xl">
+      <form method="dialog">
+        <button aria-label="Close modal" class="btn btn-circle btn-ghost btn-sm absolute right-2 top-2">
+          <iconify-icon icon="lucide:x" height="16"></iconify-icon>
+        </button>
+      </form>
+      <div class="mb-4 w-full text-xl font-bold">Add User to <%= @team.name %></div>
+      <div>
+        <div class="form-control mt-1 w-full"
+             data-controller="team-member-search"
+             data-team-member-search-team-id-value="<%= @team.slug %>"
+             data-team-member-search-add-url-value="<%= team_team_memberships_path(@team) %>">
+          <label class="label">
+            <span class="label-text">Search for a user</span>
+          </label>
+          <div class="relative">
+            <input type="text"
+                   placeholder="Type to search by name or email..."
+                   class="input input-bordered w-full focus:outline-offset-0" />
+          </div>
+          <label class="label">
+            <span class="label-text-alt">Start typing to search for users in your account.</span>
+          </label>
+        </div>
+      </div>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+      <button>close</button>
+    </form>
+  </dialog>
+
+  <!-- Add Team Resource Modal -->
+  <dialog aria-label="Modal" class="modal" id="add_team_resource_modal">
+    <div class="modal-box">
+      <form method="dialog">
+        <button aria-label="Close modal" class="btn btn-circle btn-ghost btn-sm absolute right-2 top-2">
+          <iconify-icon icon="lucide:x" height="16"></iconify-icon>
+        </button>
+      </form>
+      <div class="mb-4 w-full text-xl font-bold">Grant Resource Access to <%= @team.name %></div>
+      <div>
+        <%= form_with(url: team_team_resources_path(@team)) do |form| %>
+          <div class="form-control mt-1 w-full">
+            <label class="label">
+              <span class="label-text">Resource Type</span>
+            </label>
+            <%= form.select :resourceable_type,
+                [["Cluster", "Cluster"], ["Project", "Project"], ["Add-on", "AddOn"]],
+                { prompt: "Select resource type" },
+                class: "select select-bordered w-full focus:outline-offset-0",
+                data: { action: "change->team-resource#updateResourceOptions" } %>
+          </div>
+
+          <div class="form-control mt-1 w-full">
+            <label class="label">
+              <span class="label-text">Resource</span>
+            </label>
+            <%= form.select :resourceable_id,
+                [],
+                { prompt: "Select a resource" },
+                class: "select select-bordered w-full focus:outline-offset-0",
+                id: "resourceable_id_select" %>
+            <label class="label">
+              <span class="label-text-alt">Grant access to a specific resource.</span>
+            </label>
+          </div>
+          <div class="form-footer">
+            <%= form.button "Grant Access", class: "btn btn-primary" %>
+          </div>
+        <% end %>
+      </div>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+      <button>close</button>
+    </form>
+  </dialog>
+<% end %>
diff --git a/app/views/settings/_layout.html.erb b/app/views/settings/_layout.html.erb
index 169ccf8a..84feccc3 100644
--- a/app/views/settings/_layout.html.erb
+++ b/app/views/settings/_layout.html.erb
@@ -27,7 +27,7 @@
               Profile
             <% end %>
           </li>
-          <li class="<%= 'underline' if current_page?(account_users_path) %>" style="text-underline-offset: 0.25rem;">
+          <li class="<%= 'underline' if current_page?(account_users_path) || controller_name == 'teams' %>" style="text-underline-offset: 0.25rem;">
             <%= link_to account_users_path do %>
               <iconify-icon icon="lucide:users" ></iconify-icon>
               Team Members
diff --git a/config/routes.rb b/config/routes.rb
index 34020f20..d505e985 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -19,6 +19,11 @@ Rails.application.routes.draw do
   resources :accounts, only: [ :create ] do
     collection do
       resources :account_users, only: %i[create index destroy], module: :accounts
+      resources :teams, module: :accounts do
+        resources :team_memberships, only: %i[create destroy], module: :teams
+        resources :team_resources, only: %i[create destroy], module: :teams
+        resources :team_members_search, only: %i[index], module: :teams
+      end
     end
     member do
       get :switch
diff --git a/db/migrate/20251122223743_create_teams.rb b/db/migrate/20251122223743_create_teams.rb
new file mode 100644
index 00000000..63922e5c
--- /dev/null
+++ b/db/migrate/20251122223743_create_teams.rb
@@ -0,0 +1,14 @@
+class CreateTeams < ActiveRecord::Migration[7.2]
+  def change
+    create_table :teams do |t|
+      t.string :name, null: false
+      t.string :slug, null: false
+      t.references :account, null: false, foreign_key: true
+
+      t.timestamps
+    end
+
+    add_index :teams, :slug, unique: true
+    add_index :teams, [ :account_id, :name ], unique: true
+  end
+end
diff --git a/db/migrate/20251122224404_create_team_memberships.rb b/db/migrate/20251122224404_create_team_memberships.rb
new file mode 100644
index 00000000..c8a07547
--- /dev/null
+++ b/db/migrate/20251122224404_create_team_memberships.rb
@@ -0,0 +1,12 @@
+class CreateTeamMemberships < ActiveRecord::Migration[7.2]
+  def change
+    create_table :team_memberships do |t|
+      t.references :user, null: false, foreign_key: true
+      t.references :team, null: false, foreign_key: true
+
+      t.timestamps
+    end
+
+    add_index :team_memberships, [ :user_id, :team_id ], unique: true
+  end
+end
diff --git a/db/migrate/20251122230641_create_team_resources.rb b/db/migrate/20251122230641_create_team_resources.rb
new file mode 100644
index 00000000..9f98ce71
--- /dev/null
+++ b/db/migrate/20251122230641_create_team_resources.rb
@@ -0,0 +1,12 @@
+class CreateTeamResources < ActiveRecord::Migration[7.2]
+  def change
+    create_table :team_resources do |t|
+      t.references :team, null: false, foreign_key: true
+      t.references :resourceable, polymorphic: true, null: false
+
+      t.timestamps
+    end
+
+    add_index :team_resources, [ :team_id, :resourceable_type, :resourceable_id ], unique: true, name: 'index_team_resources_on_team_and_resourceable'
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 71cdc21f..6a7d8603 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
+ActiveRecord::Schema[7.2].define(version: 2025_11_22_230641) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -488,6 +488,38 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.index ["account_id"], name: "index_stack_managers_on_account_id", unique: true
   end
 
+  create_table "team_memberships", force: :cascade do |t|
+    t.bigint "user_id", null: false
+    t.bigint "team_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["team_id"], name: "index_team_memberships_on_team_id"
+    t.index ["user_id", "team_id"], name: "index_team_memberships_on_user_id_and_team_id", unique: true
+    t.index ["user_id"], name: "index_team_memberships_on_user_id"
+  end
+
+  create_table "team_resources", force: :cascade do |t|
+    t.bigint "team_id", null: false
+    t.string "resourceable_type", null: false
+    t.bigint "resourceable_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["resourceable_type", "resourceable_id"], name: "index_team_resources_on_resourceable"
+    t.index ["team_id", "resourceable_type", "resourceable_id"], name: "index_team_resources_on_team_and_resourceable", unique: true
+    t.index ["team_id"], name: "index_team_resources_on_team_id"
+  end
+
+  create_table "teams", force: :cascade do |t|
+    t.string "name", null: false
+    t.string "slug", null: false
+    t.bigint "account_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["account_id", "name"], name: "index_teams_on_account_id_and_name", unique: true
+    t.index ["account_id"], name: "index_teams_on_account_id"
+    t.index ["slug"], name: "index_teams_on_slug", unique: true
+  end
+
   create_table "users", force: :cascade do |t|
     t.string "email", default: "", null: false
     t.string "encrypted_password", default: "", null: false
@@ -545,5 +577,9 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
   add_foreign_key "providers", "users"
   add_foreign_key "services", "projects"
   add_foreign_key "stack_managers", "accounts"
+  add_foreign_key "team_memberships", "teams"
+  add_foreign_key "team_memberships", "users"
+  add_foreign_key "team_resources", "teams"
+  add_foreign_key "teams", "accounts"
   add_foreign_key "volumes", "projects"
 end
diff --git a/spec/actions/add_ons/visible_to_user_spec.rb b/spec/actions/add_ons/visible_to_user_spec.rb
new file mode 100644
index 00000000..0e7686ea
--- /dev/null
+++ b/spec/actions/add_ons/visible_to_user_spec.rb
@@ -0,0 +1,112 @@
+require 'rails_helper'
+
+RSpec.describe AddOns::VisibleToUser do
+  let!(:account) { create(:account) }
+  let!(:user) { create(:user) }
+  let!(:cluster) { create(:cluster, account: account) }
+
+  before do
+    account.users << user
+  end
+
+  describe '.execute' do
+    context 'when account has no teams' do
+      let!(:add_on1) { create(:add_on, cluster: cluster) }
+      let!(:add_on2) { create(:add_on, cluster: cluster) }
+
+      it 'returns all add_ons in the account' do
+        result = described_class.execute(user: user, account: account)
+
+        expect(result).to be_success
+        expect(result.add_ons).to match_array([add_on1, add_on2])
+      end
+    end
+
+    context 'when account has teams' do
+      let(:team) { create(:team, account: account) }
+      let(:other_team) { create(:team, account: account) }
+      let!(:add_on1) { create(:add_on, cluster: cluster) }
+      let!(:add_on2) { create(:add_on, cluster: cluster) }
+      let!(:add_on3) { create(:add_on, cluster: cluster) }
+
+      context 'when user is not in any teams' do
+        before do
+          team # Force creation of team
+        end
+
+        it 'returns no add_ons' do
+          result = described_class.execute(user: user, account: account.reload)
+
+          expect(result).to be_success
+          expect(result.add_ons).to be_empty
+        end
+      end
+
+      context 'when user has direct add_on access via team' do
+        before do
+          team.users << user
+          create(:team_resource, team: team, resourceable: add_on1)
+        end
+
+        it 'returns only add_ons granted to user teams' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.add_ons).to eq([add_on1])
+        end
+      end
+
+      context 'when user has cluster access via team' do
+        let(:cluster2) { create(:cluster, account: account) }
+        let!(:add_on4) { create(:add_on, cluster: cluster2) }
+        let!(:add_on5) { create(:add_on, cluster: cluster2) }
+
+        before do
+          team.users << user
+          create(:team_resource, team: team, resourceable: cluster2)
+        end
+
+        it 'returns all add_ons in the granted cluster' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.add_ons).to match_array([add_on4, add_on5])
+        end
+      end
+
+      context 'when user has both direct add_on and cluster access' do
+        let(:cluster2) { create(:cluster, account: account) }
+        let!(:add_on4) { create(:add_on, cluster: cluster2) }
+
+        before do
+          team.users << user
+          create(:team_resource, team: team, resourceable: add_on1)
+          create(:team_resource, team: team, resourceable: cluster2)
+        end
+
+        it 'returns all accessible add_ons without duplicates' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.add_ons).to match_array([add_on1, add_on4])
+        end
+      end
+
+      context 'when user is in multiple teams with different access' do
+        before do
+          team.users << user
+          other_team.users << user
+          create(:team_resource, team: team, resourceable: add_on1)
+          create(:team_resource, team: other_team, resourceable: add_on2)
+        end
+
+        it 'returns add_ons from all teams user belongs to' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.add_ons).to match_array([add_on1, add_on2])
+        end
+      end
+    end
+  end
+end
diff --git a/spec/actions/clusters/visible_to_user_spec.rb b/spec/actions/clusters/visible_to_user_spec.rb
new file mode 100644
index 00000000..98f00d4c
--- /dev/null
+++ b/spec/actions/clusters/visible_to_user_spec.rb
@@ -0,0 +1,91 @@
+require 'rails_helper'
+
+RSpec.describe Clusters::VisibleToUser do
+  let!(:account) { create(:account) }
+  let!(:user) { create(:user) }
+
+  before do
+    account.users << user
+  end
+
+  describe '.execute' do
+    context 'when account has no teams' do
+      let!(:cluster1) { create(:cluster, account: account) }
+      let!(:cluster2) { create(:cluster, account: account) }
+
+      it 'returns all clusters in the account' do
+        result = described_class.execute(user: user, account: account)
+
+        expect(result).to be_success
+        expect(result.clusters).to match_array([cluster1, cluster2])
+      end
+    end
+
+    context 'when account has teams' do
+      let(:team) { create(:team, account: account) }
+      let(:other_team) { create(:team, account: account) }
+      let!(:cluster1) { create(:cluster, account: account) }
+      let!(:cluster2) { create(:cluster, account: account) }
+      let!(:cluster3) { create(:cluster, account: account) }
+
+      context 'when user is not in any teams' do
+        before do
+          team # Force creation of team
+        end
+
+        it 'returns no clusters' do
+          result = described_class.execute(user: user, account: account.reload)
+
+          expect(result).to be_success
+          expect(result.clusters).to be_empty
+        end
+      end
+
+      context 'when user has cluster access via team' do
+        before do
+          team.users << user
+          create(:team_resource, team: team, resourceable: cluster1)
+        end
+
+        it 'returns only clusters granted to user teams' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.clusters).to eq([cluster1])
+        end
+      end
+
+      context 'when user is in multiple teams with different cluster access' do
+        before do
+          team.users << user
+          other_team.users << user
+          create(:team_resource, team: team, resourceable: cluster1)
+          create(:team_resource, team: other_team, resourceable: cluster2)
+        end
+
+        it 'returns clusters from all teams user belongs to' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.clusters).to match_array([cluster1, cluster2])
+        end
+      end
+
+      context 'when user has duplicate cluster access across teams' do
+        before do
+          team.users << user
+          other_team.users << user
+          create(:team_resource, team: team, resourceable: cluster1)
+          create(:team_resource, team: other_team, resourceable: cluster1)
+        end
+
+        it 'returns unique clusters without duplicates' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.clusters).to eq([cluster1])
+        end
+      end
+    end
+  end
+end
diff --git a/spec/actions/projects/visible_to_user_spec.rb b/spec/actions/projects/visible_to_user_spec.rb
new file mode 100644
index 00000000..9cf128ee
--- /dev/null
+++ b/spec/actions/projects/visible_to_user_spec.rb
@@ -0,0 +1,105 @@
+require 'rails_helper'
+
+RSpec.describe Projects::VisibleToUser do
+  let(:account) { create(:account) }
+  let(:user) { create(:user) }
+  let!(:account_user) { create(:account_user, account:, user:) }
+
+  describe '.execute' do
+    context 'when account has no teams' do
+      it 'returns all projects in the account' do
+        cluster = create(:cluster, account:)
+        project1 = create(:project, cluster:)
+        project2 = create(:project, cluster:)
+
+        result = described_class.execute(user: user, account: account)
+
+        expect(result).to be_success
+        expect(result.projects).to match_array([project1, project2])
+      end
+    end
+
+    context 'when account has teams' do
+      let(:team) { create(:team, account: account) }
+      let(:other_team) { create(:team, account: account) }
+      let!(:project1) { create(:project, cluster: cluster) }
+      let!(:project2) { create(:project, cluster: cluster) }
+      let!(:project3) { create(:project, cluster: cluster) }
+
+      context 'when user is not in any teams' do
+        it 'returns no projects' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.projects).to be_empty
+        end
+      end
+
+      context 'when user has direct project access via team' do
+        before do
+          team.users << user
+          create(:team_resource, team: team, resourceable: project1)
+        end
+
+        it 'returns only projects granted to user teams' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.projects).to eq([project1])
+        end
+      end
+
+      context 'when user has cluster access via team' do
+        let(:cluster2) { create(:cluster, account: account) }
+        let!(:project4) { create(:project, cluster: cluster2) }
+        let!(:project5) { create(:project, cluster: cluster2) }
+
+        before do
+          team.users << user
+          create(:team_resource, team: team, resourceable: cluster2)
+        end
+
+        it 'returns all projects in the granted cluster' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.projects).to match_array([project4, project5])
+        end
+      end
+
+      context 'when user has both direct project and cluster access' do
+        let(:cluster2) { create(:cluster, account: account) }
+        let!(:project4) { create(:project, cluster: cluster2) }
+
+        before do
+          team.users << user
+          create(:team_resource, team: team, resourceable: project1)
+          create(:team_resource, team: team, resourceable: cluster2)
+        end
+
+        it 'returns all accessible projects without duplicates' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.projects).to match_array([project1, project4])
+        end
+      end
+
+      context 'when user is in multiple teams with different access' do
+        before do
+          team.users << user
+          other_team.users << user
+          create(:team_resource, team: team, resourceable: project1)
+          create(:team_resource, team: other_team, resourceable: project2)
+        end
+
+        it 'returns projects from all teams user belongs to' do
+          result = described_class.execute(user: user, account: account)
+
+          expect(result).to be_success
+          expect(result.projects).to match_array([project1, project2])
+        end
+      end
+    end
+  end
+end
diff --git a/spec/factories/team_memberships.rb b/spec/factories/team_memberships.rb
new file mode 100644
index 00000000..fb1479b2
--- /dev/null
+++ b/spec/factories/team_memberships.rb
@@ -0,0 +1,27 @@
+# == Schema Information
+#
+# Table name: team_memberships
+#
+#  id         :bigint           not null, primary key
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#  team_id    :bigint           not null
+#  user_id    :bigint           not null
+#
+# Indexes
+#
+#  index_team_memberships_on_team_id              (team_id)
+#  index_team_memberships_on_user_id              (user_id)
+#  index_team_memberships_on_user_id_and_team_id  (user_id,team_id) UNIQUE
+#
+# Foreign Keys
+#
+#  fk_rails_...  (team_id => teams.id)
+#  fk_rails_...  (user_id => users.id)
+#
+FactoryBot.define do
+  factory :team_membership do
+    user { nil }
+    team { nil }
+  end
+end
diff --git a/spec/factories/team_resources.rb b/spec/factories/team_resources.rb
new file mode 100644
index 00000000..c9d742d0
--- /dev/null
+++ b/spec/factories/team_resources.rb
@@ -0,0 +1,27 @@
+# == Schema Information
+#
+# Table name: team_resources
+#
+#  id                :bigint           not null, primary key
+#  resourceable_type :string           not null
+#  created_at        :datetime         not null
+#  updated_at        :datetime         not null
+#  resourceable_id   :bigint           not null
+#  team_id           :bigint           not null
+#
+# Indexes
+#
+#  index_team_resources_on_resourceable           (resourceable_type,resourceable_id)
+#  index_team_resources_on_team_and_resourceable  (team_id,resourceable_type,resourceable_id) UNIQUE
+#  index_team_resources_on_team_id                (team_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (team_id => teams.id)
+#
+FactoryBot.define do
+  factory :team_resource do
+    team { nil }
+    resourceable { nil }
+  end
+end
diff --git a/spec/factories/teams.rb b/spec/factories/teams.rb
new file mode 100644
index 00000000..ebdabd80
--- /dev/null
+++ b/spec/factories/teams.rb
@@ -0,0 +1,27 @@
+# == Schema Information
+#
+# Table name: teams
+#
+#  id         :bigint           not null, primary key
+#  name       :string           not null
+#  slug       :string           not null
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#  account_id :bigint           not null
+#
+# Indexes
+#
+#  index_teams_on_account_id           (account_id)
+#  index_teams_on_account_id_and_name  (account_id,name) UNIQUE
+#  index_teams_on_slug                 (slug) UNIQUE
+#
+# Foreign Keys
+#
+#  fk_rails_...  (account_id => accounts.id)
+#
+FactoryBot.define do
+  factory :team do
+    sequence(:name) { |n| "Team #{n}" }
+    account
+  end
+end
diff --git a/spec/models/service_spec.rb b/spec/models/service_spec.rb
index 251f1778..6c39f1e7 100644
--- a/spec/models/service_spec.rb
+++ b/spec/models/service_spec.rb
@@ -18,6 +18,14 @@
 #  updated_at              :datetime         not null
 #  project_id              :bigint           not null
 #
+# Indexes
+#
+#  index_services_on_project_id  (project_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (project_id => projects.id)
+#
 require 'rails_helper'
 
 RSpec.describe Service, type: :model do
diff --git a/spec/models/team_membership_spec.rb b/spec/models/team_membership_spec.rb
new file mode 100644
index 00000000..8db9862d
--- /dev/null
+++ b/spec/models/team_membership_spec.rb
@@ -0,0 +1,26 @@
+# == Schema Information
+#
+# Table name: team_memberships
+#
+#  id         :bigint           not null, primary key
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#  team_id    :bigint           not null
+#  user_id    :bigint           not null
+#
+# Indexes
+#
+#  index_team_memberships_on_team_id              (team_id)
+#  index_team_memberships_on_user_id              (user_id)
+#  index_team_memberships_on_user_id_and_team_id  (user_id,team_id) UNIQUE
+#
+# Foreign Keys
+#
+#  fk_rails_...  (team_id => teams.id)
+#  fk_rails_...  (user_id => users.id)
+#
+require 'rails_helper'
+
+RSpec.describe TeamMembership, type: :model do
+  pending "add some examples to (or delete) #{__FILE__}"
+end
diff --git a/spec/models/team_resource_spec.rb b/spec/models/team_resource_spec.rb
new file mode 100644
index 00000000..0af69cfd
--- /dev/null
+++ b/spec/models/team_resource_spec.rb
@@ -0,0 +1,26 @@
+# == Schema Information
+#
+# Table name: team_resources
+#
+#  id                :bigint           not null, primary key
+#  resourceable_type :string           not null
+#  created_at        :datetime         not null
+#  updated_at        :datetime         not null
+#  resourceable_id   :bigint           not null
+#  team_id           :bigint           not null
+#
+# Indexes
+#
+#  index_team_resources_on_resourceable           (resourceable_type,resourceable_id)
+#  index_team_resources_on_team_and_resourceable  (team_id,resourceable_type,resourceable_id) UNIQUE
+#  index_team_resources_on_team_id                (team_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (team_id => teams.id)
+#
+require 'rails_helper'
+
+RSpec.describe TeamResource, type: :model do
+  pending "add some examples to (or delete) #{__FILE__}"
+end
diff --git a/spec/models/team_spec.rb b/spec/models/team_spec.rb
new file mode 100644
index 00000000..2b2ea8fc
--- /dev/null
+++ b/spec/models/team_spec.rb
@@ -0,0 +1,26 @@
+# == Schema Information
+#
+# Table name: teams
+#
+#  id         :bigint           not null, primary key
+#  name       :string           not null
+#  slug       :string           not null
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#  account_id :bigint           not null
+#
+# Indexes
+#
+#  index_teams_on_account_id           (account_id)
+#  index_teams_on_account_id_and_name  (account_id,name) UNIQUE
+#  index_teams_on_slug                 (slug) UNIQUE
+#
+# Foreign Keys
+#
+#  fk_rails_...  (account_id => accounts.id)
+#
+require 'rails_helper'
+
+RSpec.describe Team, type: :model do
+  pending "add some examples to (or delete) #{__FILE__}"
+end

From 5c036e62971168b586e358e042ea770621ee43e3 Mon Sep 17 00:00:00 2001
From: Celina Lopez <marisa.celina.lopez4@gmail.com>
Date: Mon, 24 Nov 2025 15:34:51 -0800
Subject: [PATCH 06/75] fix some specs

---
 spec/actions/add_ons/visible_to_user_spec.rb  | 10 +++++-----
 spec/actions/projects/visible_to_user_spec.rb | 19 ++++++++-----------
 2 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/spec/actions/add_ons/visible_to_user_spec.rb b/spec/actions/add_ons/visible_to_user_spec.rb
index 0e7686ea..0154c73d 100644
--- a/spec/actions/add_ons/visible_to_user_spec.rb
+++ b/spec/actions/add_ons/visible_to_user_spec.rb
@@ -18,7 +18,7 @@ RSpec.describe AddOns::VisibleToUser do
         result = described_class.execute(user: user, account: account)
 
         expect(result).to be_success
-        expect(result.add_ons).to match_array([add_on1, add_on2])
+        expect(result.add_ons).to match_array([ add_on1, add_on2 ])
       end
     end
 
@@ -52,7 +52,7 @@ RSpec.describe AddOns::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.add_ons).to eq([add_on1])
+          expect(result.add_ons).to eq([ add_on1 ])
         end
       end
 
@@ -70,7 +70,7 @@ RSpec.describe AddOns::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.add_ons).to match_array([add_on4, add_on5])
+          expect(result.add_ons).to match_array([ add_on4, add_on5 ])
         end
       end
 
@@ -88,7 +88,7 @@ RSpec.describe AddOns::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.add_ons).to match_array([add_on1, add_on4])
+          expect(result.add_ons).to match_array([ add_on1, add_on4 ])
         end
       end
 
@@ -104,7 +104,7 @@ RSpec.describe AddOns::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.add_ons).to match_array([add_on1, add_on2])
+          expect(result.add_ons).to match_array([ add_on1, add_on2 ])
         end
       end
     end
diff --git a/spec/actions/projects/visible_to_user_spec.rb b/spec/actions/projects/visible_to_user_spec.rb
index 9cf128ee..db607fa6 100644
--- a/spec/actions/projects/visible_to_user_spec.rb
+++ b/spec/actions/projects/visible_to_user_spec.rb
@@ -4,26 +4,23 @@ RSpec.describe Projects::VisibleToUser do
   let(:account) { create(:account) }
   let(:user) { create(:user) }
   let!(:account_user) { create(:account_user, account:, user:) }
+  let!(:cluster) { create(:cluster, account:) }
+  let!(:project1) { create(:project, cluster:, account:) }
+  let!(:project2) { create(:project, cluster:, account:) }
 
   describe '.execute' do
     context 'when account has no teams' do
       it 'returns all projects in the account' do
-        cluster = create(:cluster, account:)
-        project1 = create(:project, cluster:)
-        project2 = create(:project, cluster:)
-
         result = described_class.execute(user: user, account: account)
 
         expect(result).to be_success
-        expect(result.projects).to match_array([project1, project2])
+        expect(result.projects).to match_array([ project1, project2 ])
       end
     end
 
     context 'when account has teams' do
       let(:team) { create(:team, account: account) }
       let(:other_team) { create(:team, account: account) }
-      let!(:project1) { create(:project, cluster: cluster) }
-      let!(:project2) { create(:project, cluster: cluster) }
       let!(:project3) { create(:project, cluster: cluster) }
 
       context 'when user is not in any teams' do
@@ -45,7 +42,7 @@ RSpec.describe Projects::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.projects).to eq([project1])
+          expect(result.projects).to eq([ project1 ])
         end
       end
 
@@ -63,7 +60,7 @@ RSpec.describe Projects::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.projects).to match_array([project4, project5])
+          expect(result.projects).to match_array([ project4, project5 ])
         end
       end
 
@@ -81,7 +78,7 @@ RSpec.describe Projects::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.projects).to match_array([project1, project4])
+          expect(result.projects).to match_array([ project1, project4 ])
         end
       end
 
@@ -97,7 +94,7 @@ RSpec.describe Projects::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.projects).to match_array([project1, project2])
+          expect(result.projects).to match_array([ project1, project2 ])
         end
       end
     end

From c15d8014466d85a0ce7434e536e3bbe64ffb0e23 Mon Sep 17 00:00:00 2001
From: Celina Lopez <marisa.celina.lopez4@gmail.com>
Date: Mon, 24 Nov 2025 16:04:46 -0800
Subject: [PATCH 07/75] rubocop

---
 spec/actions/clusters/visible_to_user_spec.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/spec/actions/clusters/visible_to_user_spec.rb b/spec/actions/clusters/visible_to_user_spec.rb
index 98f00d4c..2c22d202 100644
--- a/spec/actions/clusters/visible_to_user_spec.rb
+++ b/spec/actions/clusters/visible_to_user_spec.rb
@@ -17,7 +17,7 @@ RSpec.describe Clusters::VisibleToUser do
         result = described_class.execute(user: user, account: account)
 
         expect(result).to be_success
-        expect(result.clusters).to match_array([cluster1, cluster2])
+        expect(result.clusters).to match_array([ cluster1, cluster2 ])
       end
     end
 
@@ -51,7 +51,7 @@ RSpec.describe Clusters::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.clusters).to eq([cluster1])
+          expect(result.clusters).to eq([ cluster1 ])
         end
       end
 
@@ -67,7 +67,7 @@ RSpec.describe Clusters::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.clusters).to match_array([cluster1, cluster2])
+          expect(result.clusters).to match_array([ cluster1, cluster2 ])
         end
       end
 
@@ -83,7 +83,7 @@ RSpec.describe Clusters::VisibleToUser do
           result = described_class.execute(user: user, account: account)
 
           expect(result).to be_success
-          expect(result.clusters).to eq([cluster1])
+          expect(result.clusters).to eq([ cluster1 ])
         end
       end
     end

From cc1415bb05365d4dffe74026319251f5810ffad3 Mon Sep 17 00:00:00 2001
From: Celina Lopez <marisa.celina.lopez4@gmail.com>
Date: Mon, 24 Nov 2025 16:34:52 -0800
Subject: [PATCH 08/75] add logic to clusters and projects controllers

---
 app/controllers/add_ons_controller.rb  | 6 ++++--
 app/controllers/clusters_controller.rb | 6 ++++--
 app/controllers/projects_controller.rb | 6 ++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/app/controllers/add_ons_controller.rb b/app/controllers/add_ons_controller.rb
index ab7911ee..c2dd9905 100644
--- a/app/controllers/add_ons_controller.rb
+++ b/app/controllers/add_ons_controller.rb
@@ -4,7 +4,8 @@ class AddOnsController < ApplicationController
 
   # GET /add_ons
   def index
-    @pagy, @add_ons = pagy(current_account.add_ons)
+    add_ons = AddOns::VisibleToUser.execute(user: current_user, account: current_account).add_ons
+    @pagy, @add_ons = pagy(add_ons)
 
     # Uncomment to authorize with Pundit
     # authorize @add_ons
@@ -118,7 +119,8 @@ class AddOnsController < ApplicationController
 
   # Use callbacks to share common setup or constraints between actions.
   def set_add_on
-    @add_on = current_account.add_ons.find(params[:id])
+    add_ons = AddOns::VisibleToUser.execute(user: current_user, account: current_account).add_ons
+    @add_on = add_ons.find(params[:id])
     @service = K8::Helm::Service.create_from_add_on(K8::Connection.new(@add_on, current_user))
   rescue ActiveRecord::RecordNotFound
     redirect_to add_ons_path
diff --git a/app/controllers/clusters_controller.rb b/app/controllers/clusters_controller.rb
index 93333935..f3f9a984 100644
--- a/app/controllers/clusters_controller.rb
+++ b/app/controllers/clusters_controller.rb
@@ -8,7 +8,8 @@ class ClustersController < ApplicationController
   # GET /clusters
   def index
     sortable_column = params[:sort] || "created_at"
-    @pagy, @clusters = pagy(current_account.clusters.order(sortable_column => "asc"))
+    clusters = Clusters::VisibleToUser.execute(user: current_user, account: current_account).clusters
+    @pagy, @clusters = pagy(clusters.order(sortable_column => "asc"))
 
     # Uncomment to authorize with Pundit
     # authorize @clusters
@@ -171,7 +172,8 @@ class ClustersController < ApplicationController
 
   # Use callbacks to share common setup or constraints between actions.
   def set_cluster
-    @cluster = current_account.clusters.find(params[:id])
+    clusters = Clusters::VisibleToUser.execute(user: current_user, account: current_account).clusters
+    @cluster = clusters.find(params[:id])
 
     # Uncomment to authorize with Pundit
     # authorize @cluster
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 1ec2972a..7bd0bc42 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -6,7 +6,8 @@ class ProjectsController < ApplicationController
   # GET /projects
   def index
     sortable_column = params[:sort] || "created_at"
-    @pagy, @projects = pagy(current_account.projects.order(sortable_column => "asc"))
+    projects = Projects::VisibleToUser.execute(user: current_user, account: current_account).projects
+    @pagy, @projects = pagy(projects.order(sortable_column => "asc"))
 
     # Uncomment to authorize with Pundit
     # authorize @projects
@@ -86,7 +87,8 @@ class ProjectsController < ApplicationController
 
   # Use callbacks to share common setup or constraints between actions.
   def set_project
-    @project = current_account.projects.find(params[:id])
+    projects = Projects::VisibleToUser.execute(user: current_user, account: current_account).projects
+    @project = projects.find(params[:id])
 
     # Uncomment to authorize with Pundit
     # authorize @project

From 1fbbf4af84eee6c7b8b5b54c8b93e61abfc66575 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Tue, 25 Nov 2025 17:44:19 -0800
Subject: [PATCH 09/75] updates

---
 app/controllers/users/sessions_controller.rb  |  2 +-
 app/models/account.rb                         |  4 ++
 db/schema.rb                                  | 38 +++++++++++++++-
 lib/devise/strategies/ldap_authenticatable.rb | 43 +++++++++++++------
 4 files changed, 72 insertions(+), 15 deletions(-)

diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index 9e53ad09..604242f4 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -19,7 +19,7 @@ class Users::SessionsController < Devise::SessionsController
     super do
       # If the account has a stack manager that provides authentication,
       # redirect to the custom account login URL after logout
-      redirect_url = if account&.stack_manager&.stack&.provides_authentication?
+      redirect_url = if account.custom_login?
         account_sign_in_path(account.slug)
       else
         root_path
diff --git a/app/models/account.rb b/app/models/account.rb
index f41460f0..a636d730 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -52,4 +52,8 @@ class Account < ApplicationRecord
   def sso_enabled?
     sso_provider&.enabled?
   end
+
+  def custom_login?
+    return stack_manager&.stack&.provides_authentication? || sso_enabled?
+  end
 end
diff --git a/db/schema.rb b/db/schema.rb
index a75d0e98..89b59789 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_11_21_043926) do
+ActiveRecord::Schema[7.2].define(version: 2025_11_22_230641) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -528,6 +528,38 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_21_043926) do
     t.index ["account_id"], name: "index_stack_managers_on_account_id", unique: true
   end
 
+  create_table "team_memberships", force: :cascade do |t|
+    t.bigint "user_id", null: false
+    t.bigint "team_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["team_id"], name: "index_team_memberships_on_team_id"
+    t.index ["user_id", "team_id"], name: "index_team_memberships_on_user_id_and_team_id", unique: true
+    t.index ["user_id"], name: "index_team_memberships_on_user_id"
+  end
+
+  create_table "team_resources", force: :cascade do |t|
+    t.bigint "team_id", null: false
+    t.string "resourceable_type", null: false
+    t.bigint "resourceable_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["resourceable_type", "resourceable_id"], name: "index_team_resources_on_resourceable"
+    t.index ["team_id", "resourceable_type", "resourceable_id"], name: "index_team_resources_on_team_and_resourceable", unique: true
+    t.index ["team_id"], name: "index_team_resources_on_team_id"
+  end
+
+  create_table "teams", force: :cascade do |t|
+    t.string "name", null: false
+    t.string "slug", null: false
+    t.bigint "account_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["account_id", "name"], name: "index_teams_on_account_id_and_name", unique: true
+    t.index ["account_id"], name: "index_teams_on_account_id"
+    t.index ["slug"], name: "index_teams_on_slug", unique: true
+  end
+
   create_table "users", force: :cascade do |t|
     t.string "email", default: "", null: false
     t.string "encrypted_password", default: "", null: false
@@ -586,5 +618,9 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_21_043926) do
   add_foreign_key "services", "projects"
   add_foreign_key "sso_providers", "accounts"
   add_foreign_key "stack_managers", "accounts"
+  add_foreign_key "team_memberships", "teams"
+  add_foreign_key "team_memberships", "users"
+  add_foreign_key "team_resources", "teams"
+  add_foreign_key "teams", "accounts"
   add_foreign_key "volumes", "projects"
 end
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index e140029f..35621fff 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -4,6 +4,7 @@ module Devise
   module Strategies
     class LDAPAuthenticatable < Authenticatable
       def valid?
+        puts "Validating ldap authenticatable"
         true
       end
 
@@ -26,12 +27,15 @@ module Devise
           if ldap.bind
             # LDAP authentication successful, find or create user
             email = construct_email(username, ldap_configuration)
-            user = User.find_or_create_by(email: email) do |user|
-              password = SecureRandom.hex(32)
-              user.password = password
-              user.password_confirmation = password
-
-              AccountUser.create!(account: ldap_configuration.account, user:)
+            # Determine the groups
+            groups = get_group_information(username)
+            ActiveRecord::Base.transaction do
+              user = User.find_or_create_by!(email: email) do |user|
+                password = SecureRandom.hex(32)
+                user.password = password
+                user.password_confirmation = password
+              end
+              AccountUser.find_or_create_by!(account: ldap_configuration.account, user:)
             end
             success!(user)
           else
@@ -54,14 +58,16 @@ module Devise
       def find_ldap_configuration
         # Find the LDAP configuration for the account
         # This could be based on email domain or a selection during login
-        account_id = session[:ldap_account_id] || params[:account_id]
-
-        if account_id
-          sso_provider = SSOProvider.find_by(account_id: account_id, enabled: true)
-          return sso_provider.configuration if sso_provider&.ldap?
-        else
-          raise "No account ID provided"
+        account = Account.friendly.find(params[:slug])
+        unless account.sso_enabled?
+          raise "SSO is not enabled for this account"
         end
+
+        sso_provider = account.sso_provider
+        unless sso_provider.ldap?
+          raise "Account does not support LDAP authentication"
+        end
+        return sso_provider.configuration 
       end
 
       def build_user_dn(ldap_config, username)
@@ -78,6 +84,17 @@ module Devise
         "#{username}@#{domain}"
       end
 
+      def get_group_information(user)
+        return [
+          {
+            name: "developers",
+          },
+          {
+            name: "administrators",
+          },
+        ]
+      end
+
       def find_or_create_account_for_ldap(ldap_config)
         sso_provider = ldap_config.sso_provider
         sso_provider&.account

From 65200e1c32e52f5ecc76490f60418c38371c0d28 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Tue, 25 Nov 2025 21:16:06 -0800
Subject: [PATCH 10/75] refactor namespace to be tracked explicitly

---
 app/actions/project_forks/fork_project.rb     |  2 +
 app/actions/projects/create.rb                |  5 +-
 app/actions/projects/set_up_namespace.rb      | 15 +++
 app/actions/projects/validate_namespace.rb    | 58 ++++++++++++
 .../validate_namespace_availability.rb        | 31 -------
 app/controllers/clusters_controller.rb        |  4 +-
 .../projects/processes_controller.rb          |  6 +-
 .../projects/services/jobs_controller.rb      |  4 +-
 .../expandable_optional_input_controller.js   | 17 ++++
 app/jobs/projects/deployment_job.rb           | 10 +-
 app/jobs/projects/destroy_job.rb              |  8 +-
 app/jobs/scheduled/check_health_job.rb        |  2 +-
 app/models/add_on.rb                          | 23 +++--
 app/models/cluster.rb                         |  2 +-
 app/models/concerns/namespaced.rb             |  7 ++
 app/models/project.rb                         |  5 +
 app/services/k8/stateless/cron_job.rb         |  2 +-
 app/services/k8/stateless/deployment.rb       |  2 +-
 app/services/k8/stateless/ingress.rb          |  4 +-
 app/services/k8/stateless/service.rb          |  2 +-
 .../projects/processes/index_view_model.rb    |  2 +-
 app/views/add_ons/new.html.erb                | 40 ++++----
 ...ng_container_registry_credentials.html.erb |  4 +-
 .../create/_missing_git_credentials.html.erb  |  2 +-
 .../_new_form_container_registry.html.erb     |  2 +
 .../projects/create/_new_form_git.html.erb    | 12 +++
 app/views/providers/_index.html.erb           |  2 +-
 .../partials/_namespace_input_group.html.erb  | 30 ++++++
 .../shared/partials/_namespace_show.html.erb  | 11 +++
 ...4503_add_existing_namespace_to_projects.rb | 20 ++++
 db/schema.rb                                  | 83 ++++++++++++++++-
 lib/portainer/stack.rb                        |  2 +-
 resources/k8/secrets/registry_secret.yaml     |  2 +-
 resources/k8/stateless/command.yaml           |  2 +-
 resources/k8/stateless/config_map.yaml        |  2 +-
 resources/k8/stateless/cron_job.yaml          |  2 +-
 resources/k8/stateless/deployment.yaml        |  2 +-
 resources/k8/stateless/ingress.yaml           |  2 +-
 resources/k8/stateless/pod.yaml               |  2 +-
 resources/k8/stateless/pv.yaml                |  2 +-
 resources/k8/stateless/pvc.yaml               |  2 +-
 resources/k8/stateless/secrets.yaml           |  2 +-
 resources/k8/stateless/service.yaml           |  2 +-
 spec/actions/projects/create_spec.rb          |  6 +-
 .../actions/projects/set_up_namespace_spec.rb | 26 ++++++
 .../validate_namespace_availability_spec.rb   | 53 -----------
 .../projects/validate_namespace_spec.rb       | 93 +++++++++++++++++++
 spec/factories/add_ons.rb                     | 22 +++--
 spec/factories/projects.rb                    |  4 +
 spec/models/project_spec.rb                   |  2 +
 spec/models/service_spec.rb                   |  8 ++
 spec/services/k8/stateless/cron_job_spec.rb   |  2 +-
 52 files changed, 490 insertions(+), 167 deletions(-)
 create mode 100644 app/actions/projects/set_up_namespace.rb
 create mode 100644 app/actions/projects/validate_namespace.rb
 delete mode 100644 app/actions/projects/validate_namespace_availability.rb
 create mode 100644 app/javascript/controllers/expandable_optional_input_controller.js
 create mode 100644 app/models/concerns/namespaced.rb
 create mode 100644 app/views/shared/partials/_namespace_input_group.html.erb
 create mode 100644 app/views/shared/partials/_namespace_show.html.erb
 create mode 100644 db/migrate/20251126014503_add_existing_namespace_to_projects.rb
 create mode 100644 spec/actions/projects/set_up_namespace_spec.rb
 delete mode 100644 spec/actions/projects/validate_namespace_availability_spec.rb
 create mode 100644 spec/actions/projects/validate_namespace_spec.rb

diff --git a/app/actions/project_forks/fork_project.rb b/app/actions/project_forks/fork_project.rb
index 1aba5db7..fe83ed08 100644
--- a/app/actions/project_forks/fork_project.rb
+++ b/app/actions/project_forks/fork_project.rb
@@ -10,6 +10,8 @@ class ProjectForks::ForkProject
     child_project = parent_project.dup
     child_project.branch = pull_request.branch
     child_project.name = "#{parent_project.name}-#{pull_request.number}"
+    child_project.namespace = child_project.name
+    child_project.managed_namespace = parent_project.managed_namespace
     child_project.cluster_id = parent_project.project_fork_cluster_id
     # Duplicate the project_credential_provider
     child_project_credential_provider = parent_project.project_credential_provider.dup
diff --git a/app/actions/projects/create.rb b/app/actions/projects/create.rb
index 602db875..468af95c 100644
--- a/app/actions/projects/create.rb
+++ b/app/actions/projects/create.rb
@@ -6,6 +6,8 @@ module Projects
     def self.create_params(params)
       params.require(:project).permit(
         :name,
+        :namespace,
+        :managed_namespace,
         :repository_url,
         :branch,
         :cluster_id,
@@ -68,7 +70,8 @@ module Projects
         steps << Projects::ValidateGitRepository
       end
 
-      steps << Projects::ValidateNamespaceAvailability
+      steps << Projects::SetUpNamespace
+      steps << Projects::ValidateNamespace
       steps << Projects::InitializeBuildPacks
       steps << Projects::Save
 
diff --git a/app/actions/projects/set_up_namespace.rb b/app/actions/projects/set_up_namespace.rb
new file mode 100644
index 00000000..fa390e49
--- /dev/null
+++ b/app/actions/projects/set_up_namespace.rb
@@ -0,0 +1,15 @@
+class Projects::SetUpNamespace
+  extend LightService::Action
+  expects :project
+
+  executed do |context|
+    project = context.project
+    if project.namespace.blank? && project.managed_namespace
+      # autoset the namespace to the project name
+      project.namespace = project.name
+    elsif project.namespace.blank? && !project.managed_namespace
+      project.errors.add(:base, "A namespace must be provided if it is not managed by Canine")
+      context.fail_and_return!("Failed to set up namespace")
+    end
+  end
+end
diff --git a/app/actions/projects/validate_namespace.rb b/app/actions/projects/validate_namespace.rb
new file mode 100644
index 00000000..c26a522e
--- /dev/null
+++ b/app/actions/projects/validate_namespace.rb
@@ -0,0 +1,58 @@
+module Projects
+  class ValidateNamespace
+    extend LightService::Action
+
+    expects :project, :user
+
+    def self.validate_namespace_does_not_exist_or_is_managed(
+      context,
+      project,
+      client,
+      existing_namespaces
+    )
+      namespace_exists = existing_namespaces.any? do |ns|
+        ns.metadata.name == project.namespace && ns.metadata&.labels&.caninemanaged != "true"
+      end
+      if namespace_exists
+        error_message = "Namespace `#{project.name}` already exists in the Kubernetes cluster. Please delete the existing namespace, or try a different name."
+        project.errors.add(:name, error_message)
+        context.fail_and_return!(error_message)
+      end
+    end
+
+    def self.validate_namespace_exists(
+      context,
+      project,
+      client,
+      existing_namespaces
+    )
+      existing_namespace = existing_namespaces.any? do |ns|
+        ns.metadata.name == project.namespace
+      end
+      unless existing_namespace
+        error_message = "`#{project.name}` does not exist in the cluster. If you want Canine to automaticaly create it, enable <b>auto create namespace</b>"
+        project.errors.add(:base, error_message)
+        context.fail_and_return!(error_message)
+      end
+    end
+
+    executed do |context|
+      project = context.project
+      cluster = project.cluster
+
+      begin
+        client = K8::Client.new(K8::Connection.new(cluster, context.user))
+        existing_namespaces = client.get_namespaces
+
+        if project.managed_namespace
+          validate_namespace_does_not_exist_or_is_managed(context, project, client, existing_namespaces)
+        else
+          validate_namespace_exists(context, project, client, existing_namespaces)
+        end
+      rescue StandardError => e
+        # If we can't connect to check, we'll let it proceed and fail later if needed
+        Rails.logger.warn("Could not check namespace availability: #{e.message}")
+      end
+    end
+  end
+end
diff --git a/app/actions/projects/validate_namespace_availability.rb b/app/actions/projects/validate_namespace_availability.rb
deleted file mode 100644
index 9884c200..00000000
--- a/app/actions/projects/validate_namespace_availability.rb
+++ /dev/null
@@ -1,31 +0,0 @@
-module Projects
-  class ValidateNamespaceAvailability
-    extend LightService::Action
-
-    expects :project, :user
-
-    executed do |context|
-      project = context.project
-      cluster = project.cluster
-
-      begin
-        client = K8::Client.new(K8::Connection.new(cluster, context.user))
-        existing_namespaces = client.get_namespaces
-
-        # Check if namespace already exists in Kubernetes
-        namespace_exists = existing_namespaces.any? do |ns|
-          ns.metadata.name == project.name && ns.metadata&.labels&.caninemanaged != "true"
-        end
-
-        if namespace_exists
-          error_message = "'#{project.name}' already exists in the Kubernetes cluster. Please delete the existing namespace, or try a different name."
-          project.errors.add(:name, error_message)
-          context.fail_and_return!(error_message)
-        end
-      rescue StandardError => e
-        # If we can't connect to check, we'll let it proceed and fail later if needed
-        Rails.logger.warn("Could not check namespace availability: #{e.message}")
-      end
-    end
-  end
-end
diff --git a/app/controllers/clusters_controller.rb b/app/controllers/clusters_controller.rb
index 93333935..b717153f 100644
--- a/app/controllers/clusters_controller.rb
+++ b/app/controllers/clusters_controller.rb
@@ -89,8 +89,8 @@ class ClustersController < ApplicationController
         %w[services deployments ingress cronjobs].each do |resource|
           yaml_content = K8::Kubectl.new(
             K8::Connection.new(@cluster, current_user)
-          ).call("get #{resource} -n #{project.name} -o yaml")
-          export(@cluster.name, project.name, yaml_content, zio)
+          ).call("get #{resource} -n #{project.namespace} -o yaml")
+          export(@cluster.name, project.namespace, yaml_content, zio)
         end
       end
     end
diff --git a/app/controllers/projects/processes_controller.rb b/app/controllers/projects/processes_controller.rb
index 9b245219..373d3c13 100644
--- a/app/controllers/projects/processes_controller.rb
+++ b/app/controllers/projects/processes_controller.rb
@@ -13,8 +13,8 @@ class Projects::ProcessesController < Projects::BaseController
 
   def show
     client = K8::Client.new(active_connection)
-    @logs = client.get_pod_log(params[:id], @project.name)
-    @pod_events = client.get_pod_events(params[:id], @project.name)
+    @logs = client.get_pod_log(params[:id], @project.namespace)
+    @pod_events = client.get_pod_events(params[:id], @project.namespace)
 
     respond_to do |format|
       format.html
@@ -30,7 +30,7 @@ class Projects::ProcessesController < Projects::BaseController
 
   def destroy
     client = K8::Client.new(active_connection)
-    client.delete_pod(params[:id], @project.name)
+    client.delete_pod(params[:id], @project.namespace)
     redirect_to project_processes_path(@project), notice: "Pod #{params[:id]} terminating..."
   end
 
diff --git a/app/controllers/projects/services/jobs_controller.rb b/app/controllers/projects/services/jobs_controller.rb
index d5e6277a..b5472f40 100644
--- a/app/controllers/projects/services/jobs_controller.rb
+++ b/app/controllers/projects/services/jobs_controller.rb
@@ -7,7 +7,7 @@ class Projects::Services::JobsController < Projects::Services::BaseController
     job_name = "#{@service.name}-manual-#{timestamp}"
     kubectl = K8::Kubectl.new(active_connection)
     kubectl.call(
-      "-n #{@project.name} create job #{job_name} --from=cronjob/#{@service.name}"
+      "-n #{@project.namespace} create job #{job_name} --from=cronjob/#{@service.name}"
     )
     render partial: "projects/services/show", locals: { service: @service, tab: "cron-jobs" }, layout: false
   end
@@ -16,7 +16,7 @@ class Projects::Services::JobsController < Projects::Services::BaseController
     job_name = params[:id]
     kubectl = K8::Kubectl.new(active_connection)
     kubectl.call(
-      "-n #{@project.name} delete job #{job_name}"
+      "-n #{@project.namespace} delete job #{job_name}"
     )
 
     render partial: "projects/services/show", locals: { service: @service, tab: "cron-jobs" }, layout: false
diff --git a/app/javascript/controllers/expandable_optional_input_controller.js b/app/javascript/controllers/expandable_optional_input_controller.js
new file mode 100644
index 00000000..43ec28a0
--- /dev/null
+++ b/app/javascript/controllers/expandable_optional_input_controller.js
@@ -0,0 +1,17 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["container"]
+
+  connect() {
+    this.containerTarget.classList.add("hidden", "opacity-0", "transition-all")
+  }
+
+  show(e) {
+    e.preventDefault();
+
+    e.target.classList.add("hidden")
+    this.containerTarget.classList.remove("hidden", "opacity-0")
+    this.containerTarget.classList.add("opacity-100", "duration-500")
+  }
+}
\ No newline at end of file
diff --git a/app/jobs/projects/deployment_job.rb b/app/jobs/projects/deployment_job.rb
index cfa040ef..2c0d9357 100644
--- a/app/jobs/projects/deployment_job.rb
+++ b/app/jobs/projects/deployment_job.rb
@@ -108,11 +108,11 @@ class Projects::DeploymentJob < ApplicationJob
   end
 
   def kill_one_off_containers(project, kubectl)
-    kubectl.call("-n #{project.name} delete pods -l oneoff=true")
+    kubectl.call("-n #{project.namespace} delete pods -l oneoff=true")
   end
 
   def apply_namespace(project, kubectl)
-    @logger.info("Creating namespace: #{project.name}", color: :yellow)
+    @logger.info("Creating namespace: #{project.namespace}", color: :yellow)
     namespace_yaml = K8::Namespace.new(project).to_yaml
     kubectl.apply_yaml(namespace_yaml)
   end
@@ -124,7 +124,7 @@ class Projects::DeploymentJob < ApplicationJob
     kubectl = K8::Kubectl.new(connection)
 
     resources_to_sweep.each do |resource_type|
-      results = YAML.safe_load(kubectl.call("get #{resource_type.downcase} -o yaml -n #{project.name}"))
+      results = YAML.safe_load(kubectl.call("get #{resource_type.downcase} -o yaml -n #{project.namespace}"))
       results['items'].each do |resource|
         if @marked_resources.select do |r|
           r.is_a?(K8::Stateless.const_get(resource_type))
@@ -132,7 +132,7 @@ class Projects::DeploymentJob < ApplicationJob
           applied_resource.name == resource['metadata']['name']
         end && resource.dig('metadata', 'labels', 'caninemanaged') == 'true'
           @logger.info("Deleting #{resource_type}: #{resource['metadata']['name']}", color: :yellow)
-          kubectl.call("delete #{resource_type.downcase} #{resource['metadata']['name']} -n #{project.name}")
+          kubectl.call("delete #{resource_type.downcase} #{resource['metadata']['name']} -n #{project.namespace}")
         end
       end
     end
@@ -150,7 +150,7 @@ class Projects::DeploymentJob < ApplicationJob
 
   def restart_deployment(service, kubectl)
     @logger.info("Restarting deployment: #{service.name}", color: :yellow)
-    kubectl.call("-n #{service.project.name} rollout restart deployment/#{service.name}")
+    kubectl.call("-n #{service.project.namespace} rollout restart deployment/#{service.name}")
   end
 
   def upload_registry_secrets(kubectl, deployment)
diff --git a/app/jobs/projects/destroy_job.rb b/app/jobs/projects/destroy_job.rb
index 021ae7ae..20d61768 100644
--- a/app/jobs/projects/destroy_job.rb
+++ b/app/jobs/projects/destroy_job.rb
@@ -14,9 +14,11 @@ class Projects::DestroyJob < ApplicationJob
   end
 
   def delete_namespace(project, user)
-    client = K8::Client.new(K8::Connection.new(project.cluster, user))
-    if (namespace = client.get_namespaces.find { |n| n.metadata.name == project.name }).present?
-      client.delete_namespace(namespace.metadata.name)
+    if project.managed_namespace
+      client = K8::Client.new(K8::Connection.new(project.cluster, user))
+      if (namespace = client.get_namespaces.find { |n| n.metadata.name == project.namespace }).present?
+        client.delete_namespace(namespace.metadata.name)
+      end
     end
   end
 
diff --git a/app/jobs/scheduled/check_health_job.rb b/app/jobs/scheduled/check_health_job.rb
index ec6cd2b0..1603a653 100644
--- a/app/jobs/scheduled/check_health_job.rb
+++ b/app/jobs/scheduled/check_health_job.rb
@@ -3,7 +3,7 @@ class Scheduled::CheckHealthJob < ApplicationJob
 
   def perform
     Service.web_service.where('healthcheck_url IS NOT NULL').each do |service|
-      # url = File.join("http://#{service.name}-service.#{service.project.name}.svc.cluster.local", service.healthcheck_url)
+      # url = File.join("http://#{service.name}-service.#{service.project.namespace}.svc.cluster.local", service.healthcheck_url)
       # K8::Client.from_project(service.project).run_command("curl -s -o /dev/null -w '%{http_code}' #{url}")
       if service.domains.any?
         url = File.join("https://#{service.domains.first.domain_name}", service.healthcheck_url)
diff --git a/app/models/add_on.rb b/app/models/add_on.rb
index b45459ba..3dfb8f02 100644
--- a/app/models/add_on.rb
+++ b/app/models/add_on.rb
@@ -2,16 +2,18 @@
 #
 # Table name: add_ons
 #
-#  id         :bigint           not null, primary key
-#  chart_type :string           not null
-#  chart_url  :string
-#  metadata   :jsonb
-#  name       :string           not null
-#  status     :integer          default("installing"), not null
-#  values     :jsonb
-#  created_at :datetime         not null
-#  updated_at :datetime         not null
-#  cluster_id :bigint           not null
+#  id                :bigint           not null, primary key
+#  chart_type        :string           not null
+#  chart_url         :string
+#  managed_namespace :boolean          default(TRUE)
+#  metadata          :jsonb
+#  name              :string           not null
+#  namespace         :string           not null
+#  status            :integer          default("installing"), not null
+#  values            :jsonb
+#  created_at        :datetime         not null
+#  updated_at        :datetime         not null
+#  cluster_id        :bigint           not null
 #
 # Indexes
 #
@@ -24,6 +26,7 @@
 #
 class AddOn < ApplicationRecord
   include Loggable
+  include Namespaced
   belongs_to :cluster
   has_one :account, through: :cluster
 
diff --git a/app/models/cluster.rb b/app/models/cluster.rb
index 58571a27..e28a3b4c 100644
--- a/app/models/cluster.rb
+++ b/app/models/cluster.rb
@@ -58,7 +58,7 @@ class Cluster < ApplicationRecord
   ]
 
   def namespaces
-    RESERVED_NAMESPACES + projects.pluck(:name) + add_ons.pluck(:name)
+    RESERVED_NAMESPACES + projects.pluck(:namespace) + add_ons.pluck(:namespace)
   end
 
   def create_build_cloud!(attributes = {})
diff --git a/app/models/concerns/namespaced.rb b/app/models/concerns/namespaced.rb
new file mode 100644
index 00000000..501552d5
--- /dev/null
+++ b/app/models/concerns/namespaced.rb
@@ -0,0 +1,7 @@
+module Namespaced
+  def self.included(base)
+    base.class_eval do
+      validates_presence_of :namespace
+    end
+  end
+end
diff --git a/app/models/project.rb b/app/models/project.rb
index 6cb47e2f..63b19a57 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -9,7 +9,9 @@
 #  container_registry_url         :string
 #  docker_build_context_directory :string           default("."), not null
 #  dockerfile_path                :string           default("./Dockerfile"), not null
+#  managed_namespace              :boolean          default(TRUE)
 #  name                           :string           not null
+#  namespace                      :string           not null
 #  postdeploy_command             :text
 #  postdestroy_command            :text
 #  predeploy_command              :text
@@ -32,6 +34,7 @@
 #  fk_rails_...  (project_fork_cluster_id => clusters.id)
 #
 class Project < ApplicationRecord
+  include Namespaced
   broadcasts_refreshes
   belongs_to :cluster
   has_one :account, through: :cluster
@@ -54,6 +57,8 @@ class Project < ApplicationRecord
 
   validates :name, presence: true,
                    format: { with: /\A[a-z0-9-]+\z/, message: "must be lowercase, numbers, and hyphens only" }
+  validates :namespace, presence: true,
+                   format: { with: /\A[a-z0-9-]+\z/, message: "must be lowercase, numbers, and hyphens only" }
   validates :branch, presence: true
   validates :repository_url, presence: true,
                             format: {
diff --git a/app/services/k8/stateless/cron_job.rb b/app/services/k8/stateless/cron_job.rb
index 5d151101..c33718e7 100644
--- a/app/services/k8/stateless/cron_job.rb
+++ b/app/services/k8/stateless/cron_job.rb
@@ -18,7 +18,7 @@ class K8::Stateless::CronJob < K8::Base
   private
 
   def fetch_jobs_for_cronjob
-    result = kubectl.call("get jobs -n #{project.name} -o json")
+    result = kubectl.call("get jobs -n #{project.namespace} -o json")
     all_jobs = JSON.parse(result, object_class: OpenStruct).items
 
     # Filter jobs owned by this CronJob
diff --git a/app/services/k8/stateless/deployment.rb b/app/services/k8/stateless/deployment.rb
index a7a78a98..a5d4ed55 100644
--- a/app/services/k8/stateless/deployment.rb
+++ b/app/services/k8/stateless/deployment.rb
@@ -9,6 +9,6 @@ class K8::Stateless::Deployment < K8::Base
   end
 
   def restart
-    kubectl.call("rollout restart deployment/#{service.name} -n #{project.name}")
+    kubectl.call("rollout restart deployment/#{service.name} -n #{project.namespace}")
   end
 end
diff --git a/app/services/k8/stateless/ingress.rb b/app/services/k8/stateless/ingress.rb
index 1291f99b..677cabfc 100644
--- a/app/services/k8/stateless/ingress.rb
+++ b/app/services/k8/stateless/ingress.rb
@@ -15,7 +15,7 @@ class K8::Stateless::Ingress < K8::Base
     return nil unless @service.domains.any?
     return nil unless @service.allow_public_networking?
 
-    kubectl.call("get certificate #{certificate_name} -n #{@project.name} -o jsonpath='{.status.conditions[?(@.type==\"Ready\")].status}'") == "True"
+    kubectl.call("get certificate #{certificate_name} -n #{@project.namespace} -o jsonpath='{.status.conditions[?(@.type==\"Ready\")].status}'") == "True"
   end
 
   def certificate_name
@@ -25,7 +25,7 @@ class K8::Stateless::Ingress < K8::Base
   def get_ingress
     result = kubectl.call('get ingresses -o yaml')
     results = YAML.safe_load(result)
-    results['items'].find { |r| r['metadata']['name'] == "#{@service.project.name}-ingress" }
+    results['items'].find { |r| r['metadata']['name'] == "#{@service.project.namespace}-ingress" }
   end
 
   def self.ip_address(client)
diff --git a/app/services/k8/stateless/service.rb b/app/services/k8/stateless/service.rb
index 00a3ea6a..fe9baff5 100644
--- a/app/services/k8/stateless/service.rb
+++ b/app/services/k8/stateless/service.rb
@@ -7,7 +7,7 @@ class K8::Stateless::Service < K8::Base
   end
 
   def internal_url
-    "#{name}.#{project.name}.svc.cluster.local:80"
+    "#{name}.#{project.namespace}.svc.cluster.local:80"
   end
 
   def name
diff --git a/app/view_models/async/projects/processes/index_view_model.rb b/app/view_models/async/projects/processes/index_view_model.rb
index 448b1bf5..7944ed72 100644
--- a/app/view_models/async/projects/processes/index_view_model.rb
+++ b/app/view_models/async/projects/processes/index_view_model.rb
@@ -19,6 +19,6 @@ class Async::Projects::Processes::IndexViewModel < Async::BaseViewModel
   def get_pods_for_project(project)
     # Get all pods for a given namespace
     client = K8::Client.new(K8::Connection.new(project.cluster, current_user))
-    client.get_pods(namespace: project.name)
+    client.get_pods(namespace: project.namespace)
   end
 end
diff --git a/app/views/add_ons/new.html.erb b/app/views/add_ons/new.html.erb
index b9fc3ca5..0222b39f 100644
--- a/app/views/add_ons/new.html.erb
+++ b/app/views/add_ons/new.html.erb
@@ -12,25 +12,29 @@
   <div class="card card-bordered bg-base-100">
     <div class="card-body">
       <%= form_with(model: @add_on) do |form| %>
-        <%= render(FormFieldComponent.new(
-          label: "Name",
-          description: "A unique name for your add on, only lowercase letters, numbers, and hyphens are allowed."
-        )) do %>
-          <%= form.text_field :name, class: "input input-bordered w-full focus:outline-offset-0", autofocus: true, required: true %>
-          <label class="label">
-            <span class="label-text-alt">* Required</span>
-          </label>
-        <% end %>
+        <div class="space-y-8">
+          <%= render(FormFieldComponent.new(
+            label: "Name",
+            description: "A unique name for your add on, only lowercase letters, numbers, and hyphens are allowed."
+          )) do %>
+            <%= form.text_field :name, class: "input input-bordered w-full focus:outline-offset-0", autofocus: true, required: true %>
+            <label class="label">
+              <span class="label-text-alt">* Required</span>
+            </label>
+          <% end %>
 
-        <%= render(FormFieldComponent.new(
-          label: "Cluster",
-          description: "The cluster to deploy your add on to."
-        )) do %>
-          <%= form.collection_select :cluster_id, current_account.clusters, :id, :name, {}, { class: "select select-bordered w-full" } %>
-          <label class="label">
-            <span class="label-text-alt">* Required</span>
-          </label>
-        <% end %>
+          <%= render(FormFieldComponent.new(
+            label: "Cluster",
+            description: "The cluster to deploy your add on to."
+          )) do %>
+            <%= form.collection_select :cluster_id, current_account.clusters, :id, :name, {}, { class: "select select-bordered w-full" } %>
+            <label class="label">
+              <span class="label-text-alt">* Required</span>
+            </label>
+          <% end %>
+
+          <%= render "shared/partials/namespace_input_group", form: %>
+        </div>
 
         <div data-controller="card-select">
           <div class="form-group">
diff --git a/app/views/projects/create/_missing_container_registry_credentials.html.erb b/app/views/projects/create/_missing_container_registry_credentials.html.erb
index 85b6724a..6ae6c506 100644
--- a/app/views/projects/create/_missing_container_registry_credentials.html.erb
+++ b/app/views/projects/create/_missing_container_registry_credentials.html.erb
@@ -1,7 +1,7 @@
 <div class="flex flex-col">
   <div class="p-10">
-    <h1 class="text-2xl font-bold">Missing Credentials for Docker Hub</h1>
-    <p class="mt-2 text-gray-400">Please provide your Docker Hub credentials to continue.</p>
+    <h1 class="text-2xl font-bold">Missing credentials for container registry</h1>
+    <p class="mt-2 text-gray-400">Please provide your container registry credentials to continue.</p>
     <%= link_to "Add Credentials", providers_path, class: "mt-6 btn btn-primary", data: { turbo: false } %>
     <div class="mt-6">
       <%= link_to(
diff --git a/app/views/projects/create/_missing_git_credentials.html.erb b/app/views/projects/create/_missing_git_credentials.html.erb
index f87fd93a..d1ed7671 100644
--- a/app/views/projects/create/_missing_git_credentials.html.erb
+++ b/app/views/projects/create/_missing_git_credentials.html.erb
@@ -1,6 +1,6 @@
 <div class="flex flex-col">
   <div class="p-10">
-    <h1 class="text-2xl font-bold">Missing Credentials for Git</h1>
+    <h1 class="text-2xl font-bold">Missing credentials for Git repository</h1>
     <p class="mt-2 text-gray-400">Please provide your Github or Gitlab credentials to continue.</p>
     <div class="flex flex-row gap-4">
       <div role="tooltip" data-tip="This feature is coming soon!" class="tooltip">
diff --git a/app/views/projects/create/_new_form_container_registry.html.erb b/app/views/projects/create/_new_form_container_registry.html.erb
index bc15a365..db8248d4 100644
--- a/app/views/projects/create/_new_form_container_registry.html.erb
+++ b/app/views/projects/create/_new_form_container_registry.html.erb
@@ -55,6 +55,8 @@
       )) do %>
         <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0" %>
       <% end %>
+
+      <%= render "shared/partials/namespace_input_group", form: %>
     </div>
 
     <div class="form-footer">
diff --git a/app/views/projects/create/_new_form_git.html.erb b/app/views/projects/create/_new_form_git.html.erb
index abc671fb..7d6fb586 100644
--- a/app/views/projects/create/_new_form_git.html.erb
+++ b/app/views/projects/create/_new_form_git.html.erb
@@ -31,6 +31,16 @@
         </label>
       <% end %>
 
+      <%= render(FormFieldComponent.new(
+        label: "Namespace",
+        description: "The namespace your application is deployed to."
+      )) do %>
+        <%= form.text_field :namespace, current_account.clusters.running, :id, :name, {}, { class: "select select-bordered w-full" } %>
+        <label class="label">
+          <span class="label-text-alt">If this is left blank, a namespace will be created automatically.</span>
+        </label>
+      <% end %>
+
       <%= render(FormFieldComponent.new(
         label: "Git Credentials",
         description: "The credentials to use to connect to your Git repository"
@@ -105,6 +115,8 @@
           <%= render "projects/build_configurations/form", form: form, project: project %>
         <% end %>
       <% end %>
+
+      <%= render "shared/partials/namespace_input_group", form: %>
     </div>
 
     <div class="form-footer">
diff --git a/app/views/providers/_index.html.erb b/app/views/providers/_index.html.erb
index 94c98b6e..0fa3ad55 100644
--- a/app/views/providers/_index.html.erb
+++ b/app/views/providers/_index.html.erb
@@ -29,7 +29,7 @@
           </td>
           <td>
             <% if provider.access_token %>
-            <%= provider.access_token.first(6) %><%= "*" * [10, provider.access_token.length - 12].min %><%= provider.access_token.last(6) %>
+            <%= provider.access_token.first(4) %><%= "*" * [0, [10, provider.access_token.length - 6].min].max %><%= provider.access_token.last(2) %>
             <% else %>
               <span class="text-gray-500">
                 N/A
diff --git a/app/views/shared/partials/_namespace_input_group.html.erb b/app/views/shared/partials/_namespace_input_group.html.erb
new file mode 100644
index 00000000..2268998f
--- /dev/null
+++ b/app/views/shared/partials/_namespace_input_group.html.erb
@@ -0,0 +1,30 @@
+<div data-controller="expandable-optional-input">
+  <div>
+    <a data-action="expandable-optional-input#show" class="btn btn-ghost">
+      + Add namespace configuration
+    </a>
+  </div>
+  <div data-expandable-optional-input-target="container">
+    <%= render(FormFieldComponent.new(
+      label: "Namespace",
+      description: "The namespace your application is deployed to."
+    )) do %>
+      <%= form.text_field :namespace, class: "input input-bordered w-full focus:outline-offset-0", autofocus: true, required: true %>
+      <label class="label">
+        <span class="label-text-alt">If this is left blank, a namespace will be created automatically.</span>
+      </label>
+
+      <div class="mt-3 form-control rounded-lg bg-base-200 p-2 px-4">
+        <label class="label mt-1">
+          <div class="label-text cursor-pointer">
+            Automatically create namespace
+          </div>
+          <%= form.check_box :managed_namespace, class: "checkbox" %>
+        </label>
+      </div>
+      <label class="label">
+        <span class="label-text-alt">Canine will automatically create a namespace when the project is deployed.</span>
+      </label>
+    <% end %>
+  </div>
+</div>
\ No newline at end of file
diff --git a/app/views/shared/partials/_namespace_show.html.erb b/app/views/shared/partials/_namespace_show.html.erb
new file mode 100644
index 00000000..39224ba6
--- /dev/null
+++ b/app/views/shared/partials/_namespace_show.html.erb
@@ -0,0 +1,11 @@
+<div class="flex flex-row">
+  <div>
+    <label>Namespace</label>
+    <input value="<%= project.namespace %>" disabled />
+  </div>
+  <div>/</div>
+  <div>
+    <label>Name</label>
+    <input value="<%= project.name %>" disabled />
+  </div>
+</div>
\ No newline at end of file
diff --git a/db/migrate/20251126014503_add_existing_namespace_to_projects.rb b/db/migrate/20251126014503_add_existing_namespace_to_projects.rb
new file mode 100644
index 00000000..d31f7add
--- /dev/null
+++ b/db/migrate/20251126014503_add_existing_namespace_to_projects.rb
@@ -0,0 +1,20 @@
+class AddExistingNamespaceToProjects < ActiveRecord::Migration[7.2]
+  def change
+    add_column :projects, :namespace, :string
+    add_column :projects, :managed_namespace, :boolean, default: true
+
+    Project.all.each do |project|
+      project.namespace = project.name
+      project.save!
+    end
+    change_column_null :projects, :namespace, false
+
+    add_column :add_ons, :namespace, :string
+    add_column :add_ons, :managed_namespace, :boolean, default: true
+    AddOn.all.each do |add_on|
+      add_on.namespace = add_on.name
+      add_on.save!
+    end
+    change_column_null :add_ons, :namespace, false
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 71cdc21f..bde52ed4 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
+ActiveRecord::Schema[7.2].define(version: 2025_11_26_014503) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -71,6 +71,8 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.datetime "updated_at", null: false
     t.jsonb "values", default: {}
     t.string "chart_url"
+    t.string "namespace", null: false
+    t.boolean "managed_namespace", default: true
     t.index ["cluster_id", "name"], name: "index_add_ons_on_cluster_id_and_name", unique: true
     t.index ["cluster_id"], name: "index_add_ons_on_cluster_id"
   end
@@ -333,6 +335,21 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.datetime "updated_at", null: false
   end
 
+  create_table "ldap_configurations", force: :cascade do |t|
+    t.string "host", null: false
+    t.integer "port", default: 389, null: false
+    t.integer "encryption", null: false
+    t.string "base_dn", null: false
+    t.string "bind_dn"
+    t.string "bind_password"
+    t.string "uid_attribute", default: "uid", null: false
+    t.string "email_attribute", default: "mail"
+    t.string "name_attribute", default: "cn"
+    t.string "filter"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   create_table "log_outputs", force: :cascade do |t|
     t.bigint "loggable_id", null: false
     t.string "loggable_type", null: false
@@ -375,6 +392,19 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.index ["recipient_type", "recipient_id"], name: "index_noticed_notifications_on_recipient"
   end
 
+  create_table "oidc_configurations", force: :cascade do |t|
+    t.string "issuer", null: false
+    t.string "client_id", null: false
+    t.string "client_secret", null: false
+    t.string "authorization_endpoint"
+    t.string "token_endpoint"
+    t.string "userinfo_endpoint"
+    t.string "jwks_uri"
+    t.string "scopes", default: "openid email profile"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   create_table "project_add_ons", force: :cascade do |t|
     t.bigint "project_id", null: false
     t.bigint "add_on_id", null: false
@@ -427,6 +457,8 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.text "postdestroy_command"
     t.bigint "project_fork_cluster_id"
     t.integer "project_fork_status", default: 0
+    t.string "namespace", null: false
+    t.boolean "managed_namespace", default: true
     t.index ["cluster_id"], name: "index_projects_on_cluster_id"
   end
 
@@ -477,6 +509,18 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.index ["project_id"], name: "index_services_on_project_id"
   end
 
+  create_table "sso_providers", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "configuration_type", null: false
+    t.bigint "configuration_id", null: false
+    t.string "name", null: false
+    t.boolean "enabled", default: true, null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["account_id"], name: "index_sso_providers_on_account_id", unique: true
+    t.index ["configuration_type", "configuration_id"], name: "index_sso_providers_on_configuration"
+  end
+
   create_table "stack_managers", force: :cascade do |t|
     t.string "provider_url", null: false
     t.integer "stack_manager_type", default: 0, null: false
@@ -488,6 +532,38 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
     t.index ["account_id"], name: "index_stack_managers_on_account_id", unique: true
   end
 
+  create_table "team_memberships", force: :cascade do |t|
+    t.bigint "user_id", null: false
+    t.bigint "team_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["team_id"], name: "index_team_memberships_on_team_id"
+    t.index ["user_id", "team_id"], name: "index_team_memberships_on_user_id_and_team_id", unique: true
+    t.index ["user_id"], name: "index_team_memberships_on_user_id"
+  end
+
+  create_table "team_resources", force: :cascade do |t|
+    t.bigint "team_id", null: false
+    t.string "resourceable_type", null: false
+    t.bigint "resourceable_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["resourceable_type", "resourceable_id"], name: "index_team_resources_on_resourceable"
+    t.index ["team_id", "resourceable_type", "resourceable_id"], name: "index_team_resources_on_team_and_resourceable", unique: true
+    t.index ["team_id"], name: "index_team_resources_on_team_id"
+  end
+
+  create_table "teams", force: :cascade do |t|
+    t.string "name", null: false
+    t.string "slug", null: false
+    t.bigint "account_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["account_id", "name"], name: "index_teams_on_account_id_and_name", unique: true
+    t.index ["account_id"], name: "index_teams_on_account_id"
+    t.index ["slug"], name: "index_teams_on_slug", unique: true
+  end
+
   create_table "users", force: :cascade do |t|
     t.string "email", default: "", null: false
     t.string "encrypted_password", default: "", null: false
@@ -544,6 +620,11 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_16_091324) do
   add_foreign_key "projects", "clusters", column: "project_fork_cluster_id"
   add_foreign_key "providers", "users"
   add_foreign_key "services", "projects"
+  add_foreign_key "sso_providers", "accounts"
   add_foreign_key "stack_managers", "accounts"
+  add_foreign_key "team_memberships", "teams"
+  add_foreign_key "team_memberships", "users"
+  add_foreign_key "team_resources", "teams"
+  add_foreign_key "teams", "accounts"
   add_foreign_key "volumes", "projects"
 end
diff --git a/lib/portainer/stack.rb b/lib/portainer/stack.rb
index 4c1b5ce9..d4d3b657 100644
--- a/lib/portainer/stack.rb
+++ b/lib/portainer/stack.rb
@@ -60,7 +60,7 @@ class Portainer::Stack
   def logs_url(service, pod_name)
     service = service.name
     container = service.project.name
-    namespace = service.project.name
+    namespace = service.project.namespace
     cluster = service.project.cluster
 
     "/#{cluster.external_id}/kubernetes/applications/#{namespace}/#{service}/#{pod_name}/#{container}/logs"
diff --git a/resources/k8/secrets/registry_secret.yaml b/resources/k8/secrets/registry_secret.yaml
index 99613e5f..83db9cc9 100644
--- a/resources/k8/secrets/registry_secret.yaml
+++ b/resources/k8/secrets/registry_secret.yaml
@@ -3,6 +3,6 @@ type: kubernetes.io/dockerconfigjson
 apiVersion: v1
 metadata:
   name: dockerconfigjson-github-com
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
 data:
   .dockerconfigjson: <%= docker_config_json %>
\ No newline at end of file
diff --git a/resources/k8/stateless/command.yaml b/resources/k8/stateless/command.yaml
index 5ae91c8a..91b0295f 100644
--- a/resources/k8/stateless/command.yaml
+++ b/resources/k8/stateless/command.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: <%= name %>
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
   labels:
     caninemanaged: 'true'
     app: <%= project.name %>
diff --git a/resources/k8/stateless/config_map.yaml b/resources/k8/stateless/config_map.yaml
index bc800211..0a8c4089 100644
--- a/resources/k8/stateless/config_map.yaml
+++ b/resources/k8/stateless/config_map.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  namespace: <%= @project.name %>
+  namespace: <%= @project.namespace %>
   name: <%= @project.name %>
   labels:
     caninemanaged: 'true'
diff --git a/resources/k8/stateless/cron_job.yaml b/resources/k8/stateless/cron_job.yaml
index c15a1e43..4ccf104a 100644
--- a/resources/k8/stateless/cron_job.yaml
+++ b/resources/k8/stateless/cron_job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: <%= service.name %>
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
   labels:
     caninemanaged: 'true'
     app: <%= service.name %>
diff --git a/resources/k8/stateless/deployment.yaml b/resources/k8/stateless/deployment.yaml
index 24103552..97700da7 100644
--- a/resources/k8/stateless/deployment.yaml
+++ b/resources/k8/stateless/deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: <%= service.name %>
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
   labels:
     caninemanaged: 'true'
     app: <%= service.name %>
diff --git a/resources/k8/stateless/ingress.yaml b/resources/k8/stateless/ingress.yaml
index fa519406..f3a23b63 100644
--- a/resources/k8/stateless/ingress.yaml
+++ b/resources/k8/stateless/ingress.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: <%= name %>
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
   labels:
     caninemanaged: 'true'
   annotations:
diff --git a/resources/k8/stateless/pod.yaml b/resources/k8/stateless/pod.yaml
index e7c97c79..37ca6e5f 100644
--- a/resources/k8/stateless/pod.yaml
+++ b/resources/k8/stateless/pod.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: <%= name %>
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
   labels:
     caninemanaged: 'true'
     oneoff: 'true'
diff --git a/resources/k8/stateless/pv.yaml b/resources/k8/stateless/pv.yaml
index 2d7f294e..4a036293 100644
--- a/resources/k8/stateless/pv.yaml
+++ b/resources/k8/stateless/pv.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: <%= name %>
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
   labels:
     caninemanaged: 'true'
 spec:
diff --git a/resources/k8/stateless/pvc.yaml b/resources/k8/stateless/pvc.yaml
index 1d1c51e5..9dcbad4b 100644
--- a/resources/k8/stateless/pvc.yaml
+++ b/resources/k8/stateless/pvc.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: <%= name %>
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
   labels:
     caninemanaged: 'true'
 spec:
diff --git a/resources/k8/stateless/secrets.yaml b/resources/k8/stateless/secrets.yaml
index a35a0e55..5fe21f69 100644
--- a/resources/k8/stateless/secrets.yaml
+++ b/resources/k8/stateless/secrets.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  namespace: <%= @project.name %>
+  namespace: <%= @project.namespace %>
   name: <%= @project.name %>
   labels:
     caninemanaged: 'true'
diff --git a/resources/k8/stateless/service.yaml b/resources/k8/stateless/service.yaml
index 7ac0a221..0ebc673c 100644
--- a/resources/k8/stateless/service.yaml
+++ b/resources/k8/stateless/service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: <%= name %>
-  namespace: <%= project.name %>
+  namespace: <%= project.namespace %>
   labels:
     caninemanaged: 'true'
     app: <%= service.name %>
diff --git a/spec/actions/projects/create_spec.rb b/spec/actions/projects/create_spec.rb
index da3c9d1e..c72a83da 100644
--- a/spec/actions/projects/create_spec.rb
+++ b/spec/actions/projects/create_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe Projects::Create do
 
   before do
     allow(Projects::ValidateGitRepository).to receive(:execute)
-    allow(Projects::ValidateNamespaceAvailability).to receive(:execute)
+    allow(Projects::ValidateNamespace).to receive(:execute)
     allow(Projects::RegisterGitWebhook).to receive(:execute)
   end
 
@@ -156,7 +156,7 @@ RSpec.describe Projects::Create do
       it 'validates with github and registers webhooks' do
         expect(subject).to eq([
           Projects::ValidateGitRepository,
-          Projects::ValidateNamespaceAvailability,
+          Projects::ValidateNamespace,
           Projects::InitializeBuildPacks,
           Projects::Save,
           Projects::RegisterGitWebhook
@@ -172,7 +172,7 @@ RSpec.describe Projects::Create do
       it 'validates with github and does not register webhooks' do
         expect(subject).to eq([
           Projects::ValidateGitRepository,
-          Projects::ValidateNamespaceAvailability,
+          Projects::ValidateNamespace,
           Projects::InitializeBuildPacks,
           Projects::Save
         ])
diff --git a/spec/actions/projects/set_up_namespace_spec.rb b/spec/actions/projects/set_up_namespace_spec.rb
new file mode 100644
index 00000000..9ab81eef
--- /dev/null
+++ b/spec/actions/projects/set_up_namespace_spec.rb
@@ -0,0 +1,26 @@
+require 'rails_helper'
+
+RSpec.describe Projects::SetUpNamespace do
+  let(:subject) { described_class.execute(project:) }
+
+  context "canine managed namespace" do
+    let(:project) { build(:project, managed_namespace: true, namespace: "") }
+
+    it "autosets the name" do
+      result = subject
+
+      expect(result.project.namespace).to eq(project.name)
+      expect(result.project.errors).to be_empty
+    end
+  end
+
+  context "self managed" do
+    let(:project) { build(:project, managed_namespace: false, namespace: "") }
+
+    it "raises error" do
+      result = subject
+      expect(result.project.errors).to be_present
+      expect(result.failure?).to be_truthy
+    end
+  end
+end
diff --git a/spec/actions/projects/validate_namespace_availability_spec.rb b/spec/actions/projects/validate_namespace_availability_spec.rb
deleted file mode 100644
index 6d782bf3..00000000
--- a/spec/actions/projects/validate_namespace_availability_spec.rb
+++ /dev/null
@@ -1,53 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe Projects::ValidateNamespaceAvailability do
-  let(:cluster) { create(:cluster) }
-  let(:project) { build(:project, name: 'test-app', cluster: cluster) }
-  let(:user) { create(:user) }
-  let(:k8_client) { instance_double(K8::Client) }
-
-  before do
-    allow(K8::Client).to receive(:new).and_return(k8_client)
-  end
-
-  describe '.execute' do
-    context 'when namespace does not exist' do
-      before do
-        allow(k8_client).to receive(:get_namespaces).and_return([])
-      end
-
-      it 'succeeds' do
-        expect(described_class.execute(project: project, user: user)).to be_success
-      end
-    end
-
-    context 'when namespace already exists' do
-      before do
-        allow(k8_client).to receive(:get_namespaces).and_return([ existing_namespace ])
-      end
-
-      context 'when namespace is not managed by Canine' do
-        let(:existing_namespace) do
-          OpenStruct.new(metadata: OpenStruct.new(name: 'test-app'))
-        end
-
-        it 'fails with error message' do
-          result = described_class.execute(project: project, user: user)
-          expect(result).to be_failure
-          expect(result.message).to include("already exists")
-        end
-      end
-
-      context 'when namespace is managed by Canine' do
-        let(:existing_namespace) do
-          OpenStruct.new(metadata: OpenStruct.new(name: 'test-app', labels: OpenStruct.new(caninemanaged: "true")))
-        end
-
-        it 'succeeds' do
-          result = described_class.execute(project: project, user: user)
-          expect(result).to be_success
-        end
-      end
-    end
-  end
-end
diff --git a/spec/actions/projects/validate_namespace_spec.rb b/spec/actions/projects/validate_namespace_spec.rb
new file mode 100644
index 00000000..bebaa1ef
--- /dev/null
+++ b/spec/actions/projects/validate_namespace_spec.rb
@@ -0,0 +1,93 @@
+require 'rails_helper'
+
+RSpec.describe Projects::ValidateNamespace do
+  let(:cluster) { create(:cluster) }
+  let(:user) { create(:user) }
+  let(:k8_client) { instance_double(K8::Client) }
+
+  before do
+    allow(K8::Client).to receive(:new).and_return(k8_client)
+  end
+
+  describe '.execute' do
+    context 'with unmanaged namespace' do
+      let(:project) do
+        build(:project, namespace: 'my-custom-namespace', managed_namespace: false)
+      end
+
+      context 'that doesnt exist' do
+        before do
+          allow(k8_client).to receive(
+            :get_namespaces
+          ).and_return([ OpenStruct.new(metadata: OpenStruct.new(name: "test-app")) ])
+        end
+
+        it 'fails' do
+          expect(described_class.execute(project:, user: user)).to be_failure
+        end
+      end
+
+      context 'that does exist' do
+        before do
+          allow(k8_client).to receive(
+            :get_namespaces,
+          ).and_return([ OpenStruct.new(metadata: OpenStruct.new(name: "my-custom-namespace")) ])
+        end
+
+        it 'succeeds' do
+          expect(described_class.execute(project:, user:)).to be_success
+        end
+      end
+    end
+
+    context 'with managed namespace' do
+      let(:project) do
+        build(
+          :project,
+          name: 'test-app',
+          cluster: cluster,
+          managed_namespace: true,
+          namespace: 'test-app'
+        )
+      end
+      context 'when namespace does not exist' do
+        before do
+          allow(k8_client).to receive(:get_namespaces).and_return([])
+        end
+
+        it 'succeeds' do
+          expect(described_class.execute(project: project, user: user)).to be_success
+        end
+      end
+
+      context 'when namespace already exists' do
+        before do
+          allow(k8_client).to receive(:get_namespaces).and_return([ existing_namespace ])
+        end
+
+        context 'when namespace is not managed by Canine' do
+          let(:existing_namespace) do
+            OpenStruct.new(metadata: OpenStruct.new(name: 'test-app'))
+          end
+
+          it 'fails with error message' do
+            result = described_class.execute(project: project, user: user)
+            expect(result).to be_failure
+            expect(result.message).to include("already exists")
+          end
+        end
+
+        context 'when namespace is managed by Canine' do
+          let(:existing_namespace) do
+            OpenStruct.new(metadata: OpenStruct.new(name: 'test-app', labels: OpenStruct.new(caninemanaged: "true")))
+          end
+
+          it 'succeeds' do
+            result = described_class.execute(project: project, user: user)
+            expect(result).to be_success
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/factories/add_ons.rb b/spec/factories/add_ons.rb
index bdb8beb6..9b877511 100644
--- a/spec/factories/add_ons.rb
+++ b/spec/factories/add_ons.rb
@@ -2,16 +2,18 @@
 #
 # Table name: add_ons
 #
-#  id         :bigint           not null, primary key
-#  chart_type :string           not null
-#  chart_url  :string
-#  metadata   :jsonb
-#  name       :string           not null
-#  status     :integer          default("installing"), not null
-#  values     :jsonb
-#  created_at :datetime         not null
-#  updated_at :datetime         not null
-#  cluster_id :bigint           not null
+#  id                :bigint           not null, primary key
+#  chart_type        :string           not null
+#  chart_url         :string
+#  managed_namespace :boolean          default(TRUE)
+#  metadata          :jsonb
+#  name              :string           not null
+#  namespace         :string           not null
+#  status            :integer          default("installing"), not null
+#  values            :jsonb
+#  created_at        :datetime         not null
+#  updated_at        :datetime         not null
+#  cluster_id        :bigint           not null
 #
 # Indexes
 #
diff --git a/spec/factories/projects.rb b/spec/factories/projects.rb
index df1091ad..58d6cbd3 100644
--- a/spec/factories/projects.rb
+++ b/spec/factories/projects.rb
@@ -9,7 +9,9 @@
 #  container_registry_url         :string
 #  docker_build_context_directory :string           default("."), not null
 #  dockerfile_path                :string           default("./Dockerfile"), not null
+#  managed_namespace              :boolean          default(TRUE)
 #  name                           :string           not null
+#  namespace                      :string           not null
 #  postdeploy_command             :text
 #  postdestroy_command            :text
 #  predeploy_command              :text
@@ -36,6 +38,8 @@ FactoryBot.define do
     cluster
     account
     sequence(:name) { |n| "example-project-#{n}" }
+    sequence(:namespace) { |n| "example-project-#{n}" }
+    managed_namespace { true }
     repository_url { "owner/repository" }
     status { :creating }
     autodeploy { true }
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 5e7b325b..a2ca4809 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -9,7 +9,9 @@
 #  container_registry_url         :string
 #  docker_build_context_directory :string           default("."), not null
 #  dockerfile_path                :string           default("./Dockerfile"), not null
+#  managed_namespace              :boolean          default(TRUE)
 #  name                           :string           not null
+#  namespace                      :string           not null
 #  postdeploy_command             :text
 #  postdestroy_command            :text
 #  predeploy_command              :text
diff --git a/spec/models/service_spec.rb b/spec/models/service_spec.rb
index 251f1778..6c39f1e7 100644
--- a/spec/models/service_spec.rb
+++ b/spec/models/service_spec.rb
@@ -18,6 +18,14 @@
 #  updated_at              :datetime         not null
 #  project_id              :bigint           not null
 #
+# Indexes
+#
+#  index_services_on_project_id  (project_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (project_id => projects.id)
+#
 require 'rails_helper'
 
 RSpec.describe Service, type: :model do
diff --git a/spec/services/k8/stateless/cron_job_spec.rb b/spec/services/k8/stateless/cron_job_spec.rb
index 2a0fe2b9..efa7069a 100644
--- a/spec/services/k8/stateless/cron_job_spec.rb
+++ b/spec/services/k8/stateless/cron_job_spec.rb
@@ -60,7 +60,7 @@ RSpec.describe K8::Stateless::CronJob do
     before do
       kubectl = instance_double(K8::Kubectl)
       allow(K8::Kubectl).to receive(:new).and_return(kubectl)
-      allow(kubectl).to receive(:call).with("get jobs -n #{project.name} -o json").and_return(job_response)
+      allow(kubectl).to receive(:call).with("get jobs -n #{project.namespace} -o json").and_return(job_response)
     end
 
     it 'returns job runs for the service' do

From 41fb9b188daaa836d77f962cf3d9a726a3606f59 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Tue, 25 Nov 2025 21:41:34 -0800
Subject: [PATCH 11/75] updates

---
 app/views/projects/_layout.html.erb           | 40 +++++++++++++------
 app/views/projects/edit.html.erb              |  3 ++
 .../shared/partials/_namespace_show.html.erb  | 31 +++++++++-----
 spec/factories/add_ons.rb                     |  2 +
 4 files changed, 55 insertions(+), 21 deletions(-)

diff --git a/app/views/projects/_layout.html.erb b/app/views/projects/_layout.html.erb
index 1c531262..a3e28ce8 100644
--- a/app/views/projects/_layout.html.erb
+++ b/app/views/projects/_layout.html.erb
@@ -22,23 +22,39 @@
         <% end %>
       </div>
     <% end %>
-    <div class="text-sm">
+    <div class="text-sm flex flex-row">
       <%= link_to project.link_to_view, target: "_blank" do %>
         <% if project.git? %>
-          <% if project.github? %>
-            <iconify-icon icon="lucide:github"></iconify-icon>
-          <% elsif project.gitlab? %>
-            <iconify-icon icon="lucide:gitlab"></iconify-icon>
-          <% end %>
-          <span class="underline mr-2"><%= project.repository_url %></span>
-          <iconify-icon icon="lucide:git-branch"></iconify-icon>
-          <span class="underline"><%= project.branch %></span>
+          <div class="flex flex-row items-center gap-1">
+            <% if project.github? %>
+              <iconify-icon icon="lucide:github"></iconify-icon>
+            <% elsif project.gitlab? %>
+              <iconify-icon icon="lucide:gitlab"></iconify-icon>
+            <% end %>
+            <span class="underline mr-2"><%= project.repository_url %></span>
+            <iconify-icon icon="lucide:git-branch"></iconify-icon>
+            <span class="underline"><%= project.branch %></span>
+          </div>
         <% else %>
-          <iconify-icon icon="logos:docker-icon"></iconify-icon>
-          <span class="underline"><%= project.repository_url %></span>
+          <div class="flex flex-row items-center gap-1">
+            <iconify-icon icon="logos:docker-icon"></iconify-icon>
+            <span class="underline"><%= project.repository_url %></span>
+          <div class="flex flex-row items-center gap-1">
         <% end %>
       <% end %>
-      <span class="ml-6"><iconify-icon icon="devicon:kubernetes"></iconify-icon> <%= link_to project.cluster.name, project.cluster, target: "_blank", class: "underline" %></span>
+
+      <%= link_to(
+        project.cluster,
+        target: "_blank",
+        class: "underline",
+      ) do %>
+        <div class="ml-6 flex flex-row items-center gap-1">
+          <iconify-icon icon="devicon:kubernetes"></iconify-icon>
+          <div><%= project.cluster.name %></div>
+          <div><iconify-icon icon="lucide:slash"></iconify-icon></div>
+          <div><%= project.namespace %></div>
+        </div>
+      <% end %>
     </div>
   </div>
   <div class="flex flex-col self-stretch mt-4 lg:mt-0">
diff --git a/app/views/projects/edit.html.erb b/app/views/projects/edit.html.erb
index 8c5fc80e..30588837 100644
--- a/app/views/projects/edit.html.erb
+++ b/app/views/projects/edit.html.erb
@@ -4,6 +4,9 @@
     <div>
       <h2 class="text-2xl font-bold">General</h2>
       <hr class="mt-3 mb-4 border-t border-base-300" />
+      <% unless @project.managed_namespace %>
+      <%= render "shared/partials/namespace_show", namespaced: @project %>
+      <% end %>
       <%= render "edit_form", project: @project %>
     </div>
 
diff --git a/app/views/shared/partials/_namespace_show.html.erb b/app/views/shared/partials/_namespace_show.html.erb
index 39224ba6..37cdbd0e 100644
--- a/app/views/shared/partials/_namespace_show.html.erb
+++ b/app/views/shared/partials/_namespace_show.html.erb
@@ -1,11 +1,24 @@
-<div class="flex flex-row">
-  <div>
-    <label>Namespace</label>
-    <input value="<%= project.namespace %>" disabled />
-  </div>
-  <div>/</div>
-  <div>
-    <label>Name</label>
-    <input value="<%= project.name %>" disabled />
+<div>
+  <div class="flex flex-row items-end">
+    <div>
+      <div><label>Namespace</label></div>
+      <div class="flex flex-row items-center">
+        <input value="<%= namespaced.namespace %>" class="input input-bordered w-full focus:outline-offset-0" readonly />
+        <div class="mx-2 font-medium text-lg">/</div>
+      </div>
+    </div>
+    <div>
+      <div><label>Name</label></div>
+      <input value="<%= namespaced.name %>"  class="input input-bordered w-full focus:outline-offset-0" readonly />
+    </div>
   </div>
+  <label class="label">
+    <span class="label-text-alt">
+    <% if namespaced.managed_namespace %>
+      This namespace is managed by Canine. If the <%= namespaced.class.to_s.titleize %> is deleted, the namespace will be deleted.
+    <% else %>
+      This namespace is managed by Canine. If the <%= namespaced.class.to_s.titleize %> is deleted, the namespace will not be deleted.
+    <% end %>
+    </span>
+  </label>
 </div>
\ No newline at end of file
diff --git a/spec/factories/add_ons.rb b/spec/factories/add_ons.rb
index 9b877511..a0dad5f6 100644
--- a/spec/factories/add_ons.rb
+++ b/spec/factories/add_ons.rb
@@ -30,6 +30,8 @@ FactoryBot.define do
     chart_url { 'bitnami/redis' }
     chart_type { "helm_chart" }
     sequence(:name) { |n| "example-addon-#{n}" }
+    sequence(:namespace) { |n| "example-addon-#{n}" }
+    managed_namespace { true }
     status { :installing }
     values { {} }
     metadata { { "package_details" => { "repository" => { "name" => "bitnami", "url" => "https://bitnami.com/charts" } } } }

From d2b2de01c44ec4ebb4194887cbd0032649b6fa15 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Tue, 25 Nov 2025 23:25:36 -0800
Subject: [PATCH 12/75] lots of refactoring...

---
 .../add_ons/apply_template_to_values.rb       |  25 +++
 app/actions/add_ons/create.rb                 |  68 +++----
 app/actions/add_ons/save.rb                   |  10 +
 app/actions/add_ons/set_package_details.rb    |  18 ++
 app/actions/namespaced/set_up_namespace.rb    |  16 ++
 .../validate_namespace.rb                     |  30 +--
 app/actions/projects/create.rb                | 186 +++++++++---------
 app/actions/projects/set_up_namespace.rb      |  15 --
 app/controllers/add_ons_controller.rb         |  26 +--
 app/models/add_on.rb                          |   7 -
 app/models/concerns/namespaced.rb             |   8 +
 app/models/project.rb                         |   7 -
 .../add_ons/apply_template_to_values_spec.rb  |  22 +++
 spec/actions/add_ons/create_spec.rb           |  69 +++----
 .../add_ons/set_package_details_spec.rb       |  31 +++
 .../namespaced/set_up_namespace_spec.rb       |  26 +++
 .../validate_namespace_spec.rb                |  12 +-
 spec/actions/projects/create_spec.rb          |  10 +-
 .../actions/projects/set_up_namespace_spec.rb |  10 +-
 spec/models/cluster_spec.rb                   |   4 +-
 spec/models/project_spec.rb                   |   4 +-
 21 files changed, 350 insertions(+), 254 deletions(-)
 create mode 100644 app/actions/add_ons/apply_template_to_values.rb
 create mode 100644 app/actions/add_ons/save.rb
 create mode 100644 app/actions/add_ons/set_package_details.rb
 create mode 100644 app/actions/namespaced/set_up_namespace.rb
 rename app/actions/{projects => namespaced}/validate_namespace.rb (54%)
 delete mode 100644 app/actions/projects/set_up_namespace.rb
 create mode 100644 spec/actions/add_ons/apply_template_to_values_spec.rb
 create mode 100644 spec/actions/add_ons/set_package_details_spec.rb
 create mode 100644 spec/actions/namespaced/set_up_namespace_spec.rb
 rename spec/actions/{projects => namespaced}/validate_namespace_spec.rb (83%)

diff --git a/app/actions/add_ons/apply_template_to_values.rb b/app/actions/add_ons/apply_template_to_values.rb
new file mode 100644
index 00000000..a388cdb6
--- /dev/null
+++ b/app/actions/add_ons/apply_template_to_values.rb
@@ -0,0 +1,25 @@
+class AddOns::ApplyTemplateToValues
+  extend LightService::Action
+  expects :add_on
+
+  executed do |context|
+    add_on = context.add_on
+    add_on.values.extend(DotSettable)
+
+    variables = add_on.metadata['template'] || {}
+    variables.keys.each do |key|
+      variable = variables[key]
+
+      if variable.is_a?(Hash) && variable['type'] == 'size'
+        add_on.values.dotset(key, "#{variable['value']}#{variable['unit']}")
+      else
+        variable_definition = add_on.chart_definition['template'].find { |t| t['key'] == key }
+        if variable_definition['type'] == 'integer'
+          add_on.values.dotset(key, variable.to_i)
+        else
+          add_on.values.dotset(key, variable)
+        end
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/app/actions/add_ons/create.rb b/app/actions/add_ons/create.rb
index 44b01691..5994d24c 100644
--- a/app/actions/add_ons/create.rb
+++ b/app/actions/add_ons/create.rb
@@ -1,47 +1,37 @@
 class AddOns::Create
-  extend LightService::Action
-  expects :add_on
-  promises :add_on
+  def self.parse_params(params)
+    if params[:add_on][:values_yaml].present?
+      params[:add_on][:values] = YAML.safe_load(params[:add_on][:values_yaml])
+    end
+    if params[:add_on][:metadata].present?
+      params[:add_on][:metadata] = params[:add_on][:metadata][params[:add_on][:chart_type]]
+    end
+    params.require(:add_on).permit(
+      :cluster_id,
+      :chart_type,
+      :chart_url,
+      :name,
+      metadata: {},
+      values: {}
+    )
+  end
 
-  executed do |context|
-    add_on = context.add_on
-    apply_template_to_values(add_on)
-    fetch_package_details(context, add_on)
-    unless add_on.save
-      context.fail_and_return!("Failed to create add on")
+  class ToNamespaced
+    extend LightService::Action
+    expects :add_on
+    promises :namespaced
+    executed do |context|
+      context.namespaced = context.add_on
     end
   end
 
-  def self.fetch_package_details(context, add_on)
-    result = AddOns::HelmChartDetails.execute(chart_url: add_on.chart_url)
+  extend LightService::Organizer
 
-    if result.failure?
-      add_on.errors.add(:base, "Failed to fetch package details")
-      context.fail_and_return!("Failed to fetch package details")
-    end
-
-    result.response.delete('readme')
-    add_on.metadata['package_details'] = result.response
-  end
-
-  def self.apply_template_to_values(add_on)
-    # Merge the values from the form with the values.yaml object and create a new values.yaml file
-    add_on.values.extend(DotSettable)
-
-    variables = add_on.metadata['template'] || {}
-    variables.keys.each do |key|
-      variable = variables[key]
-
-      if variable.is_a?(Hash) && variable['type'] == 'size'
-        add_on.values.dotset(key, "#{variable['value']}#{variable['unit']}")
-      else
-        variable_definition = add_on.chart_definition['template'].find { |t| t['key'] == key }
-        if variable_definition['type'] == 'integer'
-          add_on.values.dotset(key, variable.to_i)
-        else
-          add_on.values.dotset(key, variable)
-        end
-      end
-    end
+  def self.call(add_on)
+    with(add_on:).reduce(
+      AddOns::ApplyTemplateToValues,
+      AddOns::SetPackageDetails,
+      AddOns::Save
+    )
   end
 end
diff --git a/app/actions/add_ons/save.rb b/app/actions/add_ons/save.rb
new file mode 100644
index 00000000..a3b0c522
--- /dev/null
+++ b/app/actions/add_ons/save.rb
@@ -0,0 +1,10 @@
+class AddOns::Save
+  extend LightService::Action
+  expects :add_on
+
+  executed do |context|
+    unless context.add_on.save
+      context.fail_and_return!("Failed to create add on")
+    end
+  end
+end
\ No newline at end of file
diff --git a/app/actions/add_ons/set_package_details.rb b/app/actions/add_ons/set_package_details.rb
new file mode 100644
index 00000000..dc42bb10
--- /dev/null
+++ b/app/actions/add_ons/set_package_details.rb
@@ -0,0 +1,18 @@
+class AddOns::SetPackageDetails
+  extend LightService::Action
+  expects :add_on
+
+  executed do |context|
+    add_on = context.add_on
+    result = AddOns::HelmChartDetails.execute(chart_url: add_on.chart_url)
+
+    if result.failure?
+      add_on.errors.add(:base, "Failed to fetch package details")
+      context.fail_and_return!("Failed to fetch package details")
+    end
+
+    # Readme is too large
+    result.response.delete('readme')
+    add_on.metadata['package_details'] = result.response
+  end
+end
\ No newline at end of file
diff --git a/app/actions/namespaced/set_up_namespace.rb b/app/actions/namespaced/set_up_namespace.rb
new file mode 100644
index 00000000..d8dbf164
--- /dev/null
+++ b/app/actions/namespaced/set_up_namespace.rb
@@ -0,0 +1,16 @@
+class Namespaced::SetUpNamespace
+  extend LightService::Action
+  expects :namespaced
+  promises :namespaced
+
+  executed do |context|
+    namespaced = context.namespaced
+    if namespaced.namespace.blank? && namespaced.managed_namespace
+      # autoset the namespace to the namespaced name
+      namespaced.namespace = namespaced.name
+    elsif namespaced.namespace.blank? && !namespaced.managed_namespace
+      namespaced.errors.add(:base, "A namespace must be provided if it is not managed by Canine")
+      context.fail_and_return!("Failed to set up namespace")
+    end
+  end
+end
diff --git a/app/actions/projects/validate_namespace.rb b/app/actions/namespaced/validate_namespace.rb
similarity index 54%
rename from app/actions/projects/validate_namespace.rb
rename to app/actions/namespaced/validate_namespace.rb
index c26a522e..88f29656 100644
--- a/app/actions/projects/validate_namespace.rb
+++ b/app/actions/namespaced/validate_namespace.rb
@@ -1,53 +1,53 @@
-module Projects
+module Namespaced
   class ValidateNamespace
     extend LightService::Action
 
-    expects :project, :user
+    expects :namespaced, :user
 
     def self.validate_namespace_does_not_exist_or_is_managed(
       context,
-      project,
+      namespaced,
       client,
       existing_namespaces
     )
       namespace_exists = existing_namespaces.any? do |ns|
-        ns.metadata.name == project.namespace && ns.metadata&.labels&.caninemanaged != "true"
+        ns.metadata.name == namespaced.namespace && ns.metadata&.labels&.caninemanaged != "true"
       end
       if namespace_exists
-        error_message = "Namespace `#{project.name}` already exists in the Kubernetes cluster. Please delete the existing namespace, or try a different name."
-        project.errors.add(:name, error_message)
+        error_message = "Namespace `#{namespaced.name}` already exists in the Kubernetes cluster. Please delete the existing namespace, or try a different name."
+        namespaced.errors.add(:name, error_message)
         context.fail_and_return!(error_message)
       end
     end
 
     def self.validate_namespace_exists(
       context,
-      project,
+      namespaced,
       client,
       existing_namespaces
     )
       existing_namespace = existing_namespaces.any? do |ns|
-        ns.metadata.name == project.namespace
+        ns.metadata.name == namespaced.namespace
       end
       unless existing_namespace
-        error_message = "`#{project.name}` does not exist in the cluster. If you want Canine to automaticaly create it, enable <b>auto create namespace</b>"
-        project.errors.add(:base, error_message)
+        error_message = "`#{namespaced.name}` does not exist in the cluster. If you want Canine to automaticaly create it, enable <b>auto create namespace</b>"
+        namespaced.errors.add(:base, error_message)
         context.fail_and_return!(error_message)
       end
     end
 
     executed do |context|
-      project = context.project
-      cluster = project.cluster
+      namespaced = context.namespaced
+      cluster = namespaced.cluster
 
       begin
         client = K8::Client.new(K8::Connection.new(cluster, context.user))
         existing_namespaces = client.get_namespaces
 
-        if project.managed_namespace
-          validate_namespace_does_not_exist_or_is_managed(context, project, client, existing_namespaces)
+        if namespaced.managed_namespace
+          validate_namespace_does_not_exist_or_is_managed(context, namespaced, client, existing_namespaces)
         else
-          validate_namespace_exists(context, project, client, existing_namespaces)
+          validate_namespace_exists(context, namespaced, client, existing_namespaces)
         end
       rescue StandardError => e
         # If we can't connect to check, we'll let it proceed and fail later if needed
diff --git a/app/actions/projects/create.rb b/app/actions/projects/create.rb
index 468af95c..cc18d813 100644
--- a/app/actions/projects/create.rb
+++ b/app/actions/projects/create.rb
@@ -1,93 +1,101 @@
 # frozen_string_literal: true
 
-module Projects
-  class Create
-    extend LightService::Organizer
-    def self.create_params(params)
-      params.require(:project).permit(
-        :name,
-        :namespace,
-        :managed_namespace,
-        :repository_url,
-        :branch,
-        :cluster_id,
-        :container_registry_url,
-        :predeploy_command,
-        :project_fork_status,
-        :project_fork_cluster_id
-      )
-    end
-
-    def self.call(
-      params,
-      user
-    )
-      project = Project.new(create_params(params))
-      provider = find_provider(user, params)
-      project_credential_provider = build_project_credential_provider(project, provider)
-      build_configuration = build_build_configuration(project, params)
-
-      steps = create_steps(provider)
-      with(
-        project:,
-        project_credential_provider:,
-        build_configuration:,
-        params:,
-        user:
-      ).reduce(*steps)
-    end
-
-    def self.build_project_credential_provider(project, provider)
-      ProjectCredentialProvider.new(
-        project:,
-        provider:,
-      )
-    end
-
-    def self.build_build_configuration(project, params)
-      return unless project.git?
-      build_config_params = params[:project][:build_configuration] || ActionController::Parameters.new
-      default_params = build_default_build_configuration(project)
-      merged_params = default_params.merge(BuildConfiguration.permit_params(build_config_params).compact_blank)
-      build_configuration = project.build_build_configuration(merged_params)
-      build_configuration
-    end
-
-    def self.build_default_build_configuration(project)
-      {
-        provider: project.project_credential_provider.provider,
-        driver: BuildConfiguration::DEFAULT_BUILDER,
-        build_type: :dockerfile,
-        image_repository: project.repository_url,
-        context_directory: ".",
-        dockerfile_path: "./Dockerfile"
-      }
-    end
-
-    def self.create_steps(provider)
-      steps = []
-      if provider.git?
-        steps << Projects::ValidateGitRepository
-      end
-
-      steps << Projects::SetUpNamespace
-      steps << Projects::ValidateNamespace
-      steps << Projects::InitializeBuildPacks
-      steps << Projects::Save
-
-      # Only register webhook in cloud mode
-      if Rails.application.config.cloud_mode && provider.git?
-        steps << Projects::RegisterGitWebhook
-      end
-
-      steps
-    end
-
-    def self.find_provider(user, params)
-      provider_id = params[:project][:project_credential_provider][:provider_id]
-      user.providers.find(provider_id)
-    rescue ActiveRecord::RecordNotFound
-      raise "Provider #{provider_id} not found"
+class Projects::Create
+  class ToNamespaced
+    extend LightService::Action
+    expects :project
+    promises :namespaced
+    executed do |context|
+      context.namespaced = context.project
     end
   end
-end
+
+  extend LightService::Organizer
+  def self.create_params(params)
+    params.require(:project).permit(
+      :name,
+      :namespace,
+      :managed_namespace,
+      :repository_url,
+      :branch,
+      :cluster_id,
+      :container_registry_url,
+      :predeploy_command,
+      :project_fork_status,
+      :project_fork_cluster_id
+    )
+  end
+
+  def self.call(
+    params,
+    user
+  )
+    project = Project.new(create_params(params))
+    provider = find_provider(user, params)
+    project_credential_provider = build_project_credential_provider(project, provider)
+    build_configuration = build_build_configuration(project, params)
+
+    steps = create_steps(provider)
+    with(
+      project:,
+      project_credential_provider:,
+      build_configuration:,
+      params:,
+      user:
+    ).reduce(*steps)
+  end
+
+  def self.build_project_credential_provider(project, provider)
+    ProjectCredentialProvider.new(
+      project:,
+      provider:,
+    )
+  end
+
+  def self.build_build_configuration(project, params)
+    return unless project.git?
+    build_config_params = params[:project][:build_configuration] || ActionController::Parameters.new
+    default_params = build_default_build_configuration(project)
+    merged_params = default_params.merge(BuildConfiguration.permit_params(build_config_params).compact_blank)
+    build_configuration = project.build_build_configuration(merged_params)
+    build_configuration
+  end
+
+  def self.build_default_build_configuration(project)
+    {
+      provider: project.project_credential_provider.provider,
+      driver: BuildConfiguration::DEFAULT_BUILDER,
+      build_type: :dockerfile,
+      image_repository: project.repository_url,
+      context_directory: ".",
+      dockerfile_path: "./Dockerfile"
+    }
+  end
+
+  def self.create_steps(provider)
+    steps = []
+    if provider.git?
+      steps << Projects::ValidateGitRepository
+    end
+
+    steps << Projects::Create::ToNamespaced
+    steps << Namespaced::SetUpNamespace
+    steps << Namespaced::ValidateNamespace
+    steps << Projects::InitializeBuildPacks
+    steps << Projects::Save
+
+    # Only register webhook in cloud mode
+    if Rails.application.config.cloud_mode && provider.git?
+      steps << Projects::RegisterGitWebhook
+    end
+
+    steps
+  end
+
+  def self.find_provider(user, params)
+    provider_id = params[:project][:project_credential_provider][:provider_id]
+    user.providers.find(provider_id)
+  rescue ActiveRecord::RecordNotFound
+    raise "Provider #{provider_id} not found"
+  end
+end
\ No newline at end of file
diff --git a/app/actions/projects/set_up_namespace.rb b/app/actions/projects/set_up_namespace.rb
deleted file mode 100644
index fa390e49..00000000
--- a/app/actions/projects/set_up_namespace.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-class Projects::SetUpNamespace
-  extend LightService::Action
-  expects :project
-
-  executed do |context|
-    project = context.project
-    if project.namespace.blank? && project.managed_namespace
-      # autoset the namespace to the project name
-      project.namespace = project.name
-    elsif project.namespace.blank? && !project.managed_namespace
-      project.errors.add(:base, "A namespace must be provided if it is not managed by Canine")
-      context.fail_and_return!("Failed to set up namespace")
-    end
-  end
-end
diff --git a/app/controllers/add_ons_controller.rb b/app/controllers/add_ons_controller.rb
index ab7911ee..3b804349 100644
--- a/app/controllers/add_ons_controller.rb
+++ b/app/controllers/add_ons_controller.rb
@@ -39,7 +39,8 @@ class AddOnsController < ApplicationController
 
   # POST /add_ons or /add_ons.json
   def create
-    result = AddOns::Create.execute(add_on: AddOn.new(add_on_params))
+    params = AddOns::Create.parse_params(params)
+    result = AddOns::Create.execute(add_on: AddOn.new(params))
     @add_on = result.add_on
     # Uncomment to authorize with Pundit
     # authorize @add_on
@@ -58,7 +59,7 @@ class AddOnsController < ApplicationController
 
   # PATCH/PUT /add_ons/1 or /add_ons/1.json
   def update
-    @add_on.assign_attributes(add_on_params)
+    @add_on.assign_attributes(AddOns::Create.parse_params(params))
     result = AddOns::Update.execute(add_on: @add_on)
 
     respond_to do |format|
@@ -123,25 +124,4 @@ class AddOnsController < ApplicationController
   rescue ActiveRecord::RecordNotFound
     redirect_to add_ons_path
   end
-
-  # Only allow a list of trusted parameters through.
-  def add_on_params
-    if params[:add_on][:values_yaml].present?
-      params[:add_on][:values] = YAML.safe_load(params[:add_on][:values_yaml])
-    end
-    if params[:add_on][:metadata].present?
-      params[:add_on][:metadata] = params[:add_on][:metadata][params[:add_on][:chart_type]]
-    end
-    params.require(:add_on).permit(
-      :cluster_id,
-      :chart_type,
-      :chart_url,
-      :name,
-      metadata: {},
-      values: {}
-    )
-
-    # Uncomment to use Pundit permitted attributes
-    # params.require(:add_on).permit(policy(@add_on).permitted_attributes)
-  end
 end
diff --git a/app/models/add_on.rb b/app/models/add_on.rb
index 3dfb8f02..fff705b7 100644
--- a/app/models/add_on.rb
+++ b/app/models/add_on.rb
@@ -42,7 +42,6 @@ class AddOn < ApplicationRecord
   validates :chart_type, presence: true
   validate :chart_type_exists
   validates :name, presence: true, format: { with: /\A[a-z0-9-]+\z/, message: "must be lowercase, numbers, and hyphens only" }
-  validate :name_is_unique_to_cluster, on: :create
   validates_presence_of :chart_url
   validate :has_package_details, if: :helm_chart?
 
@@ -59,12 +58,6 @@ class AddOn < ApplicationRecord
     metadata['install_stage'] || 0
   end
 
-  def name_is_unique_to_cluster
-    if cluster.namespaces.include?(name)
-      errors.add(:name, "must be unique to this cluster")
-    end
-  end
-
   def has_package_details
     if metadata['package_details'].blank?
       errors.add(:metadata, "is missing required keys: package_details")
diff --git a/app/models/concerns/namespaced.rb b/app/models/concerns/namespaced.rb
index 501552d5..ebdf8dd9 100644
--- a/app/models/concerns/namespaced.rb
+++ b/app/models/concerns/namespaced.rb
@@ -1,7 +1,15 @@
 module Namespaced
+  def name_is_unique_to_cluster
+    if cluster.namespaces.include?(namespace)
+      errors.add(:name, "must be unique to this cluster")
+    end
+  end
+
   def self.included(base)
     base.class_eval do
       validates_presence_of :namespace
+
+      validate :name_is_unique_to_cluster, on: :create
     end
   end
 end
diff --git a/app/models/project.rb b/app/models/project.rb
index 63b19a57..c377e8aa 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -70,7 +70,6 @@ class Project < ApplicationRecord
   validate :project_fork_cluster_id_is_owned_by_account
   validates_presence_of :build_configuration, if: :git?
 
-  validate :name_is_unique_to_cluster, on: :create
   after_save_commit do
     broadcast_replace_to [ self, :status ], target: dom_id(self, :status), partial: "projects/status", locals: { project: self }
   end
@@ -97,12 +96,6 @@ class Project < ApplicationRecord
     end
   end
 
-  def name_is_unique_to_cluster
-    if cluster.namespaces.include?(name)
-      errors.add(:name, "must be unique to this cluster")
-    end
-  end
-
   def current_deployment
     deployments.order(created_at: :desc).where(status: :completed).first
   end
diff --git a/spec/actions/add_ons/apply_template_to_values_spec.rb b/spec/actions/add_ons/apply_template_to_values_spec.rb
new file mode 100644
index 00000000..736a3d8f
--- /dev/null
+++ b/spec/actions/add_ons/apply_template_to_values_spec.rb
@@ -0,0 +1,22 @@
+require 'rails_helper'
+
+RSpec.describe AddOns::ApplyTemplateToValues do
+  let(:add_on) { build(:add_on) }
+  let(:template) do
+    {
+      'master.persistence.size' => { 'type' => 'size', 'value' => '10', 'unit' => 'Gi' },
+      'replica.replicaCount' => '5'
+    }
+  end
+
+  before do
+    add_on.metadata['template'] = template
+    add_on.chart_type = "redis"
+  end
+
+  it 'applies template values correctly' do
+    described_class.execute(add_on:)
+    expect(add_on.values['master']['persistence']['size']).to eq('10Gi')
+    expect(add_on.values['replica']['replicaCount']).to eq(5)
+  end
+end
diff --git a/spec/actions/add_ons/create_spec.rb b/spec/actions/add_ons/create_spec.rb
index 1a7d60d0..ff821b1b 100644
--- a/spec/actions/add_ons/create_spec.rb
+++ b/spec/actions/add_ons/create_spec.rb
@@ -2,7 +2,7 @@ require 'rails_helper'
 
 RSpec.describe AddOns::Create do
   let(:add_on) { build(:add_on) }
-  let(:chart_details) { { 'name' => 'test-chart', 'version' => '1.0.0' } }
+  let(:chart_details) { { 'name' => 'redis', 'version' => '1.0.0' } }
 
   before do
     allow(AddOns::HelmChartDetails).to receive(:execute).and_return(
@@ -12,53 +12,40 @@ RSpec.describe AddOns::Create do
 
   describe 'errors' do
     context 'there is a project with the same name in the same cluster' do
-      let!(:project) { create(:project, name: add_on.name, cluster: add_on.cluster) }
+      let!(:project) { create(:project, name: add_on.name, cluster: add_on.cluster, namespace: 'taken') }
+      let(:add_on) { build(:add_on, namespace: 'taken') }
+
       it 'raises an error' do
-        result = described_class.execute(add_on:)
+        result = described_class.call(add_on)
         expect(result.failure?).to be_truthy
       end
     end
   end
 
-  describe '#execute' do
-    it 'applies template and fetches package details' do
-      expect(add_on).to receive(:save)
-      result = described_class.execute(add_on:)
-      expect(result.add_on.metadata['package_details']).to eq(chart_details)
-    end
-
-    context 'when package details fetch fails' do
-      before do
-        allow(AddOns::HelmChartDetails).to receive(:execute).and_return(
-          double(success?: false, failure?: true)
-        )
-      end
-
-      it 'adds error and returns' do
-        result = described_class.execute(add_on:)
-        expect(result.failure?).to be_truthy
-        expect(result.add_on.errors[:base]).to include('Failed to fetch package details')
-      end
-    end
-  end
-
-  describe '.apply_template_to_values' do
-    let(:template) do
-      {
-        'master.persistence.size' => { 'type' => 'size', 'value' => '10', 'unit' => 'Gi' },
-        'replica.replicaCount' => '5'
+  let(:params) do
+    ActionController::Parameters.new({
+      add_on: {
+        name: 'redis-main',
+        chart_type: 'redis',
+        metadata: {
+          redis: {
+            template: {
+              'replicas' => 3,
+              'master.persistence.size' => {
+                'type' => 'size',
+                'value' => '2',
+                'unit' => 'Gi'
+              }
+            }
+          }
+        }
       }
-    end
+    })
+  end
 
-    before do
-      add_on.metadata['template'] = template
-      add_on.chart_type = "redis"
-    end
-
-    it 'applies template values correctly' do
-      described_class.apply_template_to_values(add_on)
-      expect(add_on.values['master']['persistence']['size']).to eq('10Gi')
-      expect(add_on.values['replica']['replicaCount']).to eq(5)
-    end
+  it 'can create an add on successfully' do
+    add_on = AddOn.new(AddOns::Create.parse_params(params))
+    result = described_class.call(add_on)
+    expect(result.success?).to be_truthy
   end
 end
diff --git a/spec/actions/add_ons/set_package_details_spec.rb b/spec/actions/add_ons/set_package_details_spec.rb
new file mode 100644
index 00000000..09be11a4
--- /dev/null
+++ b/spec/actions/add_ons/set_package_details_spec.rb
@@ -0,0 +1,31 @@
+require 'rails_helper'
+
+RSpec.describe AddOns::SetPackageDetails do
+  let(:add_on) { build(:add_on) }
+  let(:chart_details) { { 'name' => 'test-chart', 'version' => '1.0.0' } }
+
+  before do
+    allow(AddOns::HelmChartDetails).to receive(:execute).and_return(
+      double(success?: true, failure?: false, response: chart_details)
+    )
+  end
+
+  it 'fetches package details and saves to add on' do
+    result = described_class.execute(add_on:)
+    expect(result.add_on.metadata['package_details']).to eq(chart_details)
+  end
+
+  context 'when package details fetch fails' do
+    before do
+      allow(AddOns::HelmChartDetails).to receive(:execute).and_return(
+        double(success?: false, failure?: true)
+      )
+    end
+
+    it 'adds error and returns' do
+      result = described_class.execute(add_on:)
+      expect(result.failure?).to be_truthy
+      expect(result.add_on.errors[:base]).to include('Failed to fetch package details')
+    end
+  end
+end
diff --git a/spec/actions/namespaced/set_up_namespace_spec.rb b/spec/actions/namespaced/set_up_namespace_spec.rb
new file mode 100644
index 00000000..714db2a6
--- /dev/null
+++ b/spec/actions/namespaced/set_up_namespace_spec.rb
@@ -0,0 +1,26 @@
+require 'rails_helper'
+
+RSpec.describe Namespaced::SetUpNamespace do
+  let(:subject) { described_class.execute(namespaced: project) }
+
+  context "canine managed namespace" do
+    let(:project) { build(:project, managed_namespace: true, namespace: "") }
+
+    it "autosets the name" do
+      result = subject
+
+      expect(result.namespaced.namespace).to eq(project.name)
+      expect(result.namespaced.errors).to be_empty
+    end
+  end
+
+  context "self managed" do
+    let(:project) { build(:project, managed_namespace: false, namespace: "") }
+
+    it "raises error" do
+      result = subject
+      expect(result.namespaced.errors).to be_present
+      expect(result.failure?).to be_truthy
+    end
+  end
+end
diff --git a/spec/actions/projects/validate_namespace_spec.rb b/spec/actions/namespaced/validate_namespace_spec.rb
similarity index 83%
rename from spec/actions/projects/validate_namespace_spec.rb
rename to spec/actions/namespaced/validate_namespace_spec.rb
index bebaa1ef..e9f0b644 100644
--- a/spec/actions/projects/validate_namespace_spec.rb
+++ b/spec/actions/namespaced/validate_namespace_spec.rb
@@ -1,6 +1,6 @@
 require 'rails_helper'
 
-RSpec.describe Projects::ValidateNamespace do
+RSpec.describe Namespaced::ValidateNamespace do
   let(:cluster) { create(:cluster) }
   let(:user) { create(:user) }
   let(:k8_client) { instance_double(K8::Client) }
@@ -23,7 +23,7 @@ RSpec.describe Projects::ValidateNamespace do
         end
 
         it 'fails' do
-          expect(described_class.execute(project:, user: user)).to be_failure
+          expect(described_class.execute(namespaced: project, user:)).to be_failure
         end
       end
 
@@ -35,7 +35,7 @@ RSpec.describe Projects::ValidateNamespace do
         end
 
         it 'succeeds' do
-          expect(described_class.execute(project:, user:)).to be_success
+          expect(described_class.execute(namespaced: project, user:)).to be_success
         end
       end
     end
@@ -56,7 +56,7 @@ RSpec.describe Projects::ValidateNamespace do
         end
 
         it 'succeeds' do
-          expect(described_class.execute(project: project, user: user)).to be_success
+          expect(described_class.execute(namespaced: project, user: user)).to be_success
         end
       end
 
@@ -71,7 +71,7 @@ RSpec.describe Projects::ValidateNamespace do
           end
 
           it 'fails with error message' do
-            result = described_class.execute(project: project, user: user)
+            result = described_class.execute(namespaced: project, user: user)
             expect(result).to be_failure
             expect(result.message).to include("already exists")
           end
@@ -83,7 +83,7 @@ RSpec.describe Projects::ValidateNamespace do
           end
 
           it 'succeeds' do
-            result = described_class.execute(project: project, user: user)
+            result = described_class.execute(namespaced: project, user: user)
             expect(result).to be_success
           end
         end
diff --git a/spec/actions/projects/create_spec.rb b/spec/actions/projects/create_spec.rb
index c72a83da..ad5bab9c 100644
--- a/spec/actions/projects/create_spec.rb
+++ b/spec/actions/projects/create_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe Projects::Create do
 
   before do
     allow(Projects::ValidateGitRepository).to receive(:execute)
-    allow(Projects::ValidateNamespace).to receive(:execute)
+    allow(Namespaced::ValidateNamespace).to receive(:execute)
     allow(Projects::RegisterGitWebhook).to receive(:execute)
   end
 
@@ -156,7 +156,9 @@ RSpec.describe Projects::Create do
       it 'validates with github and registers webhooks' do
         expect(subject).to eq([
           Projects::ValidateGitRepository,
-          Projects::ValidateNamespace,
+          Projects::Create::ToNamespaced,
+          Namespaced::SetUpNamespace,
+          Namespaced::ValidateNamespace,
           Projects::InitializeBuildPacks,
           Projects::Save,
           Projects::RegisterGitWebhook
@@ -172,7 +174,9 @@ RSpec.describe Projects::Create do
       it 'validates with github and does not register webhooks' do
         expect(subject).to eq([
           Projects::ValidateGitRepository,
-          Projects::ValidateNamespace,
+          Projects::Create::ToNamespaced,
+          Namespaced::SetUpNamespace,
+          Namespaced::ValidateNamespace,
           Projects::InitializeBuildPacks,
           Projects::Save
         ])
diff --git a/spec/actions/projects/set_up_namespace_spec.rb b/spec/actions/projects/set_up_namespace_spec.rb
index 9ab81eef..714db2a6 100644
--- a/spec/actions/projects/set_up_namespace_spec.rb
+++ b/spec/actions/projects/set_up_namespace_spec.rb
@@ -1,7 +1,7 @@
 require 'rails_helper'
 
-RSpec.describe Projects::SetUpNamespace do
-  let(:subject) { described_class.execute(project:) }
+RSpec.describe Namespaced::SetUpNamespace do
+  let(:subject) { described_class.execute(namespaced: project) }
 
   context "canine managed namespace" do
     let(:project) { build(:project, managed_namespace: true, namespace: "") }
@@ -9,8 +9,8 @@ RSpec.describe Projects::SetUpNamespace do
     it "autosets the name" do
       result = subject
 
-      expect(result.project.namespace).to eq(project.name)
-      expect(result.project.errors).to be_empty
+      expect(result.namespaced.namespace).to eq(project.name)
+      expect(result.namespaced.errors).to be_empty
     end
   end
 
@@ -19,7 +19,7 @@ RSpec.describe Projects::SetUpNamespace do
 
     it "raises error" do
       result = subject
-      expect(result.project.errors).to be_present
+      expect(result.namespaced.errors).to be_present
       expect(result.failure?).to be_truthy
     end
   end
diff --git a/spec/models/cluster_spec.rb b/spec/models/cluster_spec.rb
index 372143d2..ea6dccdc 100644
--- a/spec/models/cluster_spec.rb
+++ b/spec/models/cluster_spec.rb
@@ -29,8 +29,8 @@ RSpec.describe Cluster, type: :model do
     let!(:add_on) { create(:add_on, cluster: cluster) }
 
     it 'returns the reserved namespaces and project/add_on names' do
-      expect(cluster.namespaces).to include(project.name)
-      expect(cluster.namespaces).to include(add_on.name)
+      expect(cluster.namespaces).to include(project.namespace)
+      expect(cluster.namespaces).to include(add_on.namespace)
     end
   end
 end
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index a2ca4809..76b384c5 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -37,12 +37,12 @@ require 'rails_helper'
 
 RSpec.describe Project, type: :model do
   let(:cluster) { create(:cluster) }
-  let(:project) { build(:project, cluster: cluster, account: cluster.account) }
+  let(:project) { build(:project, cluster:, account: cluster.account, namespace: "taken") }
 
   describe 'validations' do
     context 'when name is not unique to the cluster' do
       before do
-        create(:project, name: project.name, cluster: cluster)
+        create(:project, name: project.name, cluster:, namespace: "taken")
       end
 
       it 'is not valid' do

From 0ab942f21ed03900273e57df4d91680cbc0bdab3 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 26 Nov 2025 01:54:10 -0800
Subject: [PATCH 13/75] specs passing

---
 app/actions/add_ons/apply_template_to_values.rb |  2 +-
 app/actions/add_ons/create.rb                   |  7 +++++--
 app/actions/add_ons/save.rb                     |  2 +-
 app/actions/add_ons/set_package_details.rb      |  2 +-
 app/actions/projects/create.rb                  |  2 +-
 app/controllers/add_ons_controller.rb           |  2 +-
 spec/actions/add_ons/create_spec.rb             | 10 +++++++---
 7 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/app/actions/add_ons/apply_template_to_values.rb b/app/actions/add_ons/apply_template_to_values.rb
index a388cdb6..8d508e52 100644
--- a/app/actions/add_ons/apply_template_to_values.rb
+++ b/app/actions/add_ons/apply_template_to_values.rb
@@ -22,4 +22,4 @@ class AddOns::ApplyTemplateToValues
       end
     end
   end
-end
\ No newline at end of file
+end
diff --git a/app/actions/add_ons/create.rb b/app/actions/add_ons/create.rb
index 5994d24c..ef0f1d0a 100644
--- a/app/actions/add_ons/create.rb
+++ b/app/actions/add_ons/create.rb
@@ -27,8 +27,11 @@ class AddOns::Create
 
   extend LightService::Organizer
 
-  def self.call(add_on)
-    with(add_on:).reduce(
+  def self.call(add_on, user)
+    with(add_on:, user:).reduce(
+      AddOns::Create::ToNamespaced,
+      Namespaced::SetUpNamespace,
+      Namespaced::ValidateNamespace,
       AddOns::ApplyTemplateToValues,
       AddOns::SetPackageDetails,
       AddOns::Save
diff --git a/app/actions/add_ons/save.rb b/app/actions/add_ons/save.rb
index a3b0c522..3b0c564b 100644
--- a/app/actions/add_ons/save.rb
+++ b/app/actions/add_ons/save.rb
@@ -7,4 +7,4 @@ class AddOns::Save
       context.fail_and_return!("Failed to create add on")
     end
   end
-end
\ No newline at end of file
+end
diff --git a/app/actions/add_ons/set_package_details.rb b/app/actions/add_ons/set_package_details.rb
index dc42bb10..02e2033c 100644
--- a/app/actions/add_ons/set_package_details.rb
+++ b/app/actions/add_ons/set_package_details.rb
@@ -15,4 +15,4 @@ class AddOns::SetPackageDetails
     result.response.delete('readme')
     add_on.metadata['package_details'] = result.response
   end
-end
\ No newline at end of file
+end
diff --git a/app/actions/projects/create.rb b/app/actions/projects/create.rb
index cc18d813..b4394654 100644
--- a/app/actions/projects/create.rb
+++ b/app/actions/projects/create.rb
@@ -98,4 +98,4 @@ class Projects::Create
   rescue ActiveRecord::RecordNotFound
     raise "Provider #{provider_id} not found"
   end
-end
\ No newline at end of file
+end
diff --git a/app/controllers/add_ons_controller.rb b/app/controllers/add_ons_controller.rb
index 3b804349..83819787 100644
--- a/app/controllers/add_ons_controller.rb
+++ b/app/controllers/add_ons_controller.rb
@@ -40,7 +40,7 @@ class AddOnsController < ApplicationController
   # POST /add_ons or /add_ons.json
   def create
     params = AddOns::Create.parse_params(params)
-    result = AddOns::Create.execute(add_on: AddOn.new(params))
+    result = AddOns::Create.call(AddOn.new(params), user)
     @add_on = result.add_on
     # Uncomment to authorize with Pundit
     # authorize @add_on
diff --git a/spec/actions/add_ons/create_spec.rb b/spec/actions/add_ons/create_spec.rb
index ff821b1b..8cbc4a46 100644
--- a/spec/actions/add_ons/create_spec.rb
+++ b/spec/actions/add_ons/create_spec.rb
@@ -1,10 +1,12 @@
 require 'rails_helper'
 
 RSpec.describe AddOns::Create do
+  let(:cluster) { create(:cluster) }
   let(:add_on) { build(:add_on) }
   let(:chart_details) { { 'name' => 'redis', 'version' => '1.0.0' } }
 
   before do
+    allow(Namespaced::ValidateNamespace).to receive(:execute)
     allow(AddOns::HelmChartDetails).to receive(:execute).and_return(
       double(success?: true, failure?: false, response: chart_details)
     )
@@ -16,7 +18,7 @@ RSpec.describe AddOns::Create do
       let(:add_on) { build(:add_on, namespace: 'taken') }
 
       it 'raises an error' do
-        result = described_class.call(add_on)
+        result = described_class.call(add_on, cluster.account.owner)
         expect(result.failure?).to be_truthy
       end
     end
@@ -27,10 +29,12 @@ RSpec.describe AddOns::Create do
       add_on: {
         name: 'redis-main',
         chart_type: 'redis',
+        chart_url: 'bitnami/redis',
+        cluster_id: cluster.id,
         metadata: {
           redis: {
             template: {
-              'replicas' => 3,
+              'replica.replicaCount' => 3,
               'master.persistence.size' => {
                 'type' => 'size',
                 'value' => '2',
@@ -45,7 +49,7 @@ RSpec.describe AddOns::Create do
 
   it 'can create an add on successfully' do
     add_on = AddOn.new(AddOns::Create.parse_params(params))
-    result = described_class.call(add_on)
+    result = described_class.call(add_on, cluster.account.owner)
     expect(result.success?).to be_truthy
   end
 end

From b1dd1e95a6651414dccbaf7631fff4f5126aa943 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 27 Nov 2025 02:35:14 +0900
Subject: [PATCH 14/75] updates

---
 lib/devise/strategies/ldap_authenticatable.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index 35621fff..223bce8b 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -85,6 +85,7 @@ module Devise
       end
 
       def get_group_information(user)
+        # ldap.search(base: "ou=Groups,dc=example,dc=org", filter: Net::LDAP::Filter.eq("memberUid", user_dn))
         return [
           {
             name: "developers",

From 9332f62afe48cf77c4b9c7bde857906947429b76 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 26 Nov 2025 14:57:02 -0800
Subject: [PATCH 15/75] added fix for pod_yaml

---
 .../projects/services/_advanced.html.erb      |  2 +-
 config/initializers/core_extensions.rb        |  8 ++++++++
 resources/k8/stateless/cron_job.yaml          |  2 +-
 resources/k8/stateless/deployment.yaml        |  2 +-
 spec/initializers/core_extensions_spec.rb     | 20 +++++++++++++++++++
 5 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 config/initializers/core_extensions.rb
 create mode 100644 spec/initializers/core_extensions_spec.rb

diff --git a/app/views/projects/services/_advanced.html.erb b/app/views/projects/services/_advanced.html.erb
index 2cec9e48..0279d8b5 100644
--- a/app/views/projects/services/_advanced.html.erb
+++ b/app/views/projects/services/_advanced.html.erb
@@ -40,7 +40,7 @@
           placeholder: "# Example:\ncontainers:\n  - name: sidecar\n    image: nginx:latest\nvolumes:\n  - name: cache\n    emptyDir: {}",
           class: "textarea textarea-bordered font-mono text-sm w-full",
           data: { yaml_editor_target: "textarea" },
-          value: @service.pod_yaml.present? ? @service.pod_yaml.to_yaml : "" %>
+          value: @service.pod_yaml.present? ? @service.pod_yaml.to_yaml_raw : "" %>
         <div data-yaml-editor-target="editor"></div>
         <label class="label">
           <span class="label-text-alt">Enter valid YAML for pod template spec fields</span>
diff --git a/config/initializers/core_extensions.rb b/config/initializers/core_extensions.rb
new file mode 100644
index 00000000..42e30f31
--- /dev/null
+++ b/config/initializers/core_extensions.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class Hash
+  # Converts hash to YAML without the document start marker (---)
+  def to_yaml_raw
+    to_yaml.sub(/\A---\n?/, "")
+  end
+end
diff --git a/resources/k8/stateless/cron_job.yaml b/resources/k8/stateless/cron_job.yaml
index c15a1e43..72e38b74 100644
--- a/resources/k8/stateless/cron_job.yaml
+++ b/resources/k8/stateless/cron_job.yaml
@@ -75,5 +75,5 @@ spec:
           <% end %>
           <% end %>
           <% if service.pod_yaml.present? %>
-<%= service.pod_yaml %>
+<%= service.pod_yaml.to_yaml_raw %>
           <% end %>
diff --git a/resources/k8/stateless/deployment.yaml b/resources/k8/stateless/deployment.yaml
index 24103552..125435fe 100644
--- a/resources/k8/stateless/deployment.yaml
+++ b/resources/k8/stateless/deployment.yaml
@@ -95,5 +95,5 @@ spec:
       <% end %>
       <% end %>
       <% if service.pod_yaml.present? %>
-<%= service.pod_yaml %>
+<%= service.pod_yaml.to_yaml_raw %>
       <% end %>
diff --git a/spec/initializers/core_extensions_spec.rb b/spec/initializers/core_extensions_spec.rb
new file mode 100644
index 00000000..3d41d8c2
--- /dev/null
+++ b/spec/initializers/core_extensions_spec.rb
@@ -0,0 +1,20 @@
+require "rails_helper"
+
+RSpec.describe "Hash#to_yaml_raw" do
+  it "returns YAML without the document start marker" do
+    hash = { "nodeSelector" => { "gpu" => "true" } }
+
+    result = hash.to_yaml_raw
+
+    expect(result).to eq("nodeSelector:\n  gpu: 'true'\n")
+  end
+
+  it "produces valid YAML that can be parsed back" do
+    hash = { name: "test", items: [ 1, 2, 3 ] }
+
+    result = hash.to_yaml_raw
+    parsed = YAML.safe_load(result, permitted_classes: [ Symbol ], permitted_symbols: [ :name, :items ])
+
+    expect(parsed).to eq(hash)
+  end
+end

From f381c89643ce6ba4494828f0915edf40d5de8346 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 26 Nov 2025 15:27:07 -0800
Subject: [PATCH 16/75] added templating fixes

---
 app/actions/services/update.rb         | 5 +++--
 app/jobs/projects/deployment_job.rb    | 2 +-
 app/services/k8/kubectl.rb             | 9 +++++++++
 resources/k8/stateless/cron_job.yaml   | 6 +++---
 resources/k8/stateless/deployment.yaml | 8 ++++----
 5 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/app/actions/services/update.rb b/app/actions/services/update.rb
index 7380e328..47567e14 100644
--- a/app/actions/services/update.rb
+++ b/app/actions/services/update.rb
@@ -6,8 +6,9 @@ class Services::Update
 
   executed do |context|
     context.service.update(Service.permitted_params(context.params))
-    if context.service.cron_job?
-      context.service.cron_schedule.update(context.params[:service][:cron_schedule].permit(:schedule))
+    if context.service.cron_job? && context.params[:service][:cron_schedule].present?
+      context.service.cron_schedule.update(
+        context.params[:service][:cron_schedule].permit(:schedule))
     end
     context.service.updated!
   end
diff --git a/app/jobs/projects/deployment_job.rb b/app/jobs/projects/deployment_job.rb
index cfa040ef..7fa11692 100644
--- a/app/jobs/projects/deployment_job.rb
+++ b/app/jobs/projects/deployment_job.rb
@@ -11,7 +11,7 @@ class Projects::DeploymentJob < ApplicationJob
     project = deployment.project
     connection = K8::Connection.new(project, user, allow_anonymous: true)
     kubectl = create_kubectl(deployment, connection)
-    kubectl.register_after_apply do |yaml_content|
+    kubectl.register_before_apply do |yaml_content|
       deployment.add_manifest(yaml_content)
     end
 
diff --git a/app/services/k8/kubectl.rb b/app/services/k8/kubectl.rb
index 399852e2..e0ae909e 100644
--- a/app/services/k8/kubectl.rb
+++ b/app/services/k8/kubectl.rb
@@ -11,14 +11,23 @@ class K8::Kubectl
       raise "Kubeconfig is required"
     end
     @runner = runner
+    @before_apply_blocks = []
     @after_apply_blocks = []
   end
 
+  def register_before_apply(&block)
+    @before_apply_blocks << block
+  end
+
   def register_after_apply(&block)
     @after_apply_blocks << block
   end
 
   def apply_yaml(yaml_content)
+    @before_apply_blocks.each do |block|
+      block.call(yaml_content)
+    end
+
     with_kube_config do |kubeconfig_file|
       # Create a temporary file for the YAML content
       Tempfile.open([ "k8s", ".yaml" ]) do |yaml_file|
diff --git a/resources/k8/stateless/cron_job.yaml b/resources/k8/stateless/cron_job.yaml
index 72e38b74..bf054190 100644
--- a/resources/k8/stateless/cron_job.yaml
+++ b/resources/k8/stateless/cron_job.yaml
@@ -15,6 +15,9 @@ spec:
     spec:
       template:
         spec:
+      <% if service.pod_yaml.present? %>
+<%= service.pod_yaml.to_yaml_raw.to_s.lines.map { |line| "          #{line}" }.join %>
+      <% end %>
           containers:
           - name: <%= project.name %>
             image: <%= project.container_image_reference %>
@@ -74,6 +77,3 @@ spec:
             # Add your volume specifications here (e.g., persistentVolumeClaim, configMap, etc.)
           <% end %>
           <% end %>
-          <% if service.pod_yaml.present? %>
-<%= service.pod_yaml.to_yaml_raw %>
-          <% end %>
diff --git a/resources/k8/stateless/deployment.yaml b/resources/k8/stateless/deployment.yaml
index 125435fe..b1bd6b68 100644
--- a/resources/k8/stateless/deployment.yaml
+++ b/resources/k8/stateless/deployment.yaml
@@ -21,6 +21,9 @@ spec:
       labels:
         app: <%= service.name %>
     spec:
+      <% if service.pod_yaml.present? %>
+<%= service.pod_yaml.to_yaml_raw.to_s.lines.map { |line| "      #{line}" }.join %>
+      <% end %>
       containers:
       - name: <%= project.name %>
         image: <%= project.container_image_reference %>
@@ -93,7 +96,4 @@ spec:
         persistentVolumeClaim:
           claimName: <%= volume.name %>
       <% end %>
-      <% end %>
-      <% if service.pod_yaml.present? %>
-<%= service.pod_yaml.to_yaml_raw %>
-      <% end %>
+      <% end %>
\ No newline at end of file

From 60c2e47c8b46c417384a17e8f84e4766d6150427 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 27 Nov 2025 13:41:47 -0800
Subject: [PATCH 17/75] fix bugs

---
 .../expandable_optional_input_controller.js   | 25 ++++++++---
 .../namespace_input_group_controller.js       | 11 +++++
 app/models/add_on.rb                          |  1 +
 app/models/project.rb                         |  1 +
 .../build_configurations/_form.html.erb       | 42 ++++++++++++-------
 .../projects/create/_new_form_git.html.erb    | 10 -----
 .../create/_select_credentials.html.erb       |  3 +-
 .../partials/_namespace_input_group.html.erb  |  6 +--
 8 files changed, 65 insertions(+), 34 deletions(-)
 create mode 100644 app/javascript/controllers/namespace_input_group_controller.js

diff --git a/app/javascript/controllers/expandable_optional_input_controller.js b/app/javascript/controllers/expandable_optional_input_controller.js
index 43ec28a0..c22b7504 100644
--- a/app/javascript/controllers/expandable_optional_input_controller.js
+++ b/app/javascript/controllers/expandable_optional_input_controller.js
@@ -4,14 +4,29 @@ export default class extends Controller {
   static targets = ["container"]
 
   connect() {
-    this.containerTarget.classList.add("hidden", "opacity-0", "transition-all")
+    // Initial setup: hidden + transparent + transition classes
+    this.containerTarget.classList.add(
+      "hidden",          // prevent layout
+      "opacity-0",       // starting transparency
+      "transition-all",
+      "duration-500"     // control speed
+    )
   }
 
   show(e) {
-    e.preventDefault();
+    e.preventDefault()
 
+    // Hide the button
     e.target.classList.add("hidden")
-    this.containerTarget.classList.remove("hidden", "opacity-0")
-    this.containerTarget.classList.add("opacity-100", "duration-500")
+
+    // Step 1: unhide but keep opacity-0
+    this.containerTarget.classList.remove("hidden")
+
+    // Step 2: allow browser to register this initial state
+    requestAnimationFrame(() => {
+      // Step 3: now fade to opacity-100 → animation occurs
+      this.containerTarget.classList.add("opacity-100")
+      this.containerTarget.classList.remove("opacity-0")
+    })
   }
-}
\ No newline at end of file
+}
diff --git a/app/javascript/controllers/namespace_input_group_controller.js b/app/javascript/controllers/namespace_input_group_controller.js
new file mode 100644
index 00000000..ddf0d032
--- /dev/null
+++ b/app/javascript/controllers/namespace_input_group_controller.js
@@ -0,0 +1,11 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  connect() {
+    console.log("NamespaceInputGroupController connected")
+  }
+
+  toggleManagedNamespace() {
+
+  }
+}
diff --git a/app/models/add_on.rb b/app/models/add_on.rb
index fff705b7..14857446 100644
--- a/app/models/add_on.rb
+++ b/app/models/add_on.rb
@@ -44,6 +44,7 @@ class AddOn < ApplicationRecord
   validates :name, presence: true, format: { with: /\A[a-z0-9-]+\z/, message: "must be lowercase, numbers, and hyphens only" }
   validates_presence_of :chart_url
   validate :has_package_details, if: :helm_chart?
+  validates_uniqueness_of :name, scope: :cluster_id
 
   after_update_commit do
     broadcast_replace_later_to [ self, :install_stage ], target: dom_id(self, :install_stage), partial: "add_ons/install_stage", locals: { add_on: self }
diff --git a/app/models/project.rb b/app/models/project.rb
index c377e8aa..557ad44d 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -69,6 +69,7 @@ class Project < ApplicationRecord
   validates_presence_of :project_fork_cluster_id, unless: :forks_disabled?
   validate :project_fork_cluster_id_is_owned_by_account
   validates_presence_of :build_configuration, if: :git?
+  validates_uniqueness_of :name, scope: :cluster_id
 
   after_save_commit do
     broadcast_replace_to [ self, :status ], target: dom_id(self, :status), partial: "projects/status", locals: { project: self }
diff --git a/app/views/projects/build_configurations/_form.html.erb b/app/views/projects/build_configurations/_form.html.erb
index 58421f67..36adc383 100644
--- a/app/views/projects/build_configurations/_form.html.erb
+++ b/app/views/projects/build_configurations/_form.html.erb
@@ -67,22 +67,34 @@
           <span class="label-text-alt">Select a credential that gives access to a container registry</span>
         </label>
       </div>
-      <div class="form-control mt-1 mb-2 w-full max-w-md">
-        <label class="label">
-          <span class="label-text">Image repository</span>
-        </label>
-        <%= bc_form.text_field(
-          :image_repository,
-          class: "input input-bordered w-full focus:outline-offset-0",
-          value: build_configuration.image_repository,
-          placeholder: "namespace/repo",
-          pattern: "[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]/[a-zA-Z0-9._-]+",
-          title: "Must be in the format 'namespace/repo'"
-        ) %>
-        <label class="label">
-          <span class="label-text-alt">If this is left blank, a container registry will be automatically created for you.</span>
-        </label>
+
+      <div data-controller="expandable-optional-input">
+        <div>
+          <a data-action="expandable-optional-input#show" class="btn btn-ghost">
+            + Choose custom image registry
+          </a>
+        </div>
+
+        <div data-expandable-optional-input-target="container">
+          <div class="form-control mt-1 mb-2 w-full max-w-md">
+            <label class="label">
+              <span class="label-text">Image repository</span>
+            </label>
+            <%= bc_form.text_field(
+              :image_repository,
+              class: "input input-bordered w-full focus:outline-offset-0",
+              value: build_configuration.image_repository,
+              placeholder: "namespace/repo",
+              pattern: "[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]/[a-zA-Z0-9._-]+",
+              title: "Must be in the format 'namespace/repo'"
+            ) %>
+            <label class="label">
+              <span class="label-text-alt">If this is left blank, a container registry will be automatically created for you.</span>
+            </label>
+          </div>
+        </div>
       </div>
+
       <div class="form-control mt-4">
         <label class="label mb-2">
           <span class="label-text">Build method</span>
diff --git a/app/views/projects/create/_new_form_git.html.erb b/app/views/projects/create/_new_form_git.html.erb
index 7d6fb586..34e0fa83 100644
--- a/app/views/projects/create/_new_form_git.html.erb
+++ b/app/views/projects/create/_new_form_git.html.erb
@@ -31,16 +31,6 @@
         </label>
       <% end %>
 
-      <%= render(FormFieldComponent.new(
-        label: "Namespace",
-        description: "The namespace your application is deployed to."
-      )) do %>
-        <%= form.text_field :namespace, current_account.clusters.running, :id, :name, {}, { class: "select select-bordered w-full" } %>
-        <label class="label">
-          <span class="label-text-alt">If this is left blank, a namespace will be created automatically.</span>
-        </label>
-      <% end %>
-
       <%= render(FormFieldComponent.new(
         label: "Git Credentials",
         description: "The credentials to use to connect to your Git repository"
diff --git a/app/views/projects/create/_select_credentials.html.erb b/app/views/projects/create/_select_credentials.html.erb
index aa0dfca8..85f73013 100644
--- a/app/views/projects/create/_select_credentials.html.erb
+++ b/app/views/projects/create/_select_credentials.html.erb
@@ -10,11 +10,12 @@
     },
     {
       class: "select select-bordered w-full",
+      required: true,
       data: {
         "new-project-target": "provider",
         action: "change->new-project#selectProvider",
       }
-    }
+    },
   ) %>
 <% end %>
 <div class="label">
diff --git a/app/views/shared/partials/_namespace_input_group.html.erb b/app/views/shared/partials/_namespace_input_group.html.erb
index 2268998f..63cbf5f7 100644
--- a/app/views/shared/partials/_namespace_input_group.html.erb
+++ b/app/views/shared/partials/_namespace_input_group.html.erb
@@ -4,12 +4,12 @@
       + Add namespace configuration
     </a>
   </div>
-  <div data-expandable-optional-input-target="container">
+  <div data-expandable-optional-input-target="container" data-controller="namespace-input-group">
     <%= render(FormFieldComponent.new(
       label: "Namespace",
       description: "The namespace your application is deployed to."
     )) do %>
-      <%= form.text_field :namespace, class: "input input-bordered w-full focus:outline-offset-0", autofocus: true, required: true %>
+      <%= form.text_field :namespace, class: "input input-bordered w-full focus:outline-offset-0", autofocus: true %>
       <label class="label">
         <span class="label-text-alt">If this is left blank, a namespace will be created automatically.</span>
       </label>
@@ -19,7 +19,7 @@
           <div class="label-text cursor-pointer">
             Automatically create namespace
           </div>
-          <%= form.check_box :managed_namespace, class: "checkbox" %>
+          <%= form.check_box :managed_namespace, class: "checkbox", data: { action: "namespace-input-group#toggleManagedNamespace" } %>
         </label>
       </div>
       <label class="label">

From 96abdfdb35c66b3bb93e37ed9de298cf1b9a57c1 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 27 Nov 2025 14:44:31 -0800
Subject: [PATCH 18/75] updated add ons install

---
 app/actions/add_ons/uninstall_helm_chart.rb     |  2 +-
 app/controllers/add_ons_controller.rb           |  4 ++--
 app/jobs/projects/deployment_job.rb             |  4 +++-
 app/jobs/projects/destroy_job.rb                | 12 ++++++------
 resources/k8/namespace.yaml                     |  2 +-
 .../add_ons/uninstall_helm_chart_spec.rb        | 17 +++++++++++++++++
 6 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/app/actions/add_ons/uninstall_helm_chart.rb b/app/actions/add_ons/uninstall_helm_chart.rb
index f4b2cb37..0678e093 100644
--- a/app/actions/add_ons/uninstall_helm_chart.rb
+++ b/app/actions/add_ons/uninstall_helm_chart.rb
@@ -12,7 +12,7 @@ class AddOns::UninstallHelmChart
     end
 
     client = K8::Client.new(connection)
-    if (namespace = client.get_namespaces.find { |n| n.metadata.name == add_on.name }).present?
+    if add_on.managed_namespace? && (namespace = client.get_namespaces.find { |n| n.metadata.name == add_on.namespace }).present?
       client.delete_namespace(namespace.metadata.name)
     end
 
diff --git a/app/controllers/add_ons_controller.rb b/app/controllers/add_ons_controller.rb
index 83819787..c78e5f9d 100644
--- a/app/controllers/add_ons_controller.rb
+++ b/app/controllers/add_ons_controller.rb
@@ -39,8 +39,8 @@ class AddOnsController < ApplicationController
 
   # POST /add_ons or /add_ons.json
   def create
-    params = AddOns::Create.parse_params(params)
-    result = AddOns::Create.call(AddOn.new(params), user)
+    add_on_params = AddOns::Create.parse_params(params)
+    result = AddOns::Create.call(AddOn.new(add_on_params), current_user)
     @add_on = result.add_on
     # Uncomment to authorize with Pundit
     # authorize @add_on
diff --git a/app/jobs/projects/deployment_job.rb b/app/jobs/projects/deployment_job.rb
index 627be866..7403e041 100644
--- a/app/jobs/projects/deployment_job.rb
+++ b/app/jobs/projects/deployment_job.rb
@@ -16,7 +16,9 @@ class Projects::DeploymentJob < ApplicationJob
     end
 
     # Create namespace
-    apply_namespace(project, kubectl)
+    if project.managed_namespace?
+      apply_namespace(project, kubectl)
+    end
 
     # Upload container registry secrets
     upload_registry_secrets(kubectl, deployment)
diff --git a/app/jobs/projects/destroy_job.rb b/app/jobs/projects/destroy_job.rb
index 20d61768..cc154e81 100644
--- a/app/jobs/projects/destroy_job.rb
+++ b/app/jobs/projects/destroy_job.rb
@@ -1,7 +1,9 @@
 class Projects::DestroyJob < ApplicationJob
   def perform(project, user)
     project.destroying!
-    delete_namespace(project, user)
+    if project.managed_namespace
+      delete_namespace(project, user)
+    end
 
     # Delete the github webhook for the project IF there are no more projects that refer to that repository
     # TODO: This might have overlapping repository urls across different providers.
@@ -14,11 +16,9 @@ class Projects::DestroyJob < ApplicationJob
   end
 
   def delete_namespace(project, user)
-    if project.managed_namespace
-      client = K8::Client.new(K8::Connection.new(project.cluster, user))
-      if (namespace = client.get_namespaces.find { |n| n.metadata.name == project.namespace }).present?
-        client.delete_namespace(namespace.metadata.name)
-      end
+    client = K8::Client.new(K8::Connection.new(project.cluster, user))
+    if (namespace = client.get_namespaces.find { |n| n.metadata.name == project.namespace }).present?
+      client.delete_namespace(namespace.metadata.name)
     end
   end
 
diff --git a/resources/k8/namespace.yaml b/resources/k8/namespace.yaml
index cd1e41af..822bd3dd 100644
--- a/resources/k8/namespace.yaml
+++ b/resources/k8/namespace.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: <%= nameable.name %>
+  name: <%= nameable.namespace %>
   labels:
     caninemanaged: 'true'
diff --git a/spec/actions/add_ons/uninstall_helm_chart_spec.rb b/spec/actions/add_ons/uninstall_helm_chart_spec.rb
index b7e4bd8d..1e417087 100644
--- a/spec/actions/add_ons/uninstall_helm_chart_spec.rb
+++ b/spec/actions/add_ons/uninstall_helm_chart_spec.rb
@@ -18,6 +18,23 @@ RSpec.describe AddOns::UninstallHelmChart do
   end
 
   describe '#execute' do
+    context 'with an unmanaged namespace' do
+      let(:add_on) { create(:add_on, managed_namespace: false) }
+      it 'does not delete the namespace' do
+        expect(client).not_to receive(:delete_namespace)
+        described_class.execute(connection:)
+      end
+    end
+
+    context 'with a managed namespace' do
+      it 'deletes the namespace' do
+        allow(client).to receive(:get_namespaces).and_return([ OpenStruct.new(metadata: OpenStruct.new(name: add_on.namespace)) ])
+        expect(client).to receive(:delete_namespace)
+
+        described_class.execute(connection:)
+      end
+    end
+
     it 'uninstalls the helm chart successfully' do
       expect(add_on).to receive(:uninstalled!)
       expect(add_on).to receive(:destroy!)

From 86f2be4428a855f0d2593c6c87424437767c7820 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 27 Nov 2025 20:08:52 -0800
Subject: [PATCH 19/75] wip

---
 lib/devise/strategies/ldap_authenticatable.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index 223bce8b..b60263eb 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -28,7 +28,7 @@ module Devise
             # LDAP authentication successful, find or create user
             email = construct_email(username, ldap_configuration)
             # Determine the groups
-            groups = get_group_information(username)
+            groups = get_group_information(ldap, user_dn)
             ActiveRecord::Base.transaction do
               user = User.find_or_create_by!(email: email) do |user|
                 password = SecureRandom.hex(32)
@@ -84,7 +84,8 @@ module Devise
         "#{username}@#{domain}"
       end
 
-      def get_group_information(user)
+      def get_group_information(ldap, user_dn)
+        debugger
         # ldap.search(base: "ou=Groups,dc=example,dc=org", filter: Net::LDAP::Filter.eq("memberUid", user_dn))
         return [
           {

From 63093e0d9d7b428c5737f7292254fe356555a6d5 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 28 Nov 2025 12:44:09 -0800
Subject: [PATCH 20/75] added catchphrase

---
 app/views/static/landing_page/_hero.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/static/landing_page/_hero.html.erb b/app/views/static/landing_page/_hero.html.erb
index 7dbd579c..f029bab4 100644
--- a/app/views/static/landing_page/_hero.html.erb
+++ b/app/views/static/landing_page/_hero.html.erb
@@ -22,7 +22,7 @@
       </div>
       <%= render "static/landing_page/announcement" %>
       <img class="h-[70px]" src="/images/logo-full.webp" alt="Canine">
-      <h1 class="mt-10 text-4xl font-bold tracking-tight text-white sm:text-6xl">A modern, open source alternative to Heroku</h1>
+      <h1 class="mt-10 text-4xl font-bold tracking-tight text-white sm:text-6xl">A Developer-friendly PaaS for your Kubernetes</h1>
       <p class="mt-6 text-lg leading-8 text-gray-300">Canine is an open source deployment platform that makes it easy to deploy and manage your applications.</p>
       <div class="mt-10 flex items-center gap-x-6">
         <%= link_to "Get started", new_user_registration_path, class: "rounded-md bg-indigo-500 px-3.5 py-2.5 text-sm font-semibold text-white shadow-sm hover:bg-indigo-400 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-400" %>

From 2e7010e558534d791649c2e4e50d29116cc2bb1e Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 29 Nov 2025 09:46:57 -0800
Subject: [PATCH 21/75] added some better ux

---
 app/actions/add_ons/filter.rb                 |  18 +++
 app/actions/add_ons/list.rb                   |  14 ++
 app/actions/add_ons/visible_to_user.rb        |  13 +-
 app/actions/clusters/filter.rb                |  18 +++
 app/actions/clusters/list.rb                  |  14 ++
 app/actions/clusters/visible_to_user.rb       |  13 +-
 app/actions/projects/filter.rb                |  18 +++
 app/actions/projects/list.rb                  |  14 ++
 app/actions/projects/visible_to_user.rb       |  13 +-
 app/controllers/accounts/teams_controller.rb  |   1 +
 app/controllers/add_ons_controller.rb         |   9 +-
 app/controllers/application_controller.rb     |   6 +
 app/controllers/clusters_controller.rb        |   9 +-
 app/controllers/projects_controller.rb        |   9 +-
 .../async_search_dropdown_controller.js       |   2 +-
 .../team_resource_search_controller.js        |  93 ++++++++++++
 app/models/account_user.rb                    |   4 +
 app/views/accounts/teams/_empty.html.erb      |  49 ++++++
 app/views/accounts/teams/_list.html.erb       |  95 +++++++-----
 .../accounts/teams/_resource_content.html.erb |  29 ++++
 .../accounts/teams/_resource_tabs.html.erb    |  11 ++
 .../teams/_team_resources_table.html.erb      |  37 +++++
 app/views/accounts/teams/index.html.erb       |  21 +--
 app/views/accounts/teams/show.html.erb        | 141 +++++++++++++-----
 app/views/layouts/_sidebar.html.erb           |  12 +-
 app/views/shared/_head.html.erb               |   4 +-
 spec/actions/add_ons/visible_to_user_spec.rb  |  33 +++-
 spec/actions/clusters/visible_to_user_spec.rb |  31 +++-
 spec/actions/projects/visible_to_user_spec.rb |  28 +++-
 29 files changed, 623 insertions(+), 136 deletions(-)
 create mode 100644 app/actions/add_ons/filter.rb
 create mode 100644 app/actions/add_ons/list.rb
 create mode 100644 app/actions/clusters/filter.rb
 create mode 100644 app/actions/clusters/list.rb
 create mode 100644 app/actions/projects/filter.rb
 create mode 100644 app/actions/projects/list.rb
 create mode 100644 app/javascript/controllers/team_resource_search_controller.js
 create mode 100644 app/views/accounts/teams/_empty.html.erb
 create mode 100644 app/views/accounts/teams/_resource_content.html.erb
 create mode 100644 app/views/accounts/teams/_resource_tabs.html.erb
 create mode 100644 app/views/accounts/teams/_team_resources_table.html.erb

diff --git a/app/actions/add_ons/filter.rb b/app/actions/add_ons/filter.rb
new file mode 100644
index 00000000..c7675878
--- /dev/null
+++ b/app/actions/add_ons/filter.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module AddOns
+  class Filter
+    extend LightService::Action
+
+    expects :params, :add_ons
+    promises :add_ons
+
+    executed do |context|
+      query = context.params[:q].to_s.strip
+
+      if query.present?
+        context.add_ons = context.add_ons.where("add_ons.name ILIKE ?", "%#{query}%")
+      end
+    end
+  end
+end
diff --git a/app/actions/add_ons/list.rb b/app/actions/add_ons/list.rb
new file mode 100644
index 00000000..759518c0
--- /dev/null
+++ b/app/actions/add_ons/list.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module AddOns
+  class List
+    extend LightService::Organizer
+
+    def self.call(account_user:, params: {})
+      with(account_user: account_user, params: params).reduce(
+        AddOns::VisibleToUser,
+        AddOns::Filter
+      )
+    end
+  end
+end
diff --git a/app/actions/add_ons/visible_to_user.rb b/app/actions/add_ons/visible_to_user.rb
index a63ded32..dc02602e 100644
--- a/app/actions/add_ons/visible_to_user.rb
+++ b/app/actions/add_ons/visible_to_user.rb
@@ -4,12 +4,19 @@ module AddOns
   class VisibleToUser
     extend LightService::Action
 
-    expects :user, :account
+    expects :account_user
     promises :add_ons
 
     executed do |context|
-      user = context.user
-      account = context.account
+      account_user = context.account_user
+      user = account_user.user
+      account = account_user.account
+
+      # Admins can see all add_ons in the account
+      if account_user.admin?
+        context.add_ons = AddOn.joins(:cluster).where(clusters: { account_id: account.id })
+        next context
+      end
 
       # If account has no teams, user can see all add_ons
       if account.teams.empty?
diff --git a/app/actions/clusters/filter.rb b/app/actions/clusters/filter.rb
new file mode 100644
index 00000000..181583d5
--- /dev/null
+++ b/app/actions/clusters/filter.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Clusters
+  class Filter
+    extend LightService::Action
+
+    expects :params, :clusters
+    promises :clusters
+
+    executed do |context|
+      query = context.params[:q].to_s.strip
+
+      if query.present?
+        context.clusters = context.clusters.where("clusters.name ILIKE ?", "%#{query}%")
+      end
+    end
+  end
+end
diff --git a/app/actions/clusters/list.rb b/app/actions/clusters/list.rb
new file mode 100644
index 00000000..d96c4a54
--- /dev/null
+++ b/app/actions/clusters/list.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Clusters
+  class List
+    extend LightService::Organizer
+
+    def self.call(account_user:, params: {})
+      with(account_user: account_user, params: params).reduce(
+        Clusters::VisibleToUser,
+        Clusters::Filter
+      )
+    end
+  end
+end
diff --git a/app/actions/clusters/visible_to_user.rb b/app/actions/clusters/visible_to_user.rb
index 245a701e..e52bb0d4 100644
--- a/app/actions/clusters/visible_to_user.rb
+++ b/app/actions/clusters/visible_to_user.rb
@@ -4,12 +4,19 @@ module Clusters
   class VisibleToUser
     extend LightService::Action
 
-    expects :user, :account
+    expects :account_user
     promises :clusters
 
     executed do |context|
-      user = context.user
-      account = context.account
+      account_user = context.account_user
+      user = account_user.user
+      account = account_user.account
+
+      # Admins can see all clusters in the account
+      if account_user.admin?
+        context.clusters = Cluster.where(account_id: account.id)
+        next context
+      end
 
       # If account has no teams, user can see all clusters
       if account.teams.empty?
diff --git a/app/actions/projects/filter.rb b/app/actions/projects/filter.rb
new file mode 100644
index 00000000..fdd43ee3
--- /dev/null
+++ b/app/actions/projects/filter.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Projects
+  class Filter
+    extend LightService::Action
+
+    expects :params, :projects
+    promises :projects
+
+    executed do |context|
+      query = context.params[:q].to_s.strip
+
+      if query.present?
+        context.projects = context.projects.where("projects.name ILIKE ?", "%#{query}%")
+      end
+    end
+  end
+end
diff --git a/app/actions/projects/list.rb b/app/actions/projects/list.rb
new file mode 100644
index 00000000..95df0b1e
--- /dev/null
+++ b/app/actions/projects/list.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Projects
+  class List
+    extend LightService::Organizer
+
+    def self.call(account_user:, params: {})
+      with(account_user: account_user, params: params).reduce(
+        Projects::VisibleToUser,
+        Projects::Filter
+      )
+    end
+  end
+end
diff --git a/app/actions/projects/visible_to_user.rb b/app/actions/projects/visible_to_user.rb
index 87e8d8ad..4ecdde56 100644
--- a/app/actions/projects/visible_to_user.rb
+++ b/app/actions/projects/visible_to_user.rb
@@ -4,12 +4,19 @@ module Projects
   class VisibleToUser
     extend LightService::Action
 
-    expects :user, :account
+    expects :account_user
     promises :projects
 
     executed do |context|
-      user = context.user
-      account = context.account
+      account_user = context.account_user
+      user = account_user.user
+      account = account_user.account
+
+      # Admins can see all projects in the account
+      if account_user.admin?
+        context.projects = Project.joins(:cluster).where(clusters: { account_id: account.id })
+        next context
+      end
 
       # If account has no teams, user can see all projects
       if account.teams.empty?
diff --git a/app/controllers/accounts/teams_controller.rb b/app/controllers/accounts/teams_controller.rb
index f87b59a3..2ade0fd3 100644
--- a/app/controllers/accounts/teams_controller.rb
+++ b/app/controllers/accounts/teams_controller.rb
@@ -8,6 +8,7 @@ class Accounts::TeamsController < ApplicationController
 
   def show
     @pagy, @team_memberships = pagy(@team.team_memberships)
+    @tab = params[:tab] || "clusters"
   end
 
   def new
diff --git a/app/controllers/add_ons_controller.rb b/app/controllers/add_ons_controller.rb
index b8105f14..6c3d187c 100644
--- a/app/controllers/add_ons_controller.rb
+++ b/app/controllers/add_ons_controller.rb
@@ -4,9 +4,14 @@ class AddOnsController < ApplicationController
 
   # GET /add_ons
   def index
-    add_ons = AddOns::VisibleToUser.execute(user: current_user, account: current_account).add_ons
+    add_ons = AddOns::List.call(account_user: current_account_user, params: params).add_ons
     @pagy, @add_ons = pagy(add_ons)
 
+    respond_to do |format|
+      format.html
+      format.json { render json: @add_ons.map { |a| { id: a.id, name: a.name } } }
+    end
+
     # Uncomment to authorize with Pundit
     # authorize @add_ons
   end
@@ -120,7 +125,7 @@ class AddOnsController < ApplicationController
 
   # Use callbacks to share common setup or constraints between actions.
   def set_add_on
-    add_ons = AddOns::VisibleToUser.execute(user: current_user, account: current_account).add_ons
+    add_ons = AddOns::VisibleToUser.execute(account_user: current_account_user).add_ons
     @add_on = add_ons.find(params[:id])
     @service = K8::Helm::Service.create_from_add_on(K8::Connection.new(@add_on, current_user))
   rescue ActiveRecord::RecordNotFound
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 77580c27..2fdbe252 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -23,6 +23,12 @@ class ApplicationController < ActionController::Base
     end
     helper_method :current_account
 
+    def current_account_user
+      return nil unless user_signed_in? && current_account
+      @current_account_user ||= AccountUser.find_by(user: current_user, account: current_account)
+    end
+    helper_method :current_account_user
+
     def time_ago(t)
       if t.present?
         "#{time_ago_in_words(t)} ago"
diff --git a/app/controllers/clusters_controller.rb b/app/controllers/clusters_controller.rb
index ed66fc65..0d733228 100644
--- a/app/controllers/clusters_controller.rb
+++ b/app/controllers/clusters_controller.rb
@@ -8,9 +8,14 @@ class ClustersController < ApplicationController
   # GET /clusters
   def index
     sortable_column = params[:sort] || "created_at"
-    clusters = Clusters::VisibleToUser.execute(user: current_user, account: current_account).clusters
+    clusters = Clusters::List.call(account_user: current_account_user, params: params).clusters
     @pagy, @clusters = pagy(clusters.order(sortable_column => "asc"))
 
+    respond_to do |format|
+      format.html
+      format.json { render json: @clusters.map { |c| { id: c.id, name: c.name } } }
+    end
+
     # Uncomment to authorize with Pundit
     # authorize @clusters
   end
@@ -172,7 +177,7 @@ class ClustersController < ApplicationController
 
   # Use callbacks to share common setup or constraints between actions.
   def set_cluster
-    clusters = Clusters::VisibleToUser.execute(user: current_user, account: current_account).clusters
+    clusters = Clusters::VisibleToUser.execute(account_user: current_account_user).clusters
     @cluster = clusters.find(params[:id])
 
     # Uncomment to authorize with Pundit
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 7bd0bc42..e32b0cb5 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -6,9 +6,14 @@ class ProjectsController < ApplicationController
   # GET /projects
   def index
     sortable_column = params[:sort] || "created_at"
-    projects = Projects::VisibleToUser.execute(user: current_user, account: current_account).projects
+    projects = Projects::List.call(account_user: current_account_user, params: params).projects
     @pagy, @projects = pagy(projects.order(sortable_column => "asc"))
 
+    respond_to do |format|
+      format.html
+      format.json { render json: @projects.map { |p| { id: p.id, name: p.name } } }
+    end
+
     # Uncomment to authorize with Pundit
     # authorize @projects
   end
@@ -87,7 +92,7 @@ class ProjectsController < ApplicationController
 
   # Use callbacks to share common setup or constraints between actions.
   def set_project
-    projects = Projects::VisibleToUser.execute(user: current_user, account: current_account).projects
+    projects = Projects::VisibleToUser.execute(account_user: current_account_user).projects
     @project = projects.find(params[:id])
 
     # Uncomment to authorize with Pundit
diff --git a/app/javascript/controllers/components/async_search_dropdown_controller.js b/app/javascript/controllers/components/async_search_dropdown_controller.js
index 1aea762e..82d1abfe 100644
--- a/app/javascript/controllers/components/async_search_dropdown_controller.js
+++ b/app/javascript/controllers/components/async_search_dropdown_controller.js
@@ -48,7 +48,7 @@ export default class extends Controller {
 
   createDropdown() {
     const dropdown = document.createElement('ul')
-    dropdown.className = 'hidden absolute z-10 w-full mt-1 menu bg-base-200 block rounded-box shadow-lg max-h-[300px] overflow-y-auto'
+    dropdown.className = 'hidden absolute z-10 w-full mt-1 menu bg-neutral block rounded-box shadow-lg max-h-[300px] overflow-y-auto'
     return dropdown
   }
 
diff --git a/app/javascript/controllers/team_resource_search_controller.js b/app/javascript/controllers/team_resource_search_controller.js
new file mode 100644
index 00000000..45de99b3
--- /dev/null
+++ b/app/javascript/controllers/team_resource_search_controller.js
@@ -0,0 +1,93 @@
+import AsyncSearchDropdownController from "./components/async_search_dropdown_controller"
+
+export default class extends AsyncSearchDropdownController {
+  static values = {
+    url: String,
+    addUrl: String,
+    resourceType: String,
+    turboFrame: String
+  }
+
+  async fetchResults(query) {
+    const url = `${this.urlValue}.json?q=${encodeURIComponent(query)}`
+    const response = await fetch(url, {
+      headers: {
+        'Accept': 'application/json'
+      }
+    })
+
+    if (!response.ok) {
+      throw new Error('Failed to search resources')
+    }
+
+    return await response.json()
+  }
+
+  renderItem(resource) {
+    return `
+      <div class="flex items-center gap-2">
+        <div class="flex-1">
+          <div class="font-medium">${this.escapeHtml(resource.name)}</div>
+        </div>
+      </div>
+    `
+  }
+
+  async onItemSelect(resource, itemElement) {
+    try {
+      itemElement.classList.add('opacity-50')
+      itemElement.innerHTML = `
+        <div class="flex items-center gap-2">
+          <span class="loading loading-spinner loading-sm"></span>
+          <span>Adding ${this.escapeHtml(resource.name)}...</span>
+        </div>
+      `
+
+      const response = await fetch(this.addUrlValue, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-CSRF-Token': this.getCsrfToken()
+        },
+        body: JSON.stringify({
+          resourceable_type: this.resourceTypeValue,
+          resourceable_id: resource.id
+        })
+      })
+
+      if (!response.ok) {
+        throw new Error('Failed to add resource')
+      }
+
+      // Close the modal
+      const modal = this.element.closest('dialog')
+      if (modal) {
+        modal.close()
+      }
+
+      // Reload the turbo frame
+      if (this.hasTurboFrameValue) {
+        const frame = document.getElementById(this.turboFrameValue)
+        if (frame) {
+          frame.reload()
+        }
+      } else {
+        window.location.reload()
+      }
+    } catch (error) {
+      console.error('Error adding resource:', error)
+      alert('Failed to add resource. Please try again.')
+      itemElement.classList.remove('opacity-50')
+    }
+  }
+
+  escapeHtml(text) {
+    const div = document.createElement('div')
+    div.textContent = text
+    return div.innerHTML
+  }
+
+  getCsrfToken() {
+    return document.querySelector('meta[name="csrf-token"]')?.content || ''
+  }
+}
diff --git a/app/models/account_user.rb b/app/models/account_user.rb
index 9d9c74a9..c818d409 100644
--- a/app/models/account_user.rb
+++ b/app/models/account_user.rb
@@ -21,4 +21,8 @@
 class AccountUser < ApplicationRecord
   belongs_to :user
   belongs_to :account
+
+  def admin?
+    account.owner_id == user_id
+  end
 end
diff --git a/app/views/accounts/teams/_empty.html.erb b/app/views/accounts/teams/_empty.html.erb
new file mode 100644
index 00000000..591e4e32
--- /dev/null
+++ b/app/views/accounts/teams/_empty.html.erb
@@ -0,0 +1,49 @@
+<div class="card card-bordered bg-base-100">
+  <div class="card-body text-center py-16">
+    <div class="flex flex-col items-center gap-6">
+      <h2 class="text-3xl font-bold">Organize access with teams</h2>
+      <p class="text-base-content/70 max-w-2xl">
+        Teams let you group members and control which resources they can access. Perfect for managing permissions as your organization scales.
+      </p>
+
+      <div class="grid grid-cols-1 md:grid-cols-3 gap-8 mt-8 max-w-4xl">
+        <div class="flex flex-col items-center gap-3">
+          <div class="w-16 h-16 rounded-full bg-base-200 flex items-center justify-center">
+            <iconify-icon icon="lucide:shield-check" class="text-2xl text-primary"></iconify-icon>
+          </div>
+          <h3 class="font-semibold text-lg">Granular permissions</h3>
+          <p class="text-base-content/70 text-sm">
+            Assign clusters, projects, and add-ons to specific teams. Members only see what they need.
+          </p>
+        </div>
+
+        <div class="flex flex-col items-center gap-3">
+          <div class="w-16 h-16 rounded-full bg-base-200 flex items-center justify-center">
+            <iconify-icon icon="lucide:user-plus" class="text-2xl text-primary"></iconify-icon>
+          </div>
+          <h3 class="font-semibold text-lg">Simple onboarding</h3>
+          <p class="text-base-content/70 text-sm">
+            Add someone to a team and they instantly get access to all the right resources. No manual setup required.
+          </p>
+        </div>
+
+        <div class="flex flex-col items-center gap-3">
+          <div class="w-16 h-16 rounded-full bg-base-200 flex items-center justify-center">
+            <iconify-icon icon="lucide:folder-tree" class="text-2xl text-primary"></iconify-icon>
+          </div>
+          <h3 class="font-semibold text-lg">Scale with confidence</h3>
+          <p class="text-base-content/70 text-sm">
+            Structure teams by role, project, or however works best. Easily adjust as your organization evolves.
+          </p>
+        </div>
+      </div>
+
+      <div class="flex gap-3 mt-8">
+        <%= link_to new_team_path, class: "btn btn-primary" do %>
+          <iconify-icon icon="lucide:plus"></iconify-icon>
+          Create your first team
+        <% end %>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/app/views/accounts/teams/_list.html.erb b/app/views/accounts/teams/_list.html.erb
index c667322a..784a9ccf 100644
--- a/app/views/accounts/teams/_list.html.erb
+++ b/app/views/accounts/teams/_list.html.erb
@@ -1,40 +1,55 @@
-<div class="overflow-auto">
-  <table class="table mt-2 rounded-box" data-component="table">
-    <thead>
-      <tr>
-        <th>
-          <span class="text-sm font-medium text-base-content/80">Name</span>
-        </th>
-        <th>
-          <span class="text-sm font-medium text-base-content/80">Members</span>
-        </th>
-        <th>
-          <span class="text-sm font-medium text-base-content/80">Resources</span>
-        </th>
-        <th></th>
-      </tr>
-    </thead>
-    <tbody>
-      <% teams.each do |team| %>
-        <tr class="cursor-pointer hover:bg-base-200/40" onclick="window.location='<%= team_path(team) %>'">
-          <td>
-            <div class="font-medium"><%= team.name %></div>
-          </td>
-          <td>
-            <div class="font-medium"><%= team.users.count %></div>
-          </td>
-          <td>
-            <div class="font-medium"><%= team.team_resources.count %></div>
-          </td>
-          <td>
-            <div class="text-sm capitalize">
-              <%= button_to team_path(team), method: :delete, data: { confirm: "Are you sure?" }, class: "btn btn-square btn-sm btn-danger min-w-max" do %>
-                <iconify-icon icon="lucide:trash" height="18" class="text-error"></iconify-icon>
-              <% end %>
-            </div>
-          </td>
-        </tr>
-      <% end %>
-    </tbody>
-  </table>
-</div>
+<% if teams.empty? %>
+  <%= render "accounts/teams/empty" %>
+<% else %>
+  <div aria-label="Card" class="card card-bordered bg-base-100">
+    <div class="card-body">
+      <div class="text-right px-5 pt-5">
+        <%= link_to new_team_path, class: "btn btn-primary btn-sm" do %>
+          <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
+          <span class="hidden sm:inline">Create Team</span>
+        <% end %>
+      </div>
+
+      <div class="overflow-auto">
+        <table class="table mt-2 rounded-box" data-component="table">
+          <thead>
+            <tr>
+              <th>
+                <span class="text-sm font-medium text-base-content/80">Name</span>
+              </th>
+              <th>
+                <span class="text-sm font-medium text-base-content/80">Members</span>
+              </th>
+              <th>
+                <span class="text-sm font-medium text-base-content/80">Resources</span>
+              </th>
+              <th></th>
+            </tr>
+          </thead>
+          <tbody>
+            <% teams.each do |team| %>
+              <tr class="cursor-pointer hover:bg-base-200/40" onclick="window.location='<%= team_path(team) %>'">
+                <td>
+                  <div class="font-medium"><%= team.name %></div>
+                </td>
+                <td>
+                  <div class="font-medium"><%= team.users.count %></div>
+                </td>
+                <td>
+                  <div class="font-medium"><%= team.team_resources.count %></div>
+                </td>
+                <td>
+                  <div class="text-sm capitalize">
+                    <%= button_to team_path(team), method: :delete, data: { confirm: "Are you sure?" }, class: "btn btn-square btn-sm btn-danger min-w-max" do %>
+                      <iconify-icon icon="lucide:trash" height="18" class="text-error"></iconify-icon>
+                    <% end %>
+                  </div>
+                </td>
+              </tr>
+            <% end %>
+          </tbody>
+        </table>
+      </div>
+    </div>
+  </div>
+<% end %>
diff --git a/app/views/accounts/teams/_resource_content.html.erb b/app/views/accounts/teams/_resource_content.html.erb
new file mode 100644
index 00000000..44c07471
--- /dev/null
+++ b/app/views/accounts/teams/_resource_content.html.erb
@@ -0,0 +1,29 @@
+<%= turbo_frame_tag("team_resources_#{team.id}", data: { turbo_tabs_target: "content" }) do %>
+  <div class="pt-4">
+    <% if tab == "clusters" %>
+      <div class="flex justify-end mb-2">
+        <button class="btn btn-primary btn-sm" onclick="add_cluster_modal.showModal()">
+          <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
+          <span class="hidden sm:inline">Add Cluster</span>
+        </button>
+      </div>
+      <%= render "accounts/teams/team_resources_table", team: team, resource_type: "Cluster" %>
+    <% elsif tab == "projects" %>
+      <div class="flex justify-end mb-2">
+        <button class="btn btn-primary btn-sm" onclick="add_project_modal.showModal()">
+          <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
+          <span class="hidden sm:inline">Add Project</span>
+        </button>
+      </div>
+      <%= render "accounts/teams/team_resources_table", team: team, resource_type: "Project" %>
+    <% elsif tab == "addons" %>
+      <div class="flex justify-end mb-2">
+        <button class="btn btn-primary btn-sm" onclick="add_addon_modal.showModal()">
+          <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
+          <span class="hidden sm:inline">Add Add-on</span>
+        </button>
+      </div>
+      <%= render "accounts/teams/team_resources_table", team: team, resource_type: "AddOn" %>
+    <% end %>
+  </div>
+<% end %>
diff --git a/app/views/accounts/teams/_resource_tabs.html.erb b/app/views/accounts/teams/_resource_tabs.html.erb
new file mode 100644
index 00000000..ba96d0dc
--- /dev/null
+++ b/app/views/accounts/teams/_resource_tabs.html.erb
@@ -0,0 +1,11 @@
+<div role="tablist" class="tabs tabs-bordered" data-turbo-tabs-target="tabs">
+  <%= link_to team_path(team, tab: 'clusters'), class: "tab #{'tab-active' if tab == 'clusters'}" do %>
+    Clusters
+  <% end %>
+  <%= link_to team_path(team, tab: 'projects'), class: "tab #{'tab-active' if tab == 'projects'}" do %>
+    Projects
+  <% end %>
+  <%= link_to team_path(team, tab: 'addons'), class: "tab #{'tab-active' if tab == 'addons'}" do %>
+    Add-ons
+  <% end %>
+</div>
diff --git a/app/views/accounts/teams/_team_resources_table.html.erb b/app/views/accounts/teams/_team_resources_table.html.erb
new file mode 100644
index 00000000..c261f6a2
--- /dev/null
+++ b/app/views/accounts/teams/_team_resources_table.html.erb
@@ -0,0 +1,37 @@
+<% resources = team.team_resources.where(resourceable_type: resource_type) %>
+<div class="overflow-auto">
+  <table class="table mt-2 rounded-box" data-component="table">
+    <thead>
+      <tr>
+        <th>
+          <span class="text-sm font-medium text-base-content/80">Name</span>
+        </th>
+        <th></th>
+      </tr>
+    </thead>
+    <tbody>
+      <% if resources.empty? %>
+        <tr>
+          <td colspan="2" class="text-center text-base-content/50 py-8">
+            No <%= resource_type.underscore.humanize.downcase.pluralize %> assigned to this team yet.
+          </td>
+        </tr>
+      <% else %>
+        <% resources.each do |team_resource| %>
+          <tr class="hover:bg-base-200/40">
+            <td>
+              <div class="font-medium"><%= team_resource.resourceable.name %></div>
+            </td>
+            <td>
+              <div class="text-sm capitalize">
+                <%= button_to team_team_resource_path(team, team_resource), method: :delete, data: { confirm: "Are you sure?" }, class: "btn btn-square btn-sm btn-danger min-w-max" do %>
+                  <iconify-icon icon="lucide:trash" height="18" class="text-error"></iconify-icon>
+                <% end %>
+              </div>
+            </td>
+          </tr>
+        <% end %>
+      <% end %>
+    </tbody>
+  </table>
+</div>
diff --git a/app/views/accounts/teams/index.html.erb b/app/views/accounts/teams/index.html.erb
index 45d7b9cf..57d97774 100644
--- a/app/views/accounts/teams/index.html.erb
+++ b/app/views/accounts/teams/index.html.erb
@@ -32,24 +32,9 @@
     </div>
 
     <div class="mt-5">
-      <div aria-label="Card" class="card card-bordered bg-base-100">
-        <div class="card-body">
-          <div class="text-right px-5 pt-5">
-            <%= link_to new_team_path, class: "btn btn-primary btn-sm" do %>
-              <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
-              <span class="hidden sm:inline">Create Team</span>
-            <% end %>
-          </div>
-
-          <div>
-            <%= tag.div id: ("teams" if @pagy.page == 1) do %>
-              <%= render "accounts/teams/list", teams: @teams, cached: true %>
-            <% end %>
-          </div>
-        </div>
-      </div>
+      <%= tag.div id: "teams" do %>
+        <%= render "accounts/teams/list", teams: @teams %>
+      <% end %>
     </div>
-
-    <%= render 'shared/pagination', pagy: @pagy %>
   </div>
 <% end %>
diff --git a/app/views/accounts/teams/show.html.erb b/app/views/accounts/teams/show.html.erb
index 3146c6f2..44f27718 100644
--- a/app/views/accounts/teams/show.html.erb
+++ b/app/views/accounts/teams/show.html.erb
@@ -3,6 +3,18 @@
   <%= turbo_stream_from [:team_memberships, @team] %>
 
   <div>
+    <div class="breadcrumbs text-sm mb-4">
+      <ul>
+        <li>
+          <%= link_to teams_path, class: "inline-flex items-center gap-1" do %>
+            <iconify-icon icon="lucide:users" height="14"></iconify-icon>
+            Teams
+          <% end %>
+        </li>
+        <li><%= @team.name %></li>
+      </ul>
+    </div>
+
     <div class="mb-6">
       <div class="flex justify-between items-start">
         <div>
@@ -54,16 +66,10 @@
     <div class="mt-5">
       <div aria-label="Card" class="card card-bordered bg-base-100">
         <div class="card-body">
-          <div class="flex justify-between items-center px-5 pt-5">
-            <h3 class="text-lg font-semibold">Team Resources</h3>
-            <button class="btn btn-primary btn-sm" onclick="add_team_resource_modal.showModal()">
-              <iconify-icon icon="lucide:plus" height="16"></iconify-icon>
-              <span class="hidden sm:inline">Grant Access</span>
-            </button>
-          </div>
-
-          <div>
-            <%= render "accounts/teams/team_resources_list", team: @team, cached: true %>
+          <div class="px-5 pt-5" data-controller="turbo-tabs">
+            <h3 class="text-lg font-semibold mb-4">Team Resources</h3>
+            <%= render "accounts/teams/resource_tabs", team: @team, tab: @tab %>
+            <%= render "accounts/teams/resource_content", team: @team, tab: @tab %>
           </div>
         </div>
       </div>
@@ -103,45 +109,104 @@
     </form>
   </dialog>
 
-  <!-- Add Team Resource Modal -->
-  <dialog aria-label="Modal" class="modal" id="add_team_resource_modal">
+  <!-- Add Cluster Modal -->
+  <dialog aria-label="Modal" class="modal" id="add_cluster_modal">
     <div class="modal-box">
       <form method="dialog">
         <button aria-label="Close modal" class="btn btn-circle btn-ghost btn-sm absolute right-2 top-2">
           <iconify-icon icon="lucide:x" height="16"></iconify-icon>
         </button>
       </form>
-      <div class="mb-4 w-full text-xl font-bold">Grant Resource Access to <%= @team.name %></div>
+      <div class="mb-4 w-full text-xl font-bold">Add Cluster to <%= @team.name %></div>
       <div>
-        <%= form_with(url: team_team_resources_path(@team)) do |form| %>
-          <div class="form-control mt-1 w-full">
-            <label class="label">
-              <span class="label-text">Resource Type</span>
-            </label>
-            <%= form.select :resourceable_type,
-                [["Cluster", "Cluster"], ["Project", "Project"], ["Add-on", "AddOn"]],
-                { prompt: "Select resource type" },
-                class: "select select-bordered w-full focus:outline-offset-0",
-                data: { action: "change->team-resource#updateResourceOptions" } %>
+        <div class="form-control mt-1 w-full"
+             data-controller="team-resource-search"
+             data-team-resource-search-url-value="<%= clusters_path %>"
+             data-team-resource-search-add-url-value="<%= team_team_resources_path(@team) %>"
+             data-team-resource-search-resource-type-value="Cluster"
+             data-team-resource-search-turbo-frame-value="team_resources_<%= @team.id %>">
+          <label class="label">
+            <span class="label-text">Search for a cluster</span>
+          </label>
+          <div class="relative">
+            <input type="text"
+                   placeholder="Type to search clusters..."
+                   class="input input-bordered w-full focus:outline-offset-0" />
           </div>
+          <label class="label">
+            <span class="label-text-alt text-warning">Adding a cluster will enable all projects and add-ons within that cluster.</span>
+          </label>
+        </div>
+      </div>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+      <button>close</button>
+    </form>
+  </dialog>
 
-          <div class="form-control mt-1 w-full">
-            <label class="label">
-              <span class="label-text">Resource</span>
-            </label>
-            <%= form.select :resourceable_id,
-                [],
-                { prompt: "Select a resource" },
-                class: "select select-bordered w-full focus:outline-offset-0",
-                id: "resourceable_id_select" %>
-            <label class="label">
-              <span class="label-text-alt">Grant access to a specific resource.</span>
-            </label>
+  <!-- Add Project Modal -->
+  <dialog aria-label="Modal" class="modal" id="add_project_modal">
+    <div class="modal-box">
+      <form method="dialog">
+        <button aria-label="Close modal" class="btn btn-circle btn-ghost btn-sm absolute right-2 top-2">
+          <iconify-icon icon="lucide:x" height="16"></iconify-icon>
+        </button>
+      </form>
+      <div class="mb-4 w-full text-xl font-bold">Add Project to <%= @team.name %></div>
+      <div>
+        <div class="form-control mt-1 w-full"
+             data-controller="team-resource-search"
+             data-team-resource-search-url-value="<%= projects_path %>"
+             data-team-resource-search-add-url-value="<%= team_team_resources_path(@team) %>"
+             data-team-resource-search-resource-type-value="Project"
+             data-team-resource-search-turbo-frame-value="team_resources_<%= @team.id %>">
+          <label class="label">
+            <span class="label-text">Search for a project</span>
+          </label>
+          <div class="relative">
+            <input type="text"
+                   placeholder="Type to search projects..."
+                   class="input input-bordered w-full focus:outline-offset-0" />
           </div>
-          <div class="form-footer">
-            <%= form.button "Grant Access", class: "btn btn-primary" %>
+          <label class="label">
+            <span class="label-text-alt">Grant this team access to the selected project.</span>
+          </label>
+        </div>
+      </div>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+      <button>close</button>
+    </form>
+  </dialog>
+
+  <!-- Add Add-on Modal -->
+  <dialog aria-label="Modal" class="modal" id="add_addon_modal">
+    <div class="modal-box">
+      <form method="dialog">
+        <button aria-label="Close modal" class="btn btn-circle btn-ghost btn-sm absolute right-2 top-2">
+          <iconify-icon icon="lucide:x" height="16"></iconify-icon>
+        </button>
+      </form>
+      <div class="mb-4 w-full text-xl font-bold">Add Add-on to <%= @team.name %></div>
+      <div>
+        <div class="form-control mt-1 w-full"
+             data-controller="team-resource-search"
+             data-team-resource-search-url-value="<%= add_ons_path %>"
+             data-team-resource-search-add-url-value="<%= team_team_resources_path(@team) %>"
+             data-team-resource-search-resource-type-value="AddOn"
+             data-team-resource-search-turbo-frame-value="team_resources_<%= @team.id %>">
+          <label class="label">
+            <span class="label-text">Search for an add-on</span>
+          </label>
+          <div class="relative">
+            <input type="text"
+                   placeholder="Type to search add-ons..."
+                   class="input input-bordered w-full focus:outline-offset-0" />
           </div>
-        <% end %>
+          <label class="label">
+            <span class="label-text-alt">Grant this team access to the selected add-on.</span>
+          </label>
+        </div>
       </div>
     </div>
     <form method="dialog" class="modal-backdrop">
diff --git a/app/views/layouts/_sidebar.html.erb b/app/views/layouts/_sidebar.html.erb
index 3b93eb0c..957d6efa 100644
--- a/app/views/layouts/_sidebar.html.erb
+++ b/app/views/layouts/_sidebar.html.erb
@@ -73,7 +73,9 @@
                       <% end %>
                     </summary>
                     <ul>
-                      <% current_account.projects.order(created_at: :desc).each do |project| %>
+                      <% Projects::VisibleToUser.execute(
+                          account_user: current_account_user
+                        ).projects.order(created_at: :desc).each do |project| %>
                         <li>
                           <%= link_to root_projects_path(project), class: "hover:bg-base-content/15 #{'active' if request.path.start_with?(project_path(project))}" do %>
                             <div class="flex items-center gap-2">
@@ -104,7 +106,9 @@
                       <% end %>
                     </summary>
                     <ul>
-                      <% current_account.clusters.order(created_at: :desc).each do |cluster| %>
+                      <% Clusters::VisibleToUser.execute(
+                        account_user: current_account_user
+                        ).clusters.order(created_at: :desc).each do |cluster| %>
                         <li>
                           <%= link_to cluster_path(cluster), class: "hover:bg-base-content/15 #{'active' if request.path.start_with?(cluster_path(cluster))}" do %>
                             <div class="flex items-center gap-2">
@@ -135,7 +139,9 @@
                       <% end %>
                     </summary>
                     <ul>
-                      <% current_account.add_ons.order(created_at: :desc).each do |add_on| %>
+                      <% AddOns::VisibleToUser.execute(
+                        account_user: current_account_user
+                        ).add_ons.order(created_at: :desc).each do |add_on| %>
                         <li>
                           <%= link_to add_on_path(add_on), class: "hover:bg-base-content/15 #{'active' if request.path.start_with?(add_on_path(add_on))}" do %>
                             <div class="flex items-center gap-2">
diff --git a/app/views/shared/_head.html.erb b/app/views/shared/_head.html.erb
index 810a4513..47ccc49d 100644
--- a/app/views/shared/_head.html.erb
+++ b/app/views/shared/_head.html.erb
@@ -2,14 +2,14 @@
   <% if content_for?(:title) %>
     <%= yield :title %> |
   <% end %>
-  Canine - An open source alternative to Heroku
+  Canine - A Developer-friendly PaaS for your Kubernetes
 </title>
 <meta name="description" content="Canine is an open source deployment platform that makes it easy to deploy and manage your applications.">
 
 <% if content_for?(:og_title) %>
   <meta property="og:title" content="<%= yield :og_title %>" />
 <% else %>
-  <meta property="og:title" content="Canine - An open source alternative to Heroku" />
+  <meta property="og:title" content="Canine - A Developer-friendly PaaS for your Kubernetes" />
 <% end %>
 
 <% if content_for?(:og_url) %>
diff --git a/spec/actions/add_ons/visible_to_user_spec.rb b/spec/actions/add_ons/visible_to_user_spec.rb
index 0154c73d..68b2da09 100644
--- a/spec/actions/add_ons/visible_to_user_spec.rb
+++ b/spec/actions/add_ons/visible_to_user_spec.rb
@@ -3,19 +3,38 @@ require 'rails_helper'
 RSpec.describe AddOns::VisibleToUser do
   let!(:account) { create(:account) }
   let!(:user) { create(:user) }
+  let!(:account_user) { AccountUser.find_by(user: user, account: account) || create(:account_user, user: user, account: account) }
   let!(:cluster) { create(:cluster, account: account) }
 
   before do
-    account.users << user
+    account.users << user unless account.users.include?(user)
   end
 
   describe '.execute' do
+    context 'when user is an admin (account owner)' do
+      let!(:add_on1) { create(:add_on, cluster: cluster) }
+      let!(:add_on2) { create(:add_on, cluster: cluster) }
+      let(:team) { create(:team, account: account) }
+
+      before do
+        account.update!(owner: user)
+        team # Create team so account has teams
+      end
+
+      it 'returns all add_ons in the account regardless of team membership' do
+        result = described_class.execute(account_user: account_user)
+
+        expect(result).to be_success
+        expect(result.add_ons).to match_array([ add_on1, add_on2 ])
+      end
+    end
+
     context 'when account has no teams' do
       let!(:add_on1) { create(:add_on, cluster: cluster) }
       let!(:add_on2) { create(:add_on, cluster: cluster) }
 
       it 'returns all add_ons in the account' do
-        result = described_class.execute(user: user, account: account)
+        result = described_class.execute(account_user: account_user)
 
         expect(result).to be_success
         expect(result.add_ons).to match_array([ add_on1, add_on2 ])
@@ -35,7 +54,7 @@ RSpec.describe AddOns::VisibleToUser do
         end
 
         it 'returns no add_ons' do
-          result = described_class.execute(user: user, account: account.reload)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.add_ons).to be_empty
@@ -49,7 +68,7 @@ RSpec.describe AddOns::VisibleToUser do
         end
 
         it 'returns only add_ons granted to user teams' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.add_ons).to eq([ add_on1 ])
@@ -67,7 +86,7 @@ RSpec.describe AddOns::VisibleToUser do
         end
 
         it 'returns all add_ons in the granted cluster' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.add_ons).to match_array([ add_on4, add_on5 ])
@@ -85,7 +104,7 @@ RSpec.describe AddOns::VisibleToUser do
         end
 
         it 'returns all accessible add_ons without duplicates' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.add_ons).to match_array([ add_on1, add_on4 ])
@@ -101,7 +120,7 @@ RSpec.describe AddOns::VisibleToUser do
         end
 
         it 'returns add_ons from all teams user belongs to' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.add_ons).to match_array([ add_on1, add_on2 ])
diff --git a/spec/actions/clusters/visible_to_user_spec.rb b/spec/actions/clusters/visible_to_user_spec.rb
index 2c22d202..26c9d1e1 100644
--- a/spec/actions/clusters/visible_to_user_spec.rb
+++ b/spec/actions/clusters/visible_to_user_spec.rb
@@ -3,18 +3,37 @@ require 'rails_helper'
 RSpec.describe Clusters::VisibleToUser do
   let!(:account) { create(:account) }
   let!(:user) { create(:user) }
+  let!(:account_user) { AccountUser.find_by(user: user, account: account) || create(:account_user, user: user, account: account) }
 
   before do
-    account.users << user
+    account.users << user unless account.users.include?(user)
   end
 
   describe '.execute' do
+    context 'when user is an admin (account owner)' do
+      let!(:cluster1) { create(:cluster, account: account) }
+      let!(:cluster2) { create(:cluster, account: account) }
+      let(:team) { create(:team, account: account) }
+
+      before do
+        account.update!(owner: user)
+        team # Create team so account has teams
+      end
+
+      it 'returns all clusters in the account regardless of team membership' do
+        result = described_class.execute(account_user: account_user)
+
+        expect(result).to be_success
+        expect(result.clusters).to match_array([ cluster1, cluster2 ])
+      end
+    end
+
     context 'when account has no teams' do
       let!(:cluster1) { create(:cluster, account: account) }
       let!(:cluster2) { create(:cluster, account: account) }
 
       it 'returns all clusters in the account' do
-        result = described_class.execute(user: user, account: account)
+        result = described_class.execute(account_user: account_user)
 
         expect(result).to be_success
         expect(result.clusters).to match_array([ cluster1, cluster2 ])
@@ -34,7 +53,7 @@ RSpec.describe Clusters::VisibleToUser do
         end
 
         it 'returns no clusters' do
-          result = described_class.execute(user: user, account: account.reload)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.clusters).to be_empty
@@ -48,7 +67,7 @@ RSpec.describe Clusters::VisibleToUser do
         end
 
         it 'returns only clusters granted to user teams' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.clusters).to eq([ cluster1 ])
@@ -64,7 +83,7 @@ RSpec.describe Clusters::VisibleToUser do
         end
 
         it 'returns clusters from all teams user belongs to' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.clusters).to match_array([ cluster1, cluster2 ])
@@ -80,7 +99,7 @@ RSpec.describe Clusters::VisibleToUser do
         end
 
         it 'returns unique clusters without duplicates' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.clusters).to eq([ cluster1 ])
diff --git a/spec/actions/projects/visible_to_user_spec.rb b/spec/actions/projects/visible_to_user_spec.rb
index db607fa6..a4687552 100644
--- a/spec/actions/projects/visible_to_user_spec.rb
+++ b/spec/actions/projects/visible_to_user_spec.rb
@@ -9,9 +9,25 @@ RSpec.describe Projects::VisibleToUser do
   let!(:project2) { create(:project, cluster:, account:) }
 
   describe '.execute' do
+    context 'when user is an admin (account owner)' do
+      let(:team) { create(:team, account: account) }
+
+      before do
+        account.update!(owner: user)
+        team # Create team so account has teams
+      end
+
+      it 'returns all projects in the account regardless of team membership' do
+        result = described_class.execute(account_user: account_user)
+
+        expect(result).to be_success
+        expect(result.projects).to match_array([ project1, project2 ])
+      end
+    end
+
     context 'when account has no teams' do
       it 'returns all projects in the account' do
-        result = described_class.execute(user: user, account: account)
+        result = described_class.execute(account_user: account_user)
 
         expect(result).to be_success
         expect(result.projects).to match_array([ project1, project2 ])
@@ -25,7 +41,7 @@ RSpec.describe Projects::VisibleToUser do
 
       context 'when user is not in any teams' do
         it 'returns no projects' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.projects).to be_empty
@@ -39,7 +55,7 @@ RSpec.describe Projects::VisibleToUser do
         end
 
         it 'returns only projects granted to user teams' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.projects).to eq([ project1 ])
@@ -57,7 +73,7 @@ RSpec.describe Projects::VisibleToUser do
         end
 
         it 'returns all projects in the granted cluster' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.projects).to match_array([ project4, project5 ])
@@ -75,7 +91,7 @@ RSpec.describe Projects::VisibleToUser do
         end
 
         it 'returns all accessible projects without duplicates' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.projects).to match_array([ project1, project4 ])
@@ -91,7 +107,7 @@ RSpec.describe Projects::VisibleToUser do
         end
 
         it 'returns projects from all teams user belongs to' do
-          result = described_class.execute(user: user, account: account)
+          result = described_class.execute(account_user: account_user)
 
           expect(result).to be_success
           expect(result.projects).to match_array([ project1, project2 ])

From d8b378e68028dc3b591182b11fa81e663a70fb06 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 29 Nov 2025 09:47:18 -0800
Subject: [PATCH 22/75] remove unecessary specs

---
 spec/models/team_membership_spec.rb | 26 --------------------------
 spec/models/team_resource_spec.rb   | 26 --------------------------
 spec/models/team_spec.rb            | 26 --------------------------
 3 files changed, 78 deletions(-)
 delete mode 100644 spec/models/team_membership_spec.rb
 delete mode 100644 spec/models/team_resource_spec.rb
 delete mode 100644 spec/models/team_spec.rb

diff --git a/spec/models/team_membership_spec.rb b/spec/models/team_membership_spec.rb
deleted file mode 100644
index 8db9862d..00000000
--- a/spec/models/team_membership_spec.rb
+++ /dev/null
@@ -1,26 +0,0 @@
-# == Schema Information
-#
-# Table name: team_memberships
-#
-#  id         :bigint           not null, primary key
-#  created_at :datetime         not null
-#  updated_at :datetime         not null
-#  team_id    :bigint           not null
-#  user_id    :bigint           not null
-#
-# Indexes
-#
-#  index_team_memberships_on_team_id              (team_id)
-#  index_team_memberships_on_user_id              (user_id)
-#  index_team_memberships_on_user_id_and_team_id  (user_id,team_id) UNIQUE
-#
-# Foreign Keys
-#
-#  fk_rails_...  (team_id => teams.id)
-#  fk_rails_...  (user_id => users.id)
-#
-require 'rails_helper'
-
-RSpec.describe TeamMembership, type: :model do
-  pending "add some examples to (or delete) #{__FILE__}"
-end
diff --git a/spec/models/team_resource_spec.rb b/spec/models/team_resource_spec.rb
deleted file mode 100644
index 0af69cfd..00000000
--- a/spec/models/team_resource_spec.rb
+++ /dev/null
@@ -1,26 +0,0 @@
-# == Schema Information
-#
-# Table name: team_resources
-#
-#  id                :bigint           not null, primary key
-#  resourceable_type :string           not null
-#  created_at        :datetime         not null
-#  updated_at        :datetime         not null
-#  resourceable_id   :bigint           not null
-#  team_id           :bigint           not null
-#
-# Indexes
-#
-#  index_team_resources_on_resourceable           (resourceable_type,resourceable_id)
-#  index_team_resources_on_team_and_resourceable  (team_id,resourceable_type,resourceable_id) UNIQUE
-#  index_team_resources_on_team_id                (team_id)
-#
-# Foreign Keys
-#
-#  fk_rails_...  (team_id => teams.id)
-#
-require 'rails_helper'
-
-RSpec.describe TeamResource, type: :model do
-  pending "add some examples to (or delete) #{__FILE__}"
-end
diff --git a/spec/models/team_spec.rb b/spec/models/team_spec.rb
deleted file mode 100644
index 2b2ea8fc..00000000
--- a/spec/models/team_spec.rb
+++ /dev/null
@@ -1,26 +0,0 @@
-# == Schema Information
-#
-# Table name: teams
-#
-#  id         :bigint           not null, primary key
-#  name       :string           not null
-#  slug       :string           not null
-#  created_at :datetime         not null
-#  updated_at :datetime         not null
-#  account_id :bigint           not null
-#
-# Indexes
-#
-#  index_teams_on_account_id           (account_id)
-#  index_teams_on_account_id_and_name  (account_id,name) UNIQUE
-#  index_teams_on_slug                 (slug) UNIQUE
-#
-# Foreign Keys
-#
-#  fk_rails_...  (account_id => accounts.id)
-#
-require 'rails_helper'
-
-RSpec.describe Team, type: :model do
-  pending "add some examples to (or delete) #{__FILE__}"
-end

From 6f82d513b30fc6fd2dd0801fe58e7a324d2e9555 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sun, 30 Nov 2025 13:55:14 -0800
Subject: [PATCH 23/75] lint fixes

---
 app/models/account.rb                         |  2 +-
 app/models/sso_provider.rb                    |  2 +-
 lib/devise/strategies/ldap_authenticatable.rb | 12 ++++++------
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/models/account.rb b/app/models/account.rb
index 901b4ac4..9d952250 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -55,6 +55,6 @@ class Account < ApplicationRecord
   end
 
   def custom_login?
-    return stack_manager&.stack&.provides_authentication? || sso_enabled?
+    stack_manager&.stack&.provides_authentication? || sso_enabled?
   end
 end
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index 0e3ed744..4978a53d 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -30,7 +30,7 @@ class SSOProvider < ApplicationRecord
   enum :team_provisioning_mode, {
     disabled: 0,
     just_in_time: 1,
-    scim: 2,
+    scim: 2
   }
 
 
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index b60263eb..a9091f52 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -67,7 +67,7 @@ module Devise
         unless sso_provider.ldap?
           raise "Account does not support LDAP authentication"
         end
-        return sso_provider.configuration 
+        sso_provider.configuration
       end
 
       def build_user_dn(ldap_config, username)
@@ -78,7 +78,7 @@ module Devise
       def construct_email(username, ldap_config)
         # If username is already an email, use it as-is
         return username if username.include?('@')
-        
+
         # Otherwise, construct email using mail_domain from config if available
         domain = ldap_config.try(:mail_domain) || ldap_config.host
         "#{username}@#{domain}"
@@ -87,13 +87,13 @@ module Devise
       def get_group_information(ldap, user_dn)
         debugger
         # ldap.search(base: "ou=Groups,dc=example,dc=org", filter: Net::LDAP::Filter.eq("memberUid", user_dn))
-        return [
+        [
           {
-            name: "developers",
+            name: "developers"
           },
           {
-            name: "administrators",
-          },
+            name: "administrators"
+          }
         ]
       end
 

From dff03897a7997011ac0ccb5e7306452aea9823aa Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Mon, 1 Dec 2025 18:48:08 -0800
Subject: [PATCH 24/75] update ldap authenticatable

---
 lib/devise/strategies/ldap_authenticatable.rb | 56 ++++++++++++++-----
 1 file changed, 42 insertions(+), 14 deletions(-)

diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index a9091f52..9e07c83d 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -3,6 +3,47 @@ require 'devise/strategies/authenticatable'
 module Devise
   module Strategies
     class LDAPAuthenticatable < Authenticatable
+      def self.fetch_group_membership(ldap_configuration, user_dn)
+        unless ldap_configuration.reader_dn.present? && ldap_configuration.reader_password.present?
+          return []
+        end
+
+        reader_ldap = Net::LDAP.new(
+          host: ldap_configuration.host,
+          port: ldap_configuration.port,
+          encryption: ldap_configuration.encryption_method,
+          auth: {
+            method: :simple,
+            username: ldap_configuration.reader_dn,
+            password: ldap_configuration.reader_password
+          }
+        )
+
+        unless reader_ldap.bind
+          Rails.logger.warn "LDAP reader bind failed: #{reader_ldap.get_operation_result.message}"
+          return []
+        end
+
+        groups = []
+
+        # Search for groups where the user is a member
+        # Try both member (DN-based) and memberUid (username-based) attributes
+        member_filter = Net::LDAP::Filter.eq("member", user_dn)
+        member_uid_filter = Net::LDAP::Filter.eq("memberUid", user_dn.split(",").first.split("=").last)
+        group_filter = Net::LDAP::Filter.eq("objectClass", "groupOfNames") |
+                       Net::LDAP::Filter.eq("objectClass", "groupOfUniqueNames") |
+                       Net::LDAP::Filter.eq("objectClass", "posixGroup")
+
+        combined_filter = group_filter & (member_filter | member_uid_filter)
+
+        reader_ldap.search(base: ldap_configuration.base_dn, filter: combined_filter) do |entry|
+          groups << { name: entry.cn.first }
+        end
+
+        Rails.logger.info "Found #{groups.size} LDAP groups for user #{user_dn}"
+        groups
+      end
+
       def valid?
         puts "Validating ldap authenticatable"
         true
@@ -28,7 +69,7 @@ module Devise
             # LDAP authentication successful, find or create user
             email = construct_email(username, ldap_configuration)
             # Determine the groups
-            groups = get_group_information(ldap, user_dn)
+            groups = self.class.fetch_group_membership(ldap_configuration, user_dn)
             ActiveRecord::Base.transaction do
               user = User.find_or_create_by!(email: email) do |user|
                 password = SecureRandom.hex(32)
@@ -84,19 +125,6 @@ module Devise
         "#{username}@#{domain}"
       end
 
-      def get_group_information(ldap, user_dn)
-        debugger
-        # ldap.search(base: "ou=Groups,dc=example,dc=org", filter: Net::LDAP::Filter.eq("memberUid", user_dn))
-        [
-          {
-            name: "developers"
-          },
-          {
-            name: "administrators"
-          }
-        ]
-      end
-
       def find_or_create_account_for_ldap(ldap_config)
         sso_provider = ldap_config.sso_provider
         sso_provider&.account

From 342f3c2b811352eb6e47be807d4b81660a78d652 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Mon, 1 Dec 2025 18:50:07 -0800
Subject: [PATCH 25/75] remove oidc for now

---
 .../sso_providers/build_sso_configuration.rb  |  6 +-
 app/avo/resources/oidc_configuration.rb       | 19 -----
 .../accounts/sso_providers_controller.rb      | 58 ++-------------
 .../avo/oidc_configurations_controller.rb     |  4 --
 .../users/omniauth_callbacks_controller.rb    | 42 +----------
 app/models/ldap_configuration.rb              |  2 +
 app/models/oidc_configuration.rb              | 20 ------
 app/models/sso_provider.rb                    |  4 --
 .../accounts/sso_providers/edit.html.erb      | 10 +--
 app/views/accounts/sso_providers/new.html.erb | 17 ++---
 .../sso_providers/oidc/_form_fields.html.erb  | 70 -------------------
 .../accounts/sso_providers/show.html.erb      | 52 +++++---------
 app/views/devise/sessions/new.html.erb        | 18 +----
 config/initializers/devise.rb                 |  4 --
 config/initializers/inflections.rb            |  1 -
 ...251126014508_create_oidc_configurations.rb | 16 -----
 docker-compose.yml                            |  2 +-
 lib/omniauth/strategies/dynamic_oidc.rb       | 61 ----------------
 spec/factories/oidc_configurations.rb         | 28 --------
 spec/models/oidc_configuration_spec.rb        | 21 ------
 20 files changed, 40 insertions(+), 415 deletions(-)
 delete mode 100644 app/avo/resources/oidc_configuration.rb
 delete mode 100644 app/controllers/avo/oidc_configurations_controller.rb
 delete mode 100644 app/models/oidc_configuration.rb
 delete mode 100644 app/views/accounts/sso_providers/oidc/_form_fields.html.erb
 delete mode 100644 db/migrate/20251126014508_create_oidc_configurations.rb
 delete mode 100644 lib/omniauth/strategies/dynamic_oidc.rb
 delete mode 100644 spec/factories/oidc_configurations.rb
 delete mode 100644 spec/models/oidc_configuration_spec.rb

diff --git a/app/actions/sso_providers/build_sso_configuration.rb b/app/actions/sso_providers/build_sso_configuration.rb
index c84c164e..0a1eb602 100644
--- a/app/actions/sso_providers/build_sso_configuration.rb
+++ b/app/actions/sso_providers/build_sso_configuration.rb
@@ -7,11 +7,7 @@ module SSOProviders
     promises :configuration
 
     executed do |context|
-      context.configuration = if context.provider_type == "ldap"
-        LDAPConfiguration.new(context.configuration_params)
-      else
-        OIDCConfiguration.new(context.configuration_params)
-      end
+      context.configuration = LDAPConfiguration.new(context.configuration_params)
     end
   end
 end
diff --git a/app/avo/resources/oidc_configuration.rb b/app/avo/resources/oidc_configuration.rb
deleted file mode 100644
index 1a603d96..00000000
--- a/app/avo/resources/oidc_configuration.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-class Avo::Resources::OIDCConfiguration < Avo::BaseResource
-  # self.includes = []
-  # self.attachments = []
-  # self.search = {
-  #   query: -> { query.ransack(id_eq: q, m: "or").result(distinct: false) }
-  # }
-
-  def fields
-    field :id, as: :id
-    field :issuer, as: :text
-    field :client_id, as: :text
-    field :client_secret, as: :text
-    field :authorization_endpoint, as: :text
-    field :token_endpoint, as: :text
-    field :userinfo_endpoint, as: :text
-    field :jwks_uri, as: :text
-    field :scopes, as: :text
-  end
-end
diff --git a/app/controllers/accounts/sso_providers_controller.rb b/app/controllers/accounts/sso_providers_controller.rb
index d812f9a9..1180476f 100644
--- a/app/controllers/accounts/sso_providers_controller.rb
+++ b/app/controllers/accounts/sso_providers_controller.rb
@@ -7,39 +7,22 @@ module Accounts
 
     def new
       @sso_provider = current_account.build_sso_provider
-      @provider_type = params[:provider_type] || "oidc"
-
-      if @provider_type == "ldap"
-        @ldap_configuration = LDAPConfiguration.new
-      else
-        @oidc_configuration = OIDCConfiguration.new
-      end
+      @ldap_configuration = LDAPConfiguration.new
     end
 
     def create
-      provider_type = params[:provider_type] || "oidc"
-      configuration_params = provider_type == "ldap" ? ldap_configuration_params : oidc_configuration_params
-
       result = SSOProviders::Create.call(
         account: current_account,
         sso_provider_params: sso_provider_params,
-        configuration_params: configuration_params,
-        provider_type: provider_type
+        configuration_params: ldap_configuration_params,
+        provider_type: "ldap"
       )
 
       if result.success?
         redirect_to sso_provider_path, notice: "SSO provider created successfully"
       else
         @sso_provider = result.sso_provider
-        @configuration = result.configuration
-        @provider_type = provider_type
-
-        if provider_type == "ldap"
-          @ldap_configuration = @configuration
-        else
-          @oidc_configuration = @configuration
-        end
-
+        @ldap_configuration = result.configuration
         render :new, status: :unprocessable_entity
       end
     end
@@ -47,36 +30,22 @@ module Accounts
     def edit
       @sso_provider = current_account.sso_provider
       redirect_to new_sso_provider_path, alert: "No SSO provider configured" unless @sso_provider
-      @configuration = @sso_provider&.configuration
-
-      if @sso_provider&.ldap?
-        @ldap_configuration = @configuration
-      else
-        @oidc_configuration = @configuration
-      end
+      @ldap_configuration = @sso_provider&.configuration
     end
 
     def update
       @sso_provider = current_account.sso_provider
-      configuration_params = @sso_provider.ldap? ? ldap_configuration_params : oidc_configuration_params
 
       result = SSOProviders::Update.call(
         sso_provider: @sso_provider,
         sso_provider_params: sso_provider_params,
-        configuration_params: configuration_params
+        configuration_params: ldap_configuration_params
       )
 
       if result.success?
         redirect_to sso_provider_path, notice: "SSO provider updated successfully"
       else
-        @configuration = @sso_provider.configuration
-
-        if @sso_provider.ldap?
-          @ldap_configuration = @configuration
-        else
-          @oidc_configuration = @configuration
-        end
-
+        @ldap_configuration = @sso_provider.configuration
         render :edit, status: :unprocessable_entity
       end
     end
@@ -97,19 +66,6 @@ module Accounts
       params.require(:sso_provider).permit(:name, :enabled, :team_provisioning_mode)
     end
 
-    def oidc_configuration_params
-      params.require(:oidc_configuration).permit(
-        :issuer,
-        :client_id,
-        :client_secret,
-        :authorization_endpoint,
-        :token_endpoint,
-        :userinfo_endpoint,
-        :jwks_uri,
-        :scopes
-      )
-    end
-
     def ldap_configuration_params
       params.require(:ldap_configuration).permit(
         :host,
diff --git a/app/controllers/avo/oidc_configurations_controller.rb b/app/controllers/avo/oidc_configurations_controller.rb
deleted file mode 100644
index 08b8968b..00000000
--- a/app/controllers/avo/oidc_configurations_controller.rb
+++ /dev/null
@@ -1,4 +0,0 @@
-# This controller has been generated to enable Rails' resource routes.
-# More information on https://docs.avohq.io/3.0/controllers.html
-class Avo::OIDCConfigurationsController < Avo::ResourcesController
-end
diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index 9f1f3949..220b8444 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -1,7 +1,7 @@
 module Users
   class OmniauthCallbacksController < Devise::OmniauthCallbacksController
-    before_action :set_provider, except: [ :failure, :oidc ]
-    before_action :set_user, except: [ :failure, :oidc ]
+    before_action :set_provider
+    before_action :set_user
 
     attr_reader :provider, :user
 
@@ -13,46 +13,8 @@ module Users
       handle_auth "Github"
     end
 
-    def oidc
-      sso_provider_id = session["sso_provider_id"]
-      sso_provider = SSOProvider.find_by(id: sso_provider_id) if sso_provider_id.present?
-
-      if sso_provider
-        @user = find_or_create_oidc_user
-        handle_oidc_auth(sso_provider)
-      else
-        redirect_to root_path, alert: "SSO provider not found"
-      end
-    end
-
     private
 
-    def find_or_create_oidc_user
-      if user_signed_in?
-        current_user
-      else
-        # Find or create user from OIDC data
-        create_user
-      end
-    end
-
-    def handle_oidc_auth(sso_provider)
-      # For OIDC, we don't store in Provider model, just authenticate
-      if user_signed_in?
-        flash[:notice] = "Your #{sso_provider.name} account was connected."
-        redirect_to edit_user_registration_path
-      else
-        sign_in_and_redirect @user, event: :authentication
-        # Set account from SSO provider
-        session[:account_id] = sso_provider.account_id
-        set_flash_message :notice, :success, kind: sso_provider.name
-      end
-
-      # Clear SSO session data
-      session.delete("sso_provider_id")
-      session.delete("sso_account_id")
-    end
-
     def handle_auth(kind)
       if provider.present?
         provider.update(provider_attrs)
diff --git a/app/models/ldap_configuration.rb b/app/models/ldap_configuration.rb
index 20c5a7ea..1ffa6e9e 100644
--- a/app/models/ldap_configuration.rb
+++ b/app/models/ldap_configuration.rb
@@ -29,6 +29,8 @@ class LDAPConfiguration < ApplicationRecord
   validates :port, presence: true, numericality: { only_integer: true, greater_than: 0 }
   validates :base_dn, presence: true
   validates :uid_attribute, presence: true
+  validates_presence_of :reader_dn, if: :allow_anonymous_reads?
+  validates_presence_of :reader_password, if: :allow_anonymous_reads?
 
   # Returns encryption method as symbol for Net::LDAP
   # Encryption options: plain (no encryption), simple_tls (LDAPS), start_tls (STARTTLS)
diff --git a/app/models/oidc_configuration.rb b/app/models/oidc_configuration.rb
deleted file mode 100644
index d1b14a4f..00000000
--- a/app/models/oidc_configuration.rb
+++ /dev/null
@@ -1,20 +0,0 @@
-# == Schema Information
-#
-# Table name: oidc_configurations
-#
-#  id                     :bigint           not null, primary key
-#  authorization_endpoint :string
-#  client_secret          :string           not null
-#  issuer                 :string           not null
-#  jwks_uri               :string
-#  scopes                 :string           default("openid email profile")
-#  token_endpoint         :string
-#  userinfo_endpoint      :string
-#  created_at             :datetime         not null
-#  updated_at             :datetime         not null
-#  client_id              :string           not null
-#
-class OIDCConfiguration < ApplicationRecord
-  has_one :sso_provider, as: :configuration, dependent: :destroy
-  has_one :account, through: :sso_provider
-end
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index 4978a53d..1c120f31 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -34,10 +34,6 @@ class SSOProvider < ApplicationRecord
   }
 
 
-  def oidc?
-    configuration_type == "OIDCConfiguration"
-  end
-
   def ldap?
     configuration_type == "LDAPConfiguration"
   end
diff --git a/app/views/accounts/sso_providers/edit.html.erb b/app/views/accounts/sso_providers/edit.html.erb
index 5be1d30f..5ff26094 100644
--- a/app/views/accounts/sso_providers/edit.html.erb
+++ b/app/views/accounts/sso_providers/edit.html.erb
@@ -5,7 +5,7 @@
     </div>
 
     <div class="text-sm text-gray-500 mt-2 mb-4">
-      Update your <%= @sso_provider.ldap? ? "LDAP" : "OIDC" %> provider configuration.
+      Update your LDAP provider configuration.
     </div>
 
     <%= form_with model: @sso_provider, url: sso_provider_path do |form| %>
@@ -38,13 +38,9 @@
         </label>
       </div>
 
-      <div class="divider"><%= @sso_provider.ldap? ? "LDAP" : "OIDC" %> Configuration</div>
+      <div class="divider">LDAP Configuration</div>
 
-      <% if @sso_provider.ldap? %>
-        <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
-      <% else %>
-        <%= render "accounts/sso_providers/oidc/form_fields", oidc_configuration: @oidc_configuration %>
-      <% end %>
+      <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
 
       <div class="form-footer mt-6">
         <%= form.submit "Update Provider", class: "btn btn-primary" %>
diff --git a/app/views/accounts/sso_providers/new.html.erb b/app/views/accounts/sso_providers/new.html.erb
index f6ea8f66..6c53583c 100644
--- a/app/views/accounts/sso_providers/new.html.erb
+++ b/app/views/accounts/sso_providers/new.html.erb
@@ -1,19 +1,14 @@
 <%= settings_layout do %>
   <%= turbo_frame_tag "sso_provider" do %>
     <div class="font-lg font-bold mt-4">
-      Add <%= @provider_type == "ldap" ? "LDAP" : "OIDC" %> Provider
+      Add LDAP Provider
     </div>
 
     <div class="text-sm text-gray-500 mt-2 mb-4">
-      <% if @provider_type == "ldap" %>
-        Configure an LDAP directory for SSO authentication. This will allow users to sign in using their LDAP credentials.
-      <% else %>
-        Configure an OpenID Connect (OIDC) provider for SSO authentication. This will allow users to sign in using your organization's identity provider.
-      <% end %>
+      Configure an LDAP directory for SSO authentication. This will allow users to sign in using their LDAP credentials.
     </div>
 
     <%= form_with model: @sso_provider, url: sso_provider_path do |form| %>
-      <%= hidden_field_tag :provider_type, @provider_type %>
       <%= render "shared/error_messages", resource: form.object %>
 
       <div class="form-control mt-4 w-full max-w-sm">
@@ -43,13 +38,9 @@
         </label>
       </div>
 
-      <div class="divider"><%= @provider_type == "ldap" ? "LDAP" : "OIDC" %> Configuration</div>
+      <div class="divider">LDAP Configuration</div>
 
-      <% if @provider_type == "ldap" %>
-        <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
-      <% else %>
-        <%= render "accounts/sso_providers/oidc/form_fields", oidc_configuration: @oidc_configuration %>
-      <% end %>
+      <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
 
       <div class="form-footer mt-6">
         <%= form.submit "Create Provider", class: "btn btn-primary" %>
diff --git a/app/views/accounts/sso_providers/oidc/_form_fields.html.erb b/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
deleted file mode 100644
index b87f9ec1..00000000
--- a/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
+++ /dev/null
@@ -1,70 +0,0 @@
-<%= fields_for :oidc_configuration, oidc_configuration do |oidc_form| %>
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Issuer URL <span class="text-error">*</span></span>
-    </label>
-    <%= oidc_form.text_field :issuer, class: "input input-bordered", required: true, placeholder: "https://your-idp.com" %>
-    <label class="label">
-      <span class="label-text-alt">The base URL of your OIDC provider</span>
-    </label>
-  </div>
-
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Client ID <span class="text-error">*</span></span>
-    </label>
-    <%= oidc_form.text_field :client_id, class: "input input-bordered", required: true %>
-  </div>
-
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Client Secret <span class="text-error">*</span></span>
-    </label>
-    <%= oidc_form.password_field :client_secret, class: "input input-bordered", required: true %>
-  </div>
-
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Scopes</span>
-    </label>
-    <%= oidc_form.text_field :scopes, class: "input input-bordered", placeholder: "openid email profile" %>
-    <label class="label">
-      <span class="label-text-alt">Space-separated list of scopes (defaults to "openid email profile")</span>
-    </label>
-  </div>
-
-  <details class="collapse collapse-arrow bg-base-200 mt-4 max-w-sm">
-    <summary class="collapse-title font-medium">
-      Advanced Settings (Optional)
-    </summary>
-    <div class="collapse-content space-y-4">
-      <div class="form-control mt-1 w-full">
-        <label class="label">
-          <span class="label-text">Authorization Endpoint</span>
-        </label>
-        <%= oidc_form.text_field :authorization_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
-      </div>
-
-      <div class="form-control mt-1 w-full">
-        <label class="label">
-          <span class="label-text">Token Endpoint</span>
-        </label>
-        <%= oidc_form.text_field :token_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
-      </div>
-
-      <div class="form-control mt-1 w-full">
-        <label class="label">
-          <span class="label-text">UserInfo Endpoint</span>
-        </label>
-        <%= oidc_form.text_field :userinfo_endpoint, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
-      </div>
-
-      <div class="form-control mt-1 w-full">
-        <label class="label">
-          <span class="label-text">JWKS URI</span>
-        </label>
-        <%= oidc_form.text_field :jwks_uri, class: "input input-bordered", placeholder: "Auto-discovered if not set" %>
-      </div>
-    </div>
-  </details>
-<% end %>
diff --git a/app/views/accounts/sso_providers/show.html.erb b/app/views/accounts/sso_providers/show.html.erb
index 67b0580c..7b6db54c 100644
--- a/app/views/accounts/sso_providers/show.html.erb
+++ b/app/views/accounts/sso_providers/show.html.erb
@@ -10,7 +10,7 @@
             <div>
               <h3 class="text-lg font-semibold"><%= @sso_provider.name %></h3>
               <div class="flex gap-2 mt-2">
-                <span class="badge badge-outline"><%= @sso_provider.ldap? ? "LDAP" : "OIDC" %></span>
+                <span class="badge badge-outline">LDAP</span>
                 <% if @sso_provider.enabled %>
                   <span class="badge badge-success">Enabled</span>
                 <% else %>
@@ -27,37 +27,22 @@
           <% if @configuration %>
             <div class="divider"></div>
             <div class="grid grid-cols-2 gap-4 text-sm">
-              <% if @sso_provider.oidc? %>
-                <div>
-                  <span class="text-gray-500">Issuer:</span>
-                  <div class="font-mono"><%= @configuration.issuer %></div>
-                </div>
-                <div>
-                  <span class="text-gray-500">Client ID:</span>
-                  <div class="font-mono"><%= @configuration.client_id %></div>
-                </div>
-                <div>
-                  <span class="text-gray-500">Scopes:</span>
-                  <div class="font-mono"><%= @configuration.scopes || "openid email profile" %></div>
-                </div>
-              <% else %>
-                <div>
-                  <span class="text-gray-500">Host:</span>
-                  <div class="font-mono"><%= @configuration.host %>:<%= @configuration.port %></div>
-                </div>
-                <div>
-                  <span class="text-gray-500">Base DN:</span>
-                  <div class="font-mono"><%= @configuration.base_dn %></div>
-                </div>
-                <div>
-                  <span class="text-gray-500">UID Attribute:</span>
-                  <div class="font-mono"><%= @configuration.uid_attribute %></div>
-                </div>
-                <div>
-                  <span class="text-gray-500">Encryption:</span>
-                  <div class="font-mono"><%= @configuration.encryption.titleize %></div>
-                </div>
-              <% end %>
+              <div>
+                <span class="text-gray-500">Host:</span>
+                <div class="font-mono"><%= @configuration.host %>:<%= @configuration.port %></div>
+              </div>
+              <div>
+                <span class="text-gray-500">Base DN:</span>
+                <div class="font-mono"><%= @configuration.base_dn %></div>
+              </div>
+              <div>
+                <span class="text-gray-500">UID Attribute:</span>
+                <div class="font-mono"><%= @configuration.uid_attribute %></div>
+              </div>
+              <div>
+                <span class="text-gray-500">Encryption:</span>
+                <div class="font-mono"><%= @configuration.encryption.titleize %></div>
+              </div>
             </div>
           <% end %>
         </div>
@@ -69,8 +54,7 @@
       </div>
 
       <div class="flex gap-2">
-        <%= link_to "+ Add OIDC Provider", new_sso_provider_path(provider_type: "oidc"), class: "btn btn-primary btn-sm" %>
-        <%= link_to "+ Add LDAP Provider", new_sso_provider_path(provider_type: "ldap"), class: "btn btn-primary btn-sm" %>
+        <%= link_to "+ Add LDAP Provider", new_sso_provider_path, class: "btn btn-primary btn-sm" %>
       </div>
     <% end %>
   <% end %>
diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb
index c95cd60f..112c8c08 100644
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -41,27 +41,13 @@
           <%= f.submit "Sign in", class: "btn btn-primary w-full" %>
         </div>
       <% end %>
-      <% if defined?(@sso_provider) && @sso_provider.present? %>
+
+      <% unless Rails.application.config.local_mode %>
         <div class="flex items-center my-4">
           <div class="flex-grow border-t border-gray-600"></div>
           <span class="mx-4 text-gray-500">OR</span>
           <div class="flex-grow border-t border-gray-600"></div>
         </div>
-
-        <%= button_to "Sign in with #{@sso_provider.name}",
-                      user_oidc_omniauth_authorize_path(sso_provider_id: @sso_provider.id),
-                      class: "btn btn-outline w-full",
-                      data: { turbo: false } %>
-      <% end %>
-
-      <% unless Rails.application.config.local_mode %>
-        <% unless defined?(@sso_provider) && @sso_provider.present? %>
-          <div class="flex items-center my-4">
-            <div class="flex-grow border-t border-gray-600"></div>
-            <span class="mx-4 text-gray-500">OR</span>
-            <div class="flex-grow border-t border-gray-600"></div>
-          </div>
-        <% end %>
         <%= render "devise/shared/links" %>
       <% end %>
     </div>
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 79f49a1b..f5e250c2 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -275,10 +275,6 @@ Devise.setup do |config|
   config.omniauth :github, ENV["OMNIAUTH_GITHUB_PUBLIC_KEY"], ENV["OMNIAUTH_GITHUB_PRIVATE_KEY"], scope: "user,repo,write:packages,read:org"
   config.omniauth :developer if Rails.env.test?
 
-  # Dynamic OIDC provider
-  require Rails.root.join("lib/omniauth/strategies/dynamic_oidc")
-  config.omniauth :oidc, strategy_class: OmniAuth::Strategies::DynamicOIDC
-
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or
   # change the failure app, you can configure them inside the config.warden block.
diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb
index ea25935f..c53fd28a 100644
--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@@ -12,7 +12,6 @@
 
 # These inflection rules are supported but not enabled by default:
 ActiveSupport::Inflector.inflections(:en) do |inflect|
-  inflect.acronym "OIDC"
   inflect.acronym "SSO"
   inflect.acronym "LDAP"
 end
diff --git a/db/migrate/20251126014508_create_oidc_configurations.rb b/db/migrate/20251126014508_create_oidc_configurations.rb
deleted file mode 100644
index bb5a5595..00000000
--- a/db/migrate/20251126014508_create_oidc_configurations.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-class CreateOIDCConfigurations < ActiveRecord::Migration[7.2]
-  def change
-    create_table :oidc_configurations do |t|
-      t.string :issuer, null: false
-      t.string :client_id, null: false
-      t.string :client_secret, null: false
-      t.string :authorization_endpoint
-      t.string :token_endpoint
-      t.string :userinfo_endpoint
-      t.string :jwks_uri
-      t.string :scopes, default: "openid email profile"
-
-      t.timestamps
-    end
-  end
-end
diff --git a/docker-compose.yml b/docker-compose.yml
index b7284610..98de1b0d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,7 +8,7 @@ x-shared-env: &shared-env
 
 services:
   postgres:
-    image: postgres:16
+    image: postgres:16-bookworm
     environment:
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=password
diff --git a/lib/omniauth/strategies/dynamic_oidc.rb b/lib/omniauth/strategies/dynamic_oidc.rb
deleted file mode 100644
index 9591901b..00000000
--- a/lib/omniauth/strategies/dynamic_oidc.rb
+++ /dev/null
@@ -1,61 +0,0 @@
-require "omniauth_openid_connect"
-
-module OmniAuth
-  module Strategies
-    class DynamicOIDC < OmniAuth::Strategies::OpenIDConnect
-      option :name, "oidc"
-      option :issuer, "placeholder"  # Will be overridden
-
-      # Run before request_phase to load config from database
-      def request_phase
-        load_configuration_from_database
-        super
-      end
-
-      # Run before callback_phase to load config from database
-      def callback_phase
-        load_configuration_from_database
-        super
-      end
-
-      private
-
-      def load_configuration_from_database
-        sso_provider_id = request.params["sso_provider_id"] || session["sso_provider_id"]
-
-        return unless sso_provider_id.present?
-
-        begin
-          sso_provider = SSOProvider.find_by(id: sso_provider_id, enabled: true)
-
-          if sso_provider&.oidc? && sso_provider.configuration
-            oidc_config = sso_provider.configuration
-
-            # Override the options with database values
-            options[:issuer] = oidc_config.issuer
-            options[:client_options] = {
-              identifier: oidc_config.client_id,
-              secret: oidc_config.client_secret,
-              redirect_uri: callback_url,
-              authorization_endpoint: oidc_config.authorization_endpoint.presence,
-              token_endpoint: oidc_config.token_endpoint.presence,
-              userinfo_endpoint: oidc_config.userinfo_endpoint.presence,
-              jwks_uri: oidc_config.jwks_uri.presence
-            }.compact
-
-            options[:scope] = oidc_config.scopes&.split(" ") || [ :openid, :email, :profile ]
-            options[:response_type] = :code
-            options[:uid_field] = "sub"
-
-            # Store in session for callback
-            session["sso_provider_id"] = sso_provider.id
-            session["sso_account_id"] = sso_provider.account_id
-          end
-        rescue ActiveRecord::StatementInvalid, PG::UndefinedTable
-          # Database not ready yet or table doesn't exist
-          Rails.logger.debug "DynamicOIDC: database not ready"
-        end
-      end
-    end
-  end
-end
diff --git a/spec/factories/oidc_configurations.rb b/spec/factories/oidc_configurations.rb
deleted file mode 100644
index 668b106f..00000000
--- a/spec/factories/oidc_configurations.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-# == Schema Information
-#
-# Table name: oidc_configurations
-#
-#  id                     :bigint           not null, primary key
-#  authorization_endpoint :string
-#  client_secret          :string           not null
-#  issuer                 :string           not null
-#  jwks_uri               :string
-#  scopes                 :string           default("openid email profile")
-#  token_endpoint         :string
-#  userinfo_endpoint      :string
-#  created_at             :datetime         not null
-#  updated_at             :datetime         not null
-#  client_id              :string           not null
-#
-FactoryBot.define do
-  factory :oidc_configuration do
-    issuer { "MyString" }
-    client_id { "MyString" }
-    client_secret { "MyString" }
-    authorization_endpoint { "MyString" }
-    token_endpoint { "MyString" }
-    userinfo_endpoint { "MyString" }
-    jwks_uri { "MyString" }
-    scopes { "MyString" }
-  end
-end
diff --git a/spec/models/oidc_configuration_spec.rb b/spec/models/oidc_configuration_spec.rb
deleted file mode 100644
index 3fe2e56e..00000000
--- a/spec/models/oidc_configuration_spec.rb
+++ /dev/null
@@ -1,21 +0,0 @@
-# == Schema Information
-#
-# Table name: oidc_configurations
-#
-#  id                     :bigint           not null, primary key
-#  authorization_endpoint :string
-#  client_secret          :string           not null
-#  issuer                 :string           not null
-#  jwks_uri               :string
-#  scopes                 :string           default("openid email profile")
-#  token_endpoint         :string
-#  userinfo_endpoint      :string
-#  created_at             :datetime         not null
-#  updated_at             :datetime         not null
-#  client_id              :string           not null
-#
-require 'rails_helper'
-
-RSpec.describe OIDCConfiguration, type: :model do
-  pending "add some examples to (or delete) #{__FILE__}"
-end

From 2cc46c6441b2986ce120b15d5c7bde056e470dd8 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Mon, 1 Dec 2025 21:51:36 -0800
Subject: [PATCH 26/75] working team sync

---
 app/actions/sso/create_teams_in_account.rb    |  11 +
 app/actions/sso/create_user_in_account.rb     |  27 ++
 app/actions/sso/sync_teams.rb                 |  12 +
 app/actions/sso/sync_user_teams.rb            |  10 +
 app/avo/resources/ldap_configuration.rb       |   5 +-
 app/models/ldap_configuration.rb              |   6 +-
 app/models/sso_provider.rb                    |   2 +-
 app/services/ldap/authenticator.rb            | 261 ++++++++++++++++++
 config/initializers/devise.rb                 |   1 -
 ...251126014509_create_ldap_configurations.rb |   2 -
 db/schema.rb                                  |  32 ++-
 lib/devise/strategies/ldap_authenticatable.rb | 151 ++++------
 .../sso/create_teams_in_account_spec.rb       |  17 ++
 .../sso/create_user_in_account_spec.rb        |  27 ++
 spec/actions/sso/sync_user_teams_spec.rb      |  18 ++
 spec/factories/ldap_configurations.rb         |   2 -
 spec/models/ldap_configuration_spec.rb        |   2 -
 17 files changed, 477 insertions(+), 109 deletions(-)
 create mode 100644 app/actions/sso/create_teams_in_account.rb
 create mode 100644 app/actions/sso/create_user_in_account.rb
 create mode 100644 app/actions/sso/sync_teams.rb
 create mode 100644 app/actions/sso/sync_user_teams.rb
 create mode 100644 app/services/ldap/authenticator.rb
 create mode 100644 spec/actions/sso/create_teams_in_account_spec.rb
 create mode 100644 spec/actions/sso/create_user_in_account_spec.rb
 create mode 100644 spec/actions/sso/sync_user_teams_spec.rb

diff --git a/app/actions/sso/create_teams_in_account.rb b/app/actions/sso/create_teams_in_account.rb
new file mode 100644
index 00000000..6eb41de2
--- /dev/null
+++ b/app/actions/sso/create_teams_in_account.rb
@@ -0,0 +1,11 @@
+class SSO::CreateTeamsInAccount
+  extend LightService::Action
+  expects :account, :team_names
+  promises :teams
+
+  executed do |context|
+    context.teams = context.team_names.map do |team_hash|
+      context.account.teams.find_or_create_by!(name: team_hash[:name])
+    end
+  end
+end
\ No newline at end of file
diff --git a/app/actions/sso/create_user_in_account.rb b/app/actions/sso/create_user_in_account.rb
new file mode 100644
index 00000000..0b62fb18
--- /dev/null
+++ b/app/actions/sso/create_user_in_account.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module SSO
+  class CreateUserInAccount
+    extend LightService::Action
+    expects :email, :account
+    promises :user
+
+    executed do |context|
+      user = User.find_or_initialize_by(email: context.email.downcase)
+
+      if user.new_record?
+        password = SecureRandom.hex(32)
+        user.password = password
+        user.password_confirmation = password
+
+        unless user.save
+          context.fail_and_return!("Failed to create user", errors: user.errors)
+        end
+      end
+
+      AccountUser.find_or_create_by!(account: context.account, user: user)
+
+      context.user = user
+    end
+  end
+end
diff --git a/app/actions/sso/sync_teams.rb b/app/actions/sso/sync_teams.rb
new file mode 100644
index 00000000..0e834d47
--- /dev/null
+++ b/app/actions/sso/sync_teams.rb
@@ -0,0 +1,12 @@
+class SSO::SyncTeams
+  extend LightService::Action
+  expects :user, :teams
+  promises :team_memberships
+
+  executed do |context|
+    # Find all teams the user is currently in
+    context.team_memberships = context.teams.map do |team|
+      TeamMembership.find_or_create_by!(user: context.user, team:)
+    end
+  end
+end
\ No newline at end of file
diff --git a/app/actions/sso/sync_user_teams.rb b/app/actions/sso/sync_user_teams.rb
new file mode 100644
index 00000000..1d741917
--- /dev/null
+++ b/app/actions/sso/sync_user_teams.rb
@@ -0,0 +1,10 @@
+class SSO::SyncUserTeams
+  extend LightService::Organizer
+  def self.call(email, team_names, account)
+    with(email:, team_names:, account:).reduce(
+      SSO::CreateTeamsInAccount,
+      SSO::CreateUserInAccount,
+      SSO::SyncTeams,
+    )
+  end
+end
\ No newline at end of file
diff --git a/app/avo/resources/ldap_configuration.rb b/app/avo/resources/ldap_configuration.rb
index 72cbadee..743b2ec7 100644
--- a/app/avo/resources/ldap_configuration.rb
+++ b/app/avo/resources/ldap_configuration.rb
@@ -11,8 +11,9 @@ class Avo::Resources::LDAPConfiguration < Avo::BaseResource
       start_tls: "STARTTLS"
     }, default: "plain"
     field :base_dn, as: :text, required: true, help: "Base DN for user searches (e.g., ou=users,dc=example,dc=com)"
-    field :bind_dn, as: :text, help: "Bind DN for authentication (optional for anonymous bind)"
-    field :bind_password, as: :password, help: "Bind password (optional for anonymous bind)"
+    field :allow_anonymous_reads, as: :boolean, help: "Allow anonymous LDAP reads (if disabled, bind credentials are required for group lookups)"
+    field :bind_dn, as: :text, help: "Bind DN for authentication (required if anonymous reads disabled)"
+    field :bind_password, as: :password, help: "Bind password (required if anonymous reads disabled)"
     field :uid_attribute, as: :text, required: true, help: "Attribute for username (e.g., uid, sAMAccountName)", default: "uid"
     field :email_attribute, as: :text, help: "Attribute for email address", default: "mail"
     field :name_attribute, as: :text, help: "Attribute for full name", default: "cn"
diff --git a/app/models/ldap_configuration.rb b/app/models/ldap_configuration.rb
index 1ffa6e9e..10d7ab8d 100644
--- a/app/models/ldap_configuration.rb
+++ b/app/models/ldap_configuration.rb
@@ -13,8 +13,6 @@
 #  host                  :string           not null
 #  name_attribute        :string           default("cn")
 #  port                  :integer          default(389), not null
-#  reader_dn             :string
-#  reader_password       :string
 #  uid_attribute         :string           default("uid"), not null
 #  created_at            :datetime         not null
 #  updated_at            :datetime         not null
@@ -29,8 +27,8 @@ class LDAPConfiguration < ApplicationRecord
   validates :port, presence: true, numericality: { only_integer: true, greater_than: 0 }
   validates :base_dn, presence: true
   validates :uid_attribute, presence: true
-  validates_presence_of :reader_dn, if: :allow_anonymous_reads?
-  validates_presence_of :reader_password, if: :allow_anonymous_reads?
+  validates_presence_of :bind_dn, if: :allow_anonymous_reads?
+  validates_presence_of :bind_password, if: :allow_anonymous_reads?
 
   # Returns encryption method as symbol for Net::LDAP
   # Encryption options: plain (no encryption), simple_tls (LDAPS), start_tls (STARTTLS)
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index 1c120f31..9e717a3c 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -30,7 +30,7 @@ class SSOProvider < ApplicationRecord
   enum :team_provisioning_mode, {
     disabled: 0,
     just_in_time: 1,
-    scim: 2
+    # scim: 2
   }
 
 
diff --git a/app/services/ldap/authenticator.rb b/app/services/ldap/authenticator.rb
new file mode 100644
index 00000000..4fba9f82
--- /dev/null
+++ b/app/services/ldap/authenticator.rb
@@ -0,0 +1,261 @@
+# app/services/ldap/authenticator.rb
+require 'net/ldap'
+
+module LDAP
+  class Authenticator
+    Result = Struct.new(
+      :success?,
+      :email,
+      :name,
+      :user_dn,
+      :entry,
+      :groups,
+      :error_message,
+      keyword_init: true
+    )
+
+    def initialize(ldap_configuration, logger: Rails.logger)
+      @config = ldap_configuration
+      @logger = logger
+    end
+
+    # Public API
+    # ----------
+    # call(username:, password:) -> Result
+    #
+    def call(username:, password:)
+      # 1) Bind as reader (service account or anonymous)
+      reader_ldap = build_reader_connection
+
+      unless reader_ldap.bind
+        msg = "LDAP reader bind failed: #{reader_ldap.get_operation_result.message}"
+        @logger.warn msg
+        return Result.new(success?: false, error_message: msg)
+      end
+
+      # 2) Search for the user entry using uid_attribute + filter
+      entry = search_user_entry(reader_ldap, username)
+
+      if entry.nil?
+        msg = "LDAP search: no user entry found for username=#{username.inspect}"
+        @logger.info msg
+        return Result.new(success?: false, error_message: msg)
+      end
+
+      user_dn = entry.dn
+
+      # 3) Bind as the user to verify the password
+      auth_ldap = build_user_auth_connection(user_dn, password)
+
+      unless auth_ldap.bind
+        msg = "LDAP user bind failed for DN=#{user_dn}: #{auth_ldap.get_operation_result.message}"
+        @logger.info msg
+        return Result.new(success?: false, error_message: msg)
+      end
+
+      # 4) Successful LDAP auth → map attributes, fetch groups
+      email  = resolve_email(entry, username)
+      name   = resolve_name(entry, username)
+      groups = fetch_group_membership(entry)
+
+      Result.new(
+        success?: true,
+        email: email,
+        name: name,
+        user_dn: user_dn,
+        entry: entry,
+        groups: groups,
+        error_message: nil
+      )
+    rescue => e
+      @logger.error "LDAP auth: unexpected error - #{e.class}: #{e.message}"
+      Result.new(success?: false, error_message: e.message)
+    end
+
+    private
+
+    attr_reader :config, :logger
+
+    # ---------------- CONNECTION HELPERS ----------------
+
+    def build_reader_connection
+      # If we have bind_dn/bind_password, use them.
+      # Otherwise, only allow anonymous if allow_anonymous_reads is true.
+      options = {
+        host: config.host,
+        port: config.port
+      }
+
+      encryption = net_ldap_encryption
+      options[:encryption] = encryption if encryption
+
+      if config.bind_dn.present? && config.bind_password.present?
+        options[:auth] = {
+          method: :simple,
+          username: config.bind_dn,
+          password: config.bind_password
+        }
+      elsif !config.allow_anonymous_reads?
+        # No way to bind safely
+        # Let caller see failure via bind result
+        logger.info "LDAP: no reader credentials and anonymous reads disabled"
+      end
+
+      Net::LDAP.new(options)
+    end
+
+    def build_user_auth_connection(user_dn, password)
+      options = {
+        host: config.host,
+        port: config.port
+      }
+
+      encryption = net_ldap_encryption
+      options[:encryption] = encryption if encryption
+
+      ldap = Net::LDAP.new(options)
+      ldap.auth(user_dn, password)
+      ldap
+    end
+
+    # Map your `encryption` enum to Net::LDAP’s expectations
+    #
+    # Adjust the case branches here to match your actual enum:
+    #   enum encryption: { plain: 0, start_tls: 1, simple_tls: 2 }
+    #
+    def net_ldap_encryption
+      case config.encryption.to_s
+      when 'plain', 'none'
+        nil
+      when 'start_tls'
+        { method: :start_tls }
+      when 'simple_tls', 'ssl'
+        { method: :simple_tls }
+      else
+        nil
+      end
+    end
+
+    # ---------------- SEARCH ----------------
+
+    def search_user_entry(ldap, username)
+      uid_attr = config.uid_attribute.presence || 'uid'
+
+      user_filter = Net::LDAP::Filter.eq(uid_attr, username)
+
+      # config.filter is an LDAP filter string, e.g. "(objectClass=person)"
+      base_filter =
+        if config.filter.present?
+          Net::LDAP::Filter.construct(config.filter)
+        else
+          Net::LDAP::Filter.eq('objectClass', '*') # match anything if no filter given
+        end
+
+      filter = base_filter & user_filter
+
+      entry = nil
+      ldap.search(base: config.base_dn, filter: filter, size: 2) do |e|
+        entry = e
+        break
+      end
+
+      entry
+    end
+
+    # ---------------- ATTRIBUTE MAPPING ----------------
+
+    def resolve_email(entry, username)
+      attr = config.email_attribute.presence || 'mail'
+
+      if entry[attr].present?
+        entry[attr].first
+      else
+        # Fallback to username or constructed email
+        construct_email(username)
+      end
+    end
+
+    def resolve_name(entry, username)
+      attr = config.name_attribute.presence || 'cn'
+
+      if entry[attr].present?
+        entry[attr].first
+      elsif entry[:cn].present?
+        entry[:cn].first
+      else
+        username
+      end
+    end
+
+    def construct_email(username)
+      return username if username.include?('@')
+
+      domain = config.try(:mail_domain) || config.host
+      "#{username}@#{domain}"
+    end
+
+    # ---------------- GROUP MEMBERSHIP ----------------
+
+    def fetch_group_membership(user_entry)
+      reader_ldap = build_reader_connection
+    
+      unless reader_ldap.bind
+        if config.allow_anonymous_reads?
+          logger.warn "LDAP group lookup: anonymous/reader bind failed: #{reader_ldap.get_operation_result.message}"
+        else
+          logger.info "LDAP group lookup skipped: cannot bind and anonymous reads disabled"
+        end
+        return []
+      end
+    
+      groups = []
+    
+      # From the entry
+      dn_from_entry = user_entry.dn
+    
+      uid_attr = config.uid_attribute.presence || 'uid'
+      uid_val  = Array(user_entry[uid_attr]).first
+    
+      # This is the DN your groups seem to be using:
+      #   uid=czhu,dc=example,dc=org
+      dn_from_uid = if uid_val.present?
+        "#{uid_attr}=#{uid_val},#{config.base_dn}"
+      end
+    
+      member_filters = []
+    
+      # Try DN from entry (cn=... case)
+      member_filters << Net::LDAP::Filter.eq('member', dn_from_entry) if dn_from_entry.present?
+    
+      # Try DN built from uid (uid=... case – this is the one that works for you)
+      member_filters << Net::LDAP::Filter.eq('member', dn_from_uid) if dn_from_uid.present?
+    
+      # Try memberUid=uid (posixGroup style)
+      member_filters << Net::LDAP::Filter.eq('memberUid', uid_val) if uid_val.present?
+    
+      # If for some reason we have no filters, bail out
+      return [] if member_filters.empty?
+    
+      member_filter = member_filters.reduce do |memo, f|
+        memo | f
+      end
+    
+      group_filter  = Net::LDAP::Filter.eq('objectClass', 'groupOfNames') |
+                      Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
+                      Net::LDAP::Filter.eq('objectClass', 'posixGroup')
+    
+      combined_filter = group_filter & member_filter
+    
+      reader_ldap.search(base: config.base_dn, filter: combined_filter) do |entry|
+        groups << { name: entry.cn.first }
+      end
+    
+      logger.info "Found #{groups.size} LDAP groups for user #{dn_from_entry}"
+      groups
+    rescue => e
+      logger.error "LDAP group lookup error for #{dn_from_entry}: #{e.class}: #{e.message}"
+      []
+    end
+
+  end
+end
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index f5e250c2..828812e0 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -283,7 +283,6 @@ Devise.setup do |config|
   require Rails.root.join('lib', 'devise', 'strategies', 'ldap_authenticatable')
 
   config.warden do |manager|
-    puts "Adding LDAP authenticatable strategy"
     manager.strategies.add(:ldap_authenticatable, Devise::Strategies::LDAPAuthenticatable)
   end
 
diff --git a/db/migrate/20251126014509_create_ldap_configurations.rb b/db/migrate/20251126014509_create_ldap_configurations.rb
index 90fa3689..d30dddbe 100644
--- a/db/migrate/20251126014509_create_ldap_configurations.rb
+++ b/db/migrate/20251126014509_create_ldap_configurations.rb
@@ -12,8 +12,6 @@ class CreateLDAPConfigurations < ActiveRecord::Migration[7.2]
       t.string :name_attribute, default: "cn"
       t.string :filter
       t.boolean :allow_anonymous_reads, default: false
-      t.string :reader_dn
-      t.string :reader_password
 
       t.timestamps
     end
diff --git a/db/schema.rb b/db/schema.rb
index 0e5ce25b..191dc5d2 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_11_26_014503) do
+ActiveRecord::Schema[7.2].define(version: 2025_11_26_014509) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -335,6 +335,22 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_26_014503) do
     t.datetime "updated_at", null: false
   end
 
+  create_table "ldap_configurations", force: :cascade do |t|
+    t.string "host", null: false
+    t.integer "port", default: 389, null: false
+    t.integer "encryption", null: false
+    t.string "base_dn", null: false
+    t.string "bind_dn"
+    t.string "bind_password"
+    t.string "uid_attribute", default: "uid", null: false
+    t.string "email_attribute", default: "mail"
+    t.string "name_attribute", default: "cn"
+    t.string "filter"
+    t.boolean "allow_anonymous_reads", default: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   create_table "log_outputs", force: :cascade do |t|
     t.bigint "loggable_id", null: false
     t.string "loggable_type", null: false
@@ -481,6 +497,19 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_26_014503) do
     t.index ["project_id"], name: "index_services_on_project_id"
   end
 
+  create_table "sso_providers", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "configuration_type", null: false
+    t.bigint "configuration_id", null: false
+    t.string "name", null: false
+    t.boolean "enabled", default: true, null: false
+    t.integer "team_provisioning_mode", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["account_id"], name: "index_sso_providers_on_account_id", unique: true
+    t.index ["configuration_type", "configuration_id"], name: "index_sso_providers_on_configuration"
+  end
+
   create_table "stack_managers", force: :cascade do |t|
     t.string "provider_url", null: false
     t.integer "stack_manager_type", default: 0, null: false
@@ -580,6 +609,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_26_014503) do
   add_foreign_key "projects", "clusters", column: "project_fork_cluster_id"
   add_foreign_key "providers", "users"
   add_foreign_key "services", "projects"
+  add_foreign_key "sso_providers", "accounts"
   add_foreign_key "stack_managers", "accounts"
   add_foreign_key "team_memberships", "teams"
   add_foreign_key "team_memberships", "users"
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index 9e07c83d..dded71be 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -1,89 +1,72 @@
+# app/strategies/devise/ldap_authenticatable.rb
 require 'devise/strategies/authenticatable'
 
 module Devise
   module Strategies
     class LDAPAuthenticatable < Authenticatable
-      def self.fetch_group_membership(ldap_configuration, user_dn)
-        unless ldap_configuration.reader_dn.present? && ldap_configuration.reader_password.present?
-          return []
-        end
-
-        reader_ldap = Net::LDAP.new(
-          host: ldap_configuration.host,
-          port: ldap_configuration.port,
-          encryption: ldap_configuration.encryption_method,
-          auth: {
-            method: :simple,
-            username: ldap_configuration.reader_dn,
-            password: ldap_configuration.reader_password
-          }
-        )
-
-        unless reader_ldap.bind
-          Rails.logger.warn "LDAP reader bind failed: #{reader_ldap.get_operation_result.message}"
-          return []
-        end
-
-        groups = []
-
-        # Search for groups where the user is a member
-        # Try both member (DN-based) and memberUid (username-based) attributes
-        member_filter = Net::LDAP::Filter.eq("member", user_dn)
-        member_uid_filter = Net::LDAP::Filter.eq("memberUid", user_dn.split(",").first.split("=").last)
-        group_filter = Net::LDAP::Filter.eq("objectClass", "groupOfNames") |
-                       Net::LDAP::Filter.eq("objectClass", "groupOfUniqueNames") |
-                       Net::LDAP::Filter.eq("objectClass", "posixGroup")
-
-        combined_filter = group_filter & (member_filter | member_uid_filter)
-
-        reader_ldap.search(base: ldap_configuration.base_dn, filter: combined_filter) do |entry|
-          groups << { name: entry.cn.first }
-        end
-
-        Rails.logger.info "Found #{groups.size} LDAP groups for user #{user_dn}"
-        groups
-      end
-
       def valid?
-        puts "Validating ldap authenticatable"
+        # basic shape check
+        user_params = params[:user]
+        return false unless user_params.is_a?(ActionController::Parameters) || user_params.is_a?(Hash)
+      
+        username = user_params[:username].presence
+        password = user_params[:password].presence
+      
+        return false if username.blank? || password.blank?
+      
+        # make sure this slug maps to an LDAP-enabled account
+        begin
+          account = Account.friendly.find(params[:slug])
+      
+          return false unless account&.sso_enabled?
+          sso_provider = account.sso_provider
+          return false unless sso_provider&.ldap?
+        rescue ActiveRecord::RecordNotFound
+          # bad slug → this strategy is not applicable
+          return false
+        end
+      
         true
       end
 
       def authenticate!
-        if params[:user]
-          ldap_configuration = find_ldap_configuration
+        return unless params[:user]
 
-          return fail(:invalid_login) unless ldap_configuration
+        ldap_configuration = find_ldap_configuration
+        return fail(:invalid_login) unless ldap_configuration
 
-          ldap = Net::LDAP.new(
-            host: ldap_configuration.host,
-            port: ldap_configuration.port,
-            encryption: ldap_configuration.encryption_method
-          )
+        authenticator = LDAP::Authenticator.new(ldap_configuration)
 
-          # Build the user DN for authentication
-          user_dn = build_user_dn(ldap_configuration, username)
-          ldap.auth user_dn, password
+        result = authenticator.call(username: username, password: password)
 
-          if ldap.bind
-            # LDAP authentication successful, find or create user
-            email = construct_email(username, ldap_configuration)
-            # Determine the groups
-            groups = self.class.fetch_group_membership(ldap_configuration, user_dn)
-            ActiveRecord::Base.transaction do
-              user = User.find_or_create_by!(email: email) do |user|
-                password = SecureRandom.hex(32)
-                user.password = password
-                user.password_confirmation = password
-              end
-              AccountUser.find_or_create_by!(account: ldap_configuration.account, user:)
-            end
-            success!(user)
-          else
-            Rails.logger.info "LDAP bind failed for #{email}: #{ldap.get_operation_result.message}"
-            fail(:invalid_login)
-          end
+        unless result.success?
+          Rails.logger.info "LDAP auth failed for username=#{username.inspect}: #{result.error_message}"
+          return fail(:invalid_login)
         end
+
+        email = result.email
+        groups = result.groups
+        sso_provider = ldap_configuration.sso_provider
+
+        if sso_provider.just_in_time?
+          ar_result = ActiveRecord::Base.transaction do
+            SSO::SyncUserTeams.call(email, groups, ldap_configuration.account)
+          end
+        else
+          ar_result = SSO::CreateUserInAccount.call(email, ldap_configuration.account)
+        end
+
+        if ar_result.failure?
+          return fail(:invalid_login)
+        end
+
+        success!(ar_result.user)
+      rescue ActiveRecord::RecordNotFound => e
+        Rails.logger.warn "LDAP auth: account not found - #{e.message}"
+        fail(:invalid_login)
+      rescue => e
+        Rails.logger.error "LDAP auth: unexpected error in Devise strategy - #{e.class}: #{e.message}"
+        fail(:invalid_login)
       end
 
       def username
@@ -97,38 +80,18 @@ module Devise
       private
 
       def find_ldap_configuration
-        # Find the LDAP configuration for the account
-        # This could be based on email domain or a selection during login
         account = Account.friendly.find(params[:slug])
         unless account.sso_enabled?
-          raise "SSO is not enabled for this account"
+          raise 'SSO is not enabled for this account'
         end
 
         sso_provider = account.sso_provider
         unless sso_provider.ldap?
-          raise "Account does not support LDAP authentication"
+          raise 'Account does not support LDAP authentication'
         end
+
         sso_provider.configuration
       end
-
-      def build_user_dn(ldap_config, username)
-        # Build the DN using the uid attribute and base DN
-        "#{ldap_config.uid_attribute}=#{username},#{ldap_config.base_dn}"
-      end
-
-      def construct_email(username, ldap_config)
-        # If username is already an email, use it as-is
-        return username if username.include?('@')
-
-        # Otherwise, construct email using mail_domain from config if available
-        domain = ldap_config.try(:mail_domain) || ldap_config.host
-        "#{username}@#{domain}"
-      end
-
-      def find_or_create_account_for_ldap(ldap_config)
-        sso_provider = ldap_config.sso_provider
-        sso_provider&.account
-      end
     end
   end
 end
diff --git a/spec/actions/sso/create_teams_in_account_spec.rb b/spec/actions/sso/create_teams_in_account_spec.rb
new file mode 100644
index 00000000..259b7f77
--- /dev/null
+++ b/spec/actions/sso/create_teams_in_account_spec.rb
@@ -0,0 +1,17 @@
+require 'rails_helper'
+
+RSpec.describe SSO::CreateTeamsInAccount do
+  let(:account) { create(:account) }
+
+  describe '.execute' do
+    it 'creates only teams that do not already exist' do
+      create(:team, account: account, name: 'Engineering')
+
+      result = described_class.execute(account: account, team_names: [{ name: 'Engineering' }, { name: 'Design' }])
+
+      expect(result).to be_success
+      expect(account.teams.pluck(:name)).to match_array(%w[Engineering Design])
+      expect(account.teams.count).to eq(2)
+    end
+  end
+end
diff --git a/spec/actions/sso/create_user_in_account_spec.rb b/spec/actions/sso/create_user_in_account_spec.rb
new file mode 100644
index 00000000..5be8c16d
--- /dev/null
+++ b/spec/actions/sso/create_user_in_account_spec.rb
@@ -0,0 +1,27 @@
+require 'rails_helper'
+
+RSpec.describe SSO::CreateUserInAccount do
+  let(:account) { create(:account) }
+
+  describe '.execute' do
+    it 'creates a new user and associates them with the account when user does not exist' do
+      result = described_class.execute(email: 'new@example.com', account: account)
+
+      expect(result).to be_success
+      expect(result.user).to be_persisted
+      expect(result.user.email).to eq('new@example.com')
+      expect(account.users).to include(result.user)
+    end
+
+    it 'associates an existing user with the account without creating a duplicate' do
+      existing_user = create(:user, email: 'existing@example.com')
+
+      result = described_class.execute(email: 'EXISTING@example.com', account: account)
+
+      expect(result).to be_success
+      expect(result.user).to eq(existing_user)
+      expect(account.users).to include(existing_user)
+      expect(User.where(email: 'existing@example.com').count).to eq(1)
+    end
+  end
+end
diff --git a/spec/actions/sso/sync_user_teams_spec.rb b/spec/actions/sso/sync_user_teams_spec.rb
new file mode 100644
index 00000000..a9b7ee2d
--- /dev/null
+++ b/spec/actions/sso/sync_user_teams_spec.rb
@@ -0,0 +1,18 @@
+require 'rails_helper'
+
+RSpec.describe SSO::SyncUserTeams do
+  let(:account) { create(:account) }
+
+  describe '.call' do
+    it 'creates user, teams, and team memberships' do
+      create(:team, account: account, name: 'Existing')
+
+      result = described_class.call('new@example.com', [{ name: 'Existing' }, { name: 'NewTeam' }], account)
+
+      expect(result).to be_success
+      expect(result.user.email).to eq('new@example.com')
+      expect(account.teams.pluck(:name)).to match_array(%w[Existing NewTeam])
+      expect(result.user.teams).to match_array(account.teams)
+    end
+  end
+end
diff --git a/spec/factories/ldap_configurations.rb b/spec/factories/ldap_configurations.rb
index ade5cc5b..6993b395 100644
--- a/spec/factories/ldap_configurations.rb
+++ b/spec/factories/ldap_configurations.rb
@@ -13,8 +13,6 @@
 #  host                  :string           not null
 #  name_attribute        :string           default("cn")
 #  port                  :integer          default(389), not null
-#  reader_dn             :string
-#  reader_password       :string
 #  uid_attribute         :string           default("uid"), not null
 #  created_at            :datetime         not null
 #  updated_at            :datetime         not null
diff --git a/spec/models/ldap_configuration_spec.rb b/spec/models/ldap_configuration_spec.rb
index e925cbfe..7563d88e 100644
--- a/spec/models/ldap_configuration_spec.rb
+++ b/spec/models/ldap_configuration_spec.rb
@@ -13,8 +13,6 @@
 #  host                  :string           not null
 #  name_attribute        :string           default("cn")
 #  port                  :integer          default(389), not null
-#  reader_dn             :string
-#  reader_password       :string
 #  uid_attribute         :string           default("uid"), not null
 #  created_at            :datetime         not null
 #  updated_at            :datetime         not null

From ddb176ed87d3d06c32cae45dde7c87b852ba0b64 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Mon, 1 Dec 2025 21:56:57 -0800
Subject: [PATCH 27/75] lint fixes

---
 app/actions/sso/create_teams_in_account.rb    |  2 +-
 app/actions/sso/sync_teams.rb                 |  2 +-
 app/actions/sso/sync_user_teams.rb            |  2 +-
 app/models/sso_provider.rb                    |  2 +-
 app/services/ldap/authenticator.rb            | 31 +++++++++----------
 lib/devise/strategies/ldap_authenticatable.rb | 10 +++---
 .../sso/create_teams_in_account_spec.rb       |  2 +-
 spec/actions/sso/sync_user_teams_spec.rb      |  2 +-
 8 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/app/actions/sso/create_teams_in_account.rb b/app/actions/sso/create_teams_in_account.rb
index 6eb41de2..900f5810 100644
--- a/app/actions/sso/create_teams_in_account.rb
+++ b/app/actions/sso/create_teams_in_account.rb
@@ -8,4 +8,4 @@ class SSO::CreateTeamsInAccount
       context.account.teams.find_or_create_by!(name: team_hash[:name])
     end
   end
-end
\ No newline at end of file
+end
diff --git a/app/actions/sso/sync_teams.rb b/app/actions/sso/sync_teams.rb
index 0e834d47..3fabb969 100644
--- a/app/actions/sso/sync_teams.rb
+++ b/app/actions/sso/sync_teams.rb
@@ -9,4 +9,4 @@ class SSO::SyncTeams
       TeamMembership.find_or_create_by!(user: context.user, team:)
     end
   end
-end
\ No newline at end of file
+end
diff --git a/app/actions/sso/sync_user_teams.rb b/app/actions/sso/sync_user_teams.rb
index 1d741917..e0e2d33e 100644
--- a/app/actions/sso/sync_user_teams.rb
+++ b/app/actions/sso/sync_user_teams.rb
@@ -7,4 +7,4 @@ class SSO::SyncUserTeams
       SSO::SyncTeams,
     )
   end
-end
\ No newline at end of file
+end
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index 9e717a3c..6e180bf8 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -29,7 +29,7 @@ class SSOProvider < ApplicationRecord
 
   enum :team_provisioning_mode, {
     disabled: 0,
-    just_in_time: 1,
+    just_in_time: 1
     # scim: 2
   }
 
diff --git a/app/services/ldap/authenticator.rb b/app/services/ldap/authenticator.rb
index 4fba9f82..e72ce2a1 100644
--- a/app/services/ldap/authenticator.rb
+++ b/app/services/ldap/authenticator.rb
@@ -198,7 +198,7 @@ module LDAP
 
     def fetch_group_membership(user_entry)
       reader_ldap = build_reader_connection
-    
+
       unless reader_ldap.bind
         if config.allow_anonymous_reads?
           logger.warn "LDAP group lookup: anonymous/reader bind failed: #{reader_ldap.get_operation_result.message}"
@@ -207,55 +207,54 @@ module LDAP
         end
         return []
       end
-    
+
       groups = []
-    
+
       # From the entry
       dn_from_entry = user_entry.dn
-    
+
       uid_attr = config.uid_attribute.presence || 'uid'
       uid_val  = Array(user_entry[uid_attr]).first
-    
+
       # This is the DN your groups seem to be using:
       #   uid=czhu,dc=example,dc=org
       dn_from_uid = if uid_val.present?
         "#{uid_attr}=#{uid_val},#{config.base_dn}"
       end
-    
+
       member_filters = []
-    
+
       # Try DN from entry (cn=... case)
       member_filters << Net::LDAP::Filter.eq('member', dn_from_entry) if dn_from_entry.present?
-    
+
       # Try DN built from uid (uid=... case – this is the one that works for you)
       member_filters << Net::LDAP::Filter.eq('member', dn_from_uid) if dn_from_uid.present?
-    
+
       # Try memberUid=uid (posixGroup style)
       member_filters << Net::LDAP::Filter.eq('memberUid', uid_val) if uid_val.present?
-    
+
       # If for some reason we have no filters, bail out
       return [] if member_filters.empty?
-    
+
       member_filter = member_filters.reduce do |memo, f|
         memo | f
       end
-    
+
       group_filter  = Net::LDAP::Filter.eq('objectClass', 'groupOfNames') |
                       Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
                       Net::LDAP::Filter.eq('objectClass', 'posixGroup')
-    
+
       combined_filter = group_filter & member_filter
-    
+
       reader_ldap.search(base: config.base_dn, filter: combined_filter) do |entry|
         groups << { name: entry.cn.first }
       end
-    
+
       logger.info "Found #{groups.size} LDAP groups for user #{dn_from_entry}"
       groups
     rescue => e
       logger.error "LDAP group lookup error for #{dn_from_entry}: #{e.class}: #{e.message}"
       []
     end
-
   end
 end
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index dded71be..31456303 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -8,16 +8,16 @@ module Devise
         # basic shape check
         user_params = params[:user]
         return false unless user_params.is_a?(ActionController::Parameters) || user_params.is_a?(Hash)
-      
+
         username = user_params[:username].presence
         password = user_params[:password].presence
-      
+
         return false if username.blank? || password.blank?
-      
+
         # make sure this slug maps to an LDAP-enabled account
         begin
           account = Account.friendly.find(params[:slug])
-      
+
           return false unless account&.sso_enabled?
           sso_provider = account.sso_provider
           return false unless sso_provider&.ldap?
@@ -25,7 +25,7 @@ module Devise
           # bad slug → this strategy is not applicable
           return false
         end
-      
+
         true
       end
 
diff --git a/spec/actions/sso/create_teams_in_account_spec.rb b/spec/actions/sso/create_teams_in_account_spec.rb
index 259b7f77..cb92ca31 100644
--- a/spec/actions/sso/create_teams_in_account_spec.rb
+++ b/spec/actions/sso/create_teams_in_account_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe SSO::CreateTeamsInAccount do
     it 'creates only teams that do not already exist' do
       create(:team, account: account, name: 'Engineering')
 
-      result = described_class.execute(account: account, team_names: [{ name: 'Engineering' }, { name: 'Design' }])
+      result = described_class.execute(account: account, team_names: [ { name: 'Engineering' }, { name: 'Design' } ])
 
       expect(result).to be_success
       expect(account.teams.pluck(:name)).to match_array(%w[Engineering Design])
diff --git a/spec/actions/sso/sync_user_teams_spec.rb b/spec/actions/sso/sync_user_teams_spec.rb
index a9b7ee2d..f0d8a719 100644
--- a/spec/actions/sso/sync_user_teams_spec.rb
+++ b/spec/actions/sso/sync_user_teams_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe SSO::SyncUserTeams do
     it 'creates user, teams, and team memberships' do
       create(:team, account: account, name: 'Existing')
 
-      result = described_class.call('new@example.com', [{ name: 'Existing' }, { name: 'NewTeam' }], account)
+      result = described_class.call('new@example.com', [ { name: 'Existing' }, { name: 'NewTeam' } ], account)
 
       expect(result).to be_success
       expect(result.user.email).to eq('new@example.com')

From 01322d76c4bd2c998c83ab04d14c5ace765f9133 Mon Sep 17 00:00:00 2001
From: Chris Zhu <chris_zhu12@hotmail.com>
Date: Tue, 2 Dec 2025 15:32:52 +0900
Subject: [PATCH 28/75] pin postgres to bookworm

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index b7284610..98de1b0d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,7 +8,7 @@ x-shared-env: &shared-env
 
 services:
   postgres:
-    image: postgres:16
+    image: postgres:16-bookworm
     environment:
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=password

From d70eb8e35dda7bc831659cb6d98e37549faab7b9 Mon Sep 17 00:00:00 2001
From: Chris Zhu <chris_zhu12@hotmail.com>
Date: Wed, 3 Dec 2025 11:46:04 +0900
Subject: [PATCH 29/75] fix bug with cluster installation

---
 app/actions/clusters/create_namespace.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/actions/clusters/create_namespace.rb b/app/actions/clusters/create_namespace.rb
index 53a27165..2e965d5d 100644
--- a/app/actions/clusters/create_namespace.rb
+++ b/app/actions/clusters/create_namespace.rb
@@ -4,6 +4,10 @@ class Clusters::CreateNamespace
   expects :kubectl
 
   executed do |context|
-    context.kubectl.apply_yaml(K8::Namespace.new(Struct.new(:name).new(Clusters::Install::DEFAULT_NAMESPACE)).to_yaml)
+    context.kubectl.apply_yaml(
+      K8::Namespace.new(
+        Struct.new(:namespace).new(Clusters::Install::DEFAULT_NAMESPACE)
+      ).to_yaml
+    )
   end
 end

From a7fdfd0d12453111db0f091c22443b04d462a16d Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 3 Dec 2025 23:29:18 -0800
Subject: [PATCH 30/75] remove portainer stack manager based authentication

---
 app/actions/clusters/create_namespace.rb      |  6 +-
 .../accounts/stack_managers_controller.rb     | 74 ++++++++++--------
 app/controllers/application_controller.rb     |  5 ++
 .../providers/portainer_tokens_controller.rb  | 44 +++++++++++
 app/controllers/users/sessions_controller.rb  | 24 +-----
 .../stack_manager/badge_controller.js         | 54 ++++---------
 app/javascript/utils/portainer.js             | 30 +++-----
 app/models/account.rb                         |  2 +-
 app/models/user.rb                            |  6 ++
 app/policies/account_policy.rb                | 20 +++++
 .../accounts/sso_providers/show.html.erb      | 10 +--
 .../devise/sessions/_portainer_badge.html.erb | 22 +++---
 app/views/devise/sessions/portainer.html.erb  | 75 ------------------
 app/views/layouts/_sidebar.html.erb           |  4 +-
 app/views/providers/_portainer_token.html.erb | 48 ++++++++++++
 app/views/providers/index.html.erb            |  6 ++
 app/views/settings/_layout.html.erb           |  2 +-
 config/routes.rb                              |  3 +-
 lib/portainer/client.rb                       |  1 +
 lib/portainer/login.rb                        | 46 -----------
 lib/portainer/stack.rb                        |  4 +-
 spec/lib/portainer/login_spec.rb              | 77 -------------------
 22 files changed, 231 insertions(+), 332 deletions(-)
 create mode 100644 app/controllers/providers/portainer_tokens_controller.rb
 create mode 100644 app/policies/account_policy.rb
 delete mode 100644 app/views/devise/sessions/portainer.html.erb
 create mode 100644 app/views/providers/_portainer_token.html.erb
 delete mode 100644 lib/portainer/login.rb
 delete mode 100644 spec/lib/portainer/login_spec.rb

diff --git a/app/actions/clusters/create_namespace.rb b/app/actions/clusters/create_namespace.rb
index 53a27165..2e965d5d 100644
--- a/app/actions/clusters/create_namespace.rb
+++ b/app/actions/clusters/create_namespace.rb
@@ -4,6 +4,10 @@ class Clusters::CreateNamespace
   expects :kubectl
 
   executed do |context|
-    context.kubectl.apply_yaml(K8::Namespace.new(Struct.new(:name).new(Clusters::Install::DEFAULT_NAMESPACE)).to_yaml)
+    context.kubectl.apply_yaml(
+      K8::Namespace.new(
+        Struct.new(:namespace).new(Clusters::Install::DEFAULT_NAMESPACE)
+      ).to_yaml
+    )
   end
 end
diff --git a/app/controllers/accounts/stack_managers_controller.rb b/app/controllers/accounts/stack_managers_controller.rb
index be7e404a..1e1faa62 100644
--- a/app/controllers/accounts/stack_managers_controller.rb
+++ b/app/controllers/accounts/stack_managers_controller.rb
@@ -1,34 +1,11 @@
 module Accounts
   class StackManagersController < ApplicationController
     before_action :authenticate_user!
+    before_action :authorize_account_admin, only: [ :show, :new, :create, :edit, :update, :destroy, :sync_clusters, :sync_registries ]
+    before_action :set_stack_manager, only: [ :show, :edit, :update, :destroy, :sync_clusters, :sync_registries ]
     before_action :set_stack, only: [ :sync_clusters, :sync_registries ]
     skip_before_action :authenticate_user!, only: [ :verify_url, :check_reachable ]
 
-    def _verify_stack(stack)
-      if stack.authenticated?
-        head :ok
-      else
-        head :unauthorized
-      end
-    end
-
-    def verify_login
-      stack_manager = current_account.stack_manager
-      if stack_manager.nil?
-        head :not_found
-      end
-
-      # If the user is not having an email domain end in the
-      # portainer stack url, don't log them out, just return a different unauthorized.
-      if !stack_manager.is_user?(current_user)
-        head :method_not_allowed
-        return
-      end
-
-      stack = stack_manager.stack.connect(current_user, allow_anonymous: false)
-      _verify_stack(stack)
-    end
-
     def check_reachable
       url = params[:stack_manager][:url]
       unless Portainer::Client.reachable?(url)
@@ -38,6 +15,30 @@ module Accounts
       head :ok
     end
 
+    def verify_connectivity
+      stack_manager = current_account.stack_manager
+      if stack_manager.nil?
+        head :not_found
+        return
+      end
+
+      if current_user.portainer_jwt.blank?
+        head :unauthorized
+        return
+      end
+
+      stack = stack_manager.stack.connect(current_user, allow_anonymous: false)
+      if stack.authenticated?
+        head :ok
+      else
+        head :unauthorized
+      end
+    rescue Portainer::Client::MissingCredentialError, Portainer::Client::UnauthorizedError
+      head :unauthorized
+    rescue Portainer::Client::ConnectionError
+      head :bad_gateway
+    end
+
     def verify_url
       url = params[:stack_manager][:url]
       access_token = params[:stack_manager][:access_token]
@@ -59,7 +60,6 @@ module Accounts
     end
 
     def show
-      @stack_manager = current_account.stack_manager
     end
 
     def new
@@ -77,13 +77,10 @@ module Accounts
     end
 
     def edit
-      @stack_manager = current_account.stack_manager
       redirect_to new_stack_manager_path unless @stack_manager
     end
 
     def update
-      @stack_manager = current_account.stack_manager
-
       if @stack_manager.update(stack_manager_params)
         redirect_to stack_manager_path, notice: "Stack manager was successfully updated."
       else
@@ -92,7 +89,6 @@ module Accounts
     end
 
     def destroy
-      @stack_manager = current_account.stack_manager
       @stack_manager.destroy!
       redirect_to stack_manager_path, notice: "Stack manager was successfully removed."
     end
@@ -135,8 +131,24 @@ module Accounts
       )
     end
 
+    def set_stack_manager
+      @stack_manager = current_account.stack_manager
+    end
+
+    def authorize_account_admin
+      authorize current_account, :manage_stack_manager?
+    end
+
     def set_stack
-      @stack ||= current_account.stack_manager&.stack&.connect(current_user)
+      @stack ||= @stack_manager&.stack&.connect(current_user)
+    end
+
+    def _verify_stack(stack)
+      if stack.authenticated?
+        head :ok
+      else
+        head :unauthorized
+      end
     end
   end
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2fdbe252..46053350 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base
   layout :determine_layout
 
   rescue_from ActiveRecord::RecordNotFound, with: :record_not_found
+  rescue_from Portainer::Client::MissingCredentialError, with: :missing_portainer_credential
 
   protected
     def current_account
@@ -52,4 +53,8 @@ class ApplicationController < ActionController::Base
       flash[:alert] = "The requested resource could not be found."
       redirect_to root_path
     end
+
+    def missing_portainer_credential
+      redirect_to providers_path, alert: "Please add your Portainer API token to continue."
+    end
 end
diff --git a/app/controllers/providers/portainer_tokens_controller.rb b/app/controllers/providers/portainer_tokens_controller.rb
new file mode 100644
index 00000000..150e6cb0
--- /dev/null
+++ b/app/controllers/providers/portainer_tokens_controller.rb
@@ -0,0 +1,44 @@
+module Providers
+  class PortainerTokensController < ApplicationController
+    before_action :authenticate_user!
+    before_action :require_stack_manager
+
+    def update
+      token = params[:portainer_token]
+
+      if token.blank?
+        redirect_to providers_path, alert: "Please provide a Portainer API token"
+        return
+      end
+
+      provider = current_user.providers.find_or_initialize_by(provider: Provider::PORTAINER_PROVIDER)
+      provider.access_token = token
+      provider.save!
+
+      # Clear the cached portainer_jwt on the user
+      current_user.instance_variable_set(:@portainer_jwt, nil)
+
+      redirect_to providers_path, notice: "Portainer API token saved successfully"
+    end
+
+    def destroy
+      provider = current_user.providers.find_by(provider: Provider::PORTAINER_PROVIDER)
+
+      if provider&.destroy
+        current_user.instance_variable_set(:@portainer_jwt, nil)
+        redirect_to providers_path, notice: "Portainer API token removed"
+      else
+        redirect_to providers_path, alert: "No Portainer API token found"
+      end
+    end
+
+    private
+
+    def require_stack_manager
+      stack_manager = current_account.stack_manager
+      unless stack_manager&.portainer? && stack_manager.enable_role_based_access_control?
+        redirect_to providers_path, alert: "This account does not require individual Portainer credentials"
+      end
+    end
+  end
+end
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index 604242f4..d8a353b7 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -41,9 +41,7 @@ class Users::SessionsController < Devise::SessionsController
     self.resource = resource_class.new(sign_in_params)
     clean_up_passwords(resource)
     @sso_provider = @account.sso_provider if @account.sso_enabled?
-    if @account.stack_manager&.portainer?
-      render "devise/sessions/portainer"
-    elsif @account.sso_provider&.ldap?
+    if @account.sso_provider&.ldap?
       render "devise/sessions/ldap"
     else
       render :new
@@ -66,26 +64,6 @@ class Users::SessionsController < Devise::SessionsController
         clean_up_passwords(self.resource)
         render "devise/sessions/ldap"
       end
-    # If account has a stack manager, use Portainer authentication
-    elsif @account.stack_manager.present?
-      result = Portainer::Login.execute(
-        username: params[:user][:username],
-        password: params[:user][:password],
-        account: @account,
-      )
-
-      if result.success?
-        sign_in(result.user)
-        # Auto-associate user with account if they sign in through account URL
-        session[:account_id] = result.account.id
-
-        redirect_to after_sign_in_path_for(result.user), notice: "Logged in successfully"
-      else
-        flash[:alert] = result.message
-        self.resource = result.user || resource_class.new(sign_in_params)
-        clean_up_passwords(resource)
-        render 'devise/sessions/portainer'
-      end
     else
       redirect_to new_user_session_path
     end
diff --git a/app/javascript/controllers/stack_manager/badge_controller.js b/app/javascript/controllers/stack_manager/badge_controller.js
index b230ab4d..e7b64880 100644
--- a/app/javascript/controllers/stack_manager/badge_controller.js
+++ b/app/javascript/controllers/stack_manager/badge_controller.js
@@ -1,59 +1,39 @@
 import { Controller } from "@hotwired/stimulus"
 import { PortainerChecker } from "../../utils/portainer"
 
-const AUTHENTICATION_VERIFICATION_METHOD = "authentication";
-const URL_VERIFICATION_METHOD = "url";
-
 export default class extends Controller {
-  static targets = [ "message", "verifyUrlSuccess", "verifyUrlError", "verifyUrlLoading", "verifyUrlNotAllowed" ]
+  static targets = [ "verifyUrlSuccess", "verifyUrlError", "verifyUrlLoading", "verifyUrlUnauthorized" ]
 
   static values = {
-    verificationMethod: String,
     verifyUrl: String,
+    credentialsPath: { type: String, default: "/providers" },
+    rbacEnabled: { type: Boolean, default: false }
   }
 
   async connect() {
     this.verifyUrlLoadingTarget.classList.remove('hidden')
     const portainerChecker = new PortainerChecker();
-    let result = null;
-    if (this.verificationMethodValue === AUTHENTICATION_VERIFICATION_METHOD) {
-      result = await portainerChecker.verifyPortainerAuthentication();
-    } else if (this.verificationMethodValue === URL_VERIFICATION_METHOD) {
-      const url = this.verifyUrlValue;
-      result = await portainerChecker.checkReachable(url);
-    }
 
-    if (result === PortainerChecker.STATUS_UNAUTHORIZED) {
-      this.logout();
-    } else if (result === PortainerChecker.STATUS_OK) {
+    // Only verify user connectivity if RBAC is enabled, otherwise just check URL reachability
+    const result = this.rbacEnabledValue
+      ? await portainerChecker.verifyConnectivity()
+      : await portainerChecker.checkReachable(this.verifyUrlValue);
+
+    if (result === PortainerChecker.STATUS_OK) {
       this.verifyUrlSuccessTarget.classList.remove('hidden')
-    } else if (result === PortainerChecker.STATUS_NOT_ALLOWED) {
-      this.verifyUrlNotAllowedTarget.classList.remove('hidden')
+    } else if (result === PortainerChecker.STATUS_UNAUTHORIZED && this.rbacEnabledValue) {
+      if (this.hasVerifyUrlUnauthorizedTarget) {
+        this.verifyUrlUnauthorizedTarget.classList.remove('hidden')
+      } else {
+        this.verifyUrlErrorTarget.classList.remove('hidden')
+      }
     } else {
       this.verifyUrlErrorTarget.classList.remove('hidden')
     }
     this.verifyUrlLoadingTarget.classList.add('hidden')
   }
 
-  async logout() {
-    try {
-      const response = await fetch('/users/sign_out', {
-        method: 'DELETE',
-        headers: {
-          'X-CSRF-Token': document.querySelector('meta[name="csrf-token"]').content,
-          'Accept': 'application/json'
-        },
-        credentials: 'same-origin'
-      })
-
-      if (response.ok) {
-        const data = await response.json()
-        window.location.href = data.redirect_url
-      } else {
-        window.location.href = '/users/sign_in'
-      }
-    } catch (error) {
-      window.location.href = '/users/sign_in'
-    }
+  navigateToCredentials() {
+    window.location.href = this.credentialsPathValue
   }
 }
diff --git a/app/javascript/utils/portainer.js b/app/javascript/utils/portainer.js
index ace2f159..7bc67665 100644
--- a/app/javascript/utils/portainer.js
+++ b/app/javascript/utils/portainer.js
@@ -1,34 +1,17 @@
 export class PortainerChecker {
   static STATUS_OK = "ok";
   static STATUS_UNAUTHORIZED = "unauthorized";
-  static STATUS_NOT_ALLOWED = "not_allowed";
   static STATUS_ERROR = "error";
 
   csrfToken() {
     return document.querySelector('meta[name="csrf-token"]').content
   }
 
-  async verifyPortainerAuthentication() {
-    const response = await fetch('/stack_manager/verify_login', {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'X-CSRF-Token': this.csrfToken()
-      }
-    })
-
-    return this.toResult(response);
-  }
-
   toResult(response) {
     if (response.status === 401) {
       return PortainerChecker.STATUS_UNAUTHORIZED;
     }
 
-    if (response.status === 405) {
-      return PortainerChecker.STATUS_NOT_ALLOWED;
-    }
-
     if (response.status === 502) {
       return PortainerChecker.STATUS_ERROR;
     }
@@ -52,6 +35,17 @@ export class PortainerChecker {
     return this.toResult(response);
   }
 
+  async verifyConnectivity() {
+    const response = await fetch('/stack_manager/verify_connectivity', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRF-Token': this.csrfToken()
+      }
+    })
+    return this.toResult(response);
+  }
+
   async verifyPortainerUrl(url, accessToken) {
     const response = await fetch('/stack_manager/verify_url', {
       method: 'POST',
@@ -64,4 +58,4 @@ export class PortainerChecker {
 
     return this.toResult(response);
   }
-}
\ No newline at end of file
+}
diff --git a/app/models/account.rb b/app/models/account.rb
index 9d952250..a9709551 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -55,6 +55,6 @@ class Account < ApplicationRecord
   end
 
   def custom_login?
-    stack_manager&.stack&.provides_authentication? || sso_enabled?
+    sso_enabled?
   end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index d896b989..8cf85c9a 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -56,6 +56,12 @@ class User < ApplicationRecord
     @portainer_jwt = providers.find_by(provider: "portainer")&.access_token
   end
 
+  def needs_portainer_credential?(account)
+    account.stack_manager&.portainer? &&
+      account.stack_manager.enable_role_based_access_control? &&
+      portainer_jwt.blank?
+  end
+
   private
 
   def downcase_email
diff --git a/app/policies/account_policy.rb b/app/policies/account_policy.rb
new file mode 100644
index 00000000..508b468c
--- /dev/null
+++ b/app/policies/account_policy.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class AccountPolicy < ApplicationPolicy
+  def admin?
+    account_admin?
+  end
+
+  def manage_stack_manager?
+    account_admin?
+  end
+
+  private
+
+  def account_admin?
+    return false unless record
+
+    account_user = AccountUser.find_by(user: user, account: record)
+    account_user&.admin?
+  end
+end
diff --git a/app/views/accounts/sso_providers/show.html.erb b/app/views/accounts/sso_providers/show.html.erb
index 7b6db54c..63af6a0d 100644
--- a/app/views/accounts/sso_providers/show.html.erb
+++ b/app/views/accounts/sso_providers/show.html.erb
@@ -26,21 +26,21 @@
 
           <% if @configuration %>
             <div class="divider"></div>
-            <div class="grid grid-cols-2 gap-4 text-sm">
+            <div class="grid grid-cols-2 gap-4">
               <div>
-                <span class="text-gray-500">Host:</span>
+                <div class="text-sm font-medium text-base-content/70 mb-1">Host</div>
                 <div class="font-mono"><%= @configuration.host %>:<%= @configuration.port %></div>
               </div>
               <div>
-                <span class="text-gray-500">Base DN:</span>
+                <div class="text-sm font-medium text-base-content/70 mb-1">Base DN</div>
                 <div class="font-mono"><%= @configuration.base_dn %></div>
               </div>
               <div>
-                <span class="text-gray-500">UID Attribute:</span>
+                <div class="text-sm font-medium text-base-content/70 mb-1">UID Attribute</div>
                 <div class="font-mono"><%= @configuration.uid_attribute %></div>
               </div>
               <div>
-                <span class="text-gray-500">Encryption:</span>
+                <div class="text-sm font-medium text-base-content/70 mb-1">Encryption</div>
                 <div class="font-mono"><%= @configuration.encryption.titleize %></div>
               </div>
             </div>
diff --git a/app/views/devise/sessions/_portainer_badge.html.erb b/app/views/devise/sessions/_portainer_badge.html.erb
index 5cd92b6c..c77db734 100644
--- a/app/views/devise/sessions/_portainer_badge.html.erb
+++ b/app/views/devise/sessions/_portainer_badge.html.erb
@@ -1,9 +1,9 @@
-<% verification_method ||= "url" %>
 <div
   class="border-t border-base-300/50 transition-all duration-300 group-hover:border-base-300"
   data-controller="stack-manager--badge"
-  data-stack-manager--badge-verification-method-value="<%= verification_method %>"
   data-stack-manager--badge-verify-url-value="<%= stack_manager.provider_url %>"
+  data-stack-manager--badge-credentials-path-value="<%= providers_path %>"
+  data-stack-manager--badge-rbac-enabled-value="<%= stack_manager.enable_role_based_access_control? %>"
 >
   <div class="flex items-center justify-between">
     <%= link_to stack_manager.provider_url, target: "_blank", rel: "noopener", class: "group/badge inline-flex" do %>
@@ -15,7 +15,7 @@
           data-tip="Portainer is reachable"
           data-stack-manager--badge-target="verifyUrlSuccess"
         >
-          <iconify-icon icon="lucide:external-link" width="12" height="12" class="opacity-80 group-hover/badge:opacity-100 transition-opacity duration-200"></iconify-icon>
+          <iconify-icon icon="lucide:check-circle" width="12" height="12" class="text-green-400 opacity-80 group-hover/badge:opacity-100 transition-opacity duration-200"></iconify-icon>
         </div>
         <div
           class="tooltip tooltip-bottom flex hidden"
@@ -24,20 +24,20 @@
         >
           <iconify-icon icon="lucide:alert-circle" width="12" height="12" class="text-red-400 opacity-80 group-hover/badge:opacity-100 transition-opacity duration-200"></iconify-icon>
         </div>
-        <div
-          class="tooltip tooltip-bottom flex hidden"
-          data-tip="Your current login does not have access to this stack manager. Please logout and login with your portainer username and password."
-          data-stack-manager--badge-target="verifyUrlNotAllowed"
-        >
-          <iconify-icon icon="lucide:ban" width="12" height="12" class="text-red-400 opacity-80 group-hover/badge:opacity-100 transition-opacity duration-200"></iconify-icon>
-        </div>
         <iconify-icon
           icon="lucide:loader-2"
           width="12"
           height="12"
           class="opacity-80 animate-spin"
           data-stack-manager--badge-target="verifyUrlLoading"></iconify-icon>
+        <div
+          class="tooltip tooltip-bottom flex hidden"
+          data-tip="Access token is invalid. Please add or update your Portainer access token to continue"
+          data-stack-manager--badge-target="verifyUrlUnauthorized"
+        >
+          <iconify-icon icon="lucide:alert-triangle" width="12" height="12" class="text-red-400 opacity-80 group-hover/badge:opacity-100 transition-opacity duration-200"></iconify-icon>
+        </div>
       </div>
     <% end %>
   </div>
-</div>
\ No newline at end of file
+</div>
diff --git a/app/views/devise/sessions/portainer.html.erb b/app/views/devise/sessions/portainer.html.erb
deleted file mode 100644
index c3fe3699..00000000
--- a/app/views/devise/sessions/portainer.html.erb
+++ /dev/null
@@ -1,75 +0,0 @@
-<div class="flex justify-center items-center min-h-screen bg-base-200">
-  <div class="card w-96 bg-base-100 shadow-xl">
-    <div class="card-body">
-      <div>
-        <h1 class="text-2xl font-bold text-center mb-0">
-          Log in to <%= @account.name %>
-        </h1>
-        <div class="flex justify-center mt-3">
-          <%= render "devise/sessions/portainer_badge", stack_manager: @account.stack_manager %>
-        </div>
-      </div>
-      <p class="text-center text-sm text-gray-500 mt-2">
-        Sign in to access your account
-      </p>
-
-      <%= form_with(
-        model: resource,
-        as: resource_name,
-        url: account_sign_in_path(@account.slug),
-        method: :post,
-        data: { turbo: false },
-        html: { class: "space-y-4" }) do |f|
-      %>
-        <% if flash[:alert] %>
-          <div class="alert alert-error mb-4">
-            <iconify-icon icon="lucide:alert-triangle" class="mr-2 text-white"></iconify-icon>
-            <span><%= flash[:alert] %></span>
-          </div>
-        <% end %>
-
-        <%= render 'shared/error_messages', resource: resource %>
-
-        <div class="form-control">
-          <%= f.label :username, class: "label" do %>
-            <span class="label-text">Portainer Username</span>
-          <% end %>
-          <%= f.text_field(
-            :username,
-            autofocus: true,
-            placeholder: "Enter your username",
-            class: "input input-bordered w-full",
-            required: true,
-          ) %>
-        </div>
-
-        <div class="form-control">
-          <%= f.label :password, class: "label" do %>
-            <span class="label-text">Portainer Password</span>
-          <% end %>
-          <%= f.password_field(
-            :password,
-            autocomplete: "current-password",
-            placeholder: "Enter your password",
-            class: "input input-bordered w-full",
-            required: true,
-          ) %>
-        </div>
-
-        <div class="form-control mt-6">
-          <%= f.submit "Sign in to #{@account.name}", class: "btn btn-primary w-full" %>
-        </div>
-      <% end %>
-
-      <div class="divider">New to <%= @account.name %>?</div>
-
-      <p class="text-center text-sm">
-        Contact your account administrator to get access
-      </p>
-
-      <div class="mt-4 text-center">
-        <%= link_to "Back to main login", new_user_session_path, class: "link link-primary text-sm" %>
-      </div>
-    </div>
-  </div>
-</div>
\ No newline at end of file
diff --git a/app/views/layouts/_sidebar.html.erb b/app/views/layouts/_sidebar.html.erb
index 957d6efa..df0ae075 100644
--- a/app/views/layouts/_sidebar.html.erb
+++ b/app/views/layouts/_sidebar.html.erb
@@ -8,9 +8,7 @@
   <% if current_account.stack_manager.present? %>
     <div class="flex items-center justify-center">
       <%= render "devise/sessions/portainer_badge",
-                 stack_manager: current_account.stack_manager,
-                 verification_method: "authentication",
-                 logout_on_unauthorized: true %>
+                 stack_manager: current_account.stack_manager %>
     </div>
   <% end %>
   <div class="flex items-center justify-center">
diff --git a/app/views/providers/_portainer_token.html.erb b/app/views/providers/_portainer_token.html.erb
new file mode 100644
index 00000000..9293cbf0
--- /dev/null
+++ b/app/views/providers/_portainer_token.html.erb
@@ -0,0 +1,48 @@
+<%= turbo_frame_tag "portainer_token" do %>
+  <div class="mb-4">
+    <h3 class="text-lg font-semibold mb-2">Portainer Access Token</h3>
+    <p class="text-sm text-base-content/70 mb-4">
+      This account is configured to use Portainer for cluster management.
+    </p>
+
+    <% if current_user.portainer_jwt.present? %>
+      <div class="alert alert-success mb-4">
+        <iconify-icon icon="lucide:check-circle" height="20"></iconify-icon>
+        <span>Access token configured.</span>
+      </div>
+    <% else %>
+      <div class="alert alert-warning mb-4">
+        <iconify-icon icon="lucide:alert-triangle" height="20"></iconify-icon>
+        <span>No Access token configured. You won't be able to access cluster features until you add one.</span>
+      </div>
+    <% end %>
+
+    <%= form_with url: portainer_token_path, method: :patch, class: "space-y-4", data: { turbo_frame: "portainer_token" } do |f| %>
+      <div class="form-control w-full max-w-md">
+        <label class="label">
+          <span class="label-text">Token</span>
+        </label>
+        <%= f.text_field :portainer_token,
+            value: "",
+            placeholder: current_user.portainer_jwt.present? ? "••••••••••••••••" : "Enter your Portainer Access token",
+            class: "input input-bordered w-full" %>
+        <label class="label flex justify-between" for="portainer_token">
+          <span class="label-text-alt">
+            <%= link_to "Get your access token in Portainer →", "#{current_account.stack_manager.provider_url}/#!/account", target: "_blank", class: "link link-primary" %>
+          </span>
+        </label>
+      </div>
+      <div class="flex gap-2">
+        <%= f.submit current_user.portainer_jwt.present? ? "Update Token" : "Save Token", class: "btn btn-primary" %>
+        <% if current_user.portainer_jwt.present? %>
+          <%= button_to portainer_token_path,
+              method: :delete,
+              class: "btn btn-outline btn-error",
+              data: { turbo_confirm: "Are you sure you want to remove your Portainer Access token?" } do %>
+            Remove Token
+          <% end %>
+        <% end %>
+      </div>
+    <% end %>
+  </div>
+<% end %>
diff --git a/app/views/providers/index.html.erb b/app/views/providers/index.html.erb
index 3a1e5197..e30d068d 100644
--- a/app/views/providers/index.html.erb
+++ b/app/views/providers/index.html.erb
@@ -1,6 +1,7 @@
 <%= settings_layout do %>
   <h2 class="text-2xl font-bold">Credentials</h2>
   <hr class="mt-3 mb-4 border-t border-base-300" />
+
   <%= turbo_frame_tag "provider" do %>
     <%= render "providers/index" %>
     <div class="flex items-center gap-2">
@@ -16,4 +17,9 @@
       <% end %>
     </div>
   <% end %>
+
+  <% if current_account.stack_manager&.portainer? && current_account.stack_manager.enable_role_based_access_control? %>
+    <hr class="my-6 border-t border-base-300" />
+    <%= render "providers/portainer_token" %>
+  <% end %>
 <% end %>
\ No newline at end of file
diff --git a/app/views/settings/_layout.html.erb b/app/views/settings/_layout.html.erb
index 4e1d47e3..51e3516a 100644
--- a/app/views/settings/_layout.html.erb
+++ b/app/views/settings/_layout.html.erb
@@ -1,6 +1,6 @@
 <div class="flex flex-row gap-x-4 items-stretch">
   <div class="w-64 space-y-4">
-    <% if (current_account.stack_manager.present? && current_account.stack_manager.stack.provides_authentication?) || current_account.sso_provider.present? %>
+    <% if current_account.sso_provider.present? %>
     <div class="rounded bg-base-200 pl-4 pr-2 py-4">
       <h3 class="text-sm font-semibold mb-3">Account Login URL</h3>
       <div class="flex items-center gap-2 mb-2">
diff --git a/config/routes.rb b/config/routes.rb
index e678cac9..edb14ea8 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -34,8 +34,8 @@ Rails.application.routes.draw do
   resource :stack_manager, only: %i[show new create edit update destroy], controller: 'accounts/stack_managers' do
     collection do
       post :verify_url
-      post :verify_login
       post :check_reachable
+      post :verify_connectivity
       post :sync_clusters
       post :sync_registries
     end
@@ -74,6 +74,7 @@ Rails.application.routes.draw do
   end
 
   resources :providers, only: %i[index new create destroy]
+  resource :portainer_token, only: %i[update destroy], controller: 'providers/portainer_tokens'
   resources :projects do
     member do
       post :restart
diff --git a/lib/portainer/client.rb b/lib/portainer/client.rb
index 97a7c45d..19599673 100644
--- a/lib/portainer/client.rb
+++ b/lib/portainer/client.rb
@@ -18,6 +18,7 @@ module Portainer
     class ConnectionError < StandardError; end
     class PermissionDeniedError < StandardError; end
     class AuthenticationError < StandardError; end
+    class MissingCredentialError < StandardError; end
 
     def initialize(provider_url, jwt)
       @jwt = jwt
diff --git a/lib/portainer/login.rb b/lib/portainer/login.rb
deleted file mode 100644
index f35a6c2c..00000000
--- a/lib/portainer/login.rb
+++ /dev/null
@@ -1,46 +0,0 @@
-class Portainer::Login
-  extend LightService::Action
-
-  expects :username, :password, :account
-  promises :user, :account
-
-  executed do |context|
-    provider_url = context.account.stack_manager.provider_url
-    hostname = context.account.stack_manager.domain_host
-    context.user = User.find_or_initialize_by(
-      email: context.username + "@#{hostname}",
-    )
-    portainer_user = Portainer::Client.authenticate(
-      username: context.username,
-      auth_code: context.password,
-      provider_url: provider_url
-    )
-
-    password = Devise.friendly_token
-    context.user.assign_attributes(
-      password:,
-      password_confirmation: password,
-    )
-    context.user.save!
-    provider = context.user.providers.find_or_initialize_by(provider: "portainer")
-    provider.auth = {
-      info: {
-        username: portainer_user.username
-      }
-    }.to_json
-    provider.access_token = portainer_user.jwt
-    provider.save!
-
-    unless context.account.users.include?(context.user)
-      context.account.account_users.create!(user: context.user)
-    end
-  rescue Portainer::Client::AuthenticationError => e
-    context.user.errors.add(:base, "Invalid username or password")
-    context.fail_and_return!
-  rescue Portainer::Client::ConnectionError => e
-    context.fail_and_return!(e.message)
-  rescue StandardError => e
-    context.user ||= User.new(email: context.username)
-    context.fail_and_return!("Authentication failed: #{e.message}")
-  end
-end
diff --git a/lib/portainer/stack.rb b/lib/portainer/stack.rb
index d4d3b657..af5bf3f9 100644
--- a/lib/portainer/stack.rb
+++ b/lib/portainer/stack.rb
@@ -20,7 +20,7 @@ class Portainer::Stack
     elsif user.nil? && allow_anonymous && stack_manager.access_token.present?
       Portainer::Client::AccessToken.new(stack_manager.access_token)
     else
-      raise "No access token found for user or stack manager. Please check your configuration."
+      raise Portainer::Client::MissingCredentialError, "Please add your Portainer API token in the Credentials settings."
     end
   end
 
@@ -42,7 +42,7 @@ class Portainer::Stack
   end
 
   def provides_authentication?
-    true
+    false
   end
 
   def provides_registries?
diff --git a/spec/lib/portainer/login_spec.rb b/spec/lib/portainer/login_spec.rb
deleted file mode 100644
index 1bb48a67..00000000
--- a/spec/lib/portainer/login_spec.rb
+++ /dev/null
@@ -1,77 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe Portainer::Login do
-  let(:account) { create(:account) }
-  let(:stack_manager) { create(:stack_manager, account: account, provider_url: 'https://portainer.example.com') }
-  let(:username) { 'testuser' }
-  let(:password) { 'testpassword' }
-  let(:jwt) { 'valid-jwt-token' }
-
-  let(:context) do
-    LightService::Context.make(
-      username: username,
-      password: password,
-      account: account
-    )
-  end
-
-  before do
-    account.stack_manager = stack_manager
-  end
-
-  describe '#execute' do
-    context 'when authentication succeeds' do
-      before do
-        allow(Portainer::Client).to receive(:authenticate).and_return(Portainer::Data::User.new(id: 1, username:, jwt:))
-      end
-
-      it 'creates or finds a user' do
-        described_class.execute(context)
-
-        expect(context).to be_success
-        expect(context.user).to be_persisted
-        expect(context.user.email).to eq('testuser@portainer.example.com')
-      end
-
-      it 'stores the JWT token in provider' do
-        described_class.execute(context)
-
-        provider = context.user.providers.find_by(provider: 'portainer')
-        expect(provider.access_token).to eq(jwt)
-      end
-    end
-
-    context 'when authentication fails' do
-      before do
-        allow(Portainer::Client).to receive(:authenticate).and_raise(Portainer::Client::AuthenticationError.new('Invalid username or password'))
-      end
-
-      it 'fails with error message' do
-        described_class.execute(context)
-
-        expect(context).to be_failure
-        expect(context.user.errors[:base]).to include('Invalid username or password')
-      end
-
-      it 'does not create a user' do
-        expect {
-          described_class.execute(context)
-        }.not_to change(User, :count)
-      end
-    end
-
-    context 'when connection error occurs' do
-      before do
-        allow(Portainer::Client).to receive(:authenticate)
-          .and_raise(Portainer::Client::ConnectionError.new('Connection timeout'))
-      end
-
-      it 'fails with connection error message' do
-        described_class.execute(context)
-
-        expect(context).to be_failure
-        expect(context.message).to eq('Connection timeout')
-      end
-    end
-  end
-end

From dceefb418453b580be599529adcc2f8d686c3463 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 4 Dec 2025 00:16:39 -0800
Subject: [PATCH 31/75] clean up code a bit

---
 app/views/providers/_portainer_token.html.erb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/views/providers/_portainer_token.html.erb b/app/views/providers/_portainer_token.html.erb
index 9293cbf0..1aef7d0e 100644
--- a/app/views/providers/_portainer_token.html.erb
+++ b/app/views/providers/_portainer_token.html.erb
@@ -6,9 +6,9 @@
     </p>
 
     <% if current_user.portainer_jwt.present? %>
-      <div class="alert alert-success mb-4">
-        <iconify-icon icon="lucide:check-circle" height="20"></iconify-icon>
-        <span>Access token configured.</span>
+      <div class="flex items-center gap-2 text-sm text-success mb-4">
+        <iconify-icon icon="lucide:check-circle" height="16"></iconify-icon>
+        <span>Access token configured</span>
       </div>
     <% else %>
       <div class="alert alert-warning mb-4">
@@ -17,7 +17,7 @@
       </div>
     <% end %>
 
-    <%= form_with url: portainer_token_path, method: :patch, class: "space-y-4", data: { turbo_frame: "portainer_token" } do |f| %>
+    <%= form_with url: portainer_token_path, method: :patch, class: "space-y-4", data: { turbo: false } do |f| %>
       <div class="form-control w-full max-w-md">
         <label class="label">
           <span class="label-text">Token</span>

From 69073b4afc6da3accaf7001cd2dd350edcf8914a Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 4 Dec 2025 10:16:34 -0800
Subject: [PATCH 32/75] ldap adjustments

---
 app/views/devise/sessions/ldap.html.erb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/app/views/devise/sessions/ldap.html.erb b/app/views/devise/sessions/ldap.html.erb
index f02e5a58..775a3cdf 100644
--- a/app/views/devise/sessions/ldap.html.erb
+++ b/app/views/devise/sessions/ldap.html.erb
@@ -1,9 +1,16 @@
 <div class="flex justify-center items-center min-h-screen bg-base-200">
   <div class="card w-96 bg-base-100 shadow-xl">
     <div class="card-body">
-      <p class="text-center text-sm text-gray-500 mt-2">
+      <h1 class="text-2xl font-bold text-center">Sign in</h1>
+      <div class="text-center text-sm">
         Sign in to access your account
-      </p>
+      </div>
+
+      <% if @account.stack_manager&.portainer? %>
+        <div class="flex justify-center mt-2">
+          <%= render "devise/sessions/portainer_badge", stack_manager: @account.stack_manager %>
+        </div>
+      <% end %>
 
       <%= form_with(
         model: resource,

From f997707b286739336d8572120b0ac8fb9aee8221 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 4 Dec 2025 10:27:16 -0800
Subject: [PATCH 33/75] added auth updates

---
 app/views/devise/sessions/_account_selector.html.erb | 2 +-
 app/views/devise/sessions/_portainer_badge.html.erb  | 2 +-
 app/views/devise/sessions/ldap.html.erb              | 2 +-
 app/views/layouts/_sidebar.html.erb                  | 3 ++-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/views/devise/sessions/_account_selector.html.erb b/app/views/devise/sessions/_account_selector.html.erb
index c8dc746c..21d242ea 100644
--- a/app/views/devise/sessions/_account_selector.html.erb
+++ b/app/views/devise/sessions/_account_selector.html.erb
@@ -27,7 +27,7 @@
 
     <div class="flex justify-start mt-3">
       <% if account.stack_manager&.portainer? %>
-        <%= render "devise/sessions/portainer_badge", stack_manager: account.stack_manager %>
+        <%= render "devise/sessions/portainer_badge", stack_manager: account.stack_manager, logged_in: true %>
       <% end %>
     </div>
   </div>
diff --git a/app/views/devise/sessions/_portainer_badge.html.erb b/app/views/devise/sessions/_portainer_badge.html.erb
index c77db734..e7dc8f2b 100644
--- a/app/views/devise/sessions/_portainer_badge.html.erb
+++ b/app/views/devise/sessions/_portainer_badge.html.erb
@@ -3,7 +3,7 @@
   data-controller="stack-manager--badge"
   data-stack-manager--badge-verify-url-value="<%= stack_manager.provider_url %>"
   data-stack-manager--badge-credentials-path-value="<%= providers_path %>"
-  data-stack-manager--badge-rbac-enabled-value="<%= stack_manager.enable_role_based_access_control? %>"
+  data-stack-manager--badge-rbac-enabled-value="<%= stack_manager.enable_role_based_access_control? && logged_in %>"
 >
   <div class="flex items-center justify-between">
     <%= link_to stack_manager.provider_url, target: "_blank", rel: "noopener", class: "group/badge inline-flex" do %>
diff --git a/app/views/devise/sessions/ldap.html.erb b/app/views/devise/sessions/ldap.html.erb
index 775a3cdf..0a72e854 100644
--- a/app/views/devise/sessions/ldap.html.erb
+++ b/app/views/devise/sessions/ldap.html.erb
@@ -8,7 +8,7 @@
 
       <% if @account.stack_manager&.portainer? %>
         <div class="flex justify-center mt-2">
-          <%= render "devise/sessions/portainer_badge", stack_manager: @account.stack_manager %>
+          <%= render "devise/sessions/portainer_badge", stack_manager: @account.stack_manager, logged_in: false %>
         </div>
       <% end %>
 
diff --git a/app/views/layouts/_sidebar.html.erb b/app/views/layouts/_sidebar.html.erb
index df0ae075..249df991 100644
--- a/app/views/layouts/_sidebar.html.erb
+++ b/app/views/layouts/_sidebar.html.erb
@@ -8,7 +8,8 @@
   <% if current_account.stack_manager.present? %>
     <div class="flex items-center justify-center">
       <%= render "devise/sessions/portainer_badge",
-                 stack_manager: current_account.stack_manager %>
+                 stack_manager: current_account.stack_manager,
+                 logged_in: true %>
     </div>
   <% end %>
   <div class="flex items-center justify-center">

From a6328365eaef6d99b2cce824d5b8745d41ed373d Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 4 Dec 2025 11:33:47 -0800
Subject: [PATCH 34/75] portainer badge

---
 app/models/sso_provider.rb             | 3 +--
 app/views/devise/sessions/new.html.erb | 6 ++++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index 6e180bf8..17729d85 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -23,14 +23,13 @@
 #
 class SSOProvider < ApplicationRecord
   belongs_to :account
-  belongs_to :configuration, polymorphic: true
+  belongs_to :configuration, polymorphic: true, dependent: :destroy
 
   validates :account_id, uniqueness: true
 
   enum :team_provisioning_mode, {
     disabled: 0,
     just_in_time: 1
-    # scim: 2
   }
 
 
diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb
index 112c8c08..f5773df7 100644
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -6,6 +6,12 @@
         <%= link_to "Sign up", new_user_registration_path, class: "underline" %> instead
       </div>
 
+      <% if @account&.stack_manager&.portainer? %>
+        <div class="flex justify-center mt-2">
+          <%= render "devise/sessions/portainer_badge", stack_manager: @account.stack_manager, logged_in: false %>
+        </div>
+      <% end %>
+
       <%= form_with(model: resource, as: resource_name, url: session_path(resource_name), html: { class: "space-y-4" }) do |f| %>
         <% if flash[:alert] %>
           <div class="alert alert-error mb-4">

From 88ac27bc8a4f4aff9ac8fea5fcd6a57c6557db6c Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 4 Dec 2025 12:31:18 -0800
Subject: [PATCH 35/75] added portainer token updatable

---
 app/views/providers/_portainer_token.html.erb | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/app/views/providers/_portainer_token.html.erb b/app/views/providers/_portainer_token.html.erb
index 1aef7d0e..606fd40a 100644
--- a/app/views/providers/_portainer_token.html.erb
+++ b/app/views/providers/_portainer_token.html.erb
@@ -32,17 +32,7 @@
           </span>
         </label>
       </div>
-      <div class="flex gap-2">
-        <%= f.submit current_user.portainer_jwt.present? ? "Update Token" : "Save Token", class: "btn btn-primary" %>
-        <% if current_user.portainer_jwt.present? %>
-          <%= button_to portainer_token_path,
-              method: :delete,
-              class: "btn btn-outline btn-error",
-              data: { turbo_confirm: "Are you sure you want to remove your Portainer Access token?" } do %>
-            Remove Token
-          <% end %>
-        <% end %>
-      </div>
+      <%= f.submit current_user.portainer_jwt.present? ? "Update Token" : "Save Token", class: "btn btn-primary" %>
     <% end %>
   </div>
 <% end %>

From 955814e69690e029df1e88c9b60aa210ab4dadc0 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 4 Dec 2025 16:21:22 -0800
Subject: [PATCH 36/75] always use access tokens for portainer

---
 lib/portainer/stack.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/portainer/stack.rb b/lib/portainer/stack.rb
index af5bf3f9..6ca0ce5f 100644
--- a/lib/portainer/stack.rb
+++ b/lib/portainer/stack.rb
@@ -16,7 +16,7 @@ class Portainer::Stack
     if !stack_manager.enable_role_based_access_control && stack_manager.access_token.present?
       Portainer::Client::AccessToken.new(stack_manager.access_token)
     elsif user.present? && user.portainer_jwt.present?
-      Portainer::Client::UserJWT.new(user.portainer_jwt)
+      Portainer::Client::AccessToken.new(user.portainer_jwt)
     elsif user.nil? && allow_anonymous && stack_manager.access_token.present?
       Portainer::Client::AccessToken.new(stack_manager.access_token)
     else

From 9ab60fc87180312a2e165fe4fc02239dc7fdb607 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 4 Dec 2025 16:24:31 -0800
Subject: [PATCH 37/75] rename portainer jwt to portainer access token

---
 app/controllers/accounts/stack_managers_controller.rb    | 2 +-
 app/controllers/providers/portainer_tokens_controller.rb | 6 +++---
 app/models/user.rb                                       | 8 ++++----
 app/views/providers/_portainer_token.html.erb            | 6 +++---
 lib/portainer/stack.rb                                   | 4 ++--
 spec/lib/portainer/stack_spec.rb                         | 8 ++++----
 6 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/app/controllers/accounts/stack_managers_controller.rb b/app/controllers/accounts/stack_managers_controller.rb
index 1e1faa62..bab8e773 100644
--- a/app/controllers/accounts/stack_managers_controller.rb
+++ b/app/controllers/accounts/stack_managers_controller.rb
@@ -22,7 +22,7 @@ module Accounts
         return
       end
 
-      if current_user.portainer_jwt.blank?
+      if current_user.portainer_access_token.blank?
         head :unauthorized
         return
       end
diff --git a/app/controllers/providers/portainer_tokens_controller.rb b/app/controllers/providers/portainer_tokens_controller.rb
index 150e6cb0..4a80e010 100644
--- a/app/controllers/providers/portainer_tokens_controller.rb
+++ b/app/controllers/providers/portainer_tokens_controller.rb
@@ -15,8 +15,8 @@ module Providers
       provider.access_token = token
       provider.save!
 
-      # Clear the cached portainer_jwt on the user
-      current_user.instance_variable_set(:@portainer_jwt, nil)
+      # Clear the cached portainer_access_token on the user
+      current_user.instance_variable_set(:@portainer_access_token, nil)
 
       redirect_to providers_path, notice: "Portainer API token saved successfully"
     end
@@ -25,7 +25,7 @@ module Providers
       provider = current_user.providers.find_by(provider: Provider::PORTAINER_PROVIDER)
 
       if provider&.destroy
-        current_user.instance_variable_set(:@portainer_jwt, nil)
+        current_user.instance_variable_set(:@portainer_access_token, nil)
         redirect_to providers_path, notice: "Portainer API token removed"
       else
         redirect_to providers_path, alert: "No Portainer API token found"
diff --git a/app/models/user.rb b/app/models/user.rb
index 8cf85c9a..a0a778ce 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -51,15 +51,15 @@ class User < ApplicationRecord
     providers.find_by(provider: "github")
   end
 
-  def portainer_jwt
-    return @portainer_jwt if @portainer_jwt
-    @portainer_jwt = providers.find_by(provider: "portainer")&.access_token
+  def portainer_access_token
+    return @portainer_access_token if @portainer_access_token
+    @portainer_access_token = providers.find_by(provider: "portainer")&.access_token
   end
 
   def needs_portainer_credential?(account)
     account.stack_manager&.portainer? &&
       account.stack_manager.enable_role_based_access_control? &&
-      portainer_jwt.blank?
+      portainer_access_token.blank?
   end
 
   private
diff --git a/app/views/providers/_portainer_token.html.erb b/app/views/providers/_portainer_token.html.erb
index 606fd40a..9ca009ca 100644
--- a/app/views/providers/_portainer_token.html.erb
+++ b/app/views/providers/_portainer_token.html.erb
@@ -5,7 +5,7 @@
       This account is configured to use Portainer for cluster management.
     </p>
 
-    <% if current_user.portainer_jwt.present? %>
+    <% if current_user.portainer_access_token.present? %>
       <div class="flex items-center gap-2 text-sm text-success mb-4">
         <iconify-icon icon="lucide:check-circle" height="16"></iconify-icon>
         <span>Access token configured</span>
@@ -24,7 +24,7 @@
         </label>
         <%= f.text_field :portainer_token,
             value: "",
-            placeholder: current_user.portainer_jwt.present? ? "••••••••••••••••" : "Enter your Portainer Access token",
+            placeholder: current_user.portainer_access_token.present? ? "••••••••••••••••" : "Enter your Portainer Access token",
             class: "input input-bordered w-full" %>
         <label class="label flex justify-between" for="portainer_token">
           <span class="label-text-alt">
@@ -32,7 +32,7 @@
           </span>
         </label>
       </div>
-      <%= f.submit current_user.portainer_jwt.present? ? "Update Token" : "Save Token", class: "btn btn-primary" %>
+      <%= f.submit current_user.portainer_access_token.present? ? "Update Token" : "Save Token", class: "btn btn-primary" %>
     <% end %>
   </div>
 <% end %>
diff --git a/lib/portainer/stack.rb b/lib/portainer/stack.rb
index 6ca0ce5f..eace2b1b 100644
--- a/lib/portainer/stack.rb
+++ b/lib/portainer/stack.rb
@@ -15,8 +15,8 @@ class Portainer::Stack
   def retrieve_access_token(user, allow_anonymous: false)
     if !stack_manager.enable_role_based_access_control && stack_manager.access_token.present?
       Portainer::Client::AccessToken.new(stack_manager.access_token)
-    elsif user.present? && user.portainer_jwt.present?
-      Portainer::Client::AccessToken.new(user.portainer_jwt)
+    elsif user.present? && user.portainer_access_token.present?
+      Portainer::Client::AccessToken.new(user.portainer_access_token)
     elsif user.nil? && allow_anonymous && stack_manager.access_token.present?
       Portainer::Client::AccessToken.new(stack_manager.access_token)
     else
diff --git a/spec/lib/portainer/stack_spec.rb b/spec/lib/portainer/stack_spec.rb
index 0ebea8c6..4d68f98b 100644
--- a/spec/lib/portainer/stack_spec.rb
+++ b/spec/lib/portainer/stack_spec.rb
@@ -11,16 +11,16 @@ RSpec.describe Portainer::Stack do
   let(:client) {
     Portainer::Client.new(
       stack_manager.provider_url,
-      Portainer::Client::UserJWT.new(account.owner.portainer_jwt),
+      Portainer::Client::UserJWT.new(account.owner.portainer_access_token),
     )
   }
   let(:portainer_stack) { described_class.new(stack_manager)._connect_with_client(client) }
 
   describe "#retrieve_access_token" do
-    it "returns user portainer_jwt when RBAC is enabled" do
+    it "returns user portainer_access_token when RBAC is enabled" do
       user = account.owner
       stack = described_class.new(stack_manager)
-      expect(stack.retrieve_access_token(user).token).to eq(user.portainer_jwt)
+      expect(stack.retrieve_access_token(user).token).to eq(user.portainer_access_token)
     end
 
     it "returns stack_manager access_token when RBAC is disabled" do
@@ -41,7 +41,7 @@ RSpec.describe Portainer::Stack do
   describe "#fetch_kubeconfig" do
     let(:kubeconfig_json) { File.read(Rails.root.join("spec/resources/integrations/portainer/config.json")) }
     let(:cluster) { create(:cluster, account:, external_id: "1") }
-    let(:client) { Portainer::Client.new(stack_manager.provider_url, Portainer::Client::UserJWT.new(account.owner.portainer_jwt)) }
+    let(:client) { Portainer::Client.new(stack_manager.provider_url, Portainer::Client::UserJWT.new(account.owner.portainer_access_token)) }
 
     before do
       allow(client).to receive(:get_kubernetes_config).and_return(JSON.parse(kubeconfig_json))

From d64ee0362fdfbc92316ed0d4532bb8b318ccaf70 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 5 Dec 2025 10:21:39 -0800
Subject: [PATCH 38/75] added docker compose pinning of postgres

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 98de1b0d..346f3283 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,7 +8,7 @@ x-shared-env: &shared-env
 
 services:
   postgres:
-    image: postgres:16-bookworm
+    image: postgres:16-bookworm@sha256:878977a5fe8d75ba7eab7610e4cf7e0c8626a683d89b3f9da965b8ceba952a09
     environment:
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=password

From 8482356b821ef23ee2c06131ec42b26619364f11 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 5 Dec 2025 10:57:35 -0800
Subject: [PATCH 39/75] added account selector as part of onboarding

---
 app/controllers/local/onboarding_controller.rb  |  6 ++++++
 app/controllers/users/sessions_controller.rb    | 17 +++--------------
 .../onboarding}/account_select.html.erb         |  0
 config/routes.rb                                | 11 ++++++-----
 4 files changed, 15 insertions(+), 19 deletions(-)
 rename app/views/{devise/sessions => local/onboarding}/account_select.html.erb (100%)

diff --git a/app/controllers/local/onboarding_controller.rb b/app/controllers/local/onboarding_controller.rb
index afc5b1e6..a5bd44e7 100644
--- a/app/controllers/local/onboarding_controller.rb
+++ b/app/controllers/local/onboarding_controller.rb
@@ -5,6 +5,12 @@ class Local::OnboardingController < ApplicationController
   def index
   end
 
+  def account_select
+    redirect_to new_user_session_path unless Rails.application.config.account_sign_in_only
+
+    @accounts = Account.all.includes(:stack_manager)
+  end
+
   def create
     result = Portainer::Onboarding::Create.call(params)
 
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index d8a353b7..a881a9b1 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -1,10 +1,9 @@
 class Users::SessionsController < Devise::SessionsController
-  layout 'homepage', only: [ :new, :create, :account_login, :account_create, :account_select ]
-  before_action :require_no_authentication, only: [ :account_login, :account_select ]
+  layout 'homepage', only: [ :new, :create, :account_login, :account_create ]
+  before_action :require_no_authentication, only: [ :account_login ]
   before_action :load_account_from_slug, only: [ :account_login, :account_create ]
 
   before_action :check_if_default_sign_in_allowed, only: [ :new ]
-  before_action :check_if_account_select_allowed, only: [ :account_select ]
 
   def new
     super
@@ -33,10 +32,6 @@ class Users::SessionsController < Devise::SessionsController
     end
   end
 
-  def account_select
-    @accounts = Account.all.includes(:stack_manager)
-  end
-
   def account_login
     self.resource = resource_class.new(sign_in_params)
     clean_up_passwords(resource)
@@ -73,13 +68,7 @@ class Users::SessionsController < Devise::SessionsController
 
   def check_if_default_sign_in_allowed
     if Rails.application.config.account_sign_in_only
-      redirect_to accounts_select_url
-    end
-  end
-
-  def check_if_account_select_allowed
-    unless Rails.application.config.account_sign_in_only
-      redirect_to new_user_session_path
+      redirect_to account_select_local_onboarding_index_path
     end
   end
 
diff --git a/app/views/devise/sessions/account_select.html.erb b/app/views/local/onboarding/account_select.html.erb
similarity index 100%
rename from app/views/devise/sessions/account_select.html.erb
rename to app/views/local/onboarding/account_select.html.erb
diff --git a/config/routes.rb b/config/routes.rb
index edb14ea8..f97346ff 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,9 +1,6 @@
 Rails.application.routes.draw do
   # Account-specific URL-based routes
   devise_scope :user do
-    if Rails.application.config.local_mode
-      get '/accounts/select', to: 'users/sessions#account_select'
-    end
     get '/accounts/:slug/sign_in', to: 'users/sessions#account_login', as: :account_sign_in
     post '/accounts/:slug/sign_in', to: 'users/sessions#account_create'
   end
@@ -160,12 +157,16 @@ Rails.application.routes.draw do
           post :login
         end
       end
-      resources :onboarding, only: [ :index, :create ]
+      resources :onboarding, only: [ :index, :create ] do
+        collection do
+          get :account_select
+        end
+      end
     end
     if Rails.application.config.onboarding_methods.any?
       root to: "local/onboarding#index"
     else
-      root to: "projects#index"
+      root to: "local/onboarding#account_select"
     end
   else
     root to: "static#index"

From bf71ac16760a23ee09c393f09c2c5792283b50d8 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 5 Dec 2025 14:39:17 -0800
Subject: [PATCH 40/75] remove portainer login on onboarding flow

---
 .../accounts/stack_managers/_url.html.erb     |   9 +-
 .../local/onboarding/_portainer.html.erb      |  58 +++++++---
 lib/portainer/onboarding/create.rb            |   6 +-
 .../create_user_with_stack_manager.rb         |  21 ++--
 spec/lib/portainer/onboarding/create_spec.rb  | 103 +++---------------
 5 files changed, 76 insertions(+), 121 deletions(-)

diff --git a/app/views/accounts/stack_managers/_url.html.erb b/app/views/accounts/stack_managers/_url.html.erb
index 8b379708..716ea342 100644
--- a/app/views/accounts/stack_managers/_url.html.erb
+++ b/app/views/accounts/stack_managers/_url.html.erb
@@ -11,7 +11,7 @@
   </div>
 
   <div class="form-group">
-    <%= form.label :access_token, "Access Token" %>
+    <%= form.label :access_token, "Account Access Token" %>
     <%= form.text_field(
       :access_token,
       name: "stack_manager[access_token]",
@@ -20,9 +20,12 @@
       required: true,
       data: { "stack-manager--url-input-target": "accessTokenInput", action: "blur->stack-manager--url-input#verifyUrl" },
     ) %>
-    <div class="hidden" data-stack-manager--url-input-target="accessTokenHelp">
-      <label class="label flex justify-between" for="access_token">
+    <div>
+      <label class="label" style="display: flex" for="access_token">
         <span class="label-text-alt">
+          This access token is used for all members of the account, to perform asynchronous Git deployments.
+        </span>
+        <span class="label-text-alt" class="hidden" data-stack-manager--url-input-target="accessTokenHelp">
           <a class="link link-primary" target="_blank" href="#">Get your access token in Portainer →</a>
         </span>
       </label>
diff --git a/app/views/local/onboarding/_portainer.html.erb b/app/views/local/onboarding/_portainer.html.erb
index 1680f854..e16b8740 100644
--- a/app/views/local/onboarding/_portainer.html.erb
+++ b/app/views/local/onboarding/_portainer.html.erb
@@ -17,34 +17,26 @@
     <% end %>
 
     <%= render(FormFieldComponent.new(
-      label: "Portainer Configuration",
-      description: "The command to run to start the container."
-    )) do %>
-      <%= render "accounts/stack_managers/url", form: form %>
-    <% end %>
-
-    <%= render(FormFieldComponent.new(
-      label: "Portainer Credentials",
-      description: "We'll create the first user in this organization by connecting to your Portainer instance with your credentials."
+      label: "Admin User",
+      description: "Create the first admin user for this account."
     )) do %>
       <div class="form-group">
-        <%= form.label :username, "Portainer Username" %>
-        <%= form.text_field(
-          :username,
-          placeholder: "Enter your username",
-          name: "user[username]",
+        <%= form.label :email, "Email" %>
+        <%= form.email_field(
+          :email,
+          placeholder: "admin@example.com",
+          name: "user[email]",
           class: "input input-bordered w-full",
           required: true,
         ) %>
       </div>
       <div class="form-group" data-controller="toggle-password">
-        <%= form.label :password, "Portainer Password" %>
+        <%= form.label :password, "Password" %>
         <div class="flex items-center">
-          <%= form.text_field(
+          <%= form.password_field(
             :password,
             placeholder: "Enter your password",
             name: "user[password]",
-            type: "password",
             class: "input input-bordered w-full",
             required: true,
             data: { toggle_password_target: "input" },
@@ -55,6 +47,38 @@
         </div>
       </div>
     <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Portainer Configuration",
+      description: "Configure your Portainer instance URL and access token."
+    )) do %>
+      <%= render "accounts/stack_managers/url", form: form %>
+
+      <div data-controller="expandable-optional-input">
+        <div>
+          <a data-action="expandable-optional-input#show" class="btn btn-ghost">
+            + Add personal access token
+          </a>
+        </div>
+        <div data-expandable-optional-input-target="container">
+          <div class="form-group">
+            <%= form.label :personal_access_token, "Personal Access Token" %>
+            <%= form.text_field(
+              :personal_access_token,
+              name: "user[personal_access_token]",
+              placeholder: "Enter your personal access token",
+              class: "input input-bordered w-full",
+            ) %>
+            <div class="label">
+              <span class="label-text-alt text-gray-500">
+                If not provided, the account's access token will be used for your Portainer access.
+              </span>
+            </div>
+          </div>
+        </div>
+      </div>
+    <% end %>
+
     <div class="form-footer">
       <%= form.submit "Save", class: "btn btn-primary" %>
     </div>
diff --git a/lib/portainer/onboarding/create.rb b/lib/portainer/onboarding/create.rb
index bf0f009b..4954aeb7 100644
--- a/lib/portainer/onboarding/create.rb
+++ b/lib/portainer/onboarding/create.rb
@@ -10,15 +10,15 @@ class Portainer::Onboarding::Create
 
   def self.call(params)
     with(
-      username: params[:user][:username],
-      password: params[:user][:password],
       account_name: params[:account][:name],
       provider_url: params[:stack_manager][:provider_url],
       access_token: params[:stack_manager][:access_token],
       enable_role_based_access_control: params[:stack_manager][:enable_role_based_access_control],
+      email: params[:user][:email],
+      password: params[:user][:password],
+      personal_access_token: params[:user]&.dig(:personal_access_token),
     ).reduce(
       Portainer::Onboarding::ValidateBootMode,
-      Portainer::Onboarding::AuthenticateWithPortainer,
       Portainer::Onboarding::CreateUserWithStackManager,
       *post_create,
     )
diff --git a/lib/portainer/onboarding/create_user_with_stack_manager.rb b/lib/portainer/onboarding/create_user_with_stack_manager.rb
index 5b684a64..cbc8b56f 100644
--- a/lib/portainer/onboarding/create_user_with_stack_manager.rb
+++ b/lib/portainer/onboarding/create_user_with_stack_manager.rb
@@ -1,31 +1,26 @@
 class Portainer::Onboarding::CreateUserWithStackManager
   extend LightService::Action
-  expects :portainer_user, :username, :account_name, :provider_url, :access_token, :enable_role_based_access_control
+  expects :account_name, :provider_url, :access_token, :enable_role_based_access_control,
+          :email, :password, :personal_access_token
   promises :user, :account, :stack_manager
 
   executed do |context|
-    password = Devise.friendly_token
-    hostname = URI.parse(context.provider_url).host
     ActiveRecord::Base.transaction do
       context.user = User.find_or_initialize_by(
-        email: context.username + "@#{hostname}",
+        email: context.email,
       )
       context.user.assign_attributes(
-        password:,
-        password_confirmation: password,
+        password: context.password,
+        password_confirmation: context.password,
       )
       if context.user.new_record?
         context.user.write_attribute(:admin, true)
       end
       context.user.save!
 
-      provider = context.user.providers.find_or_initialize_by(provider: "portainer")
-      provider.auth = {
-        info: {
-          username: context.portainer_user.username
-        }
-      }.to_json
-      provider.access_token = context.portainer_user.jwt
+      portainer_access_token = context.personal_access_token.presence || context.access_token
+      provider = context.user.providers.find_or_initialize_by(provider: Provider::PORTAINER_PROVIDER)
+      provider.access_token = portainer_access_token
       provider.save!
 
       context.account = Account.create!(owner: context.user, name: context.account_name)
diff --git a/spec/lib/portainer/onboarding/create_spec.rb b/spec/lib/portainer/onboarding/create_spec.rb
index e8f808ab..e2d298b5 100644
--- a/spec/lib/portainer/onboarding/create_spec.rb
+++ b/spec/lib/portainer/onboarding/create_spec.rb
@@ -1,19 +1,15 @@
 require 'rails_helper'
 
 RSpec.describe Portainer::Onboarding::Create do
-  let(:jwt) { 'test-jwt-token' }
   let(:params) do
     ActionController::Parameters.new(
       account: { name: 'testorg' },
-      user: { username: username, password: 'testpassword' },
-      stack_manager: { provider_url: 'https://test.portainer.io' },
+      user: { email: 'admin@example.com', password: 'password123' },
+      stack_manager: { provider_url: 'https://test.portainer.io', access_token: 'test-token' },
     )
   end
 
-  let(:username) { 'testuser' }
-
   before do
-    allow(Portainer::Client).to receive(:authenticate).and_return(Portainer::Data::User.new(id: 1, username:, jwt:))
     allow(described_class).to receive(:post_create).and_return([])
   end
 
@@ -30,14 +26,27 @@ RSpec.describe Portainer::Onboarding::Create do
         Rails.application.config.cluster_mode = original_cluster_mode
       end
 
-      it 'creates a user with admin privileges' do
+      it 'creates a user with admin privileges and uses account access token when no personal token provided' do
         result = described_class.call(params)
 
         expect(result).to be_success
         expect(result.user).to be_persisted
-        expect(result.user.email).to eq('testuser@test.portainer.io')
+        expect(result.user.email).to eq('admin@example.com')
         expect(result.user.admin).to be true
         expect(result.account.stack_manager).to be_persisted
+        expect(result.user.providers.find_by(provider: 'portainer').access_token).to eq('test-token')
+      end
+
+      it 'uses personal access token when provided' do
+        params_with_personal_token = ActionController::Parameters.new(
+          account: { name: 'testorg' },
+          user: { email: 'admin2@example.com', password: 'password123', personal_access_token: 'personal-token' },
+          stack_manager: { provider_url: 'https://test2.portainer.io', access_token: 'account-token' },
+        )
+        result = described_class.call(params_with_personal_token)
+
+        expect(result).to be_success
+        expect(result.user.providers.find_by(provider: 'portainer').access_token).to eq('personal-token')
       end
     end
 
@@ -52,88 +61,12 @@ RSpec.describe Portainer::Onboarding::Create do
         Rails.application.config.cloud_mode = original_cloud_mode
         Rails.application.config.cluster_mode = original_cluster_mode
       end
+
       it 'fails with an error message' do
         result = described_class.call(params)
 
         expect(result).to be_failure
       end
     end
-
-    context 'when Portainer authentication fails' do
-      around do |example|
-        original_cloud_mode = Rails.application.config.cloud_mode
-        original_cluster_mode = Rails.application.config.cluster_mode
-        Rails.application.config.cluster_mode = true
-        Rails.application.config.cloud_mode = false
-        example.run
-      ensure
-        Rails.application.config.cloud_mode = original_cloud_mode
-        Rails.application.config.cluster_mode = original_cluster_mode
-      end
-
-      before do
-        allow(Portainer::Client).to receive(:authenticate).and_raise(Portainer::Client::AuthenticationError.new('Invalid username or password'))
-      end
-
-      it 'fails with invalid username or password message' do
-        result = described_class.call(params)
-
-        expect(result).to be_failure
-        expect(result.message).to eq('Invalid username or password')
-      end
-
-      it 'does not create a user' do
-        expect {
-          described_class.call(params)
-        }.not_to change(User, :count)
-      end
-
-      it 'does not create an account' do
-        expect {
-          described_class.call(params)
-        }.not_to change(Account, :count)
-      end
-
-      it 'does not create a stack manager' do
-        expect {
-          described_class.call(params)
-        }.not_to change(StackManager, :count)
-      end
-    end
-
-    context 'when Portainer authentication raises an exception' do
-      around do |example|
-        original_cloud_mode = Rails.application.config.cloud_mode
-        original_cluster_mode = Rails.application.config.cluster_mode
-        Rails.application.config.cluster_mode = true
-        Rails.application.config.cloud_mode = false
-        example.run
-      ensure
-        Rails.application.config.cloud_mode = original_cloud_mode
-        Rails.application.config.cluster_mode = original_cluster_mode
-      end
-
-      before do
-        allow(Portainer::Client).to receive(:authenticate).and_raise(StandardError, 'Connection failed')
-      end
-
-      it 'raises the exception' do
-        expect {
-          described_class.call(params)
-        }.to raise_error(StandardError, 'Connection failed')
-      end
-
-      it 'does not create a user' do
-        expect {
-          described_class.call(params) rescue nil
-        }.not_to change(User, :count)
-      end
-
-      it 'does not create an account' do
-        expect {
-          described_class.call(params) rescue nil
-        }.not_to change(Account, :count)
-      end
-    end
   end
 end

From 9b65ce122538897393acbddd1b8caa0a9a2161ad Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 5 Dec 2025 15:13:49 -0800
Subject: [PATCH 41/75] use built image instead of building from scratch

---
 app/views/local/onboarding/_portainer.html.erb | 3 ++-
 docker-compose.yml                             | 8 ++------
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/app/views/local/onboarding/_portainer.html.erb b/app/views/local/onboarding/_portainer.html.erb
index e16b8740..83b9f47c 100644
--- a/app/views/local/onboarding/_portainer.html.erb
+++ b/app/views/local/onboarding/_portainer.html.erb
@@ -18,7 +18,7 @@
 
     <%= render(FormFieldComponent.new(
       label: "Admin User",
-      description: "Create the first admin user for this account."
+      description: "Create the first admin user for this account. (You can configure SSO later.)"
     )) do %>
       <div class="form-group">
         <%= form.label :email, "Email" %>
@@ -59,6 +59,7 @@
           <a data-action="expandable-optional-input#show" class="btn btn-ghost">
             + Add personal access token
           </a>
+          <span>Hello world</span>
         </div>
         <div data-expandable-optional-input-target="container">
           <div class="form-group">
diff --git a/docker-compose.yml b/docker-compose.yml
index 346f3283..838d386e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,9 +19,7 @@ services:
       - "postgres:/var/lib/postgresql/data"
 
   web:
-    build:
-      context: .
-      dockerfile: Dockerfile
+    image: ghcr.io/caninehq/canine:latest
     # Overrides default command so things don't shut down after the process ends.
     # command: sleep infinity
     depends_on:
@@ -39,9 +37,7 @@ services:
       - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
 
   worker:
-    build:
-      context: .
-      dockerfile: Dockerfile
+    image: ghcr.io/caninehq/canine:latest
     command: bundle exec good_job start
     depends_on:
       - postgres

From 1701c66cf44e092fc805ac7639347537f9c8f92b Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 5 Dec 2025 15:57:00 -0800
Subject: [PATCH 42/75] update portainer build

---
 install/portainer/docker-compose.yml | 26 ++++++--------------------
 1 file changed, 6 insertions(+), 20 deletions(-)

diff --git a/install/portainer/docker-compose.yml b/install/portainer/docker-compose.yml
index 37d84e71..f61a7aba 100644
--- a/install/portainer/docker-compose.yml
+++ b/install/portainer/docker-compose.yml
@@ -8,7 +8,7 @@ x-shared-env: &shared-env
 
 services:
   postgres:
-    image: postgres:16
+    image: postgres:16-bookworm@sha256:878977a5fe8d75ba7eab7610e4cf7e0c8626a683d89b3f9da965b8ceba952a09
     environment:
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=password
@@ -17,13 +17,11 @@ services:
       - "5432:5432"
     volumes:
       - "postgres:/var/lib/postgresql/data"
-    networks:
-      - default
 
   web:
-    build:
-      context: .
-      dockerfile: Dockerfile
+    image: ghcr.io/caninehq/canine:latest
+    # Overrides default command so things don't shut down after the process ends.
+    # command: sleep infinity
     depends_on:
       - postgres
     stdin_open: true
@@ -37,14 +35,9 @@ services:
       ACCOUNT_SIGN_IN_ONLY: "true"
     volumes:
       - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
-    networks:
-      - default
-      - portainer_network
 
   worker:
-    build:
-      context: .
-      dockerfile: Dockerfile
+    image: ghcr.io/caninehq/canine:latest
     command: bundle exec good_job start
     depends_on:
       - postgres
@@ -53,18 +46,11 @@ services:
       LOCAL_MODE: "true"
     volumes:
       - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
-    networks:
-      - default
-      - portainer_network
 
 volumes:
   postgres:
 
 networks:
-  # default local network for this compose file
   default:
-    name: canine_default   # optional; can omit to let compose auto-name
-  # external network created elsewhere
-  portainer_network:
+    name: portainer_network
     external: true
-

From f0282662e4293def2bc1b3fbfcc919f182f4175b Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 5 Dec 2025 16:18:09 -0800
Subject: [PATCH 43/75] handle empty clusters from portainer

---
 .../local/onboarding/_portainer.html.erb      | 43 ++++++++++---------
 lib/portainer/sync_registries.rb              | 10 +++--
 2 files changed, 28 insertions(+), 25 deletions(-)

diff --git a/app/views/local/onboarding/_portainer.html.erb b/app/views/local/onboarding/_portainer.html.erb
index 83b9f47c..5f6613c6 100644
--- a/app/views/local/onboarding/_portainer.html.erb
+++ b/app/views/local/onboarding/_portainer.html.erb
@@ -5,7 +5,7 @@
       description: "The name of your team, organization or account."
     )) do %>
       <div class="form-group">
-        <%= form.label :account_name, "Name" %>
+        <%= form.label :account_name, "Organization Name" %>
         <%= form.text_field(
           :account_name,
           placeholder: "My Organization",
@@ -54,29 +54,30 @@
     )) do %>
       <%= render "accounts/stack_managers/url", form: form %>
 
-      <div data-controller="expandable-optional-input">
-        <div>
-          <a data-action="expandable-optional-input#show" class="btn btn-ghost">
-            + Add personal access token
-          </a>
-          <span>Hello world</span>
-        </div>
-        <div data-expandable-optional-input-target="container">
-          <div class="form-group">
-            <%= form.label :personal_access_token, "Personal Access Token" %>
-            <%= form.text_field(
-              :personal_access_token,
-              name: "user[personal_access_token]",
-              placeholder: "Enter your personal access token",
-              class: "input input-bordered w-full",
-            ) %>
-            <div class="label">
-              <span class="label-text-alt text-gray-500">
-                If not provided, the account's access token will be used for your Portainer access.
-              </span>
+      <div class="mt-4">
+        <div data-controller="expandable-optional-input">
+          <div>
+            <a data-action="expandable-optional-input#show" class="btn btn-ghost">
+              + Add personal access token
+            </a>
+          </div>
+          <div data-expandable-optional-input-target="container">
+            <div class="form-group">
+              <%= form.label :personal_access_token, "Personal Access Token" %>
+              <%= form.text_field(
+                :personal_access_token,
+                name: "user[personal_access_token]",
+                placeholder: "Enter your personal access token",
+                class: "input input-bordered w-full",
+              ) %>
             </div>
           </div>
         </div>
+        <div class="label">
+          <span class="label-text-alt text-gray-500">
+            If not provided, the account's access token will be used for your Portainer access.
+          </span>
+        </div>
       </div>
     <% end %>
 
diff --git a/lib/portainer/sync_registries.rb b/lib/portainer/sync_registries.rb
index 89fb14a8..5a017a1b 100644
--- a/lib/portainer/sync_registries.rb
+++ b/lib/portainer/sync_registries.rb
@@ -5,9 +5,11 @@ class Portainer::SyncRegistries
 
   executed do |context|
     clusters = context.stack_manager.account.clusters
-    context.stack_manager.stack.connect(context.user).sync_registries(
-      context.user,
-      clusters.first
-    )
+    if clusters.any?
+      context.stack_manager.stack.connect(context.user).sync_registries(
+        context.user,
+        clusters.first
+      )
+    end
   end
 end

From f4e2d088a9c52eec285086a72043276d0d3d3ee8 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 5 Dec 2025 16:32:42 -0800
Subject: [PATCH 44/75] nit

---
 lib/portainer/client.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/portainer/client.rb b/lib/portainer/client.rb
index 19599673..f5a5fa83 100644
--- a/lib/portainer/client.rb
+++ b/lib/portainer/client.rb
@@ -22,7 +22,7 @@ module Portainer
 
     def initialize(provider_url, jwt)
       @jwt = jwt
-      @provider_url = provider_url
+      @provider_url = provider_url.chomp("/")
     end
 
     def self.reachable?(provider_url)

From 3b725b38507e91c82b36e43bdf423822a98f8ad8 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 6 Dec 2025 14:31:39 -0800
Subject: [PATCH 45/75] added docker build to pull request

---
 .github/workflows/docker-build.yml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 6f5f4bd3..531e8337 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -5,11 +5,12 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+  workflow_dispatch:
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 30
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
@@ -19,3 +20,20 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ghcr.io/caninehq/canine:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

From 68f6108a3c245d7c2963a496988e0c2deac1b75c Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 6 Dec 2025 14:34:14 -0800
Subject: [PATCH 46/75] testing

---
 .github/workflows/docker-build.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 531e8337..06a94a52 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -2,9 +2,7 @@ name: Docker Build and Push
 
 on:
   push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
+    branches: [ main, chriszhu__build_docker_on_branch ]
   workflow_dispatch:
 
 jobs:

From 492aee046aeff8490939665a5ebe1d8358b4a68a Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 6 Dec 2025 15:04:53 -0800
Subject: [PATCH 47/75] bump timeout to 1 hour

---
 .github/workflows/docker-build.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 06a94a52..89d4d1f8 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -5,10 +5,14 @@ on:
     branches: [ main, chriszhu__build_docker_on_branch ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
     steps:
       - name: Checkout code
         uses: actions/checkout@v5

From a08ae8b7e1d0d2af7fe9340cb440ffe5138625fc Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sun, 7 Dec 2025 13:59:41 -0800
Subject: [PATCH 48/75] remove testing branch

---
 .github/workflows/docker-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 89d4d1f8..c31aa72c 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -2,7 +2,7 @@ name: Docker Build and Push
 
 on:
   push:
-    branches: [ main, chriszhu__build_docker_on_branch ]
+    branches: [ main ]
   workflow_dispatch:
 
 permissions:

From 7f0b9a3f87c5c36bab1f441af2a089ecda5422a2 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sun, 7 Dec 2025 16:09:39 -0800
Subject: [PATCH 49/75] fix bug with select credentials

---
 app/views/projects/create/_select_credentials.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/projects/create/_select_credentials.html.erb b/app/views/projects/create/_select_credentials.html.erb
index 85f73013..fede9643 100644
--- a/app/views/projects/create/_select_credentials.html.erb
+++ b/app/views/projects/create/_select_credentials.html.erb
@@ -5,7 +5,7 @@
     :id,
     :friendly_name,
     { 
-      include_blank: selectable_providers.count > 1,
+      include_blank: selectable_providers.count >= 1,
       selected: selectable_providers.count == 1 ? selectable_providers.first.id : nil
     },
     {

From 9bef5c54c47b927310648a8a73c28c3f639e85ee Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sun, 7 Dec 2025 16:27:40 -0800
Subject: [PATCH 50/75] fix html closing tag

---
 app/views/projects/_layout.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/projects/_layout.html.erb b/app/views/projects/_layout.html.erb
index a3e28ce8..a7327f30 100644
--- a/app/views/projects/_layout.html.erb
+++ b/app/views/projects/_layout.html.erb
@@ -39,7 +39,7 @@
           <div class="flex flex-row items-center gap-1">
             <iconify-icon icon="logos:docker-icon"></iconify-icon>
             <span class="underline"><%= project.repository_url %></span>
-          <div class="flex flex-row items-center gap-1">
+          </div>
         <% end %>
       <% end %>
 

From ecd753f4f2c0c5fe7f510299606c05c69a7216be Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Mon, 8 Dec 2025 16:24:22 -0800
Subject: [PATCH 51/75] added floating ui for search dropdowns

---
 .../async_search_dropdown_controller.js       | 64 +++++++++++++++++--
 package.json                                  |  1 +
 yarn.lock                                     | 20 ++++++
 3 files changed, 81 insertions(+), 4 deletions(-)

diff --git a/app/javascript/controllers/components/async_search_dropdown_controller.js b/app/javascript/controllers/components/async_search_dropdown_controller.js
index 82d1abfe..68389ea9 100644
--- a/app/javascript/controllers/components/async_search_dropdown_controller.js
+++ b/app/javascript/controllers/components/async_search_dropdown_controller.js
@@ -1,4 +1,5 @@
 import { Controller } from "@hotwired/stimulus"
+import { computePosition, autoUpdate, flip, shift, offset, size } from "@floating-ui/dom"
 import { debounce } from "../../utils"
 
 /**
@@ -26,9 +27,9 @@ export default class extends Controller {
     // Disable browser autocomplete
     this.input.setAttribute('autocomplete', 'off')
 
-    // Create dropdown
+    // Create dropdown and append to the appropriate container
     this.dropdown = this.createDropdown()
-    this.element.appendChild(this.dropdown)
+    this.getDropdownContainer().appendChild(this.dropdown)
 
     // Bind search handler with debounce
     this.searchHandler = debounce(this.performSearch.bind(this), this.getDebounceDelay())
@@ -37,6 +38,8 @@ export default class extends Controller {
     // Handle click outside to close dropdown
     this.clickOutsideHandler = this.handleClickOutside.bind(this)
     document.addEventListener('click', this.clickOutsideHandler)
+
+    this.cleanupAutoUpdate = null
   }
 
   disconnect() {
@@ -44,14 +47,52 @@ export default class extends Controller {
       this.input.removeEventListener('input', this.searchHandler)
     }
     document.removeEventListener('click', this.clickOutsideHandler)
+    if (this.cleanupAutoUpdate) {
+      this.cleanupAutoUpdate()
+    }
+    if (this.dropdown && this.dropdown.parentNode) {
+      this.dropdown.parentNode.removeChild(this.dropdown)
+    }
   }
 
   createDropdown() {
     const dropdown = document.createElement('ul')
-    dropdown.className = 'hidden absolute z-10 w-full mt-1 menu bg-neutral block rounded-box shadow-lg max-h-[300px] overflow-y-auto'
+    dropdown.className = 'hidden z-50 menu bg-neutral rounded-box shadow-lg max-h-[300px] overflow-y-auto'
+    dropdown.style.position = 'absolute'
+    dropdown.style.top = '0'
+    dropdown.style.left = '0'
     return dropdown
   }
 
+  getDropdownContainer() {
+    // Check if we're inside a modal and append there to maintain stacking context
+    const modal = this.element.closest('.modal, [role="dialog"], dialog')
+    return modal || document.body
+  }
+
+  updatePosition() {
+    computePosition(this.input, this.dropdown, {
+      placement: 'bottom-start',
+      middleware: [
+        offset(4),
+        flip({ fallbackPlacements: ['top-start'] }),
+        shift({ padding: 8 }),
+        size({
+          apply({ rects, elements }) {
+            Object.assign(elements.floating.style, {
+              minWidth: `${rects.reference.width}px`
+            })
+          }
+        })
+      ]
+    }).then(({ x, y }) => {
+      Object.assign(this.dropdown.style, {
+        left: `${x}px`,
+        top: `${y}px`
+      })
+    })
+  }
+
   getInputElement() {
     return this.element.querySelector('input')
   }
@@ -121,11 +162,26 @@ export default class extends Controller {
 
   showDropdown() {
     this.dropdown.classList.remove('hidden')
+    this.updatePosition()
+
+    // Set up auto-update to keep position in sync during scroll/resize
+    if (this.cleanupAutoUpdate) {
+      this.cleanupAutoUpdate()
+    }
+    this.cleanupAutoUpdate = autoUpdate(this.input, this.dropdown, () => {
+      this.updatePosition()
+    })
   }
 
   hideDropdown() {
     this.dropdown.classList.add('hidden')
     this.dropdown.innerHTML = ''
+
+    // Clean up auto-update listener
+    if (this.cleanupAutoUpdate) {
+      this.cleanupAutoUpdate()
+      this.cleanupAutoUpdate = null
+    }
   }
 
   showLoading() {
@@ -157,7 +213,7 @@ export default class extends Controller {
   }
 
   handleClickOutside(event) {
-    if (!this.element.contains(event.target)) {
+    if (!this.element.contains(event.target) && !this.dropdown.contains(event.target)) {
       this.hideDropdown()
     }
   }
diff --git a/package.json b/package.json
index 779aed7a..2c38b23d 100644
--- a/package.json
+++ b/package.json
@@ -13,6 +13,7 @@
     "@codemirror/state": "^6.5.2",
     "@codemirror/theme-one-dark": "^6.1.3",
     "@codemirror/view": "^6.38.1",
+    "@floating-ui/dom": "^1.7.4",
     "@gorails/ninja-keys": "^1.2.1",
     "@hotwired/stimulus": "^3.2.2",
     "@hotwired/turbo-rails": "^8.0.20",
diff --git a/yarn.lock b/yarn.lock
index 8df07aee..dad22462 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -217,6 +217,26 @@
   resolved "https://registry.yarnpkg.com/@esbuild/win32-x64/-/win32-x64-0.24.0.tgz#168ab1c7e1c318b922637fad8f339d48b01e1244"
   integrity sha512-7IAFPrjSQIJrGsK6flwg7NFmwBoSTyF3rl7If0hNUFQU4ilTsEPL6GuMuU9BfIWVVGuRnuIidkSMC+c0Otu8IA==
 
+"@floating-ui/core@^1.7.3":
+  version "1.7.3"
+  resolved "https://registry.yarnpkg.com/@floating-ui/core/-/core-1.7.3.tgz#462d722f001e23e46d86fd2bd0d21b7693ccb8b7"
+  integrity sha512-sGnvb5dmrJaKEZ+LDIpguvdX3bDlEllmv4/ClQ9awcmCZrlx5jQyyMWFM5kBI+EyNOCDDiKk8il0zeuX3Zlg/w==
+  dependencies:
+    "@floating-ui/utils" "^0.2.10"
+
+"@floating-ui/dom@^1.7.4":
+  version "1.7.4"
+  resolved "https://registry.yarnpkg.com/@floating-ui/dom/-/dom-1.7.4.tgz#ee667549998745c9c3e3e84683b909c31d6c9a77"
+  integrity sha512-OOchDgh4F2CchOX94cRVqhvy7b3AFb+/rQXyswmzmGakRfkMgoWVjfnLWkRirfLEfuD4ysVW16eXzwt3jHIzKA==
+  dependencies:
+    "@floating-ui/core" "^1.7.3"
+    "@floating-ui/utils" "^0.2.10"
+
+"@floating-ui/utils@^0.2.10":
+  version "0.2.10"
+  resolved "https://registry.yarnpkg.com/@floating-ui/utils/-/utils-0.2.10.tgz#a2a1e3812d14525f725d011a73eceb41fef5bc1c"
+  integrity sha512-aGTxbpbg8/b5JfU1HXSrbH3wXZuLPJcNEcZQFMxLs3oSzgtVu6nFPkbbGGUvBcUjKV2YyB9Wxxabo+HEH9tcRQ==
+
 "@gorails/ninja-keys@^1.2.1":
   version "1.2.1"
   resolved "https://registry.npmjs.org/@gorails/ninja-keys/-/ninja-keys-1.2.1.tgz"

From 1c02a79a26c136283737c6639179cd7bd49409f0 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Tue, 9 Dec 2025 20:15:21 -0800
Subject: [PATCH 52/75] added ldap implementation

---
 app/actions/sso/sync_teams.rb                 |  21 +-
 app/models/sso_provider.rb                    |   2 +-
 app/services/k8/stateless/ingress.rb          |  12 +-
 app/services/ldap/authenticator.rb            |   8 +-
 lib/devise/strategies/ldap_authenticatable.rb |  17 +-
 spec/actions/sso/sync_user_teams_spec.rb      |  29 +++
 spec/services/ldap/authenticator_spec.rb      | 236 ++++++++++++++++++
 7 files changed, 312 insertions(+), 13 deletions(-)
 create mode 100644 spec/services/ldap/authenticator_spec.rb

diff --git a/app/actions/sso/sync_teams.rb b/app/actions/sso/sync_teams.rb
index 3fabb969..b705705e 100644
--- a/app/actions/sso/sync_teams.rb
+++ b/app/actions/sso/sync_teams.rb
@@ -1,12 +1,25 @@
 class SSO::SyncTeams
   extend LightService::Action
-  expects :user, :teams
+  expects :user, :teams, :account
   promises :team_memberships
 
   executed do |context|
-    # Find all teams the user is currently in
-    context.team_memberships = context.teams.map do |team|
-      TeamMembership.find_or_create_by!(user: context.user, team:)
+    user = context.user
+    account = context.account
+    remote_teams = context.teams
+
+    # Add user to teams from remote source
+    context.team_memberships = remote_teams.map do |team|
+      TeamMembership.find_or_create_by!(user:, team:)
     end
+
+    # Remove user from account teams they're no longer part of on the remote source
+    remote_team_ids = remote_teams.map(&:id)
+    stale_memberships = user.team_memberships
+      .joins(:team)
+      .where(teams: { account_id: account.id })
+      .where.not(team_id: remote_team_ids)
+
+    stale_memberships.destroy_all
   end
 end
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index 17729d85..51311213 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -30,7 +30,7 @@ class SSOProvider < ApplicationRecord
   enum :team_provisioning_mode, {
     disabled: 0,
     just_in_time: 1
-  }
+  }, suffix: true
 
 
   def ldap?
diff --git a/app/services/k8/stateless/ingress.rb b/app/services/k8/stateless/ingress.rb
index 677cabfc..7b0a8b46 100644
--- a/app/services/k8/stateless/ingress.rb
+++ b/app/services/k8/stateless/ingress.rb
@@ -33,7 +33,17 @@ class K8::Stateless::Ingress < K8::Base
     if service.nil?
       raise "Ingress-nginx-controller service not installed"
     end
-    service.status.loadBalancer.ingress[0].ip
+    if service.status.loadBalancer.ingress[0].ip
+      {
+        ip: service.status.loadBalancer.ingress[0].ip,
+        record_type: :a_record
+      }
+    else
+      {
+        ip: service.status.loadBalancer.ingress[0].hostname,
+        record_type: :cname_record
+      }
+    end
   end
 
   def ip_address
diff --git a/app/services/ldap/authenticator.rb b/app/services/ldap/authenticator.rb
index e72ce2a1..3f27486d 100644
--- a/app/services/ldap/authenticator.rb
+++ b/app/services/ldap/authenticator.rb
@@ -23,7 +23,7 @@ module LDAP
     # ----------
     # call(username:, password:) -> Result
     #
-    def call(username:, password:)
+    def call(username:, password:, fetch_groups:)
       # 1) Bind as reader (service account or anonymous)
       reader_ldap = build_reader_connection
 
@@ -56,7 +56,11 @@ module LDAP
       # 4) Successful LDAP auth → map attributes, fetch groups
       email  = resolve_email(entry, username)
       name   = resolve_name(entry, username)
-      groups = fetch_group_membership(entry)
+      if fetch_groups
+        groups = fetch_group_membership(entry)
+      else
+        groups = []
+      end
 
       Result.new(
         success?: true,
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index 31456303..838a426c 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -37,7 +37,12 @@ module Devise
 
         authenticator = LDAP::Authenticator.new(ldap_configuration)
 
-        result = authenticator.call(username: username, password: password)
+        sso_provider = ldap_configuration.sso_provider
+        result = authenticator.call(
+          username: username,
+          password: password,
+          fetch_groups: sso_provider.just_in_time_team_provisioning_mode?
+        )
 
         unless result.success?
           Rails.logger.info "LDAP auth failed for username=#{username.inspect}: #{result.error_message}"
@@ -45,15 +50,17 @@ module Devise
         end
 
         email = result.email
-        groups = result.groups
-        sso_provider = ldap_configuration.sso_provider
 
-        if sso_provider.just_in_time?
+        if sso_provider.just_in_time_team_provisioning_mode?
+          groups = result.groups
           ar_result = ActiveRecord::Base.transaction do
             SSO::SyncUserTeams.call(email, groups, ldap_configuration.account)
           end
         else
-          ar_result = SSO::CreateUserInAccount.call(email, ldap_configuration.account)
+          ar_result = SSO::CreateUserInAccount.execute(
+            email: email,
+            account: ldap_configuration.account,
+          )
         end
 
         if ar_result.failure?
diff --git a/spec/actions/sso/sync_user_teams_spec.rb b/spec/actions/sso/sync_user_teams_spec.rb
index f0d8a719..0779bb0c 100644
--- a/spec/actions/sso/sync_user_teams_spec.rb
+++ b/spec/actions/sso/sync_user_teams_spec.rb
@@ -14,5 +14,34 @@ RSpec.describe SSO::SyncUserTeams do
       expect(account.teams.pluck(:name)).to match_array(%w[Existing NewTeam])
       expect(result.user.teams).to match_array(account.teams)
     end
+
+    it 'removes user from teams they are no longer part of on remote source' do
+      user = create(:user, email: 'existing@example.com')
+      team_to_keep = create(:team, account: account, name: 'KeepTeam')
+      team_to_remove = create(:team, account: account, name: 'RemoveTeam')
+      create(:team_membership, user: user, team: team_to_keep)
+      create(:team_membership, user: user, team: team_to_remove)
+      create(:account_user, account: account, user: user)
+
+      result = described_class.call('existing@example.com', [ { name: 'KeepTeam' } ], account)
+
+      expect(result).to be_success
+      expect(result.user.teams.reload).to contain_exactly(team_to_keep)
+    end
+
+    it 'does not remove user from teams in other accounts' do
+      other_account = create(:account)
+      user = create(:user, email: 'existing@example.com')
+      team_in_account = create(:team, account: account, name: 'AccountTeam')
+      team_in_other = create(:team, account: other_account, name: 'OtherTeam')
+      create(:team_membership, user: user, team: team_in_account)
+      create(:team_membership, user: user, team: team_in_other)
+      create(:account_user, account: account, user: user)
+
+      result = described_class.call('existing@example.com', [], account)
+
+      expect(result).to be_success
+      expect(user.teams.reload).to contain_exactly(team_in_other)
+    end
   end
 end
diff --git a/spec/services/ldap/authenticator_spec.rb b/spec/services/ldap/authenticator_spec.rb
new file mode 100644
index 00000000..b441bee2
--- /dev/null
+++ b/spec/services/ldap/authenticator_spec.rb
@@ -0,0 +1,236 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe LDAP::Authenticator do
+  let(:ldap_config) { build(:ldap_configuration) }
+  let(:logger) { instance_double(Logger, info: nil, warn: nil, error: nil) }
+  let(:authenticator) { described_class.new(ldap_config, logger: logger) }
+
+  let(:reader_ldap) { instance_double(Net::LDAP) }
+  let(:user_ldap) { instance_double(Net::LDAP) }
+  let(:operation_result) { double('OperationResult', message: 'Success') }
+
+  let(:user_entry) do
+    entry = Net::LDAP::Entry.new("uid=john,#{ldap_config.base_dn}")
+    entry[:uid] = [ 'john' ]
+    entry[:mail] = [ 'john@example.com' ]
+    entry[:cn] = [ 'John Doe' ]
+    entry
+  end
+
+  before do
+    allow(Net::LDAP).to receive(:new).and_return(reader_ldap, user_ldap)
+    allow(reader_ldap).to receive(:get_operation_result).and_return(operation_result)
+    allow(user_ldap).to receive(:get_operation_result).and_return(operation_result)
+    allow(user_ldap).to receive(:auth)
+  end
+
+  describe '#call' do
+    context 'when reader bind fails' do
+      before do
+        allow(reader_ldap).to receive(:bind).and_return(false)
+        allow(operation_result).to receive(:message).and_return('Invalid credentials')
+      end
+
+      it 'returns failure result' do
+        result = authenticator.call(username: 'john', password: 'secret', fetch_groups: false)
+
+        expect(result.success?).to be false
+        expect(result.error_message).to include('LDAP reader bind failed')
+      end
+    end
+
+    context 'when user is not found' do
+      before do
+        allow(reader_ldap).to receive(:bind).and_return(true)
+        allow(reader_ldap).to receive(:search).and_yield(nil)
+      end
+
+      it 'returns failure result' do
+        result = authenticator.call(username: 'nonexistent', password: 'secret', fetch_groups: false)
+
+        expect(result.success?).to be false
+        expect(result.error_message).to include('no user entry found')
+      end
+    end
+
+    context 'when user bind fails (wrong password)' do
+      before do
+        allow(reader_ldap).to receive(:bind).and_return(true)
+        allow(reader_ldap).to receive(:search).and_yield(user_entry)
+        allow(user_ldap).to receive(:bind).and_return(false)
+        allow(operation_result).to receive(:message).and_return('Invalid credentials')
+      end
+
+      it 'returns failure result' do
+        result = authenticator.call(username: 'john', password: 'wrong', fetch_groups: false)
+
+        expect(result.success?).to be false
+        expect(result.error_message).to include('LDAP user bind failed')
+      end
+    end
+
+    context 'when authentication succeeds' do
+      before do
+        allow(reader_ldap).to receive(:bind).and_return(true)
+        allow(reader_ldap).to receive(:search).and_yield(user_entry)
+        allow(user_ldap).to receive(:bind).and_return(true)
+      end
+
+      it 'returns success result with user info' do
+        result = authenticator.call(username: 'john', password: 'secret', fetch_groups: false)
+
+        expect(result.success?).to be true
+        expect(result.email).to eq('john@example.com')
+        expect(result.name).to eq('John Doe')
+        expect(result.user_dn).to eq("uid=john,#{ldap_config.base_dn}")
+        expect(result.groups).to eq([])
+      end
+
+      context 'with fetch_groups: true' do
+        let(:group_ldap) { instance_double(Net::LDAP) }
+        let(:group_entry) do
+          entry = Net::LDAP::Entry.new("cn=developers,#{ldap_config.base_dn}")
+          entry[:cn] = [ 'developers' ]
+          entry
+        end
+
+        before do
+          # First Net::LDAP.new returns reader_ldap (for user search)
+          # Second returns user_ldap (for auth bind)
+          # Third returns group_ldap (for group search)
+          allow(Net::LDAP).to receive(:new).and_return(reader_ldap, user_ldap, group_ldap)
+          allow(group_ldap).to receive(:bind).and_return(true)
+          allow(group_ldap).to receive(:search).and_yield(group_entry)
+        end
+
+        it 'fetches group membership' do
+          result = authenticator.call(username: 'john', password: 'secret', fetch_groups: true)
+
+          expect(result.success?).to be true
+          expect(result.groups).to include({ name: 'developers' })
+        end
+      end
+    end
+
+    context 'when email attribute is missing' do
+      let(:user_entry_no_email) do
+        entry = Net::LDAP::Entry.new("uid=john,#{ldap_config.base_dn}")
+        entry[:uid] = [ 'john' ]
+        entry[:cn] = [ 'John Doe' ]
+        entry
+      end
+
+      before do
+        allow(reader_ldap).to receive(:bind).and_return(true)
+        allow(reader_ldap).to receive(:search).and_yield(user_entry_no_email)
+        allow(user_ldap).to receive(:bind).and_return(true)
+      end
+
+      it 'constructs email from username and host' do
+        result = authenticator.call(username: 'john', password: 'secret', fetch_groups: false)
+
+        expect(result.success?).to be true
+        expect(result.email).to eq("john@#{ldap_config.host}")
+      end
+
+      context 'when username already contains @' do
+        it 'uses username as email' do
+          result = authenticator.call(username: 'john@company.com', password: 'secret', fetch_groups: false)
+
+          expect(result.email).to eq('john@company.com')
+        end
+      end
+    end
+
+    context 'when an unexpected error occurs' do
+      before do
+        allow(reader_ldap).to receive(:bind).and_raise(StandardError.new('Connection refused'))
+      end
+
+      it 'returns failure result with error message' do
+        result = authenticator.call(username: 'john', password: 'secret', fetch_groups: false)
+
+        expect(result.success?).to be false
+        expect(result.error_message).to eq('Connection refused')
+      end
+    end
+  end
+
+  describe 'encryption settings' do
+    context 'with plain encryption' do
+      let(:ldap_config) { build(:ldap_configuration, encryption: 'plain') }
+
+      it 'creates connection without encryption' do
+        allow(reader_ldap).to receive(:bind).and_return(false)
+
+        authenticator.call(username: 'john', password: 'secret', fetch_groups: false)
+
+        expect(Net::LDAP).to have_received(:new).with(
+          hash_including(host: ldap_config.host, port: ldap_config.port)
+        )
+      end
+    end
+
+    context 'with start_tls encryption' do
+      let(:ldap_config) { build(:ldap_configuration, encryption: 'start_tls') }
+
+      it 'creates connection with start_tls' do
+        allow(reader_ldap).to receive(:bind).and_return(false)
+
+        authenticator.call(username: 'john', password: 'secret', fetch_groups: false)
+
+        expect(Net::LDAP).to have_received(:new).with(
+          hash_including(encryption: { method: :start_tls })
+        )
+      end
+    end
+
+    context 'with simple_tls encryption' do
+      let(:ldap_config) { build(:ldap_configuration, encryption: 'simple_tls') }
+
+      it 'creates connection with simple_tls' do
+        allow(reader_ldap).to receive(:bind).and_return(false)
+
+        authenticator.call(username: 'john', password: 'secret', fetch_groups: false)
+
+        expect(Net::LDAP).to have_received(:new).with(
+          hash_including(encryption: { method: :simple_tls })
+        )
+      end
+    end
+  end
+
+  describe 'custom attribute mapping' do
+    let(:ldap_config) do
+      build(:ldap_configuration,
+        uid_attribute: 'sAMAccountName',
+        email_attribute: 'userPrincipalName',
+        name_attribute: 'displayName'
+      )
+    end
+
+    let(:ad_user_entry) do
+      entry = Net::LDAP::Entry.new("cn=John Doe,#{ldap_config.base_dn}")
+      entry[:sAMAccountName] = [ 'jdoe' ]
+      entry[:userPrincipalName] = [ 'jdoe@corp.example.com' ]
+      entry[:displayName] = [ 'John Q. Doe' ]
+      entry
+    end
+
+    before do
+      allow(reader_ldap).to receive(:bind).and_return(true)
+      allow(reader_ldap).to receive(:search).and_yield(ad_user_entry)
+      allow(user_ldap).to receive(:bind).and_return(true)
+    end
+
+    it 'uses custom attribute mappings' do
+      result = authenticator.call(username: 'jdoe', password: 'secret', fetch_groups: false)
+
+      expect(result.success?).to be true
+      expect(result.email).to eq('jdoe@corp.example.com')
+      expect(result.name).to eq('John Q. Doe')
+    end
+  end
+end

From cea3a4920c3ee0af39842bfc2fbcf77824e7ab13 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 10 Dec 2025 11:08:14 -0800
Subject: [PATCH 53/75] ldap test connection button

---
 .../accounts/sso_providers_controller.rb      | 18 ++++++++
 .../ldap_test_connection_controller.js        | 44 +++++++++++++++++++
 app/services/ldap/authenticator.rb            | 32 ++++++++++++--
 .../ldap/_connection_failed.html.erb          | 11 +++++
 .../ldap/_connection_success.html.erb         |  6 +++
 .../sso_providers/ldap/_form_fields.html.erb  | 12 +++++
 config/routes.rb                              |  4 +-
 7 files changed, 123 insertions(+), 4 deletions(-)
 create mode 100644 app/javascript/controllers/ldap_test_connection_controller.js
 create mode 100644 app/views/accounts/sso_providers/ldap/_connection_failed.html.erb
 create mode 100644 app/views/accounts/sso_providers/ldap/_connection_success.html.erb

diff --git a/app/controllers/accounts/sso_providers_controller.rb b/app/controllers/accounts/sso_providers_controller.rb
index 1180476f..b2b39dff 100644
--- a/app/controllers/accounts/sso_providers_controller.rb
+++ b/app/controllers/accounts/sso_providers_controller.rb
@@ -60,6 +60,24 @@ module Accounts
       end
     end
 
+    def test_connection
+      ldap_configuration = LDAPConfiguration.new(ldap_configuration_params)
+      result = LDAP::Authenticator.new(ldap_configuration).test_connection
+
+      if result.success?
+        render turbo_stream: turbo_stream.replace(
+          "ldap_test_connection_result",
+          partial: "accounts/sso_providers/ldap/connection_success"
+        )
+      else
+        render turbo_stream: turbo_stream.replace(
+          "ldap_test_connection_result",
+          partial: "accounts/sso_providers/ldap/connection_failed",
+          locals: { error_message: result.error_message }
+        )
+      end
+    end
+
     private
 
     def sso_provider_params
diff --git a/app/javascript/controllers/ldap_test_connection_controller.js b/app/javascript/controllers/ldap_test_connection_controller.js
new file mode 100644
index 00000000..162f54b9
--- /dev/null
+++ b/app/javascript/controllers/ldap_test_connection_controller.js
@@ -0,0 +1,44 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["button", "result"]
+
+  async test(event) {
+    debugger
+    event.preventDefault()
+
+    const form = this.element.closest("form")
+    const formData = new FormData(form)
+
+    // Clear previous result
+    this.resultTarget.innerHTML = ""
+
+    // Update button to show loading state
+    const button = this.buttonTarget
+    const originalContent = button.innerHTML
+    button.disabled = true
+    button.innerHTML = '<span class="loading loading-spinner loading-xs"></span> Testing...'
+
+    try {
+      const response = await fetch("/accounts/sso_provider/test_connection", {
+        method: "POST",
+        headers: {
+          "X-CSRF-Token": document.querySelector('meta[name="csrf-token"]').content,
+          "Accept": "text/vnd.turbo-stream.html"
+        },
+        body: formData
+      })
+
+      if (response.ok) {
+        const html = await response.text()
+        Turbo.renderStreamMessage(html)
+      }
+    } catch (error) {
+      console.error("LDAP test connection failed:", error)
+    } finally {
+      // Always re-enable the button so it can be clicked again
+      button.disabled = false
+      button.innerHTML = originalContent
+    }
+  }
+}
diff --git a/app/services/ldap/authenticator.rb b/app/services/ldap/authenticator.rb
index 3f27486d..90f7c6cc 100644
--- a/app/services/ldap/authenticator.rb
+++ b/app/services/ldap/authenticator.rb
@@ -21,8 +21,33 @@ module LDAP
 
     # Public API
     # ----------
-    # call(username:, password:) -> Result
+    # test_connection -> Result (tests bind credentials only)
+    # call(username:, password:) -> Result (full authentication)
     #
+    def test_connection
+      # Validate required configuration
+      if config.host.blank?
+        return Result.new(success?: false, error_message: "Host is required")
+      end
+
+      if config.bind_dn.blank? && !config.allow_anonymous_reads?
+        return Result.new(success?: false, error_message: "Bind DN and password are required when anonymous reads are disabled")
+      end
+
+      reader_ldap = build_reader_connection
+
+      if reader_ldap.bind
+        Result.new(success?: true, error_message: nil)
+      else
+        msg = "LDAP bind failed: #{reader_ldap.get_operation_result.message}"
+        @logger.warn msg
+        Result.new(success?: false, error_message: msg)
+      end
+    rescue => e
+      @logger.error "LDAP test connection: unexpected error - #{e.class}: #{e.message}"
+      Result.new(success?: false, error_message: e.message)
+    end
+
     def call(username:, password:, fetch_groups:)
       # 1) Bind as reader (service account or anonymous)
       reader_ldap = build_reader_connection
@@ -54,8 +79,8 @@ module LDAP
       end
 
       # 4) Successful LDAP auth → map attributes, fetch groups
-      email  = resolve_email(entry, username)
-      name   = resolve_name(entry, username)
+      email = resolve_email(entry, username)
+      name = resolve_name(entry, username)
       if fetch_groups
         groups = fetch_group_membership(entry)
       else
@@ -103,6 +128,7 @@ module LDAP
         # No way to bind safely
         # Let caller see failure via bind result
         logger.info "LDAP: no reader credentials and anonymous reads disabled"
+        raise "LDAP: no reader credentials and anonymous reads disabled"
       end
 
       Net::LDAP.new(options)
diff --git a/app/views/accounts/sso_providers/ldap/_connection_failed.html.erb b/app/views/accounts/sso_providers/ldap/_connection_failed.html.erb
new file mode 100644
index 00000000..77d84c14
--- /dev/null
+++ b/app/views/accounts/sso_providers/ldap/_connection_failed.html.erb
@@ -0,0 +1,11 @@
+<%= turbo_frame_tag "ldap_test_connection_result", class: "block mt-3", data: { ldap_test_connection_target: "result" } do %>
+  <div class="flex flex-col gap-1">
+    <div class="flex items-center gap-2 text-error">
+      <iconify-icon icon="lucide:x-circle" height="16"></iconify-icon>
+      <span>Connection failed</span>
+    </div>
+    <% if local_assigns[:error_message].present? %>
+      <span class="text-sm text-base-content/70"><%= error_message %></span>
+    <% end %>
+  </div>
+<% end %>
diff --git a/app/views/accounts/sso_providers/ldap/_connection_success.html.erb b/app/views/accounts/sso_providers/ldap/_connection_success.html.erb
new file mode 100644
index 00000000..939554d3
--- /dev/null
+++ b/app/views/accounts/sso_providers/ldap/_connection_success.html.erb
@@ -0,0 +1,6 @@
+<%= turbo_frame_tag "ldap_test_connection_result", class: "block mt-3", data: { ldap_test_connection_target: "result" } do %>
+  <div class="flex items-center gap-2 text-success">
+    <iconify-icon icon="lucide:check-circle" height="16"></iconify-icon>
+    <span>Connection successful!</span>
+  </div>
+<% end %>
diff --git a/app/views/accounts/sso_providers/ldap/_form_fields.html.erb b/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
index 03a9f6e8..306f60f6 100644
--- a/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
+++ b/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
@@ -107,4 +107,16 @@
       </div>
     </div>
   </details>
+
+  <div class="mt-6 mb-4" data-controller="ldap-test-connection">
+    <button type="button"
+            class="btn btn-outline btn-sm"
+            data-action="click->ldap-test-connection#test"
+            data-ldap-test-connection-target="button">
+      <iconify-icon icon="lucide:plug" height="16"></iconify-icon>
+      Test Connection
+    </button>
+    <%= turbo_frame_tag "ldap_test_connection_result", class: "block mt-3", data: { ldap_test_connection_target: "result" } do %>
+    <% end %>
+  </div>
 <% end %>
diff --git a/config/routes.rb b/config/routes.rb
index f97346ff..95ba4434 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -16,7 +16,9 @@ Rails.application.routes.draw do
   resources :accounts, only: [ :create ] do
     collection do
       resources :account_users, only: %i[create index destroy], module: :accounts
-      resource :sso_provider, only: %i[show new create edit update destroy], module: :accounts
+      resource :sso_provider, only: %i[show new create edit update destroy], module: :accounts do
+        post :test_connection
+      end
       resources :teams, module: :accounts do
         resources :team_memberships, only: %i[create destroy], module: :teams
         resources :team_resources, only: %i[create destroy], module: :teams

From 34b79257e56ee6ce94b547ed59cb982d4ad05e35 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 10 Dec 2025 13:38:48 -0800
Subject: [PATCH 54/75] ingress bugfix

---
 app/actions/networks/check_dns.rb              | 17 +++++++++++------
 .../ldap_test_connection_controller.js         |  1 -
 app/services/k8/stateless/ingress.rb           | 16 ++++++++--------
 app/services/ldap/authenticator.rb             |  4 +---
 .../async/k8/certificate_status_view_model.rb  |  8 ++++----
 .../async/k8/cluster_ip_view_model.rb          | 18 ++++++++++++++++--
 app/views/add_ons/endpoints/edit.html.erb      |  8 +++++++-
 .../projects/services/_networking.html.erb     | 12 ++++++------
 .../projects/services/domains/_list.html.erb   |  2 +-
 spec/actions/networks/check_dns_spec.rb        | 14 +++++++-------
 10 files changed, 61 insertions(+), 39 deletions(-)

diff --git a/app/actions/networks/check_dns.rb b/app/actions/networks/check_dns.rb
index be80ce14..31ab524e 100644
--- a/app/actions/networks/check_dns.rb
+++ b/app/actions/networks/check_dns.rb
@@ -3,15 +3,20 @@ class Networks::CheckDns
   expects :ingress, :connection
 
   class << self
-    def infer_expected_ip(ingress, connection)
+    def infer_expected_dns(ingress, connection)
       ingress.connect(connection)
-      ip = ingress.ip_address
+      dns_record = ingress.hostname
 
-      if is_private_ip?(ip)
+      if dns_record[:type] == :ip_address && is_private_ip?(dns_record[:value])
         cluster = ingress.service.project.cluster
-        ip = infer_public_ip_from_cluster(connection)
+        # This only works if it is a single node cluster like k3s
+        public_ip = infer_public_ip_from_cluster(connection)
+        dns_record = {
+          value: public_ip,
+          type: :ip_address
+        }
       end
-      ip
+      dns_record
     end
 
     def is_private_ip?(ip)
@@ -40,7 +45,7 @@ class Networks::CheckDns
 
   executed do |context|
     # TODO
-    expected_ip = infer_expected_ip(context.ingress, context.connection)
+    expected_ip = infer_expected_dns(context.ingress, context.connection)
     context.ingress.service.domains.each do |domain|
       ip_addresses = Resolv::DNS.open do |dns|
         dns.getresources(domain.domain_name, Resolv::DNS::Resource::IN::A).map do |resource|
diff --git a/app/javascript/controllers/ldap_test_connection_controller.js b/app/javascript/controllers/ldap_test_connection_controller.js
index 162f54b9..7ae37f5e 100644
--- a/app/javascript/controllers/ldap_test_connection_controller.js
+++ b/app/javascript/controllers/ldap_test_connection_controller.js
@@ -4,7 +4,6 @@ export default class extends Controller {
   static targets = ["button", "result"]
 
   async test(event) {
-    debugger
     event.preventDefault()
 
     const form = this.element.closest("form")
diff --git a/app/services/k8/stateless/ingress.rb b/app/services/k8/stateless/ingress.rb
index 7b0a8b46..e3ec7d88 100644
--- a/app/services/k8/stateless/ingress.rb
+++ b/app/services/k8/stateless/ingress.rb
@@ -28,27 +28,27 @@ class K8::Stateless::Ingress < K8::Base
     results['items'].find { |r| r['metadata']['name'] == "#{@service.project.namespace}-ingress" }
   end
 
-  def self.ip_address(client)
+  def self.hostname(client)
     service = client.get_services.find { |s| s['metadata']['name'] == 'ingress-nginx-controller' }
     if service.nil?
       raise "Ingress-nginx-controller service not installed"
     end
     if service.status.loadBalancer.ingress[0].ip
       {
-        ip: service.status.loadBalancer.ingress[0].ip,
-        record_type: :a_record
+        value: service.status.loadBalancer.ingress[0].ip,
+        type: :ip_address
       }
     else
       {
-        ip: service.status.loadBalancer.ingress[0].hostname,
-        record_type: :cname_record
+        value: service.status.loadBalancer.ingress[0].hostname,
+        type: :hostname
       }
     end
   end
 
-  def ip_address
-    @ip_address ||= begin
-      self.class.ip_address(self.client)
+  def hostname
+    @hostname ||= begin
+      self.class.hostname(self.client)
     end
   rescue StandardError => e
     Rails.logger.error("Error getting ingress ip address: #{e.message}")
diff --git a/app/services/ldap/authenticator.rb b/app/services/ldap/authenticator.rb
index 90f7c6cc..a7d24c19 100644
--- a/app/services/ldap/authenticator.rb
+++ b/app/services/ldap/authenticator.rb
@@ -224,8 +224,6 @@ module LDAP
       "#{username}@#{domain}"
     end
 
-    # ---------------- GROUP MEMBERSHIP ----------------
-
     def fetch_group_membership(user_entry)
       reader_ldap = build_reader_connection
 
@@ -270,7 +268,7 @@ module LDAP
         memo | f
       end
 
-      group_filter  = Net::LDAP::Filter.eq('objectClass', 'groupOfNames') |
+      group_filter = Net::LDAP::Filter.eq('objectClass', 'groupOfNames') |
                       Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
                       Net::LDAP::Filter.eq('objectClass', 'posixGroup')
 
diff --git a/app/view_models/async/k8/certificate_status_view_model.rb b/app/view_models/async/k8/certificate_status_view_model.rb
index 02266d98..534de709 100644
--- a/app/view_models/async/k8/certificate_status_view_model.rb
+++ b/app/view_models/async/k8/certificate_status_view_model.rb
@@ -7,7 +7,7 @@ class Async::K8::CertificateStatusViewModel < Async::BaseViewModel
   end
 
   def initial_render
-    "Certificate Status: <div class='loading loading-spinner loading-sm'></div>"
+    "<div class='flex items-center gap-2'>Certificate Status: <div class='loading loading-spinner loading-sm'></div></div>"
   end
 
   def connection
@@ -15,12 +15,12 @@ class Async::K8::CertificateStatusViewModel < Async::BaseViewModel
   end
   def async_render
     template = <<-HTML
-      <div>
+      <div class="flex items-center gap-2">
         Certificate Status:
         <% if K8::Stateless::Ingress.new(service).connect(connection).certificate_status %>
-          <span class="text-success ml-2 font-semibold">Issued</span>
+          <span class="text-success font-semibold">Issued</span>
         <% else %>
-          <span class="text-warning ml-2 font-semibold">Issuing</span>
+          <span class="text-warning font-semibold">Issuing</span>
         <% end %>
       </div>
     HTML
diff --git a/app/view_models/async/k8/cluster_ip_view_model.rb b/app/view_models/async/k8/cluster_ip_view_model.rb
index c409368c..bd8c7ea4 100644
--- a/app/view_models/async/k8/cluster_ip_view_model.rb
+++ b/app/view_models/async/k8/cluster_ip_view_model.rb
@@ -12,7 +12,21 @@ class Async::K8::ClusterIpViewModel < Async::BaseViewModel
   def async_render
     connection = K8::Connection.new(service.project, current_user)
     ingress = K8::Stateless::Ingress.new(service)
-    ip = Networks::CheckDns.infer_expected_ip(ingress, connection)
-    "<pre class='cursor-pointer' data-controller='clipboard' data-clipboard-text='#{ip}'>#{ip}</pre>"
+    record = Networks::CheckDns.infer_expected_dns(ingress, connection)
+    if record[:type] == :ip_address
+      ip = record[:value]
+      <<~HTML
+      <div class='flex items-center gap-2'>
+        <pre>A Record</pre> / <pre class='cursor-pointer' data-controller='clipboard' data-clipboard-text='#{ip}'>#{ip}</pre>
+      </div>
+      HTML
+    else
+      hostname = record[:value]
+      <<~HTML
+      <div class='flex items-center gap-2'>
+        <pre>CNAME Record</pre> / <pre class='cursor-pointer' data-controller='clipboard' data-clipboard-text='#{hostname}'>#{hostname}</pre>
+      </div>
+      HTML
+    end
   end
 end
diff --git a/app/views/add_ons/endpoints/edit.html.erb b/app/views/add_ons/endpoints/edit.html.erb
index e7d205ec..0ee6d235 100644
--- a/app/views/add_ons/endpoints/edit.html.erb
+++ b/app/views/add_ons/endpoints/edit.html.erb
@@ -29,7 +29,13 @@
       <p class="text-sm text-gray-500">Comma separated list of domains to use for this endpoint</p>
     </div>
     <div class="my-4 alert alert-warning inline-block">
-      Make sure to create an A Record to <pre class="inline font-semibold cursor-pointer" data-controller="clipboard" data-clipboard-text="<%= @ip_address %>"><%= @ip_address %></pre> for any domain you add here.
+      Make sure to create an A Record to
+      <pre
+        class="inline font-semibold cursor-pointer"
+        data-controller="clipboard"
+        data-clipboard-text="<%= @ip_address %>">
+        <%= @ip_address %>
+      </pre> for any domain you add here.
     </div>
 
     <div class="form-footer">
diff --git a/app/views/projects/services/_networking.html.erb b/app/views/projects/services/_networking.html.erb
index b67f036d..5f0e8e16 100644
--- a/app/views/projects/services/_networking.html.erb
+++ b/app/views/projects/services/_networking.html.erb
@@ -9,13 +9,13 @@
 
     <%= render "projects/services/telepresence_guide", cluster: @project.cluster, url: "http://#{service.internal_url}" %>
   </div>
-  <div>
-    <h2 class="text-xl font-bold">Public Networking</h2>
-    <hr class="mt-3 mb-4 border-t border-base-300" />
-    <% if service.allow_public_networking? %>
+  <% if service.allow_public_networking? %>
+    <div>
+      <h2 class="text-xl font-bold">Public Networking</h2>
+      <hr class="mt-3 mb-4 border-t border-base-300" />
       <div class="form-control form-group">
         <%= render "projects/services/domains/index", service: service %>
       </div>
-    <% end %>
-  </div>
+    </div>
+  <% end %>
 </div>
\ No newline at end of file
diff --git a/app/views/projects/services/domains/_list.html.erb b/app/views/projects/services/domains/_list.html.erb
index 5d179445..91469e1f 100644
--- a/app/views/projects/services/domains/_list.html.erb
+++ b/app/views/projects/services/domains/_list.html.erb
@@ -2,7 +2,7 @@
   <thead>
     <tr>
       <th>Domain</th>
-      <th>A Record</th>
+      <th>DNS Type / Value</th>
       <th>DNS Status</th>
       <th></th>
     </tr>
diff --git a/spec/actions/networks/check_dns_spec.rb b/spec/actions/networks/check_dns_spec.rb
index 0e749f73..185d4035 100644
--- a/spec/actions/networks/check_dns_spec.rb
+++ b/spec/actions/networks/check_dns_spec.rb
@@ -8,25 +8,25 @@ RSpec.describe Networks::CheckDns do
   let(:connection) { K8::Connection.new(cluster, user) }
   let(:ingress) { K8::Stateless::Ingress.new(service).connect(connection) }
 
-  describe '.infer_expected_ip' do
+  describe '.infer_expected_dns' do
     context 'when ingress returns public IP' do
       before do
-        allow(ingress).to receive(:ip_address).and_return('8.8.8.8')
+        allow(ingress).to receive(:hostname).and_return({ value: '8.8.8.8', type: :ip_address })
       end
 
       it 'returns the IP' do
-        expect(described_class.infer_expected_ip(ingress, connection)).to eq('8.8.8.8')
+        expect(described_class.infer_expected_dns(ingress, connection)).to eq({ value: "8.8.8.8", type: :ip_address })
       end
     end
 
     context 'when ingress returns private IP' do
       before do
-        allow(ingress).to receive(:ip_address).and_return('10.0.0.1')
+        allow(ingress).to receive(:hostname).and_return({ value: '10.0.0.1', type: :ip_address })
         allow(Resolv).to receive(:getaddress).with('example.com').and_return('1.2.3.4')
       end
 
       it 'resolves and returns public IP' do
-        expect(described_class.infer_expected_ip(ingress, connection)).to eq('1.2.3.4')
+        expect(described_class.infer_expected_dns(ingress, connection)).to eq({ value: "1.2.3.4", type: :ip_address })
       end
     end
 
@@ -45,11 +45,11 @@ RSpec.describe Networks::CheckDns do
       end
 
       before do
-        allow(ingress).to receive(:ip_address).and_return('10.0.0.1')
+        allow(ingress).to receive(:hostname).and_return({ value: '1.2.3.4', type: :ip_address })
       end
 
       it 'returns the hostname IP' do
-        expect(described_class.infer_expected_ip(ingress, connection)).to eq('1.2.3.4')
+        expect(described_class.infer_expected_dns(ingress, connection)).to eq({ value: "1.2.3.4", type: :ip_address })
       end
     end
   end

From 15b6b8bc7d2639b436011141d1763db57fd4600e Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 10 Dec 2025 14:00:01 -0800
Subject: [PATCH 55/75] check dns status fix

---
 app/actions/networks/check_dns.rb       | 30 ++++++++++++++++++-------
 spec/actions/networks/check_dns_spec.rb |  2 +-
 2 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/app/actions/networks/check_dns.rb b/app/actions/networks/check_dns.rb
index 31ab524e..4e68629f 100644
--- a/app/actions/networks/check_dns.rb
+++ b/app/actions/networks/check_dns.rb
@@ -45,18 +45,32 @@ class Networks::CheckDns
 
   executed do |context|
     # TODO
-    expected_ip = infer_expected_dns(context.ingress, context.connection)
+    expected_dns = infer_expected_dns(context.ingress, context.connection)
     context.ingress.service.domains.each do |domain|
-      ip_addresses = Resolv::DNS.open do |dns|
-        dns.getresources(domain.domain_name, Resolv::DNS::Resource::IN::A).map do |resource|
-          resource.address
+      # If the expected DNS record is an IP address, 
+      if expected_dns[:type] == :ip_address
+        ip_addresses = Resolv::DNS.open do |dns|
+          dns.getresources(domain.domain_name, Resolv::DNS::Resource::IN::A).map do |resource|
+            resource.address
+          end
         end
-      end
 
-      if ip_addresses.any? && ip_addresses.first.to_s == expected_ip
-        domain.update(status: :dns_verified)
+        if ip_addresses.any? && ip_addresses.first.to_s == expected_dns[:value]
+          domain.update(status: :dns_verified)
+        else
+          domain.update(status: :dns_incorrect, status_reason: "DNS record (#{ip_addresses.first || "empty"}) does not match expected IP address (#{expected_dns[:value]})")
+        end
       else
-        domain.update(status: :dns_incorrect, status_reason: "DNS record (#{ip_addresses.first}) does not match expected IP address (#{expected_ip})")
+        hostnames = Resolv::DNS.open do |dns|
+          dns.getresources(domain.domain_name, Resolv::DNS::Resource::IN::CNAME).map do |resource|
+            resource.name
+          end
+        end
+        if hostnames.any? && hostnames.first.to_s == expected_dns[:value]
+          domain.update(status: :dns_verified)
+        else
+          domain.update(status: :dns_incorrect, status_reason: "DNS record (#{hostnames.first || "empty"}) does not match expected hostname (#{expected_dns[:value]})")
+        end
       end
     end
   end
diff --git a/spec/actions/networks/check_dns_spec.rb b/spec/actions/networks/check_dns_spec.rb
index 185d4035..5e816a83 100644
--- a/spec/actions/networks/check_dns_spec.rb
+++ b/spec/actions/networks/check_dns_spec.rb
@@ -49,7 +49,7 @@ RSpec.describe Networks::CheckDns do
       end
 
       it 'returns the hostname IP' do
-        expect(described_class.infer_expected_dns(ingress, connection)).to eq({ value: "1.2.3.4", type: :ip_address })
+        expect(described_class.infer_expected_dns(ingress, connection)).to(eq({ value: "1.2.3.4", type: :ip_address }))
       end
     end
   end

From 15aad3ef2603cf34c33acf80eadc56d930ad6589 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 10 Dec 2025 14:00:34 -0800
Subject: [PATCH 56/75] fix lint

---
 app/actions/networks/check_dns.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/actions/networks/check_dns.rb b/app/actions/networks/check_dns.rb
index 4e68629f..6b61c35f 100644
--- a/app/actions/networks/check_dns.rb
+++ b/app/actions/networks/check_dns.rb
@@ -47,7 +47,6 @@ class Networks::CheckDns
     # TODO
     expected_dns = infer_expected_dns(context.ingress, context.connection)
     context.ingress.service.domains.each do |domain|
-      # If the expected DNS record is an IP address, 
       if expected_dns[:type] == :ip_address
         ip_addresses = Resolv::DNS.open do |dns|
           dns.getresources(domain.domain_name, Resolv::DNS::Resource::IN::A).map do |resource|

From beaa7e5048c8beccdd166b2197e20c1a1a3e974b Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 10 Dec 2025 17:17:37 -0800
Subject: [PATCH 57/75] support for github / gitlab enterprise

---
 .../providers/create_github_provider.rb       | 23 +++++++++----
 .../providers/create_gitlab_provider.rb       | 27 ++++++++++-----
 app/models/provider.rb                        | 16 +++++++++
 app/services/git/client.rb                    |  4 +--
 app/services/git/github/client.rb             | 14 +++++---
 app/services/git/gitlab/client.rb             | 34 +++++++++++--------
 app/views/providers/_form.html.erb            | 11 ++++++
 app/views/providers/new.html.erb              |  6 ++++
 .../providers/create_gitlab_provider_spec.rb  | 11 +++---
 spec/services/git/gitlab/client_spec.rb       |  7 ++--
 10 files changed, 111 insertions(+), 42 deletions(-)

diff --git a/app/actions/providers/create_github_provider.rb b/app/actions/providers/create_github_provider.rb
index 27b82b41..db5023db 100644
--- a/app/actions/providers/create_github_provider.rb
+++ b/app/actions/providers/create_github_provider.rb
@@ -6,7 +6,11 @@ class Providers::CreateGithubProvider
   promises :provider
 
   executed do |context|
-    client = Octokit::Client.new(access_token: context.provider.access_token)
+    client_options = { access_token: context.provider.access_token }
+    if context.provider.enterprise?
+      client_options[:api_endpoint] = "#{context.provider.api_base_url}/api/v3/"
+    end
+    client = Octokit::Client.new(client_options)
     username = client.user[:login]
     context.provider.auth = {
       info: {
@@ -14,16 +18,23 @@ class Providers::CreateGithubProvider
       }
     }.to_json
 
-    if (client.scopes & EXPECTED_SCOPES).sort != EXPECTED_SCOPES.sort
-      message = "Invalid scopes. Please check that your personal access token has the following scopes: #{EXPECTED_SCOPES.join(", ")}"
-      context.fail_and_return!(message)
-      context.provider.errors.add(:access_token, message)
-      next
+    # Skip scope validation for enterprise (some GHE instances don't expose scopes)
+    unless context.provider.enterprise?
+      if (client.scopes & EXPECTED_SCOPES).sort != EXPECTED_SCOPES.sort
+        message = "Invalid scopes. Please check that your personal access token has the following scopes: #{EXPECTED_SCOPES.join(", ")}"
+        context.fail_and_return!(message)
+        context.provider.errors.add(:access_token, message)
+        next
+      end
     end
     context.provider.save!
   rescue Octokit::Unauthorized
     message = "Invalid access token"
     context.provider.errors.add(:access_token, message)
     context.fail_and_return!(message)
+  rescue Faraday::ConnectionFailed => e
+    message = "Could not connect to GitHub server: #{e.message}"
+    context.provider.errors.add(:registry_url, message)
+    context.fail_and_return!(message)
   end
 end
diff --git a/app/actions/providers/create_gitlab_provider.rb b/app/actions/providers/create_gitlab_provider.rb
index 3bce6750..bff9e8aa 100644
--- a/app/actions/providers/create_gitlab_provider.rb
+++ b/app/actions/providers/create_gitlab_provider.rb
@@ -1,14 +1,16 @@
 class Providers::CreateGitlabProvider
   EXPECTED_SCOPES = %w[ api read_repository read_registry write_registry ]
-  GITLAB_PAT_API_URL = "https://gitlab.com/api/v4/personal_access_tokens/self"
-  GITLAB_USER_API_URL = "https://gitlab.com/api/v4/user"
   extend LightService::Action
 
   expects :provider
   promises :provider
 
   executed do |context|
-    response = HTTParty.get(GITLAB_PAT_API_URL,
+    base_url = context.provider.api_base_url
+    pat_api_url = "#{base_url}/api/v4/personal_access_tokens/self"
+    user_api_url = "#{base_url}/api/v4/user"
+
+    response = HTTParty.get(pat_api_url,
       headers: {
         "Authorization" => "Bearer #{context.provider.access_token}"
       },
@@ -20,15 +22,18 @@ class Providers::CreateGitlabProvider
       next
     end
 
-    if (response["scopes"] & EXPECTED_SCOPES).sort != EXPECTED_SCOPES.sort
-      message = "Invalid scopes. Please check that your personal access token has the following scopes: #{EXPECTED_SCOPES.join(", ")}"
-      context.provider.errors.add(:access_token, message)
-      context.fail_and_return!(message)
-      next
+    # Skip scope validation for enterprise (some instances may have different scope requirements)
+    unless context.provider.enterprise?
+      if (response["scopes"] & EXPECTED_SCOPES).sort != EXPECTED_SCOPES.sort
+        message = "Invalid scopes. Please check that your personal access token has the following scopes: #{EXPECTED_SCOPES.join(", ")}"
+        context.provider.errors.add(:access_token, message)
+        context.fail_and_return!(message)
+        next
+      end
     end
     # Get username data
 
-    response = HTTParty.get(GITLAB_USER_API_URL,
+    response = HTTParty.get(user_api_url,
       headers: {
         "Authorization" => "Bearer #{context.provider.access_token}"
       },
@@ -43,5 +48,9 @@ class Providers::CreateGitlabProvider
     context.provider.auth = body
 
     context.provider.save!
+  rescue Errno::ECONNREFUSED, SocketError => e
+    message = "Could not connect to GitLab server: #{e.message}"
+    context.provider.errors.add(:registry_url, message)
+    context.fail_and_return!(message)
   end
 end
diff --git a/app/models/provider.rb b/app/models/provider.rb
index 4b650668..8cb7fa23 100644
--- a/app/models/provider.rb
+++ b/app/models/provider.rb
@@ -28,8 +28,10 @@
 class Provider < ApplicationRecord
   attr_accessor :username_param
   GITHUB_PROVIDER = "github"
+  GITHUB_API_BASE = "https://api.github.com"
   CUSTOM_REGISTRY_PROVIDER = "container_registry"
   GITLAB_PROVIDER = "gitlab"
+  GITLAB_API_BASE = "https://gitlab.com"
   GIT_TYPE = "git"
   REGISTRY_TYPE = "registry"
   PROVIDER_TYPES = {
@@ -83,6 +85,20 @@ class Provider < ApplicationRecord
     provider == GITLAB_PROVIDER
   end
 
+  def enterprise?
+    (github? || gitlab?) && registry_url.present?
+  end
+
+  def api_base_url
+    if registry_url.present?
+      registry_url.chomp("/")
+    elsif github?
+      GITHUB_API_BASE
+    elsif gitlab?
+      GITLAB_API_BASE
+    end
+  end
+
   def twitter_refresh_token!(token); end
 
   def used!
diff --git a/app/services/git/client.rb b/app/services/git/client.rb
index 3a64382e..e5b6d4b6 100644
--- a/app/services/git/client.rb
+++ b/app/services/git/client.rb
@@ -1,9 +1,9 @@
 class Git::Client
   def self.from_provider(provider:, repository_url:)
     if provider.github?
-      Git::Github::Client.new(access_token: provider.access_token, repository_url:)
+      Git::Github::Client.new(access_token: provider.access_token, repository_url:, api_base_url: provider.api_base_url)
     elsif provider.gitlab?
-      Git::Gitlab::Client.new(access_token: provider.access_token, repository_url:)
+      Git::Gitlab::Client.new(access_token: provider.access_token, repository_url:, api_base_url: provider.api_base_url)
     else
       raise "Unsupported Git provider: #{provider}"
     end
diff --git a/app/services/git/github/client.rb b/app/services/git/github/client.rb
index 9ba540b8..60e5892e 100644
--- a/app/services/git/github/client.rb
+++ b/app/services/git/github/client.rb
@@ -4,9 +4,11 @@ class Git::Github::Client < Git::Client
   attr_accessor :client, :repository_url
 
   def self.from_project(project)
+    provider = project.project_credential_provider.provider
     new(
-      access_token: project.project_credential_provider.access_token,
-      repository_url: project.repository_url
+      access_token: provider.access_token,
+      repository_url: project.repository_url,
+      api_base_url: provider.api_base_url
     )
   end
 
@@ -26,8 +28,12 @@ class Git::Github::Client < Git::Client
     end
   end
 
-  def initialize(access_token:, repository_url:)
-    @client = Octokit::Client.new(access_token:)
+  def initialize(access_token:, repository_url:, api_base_url: nil)
+    client_options = { access_token: }
+    if api_base_url && api_base_url != "https://api.github.com"
+      client_options[:api_endpoint] = "#{api_base_url}/api/v3/"
+    end
+    @client = Octokit::Client.new(client_options)
     @repository_url = repository_url
   end
 
diff --git a/app/services/git/gitlab/client.rb b/app/services/git/gitlab/client.rb
index a682c3ab..f239daed 100644
--- a/app/services/git/gitlab/client.rb
+++ b/app/services/git/gitlab/client.rb
@@ -1,19 +1,25 @@
 class Git::Gitlab::Client < Git::Client
-  GITLAB_API_BASE = "https://gitlab.com/api/v4"
   GITLAB_WEBHOOK_SECRET = ENV["GITLAB_WEBHOOK_SECRET"]
-  attr_accessor :access_token, :repository_url
+  attr_accessor :access_token, :repository_url, :api_base_url
 
   def self.from_project(project)
-    raise "Project is not a GitLab project" unless project.project_credential_provider.provider.gitlab?
+    provider = project.project_credential_provider.provider
+    raise "Project is not a GitLab project" unless provider.gitlab?
     new(
-      access_token: project.project_credential_provider.access_token,
-      repository_url: project.repository_url
+      access_token: provider.access_token,
+      repository_url: project.repository_url,
+      api_base_url: provider.api_base_url
     )
   end
 
-  def initialize(access_token:, repository_url:)
+  def initialize(access_token:, repository_url:, api_base_url: nil)
     @access_token = access_token
     @repository_url = repository_url
+    @api_base_url = api_base_url || "https://gitlab.com"
+  end
+
+  def gitlab_api_base
+    "#{@api_base_url}/api/v4"
   end
 
   def repository_exists?
@@ -22,7 +28,7 @@ class Git::Gitlab::Client < Git::Client
 
   def commits(branch)
     response = HTTParty.get(
-      "#{GITLAB_API_BASE}/projects/#{encoded_url}/repository/commits?ref=#{branch}",
+      "#{gitlab_api_base}/projects/#{encoded_url}/repository/commits?ref=#{branch}",
       headers: { "Authorization" => "Bearer #{access_token}" }
     )
     unless response.success?
@@ -53,7 +59,7 @@ class Git::Gitlab::Client < Git::Client
       return
     end
     response = HTTParty.post(
-      "#{GITLAB_API_BASE}/projects/#{encoded_url}/hooks",
+      "#{gitlab_api_base}/projects/#{encoded_url}/hooks",
       headers: { "Authorization" => "Bearer #{access_token}", "Content-Type" => "application/json" },
       body: {
         url: Rails.application.routes.url_helpers.inbound_webhooks_gitlab_index_url,
@@ -71,7 +77,7 @@ class Git::Gitlab::Client < Git::Client
 
   def webhooks
     response = HTTParty.get(
-      "#{GITLAB_API_BASE}/projects/#{encoded_url}/hooks",
+      "#{gitlab_api_base}/projects/#{encoded_url}/hooks",
       headers: { "Authorization" => "Bearer #{access_token}" },
       format: :json
     )
@@ -84,7 +90,7 @@ class Git::Gitlab::Client < Git::Client
   def repository
     @repository ||= begin
       project_response = HTTParty.get(
-        "#{GITLAB_API_BASE}/projects/#{encoded_url}",
+        "#{gitlab_api_base}/projects/#{encoded_url}",
         headers: { "Authorization" => "Bearer #{access_token}" }
       )
     end
@@ -105,7 +111,7 @@ class Git::Gitlab::Client < Git::Client
   def remove_webhook!
     if webhook_exists?
       HTTParty.delete(
-        "#{GITLAB_API_BASE}/projects/#{encoded_url}/hooks/#{webhook['id']}",
+        "#{gitlab_api_base}/projects/#{encoded_url}/hooks/#{webhook['id']}",
         headers: { "Authorization" => "Bearer #{access_token}" }
       )
     end
@@ -113,7 +119,7 @@ class Git::Gitlab::Client < Git::Client
 
   def pull_requests
     HTTParty.get(
-      "#{GITLAB_API_BASE}/projects/#{encoded_url}/merge_requests",
+      "#{gitlab_api_base}/projects/#{encoded_url}/merge_requests",
       headers: { "Authorization" => "Bearer #{access_token}" }
     ).map do |row|
       Git::Common::PullRequest.new(
@@ -131,7 +137,7 @@ class Git::Gitlab::Client < Git::Client
 
   def pull_request_status(pr_number)
     response = HTTParty.get(
-      "#{GITLAB_API_BASE}/projects/#{encoded_url}/merge_requests/#{pr_number}",
+      "#{gitlab_api_base}/projects/#{encoded_url}/merge_requests/#{pr_number}",
       headers: { "Authorization" => "Bearer #{access_token}" }
     )
     return 'not_found' unless response.success?
@@ -141,7 +147,7 @@ class Git::Gitlab::Client < Git::Client
 
   def get_file(file_path, branch)
     response = HTTParty.get(
-      "#{GITLAB_API_BASE}/projects/#{encoded_url}/repository/files/#{URI.encode_www_form_component(file_path)}/raw?ref=#{branch}",
+      "#{gitlab_api_base}/projects/#{encoded_url}/repository/files/#{URI.encode_www_form_component(file_path)}/raw?ref=#{branch}",
       headers: { "Authorization" => "Bearer #{access_token}" }
     )
     response.success? ? Git::Common::File.new(file_path, response.body, branch) : nil
diff --git a/app/views/providers/_form.html.erb b/app/views/providers/_form.html.erb
index af6d7176..c385666e 100644
--- a/app/views/providers/_form.html.erb
+++ b/app/views/providers/_form.html.erb
@@ -1,6 +1,17 @@
 <%= form_with model: provider do |form| %>
   <%= render "shared/error_messages", resource: form.object %>
   <%= form.hidden_field :provider, value: params[:provider_type] %>
+  <% if params[:provider_type] == Provider::GITHUB_PROVIDER || params[:provider_type] == Provider::GITLAB_PROVIDER %>
+    <div class="form-control mt-1 w-full max-w-sm">
+      <label class="label">
+        <span class="label-text">Host URL <span class="text-gray-400">(optional, for Enterprise)</span></span>
+      </label>
+      <%= form.text_field :registry_url, class: "input input-bordered", placeholder: params[:provider_type] == Provider::GITHUB_PROVIDER ? "https://github.example.com" : "https://gitlab.example.com" %>
+      <label class="label">
+        <span class="label-text-alt text-gray-400">Leave blank for <%= params[:provider_type] == Provider::GITHUB_PROVIDER ? "github.com" : "gitlab.com" %></span>
+      </label>
+    </div>
+  <% end %>
   <% if params[:provider_type] == Provider::CUSTOM_REGISTRY_PROVIDER || form.object.provider == Provider::CUSTOM_REGISTRY_PROVIDER %>
     <div data-controller="registry-selector">
       <div class="form-control mt-1 w-full max-w-sm">
diff --git a/app/views/providers/new.html.erb b/app/views/providers/new.html.erb
index 692f787d..1bb1c067 100644
--- a/app/views/providers/new.html.erb
+++ b/app/views/providers/new.html.erb
@@ -22,6 +22,9 @@
             <% end %>
             permissions.
           </div>
+          <div class="mt-2 text-sm text-gray-500">
+            For GitHub Enterprise, enter your server's host URL below.
+          </div>
         <% elsif params[:provider_type] == Provider::GITLAB_PROVIDER %>
           <%= link_to "Find your Gitlab token →", "https://gitlab.com/-/user_settings/personal_access_tokens", target: "_blank", class: "text-sm text-gray-500 " %>
           <div class="mt-2">
@@ -31,6 +34,9 @@
             <% end %>
             permissions.
           </div>
+          <div class="mt-2 text-sm text-gray-500">
+            For GitLab Enterprise/Self-Managed, enter your server's host URL below.
+          </div>
         <% end %>
       </div>
     </div>
diff --git a/spec/actions/providers/create_gitlab_provider_spec.rb b/spec/actions/providers/create_gitlab_provider_spec.rb
index a9d7ea0e..d65cf781 100644
--- a/spec/actions/providers/create_gitlab_provider_spec.rb
+++ b/spec/actions/providers/create_gitlab_provider_spec.rb
@@ -12,16 +12,19 @@ RSpec.describe Providers::CreateGitlabProvider do
     JSON.parse(File.read(Rails.root.join('spec/resources/integrations/gitlab/user.json')))
   end
 
+  let(:gitlab_pat_api_url) { "#{provider.api_base_url}/api/v4/personal_access_tokens/self" }
+  let(:gitlab_user_api_url) { "#{provider.api_base_url}/api/v4/user" }
+
   describe '.execute' do
     context 'when the access token is valid and has correct scopes' do
       before do
-        stub_request(:get, Providers::CreateGitlabProvider::GITLAB_PAT_API_URL)
+        stub_request(:get, gitlab_pat_api_url)
           .to_return(
             status: 200,
             body: personal_access_tokens_data.to_json,
             headers: { 'Content-Type' => 'application/json' }
           )
-        stub_request(:get, Providers::CreateGitlabProvider::GITLAB_USER_API_URL)
+        stub_request(:get, gitlab_user_api_url)
           .to_return(
             status: 200,
             body: user_data.to_json,
@@ -38,7 +41,7 @@ RSpec.describe Providers::CreateGitlabProvider do
 
     context 'when the access token is invalid' do
       before do
-        stub_request(:get, Providers::CreateGitlabProvider::GITLAB_PAT_API_URL)
+        stub_request(:get, gitlab_pat_api_url)
           .to_return(
             status: 401,
             body: { error: "Unauthorized" }.to_json,
@@ -60,7 +63,7 @@ RSpec.describe Providers::CreateGitlabProvider do
       before do
         error_response = personal_access_tokens_data.deep_dup
         error_response["scopes"] = []
-        stub_request(:get, Providers::CreateGitlabProvider::GITLAB_PAT_API_URL)
+        stub_request(:get, gitlab_pat_api_url)
           .to_return(
             status: 200,
             body: error_response.to_json,
diff --git a/spec/services/git/gitlab/client_spec.rb b/spec/services/git/gitlab/client_spec.rb
index ad9fd412..c1718175 100644
--- a/spec/services/git/gitlab/client_spec.rb
+++ b/spec/services/git/gitlab/client_spec.rb
@@ -4,6 +4,7 @@ RSpec.describe Git::Gitlab::Client do
   let(:access_token) { 'test_token' }
   let(:repository_url) { 'czhu12/echo' }
   let(:client) { described_class.new(access_token:, repository_url:) }
+  let(:gitlab_api_base) { "#{Provider::GITLAB_API_BASE}/api/v4" }
 
   describe '#register_webhook!' do
     let(:webhook_url) { 'http://localhost:3000/inbound_webhooks/gitlab' }
@@ -32,7 +33,7 @@ RSpec.describe Git::Gitlab::Client do
 
       it 'creates a new webhook' do
         expect(HTTParty).to receive(:post).with(
-          "#{described_class::GITLAB_API_BASE}/projects/#{client.encoded_url}/hooks",
+          "#{gitlab_api_base}/projects/#{client.encoded_url}/hooks",
           headers: { "Authorization" => "Bearer #{access_token}", "Content-Type" => "application/json" },
           body: {
             url: webhook_url,
@@ -66,7 +67,7 @@ RSpec.describe Git::Gitlab::Client do
 
       it 'deletes the webhook' do
         expect(HTTParty).to receive(:delete).with(
-          "#{described_class::GITLAB_API_BASE}/projects/#{client.encoded_url}/hooks/#{webhook['id']}",
+          "#{gitlab_api_base}/projects/#{client.encoded_url}/hooks/#{webhook['id']}",
           headers: { "Authorization" => "Bearer #{access_token}" }
         )
 
@@ -96,7 +97,7 @@ RSpec.describe Git::Gitlab::Client do
     context 'when file exists' do
       before do
         allow(HTTParty).to receive(:get).with(
-          "#{described_class::GITLAB_API_BASE}/projects/#{client.encoded_url}/repository/files/#{URI.encode_www_form_component(file_path)}/raw?ref=#{branch}",
+          "#{gitlab_api_base}/projects/#{client.encoded_url}/repository/files/#{URI.encode_www_form_component(file_path)}/raw?ref=#{branch}",
           headers: { "Authorization" => "Bearer #{access_token}" }
         ).and_return(success_response)
       end

From 02f6a380d3f4a6578e1cfc918b366916924ea0cb Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Wed, 10 Dec 2025 20:01:17 -0800
Subject: [PATCH 58/75] updates

---
 app/actions/providers/create_github_provider.rb    |  9 ++++-----
 .../integrations/github/repositories_controller.rb |  6 +++++-
 app/services/git/github/client.rb                  | 14 +++++++++-----
 spec/actions/providers/create_spec.rb              |  6 +++---
 4 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/app/actions/providers/create_github_provider.rb b/app/actions/providers/create_github_provider.rb
index db5023db..fdecb90c 100644
--- a/app/actions/providers/create_github_provider.rb
+++ b/app/actions/providers/create_github_provider.rb
@@ -6,11 +6,10 @@ class Providers::CreateGithubProvider
   promises :provider
 
   executed do |context|
-    client_options = { access_token: context.provider.access_token }
-    if context.provider.enterprise?
-      client_options[:api_endpoint] = "#{context.provider.api_base_url}/api/v3/"
-    end
-    client = Octokit::Client.new(client_options)
+    client = Git::Github::Client.build_client(
+      access_token: context.provider.access_token,
+      api_base_url: context.provider.api_base_url
+    )
     username = client.user[:login]
     context.provider.auth = {
       info: {
diff --git a/app/controllers/integrations/github/repositories_controller.rb b/app/controllers/integrations/github/repositories_controller.rb
index 020da3dd..5121926e 100644
--- a/app/controllers/integrations/github/repositories_controller.rb
+++ b/app/controllers/integrations/github/repositories_controller.rb
@@ -1,6 +1,10 @@
 class Integrations::Github::RepositoriesController < ApplicationController
   def index
-    client = Octokit::Client.new(access_token: current_account.github_provider.access_token)
+    provider = current_account.github_provider
+    client = Git::Github::Client.build_client(
+      access_token: provider.access_token,
+      api_base_url: provider.api_base_url
+    )
     if params[:q].present?
       client.auto_paginate = true
       @repositories = client.repos(current_account.github_username)
diff --git a/app/services/git/github/client.rb b/app/services/git/github/client.rb
index 60e5892e..fc59a833 100644
--- a/app/services/git/github/client.rb
+++ b/app/services/git/github/client.rb
@@ -12,6 +12,14 @@ class Git::Github::Client < Git::Client
     )
   end
 
+  def self.build_client(access_token:, api_base_url: nil)
+    client_options = { access_token: }
+    if api_base_url && api_base_url != "https://api.github.com"
+      client_options[:api_endpoint] = "#{api_base_url}/api/v3/"
+    end
+    Octokit::Client.new(client_options)
+  end
+
   def commits(branch)
     client.commits(repository_url, branch).map do |commit|
       Git::Common::Commit.new(
@@ -29,11 +37,7 @@ class Git::Github::Client < Git::Client
   end
 
   def initialize(access_token:, repository_url:, api_base_url: nil)
-    client_options = { access_token: }
-    if api_base_url && api_base_url != "https://api.github.com"
-      client_options[:api_endpoint] = "#{api_base_url}/api/v3/"
-    end
-    @client = Octokit::Client.new(client_options)
+    @client = self.class.build_client(access_token:, api_base_url:)
     @repository_url = repository_url
   end
 
diff --git a/spec/actions/providers/create_spec.rb b/spec/actions/providers/create_spec.rb
index 8142f126..f08e1ba4 100644
--- a/spec/actions/providers/create_spec.rb
+++ b/spec/actions/providers/create_spec.rb
@@ -22,7 +22,7 @@ RSpec.describe Providers::Create do
       let(:provider) { build(:provider, :github) }
       context 'when the access token is valid' do
         before do
-          allow(Octokit::Client).to receive(:new).and_return(double(user: { login: 'test_user' }, scopes: [ 'repo', 'write:packages' ]))
+          allow(Git::Github::Client).to receive(:build_client).and_return(double(user: { login: 'test_user' }, scopes: [ 'repo', 'write:packages' ]))
         end
 
         it 'sets the provider auth info' do
@@ -37,7 +37,7 @@ RSpec.describe Providers::Create do
 
       context 'when the access token is invalid' do
         before do
-          allow(Octokit::Client).to receive(:new).and_raise(Octokit::Unauthorized)
+          allow(Git::Github::Client).to receive(:build_client).and_raise(Octokit::Unauthorized)
         end
 
         it 'adds an error to the provider' do
@@ -48,7 +48,7 @@ RSpec.describe Providers::Create do
 
       context 'when the scopes are invalid' do
         before do
-          allow(Octokit::Client).to receive(:new).and_return(double(user: { login: 'test_user' }, scopes: [ 'repo' ]))
+          allow(Git::Github::Client).to receive(:build_client).and_return(double(user: { login: 'test_user' }, scopes: [ 'repo' ]))
         end
 
         it 'fails the context with an invalid scopes message' do

From 53154d15711abec91f7d5a062ee08afb1a0da42d Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 11 Dec 2025 09:30:58 -0800
Subject: [PATCH 59/75] reduce errors on health check

---
 app/jobs/scheduled/check_health_job.rb | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/jobs/scheduled/check_health_job.rb b/app/jobs/scheduled/check_health_job.rb
index 1603a653..268b0283 100644
--- a/app/jobs/scheduled/check_health_job.rb
+++ b/app/jobs/scheduled/check_health_job.rb
@@ -8,10 +8,15 @@ class Scheduled::CheckHealthJob < ApplicationJob
       if service.domains.any?
         url = File.join("https://#{service.domains.first.domain_name}", service.healthcheck_url)
         Rails.logger.info("Checking health for #{service.name} at #{url}")
-        response = HTTParty.get(url)
-        if response.success?
-          service.status = :healthy
-        else
+        begin
+          response = HTTParty.get(url, timeout: 10)
+          if response.success?
+            service.status = :healthy
+          else
+            service.status = :unhealthy
+          end
+        rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError, HTTParty::Error => e
+          Rails.logger.warn("Health check failed for #{service.name}: #{e.class} - #{e.message}")
           service.status = :unhealthy
         end
         service.last_health_checked_at = DateTime.current

From b277bedb5046300514c1589cc6fe1576f483aab0 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 11 Dec 2025 10:19:15 -0800
Subject: [PATCH 60/75] catch more errors

---
 app/jobs/scheduled/check_health_job.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/jobs/scheduled/check_health_job.rb b/app/jobs/scheduled/check_health_job.rb
index 268b0283..26878d7c 100644
--- a/app/jobs/scheduled/check_health_job.rb
+++ b/app/jobs/scheduled/check_health_job.rb
@@ -15,7 +15,7 @@ class Scheduled::CheckHealthJob < ApplicationJob
           else
             service.status = :unhealthy
           end
-        rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError, HTTParty::Error => e
+        rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError, HTTParty::Error, OpenSSL::SSL::SSLError => e
           Rails.logger.warn("Health check failed for #{service.name}: #{e.class} - #{e.message}")
           service.status = :unhealthy
         end

From 1ebfb81178addb4c37ebd09583a197d5bc52e0c4 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 11 Dec 2025 10:21:33 -0800
Subject: [PATCH 61/75] bugfixes for environment varaibles

---
 app/controllers/projects/environment_variables_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/projects/environment_variables_controller.rb b/app/controllers/projects/environment_variables_controller.rb
index 38a4e202..8de4dd28 100644
--- a/app/controllers/projects/environment_variables_controller.rb
+++ b/app/controllers/projects/environment_variables_controller.rb
@@ -30,7 +30,7 @@ class Projects::EnvironmentVariablesController < Projects::BaseController
       @project.updated!
 
       if @project.current_deployment.present?
-        Projects::DeploymentJob.perform_later(@project.current_deployment)
+        Projects::DeploymentJob.perform_later(@project.current_deployment, current_user)
         @project.events.create(user: current_user, eventable: @project.last_build, event_action: :update)
         redirect_to project_environment_variables_path(@project),
                     notice: "Restarting services with new environment variables."
@@ -47,7 +47,7 @@ class Projects::EnvironmentVariablesController < Projects::BaseController
     @environment_variable = @project.environment_variables.find(params[:id])
     @environment_variable.destroy
     if @project.current_deployment.present?
-      Projects::DeploymentJob.perform_later(@project.current_deployment)
+      Projects::DeploymentJob.perform_later(@project.current_deployment, current_user)
     end
     render turbo_stream: turbo_stream.remove("environment_variable_#{@environment_variable.id}")
   end

From c48e77ce9cdf7ea2600fcd4aa035a52e47d85f87 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 11 Dec 2025 12:21:50 -0800
Subject: [PATCH 62/75] added gh enterprise fixes

---
 app/views/providers/_form.html.erb  | 34 +++++++++++++--------
 app/views/providers/_index.html.erb | 14 ++++-----
 app/views/providers/new.html.erb    |  6 ----
 spec/models/provider_spec.rb        | 47 +++++++++++++++++++++++++++++
 4 files changed, 76 insertions(+), 25 deletions(-)
 create mode 100644 spec/models/provider_spec.rb

diff --git a/app/views/providers/_form.html.erb b/app/views/providers/_form.html.erb
index c385666e..0c5afb7c 100644
--- a/app/views/providers/_form.html.erb
+++ b/app/views/providers/_form.html.erb
@@ -1,17 +1,6 @@
 <%= form_with model: provider do |form| %>
   <%= render "shared/error_messages", resource: form.object %>
-  <%= form.hidden_field :provider, value: params[:provider_type] %>
-  <% if params[:provider_type] == Provider::GITHUB_PROVIDER || params[:provider_type] == Provider::GITLAB_PROVIDER %>
-    <div class="form-control mt-1 w-full max-w-sm">
-      <label class="label">
-        <span class="label-text">Host URL <span class="text-gray-400">(optional, for Enterprise)</span></span>
-      </label>
-      <%= form.text_field :registry_url, class: "input input-bordered", placeholder: params[:provider_type] == Provider::GITHUB_PROVIDER ? "https://github.example.com" : "https://gitlab.example.com" %>
-      <label class="label">
-        <span class="label-text-alt text-gray-400">Leave blank for <%= params[:provider_type] == Provider::GITHUB_PROVIDER ? "github.com" : "gitlab.com" %></span>
-      </label>
-    </div>
-  <% end %>
+  <%= form.hidden_field :provider, value: params[:provider_type] || form.object.provider %>
   <% if params[:provider_type] == Provider::CUSTOM_REGISTRY_PROVIDER || form.object.provider == Provider::CUSTOM_REGISTRY_PROVIDER %>
     <div data-controller="registry-selector">
       <div class="form-control mt-1 w-full max-w-sm">
@@ -69,6 +58,27 @@
     <%= form.text_field :access_token, class: "input input-bordered", required: true %>
   </div>
 
+  <% provider_type = params[:provider_type] || form.object.provider %>
+  <% if provider_type == Provider::GITHUB_PROVIDER || provider_type == Provider::GITLAB_PROVIDER %>
+    <% provider_name = provider_type == Provider::GITHUB_PROVIDER ? "GitHub" : "GitLab" %>
+    <div data-controller="expandable-optional-input">
+      <div>
+        <a data-action="expandable-optional-input#show" class="btn btn-ghost btn-sm mt-2">
+          + Add custom hostname
+        </a>
+      </div>
+      <div data-expandable-optional-input-target="container" class="form-control mt-1 w-full max-w-sm">
+        <label class="label">
+          <span class="label-text">Host URL</span>
+        </label>
+        <%= form.text_field :registry_url, class: "input input-bordered", placeholder: provider_type == Provider::GITHUB_PROVIDER ? "https://github.example.com" : "https://gitlab.example.com" %>
+        <label class="label">
+          <span class="label-text-alt text-gray-400">Enter your <%= provider_name %> Enterprise server URL</span>
+        </label>
+      </div>
+    </div>
+  <% end %>
+
   <div class="form-footer">
     <%= form.submit "Save", class: "btn btn-primary" %>
     <%= link_to "Cancel", providers_path, class: "btn btn-outline" %>
diff --git a/app/views/providers/_index.html.erb b/app/views/providers/_index.html.erb
index 0fa3ad55..10a6d753 100644
--- a/app/views/providers/_index.html.erb
+++ b/app/views/providers/_index.html.erb
@@ -16,13 +16,13 @@
         <% project_credential_providers = ProjectCredentialProvider.where(provider:).all %>
         <tr>
           <td>
-          <%= provider.provider %>
-          <br />
-          <% if provider.container_registry? %>
-            <span class="text-gray-500">
-              <%= provider.registry_url %>
-            </span>
-          <% end %>
+            <%= provider.provider.titleize %>
+            <% if provider.registry_url.present? %>
+              <br />
+              <span class="text-gray-500 text-sm">
+                <%= provider.registry_url %>
+              </span>
+            <% end %>
           </td>
           <td>
             <%= render "providers/show", provider: %>
diff --git a/app/views/providers/new.html.erb b/app/views/providers/new.html.erb
index 1bb1c067..692f787d 100644
--- a/app/views/providers/new.html.erb
+++ b/app/views/providers/new.html.erb
@@ -22,9 +22,6 @@
             <% end %>
             permissions.
           </div>
-          <div class="mt-2 text-sm text-gray-500">
-            For GitHub Enterprise, enter your server's host URL below.
-          </div>
         <% elsif params[:provider_type] == Provider::GITLAB_PROVIDER %>
           <%= link_to "Find your Gitlab token →", "https://gitlab.com/-/user_settings/personal_access_tokens", target: "_blank", class: "text-sm text-gray-500 " %>
           <div class="mt-2">
@@ -34,9 +31,6 @@
             <% end %>
             permissions.
           </div>
-          <div class="mt-2 text-sm text-gray-500">
-            For GitLab Enterprise/Self-Managed, enter your server's host URL below.
-          </div>
         <% end %>
       </div>
     </div>
diff --git a/spec/models/provider_spec.rb b/spec/models/provider_spec.rb
new file mode 100644
index 00000000..e422841b
--- /dev/null
+++ b/spec/models/provider_spec.rb
@@ -0,0 +1,47 @@
+require 'rails_helper'
+
+RSpec.describe Provider, type: :model do
+  describe '#enterprise?' do
+    it 'returns true for github with registry_url' do
+      provider = build(:provider, :github, registry_url: 'https://github.example.com')
+      expect(provider.enterprise?).to be true
+    end
+
+    it 'returns true for gitlab with registry_url' do
+      provider = build(:provider, :gitlab, registry_url: 'https://gitlab.example.com')
+      expect(provider.enterprise?).to be true
+    end
+
+    it 'returns false for github without registry_url' do
+      provider = build(:provider, :github, registry_url: nil)
+      expect(provider.enterprise?).to be false
+    end
+
+    it 'returns false for gitlab without registry_url' do
+      provider = build(:provider, :gitlab, registry_url: nil)
+      expect(provider.enterprise?).to be false
+    end
+
+    it 'returns false for container_registry even with registry_url' do
+      provider = build(:provider, :container_registry)
+      expect(provider.enterprise?).to be false
+    end
+  end
+
+  describe '#api_base_url' do
+    it 'returns registry_url without trailing slash when present' do
+      provider = build(:provider, :github, registry_url: 'https://github.example.com/')
+      expect(provider.api_base_url).to eq('https://github.example.com')
+    end
+
+    it 'returns github api base when github without registry_url' do
+      provider = build(:provider, :github, registry_url: nil)
+      expect(provider.api_base_url).to eq('https://api.github.com')
+    end
+
+    it 'returns gitlab api base when gitlab without registry_url' do
+      provider = build(:provider, :gitlab, registry_url: nil)
+      expect(provider.api_base_url).to eq('https://gitlab.com')
+    end
+  end
+end

From f7bba6368f7b324065a8d09c8b7711541ff3485a Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 11 Dec 2025 13:09:34 -0800
Subject: [PATCH 63/75] added discord invite url as environment varialbe

---
 app/views/layouts/_sidebar.html.erb            | 18 ++++++++++--------
 app/views/shared/_footer.html.erb              | 10 ++++++----
 app/views/static/landing_page/_footer.html.erb | 10 ++++++----
 app/views/static/landing_page/_hero.html.erb   | 14 ++++++++------
 public/404.html                                |  8 --------
 public/422.html                                |  8 --------
 public/500.html                                |  8 --------
 7 files changed, 30 insertions(+), 46 deletions(-)

diff --git a/app/views/layouts/_sidebar.html.erb b/app/views/layouts/_sidebar.html.erb
index 249df991..29ad1858 100644
--- a/app/views/layouts/_sidebar.html.erb
+++ b/app/views/layouts/_sidebar.html.erb
@@ -168,15 +168,17 @@
       </div>
     </div>
   </div>
-  <div class="mx-4 hidden rounded bg-base-200 px-3 py-4 lg:block">
-    <p class="text-center text-base font-medium">Need Help?</p>
-    <p class="mt-3 text-center text-sm">Join our Discord server!</p>
-    <div class="mt-3 text-center">
-      <%= link_to "https://discord.gg/68YthskqEz", class: "btn btn-primary btn-sm" do %>
-        Join Discord <iconify-icon icon="ic:baseline-discord" height="16"></iconify-icon>
-      <% end %>
+  <% if ENV['DISCORD_INVITE_URL'].present? %>
+    <div class="mx-4 hidden rounded bg-base-200 px-3 py-4 lg:block">
+      <p class="text-center text-base font-medium">Need Help?</p>
+      <p class="mt-3 text-center text-sm">Join our Discord server!</p>
+      <div class="mt-3 text-center">
+        <%= link_to ENV['DISCORD_INVITE_URL'], class: "btn btn-primary btn-sm" do %>
+          Join Discord <iconify-icon icon="ic:baseline-discord" height="16"></iconify-icon>
+        <% end %>
+      </div>
     </div>
-  </div>
+  <% end %>
 </div>
 <!-- Start: Click Outside Modal -->
 <dialog aria-label="Modal" class="modal" id="click_outside_modal_2">
diff --git a/app/views/shared/_footer.html.erb b/app/views/shared/_footer.html.erb
index e13541bc..20c83974 100644
--- a/app/views/shared/_footer.html.erb
+++ b/app/views/shared/_footer.html.erb
@@ -5,10 +5,12 @@
         <span class="sr-only">GitHub</span>
         <iconify-icon icon="simple-icons:github" height="24"></iconify-icon>
       </a>
-      <a href="https://discord.gg/68YthskqEz" class="text-gray-400 hover:text-gray-500">
-        <span class="sr-only">Discord</span>
-        <iconify-icon icon="skill-icons:discord" height="24"></iconify-icon>
-      </a>
+      <% if ENV['DISCORD_INVITE_URL'].present? %>
+        <a href="<%= ENV['DISCORD_INVITE_URL'] %>" class="text-gray-400 hover:text-gray-500">
+          <span class="sr-only">Discord</span>
+          <iconify-icon icon="skill-icons:discord" height="24"></iconify-icon>
+        </a>
+      <% end %>
     </div>
     <div class="mt-8 md:order-1 md:mt-0">
       <p class="text-center text-xs leading-5 text-gray-500">© 2024 Canine, Inc. All rights reserved.</p>
diff --git a/app/views/static/landing_page/_footer.html.erb b/app/views/static/landing_page/_footer.html.erb
index eb5ced57..64d4b0bb 100644
--- a/app/views/static/landing_page/_footer.html.erb
+++ b/app/views/static/landing_page/_footer.html.erb
@@ -7,10 +7,12 @@
           <span class="sr-only">GitHub</span>
           <iconify-icon icon="simple-icons:github" height="24"></iconify-icon>
         </a>
-        <a href="https://discord.gg/68YthskqEz" class="text-gray-400 hover:text-gray-500">
-          <span class="sr-only">Discord</span>
-          <iconify-icon icon="skill-icons:discord" height="24"></iconify-icon>
-        </a>
+        <% if ENV['DISCORD_INVITE_URL'].present? %>
+          <a href="<%= ENV['DISCORD_INVITE_URL'] %>" class="text-gray-400 hover:text-gray-500">
+            <span class="sr-only">Discord</span>
+            <iconify-icon icon="skill-icons:discord" height="24"></iconify-icon>
+          </a>
+        <% end %>
       </div>
       <p class="mt-8 text-xs leading-5 text-gray-400 md:order-1 md:mt-0">© 2025 Canine, Inc. MIT License.</p>
     </div>
diff --git a/app/views/static/landing_page/_hero.html.erb b/app/views/static/landing_page/_hero.html.erb
index f029bab4..877b52b9 100644
--- a/app/views/static/landing_page/_hero.html.erb
+++ b/app/views/static/landing_page/_hero.html.erb
@@ -14,12 +14,14 @@
     <div class="aspect-[1108/632] w-[69.25rem] bg-gradient-to-r from-[#80caff] to-[#4f46e5] opacity-20" style="clip-path: polygon(73.6% 51.7%, 91.7% 11.8%, 100% 46.4%, 97.4% 82.2%, 92.5% 84.9%, 75.7% 64%, 55.3% 47.5%, 46.5% 49.4%, 45% 62.9%, 50.3% 87.2%, 21.3% 64.1%, 0.1% 100%, 5.4% 51.1%, 21.4% 63.9%, 58.9% 0.2%, 73.6% 51.7%)"></div>
   </div>
   <div class="mx-auto max-w-7xl px-6 pb-24 pt-2 sm:pb-40 lg:flex lg:px-8 lg:pt-4 justify-center">
-    <div class="mx-auto max-w-2xl flex-shrink-0 lg:mx-0 lg:max-w-4xl lg:pt-2">
-      <div class="mb-4 lg:mb-20">
-        <%= link_to "https://discord.gg/68YthskqEz", class: "btn btn-ghost btn-sm lg:btn-md" do %>
-          <span class="lg:inline">Join us on Discord</span> <iconify-icon icon="skill-icons:discord" height="20"></iconify-icon>
-        <% end %>
-      </div>
+    <div class="mx-auto max-w-2xl flex-shrink-0 lg:mx-0 lg:max-w-4xl lg:pt-2 <%= 'pt-4 lg:pt-20' unless ENV['DISCORD_INVITE_URL'].present? %>">
+      <% if ENV['DISCORD_INVITE_URL'].present? %>
+        <div class="mb-4 lg:mb-20">
+          <%= link_to ENV['DISCORD_INVITE_URL'], class: "btn btn-ghost btn-sm lg:btn-md" do %>
+            <span class="lg:inline">Join us on Discord</span> <iconify-icon icon="skill-icons:discord" height="20"></iconify-icon>
+          <% end %>
+        </div>
+      <% end %>
       <%= render "static/landing_page/announcement" %>
       <img class="h-[70px]" src="/images/logo-full.webp" alt="Canine">
       <h1 class="mt-10 text-4xl font-bold tracking-tight text-white sm:text-6xl">A Developer-friendly PaaS for your Kubernetes</h1>
diff --git a/public/404.html b/public/404.html
index 0453bd96..cd9d6070 100644
--- a/public/404.html
+++ b/public/404.html
@@ -42,14 +42,6 @@
             </button>
           </div>
 
-          <div class="pt-4">
-            <a href="https://discord.gg/68YthskqEz" target="_blank" class="text-sm hover:underline inline-flex items-center gap-2" style="color: var(--primary);">
-              <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" viewBox="0 0 24 24" fill="currentColor">
-                <path d="M20.317 4.37a19.791 19.791 0 0 0-4.885-1.515a.074.074 0 0 0-.079.037c-.21.375-.444.864-.608 1.25a18.27 18.27 0 0 0-5.487 0a12.64 12.64 0 0 0-.617-1.25a.077.077 0 0 0-.079-.037A19.736 19.736 0 0 0 3.677 4.37a.07.07 0 0 0-.032.027C.533 9.046-.32 13.58.099 18.057a.082.082 0 0 0 .031.057a19.9 19.9 0 0 0 5.993 3.03a.078.078 0 0 0 .084-.028a14.09 14.09 0 0 0 1.226-1.994a.076.076 0 0 0-.041-.106a13.107 13.107 0 0 1-1.872-.892a.077.077 0 0 1-.008-.128a10.2 10.2 0 0 0 .372-.292a.074.074 0 0 1 .077-.01c3.928 1.793 8.18 1.793 12.062 0a.074.074 0 0 1 .078.01c.12.098.246.198.373.292a.077.077 0 0 1-.006.127a12.299 12.299 0 0 1-1.873.892a.077.077 0 0 0-.041.107c.36.698.772 1.362 1.225 1.993a.076.076 0 0 0 .084.028a19.839 19.839 0 0 0 6.002-3.03a.077.077 0 0 0 .032-.054c.5-5.177-.838-9.674-3.549-13.66a.061.061 0 0 0-.031-.03zM8.02 15.33c-1.183 0-2.157-1.085-2.157-2.419c0-1.333.956-2.419 2.157-2.419c1.21 0 2.176 1.096 2.157 2.42c0 1.333-.956 2.418-2.157 2.418zm7.975 0c-1.183 0-2.157-1.085-2.157-2.419c0-1.333.955-2.419 2.157-2.419c1.21 0 2.176 1.096 2.157 2.42c0 1.333-.946 2.418-2.157 2.418z"/>
-              </svg>
-              Need help? Join our Discord
-            </a>
-          </div>
         </div>
 
         <!-- Right side - Illustration -->
diff --git a/public/422.html b/public/422.html
index 373a4871..e53d0e4c 100644
--- a/public/422.html
+++ b/public/422.html
@@ -43,14 +43,6 @@
             </button>
           </div>
 
-          <div class="pt-4">
-            <a href="https://discord.gg/68YthskqEz" target="_blank" class="text-sm hover:underline inline-flex items-center gap-2" style="color: var(--primary);">
-              <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" viewBox="0 0 24 24" fill="currentColor">
-                <path d="M20.317 4.37a19.791 19.791 0 0 0-4.885-1.515a.074.074 0 0 0-.079.037c-.21.375-.444.864-.608 1.25a18.27 18.27 0 0 0-5.487 0a12.64 12.64 0 0 0-.617-1.25a.077.077 0 0 0-.079-.037A19.736 19.736 0 0 0 3.677 4.37a.07.07 0 0 0-.032.027C.533 9.046-.32 13.58.099 18.057a.082.082 0 0 0 .031.057a19.9 19.9 0 0 0 5.993 3.03a.078.078 0 0 0 .084-.028a14.09 14.09 0 0 0 1.226-1.994a.076.076 0 0 0-.041-.106a13.107 13.107 0 0 1-1.872-.892a.077.077 0 0 1-.008-.128a10.2 10.2 0 0 0 .372-.292a.074.074 0 0 1 .077-.01c3.928 1.793 8.18 1.793 12.062 0a.074.074 0 0 1 .078.01c.12.098.246.198.373.292a.077.077 0 0 1-.006.127a12.299 12.299 0 0 1-1.873.892a.077.077 0 0 0-.041.107c.36.698.772 1.362 1.225 1.993a.076.076 0 0 0 .084.028a19.839 19.839 0 0 0 6.002-3.03a.077.077 0 0 0 .032-.054c.5-5.177-.838-9.674-3.549-13.66a.061.061 0 0 0-.031-.03zM8.02 15.33c-1.183 0-2.157-1.085-2.157-2.419c0-1.333.956-2.419 2.157-2.419c1.21 0 2.176 1.096 2.157 2.42c0 1.333-.956 2.418-2.157 2.418zm7.975 0c-1.183 0-2.157-1.085-2.157-2.419c0-1.333.955-2.419 2.157-2.419c1.21 0 2.176 1.096 2.157 2.42c0 1.333-.946 2.418-2.157 2.418z"/>
-              </svg>
-              Need help? Join our Discord
-            </a>
-          </div>
         </div>
 
         <!-- Right side - Illustration -->
diff --git a/public/500.html b/public/500.html
index d0e67f6d..44501ab2 100644
--- a/public/500.html
+++ b/public/500.html
@@ -43,14 +43,6 @@
             </button>
           </div>
 
-          <div class="pt-4">
-            <a href="https://discord.gg/68YthskqEz" target="_blank" class="text-sm hover:underline inline-flex items-center gap-2" style="color: var(--primary);">
-              <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" viewBox="0 0 24 24" fill="currentColor">
-                <path d="M20.317 4.37a19.791 19.791 0 0 0-4.885-1.515a.074.074 0 0 0-.079.037c-.21.375-.444.864-.608 1.25a18.27 18.27 0 0 0-5.487 0a12.64 12.64 0 0 0-.617-1.25a.077.077 0 0 0-.079-.037A19.736 19.736 0 0 0 3.677 4.37a.07.07 0 0 0-.032.027C.533 9.046-.32 13.58.099 18.057a.082.082 0 0 0 .031.057a19.9 19.9 0 0 0 5.993 3.03a.078.078 0 0 0 .084-.028a14.09 14.09 0 0 0 1.226-1.994a.076.076 0 0 0-.041-.106a13.107 13.107 0 0 1-1.872-.892a.077.077 0 0 1-.008-.128a10.2 10.2 0 0 0 .372-.292a.074.074 0 0 1 .077-.01c3.928 1.793 8.18 1.793 12.062 0a.074.074 0 0 1 .078.01c.12.098.246.198.373.292a.077.077 0 0 1-.006.127a12.299 12.299 0 0 1-1.873.892a.077.077 0 0 0-.041.107c.36.698.772 1.362 1.225 1.993a.076.076 0 0 0 .084.028a19.839 19.839 0 0 0 6.002-3.03a.077.077 0 0 0 .032-.054c.5-5.177-.838-9.674-3.549-13.66a.061.061 0 0 0-.031-.03zM8.02 15.33c-1.183 0-2.157-1.085-2.157-2.419c0-1.333.956-2.419 2.157-2.419c1.21 0 2.176 1.096 2.157 2.42c0 1.333-.956 2.418-2.157 2.418zm7.975 0c-1.183 0-2.157-1.085-2.157-2.419c0-1.333.955-2.419 2.157-2.419c1.21 0 2.176 1.096 2.157 2.42c0 1.333-.946 2.418-2.157 2.418z"/>
-              </svg>
-              Need help? Join our Discord
-            </a>
-          </div>
         </div>
 
         <!-- Right side - Illustration -->

From 0c21dc9caf42fddee4b719519a43453a74e804b0 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 11 Dec 2025 14:07:46 -0800
Subject: [PATCH 64/75] handle more healthcheck errors

---
 app/jobs/scheduled/check_health_job.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/jobs/scheduled/check_health_job.rb b/app/jobs/scheduled/check_health_job.rb
index 26878d7c..07f976a0 100644
--- a/app/jobs/scheduled/check_health_job.rb
+++ b/app/jobs/scheduled/check_health_job.rb
@@ -15,7 +15,7 @@ class Scheduled::CheckHealthJob < ApplicationJob
           else
             service.status = :unhealthy
           end
-        rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError, HTTParty::Error, OpenSSL::SSL::SSLError => e
+        rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, Errno::EHOSTUNREACH, SocketError, HTTParty::Error, OpenSSL::SSL::SSLError => e
           Rails.logger.warn("Health check failed for #{service.name}: #{e.class} - #{e.message}")
           service.status = :unhealthy
         end

From 6f702daf5edaf850628c520db7e1b40fb67ec334 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Thu, 11 Dec 2025 15:03:58 -0800
Subject: [PATCH 65/75] use floating ui for coplex dropdowns

---
 .../teams/team_members_search_controller.rb   |  3 ++-
 .../async_search_dropdown_controller.js       |  4 ++--
 .../team_member_search_controller.js          | 16 +++++++++++----
 .../team_resource_search_controller.js        |  6 +++---
 app/javascript/utils/helm_charts/index.js     |  4 ++--
 app/views/accounts/teams/show.html.erb        | 20 +++++++------------
 6 files changed, 28 insertions(+), 25 deletions(-)

diff --git a/app/controllers/accounts/teams/team_members_search_controller.rb b/app/controllers/accounts/teams/team_members_search_controller.rb
index df88087c..e1828963 100644
--- a/app/controllers/accounts/teams/team_members_search_controller.rb
+++ b/app/controllers/accounts/teams/team_members_search_controller.rb
@@ -21,7 +21,8 @@ class Accounts::Teams::TeamMembersSearchController < ApplicationController
         email: user.email,
         name: user.name,
         first_name: user.first_name,
-        last_name: user.last_name
+        last_name: user.last_name,
+        avatar_url: helpers.avatar_path(user, size: 64)
       }
     }
   end
diff --git a/app/javascript/controllers/components/async_search_dropdown_controller.js b/app/javascript/controllers/components/async_search_dropdown_controller.js
index 68389ea9..0b726b19 100644
--- a/app/javascript/controllers/components/async_search_dropdown_controller.js
+++ b/app/javascript/controllers/components/async_search_dropdown_controller.js
@@ -57,7 +57,7 @@ export default class extends Controller {
 
   createDropdown() {
     const dropdown = document.createElement('ul')
-    dropdown.className = 'hidden z-50 menu bg-neutral rounded-box shadow-lg max-h-[300px] overflow-y-auto'
+    dropdown.className = 'hidden z-50 bg-neutral rounded-box shadow-lg max-h-[300px] overflow-y-auto'
     dropdown.style.position = 'absolute'
     dropdown.style.top = '0'
     dropdown.style.left = '0'
@@ -130,7 +130,7 @@ export default class extends Controller {
     }
 
     this.dropdown.innerHTML = results.map((item, index) => `
-      <li class="cursor-pointer hover:bg-base-300 p-2" data-index="${index}">
+      <li class="cursor-pointer p-2 hover:bg-base-300" data-index="${index}">
         ${this.renderItem(item)}
       </li>
     `).join('')
diff --git a/app/javascript/controllers/team_member_search_controller.js b/app/javascript/controllers/team_member_search_controller.js
index a42087fc..f8220d74 100644
--- a/app/javascript/controllers/team_member_search_controller.js
+++ b/app/javascript/controllers/team_member_search_controller.js
@@ -22,11 +22,19 @@ export default class extends AsyncSearchDropdownController {
   }
 
   renderItem(user) {
+    const displayName = user.name || user.first_name || user.email.split('@')[0]
+    const showEmail = user.name || user.first_name
+
     return `
-      <div class="flex items-center gap-2">
-        <div class="flex-1">
-          <div class="font-medium">${this.escapeHtml(user.name || user.email)}</div>
-          ${user.email !== user.name ? `<div class="text-sm text-base-content/60">${this.escapeHtml(user.email)}</div>` : ''}
+      <div class="flex items-center gap-3 px-2 py-2">
+        <div class="avatar">
+          <div class="w-8 h-8 rounded">
+            <img src="${this.escapeHtml(user.avatar_url)}" alt="${this.escapeHtml(displayName)}" />
+          </div>
+        </div>
+        <div class="flex-1 min-w-0">
+          <div class="font-medium truncate">${this.escapeHtml(displayName)}</div>
+          ${showEmail ? `<div class="text-sm text-base-content/60 truncate">${this.escapeHtml(user.email)}</div>` : ''}
         </div>
       </div>
     `
diff --git a/app/javascript/controllers/team_resource_search_controller.js b/app/javascript/controllers/team_resource_search_controller.js
index 45de99b3..b46942c9 100644
--- a/app/javascript/controllers/team_resource_search_controller.js
+++ b/app/javascript/controllers/team_resource_search_controller.js
@@ -25,9 +25,9 @@ export default class extends AsyncSearchDropdownController {
 
   renderItem(resource) {
     return `
-      <div class="flex items-center gap-2">
-        <div class="flex-1">
-          <div class="font-medium">${this.escapeHtml(resource.name)}</div>
+      <div class="flex items-center gap-3 px-2 py-2">
+        <div class="flex-1 min-w-0">
+          <div class="font-medium truncate">${this.escapeHtml(resource.name)}</div>
         </div>
       </div>
     `
diff --git a/app/javascript/utils/helm_charts/index.js b/app/javascript/utils/helm_charts/index.js
index c48a6498..b87f9cc0 100644
--- a/app/javascript/utils/helm_charts/index.js
+++ b/app/javascript/utils/helm_charts/index.js
@@ -23,7 +23,7 @@ export async function getDefaultValues(
 export function helmChartHeader(packageData) {
   const logoImageUrl = getLogoImageUrl(packageData);
   return `
-      <div class="flex items-center gap-4">
+      <div class="flex items-center gap-4 max-w-lg">
         <img src="${logoImageUrl}" alt="${packageData.name}" class="h-16 w-16">
         <div class="flex-1">
           <div class="flex items-center justify-between mb-1">
@@ -41,7 +41,7 @@ export function helmChartHeader(packageData) {
                 ${packageData.stars}
               </span>` : ''}
           </div>
-          <p class="text-sm text-base-content/70 mb-2">${packageData.description}</p>
+          <p class="text-sm text-base-content/70 mb-2 line-clamp-2">${packageData.description}</p>
           <div class="flex gap-4 text-xs text-base-content/70">
             <div class="flex items-center gap-1">
               <iconify-icon icon="lucide:globe"></iconify-icon>
diff --git a/app/views/accounts/teams/show.html.erb b/app/views/accounts/teams/show.html.erb
index 44f27718..c416c4e9 100644
--- a/app/views/accounts/teams/show.html.erb
+++ b/app/views/accounts/teams/show.html.erb
@@ -3,22 +3,16 @@
   <%= turbo_stream_from [:team_memberships, @team] %>
 
   <div>
-    <div class="breadcrumbs text-sm mb-4">
-      <ul>
-        <li>
-          <%= link_to teams_path, class: "inline-flex items-center gap-1" do %>
-            <iconify-icon icon="lucide:users" height="14"></iconify-icon>
-            Teams
-          <% end %>
-        </li>
-        <li><%= @team.name %></li>
-      </ul>
-    </div>
-
     <div class="mb-6">
       <div class="flex justify-between items-start">
         <div>
-          <h2 class="text-2xl font-bold"><%= @team.name %></h2>
+          <h2 class="text-2xl font-bold flex items-center gap-2">
+            <%= link_to teams_path, class: "text-base-content/60 hover:text-base-content" do %>
+              Teams
+            <% end %>
+            <span class="text-base-content/40">/</span>
+            <%= @team.name %>
+          </h2>
           <div class="flex text-sm">
             <div class="flex items-center gap-1">
               <iconify-icon icon="lucide:building"></iconify-icon>

From d302172904345c7f85c99d5568a9e1afbc213987 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 12 Dec 2025 12:59:47 -0800
Subject: [PATCH 66/75] added oidc impementation

---
 .../sso_providers/build_sso_configuration.rb  |   9 +-
 app/avo/resources/oidc_configuration.rb       |  20 ++
 app/controllers/accounts/oidc_controller.rb   | 111 ++++++++++
 .../accounts/sso_providers_controller.rb      |  50 ++++-
 .../avo/oidc_configurations_controller.rb     |   4 +
 app/controllers/users/sessions_controller.rb  |   6 +
 app/models/oidc_configuration.rb              |  36 ++++
 app/models/sso_provider.rb                    |   4 +
 app/services/oidc/authenticator.rb            | 147 ++++++++++++++
 .../accounts/sso_providers/edit.html.erb      |  61 +++---
 .../sso_providers/ldap/_form_fields.html.erb  | 192 +++++++++---------
 app/views/accounts/sso_providers/new.html.erb |  70 ++++---
 .../sso_providers/oidc/_form_fields.html.erb  | 121 +++++++++++
 .../oidc/_redirect_uri_info.html.erb          |   8 +
 .../accounts/sso_providers/show.html.erb      |  63 ++++--
 app/views/devise/sessions/oidc.html.erb       |  40 ++++
 config/initializers/inflections.rb            |   1 +
 config/routes.rb                              |   4 +
 ...251211151950_create_oidc_configurations.rb |  19 ++
 db/schema.rb                                  |  18 +-
 docker-compose.yml                            |  14 +-
 install/portainer/docker-compose.yml          |  14 +-
 spec/factories/oidc_configurations.rb         |  34 ++++
 spec/models/oidc_configuration_spec.rb        |  64 ++++++
 spec/models/provider_spec.rb                  |  27 +++
 25 files changed, 953 insertions(+), 184 deletions(-)
 create mode 100644 app/avo/resources/oidc_configuration.rb
 create mode 100644 app/controllers/accounts/oidc_controller.rb
 create mode 100644 app/controllers/avo/oidc_configurations_controller.rb
 create mode 100644 app/models/oidc_configuration.rb
 create mode 100644 app/services/oidc/authenticator.rb
 create mode 100644 app/views/accounts/sso_providers/oidc/_form_fields.html.erb
 create mode 100644 app/views/accounts/sso_providers/oidc/_redirect_uri_info.html.erb
 create mode 100644 app/views/devise/sessions/oidc.html.erb
 create mode 100644 db/migrate/20251211151950_create_oidc_configurations.rb
 create mode 100644 spec/factories/oidc_configurations.rb
 create mode 100644 spec/models/oidc_configuration_spec.rb

diff --git a/app/actions/sso_providers/build_sso_configuration.rb b/app/actions/sso_providers/build_sso_configuration.rb
index 0a1eb602..985d2f1e 100644
--- a/app/actions/sso_providers/build_sso_configuration.rb
+++ b/app/actions/sso_providers/build_sso_configuration.rb
@@ -7,7 +7,14 @@ module SSOProviders
     promises :configuration
 
     executed do |context|
-      context.configuration = LDAPConfiguration.new(context.configuration_params)
+      context.configuration = case context.provider_type
+      when "ldap"
+        LDAPConfiguration.new(context.configuration_params)
+      when "oidc"
+        OIDCConfiguration.new(context.configuration_params)
+      else
+        context.fail_and_return!("Unknown provider type: #{context.provider_type}")
+      end
     end
   end
 end
diff --git a/app/avo/resources/oidc_configuration.rb b/app/avo/resources/oidc_configuration.rb
new file mode 100644
index 00000000..3a4d2cb7
--- /dev/null
+++ b/app/avo/resources/oidc_configuration.rb
@@ -0,0 +1,20 @@
+class Avo::Resources::OIDCConfiguration < Avo::BaseResource
+  self.includes = []
+
+  def fields
+    field :id, as: :id
+    field :issuer, as: :text, required: true, help: "OIDC provider issuer URL (e.g., https://auth.example.com)"
+    field :client_id, as: :text, required: true, help: "OAuth 2.0 client ID"
+    field :client_secret, as: :password, required: true, help: "OAuth 2.0 client secret"
+    field :authorization_endpoint, as: :text, help: "Authorization endpoint URL (leave blank to use discovery)"
+    field :token_endpoint, as: :text, help: "Token endpoint URL (leave blank to use discovery)"
+    field :userinfo_endpoint, as: :text, help: "UserInfo endpoint URL (leave blank to use discovery)"
+    field :jwks_uri, as: :text, help: "JWKS URI for token verification (leave blank to use discovery)"
+    field :scopes, as: :text, help: "Space-separated scopes to request", default: "openid email profile"
+    field :uid_claim, as: :text, required: true, help: "Claim to use as user identifier", default: "sub"
+    field :email_claim, as: :text, help: "Claim for email address", default: "email"
+    field :name_claim, as: :text, help: "Claim for full name", default: "name"
+
+    field :sso_provider, as: :has_one
+  end
+end
diff --git a/app/controllers/accounts/oidc_controller.rb b/app/controllers/accounts/oidc_controller.rb
new file mode 100644
index 00000000..9cd2501d
--- /dev/null
+++ b/app/controllers/accounts/oidc_controller.rb
@@ -0,0 +1,111 @@
+module Accounts
+  class OIDCController < ApplicationController
+    skip_before_action :authenticate_user!
+    before_action :load_account
+
+    def authorize
+      oidc_config = @account.sso_provider&.configuration
+      unless oidc_config.is_a?(OIDCConfiguration)
+        redirect_to account_sign_in_path(@account.slug), alert: "OIDC is not configured for this account"
+        return
+      end
+
+      # Store state in session for CSRF protection
+      state = SecureRandom.hex(32)
+      session[:oidc_state] = state
+
+      # Build authorization URL
+      auth_url = build_authorization_url(oidc_config, state)
+      redirect_to auth_url, allow_other_host: true
+    end
+
+    def callback
+      # Verify state for CSRF protection
+      unless params[:state].present? && params[:state] == session[:oidc_state]
+        redirect_to root_path, alert: "Invalid state parameter"
+        return
+      end
+
+      oidc_config = @account.sso_provider&.configuration
+
+      unless oidc_config.is_a?(OIDCConfiguration)
+        redirect_to root_path, alert: "OIDC is not configured"
+        return
+      end
+
+      if params[:error].present?
+        redirect_to account_sign_in_path(@account.slug), alert: "Authentication failed: #{params[:error_description] || params[:error]}"
+        return
+      end
+
+      # Exchange code for tokens
+      result = OIDC::Authenticator.new(oidc_config).authenticate(
+        code: params[:code],
+        redirect_uri: oidc_callback_url(slug: @account.slug)
+      )
+
+      unless result.success?
+        redirect_to account_sign_in_path(@account.slug), alert: result.error_message
+        return
+      end
+
+      # Create or find user
+      sso_provider = @account.sso_provider
+      if sso_provider.just_in_time_team_provisioning_mode?
+        ar_result = ActiveRecord::Base.transaction do
+          SSO::SyncUserTeams.call(result.email, result.groups || [], @account)
+        end
+      else
+        ar_result = SSO::CreateUserInAccount.execute(
+          email: result.email,
+          account: @account
+        )
+      end
+
+      if ar_result.failure?
+        redirect_to account_sign_in_path(@account.slug), alert: "Failed to create user account"
+        return
+      end
+
+      # Clear session state
+      session.delete(:oidc_state)
+
+      # Sign in user
+      sign_in(ar_result.user)
+      session[:account_id] = @account.id
+      redirect_to after_sign_in_path_for(ar_result.user), notice: "Signed in successfully"
+    end
+
+    private
+
+    def load_account
+      @account = Account.friendly.find(params[:slug])
+    rescue ActiveRecord::RecordNotFound
+      redirect_to root_path, alert: "Account not found"
+    end
+
+    def build_authorization_url(oidc_config, state)
+      params = {
+        response_type: "code",
+        client_id: oidc_config.client_id,
+        redirect_uri: oidc_callback_url(slug: @account.slug),
+        scope: oidc_config.scopes,
+        state: state
+      }
+
+      auth_endpoint = oidc_config.authorization_endpoint.presence || discover_authorization_endpoint(oidc_config)
+      "#{auth_endpoint}?#{params.to_query}"
+    end
+
+    def discover_authorization_endpoint(oidc_config)
+      # Fetch from OIDC discovery document
+      discovery_url = oidc_config.discovery_url
+      response = HTTP.get(discovery_url)
+      if response.status.success?
+        JSON.parse(response.body.to_s)["authorization_endpoint"]
+      else
+        raise "Failed to discover OIDC endpoints"
+      end
+    end
+  end
+end
diff --git a/app/controllers/accounts/sso_providers_controller.rb b/app/controllers/accounts/sso_providers_controller.rb
index b2b39dff..de0b2e96 100644
--- a/app/controllers/accounts/sso_providers_controller.rb
+++ b/app/controllers/accounts/sso_providers_controller.rb
@@ -6,23 +6,29 @@ module Accounts
     end
 
     def new
+      @provider_type = params[:provider_type] || "ldap"
       @sso_provider = current_account.build_sso_provider
       @ldap_configuration = LDAPConfiguration.new
+      @oidc_configuration = OIDCConfiguration.new
     end
 
     def create
+      provider_type = params[:provider_type] || "ldap"
+
       result = SSOProviders::Create.call(
         account: current_account,
         sso_provider_params: sso_provider_params,
-        configuration_params: ldap_configuration_params,
-        provider_type: "ldap"
+        configuration_params: configuration_params_for(provider_type),
+        provider_type: provider_type
       )
 
       if result.success?
         redirect_to sso_provider_path, notice: "SSO provider created successfully"
       else
+        @provider_type = provider_type
         @sso_provider = result.sso_provider
-        @ldap_configuration = result.configuration
+        @ldap_configuration = provider_type == "ldap" ? result.configuration : LDAPConfiguration.new
+        @oidc_configuration = provider_type == "oidc" ? result.configuration : OIDCConfiguration.new
         render :new, status: :unprocessable_entity
       end
     end
@@ -30,22 +36,27 @@ module Accounts
     def edit
       @sso_provider = current_account.sso_provider
       redirect_to new_sso_provider_path, alert: "No SSO provider configured" unless @sso_provider
-      @ldap_configuration = @sso_provider&.configuration
+      @provider_type = @sso_provider&.oidc? ? "oidc" : "ldap"
+      @ldap_configuration = @sso_provider&.ldap? ? @sso_provider.configuration : LDAPConfiguration.new
+      @oidc_configuration = @sso_provider&.oidc? ? @sso_provider.configuration : OIDCConfiguration.new
     end
 
     def update
       @sso_provider = current_account.sso_provider
+      provider_type = @sso_provider.oidc? ? "oidc" : "ldap"
 
       result = SSOProviders::Update.call(
         sso_provider: @sso_provider,
         sso_provider_params: sso_provider_params,
-        configuration_params: ldap_configuration_params
+        configuration_params: configuration_params_for(provider_type)
       )
 
       if result.success?
         redirect_to sso_provider_path, notice: "SSO provider updated successfully"
       else
-        @ldap_configuration = @sso_provider.configuration
+        @provider_type = provider_type
+        @ldap_configuration = @sso_provider.ldap? ? @sso_provider.configuration : LDAPConfiguration.new
+        @oidc_configuration = @sso_provider.oidc? ? @sso_provider.configuration : OIDCConfiguration.new
         render :edit, status: :unprocessable_entity
       end
     end
@@ -84,6 +95,17 @@ module Accounts
       params.require(:sso_provider).permit(:name, :enabled, :team_provisioning_mode)
     end
 
+    def configuration_params_for(provider_type)
+      case provider_type
+      when "ldap"
+        ldap_configuration_params
+      when "oidc"
+        oidc_configuration_params
+      else
+        {}
+      end
+    end
+
     def ldap_configuration_params
       params.require(:ldap_configuration).permit(
         :host,
@@ -98,5 +120,21 @@ module Accounts
         :encryption
       )
     end
+
+    def oidc_configuration_params
+      params.require(:oidc_configuration).permit(
+        :issuer,
+        :client_id,
+        :client_secret,
+        :authorization_endpoint,
+        :token_endpoint,
+        :userinfo_endpoint,
+        :jwks_uri,
+        :scopes,
+        :uid_claim,
+        :email_claim,
+        :name_claim
+      )
+    end
   end
 end
diff --git a/app/controllers/avo/oidc_configurations_controller.rb b/app/controllers/avo/oidc_configurations_controller.rb
new file mode 100644
index 00000000..08b8968b
--- /dev/null
+++ b/app/controllers/avo/oidc_configurations_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/3.0/controllers.html
+class Avo::OIDCConfigurationsController < Avo::ResourcesController
+end
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index a881a9b1..b1848487 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -36,8 +36,11 @@ class Users::SessionsController < Devise::SessionsController
     self.resource = resource_class.new(sign_in_params)
     clean_up_passwords(resource)
     @sso_provider = @account.sso_provider if @account.sso_enabled?
+
     if @account.sso_provider&.ldap?
       render "devise/sessions/ldap"
+    elsif @account.sso_provider&.oidc?
+      render "devise/sessions/oidc"
     else
       render :new
     end
@@ -59,6 +62,9 @@ class Users::SessionsController < Devise::SessionsController
         clean_up_passwords(self.resource)
         render "devise/sessions/ldap"
       end
+    elsif @account.sso_provider&.oidc?
+      # OIDC uses a redirect flow, so this shouldn't be called directly
+      redirect_to account_sign_in_path(@account.slug)
     else
       redirect_to new_user_session_path
     end
diff --git a/app/models/oidc_configuration.rb b/app/models/oidc_configuration.rb
new file mode 100644
index 00000000..65bdc47d
--- /dev/null
+++ b/app/models/oidc_configuration.rb
@@ -0,0 +1,36 @@
+# == Schema Information
+#
+# Table name: oidc_configurations
+#
+#  id                     :bigint           not null, primary key
+#  issuer                 :string           not null
+#  client_id              :string           not null
+#  client_secret          :string           not null
+#  authorization_endpoint :string
+#  token_endpoint         :string
+#  userinfo_endpoint      :string
+#  jwks_uri               :string
+#  scopes                 :string           default("openid email profile")
+#  uid_claim              :string           default("sub"), not null
+#  email_claim            :string           default("email")
+#  name_claim             :string           default("name")
+#  created_at             :datetime         not null
+#  updated_at             :datetime         not null
+#
+class OIDCConfiguration < ApplicationRecord
+  has_one :sso_provider, as: :configuration, dependent: :destroy
+  has_one :account, through: :sso_provider
+
+  validates :issuer, presence: true
+  validates :client_id, presence: true
+  validates :client_secret, presence: true
+  validates :uid_claim, presence: true
+
+  def discovery_url
+    "#{issuer.chomp('/')}/.well-known/openid-configuration"
+  end
+
+  def uses_discovery?
+    authorization_endpoint.blank? && token_endpoint.blank?
+  end
+end
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index 51311213..ed1cbfac 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -36,4 +36,8 @@ class SSOProvider < ApplicationRecord
   def ldap?
     configuration_type == "LDAPConfiguration"
   end
+
+  def oidc?
+    configuration_type == "OIDCConfiguration"
+  end
 end
diff --git a/app/services/oidc/authenticator.rb b/app/services/oidc/authenticator.rb
new file mode 100644
index 00000000..40bd09f3
--- /dev/null
+++ b/app/services/oidc/authenticator.rb
@@ -0,0 +1,147 @@
+# app/services/oidc/authenticator.rb
+module OIDC
+  class Authenticator
+    Result = Struct.new(
+      :success?,
+      :email,
+      :name,
+      :uid,
+      :groups,
+      :id_token,
+      :access_token,
+      :error_message,
+      keyword_init: true
+    )
+
+    def initialize(oidc_configuration, logger: Rails.logger)
+      @config = oidc_configuration
+      @logger = logger
+      @discovery_cache = nil
+    end
+
+    def authenticate(code:, redirect_uri:)
+      # Exchange authorization code for tokens
+      token_result = exchange_code_for_tokens(code, redirect_uri)
+      return token_result if token_result.failure?
+
+      # Parse and validate ID token claims
+      claims = extract_claims(token_result.id_token, token_result.access_token)
+      return claims if claims.is_a?(Result) && claims.failure?
+
+      email = claims[config.email_claim] || claims["email"]
+      name = claims[config.name_claim] || claims["name"]
+      uid = claims[config.uid_claim] || claims["sub"]
+
+      if email.blank?
+        return Result.new(success?: false, error_message: "Email claim not found in token")
+      end
+
+      Result.new(
+        success?: true,
+        email: email,
+        name: name,
+        uid: uid,
+        groups: extract_groups(claims),
+        id_token: token_result.id_token,
+        access_token: token_result.access_token,
+        error_message: nil
+      )
+    rescue => e
+      @logger.error "OIDC auth: unexpected error - #{e.class}: #{e.message}"
+      Result.new(success?: false, error_message: e.message)
+    end
+
+    private
+
+    attr_reader :config, :logger
+
+    def exchange_code_for_tokens(code, redirect_uri)
+      token_endpoint = config.token_endpoint.presence || discover_endpoint("token_endpoint")
+
+      response = HTTP.post(token_endpoint, form: {
+        grant_type: "authorization_code",
+        code: code,
+        redirect_uri: redirect_uri,
+        client_id: config.client_id,
+        client_secret: config.client_secret
+      })
+
+      unless response.status.success?
+        error_body = JSON.parse(response.body.to_s) rescue {}
+        error_msg = error_body["error_description"] || error_body["error"] || "Token exchange failed"
+        return Result.new(success?: false, error_message: error_msg)
+      end
+
+      token_data = JSON.parse(response.body.to_s)
+
+      OpenStruct.new(
+        success?: true,
+        id_token: token_data["id_token"],
+        access_token: token_data["access_token"],
+        refresh_token: token_data["refresh_token"]
+      )
+    rescue HTTP::Error => e
+      Result.new(success?: false, error_message: "Failed to exchange code: #{e.message}")
+    end
+
+    def extract_claims(id_token, access_token)
+      if id_token.present?
+        # Decode JWT without verification for now (verification should be added for production)
+        # The ID token contains the user claims
+        payload = decode_jwt(id_token)
+        return payload if payload.is_a?(Result)
+        payload
+      elsif access_token.present?
+        # Fallback to userinfo endpoint
+        fetch_userinfo(access_token)
+      else
+        Result.new(success?: false, error_message: "No tokens received")
+      end
+    end
+
+    def decode_jwt(token)
+      # Simple JWT decode (without signature verification - should add JWKS verification for production)
+      parts = token.split(".")
+      return Result.new(success?: false, error_message: "Invalid JWT format") if parts.length < 2
+
+      payload = Base64.urlsafe_decode64(parts[1] + "=" * (4 - parts[1].length % 4))
+      JSON.parse(payload)
+    rescue => e
+      Result.new(success?: false, error_message: "Failed to decode JWT: #{e.message}")
+    end
+
+    def fetch_userinfo(access_token)
+      userinfo_endpoint = config.userinfo_endpoint.presence || discover_endpoint("userinfo_endpoint")
+
+      response = HTTP.auth("Bearer #{access_token}").get(userinfo_endpoint)
+
+      unless response.status.success?
+        return Result.new(success?: false, error_message: "Failed to fetch user info")
+      end
+
+      JSON.parse(response.body.to_s)
+    rescue => e
+      Result.new(success?: false, error_message: "Failed to fetch user info: #{e.message}")
+    end
+
+    def extract_groups(claims)
+      # Common group claims from various OIDC providers
+      groups = claims["groups"] || claims["roles"] || claims["cognito:groups"] || []
+      groups = [ groups ] unless groups.is_a?(Array)
+      groups.map { |g| { name: g.to_s } }
+    end
+
+    def discover_endpoint(endpoint_name)
+      discovery_doc[endpoint_name]
+    end
+
+    def discovery_doc
+      return @discovery_cache if @discovery_cache
+
+      response = HTTP.get(config.discovery_url)
+      raise "Failed to fetch OIDC discovery document" unless response.status.success?
+
+      @discovery_cache = JSON.parse(response.body.to_s)
+    end
+  end
+end
diff --git a/app/views/accounts/sso_providers/edit.html.erb b/app/views/accounts/sso_providers/edit.html.erb
index 5ff26094..130bebc1 100644
--- a/app/views/accounts/sso_providers/edit.html.erb
+++ b/app/views/accounts/sso_providers/edit.html.erb
@@ -5,42 +5,49 @@
     </div>
 
     <div class="text-sm text-gray-500 mt-2 mb-4">
-      Update your LDAP provider configuration.
+      <% if @provider_type == "oidc" %>
+        Update your OIDC provider configuration.
+      <% else %>
+        Update your LDAP provider configuration.
+      <% end %>
     </div>
 
     <%= form_with model: @sso_provider, url: sso_provider_path do |form| %>
       <%= render "shared/error_messages", resource: form.object %>
 
-      <div class="form-control mt-4 w-full max-w-sm">
-        <label class="label">
-          <span class="label-text">Provider Name</span>
-        </label>
-        <%= form.text_field :name, class: "input input-bordered", required: true, placeholder: "e.g., Company SSO" %>
-        <label class="label">
-          <span class="label-text-alt">A friendly name for this SSO provider</span>
-        </label>
-      </div>
+      <div class="space-y-8">
+        <%= render(FormFieldComponent.new(
+          label: "Provider Name",
+          description: "A friendly name for this SSO provider"
+        )) do %>
+          <%= form.text_field :name, class: "input input-bordered w-full", required: true, placeholder: "e.g., Company SSO" %>
+          <label class="label">
+            <span class="label-text-alt">* Required</span>
+          </label>
+        <% end %>
 
-      <div class="form-control mt-1 w-full max-w-sm">
-        <label class="label cursor-pointer justify-start gap-2">
+        <%= render(FormFieldComponent.new(
+          label: "Enabled",
+          description: "Enable or disable this SSO provider"
+        )) do %>
           <%= form.check_box :enabled, class: "checkbox checkbox-primary" %>
-          <span class="label-text">Enable this provider</span>
-        </label>
+        <% end %>
+
+        <%= render(FormFieldComponent.new(
+          label: "Team Provisioning Mode",
+          description: "How teams are provisioned for SSO users"
+        )) do %>
+          <%= form.select :team_provisioning_mode, SSOProvider.team_provisioning_modes.keys.map { |k| [k.titleize, k] }, {}, class: "select select-bordered w-full" %>
+        <% end %>
       </div>
 
-      <div class="form-control mt-4 w-full max-w-sm">
-        <label class="label">
-          <span class="label-text">Team Provisioning Mode</span>
-        </label>
-        <%= form.select :team_provisioning_mode, SSOProvider.team_provisioning_modes.keys.map { |k| [k.titleize, k] }, {}, class: "select select-bordered" %>
-        <label class="label">
-          <span class="label-text-alt">How teams are provisioned for SSO users</span>
-        </label>
-      </div>
-
-      <div class="divider">LDAP Configuration</div>
-
-      <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
+      <% if @provider_type == "oidc" %>
+        <div class="divider">OIDC Configuration</div>
+        <%= render "accounts/sso_providers/oidc/form_fields", oidc_configuration: @oidc_configuration %>
+      <% else %>
+        <div class="divider">LDAP Configuration</div>
+        <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
+      <% end %>
 
       <div class="form-footer mt-6">
         <%= form.submit "Update Provider", class: "btn btn-primary" %>
diff --git a/app/views/accounts/sso_providers/ldap/_form_fields.html.erb b/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
index 306f60f6..64b84e91 100644
--- a/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
+++ b/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
@@ -1,114 +1,110 @@
 <%= fields_for :ldap_configuration, ldap_configuration do |ldap_form| %>
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Host <span class="text-error">*</span></span>
-    </label>
-    <%= ldap_form.text_field :host, class: "input input-bordered", required: true, placeholder: "ldap.example.com" %>
-    <label class="label">
-      <span class="label-text-alt">LDAP server hostname or IP address</span>
-    </label>
+  <div class="space-y-8">
+    <%= render(FormFieldComponent.new(
+      label: "Host",
+      description: "LDAP server hostname or IP address"
+    )) do %>
+      <%= ldap_form.text_field :host, class: "input input-bordered w-full", required: true, placeholder: "ldap.example.com" %>
+      <label class="label">
+        <span class="label-text-alt">* Required</span>
+      </label>
+    <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Port",
+      description: "LDAP server port"
+    )) do %>
+      <%= ldap_form.number_field :port, class: "input input-bordered w-full", required: true, placeholder: "389" %>
+      <label class="label">
+        <span class="label-text-alt">Default: 389 (LDAP), 636 (LDAPS)</span>
+      </label>
+    <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Base DN",
+      description: "Base Distinguished Name for user searches"
+    )) do %>
+      <%= ldap_form.text_field :base_dn, class: "input input-bordered w-full", required: true, placeholder: "dc=example,dc=com" %>
+      <label class="label">
+        <span class="label-text-alt">* Required</span>
+      </label>
+    <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Encryption",
+      description: "Connection encryption method"
+    )) do %>
+      <%= ldap_form.select :encryption,
+          LDAPConfiguration.encryptions.keys.map { |key| [key.titleize, key] },
+          {},
+          class: "select select-bordered w-full" %>
+    <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Bind DN",
+      description: "Service account DN for LDAP searches"
+    )) do %>
+      <%= ldap_form.text_field :bind_dn, class: "input input-bordered w-full", placeholder: "cn=admin,dc=example,dc=com" %>
+      <label class="label">
+        <span class="label-text-alt">Leave empty for anonymous bind</span>
+      </label>
+    <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Bind Password",
+      description: "Password for the bind DN"
+    )) do %>
+      <%= ldap_form.password_field :bind_password, class: "input input-bordered w-full" %>
+    <% end %>
   </div>
 
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Port <span class="text-error">*</span></span>
-    </label>
-    <%= ldap_form.number_field :port, class: "input input-bordered", required: true, placeholder: "389" %>
-    <label class="label">
-      <span class="label-text-alt">Default: 389 (LDAP), 636 (LDAPS)</span>
-    </label>
-  </div>
-
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Base DN <span class="text-error">*</span></span>
-    </label>
-    <%= ldap_form.text_field :base_dn, class: "input input-bordered", required: true, placeholder: "dc=example,dc=com" %>
-    <label class="label">
-      <span class="label-text-alt">Base Distinguished Name for user searches</span>
-    </label>
-  </div>
-
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Encryption</span>
-    </label>
-    <%= ldap_form.select :encryption,
-        LDAPConfiguration.encryptions.keys.map { |key| [key.titleize, key] },
-        {},
-        class: "select select-bordered" %>
-    <label class="label">
-      <span class="label-text-alt">Connection encryption method</span>
-    </label>
-  </div>
-
-  <div class="divider">Bind Credentials (Optional)</div>
-
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Bind DN</span>
-    </label>
-    <%= ldap_form.text_field :bind_dn, class: "input input-bordered", placeholder: "cn=admin,dc=example,dc=com" %>
-    <label class="label">
-      <span class="label-text-alt">Leave empty for anonymous bind</span>
-    </label>
-  </div>
-
-  <div class="form-control mt-1 w-full max-w-sm">
-    <label class="label">
-      <span class="label-text">Bind Password</span>
-    </label>
-    <%= ldap_form.password_field :bind_password, class: "input input-bordered" %>
-  </div>
-
-  <details class="collapse collapse-arrow bg-base-200 mt-4 max-w-sm">
+  <details class="collapse collapse-arrow bg-base-200 mt-8">
     <summary class="collapse-title font-medium">
       Advanced Settings (Optional)
     </summary>
-    <div class="collapse-content space-y-4">
-      <div class="form-control mt-1 w-full">
-        <label class="label">
-          <span class="label-text">UID Attribute</span>
-        </label>
-        <%= ldap_form.text_field :uid_attribute, class: "input input-bordered", placeholder: "uid" %>
-        <label class="label">
-          <span class="label-text-alt">Attribute used for username (default: uid)</span>
-        </label>
-      </div>
+    <div class="collapse-content">
+      <div class="space-y-8 mt-4">
+        <%= render(FormFieldComponent.new(
+          label: "UID Attribute",
+          description: "Attribute used for username"
+        )) do %>
+          <%= ldap_form.text_field :uid_attribute, class: "input input-bordered w-full", placeholder: "uid" %>
+          <label class="label">
+            <span class="label-text-alt">Default: uid</span>
+          </label>
+        <% end %>
 
-      <div class="form-control mt-1 w-full">
-        <label class="label">
-          <span class="label-text">Email Attribute</span>
-        </label>
-        <%= ldap_form.text_field :email_attribute, class: "input input-bordered", placeholder: "mail" %>
-        <label class="label">
-          <span class="label-text-alt">Attribute used for email (default: mail)</span>
-        </label>
-      </div>
+        <%= render(FormFieldComponent.new(
+          label: "Email Attribute",
+          description: "Attribute used for email address"
+        )) do %>
+          <%= ldap_form.text_field :email_attribute, class: "input input-bordered w-full", placeholder: "mail" %>
+          <label class="label">
+            <span class="label-text-alt">Default: mail</span>
+          </label>
+        <% end %>
 
-      <div class="form-control mt-1 w-full">
-        <label class="label">
-          <span class="label-text">Name Attribute</span>
-        </label>
-        <%= ldap_form.text_field :name_attribute, class: "input input-bordered", placeholder: "cn" %>
-        <label class="label">
-          <span class="label-text-alt">Attribute used for display name (default: cn)</span>
-        </label>
-      </div>
+        <%= render(FormFieldComponent.new(
+          label: "Name Attribute",
+          description: "Attribute used for display name"
+        )) do %>
+          <%= ldap_form.text_field :name_attribute, class: "input input-bordered w-full", placeholder: "cn" %>
+          <label class="label">
+            <span class="label-text-alt">Default: cn</span>
+          </label>
+        <% end %>
 
-      <div class="form-control mt-1 w-full">
-        <label class="label">
-          <span class="label-text">Filter</span>
-        </label>
-        <%= ldap_form.text_field :filter, class: "input input-bordered", placeholder: "(objectClass=person)" %>
-        <label class="label">
-          <span class="label-text-alt">Additional LDAP filter for user searches</span>
-        </label>
+        <%= render(FormFieldComponent.new(
+          label: "Filter",
+          description: "Additional LDAP filter for user searches"
+        )) do %>
+          <%= ldap_form.text_field :filter, class: "input input-bordered w-full", placeholder: "(objectClass=person)" %>
+        <% end %>
       </div>
     </div>
   </details>
 
-  <div class="mt-6 mb-4" data-controller="ldap-test-connection">
+  <div class="mt-8" data-controller="ldap-test-connection">
     <button type="button"
             class="btn btn-outline btn-sm"
             data-action="click->ldap-test-connection#test"
diff --git a/app/views/accounts/sso_providers/new.html.erb b/app/views/accounts/sso_providers/new.html.erb
index 6c53583c..6d0a3d47 100644
--- a/app/views/accounts/sso_providers/new.html.erb
+++ b/app/views/accounts/sso_providers/new.html.erb
@@ -1,46 +1,58 @@
 <%= settings_layout do %>
   <%= turbo_frame_tag "sso_provider" do %>
     <div class="font-lg font-bold mt-4">
-      Add LDAP Provider
+      Add <%= @provider_type == "oidc" ? "OIDC" : "LDAP" %> Provider
     </div>
 
     <div class="text-sm text-gray-500 mt-2 mb-4">
-      Configure an LDAP directory for SSO authentication. This will allow users to sign in using their LDAP credentials.
+      <% if @provider_type == "oidc" %>
+        Configure an OpenID Connect provider for SSO authentication. This will allow users to sign in using your identity provider.
+      <% else %>
+        Configure an LDAP directory for SSO authentication. This will allow users to sign in using their LDAP credentials.
+      <% end %>
     </div>
 
-    <%= form_with model: @sso_provider, url: sso_provider_path do |form| %>
+    <div class="tabs tabs-boxed mb-4 max-w-sm">
+      <%= link_to "LDAP", new_sso_provider_path(provider_type: "ldap"), class: "tab #{@provider_type == 'ldap' ? 'tab-active' : ''}" %>
+      <%= link_to "OIDC", new_sso_provider_path(provider_type: "oidc"), class: "tab #{@provider_type == 'oidc' ? 'tab-active' : ''}" %>
+    </div>
+
+    <%= form_with model: @sso_provider, url: sso_provider_path(provider_type: @provider_type) do |form| %>
       <%= render "shared/error_messages", resource: form.object %>
 
-      <div class="form-control mt-4 w-full max-w-sm">
-        <label class="label">
-          <span class="label-text">Provider Name</span>
-        </label>
-        <%= form.text_field :name, class: "input input-bordered", required: true, placeholder: "e.g., Company SSO" %>
-        <label class="label">
-          <span class="label-text-alt">A friendly name for this SSO provider</span>
-        </label>
-      </div>
+      <div class="space-y-8">
+        <%= render(FormFieldComponent.new(
+          label: "Provider Name",
+          description: "A friendly name for this SSO provider"
+        )) do %>
+          <%= form.text_field :name, class: "input input-bordered w-full", required: true, placeholder: "e.g., Company SSO" %>
+          <label class="label">
+            <span class="label-text-alt">* Required</span>
+          </label>
+        <% end %>
 
-      <div class="form-control mt-1 w-full max-w-sm">
-        <label class="label cursor-pointer justify-start gap-2">
+        <%= render(FormFieldComponent.new(
+          label: "Enabled",
+          description: "Enable or disable this SSO provider"
+        )) do %>
           <%= form.check_box :enabled, class: "checkbox checkbox-primary" %>
-          <span class="label-text">Enable this provider</span>
-        </label>
+        <% end %>
+
+        <%= render(FormFieldComponent.new(
+          label: "Team Provisioning Mode",
+          description: "How teams are provisioned for SSO users"
+        )) do %>
+          <%= form.select :team_provisioning_mode, SSOProvider.team_provisioning_modes.keys.map { |k| [k.titleize, k] }, {}, class: "select select-bordered w-full" %>
+        <% end %>
       </div>
 
-      <div class="form-control mt-4 w-full max-w-sm">
-        <label class="label">
-          <span class="label-text">Team Provisioning Mode</span>
-        </label>
-        <%= form.select :team_provisioning_mode, SSOProvider.team_provisioning_modes.keys.map { |k| [k.titleize, k] }, {}, class: "select select-bordered" %>
-        <label class="label">
-          <span class="label-text-alt">How teams are provisioned for SSO users</span>
-        </label>
-      </div>
-
-      <div class="divider">LDAP Configuration</div>
-
-      <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
+      <% if @provider_type == "oidc" %>
+        <div class="divider">OIDC Configuration</div>
+        <%= render "accounts/sso_providers/oidc/form_fields", oidc_configuration: @oidc_configuration %>
+      <% else %>
+        <div class="divider">LDAP Configuration</div>
+        <%= render "accounts/sso_providers/ldap/form_fields", ldap_configuration: @ldap_configuration %>
+      <% end %>
 
       <div class="form-footer mt-6">
         <%= form.submit "Create Provider", class: "btn btn-primary" %>
diff --git a/app/views/accounts/sso_providers/oidc/_form_fields.html.erb b/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
new file mode 100644
index 00000000..908f0cd4
--- /dev/null
+++ b/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
@@ -0,0 +1,121 @@
+<%= render "accounts/sso_providers/oidc/redirect_uri_info" %>
+
+<%= fields_for :oidc_configuration, oidc_configuration do |oidc_form| %>
+  <div class="space-y-8">
+    <%= render(FormFieldComponent.new(
+      label: "Issuer URL",
+      description: "The OIDC provider's issuer URL (used for discovery)"
+    )) do %>
+      <%= oidc_form.text_field :issuer, class: "input input-bordered w-full", required: true, placeholder: "https://auth.example.com" %>
+      <label class="label">
+        <span class="label-text-alt">* Required</span>
+      </label>
+    <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Client ID",
+      description: "OAuth 2.0 client identifier"
+    )) do %>
+      <%= oidc_form.text_field :client_id, class: "input input-bordered w-full", required: true, placeholder: "your-client-id" %>
+      <label class="label">
+        <span class="label-text-alt">* Required</span>
+      </label>
+    <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Client Secret",
+      description: "OAuth 2.0 client secret"
+    )) do %>
+      <%= oidc_form.password_field :client_secret, class: "input input-bordered w-full", required: true %>
+      <label class="label">
+        <span class="label-text-alt">* Required</span>
+      </label>
+    <% end %>
+
+    <%= render(FormFieldComponent.new(
+      label: "Scopes",
+      description: "Space-separated list of scopes to request"
+    )) do %>
+      <%= oidc_form.text_field :scopes, class: "input input-bordered w-full", placeholder: "openid email profile" %>
+      <label class="label">
+        <span class="label-text-alt">Default: openid email profile</span>
+      </label>
+    <% end %>
+  </div>
+
+  <details class="collapse collapse-arrow bg-base-200 mt-8">
+    <summary class="collapse-title font-medium">
+      Advanced Settings (Optional)
+    </summary>
+    <div class="collapse-content">
+      <div class="alert mt-4 mb-6">
+        <iconify-icon icon="lucide:info" class="mr-1"></iconify-icon>
+        <span class="text-sm">Leave these blank to use OIDC discovery. Only fill in if your provider doesn't support discovery.</span>
+      </div>
+
+      <div class="space-y-8">
+        <%= render(FormFieldComponent.new(
+          label: "Authorization Endpoint",
+          description: "URL for authorization requests"
+        )) do %>
+          <%= oidc_form.text_field :authorization_endpoint, class: "input input-bordered w-full", placeholder: "https://auth.example.com/authorize" %>
+        <% end %>
+
+        <%= render(FormFieldComponent.new(
+          label: "Token Endpoint",
+          description: "URL for token requests"
+        )) do %>
+          <%= oidc_form.text_field :token_endpoint, class: "input input-bordered w-full", placeholder: "https://auth.example.com/oauth/token" %>
+        <% end %>
+
+        <%= render(FormFieldComponent.new(
+          label: "UserInfo Endpoint",
+          description: "URL for fetching user information"
+        )) do %>
+          <%= oidc_form.text_field :userinfo_endpoint, class: "input input-bordered w-full", placeholder: "https://auth.example.com/userinfo" %>
+        <% end %>
+
+        <%= render(FormFieldComponent.new(
+          label: "JWKS URI",
+          description: "URL for JSON Web Key Set"
+        )) do %>
+          <%= oidc_form.text_field :jwks_uri, class: "input input-bordered w-full", placeholder: "https://auth.example.com/.well-known/jwks.json" %>
+        <% end %>
+      </div>
+
+      <div class="divider">Claim Mappings</div>
+
+      <div class="space-y-8">
+        <%= render(FormFieldComponent.new(
+          label: "UID Claim",
+          description: "Claim used as user identifier"
+        )) do %>
+          <%= oidc_form.text_field :uid_claim, class: "input input-bordered w-full", placeholder: "sub" %>
+          <label class="label">
+            <span class="label-text-alt">Default: sub</span>
+          </label>
+        <% end %>
+
+        <%= render(FormFieldComponent.new(
+          label: "Email Claim",
+          description: "Claim used for email address"
+        )) do %>
+          <%= oidc_form.text_field :email_claim, class: "input input-bordered w-full", placeholder: "email" %>
+          <label class="label">
+            <span class="label-text-alt">Default: email</span>
+          </label>
+        <% end %>
+
+        <%= render(FormFieldComponent.new(
+          label: "Name Claim",
+          description: "Claim used for display name"
+        )) do %>
+          <%= oidc_form.text_field :name_claim, class: "input input-bordered w-full", placeholder: "name" %>
+          <label class="label">
+            <span class="label-text-alt">Default: name</span>
+          </label>
+        <% end %>
+      </div>
+    </div>
+  </details>
+<% end %>
diff --git a/app/views/accounts/sso_providers/oidc/_redirect_uri_info.html.erb b/app/views/accounts/sso_providers/oidc/_redirect_uri_info.html.erb
new file mode 100644
index 00000000..992cd3a3
--- /dev/null
+++ b/app/views/accounts/sso_providers/oidc/_redirect_uri_info.html.erb
@@ -0,0 +1,8 @@
+<div class="alert mb-4">
+  <iconify-icon icon="lucide:info" class="mr-2"></iconify-icon>
+  <div>
+    <div class="font-medium">Redirect URI</div>
+    <div class="text-sm mt-1">Configure this redirect URI in your OIDC provider:</div>
+    <code class="block mt-2 text-xs bg-base-300 p-2 rounded break-all select-all"><%= oidc_callback_url(slug: current_account.slug) %></code>
+  </div>
+</div>
diff --git a/app/views/accounts/sso_providers/show.html.erb b/app/views/accounts/sso_providers/show.html.erb
index 63af6a0d..20657229 100644
--- a/app/views/accounts/sso_providers/show.html.erb
+++ b/app/views/accounts/sso_providers/show.html.erb
@@ -10,7 +10,11 @@
             <div>
               <h3 class="text-lg font-semibold"><%= @sso_provider.name %></h3>
               <div class="flex gap-2 mt-2">
-                <span class="badge badge-outline">LDAP</span>
+                <% if @sso_provider.ldap? %>
+                  <span class="badge badge-outline">LDAP</span>
+                <% elsif @sso_provider.oidc? %>
+                  <span class="badge badge-outline">OIDC</span>
+                <% end %>
                 <% if @sso_provider.enabled %>
                   <span class="badge badge-success">Enabled</span>
                 <% else %>
@@ -26,24 +30,46 @@
 
           <% if @configuration %>
             <div class="divider"></div>
-            <div class="grid grid-cols-2 gap-4">
-              <div>
-                <div class="text-sm font-medium text-base-content/70 mb-1">Host</div>
-                <div class="font-mono"><%= @configuration.host %>:<%= @configuration.port %></div>
+            <% if @sso_provider.ldap? %>
+              <div class="grid grid-cols-2 gap-4">
+                <div>
+                  <div class="text-sm font-medium text-base-content/70 mb-1">Host</div>
+                  <div class="font-mono"><%= @configuration.host %>:<%= @configuration.port %></div>
+                </div>
+                <div>
+                  <div class="text-sm font-medium text-base-content/70 mb-1">Base DN</div>
+                  <div class="font-mono"><%= @configuration.base_dn %></div>
+                </div>
+                <div>
+                  <div class="text-sm font-medium text-base-content/70 mb-1">UID Attribute</div>
+                  <div class="font-mono"><%= @configuration.uid_attribute %></div>
+                </div>
+                <div>
+                  <div class="text-sm font-medium text-base-content/70 mb-1">Encryption</div>
+                  <div class="font-mono"><%= @configuration.encryption.titleize %></div>
+                </div>
               </div>
-              <div>
-                <div class="text-sm font-medium text-base-content/70 mb-1">Base DN</div>
-                <div class="font-mono"><%= @configuration.base_dn %></div>
+            <% elsif @sso_provider.oidc? %>
+              <%= render "accounts/sso_providers/oidc/redirect_uri_info" %>
+              <div class="grid grid-cols-2 gap-4">
+                <div>
+                  <div class="text-sm font-medium text-base-content/70 mb-1">Issuer</div>
+                  <div class="font-mono text-sm break-all"><%= @configuration.issuer %></div>
+                </div>
+                <div>
+                  <div class="text-sm font-medium text-base-content/70 mb-1">Client ID</div>
+                  <div class="font-mono text-sm"><%= @configuration.client_id %></div>
+                </div>
+                <div>
+                  <div class="text-sm font-medium text-base-content/70 mb-1">Scopes</div>
+                  <div class="font-mono text-sm"><%= @configuration.scopes %></div>
+                </div>
+                <div>
+                  <div class="text-sm font-medium text-base-content/70 mb-1">UID Claim</div>
+                  <div class="font-mono text-sm"><%= @configuration.uid_claim %></div>
+                </div>
               </div>
-              <div>
-                <div class="text-sm font-medium text-base-content/70 mb-1">UID Attribute</div>
-                <div class="font-mono"><%= @configuration.uid_attribute %></div>
-              </div>
-              <div>
-                <div class="text-sm font-medium text-base-content/70 mb-1">Encryption</div>
-                <div class="font-mono"><%= @configuration.encryption.titleize %></div>
-              </div>
-            </div>
+            <% end %>
           <% end %>
         </div>
       </div>
@@ -54,7 +80,8 @@
       </div>
 
       <div class="flex gap-2">
-        <%= link_to "+ Add LDAP Provider", new_sso_provider_path, class: "btn btn-primary btn-sm" %>
+        <%= link_to "+ Add LDAP Provider", new_sso_provider_path(provider_type: "ldap"), class: "btn btn-primary btn-sm" %>
+        <%= link_to "+ Add OIDC Provider", new_sso_provider_path(provider_type: "oidc"), class: "btn btn-primary btn-sm" %>
       </div>
     <% end %>
   <% end %>
diff --git a/app/views/devise/sessions/oidc.html.erb b/app/views/devise/sessions/oidc.html.erb
new file mode 100644
index 00000000..e09f1c27
--- /dev/null
+++ b/app/views/devise/sessions/oidc.html.erb
@@ -0,0 +1,40 @@
+<div class="flex justify-center items-center min-h-screen bg-base-200">
+  <div class="card w-96 bg-base-100 shadow-xl">
+    <div class="card-body">
+      <h1 class="text-2xl font-bold text-center">Sign in</h1>
+      <div class="text-center text-sm">
+        Sign in to access your account
+      </div>
+
+      <% if @account.stack_manager&.portainer? %>
+        <div class="flex justify-center mt-2">
+          <%= render "devise/sessions/portainer_badge", stack_manager: @account.stack_manager, logged_in: false %>
+        </div>
+      <% end %>
+
+      <% if flash[:alert] %>
+        <div class="alert alert-error mb-4 mt-4">
+          <iconify-icon icon="lucide:alert-triangle" class="mr-2 text-white"></iconify-icon>
+          <span><%= flash[:alert] %></span>
+        </div>
+      <% end %>
+
+      <div class="mt-6">
+        <%= link_to oidc_auth_path(@account.slug), class: "btn btn-primary w-full", data: { turbo: false } do %>
+          <iconify-icon icon="lucide:log-in" height="18"></iconify-icon>
+          Sign in with <%= @sso_provider.name %>
+        <% end %>
+      </div>
+
+      <div class="divider">New to <%= @account.name %>?</div>
+
+      <p class="text-center text-sm">
+        Contact your account administrator to get access
+      </p>
+
+      <div class="mt-4 text-center">
+        <%= link_to "Back to main login", new_user_session_path, class: "link link-primary text-sm" %>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb
index c53fd28a..95cc14d5 100644
--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@@ -14,4 +14,5 @@
 ActiveSupport::Inflector.inflections(:en) do |inflect|
   inflect.acronym "SSO"
   inflect.acronym "LDAP"
+  inflect.acronym "OIDC"
 end
diff --git a/config/routes.rb b/config/routes.rb
index 95ba4434..ab82cf85 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -5,6 +5,10 @@ Rails.application.routes.draw do
     post '/accounts/:slug/sign_in', to: 'users/sessions#account_create'
   end
 
+  # OIDC authentication routes
+  get '/accounts/:slug/auth/oidc', to: 'accounts/oidc#authorize', as: :oidc_auth
+  get '/accounts/:slug/auth/oidc/callback', to: 'accounts/oidc#callback', as: :oidc_callback
+
   authenticate :user, ->(user) { user.admin? } do
     mount Avo::Engine, at: Avo.configuration.root_path
     Avo::Engine.routes.draw do
diff --git a/db/migrate/20251211151950_create_oidc_configurations.rb b/db/migrate/20251211151950_create_oidc_configurations.rb
new file mode 100644
index 00000000..8e00af0c
--- /dev/null
+++ b/db/migrate/20251211151950_create_oidc_configurations.rb
@@ -0,0 +1,19 @@
+class CreateOIDCConfigurations < ActiveRecord::Migration[7.2]
+  def change
+    create_table :oidc_configurations do |t|
+      t.string :issuer, null: false
+      t.string :client_id, null: false
+      t.string :client_secret, null: false
+      t.string :authorization_endpoint
+      t.string :token_endpoint
+      t.string :userinfo_endpoint
+      t.string :jwks_uri
+      t.string :scopes, default: "openid email profile"
+      t.string :uid_claim, default: "sub", null: false
+      t.string :email_claim, default: "email"
+      t.string :name_claim, default: "name"
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 191dc5d2..7b187afa 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_11_26_014509) do
+ActiveRecord::Schema[7.2].define(version: 2025_12_11_151950) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -393,6 +393,22 @@ ActiveRecord::Schema[7.2].define(version: 2025_11_26_014509) do
     t.index ["recipient_type", "recipient_id"], name: "index_noticed_notifications_on_recipient"
   end
 
+  create_table "oidc_configurations", force: :cascade do |t|
+    t.string "issuer", null: false
+    t.string "client_id", null: false
+    t.string "client_secret", null: false
+    t.string "authorization_endpoint"
+    t.string "token_endpoint"
+    t.string "userinfo_endpoint"
+    t.string "jwks_uri"
+    t.string "scopes", default: "openid email profile"
+    t.string "uid_claim", default: "sub", null: false
+    t.string "email_claim", default: "email"
+    t.string "name_claim", default: "name"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   create_table "project_add_ons", force: :cascade do |t|
     t.bigint "project_id", null: false
     t.bigint "add_on_id", null: false
diff --git a/docker-compose.yml b/docker-compose.yml
index 838d386e..30d2033c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,6 +8,7 @@ x-shared-env: &shared-env
 
 services:
   postgres:
+    restart: unless-stopped
     image: postgres:16-bookworm@sha256:878977a5fe8d75ba7eab7610e4cf7e0c8626a683d89b3f9da965b8ceba952a09
     environment:
       - POSTGRES_USER=postgres
@@ -17,13 +18,20 @@ services:
       - "5432:5432"
     volumes:
       - "postgres:/var/lib/postgresql/data"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 30s
+      retries: 5
+      start_period: 20s
 
   web:
+    restart: unless-stopped
     image: ghcr.io/caninehq/canine:latest
     # Overrides default command so things don't shut down after the process ends.
     # command: sleep infinity
     depends_on:
-      - postgres
+      postgres:
+        condition: service_healthy
     stdin_open: true
     tty: true
     ports:
@@ -37,10 +45,12 @@ services:
       - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
 
   worker:
+    restart: unless-stopped
     image: ghcr.io/caninehq/canine:latest
     command: bundle exec good_job start
     depends_on:
-      - postgres
+      postgres:
+        condition: service_healthy
     environment:
       <<: *shared-env
       LOCAL_MODE: "true"
diff --git a/install/portainer/docker-compose.yml b/install/portainer/docker-compose.yml
index f61a7aba..2faa929b 100644
--- a/install/portainer/docker-compose.yml
+++ b/install/portainer/docker-compose.yml
@@ -8,6 +8,7 @@ x-shared-env: &shared-env
 
 services:
   postgres:
+    restart: unless-stopped
     image: postgres:16-bookworm@sha256:878977a5fe8d75ba7eab7610e4cf7e0c8626a683d89b3f9da965b8ceba952a09
     environment:
       - POSTGRES_USER=postgres
@@ -17,13 +18,20 @@ services:
       - "5432:5432"
     volumes:
       - "postgres:/var/lib/postgresql/data"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 30s
+      retries: 5
+      start_period: 20s
 
   web:
+    restart: unless-stopped
     image: ghcr.io/caninehq/canine:latest
     # Overrides default command so things don't shut down after the process ends.
     # command: sleep infinity
     depends_on:
-      - postgres
+      postgres:
+        condition: service_healthy
     stdin_open: true
     tty: true
     ports:
@@ -37,10 +45,12 @@ services:
       - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
 
   worker:
+    restart: unless-stopped
     image: ghcr.io/caninehq/canine:latest
     command: bundle exec good_job start
     depends_on:
-      - postgres
+      postgres:
+        condition: service_healthy
     environment:
       <<: *shared-env
       LOCAL_MODE: "true"
diff --git a/spec/factories/oidc_configurations.rb b/spec/factories/oidc_configurations.rb
new file mode 100644
index 00000000..a35d1088
--- /dev/null
+++ b/spec/factories/oidc_configurations.rb
@@ -0,0 +1,34 @@
+# == Schema Information
+#
+# Table name: oidc_configurations
+#
+#  id                     :bigint           not null, primary key
+#  issuer                 :string           not null
+#  client_id              :string           not null
+#  client_secret          :string           not null
+#  authorization_endpoint :string
+#  token_endpoint         :string
+#  userinfo_endpoint      :string
+#  jwks_uri               :string
+#  scopes                 :string           default("openid email profile")
+#  uid_claim              :string           default("sub"), not null
+#  email_claim            :string           default("email")
+#  name_claim             :string           default("name")
+#  created_at             :datetime         not null
+#  updated_at             :datetime         not null
+#
+FactoryBot.define do
+  factory :oidc_configuration do
+    issuer { "https://auth.example.com" }
+    client_id { "canine-client" }
+    client_secret { "super-secret-key" }
+    authorization_endpoint { nil }
+    token_endpoint { nil }
+    userinfo_endpoint { nil }
+    jwks_uri { nil }
+    scopes { "openid email profile" }
+    uid_claim { "sub" }
+    email_claim { "email" }
+    name_claim { "name" }
+  end
+end
diff --git a/spec/models/oidc_configuration_spec.rb b/spec/models/oidc_configuration_spec.rb
new file mode 100644
index 00000000..57947dcf
--- /dev/null
+++ b/spec/models/oidc_configuration_spec.rb
@@ -0,0 +1,64 @@
+# == Schema Information
+#
+# Table name: oidc_configurations
+#
+#  id                     :bigint           not null, primary key
+#  issuer                 :string           not null
+#  client_id              :string           not null
+#  client_secret          :string           not null
+#  authorization_endpoint :string
+#  token_endpoint         :string
+#  userinfo_endpoint      :string
+#  jwks_uri               :string
+#  scopes                 :string           default("openid email profile")
+#  uid_claim              :string           default("sub"), not null
+#  email_claim            :string           default("email")
+#  name_claim             :string           default("name")
+#  created_at             :datetime         not null
+#  updated_at             :datetime         not null
+#
+require 'rails_helper'
+
+RSpec.describe OIDCConfiguration, type: :model do
+  describe "validations" do
+    it "is valid with valid attributes" do
+      config = build(:oidc_configuration)
+      expect(config).to be_valid
+    end
+
+    it "requires issuer, client_id, and client_secret" do
+      config = build(:oidc_configuration, issuer: nil, client_id: nil, client_secret: nil)
+      expect(config).not_to be_valid
+      expect(config.errors[:issuer]).to be_present
+      expect(config.errors[:client_id]).to be_present
+      expect(config.errors[:client_secret]).to be_present
+    end
+  end
+
+  describe "#discovery_url" do
+    it "returns the well-known configuration URL" do
+      config = build(:oidc_configuration, issuer: "https://auth.example.com")
+      expect(config.discovery_url).to eq("https://auth.example.com/.well-known/openid-configuration")
+    end
+
+    it "strips trailing slash from issuer" do
+      config = build(:oidc_configuration, issuer: "https://auth.example.com/")
+      expect(config.discovery_url).to eq("https://auth.example.com/.well-known/openid-configuration")
+    end
+  end
+
+  describe "#uses_discovery?" do
+    it "returns true when endpoints are blank" do
+      config = build(:oidc_configuration, authorization_endpoint: nil, token_endpoint: nil)
+      expect(config.uses_discovery?).to be true
+    end
+
+    it "returns false when endpoints are configured" do
+      config = build(:oidc_configuration,
+        authorization_endpoint: "https://auth.example.com/authorize",
+        token_endpoint: "https://auth.example.com/token"
+      )
+      expect(config.uses_discovery?).to be false
+    end
+  end
+end
diff --git a/spec/models/provider_spec.rb b/spec/models/provider_spec.rb
index e422841b..e9c6d97c 100644
--- a/spec/models/provider_spec.rb
+++ b/spec/models/provider_spec.rb
@@ -1,3 +1,30 @@
+# == Schema Information
+#
+# Table name: providers
+#
+#  id                  :bigint           not null, primary key
+#  access_token        :string
+#  access_token_secret :string
+#  auth                :text
+#  expires_at          :datetime
+#  last_used_at        :datetime
+#  provider            :string
+#  refresh_token       :string
+#  registry_url        :string
+#  uid                 :string
+#  created_at          :datetime         not null
+#  updated_at          :datetime         not null
+#  external_id         :string
+#  user_id             :bigint           not null
+#
+# Indexes
+#
+#  index_providers_on_user_id  (user_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (user_id => users.id)
+#
 require 'rails_helper'
 
 RSpec.describe Provider, type: :model do

From 58e4dc22d52d3074bf5472a66254ba12d2e5f7c4 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 12 Dec 2025 13:06:20 -0800
Subject: [PATCH 67/75] install script pull latest images

---
 install/install.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/install.sh b/install/install.sh
index 8eabfe45..64215437 100755
--- a/install/install.sh
+++ b/install/install.sh
@@ -94,13 +94,13 @@ if [ -t 0 ]; then  # Only prompt if running in interactive terminal
     port=${port:-3456}
 fi
 
-echo "Building Docker images..."
+echo "Pulling latest Docker images..."
+
+# Pull latest images and start docker compose
+docker compose pull
 echo " [OK]"
 
 echo "Starting Canine on port $port..."
-
-# Start docker compose in the background
-docker compose build
 PORT=$port DOCKER_SOCKET="$DOCKER_SOCKET" docker compose up -d
 
 # Function to check if port is ready

From 47198e02800119a8630ecc96b7f9ee6a52e0fb85 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 12 Dec 2025 13:14:55 -0800
Subject: [PATCH 68/75] clean up errors in sentry

---
 config/initializers/sentry.rb | 1 +
 lib/portainer/client.rb       | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/config/initializers/sentry.rb b/config/initializers/sentry.rb
index ed00fc55..db192705 100644
--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -2,5 +2,6 @@ if ENV['SENTRY_DSN'].present?
   Sentry.init do |config|
     config.dsn = ENV['SENTRY_DSN']
     config.breadcrumbs_logger = [ :active_support_logger, :http_logger ]
+    config.excluded_exceptions += [ 'ActionDispatch::RemoteIp::IpSpoofAttackError' ]
   end
 end
diff --git a/lib/portainer/client.rb b/lib/portainer/client.rb
index f5a5fa83..ebd2564d 100644
--- a/lib/portainer/client.rb
+++ b/lib/portainer/client.rb
@@ -79,7 +79,7 @@ module Portainer
       end
     rescue Socket::ResolutionError
       raise ConnectionError, "Portainer URL is not resolvable"
-    rescue Net::ReadTimeout
+    rescue Net::ReadTimeout, Net::OpenTimeout
       raise ConnectionError, "Connection to Portainer timed out"
     end
 
@@ -131,7 +131,7 @@ module Portainer
       end
     rescue Socket::ResolutionError
       raise ConnectionError, "Portainer URL is not resolvable"
-    rescue Net::ReadTimeout
+    rescue Net::ReadTimeout, Net::OpenTimeout
       raise ConnectionError, "Connection to Portainer timed out"
     end
 
@@ -141,7 +141,7 @@ module Portainer
       end
     rescue Socket::ResolutionError
       raise ConnectionError, "Portainer URL is not resolvable"
-    rescue Net::ReadTimeout
+    rescue Net::ReadTimeout, Net::OpenTimeout
       raise ConnectionError, "Connection to Portainer timed out"
     end
 

From 165f234dd8eb550d509df72c7c12e55a5040ce2a Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 12 Dec 2025 14:34:06 -0800
Subject: [PATCH 69/75] use sso provider as anchor

---
 app/actions/sso/create_user_in_account.rb     | 39 +++++++--
 app/actions/sso/sync_user_teams.rb            |  4 +-
 app/controllers/accounts/oidc_controller.rb   | 14 ++-
 app/models/provider.rb                        |  8 +-
 app/models/sso_provider.rb                    |  1 +
 app/views/providers/_index.html.erb           |  2 +-
 ...212215414_add_sso_provider_to_providers.rb |  6 ++
 db/schema.rb                                  |  6 +-
 lib/devise/strategies/ldap_authenticatable.rb | 12 ++-
 .../sso/create_user_in_account_spec.rb        | 85 +++++++++++++++++--
 spec/actions/sso/sync_user_teams_spec.rb      | 27 +++++-
 spec/factories/providers.rb                   |  6 +-
 spec/factories/sso_providers.rb               |  9 +-
 spec/models/provider_spec.rb                  |  6 +-
 14 files changed, 195 insertions(+), 30 deletions(-)
 create mode 100644 db/migrate/20251212215414_add_sso_provider_to_providers.rb

diff --git a/app/actions/sso/create_user_in_account.rb b/app/actions/sso/create_user_in_account.rb
index 0b62fb18..c30fb570 100644
--- a/app/actions/sso/create_user_in_account.rb
+++ b/app/actions/sso/create_user_in_account.rb
@@ -3,20 +3,43 @@
 module SSO
   class CreateUserInAccount
     extend LightService::Action
-    expects :email, :account
+    expects :email, :account, :sso_provider, :uid
+    expects :name, default: nil
     promises :user
 
     executed do |context|
-      user = User.find_or_initialize_by(email: context.email.downcase)
+      # First try to find user by SSO provider identity
+      provider = Provider.find_by(sso_provider: context.sso_provider, uid: context.uid)
 
-      if user.new_record?
-        password = SecureRandom.hex(32)
-        user.password = password
-        user.password_confirmation = password
+      if provider
+        user = provider.user
+      else
+        # Fall back to finding by email, or create new user
+        user = User.find_or_initialize_by(email: context.email.downcase)
 
-        unless user.save
-          context.fail_and_return!("Failed to create user", errors: user.errors)
+        if user.new_record?
+          password = SecureRandom.hex(32)
+          user.password = password
+          user.password_confirmation = password
+
+          unless user.save
+            context.fail_and_return!("Failed to create user", errors: user.errors)
+          end
         end
+
+        # Create provider record to link user to SSO provider
+        Provider.create!(
+          user: user,
+          sso_provider: context.sso_provider,
+          uid: context.uid,
+          provider: context.sso_provider.name
+        )
+      end
+
+      # Update name from SSO provider on every login
+      if context.name.present?
+        name_parts = context.name.split(" ", 2)
+        user.update(first_name: name_parts.first, last_name: name_parts.second)
       end
 
       AccountUser.find_or_create_by!(account: context.account, user: user)
diff --git a/app/actions/sso/sync_user_teams.rb b/app/actions/sso/sync_user_teams.rb
index e0e2d33e..ea66740b 100644
--- a/app/actions/sso/sync_user_teams.rb
+++ b/app/actions/sso/sync_user_teams.rb
@@ -1,7 +1,7 @@
 class SSO::SyncUserTeams
   extend LightService::Organizer
-  def self.call(email, team_names, account)
-    with(email:, team_names:, account:).reduce(
+  def self.call(email:, team_names:, account:, sso_provider:, uid:, name: nil)
+    with(email:, team_names:, account:, sso_provider:, uid:, name:).reduce(
       SSO::CreateTeamsInAccount,
       SSO::CreateUserInAccount,
       SSO::SyncTeams,
diff --git a/app/controllers/accounts/oidc_controller.rb b/app/controllers/accounts/oidc_controller.rb
index 9cd2501d..2f7337a9 100644
--- a/app/controllers/accounts/oidc_controller.rb
+++ b/app/controllers/accounts/oidc_controller.rb
@@ -53,12 +53,22 @@ module Accounts
       sso_provider = @account.sso_provider
       if sso_provider.just_in_time_team_provisioning_mode?
         ar_result = ActiveRecord::Base.transaction do
-          SSO::SyncUserTeams.call(result.email, result.groups || [], @account)
+          SSO::SyncUserTeams.call(
+            email: result.email,
+            team_names: result.groups || [],
+            account: @account,
+            sso_provider: sso_provider,
+            uid: result.uid,
+            name: result.name
+          )
         end
       else
         ar_result = SSO::CreateUserInAccount.execute(
           email: result.email,
-          account: @account
+          account: @account,
+          sso_provider: sso_provider,
+          uid: result.uid,
+          name: result.name
         )
       end
 
diff --git a/app/models/provider.rb b/app/models/provider.rb
index 8cb7fa23..16fd3f8c 100644
--- a/app/models/provider.rb
+++ b/app/models/provider.rb
@@ -15,14 +15,18 @@
 #  created_at          :datetime         not null
 #  updated_at          :datetime         not null
 #  external_id         :string
+#  sso_provider_id     :bigint
 #  user_id             :bigint           not null
 #
 # Indexes
 #
-#  index_providers_on_user_id  (user_id)
+#  index_providers_on_sso_provider_id          (sso_provider_id)
+#  index_providers_on_sso_provider_id_and_uid  (sso_provider_id,uid) UNIQUE WHERE (sso_provider_id IS NOT NULL)
+#  index_providers_on_user_id                  (user_id)
 #
 # Foreign Keys
 #
+#  fk_rails_...  (sso_provider_id => sso_providers.id)
 #  fk_rails_...  (user_id => users.id)
 #
 class Provider < ApplicationRecord
@@ -44,8 +48,10 @@ class Provider < ApplicationRecord
   AVAILABLE_PROVIDERS = [ GITHUB_PROVIDER, GITLAB_PROVIDER, CUSTOM_REGISTRY_PROVIDER ].freeze
   validates :registry_url, presence: true, if: :container_registry?
   scope :has_container_registry, -> { where(provider: [ GITHUB_PROVIDER, GITLAB_PROVIDER, CUSTOM_REGISTRY_PROVIDER ]) }
+  scope :non_sso, -> { where(sso_provider_id: nil) }
 
   belongs_to :user
+  belongs_to :sso_provider, class_name: "SSOProvider", optional: true
 
   Devise.omniauth_configs.keys.each do |provider|
     scope provider, -> { where(provider: provider) }
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index ed1cbfac..afd4486f 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -24,6 +24,7 @@
 class SSOProvider < ApplicationRecord
   belongs_to :account
   belongs_to :configuration, polymorphic: true, dependent: :destroy
+  has_many :providers, dependent: :nullify
 
   validates :account_id, uniqueness: true
 
diff --git a/app/views/providers/_index.html.erb b/app/views/providers/_index.html.erb
index 10a6d753..139d4667 100644
--- a/app/views/providers/_index.html.erb
+++ b/app/views/providers/_index.html.erb
@@ -12,7 +12,7 @@
       </tr>
     </thead>
     <tbody>
-      <% current_user.providers.each do |provider| %>
+      <% current_user.providers.non_sso.each do |provider| %>
         <% project_credential_providers = ProjectCredentialProvider.where(provider:).all %>
         <tr>
           <td>
diff --git a/db/migrate/20251212215414_add_sso_provider_to_providers.rb b/db/migrate/20251212215414_add_sso_provider_to_providers.rb
new file mode 100644
index 00000000..a7e4eb6b
--- /dev/null
+++ b/db/migrate/20251212215414_add_sso_provider_to_providers.rb
@@ -0,0 +1,6 @@
+class AddSSOProviderToProviders < ActiveRecord::Migration[7.2]
+  def change
+    add_reference :providers, :sso_provider, null: true, foreign_key: true
+    add_index :providers, [ :sso_provider_id, :uid ], unique: true, where: "sso_provider_id IS NOT NULL"
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 7b187afa..71628ec1 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_12_11_151950) do
+ActiveRecord::Schema[7.2].define(version: 2025_12_12_215414) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -480,6 +480,9 @@ ActiveRecord::Schema[7.2].define(version: 2025_12_11_151950) do
     t.datetime "last_used_at"
     t.string "registry_url"
     t.string "external_id"
+    t.bigint "sso_provider_id"
+    t.index ["sso_provider_id", "uid"], name: "index_providers_on_sso_provider_id_and_uid", unique: true, where: "(sso_provider_id IS NOT NULL)"
+    t.index ["sso_provider_id"], name: "index_providers_on_sso_provider_id"
     t.index ["user_id"], name: "index_providers_on_user_id"
   end
 
@@ -623,6 +626,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_12_11_151950) do
   add_foreign_key "project_forks", "projects", column: "parent_project_id"
   add_foreign_key "projects", "clusters"
   add_foreign_key "projects", "clusters", column: "project_fork_cluster_id"
+  add_foreign_key "providers", "sso_providers"
   add_foreign_key "providers", "users"
   add_foreign_key "services", "projects"
   add_foreign_key "sso_providers", "accounts"
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index 838a426c..3139f383 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -54,12 +54,22 @@ module Devise
         if sso_provider.just_in_time_team_provisioning_mode?
           groups = result.groups
           ar_result = ActiveRecord::Base.transaction do
-            SSO::SyncUserTeams.call(email, groups, ldap_configuration.account)
+            SSO::SyncUserTeams.call(
+              email: email,
+              team_names: groups,
+              account: ldap_configuration.account,
+              sso_provider: sso_provider,
+              uid: result.user_dn,
+              name: result.name
+            )
           end
         else
           ar_result = SSO::CreateUserInAccount.execute(
             email: email,
             account: ldap_configuration.account,
+            sso_provider: sso_provider,
+            uid: result.user_dn,
+            name: result.name
           )
         end
 
diff --git a/spec/actions/sso/create_user_in_account_spec.rb b/spec/actions/sso/create_user_in_account_spec.rb
index 5be8c16d..871cff74 100644
--- a/spec/actions/sso/create_user_in_account_spec.rb
+++ b/spec/actions/sso/create_user_in_account_spec.rb
@@ -2,26 +2,101 @@ require 'rails_helper'
 
 RSpec.describe SSO::CreateUserInAccount do
   let(:account) { create(:account) }
+  let(:sso_provider) { create(:sso_provider, account: account) }
 
   describe '.execute' do
-    it 'creates a new user and associates them with the account when user does not exist' do
-      result = described_class.execute(email: 'new@example.com', account: account)
+    it 'creates a new user, provider record, and associates them with the account' do
+      result = described_class.execute(
+        email: 'new@example.com',
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'external-uid-123'
+      )
 
       expect(result).to be_success
       expect(result.user).to be_persisted
       expect(result.user.email).to eq('new@example.com')
       expect(account.users).to include(result.user)
+
+      provider = Provider.find_by(sso_provider: sso_provider, uid: 'external-uid-123')
+      expect(provider).to be_present
+      expect(provider.user).to eq(result.user)
     end
 
-    it 'associates an existing user with the account without creating a duplicate' do
+    it 'sets first and last name when name is provided' do
+      result = described_class.execute(
+        email: 'new@example.com',
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'external-uid-123',
+        name: 'John Doe'
+      )
+
+      expect(result).to be_success
+      expect(result.user.first_name).to eq('John')
+      expect(result.user.last_name).to eq('Doe')
+    end
+
+    it 'finds existing user by SSO provider uid on subsequent logins' do
+      first_result = described_class.execute(
+        email: 'user@example.com',
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'same-uid'
+      )
+
+      second_result = described_class.execute(
+        email: 'different@example.com',
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'same-uid'
+      )
+
+      expect(second_result).to be_success
+      expect(second_result.user).to eq(first_result.user)
+      expect(Provider.where(sso_provider: sso_provider, uid: 'same-uid').count).to eq(1)
+    end
+
+    it 'updates name on subsequent logins' do
+      first_result = described_class.execute(
+        email: 'user@example.com',
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'same-uid',
+        name: 'Old Name'
+      )
+
+      expect(first_result.user.first_name).to eq('Old')
+      expect(first_result.user.last_name).to eq('Name')
+
+      second_result = described_class.execute(
+        email: 'user@example.com',
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'same-uid',
+        name: 'New Name'
+      )
+
+      expect(second_result.user.reload.first_name).to eq('New')
+      expect(second_result.user.last_name).to eq('Name')
+    end
+
+    it 'links existing user by email if no provider record exists' do
       existing_user = create(:user, email: 'existing@example.com')
 
-      result = described_class.execute(email: 'EXISTING@example.com', account: account)
+      result = described_class.execute(
+        email: 'EXISTING@example.com',
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'new-uid'
+      )
 
       expect(result).to be_success
       expect(result.user).to eq(existing_user)
       expect(account.users).to include(existing_user)
-      expect(User.where(email: 'existing@example.com').count).to eq(1)
+
+      provider = Provider.find_by(sso_provider: sso_provider, uid: 'new-uid')
+      expect(provider.user).to eq(existing_user)
     end
   end
 end
diff --git a/spec/actions/sso/sync_user_teams_spec.rb b/spec/actions/sso/sync_user_teams_spec.rb
index 0779bb0c..3f6732b2 100644
--- a/spec/actions/sso/sync_user_teams_spec.rb
+++ b/spec/actions/sso/sync_user_teams_spec.rb
@@ -2,12 +2,19 @@ require 'rails_helper'
 
 RSpec.describe SSO::SyncUserTeams do
   let(:account) { create(:account) }
+  let(:sso_provider) { create(:sso_provider, account: account) }
 
   describe '.call' do
     it 'creates user, teams, and team memberships' do
       create(:team, account: account, name: 'Existing')
 
-      result = described_class.call('new@example.com', [ { name: 'Existing' }, { name: 'NewTeam' } ], account)
+      result = described_class.call(
+        email: 'new@example.com',
+        team_names: [ { name: 'Existing' }, { name: 'NewTeam' } ],
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'user-uid-123'
+      )
 
       expect(result).to be_success
       expect(result.user.email).to eq('new@example.com')
@@ -22,8 +29,15 @@ RSpec.describe SSO::SyncUserTeams do
       create(:team_membership, user: user, team: team_to_keep)
       create(:team_membership, user: user, team: team_to_remove)
       create(:account_user, account: account, user: user)
+      create(:provider, user: user, sso_provider: sso_provider, uid: 'existing-uid', provider: sso_provider.name)
 
-      result = described_class.call('existing@example.com', [ { name: 'KeepTeam' } ], account)
+      result = described_class.call(
+        email: 'existing@example.com',
+        team_names: [ { name: 'KeepTeam' } ],
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'existing-uid'
+      )
 
       expect(result).to be_success
       expect(result.user.teams.reload).to contain_exactly(team_to_keep)
@@ -37,8 +51,15 @@ RSpec.describe SSO::SyncUserTeams do
       create(:team_membership, user: user, team: team_in_account)
       create(:team_membership, user: user, team: team_in_other)
       create(:account_user, account: account, user: user)
+      create(:provider, user: user, sso_provider: sso_provider, uid: 'existing-uid', provider: sso_provider.name)
 
-      result = described_class.call('existing@example.com', [], account)
+      result = described_class.call(
+        email: 'existing@example.com',
+        team_names: [],
+        account: account,
+        sso_provider: sso_provider,
+        uid: 'existing-uid'
+      )
 
       expect(result).to be_success
       expect(user.teams.reload).to contain_exactly(team_in_other)
diff --git a/spec/factories/providers.rb b/spec/factories/providers.rb
index 1d956e83..c3e2c524 100644
--- a/spec/factories/providers.rb
+++ b/spec/factories/providers.rb
@@ -15,14 +15,18 @@
 #  created_at          :datetime         not null
 #  updated_at          :datetime         not null
 #  external_id         :string
+#  sso_provider_id     :bigint
 #  user_id             :bigint           not null
 #
 # Indexes
 #
-#  index_providers_on_user_id  (user_id)
+#  index_providers_on_sso_provider_id          (sso_provider_id)
+#  index_providers_on_sso_provider_id_and_uid  (sso_provider_id,uid) UNIQUE WHERE (sso_provider_id IS NOT NULL)
+#  index_providers_on_user_id                  (user_id)
 #
 # Foreign Keys
 #
+#  fk_rails_...  (sso_provider_id => sso_providers.id)
 #  fk_rails_...  (user_id => users.id)
 #
 FactoryBot.define do
diff --git a/spec/factories/sso_providers.rb b/spec/factories/sso_providers.rb
index 6b6f3c44..e3f02cb7 100644
--- a/spec/factories/sso_providers.rb
+++ b/spec/factories/sso_providers.rb
@@ -23,9 +23,10 @@
 #
 FactoryBot.define do
   factory :sso_provider do
-    account { nil }
-    configuration { nil }
-    name { "MyString" }
-    enabled { false }
+    account
+    configuration { association :oidc_configuration }
+    name { "Test SSO Provider" }
+    enabled { true }
+    team_provisioning_mode { :disabled }
   end
 end
diff --git a/spec/models/provider_spec.rb b/spec/models/provider_spec.rb
index e9c6d97c..6d07a9c1 100644
--- a/spec/models/provider_spec.rb
+++ b/spec/models/provider_spec.rb
@@ -15,14 +15,18 @@
 #  created_at          :datetime         not null
 #  updated_at          :datetime         not null
 #  external_id         :string
+#  sso_provider_id     :bigint
 #  user_id             :bigint           not null
 #
 # Indexes
 #
-#  index_providers_on_user_id  (user_id)
+#  index_providers_on_sso_provider_id          (sso_provider_id)
+#  index_providers_on_sso_provider_id_and_uid  (sso_provider_id,uid) UNIQUE WHERE (sso_provider_id IS NOT NULL)
+#  index_providers_on_user_id                  (user_id)
 #
 # Foreign Keys
 #
+#  fk_rails_...  (sso_provider_id => sso_providers.id)
 #  fk_rails_...  (user_id => users.id)
 #
 require 'rails_helper'

From af601a3c2764d11fd27390c03360341085ae6b0b Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 12 Dec 2025 14:56:00 -0800
Subject: [PATCH 70/75] added spec coverage

---
 .github/workflows/ci.yml             |  9 +++++++++
 spec/actions/add_ons/filter_spec.rb  | 12 ++++++++++++
 spec/actions/clusters/filter_spec.rb | 12 ++++++++++++
 spec/actions/projects/filter_spec.rb | 12 ++++++++++++
 spec/actions/services/create_spec.rb | 14 ++++++++++++++
 spec/rails_helper.rb                 |  3 +++
 spec/spec_helper.rb                  | 22 +++++++++++++++++++---
 7 files changed, 81 insertions(+), 3 deletions(-)
 create mode 100644 spec/actions/add_ons/filter_spec.rb
 create mode 100644 spec/actions/clusters/filter_spec.rb
 create mode 100644 spec/actions/projects/filter_spec.rb
 create mode 100644 spec/actions/services/create_spec.rb

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eadd69b8..bcd9ee52 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -53,10 +53,19 @@ jobs:
         env:
           RAILS_ENV: test
           DATABASE_URL: postgres://postgres:postgres@localhost:5432
+          CI: true
         run: |
           bin/rails db:test:prepare
           bin/bundle exec rspec --exclude-pattern spec/system/local/**/*_spec.rb
 
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: coverage-report
+          path: coverage/
+          if-no-files-found: ignore
+
       - name: Keep screenshots from failed system tests
         uses: actions/upload-artifact@v4
         if: failure()
diff --git a/spec/actions/add_ons/filter_spec.rb b/spec/actions/add_ons/filter_spec.rb
new file mode 100644
index 00000000..d6ed3b6d
--- /dev/null
+++ b/spec/actions/add_ons/filter_spec.rb
@@ -0,0 +1,12 @@
+require 'rails_helper'
+
+RSpec.describe AddOns::Filter do
+  it 'filters add_ons by name with case-insensitive ILIKE' do
+    cluster = create(:cluster)
+    redis = create(:add_on, cluster: cluster, name: 'redis-cache')
+    create(:add_on, cluster: cluster, name: 'postgres-db')
+
+    expect(described_class.execute(params: { q: 'REDIS' }, add_ons: AddOn.all).add_ons).to eq([redis])
+    expect(described_class.execute(params: { q: '' }, add_ons: AddOn.all).add_ons.count).to eq(2)
+  end
+end
diff --git a/spec/actions/clusters/filter_spec.rb b/spec/actions/clusters/filter_spec.rb
new file mode 100644
index 00000000..b771db4b
--- /dev/null
+++ b/spec/actions/clusters/filter_spec.rb
@@ -0,0 +1,12 @@
+require 'rails_helper'
+
+RSpec.describe Clusters::Filter do
+  it 'filters clusters by name with case-insensitive ILIKE' do
+    account = create(:account)
+    prod = create(:cluster, account: account, name: 'production-us')
+    create(:cluster, account: account, name: 'staging-eu')
+
+    expect(described_class.execute(params: { q: 'PROD' }, clusters: Cluster.all).clusters).to eq([prod])
+    expect(described_class.execute(params: { q: '' }, clusters: Cluster.all).clusters.count).to eq(2)
+  end
+end
diff --git a/spec/actions/projects/filter_spec.rb b/spec/actions/projects/filter_spec.rb
new file mode 100644
index 00000000..a1ff9ce6
--- /dev/null
+++ b/spec/actions/projects/filter_spec.rb
@@ -0,0 +1,12 @@
+require 'rails_helper'
+
+RSpec.describe Projects::Filter do
+  it 'filters projects by name with case-insensitive ILIKE' do
+    cluster = create(:cluster)
+    api = create(:project, cluster: cluster, account: cluster.account, name: 'api-service')
+    create(:project, cluster: cluster, account: cluster.account, name: 'web-frontend')
+
+    expect(described_class.execute(params: { q: 'API' }, projects: Project.all).projects).to eq([api])
+    expect(described_class.execute(params: { q: '' }, projects: Project.all).projects.count).to eq(2)
+  end
+end
diff --git a/spec/actions/services/create_spec.rb b/spec/actions/services/create_spec.rb
new file mode 100644
index 00000000..dba98053
--- /dev/null
+++ b/spec/actions/services/create_spec.rb
@@ -0,0 +1,14 @@
+require 'rails_helper'
+
+RSpec.describe Services::Create do
+  it 'saves the service with associations' do
+    project = create(:project)
+    service = build(:service, :cron_job, project: project)
+
+    result = described_class.call(service, { service: {} })
+
+    expect(result).to be_success
+    expect(service).to be_persisted
+    expect(service.cron_schedule).to be_persisted
+  end
+end
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
index 0d872414..c75a69b1 100644
--- a/spec/rails_helper.rb
+++ b/spec/rails_helper.rb
@@ -8,6 +8,7 @@ abort("The Rails environment is running in production mode!") if Rails.env.produ
 # that will avoid rails generators crashing because migrations haven't been run yet
 # return unless Rails.env.test?
 require 'rspec/rails'
+require 'factory_bot_rails'
 require 'support/webmock'
 # Add additional requires below this line. Rails is not loaded until this point!
 
@@ -34,6 +35,8 @@ rescue ActiveRecord::PendingMigrationError => e
   abort e.to_s.strip
 end
 RSpec.configure do |config|
+  config.include FactoryBot::Syntax::Methods
+
   config.before(:suite) do
     DatabaseCleaner.clean_with(:truncation)
   end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index ef8c8355..b249e056 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,6 +1,23 @@
-require 'factory_bot_rails'
 require 'simplecov'
-SimpleCov.start 'rails'
+
+SimpleCov.start 'rails' do
+  enable_coverage :branch
+
+  add_filter '/spec/'
+  add_filter '/config/'
+  add_filter '/vendor/'
+
+  add_group 'Models', 'app/models'
+  add_group 'Controllers', 'app/controllers'
+  add_group 'Services', 'app/services'
+  add_group 'Actions', 'app/actions'
+  add_group 'Jobs', 'app/jobs'
+  add_group 'Helpers', 'app/helpers'
+
+  if ENV['CI']
+    minimum_coverage line: 5, branch: 5
+  end
+end
 
 # This file was generated by the `rails generate rspec:install` command. Conventionally, all
 # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
@@ -18,7 +35,6 @@ SimpleCov.start 'rails'
 #
 # See https://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
 RSpec.configure do |config|
-  config.include FactoryBot::Syntax::Methods
   # rspec-expectations config goes here. You can use an alternate
   # assertion/expectation library such as wrong or the stdlib/minitest
   # assertions if you prefer.

From 0f9762164fe15ae424f6fe5aa94058d210c205a1 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 12 Dec 2025 14:56:33 -0800
Subject: [PATCH 71/75] fix lints

---
 spec/actions/add_ons/filter_spec.rb  | 2 +-
 spec/actions/clusters/filter_spec.rb | 2 +-
 spec/actions/projects/filter_spec.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/spec/actions/add_ons/filter_spec.rb b/spec/actions/add_ons/filter_spec.rb
index d6ed3b6d..896e95a6 100644
--- a/spec/actions/add_ons/filter_spec.rb
+++ b/spec/actions/add_ons/filter_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe AddOns::Filter do
     redis = create(:add_on, cluster: cluster, name: 'redis-cache')
     create(:add_on, cluster: cluster, name: 'postgres-db')
 
-    expect(described_class.execute(params: { q: 'REDIS' }, add_ons: AddOn.all).add_ons).to eq([redis])
+    expect(described_class.execute(params: { q: 'REDIS' }, add_ons: AddOn.all).add_ons).to eq([ redis ])
     expect(described_class.execute(params: { q: '' }, add_ons: AddOn.all).add_ons.count).to eq(2)
   end
 end
diff --git a/spec/actions/clusters/filter_spec.rb b/spec/actions/clusters/filter_spec.rb
index b771db4b..b04facbb 100644
--- a/spec/actions/clusters/filter_spec.rb
+++ b/spec/actions/clusters/filter_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe Clusters::Filter do
     prod = create(:cluster, account: account, name: 'production-us')
     create(:cluster, account: account, name: 'staging-eu')
 
-    expect(described_class.execute(params: { q: 'PROD' }, clusters: Cluster.all).clusters).to eq([prod])
+    expect(described_class.execute(params: { q: 'PROD' }, clusters: Cluster.all).clusters).to eq([ prod ])
     expect(described_class.execute(params: { q: '' }, clusters: Cluster.all).clusters.count).to eq(2)
   end
 end
diff --git a/spec/actions/projects/filter_spec.rb b/spec/actions/projects/filter_spec.rb
index a1ff9ce6..a86884cc 100644
--- a/spec/actions/projects/filter_spec.rb
+++ b/spec/actions/projects/filter_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe Projects::Filter do
     api = create(:project, cluster: cluster, account: cluster.account, name: 'api-service')
     create(:project, cluster: cluster, account: cluster.account, name: 'web-frontend')
 
-    expect(described_class.execute(params: { q: 'API' }, projects: Project.all).projects).to eq([api])
+    expect(described_class.execute(params: { q: 'API' }, projects: Project.all).projects).to eq([ api ])
     expect(described_class.execute(params: { q: '' }, projects: Project.all).projects.count).to eq(2)
   end
 end

From f8ce23f11661876238255d42fe2187913fd53ff4 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Fri, 12 Dec 2025 15:22:19 -0800
Subject: [PATCH 72/75] update form update fields

---
 Gemfile                                       |  2 +
 Gemfile.lock                                  |  1 +
 app/actions/sso/sync_user_teams.rb            | 13 +++--
 app/controllers/accounts/oidc_controller.rb   | 55 ++++++++-----------
 app/models/oidc_configuration.rb              |  2 +-
 app/models/sso_provider.rb                    |  4 ++
 app/services/oidc/authenticator.rb            | 34 +++++++++---
 .../sso_providers/ldap/_form_fields.html.erb  |  2 +-
 .../sso_providers/oidc/_form_fields.html.erb  |  2 +-
 .../oidc/_redirect_uri_info.html.erb          |  7 ++-
 .../accounts/sso_providers/show.html.erb      |  1 +
 lib/devise/strategies/ldap_authenticatable.rb | 30 +++-------
 spec/actions/sso/sync_user_teams_spec.rb      |  9 ++-
 spec/models/sso_provider_spec.rb              | 25 ++++++++-
 14 files changed, 109 insertions(+), 78 deletions(-)

diff --git a/Gemfile b/Gemfile
index 0a958770..2ef8b9c7 100644
--- a/Gemfile
+++ b/Gemfile
@@ -116,3 +116,5 @@ gem 'flipper-active_record', '~> 1.2.2'
 gem 'flipper-ui', '~> 1.2.2'
 
 gem "net-ldap", "~> 0.20.0"
+
+gem "jwt", "~> 2.9"
diff --git a/Gemfile.lock b/Gemfile.lock
index 3f80664f..e9d60357 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -723,6 +723,7 @@ DEPENDENCIES
   importmap-rails
   jbuilder
   jsbundling-rails
+  jwt (~> 2.9)
   k8s-ruby (~> 0.17.2)
   kubeclient (~> 4.12)
   light-service (~> 0.20.0)
diff --git a/app/actions/sso/sync_user_teams.rb b/app/actions/sso/sync_user_teams.rb
index ea66740b..a65ce24d 100644
--- a/app/actions/sso/sync_user_teams.rb
+++ b/app/actions/sso/sync_user_teams.rb
@@ -1,10 +1,11 @@
 class SSO::SyncUserTeams
   extend LightService::Organizer
-  def self.call(email:, team_names:, account:, sso_provider:, uid:, name: nil)
-    with(email:, team_names:, account:, sso_provider:, uid:, name:).reduce(
-      SSO::CreateTeamsInAccount,
-      SSO::CreateUserInAccount,
-      SSO::SyncTeams,
-    )
+  def self.call(email:, team_names:, account:, sso_provider:, uid:, name: nil, create_teams: false)
+    actions = []
+    actions << SSO::CreateTeamsInAccount if create_teams
+    actions << SSO::CreateUserInAccount
+    actions << SSO::SyncTeams if create_teams
+
+    with(email:, team_names:, account:, sso_provider:, uid:, name:).reduce(actions)
   end
 end
diff --git a/app/controllers/accounts/oidc_controller.rb b/app/controllers/accounts/oidc_controller.rb
index 2f7337a9..86603877 100644
--- a/app/controllers/accounts/oidc_controller.rb
+++ b/app/controllers/accounts/oidc_controller.rb
@@ -4,8 +4,8 @@ module Accounts
     before_action :load_account
 
     def authorize
-      oidc_config = @account.sso_provider&.configuration
-      unless oidc_config.is_a?(OIDCConfiguration)
+      oidc_configuration = @account.sso_provider&.configuration
+      unless oidc_configuration.is_a?(OIDCConfiguration)
         redirect_to account_sign_in_path(@account.slug), alert: "OIDC is not configured for this account"
         return
       end
@@ -15,8 +15,8 @@ module Accounts
       session[:oidc_state] = state
 
       # Build authorization URL
-      auth_url = build_authorization_url(oidc_config, state)
-      redirect_to auth_url, allow_other_host: true
+      authorization_url = build_authorization_url(oidc_configuration, state)
+      redirect_to authorization_url, allow_other_host: true
     end
 
     def callback
@@ -26,9 +26,9 @@ module Accounts
         return
       end
 
-      oidc_config = @account.sso_provider&.configuration
+      oidc_configuration = @account.sso_provider&.configuration
 
-      unless oidc_config.is_a?(OIDCConfiguration)
+      unless oidc_configuration.is_a?(OIDCConfiguration)
         redirect_to root_path, alert: "OIDC is not configured"
         return
       end
@@ -39,7 +39,7 @@ module Accounts
       end
 
       # Exchange code for tokens
-      result = OIDC::Authenticator.new(oidc_config).authenticate(
+      result = OIDC::Authenticator.new(oidc_configuration).authenticate(
         code: params[:code],
         redirect_uri: oidc_callback_url(slug: @account.slug)
       )
@@ -51,26 +51,15 @@ module Accounts
 
       # Create or find user
       sso_provider = @account.sso_provider
-      if sso_provider.just_in_time_team_provisioning_mode?
-        ar_result = ActiveRecord::Base.transaction do
-          SSO::SyncUserTeams.call(
-            email: result.email,
-            team_names: result.groups || [],
-            account: @account,
-            sso_provider: sso_provider,
-            uid: result.uid,
-            name: result.name
-          )
-        end
-      else
-        ar_result = SSO::CreateUserInAccount.execute(
-          email: result.email,
-          account: @account,
-          sso_provider: sso_provider,
-          uid: result.uid,
-          name: result.name
-        )
-      end
+      ar_result = SSO::SyncUserTeams.call(
+        email: result.email,
+        team_names: result.groups || [],
+        account: @account,
+        sso_provider: sso_provider,
+        uid: result.uid,
+        name: result.name,
+        create_teams: sso_provider.just_in_time_team_provisioning_mode?
+      )
 
       if ar_result.failure?
         redirect_to account_sign_in_path(@account.slug), alert: "Failed to create user account"
@@ -94,22 +83,22 @@ module Accounts
       redirect_to root_path, alert: "Account not found"
     end
 
-    def build_authorization_url(oidc_config, state)
+    def build_authorization_url(oidc_configuration, state)
       params = {
         response_type: "code",
-        client_id: oidc_config.client_id,
+        client_id: oidc_configuration.client_id,
         redirect_uri: oidc_callback_url(slug: @account.slug),
-        scope: oidc_config.scopes,
+        scope: oidc_configuration.scopes,
         state: state
       }
 
-      auth_endpoint = oidc_config.authorization_endpoint.presence || discover_authorization_endpoint(oidc_config)
+      auth_endpoint = oidc_configuration.authorization_endpoint.presence || discover_authorization_endpoint(oidc_configuration)
       "#{auth_endpoint}?#{params.to_query}"
     end
 
-    def discover_authorization_endpoint(oidc_config)
+    def discover_authorization_endpoint(oidc_configuration)
       # Fetch from OIDC discovery document
-      discovery_url = oidc_config.discovery_url
+      discovery_url = oidc_configuration.discovery_url
       response = HTTP.get(discovery_url)
       if response.status.success?
         JSON.parse(response.body.to_s)["authorization_endpoint"]
diff --git a/app/models/oidc_configuration.rb b/app/models/oidc_configuration.rb
index 65bdc47d..13875680 100644
--- a/app/models/oidc_configuration.rb
+++ b/app/models/oidc_configuration.rb
@@ -27,7 +27,7 @@ class OIDCConfiguration < ApplicationRecord
   validates :uid_claim, presence: true
 
   def discovery_url
-    "#{issuer.chomp('/')}/.well-known/openid-configuration"
+    URI.join(issuer, ".well-known/openid-configuration").to_s
   end
 
   def uses_discovery?
diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index afd4486f..fc8c47f5 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -41,4 +41,8 @@ class SSOProvider < ApplicationRecord
   def oidc?
     configuration_type == "OIDCConfiguration"
   end
+
+  def sso_users_count
+    providers.joins(:user).distinct.count(:user_id)
+  end
 end
diff --git a/app/services/oidc/authenticator.rb b/app/services/oidc/authenticator.rb
index 40bd09f3..9c30b4bc 100644
--- a/app/services/oidc/authenticator.rb
+++ b/app/services/oidc/authenticator.rb
@@ -86,8 +86,6 @@ module OIDC
 
     def extract_claims(id_token, access_token)
       if id_token.present?
-        # Decode JWT without verification for now (verification should be added for production)
-        # The ID token contains the user claims
         payload = decode_jwt(id_token)
         return payload if payload.is_a?(Result)
         payload
@@ -100,14 +98,32 @@ module OIDC
     end
 
     def decode_jwt(token)
-      # Simple JWT decode (without signature verification - should add JWKS verification for production)
-      parts = token.split(".")
-      return Result.new(success?: false, error_message: "Invalid JWT format") if parts.length < 2
+      jwks = fetch_jwks
+      decoded = JWT.decode(token, nil, true, {
+        algorithms: %w[RS256 RS384 RS512 ES256 ES384 ES512],
+        jwks: jwks,
+        iss: config.issuer,
+        aud: config.client_id,
+        verify_iss: true,
+        verify_aud: true
+      })
+      decoded.first
+    rescue JWT::DecodeError => e
+      @logger.error "OIDC auth: JWT decode error - #{e.message}"
+      Result.new(success?: false, error_message: "Invalid token: #{e.message}")
+    end
 
-      payload = Base64.urlsafe_decode64(parts[1] + "=" * (4 - parts[1].length % 4))
-      JSON.parse(payload)
-    rescue => e
-      Result.new(success?: false, error_message: "Failed to decode JWT: #{e.message}")
+    def fetch_jwks
+      return @jwks_cache if @jwks_cache
+
+      jwks_uri = config.jwks_uri.presence || discover_endpoint("jwks_uri")
+      response = HTTP.get(jwks_uri)
+
+      unless response.status.success?
+        raise JWT::DecodeError, "Failed to fetch JWKS from #{jwks_uri}"
+      end
+
+      @jwks_cache = JWT::JWK::Set.new(JSON.parse(response.body.to_s))
     end
 
     def fetch_userinfo(access_token)
diff --git a/app/views/accounts/sso_providers/ldap/_form_fields.html.erb b/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
index 64b84e91..bf2d96cb 100644
--- a/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
+++ b/app/views/accounts/sso_providers/ldap/_form_fields.html.erb
@@ -54,7 +54,7 @@
       label: "Bind Password",
       description: "Password for the bind DN"
     )) do %>
-      <%= ldap_form.password_field :bind_password, class: "input input-bordered w-full" %>
+      <%= ldap_form.text_field :bind_password, type: "password", class: "input input-bordered w-full" %>
     <% end %>
   </div>
 
diff --git a/app/views/accounts/sso_providers/oidc/_form_fields.html.erb b/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
index 908f0cd4..f8c7f5be 100644
--- a/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
+++ b/app/views/accounts/sso_providers/oidc/_form_fields.html.erb
@@ -26,7 +26,7 @@
       label: "Client Secret",
       description: "OAuth 2.0 client secret"
     )) do %>
-      <%= oidc_form.password_field :client_secret, class: "input input-bordered w-full", required: true %>
+      <%= oidc_form.text_field :client_secret, type: "password", class: "input input-bordered w-full", required: true %>
       <label class="label">
         <span class="label-text-alt">* Required</span>
       </label>
diff --git a/app/views/accounts/sso_providers/oidc/_redirect_uri_info.html.erb b/app/views/accounts/sso_providers/oidc/_redirect_uri_info.html.erb
index 992cd3a3..a1faf016 100644
--- a/app/views/accounts/sso_providers/oidc/_redirect_uri_info.html.erb
+++ b/app/views/accounts/sso_providers/oidc/_redirect_uri_info.html.erb
@@ -1,8 +1,11 @@
-<div class="alert mb-4">
+<div class="alert alert-warning mb-4">
   <iconify-icon icon="lucide:info" class="mr-2"></iconify-icon>
   <div>
     <div class="font-medium">Redirect URI</div>
     <div class="text-sm mt-1">Configure this redirect URI in your OIDC provider:</div>
-    <code class="block mt-2 text-xs bg-base-300 p-2 rounded break-all select-all"><%= oidc_callback_url(slug: current_account.slug) %></code>
+    <pre
+      class="inline-block cursor-pointer mt-2"
+      data-controller="clipboard"
+      data-clipboard-text="<%= oidc_callback_url(slug: current_account.slug) %>"><%= oidc_callback_url(slug: current_account.slug) %></pre>
   </div>
 </div>
diff --git a/app/views/accounts/sso_providers/show.html.erb b/app/views/accounts/sso_providers/show.html.erb
index 20657229..d93e8487 100644
--- a/app/views/accounts/sso_providers/show.html.erb
+++ b/app/views/accounts/sso_providers/show.html.erb
@@ -20,6 +20,7 @@
                 <% else %>
                   <span class="badge badge-ghost">Disabled</span>
                 <% end %>
+                <span class="badge badge-info"><%= @sso_provider.sso_users_count %> <%= "user".pluralize(@sso_provider.sso_users_count) %></span>
               </div>
             </div>
             <div class="flex gap-2">
diff --git a/lib/devise/strategies/ldap_authenticatable.rb b/lib/devise/strategies/ldap_authenticatable.rb
index 3139f383..5c28fd49 100644
--- a/lib/devise/strategies/ldap_authenticatable.rb
+++ b/lib/devise/strategies/ldap_authenticatable.rb
@@ -51,27 +51,15 @@ module Devise
 
         email = result.email
 
-        if sso_provider.just_in_time_team_provisioning_mode?
-          groups = result.groups
-          ar_result = ActiveRecord::Base.transaction do
-            SSO::SyncUserTeams.call(
-              email: email,
-              team_names: groups,
-              account: ldap_configuration.account,
-              sso_provider: sso_provider,
-              uid: result.user_dn,
-              name: result.name
-            )
-          end
-        else
-          ar_result = SSO::CreateUserInAccount.execute(
-            email: email,
-            account: ldap_configuration.account,
-            sso_provider: sso_provider,
-            uid: result.user_dn,
-            name: result.name
-          )
-        end
+        ar_result = SSO::SyncUserTeams.call(
+          email: email,
+          team_names: result.groups || [],
+          account: ldap_configuration.account,
+          sso_provider: sso_provider,
+          uid: result.user_dn,
+          name: result.name,
+          create_teams: sso_provider.just_in_time_team_provisioning_mode?
+        )
 
         if ar_result.failure?
           return fail(:invalid_login)
diff --git a/spec/actions/sso/sync_user_teams_spec.rb b/spec/actions/sso/sync_user_teams_spec.rb
index 3f6732b2..58213d6d 100644
--- a/spec/actions/sso/sync_user_teams_spec.rb
+++ b/spec/actions/sso/sync_user_teams_spec.rb
@@ -13,7 +13,8 @@ RSpec.describe SSO::SyncUserTeams do
         team_names: [ { name: 'Existing' }, { name: 'NewTeam' } ],
         account: account,
         sso_provider: sso_provider,
-        uid: 'user-uid-123'
+        uid: 'user-uid-123',
+        create_teams: true
       )
 
       expect(result).to be_success
@@ -36,7 +37,8 @@ RSpec.describe SSO::SyncUserTeams do
         team_names: [ { name: 'KeepTeam' } ],
         account: account,
         sso_provider: sso_provider,
-        uid: 'existing-uid'
+        uid: 'existing-uid',
+        create_teams: true
       )
 
       expect(result).to be_success
@@ -58,7 +60,8 @@ RSpec.describe SSO::SyncUserTeams do
         team_names: [],
         account: account,
         sso_provider: sso_provider,
-        uid: 'existing-uid'
+        uid: 'existing-uid',
+        create_teams: true
       )
 
       expect(result).to be_success
diff --git a/spec/models/sso_provider_spec.rb b/spec/models/sso_provider_spec.rb
index 6a183e5c..44acba83 100644
--- a/spec/models/sso_provider_spec.rb
+++ b/spec/models/sso_provider_spec.rb
@@ -24,5 +24,28 @@
 require 'rails_helper'
 
 RSpec.describe SSOProvider, type: :model do
-  pending "add some examples to (or delete) #{__FILE__}"
+  describe '#sso_users_count' do
+    let(:sso_provider) { create(:sso_provider) }
+
+    it 'returns 0 when no users have signed in' do
+      expect(sso_provider.sso_users_count).to eq(0)
+    end
+
+    it 'counts users who have signed in via SSO' do
+      user1 = create(:user)
+      user2 = create(:user)
+      create(:provider, user: user1, sso_provider: sso_provider, uid: 'uid-1', provider: sso_provider.name)
+      create(:provider, user: user2, sso_provider: sso_provider, uid: 'uid-2', provider: sso_provider.name)
+
+      expect(sso_provider.sso_users_count).to eq(2)
+    end
+
+    it 'does not count users from other SSO providers' do
+      other_sso_provider = create(:sso_provider, account: create(:account))
+      user = create(:user)
+      create(:provider, user: user, sso_provider: other_sso_provider, uid: 'uid-1', provider: other_sso_provider.name)
+
+      expect(sso_provider.sso_users_count).to eq(0)
+    end
+  end
 end

From 3a61b10e8112f1d56bcce9ebab3e4fa2ba28c379 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 13 Dec 2025 15:50:01 -0800
Subject: [PATCH 73/75] make forms better for creating a new project

---
 .../controllers/radio_selector_controller.js  |  4 +-
 .../_dockerfile_fields.html.erb               |  2 +-
 .../build_configurations/_form.html.erb       | 65 ++++++++++---------
 .../_new_form_container_registry.html.erb     |  2 +-
 .../projects/create/_new_form_git.html.erb    |  2 +-
 .../environment_variables/index.html.erb      |  2 +-
 .../projects/services/_overview.html.erb      |  4 +-
 app/views/projects/services/new.html.erb      |  4 +-
 .../_edit_form_container_registry.html.erb    |  2 +-
 .../projects/update/_edit_form_git.html.erb   |  2 +-
 app/views/projects/volumes/_form.html.erb     |  2 +-
 config/tailwind.config.js                     |  6 +-
 12 files changed, 51 insertions(+), 46 deletions(-)

diff --git a/app/javascript/controllers/radio_selector_controller.js b/app/javascript/controllers/radio_selector_controller.js
index a1ad23d6..f54f6b33 100644
--- a/app/javascript/controllers/radio_selector_controller.js
+++ b/app/javascript/controllers/radio_selector_controller.js
@@ -4,17 +4,19 @@ export default class extends Controller {
   static targets = ["radio", "partial"]
   
   connect() {
-    this.toggle()
+    //this.toggle()
   }
 
   toggle() {
     const selectedRadio = this.radioTargets.find(radio => radio.checked)
+    console.log(selectedRadio)
     
     if (selectedRadio) {
       const selectedValue = selectedRadio.value
       
       this.partialTargets.forEach(partial => {
         if (partial.dataset.value === selectedValue) {
+          console.log(partial)
           partial.classList.remove('hidden')
         } else {
           partial.classList.add('hidden')
diff --git a/app/views/projects/build_configurations/_dockerfile_fields.html.erb b/app/views/projects/build_configurations/_dockerfile_fields.html.erb
index 16a83f5f..2487dd89 100644
--- a/app/views/projects/build_configurations/_dockerfile_fields.html.erb
+++ b/app/views/projects/build_configurations/_dockerfile_fields.html.erb
@@ -8,7 +8,7 @@
       </label>
       <%= bc_form.text_field(
         :dockerfile_path,
-        class: "input input-bordered w-full focus:outline-offset-0",
+        class: "input input-bordered w-full focus:outline-offset-0 font-mono text-sm",
         value: build_configuration.dockerfile_path
       ) %>
       <label class="label">
diff --git a/app/views/projects/build_configurations/_form.html.erb b/app/views/projects/build_configurations/_form.html.erb
index 36adc383..3ac18adb 100644
--- a/app/views/projects/build_configurations/_form.html.erb
+++ b/app/views/projects/build_configurations/_form.html.erb
@@ -2,42 +2,13 @@
   <div>
     <% build_configuration = project.build_configuration || BuildConfiguration.new %>
     <%= form.fields_for :build_configuration, build_configuration do |bc_form| %>
-      <div class="form-control mt-4">
-        <%= render "shared/partials/radio_selector", selected: build_configuration.driver, options: [
-          {
-            icon: "skill-icons:docker",
-            name: "project[build_configuration][driver]",
-            label: "Local Docker",
-            value: "docker",
-            description: "Build images using Docker on the deployment server. Simple setup, suitable for smaller projects."
-          },
-          {
-            icon: "/images/logo-compact.webp",
-            name: "project[build_configuration][driver]",
-            label: "Canine Cloud",
-            value: "cloud",
-            description: "We'll build the images for you on our servers, for free."
-          },
-          {
-            icon: "skill-icons:kubernetes",
-            name: "project[build_configuration][driver]",
-            label: "Kubernetes Build Cloud",
-            description: "Build images in your Kubernetes cluster. Scalable, distributed builds with better resource utilization.",
-            value: "k8s",
-            partial: "projects/build_configurations/k8s_build_cloud",
-            locals: { current_account:, bc_form:, build_configuration: }
-          }
-        ].select { |option| BuildConfiguration::BUILDER_OPTIONS.include?(option[:value].to_sym) } %>
-        
-      </div>
-
       <div class="form-control mt-1 mb-2 w-full max-w-md">
         <label class="label">
           <span class="label-text">Build context directory</span>
         </label>
         <%= bc_form.text_field(
           :context_directory,
-          class: "input input-bordered w-full focus:outline-offset-0",
+          class: "input input-bordered w-full focus:outline-offset-0 font-mono text-sm",
           value: build_configuration.context_directory
         ) %>
         <label class="label">
@@ -95,11 +66,43 @@
         </div>
       </div>
 
+      <div class="form-control mt-4">
+        <label class="label mb-2">
+          <span class="label-text">Build driver</span>
+        </label>
+        <%= render "shared/partials/radio_selector", selected: build_configuration.driver, options: [
+          {
+            icon: "skill-icons:docker",
+            name: "project[build_configuration][driver]",
+            label: "Local Docker",
+            value: "docker",
+            description: "Build images using Docker on the deployment server. Simple setup, suitable for smaller projects."
+          },
+          {
+            icon: "/images/logo-compact.webp",
+            name: "project[build_configuration][driver]",
+            label: "Canine Cloud",
+            value: "cloud",
+            description: "We'll build the images for you on our servers, for free."
+          },
+          {
+            icon: "skill-icons:kubernetes",
+            name: "project[build_configuration][driver]",
+            label: "Kubernetes Build Cloud",
+            description: "Build images in your Kubernetes cluster. Scalable, distributed builds with better resource utilization.",
+            value: "k8s",
+            partial: "projects/build_configurations/k8s_build_cloud",
+            locals: { current_account:, bc_form:, build_configuration: }
+          }
+        ].select { |option| BuildConfiguration::BUILDER_OPTIONS.include?(option[:value].to_sym) } %>
+        
+      </div>
+
       <div class="form-control mt-4">
         <label class="label mb-2">
           <span class="label-text">Build method</span>
         </label>
-        <%= render "shared/partials/radio_selector", selected: build_configuration.build_type || "dockerfile", options: [
+        <%= render "shared/partials/radio_selector", selected: build_configuration.build_type, options: [
           {
             icon: "skill-icons:docker",
             name: "project[build_configuration][build_type]",
diff --git a/app/views/projects/create/_new_form_container_registry.html.erb b/app/views/projects/create/_new_form_container_registry.html.erb
index db8248d4..f55950ee 100644
--- a/app/views/projects/create/_new_form_container_registry.html.erb
+++ b/app/views/projects/create/_new_form_container_registry.html.erb
@@ -53,7 +53,7 @@
         label: "Predeploy command",
         description: "The command to run before deploying the project. This is useful for running migrations or other setup commands."
       )) do %>
-        <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0" %>
+        <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0 font-mono text-sm" %>
       <% end %>
 
       <%= render "shared/partials/namespace_input_group", form: %>
diff --git a/app/views/projects/create/_new_form_git.html.erb b/app/views/projects/create/_new_form_git.html.erb
index 34e0fa83..e38cfd05 100644
--- a/app/views/projects/create/_new_form_git.html.erb
+++ b/app/views/projects/create/_new_form_git.html.erb
@@ -94,7 +94,7 @@
         label: "Predeploy command",
         description: "The command to run before deploying the project. This is useful for running migrations or other setup commands."
       )) do %>
-        <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0" %>
+        <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0 font-mono text-sm" %>
       <% end %>
 
       <% if Flipper.enabled?(:build_configuration, current_account) %>
diff --git a/app/views/projects/environment_variables/index.html.erb b/app/views/projects/environment_variables/index.html.erb
index f6c7da2c..bea2c33e 100644
--- a/app/views/projects/environment_variables/index.html.erb
+++ b/app/views/projects/environment_variables/index.html.erb
@@ -26,7 +26,7 @@
           <%= form_with(url: project_environment_variables_path(@project), method: :post) do |form| %>
             <%= form.text_area(
               :text_content,
-              class: "textarea textarea-bordered w-full",
+              class: "textarea textarea-bordered w-full font-mono text-sm",
               placeholder: "KEY1=value1\nKEY2=value2",
               rows: 6,
               data: {
diff --git a/app/views/projects/services/_overview.html.erb b/app/views/projects/services/_overview.html.erb
index 0c7bb7c8..0d6065d2 100644
--- a/app/views/projects/services/_overview.html.erb
+++ b/app/views/projects/services/_overview.html.erb
@@ -8,13 +8,13 @@
         </div>
         <div class="form-control form-group">
           <%= form.label :command %>
-          <%= form.text_field :command, class: "input input-bordered w-full", required: false %>
+          <%= form.text_field :command, class: "input input-bordered w-full font-mono text-sm", required: false %>
         </div>
         <% if service.cron_job? %>
           <div class="form-control form-group">
             <%= form.fields_for :cron_schedule do |cron_schedule_form| %>
               <%= cron_schedule_form.label :schedule %>
-              <%= cron_schedule_form.text_field :schedule, class: "input input-bordered w-full", placeholder: "0 0 * * *", value: service.cron_schedule.schedule %>
+              <%= cron_schedule_form.text_field :schedule, class: "input input-bordered w-full font-mono text-sm", placeholder: "0 0 * * *", value: service.cron_schedule.schedule %>
             <% end %>
           </div>
         <% end %>
diff --git a/app/views/projects/services/new.html.erb b/app/views/projects/services/new.html.erb
index 27ac586a..d0b33652 100644
--- a/app/views/projects/services/new.html.erb
+++ b/app/views/projects/services/new.html.erb
@@ -76,7 +76,7 @@
 
         <div class="form-group">
           <%= form.label :command %>
-          <%= form.text_field :command, class: "input input-bordered w-full max-w-sm", required: false %>
+          <%= form.text_field :command, class: "input input-bordered w-full max-w-sm font-mono text-sm", required: false %>
           <label class="label">
             <span class="label-text-alt">Optional: A blank command will run the default command from the Dockerfile</span>
           </label>
@@ -114,7 +114,7 @@
             <h3 class="text-lg font-bold">Cron job</h3>
             <%= form.fields_for :cron_schedule do |cron_schedule_form| %>
               <%= cron_schedule_form.label :schedule %>
-              <%= cron_schedule_form.text_field :schedule, class: "input input-bordered w-full max-w-sm", placeholder: "0 0 * * *" %>
+              <%= cron_schedule_form.text_field :schedule, class: "input input-bordered w-full max-w-sm font-mono text-sm", placeholder: "0 0 * * *" %>
             <% end %>
             <label class="label">
               <span class="label-text-alt">Use <a href="https://crontab.guru/" target="_blank">crontab.guru</a> to schedule your cron job</span>
diff --git a/app/views/projects/update/_edit_form_container_registry.html.erb b/app/views/projects/update/_edit_form_container_registry.html.erb
index 2d235201..2643b9c5 100644
--- a/app/views/projects/update/_edit_form_container_registry.html.erb
+++ b/app/views/projects/update/_edit_form_container_registry.html.erb
@@ -14,7 +14,7 @@
     <% end %>
 
     <%= render(FormFieldComponent.new(label: "Predeploy command")) do %>
-      <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0" %>
+      <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0 font-mono text-sm" %>
     <% end %>
   </div>
 
diff --git a/app/views/projects/update/_edit_form_git.html.erb b/app/views/projects/update/_edit_form_git.html.erb
index bdb677e5..ec024798 100644
--- a/app/views/projects/update/_edit_form_git.html.erb
+++ b/app/views/projects/update/_edit_form_git.html.erb
@@ -24,7 +24,7 @@
     <% end %>
 
     <%= render(FormFieldComponent.new(label: "Predeploy command")) do %>
-      <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0" %>
+      <%= form.text_field :predeploy_command, class: "input input-bordered w-full focus:outline-offset-0 font-mono text-sm" %>
     <% end %>
 
     <% if Flipper.enabled?(:build_configuration, current_account) %>
diff --git a/app/views/projects/volumes/_form.html.erb b/app/views/projects/volumes/_form.html.erb
index c8116029..0bdf91b9 100644
--- a/app/views/projects/volumes/_form.html.erb
+++ b/app/views/projects/volumes/_form.html.erb
@@ -38,7 +38,7 @@
     <label class="label">
       <span class="label-text">Mount Path</span>
     </label>
-    <%= f.text_field :mount_path, class: "input input-bordered w-full" %>
+    <%= f.text_field :mount_path, class: "input input-bordered w-full font-mono text-sm" %>
     <label class="label">
       <span class="label-text-alt">* Required</span>
     </label>
diff --git a/config/tailwind.config.js b/config/tailwind.config.js
index c576a08f..cd19ee21 100644
--- a/config/tailwind.config.js
+++ b/config/tailwind.config.js
@@ -28,6 +28,9 @@ module.exports = {
         sm: "13px",
         base: "15px",
       },
+      fontFamily: {
+        body: ["DM Sans", "sans-serif"],
+      },
     },
     container: {
       center: true,
@@ -40,9 +43,6 @@ module.exports = {
         "2xl": "6rem",
       },
     },
-    fontFamily: {
-      body: ["DM Sans", "sans-serif"],
-    },
   },
   darkMode: "class",
   daisyui: {

From b11b001b65a7ef6be9c3aba4653cfbf84d0df392 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 13 Dec 2025 16:25:37 -0800
Subject: [PATCH 74/75] dsiable buttons on submission

---
 app/javascript/controllers/radio_selector_controller.js     | 2 +-
 app/views/add_ons/edit.html.erb                             | 2 +-
 app/views/add_ons/new.html.erb                              | 2 +-
 app/views/clusters/_edit_form.html.erb                      | 2 +-
 app/views/clusters/build_clouds/_edit.html.erb              | 2 +-
 app/views/clusters/cluster_types/instructions/_k8s.html.erb | 2 +-
 app/views/clusters/edit.html.erb                            | 2 +-
 app/views/projects/build_configurations/_form.html.erb      | 6 +++---
 .../projects/create/_new_form_container_registry.html.erb   | 2 +-
 app/views/projects/create/_new_form_git.html.erb            | 2 +-
 app/views/projects/environment_variables/index.html.erb     | 4 ++--
 app/views/projects/project_forks/_form.html.erb             | 2 +-
 app/views/projects/services/_advanced.html.erb              | 2 +-
 app/views/projects/services/_overview.html.erb              | 2 +-
 app/views/projects/services/new.html.erb                    | 2 +-
 .../projects/services/resource_constraints/_show.html.erb   | 4 ++--
 .../projects/update/_edit_form_container_registry.html.erb  | 2 +-
 app/views/projects/update/_edit_form_git.html.erb           | 2 +-
 18 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/app/javascript/controllers/radio_selector_controller.js b/app/javascript/controllers/radio_selector_controller.js
index f54f6b33..560351e4 100644
--- a/app/javascript/controllers/radio_selector_controller.js
+++ b/app/javascript/controllers/radio_selector_controller.js
@@ -4,7 +4,7 @@ export default class extends Controller {
   static targets = ["radio", "partial"]
   
   connect() {
-    //this.toggle()
+    this.toggle()
   }
 
   toggle() {
diff --git a/app/views/add_ons/edit.html.erb b/app/views/add_ons/edit.html.erb
index 686ab0ac..78a163f7 100644
--- a/app/views/add_ons/edit.html.erb
+++ b/app/views/add_ons/edit.html.erb
@@ -28,7 +28,7 @@
           <div data-yaml-editor-target="editor" class="mt-2"></div>
         </div>
         <div class="form-footer">
-          <%= form.submit "Save", class: "btn btn-primary" %>
+          <%= form.submit "Save", class: "btn btn-primary", data: { turbo_submits_with: "Saving..." } %>
         </div>
       <% end %>
       <div class="text-sm text-gray-500">
diff --git a/app/views/add_ons/new.html.erb b/app/views/add_ons/new.html.erb
index 0222b39f..f3a7cd4f 100644
--- a/app/views/add_ons/new.html.erb
+++ b/app/views/add_ons/new.html.erb
@@ -107,7 +107,7 @@
         </div>
 
         <div class="form-footer">
-          <%= form.button "Create Add On", class: "btn btn-primary" %>
+          <%= form.button "Create Add On", class: "btn btn-primary", data: { turbo_submits_with: "Creating..." } %>
 
           <% if form.object.new_record? %>
             <%= link_to t("cancel"), add_ons_path, class: "btn btn-secondary" %>
diff --git a/app/views/clusters/_edit_form.html.erb b/app/views/clusters/_edit_form.html.erb
index d836af14..2e078546 100644
--- a/app/views/clusters/_edit_form.html.erb
+++ b/app/views/clusters/_edit_form.html.erb
@@ -8,7 +8,7 @@
     <% end %>
 
     <div class="form-footer">
-      <%= form.submit "Save", class: "btn btn-primary" %>
+      <%= form.submit "Save", class: "btn btn-primary", data: { turbo_submits_with: "Saving..." } %>
     </div>
   <% end %>
 </div>
diff --git a/app/views/clusters/build_clouds/_edit.html.erb b/app/views/clusters/build_clouds/_edit.html.erb
index ba46561f..c4cfb81e 100644
--- a/app/views/clusters/build_clouds/_edit.html.erb
+++ b/app/views/clusters/build_clouds/_edit.html.erb
@@ -122,7 +122,7 @@
                       data: { turbo_frame: dom_id(cluster, "build_cloud") } do %>
             Cancel
           <% end %>
-          <%= form.submit "Save Configuration", class: "btn btn-primary" %>
+          <%= form.submit "Save Configuration", class: "btn btn-primary", data: { turbo_submits_with: "Saving..." } %>
         </div>
       <% end %>
 
diff --git a/app/views/clusters/cluster_types/instructions/_k8s.html.erb b/app/views/clusters/cluster_types/instructions/_k8s.html.erb
index 91e8bc9b..8bb76a06 100644
--- a/app/views/clusters/cluster_types/instructions/_k8s.html.erb
+++ b/app/views/clusters/cluster_types/instructions/_k8s.html.erb
@@ -32,7 +32,7 @@
   <% end %>
 
   <div class="form-footer">
-    <%= form.button "Submit", class: "btn btn-primary" %>
+    <%= form.button "Submit", class: "btn btn-primary", data: { turbo_submits_with: "Submitting..." } %>
 
     <% if form.object.new_record? %>
       <%= link_to t("cancel"), clusters_path, class: "btn btn-secondary" %>
diff --git a/app/views/clusters/edit.html.erb b/app/views/clusters/edit.html.erb
index 969e4c25..300ecd45 100644
--- a/app/views/clusters/edit.html.erb
+++ b/app/views/clusters/edit.html.erb
@@ -39,7 +39,7 @@
               <div data-yaml-editor-target="editor" class="mt-2"></div>
             </div>
             <div class="form-footer flex gap-2">
-              <%= form.submit "Save", class: "btn btn-primary" %>
+              <%= form.submit "Save", class: "btn btn-primary", data: { turbo_submits_with: "Saving..." } %>
               <button type="button"
                       class="btn btn-outline"
                       data-action="click->content-toggle#cancelEdit">
diff --git a/app/views/projects/build_configurations/_form.html.erb b/app/views/projects/build_configurations/_form.html.erb
index 3ac18adb..2ae67bb5 100644
--- a/app/views/projects/build_configurations/_form.html.erb
+++ b/app/views/projects/build_configurations/_form.html.erb
@@ -70,7 +70,7 @@
         <label class="label mb-2">
           <span class="label-text">Build driver</span>
         </label>
-        <%= render "shared/partials/radio_selector", selected: build_configuration.driver, options: [
+        <%= render "shared/partials/radio_selector", selected: build_configuration.driver || (Rails.application.config.local_mode ? "docker" : "cloud"), options: [
           {
             icon: "skill-icons:docker",
             name: "project[build_configuration][driver]",
@@ -81,7 +81,7 @@
           {
             icon: "/images/logo-compact.webp",
             name: "project[build_configuration][driver]",
-            label: "Canine Cloud",
+            label: "Canine Cloud (recommended)",
             value: "cloud",
             description: "We'll build the images for you on our servers, for free."
           },
@@ -102,7 +102,7 @@
         <label class="label mb-2">
           <span class="label-text">Build method</span>
         </label>
-        <%= render "shared/partials/radio_selector", selected: build_configuration.build_type, options: [
+        <%= render "shared/partials/radio_selector", selected: build_configuration.build_type || "dockerfile", options: [
           {
             icon: "skill-icons:docker",
             name: "project[build_configuration][build_type]",
diff --git a/app/views/projects/create/_new_form_container_registry.html.erb b/app/views/projects/create/_new_form_container_registry.html.erb
index f55950ee..35b603d8 100644
--- a/app/views/projects/create/_new_form_container_registry.html.erb
+++ b/app/views/projects/create/_new_form_container_registry.html.erb
@@ -60,7 +60,7 @@
     </div>
 
     <div class="form-footer">
-      <%= form.button "Submit", class: "btn btn-primary" %>
+      <%= form.button "Submit", class: "btn btn-primary", data: { disable_with: "Submitting..." } %>
 
       <% if form.object.new_record? %>
         <%= link_to t("cancel"), projects_path, class: "btn btn-secondary", data: { turbo: false } %>
diff --git a/app/views/projects/create/_new_form_git.html.erb b/app/views/projects/create/_new_form_git.html.erb
index e38cfd05..2e52f383 100644
--- a/app/views/projects/create/_new_form_git.html.erb
+++ b/app/views/projects/create/_new_form_git.html.erb
@@ -110,7 +110,7 @@
     </div>
 
     <div class="form-footer">
-      <%= form.button "Submit", class: "btn btn-primary" %>
+      <%= form.button "Submit", class: "btn btn-primary", data: { turbo_submits_with: "Submitting..." } %>
 
       <% if form.object.new_record? %>
         <%= link_to t("cancel"), projects_path, class: "btn btn-secondary", data: { turbo: false } %>
diff --git a/app/views/projects/environment_variables/index.html.erb b/app/views/projects/environment_variables/index.html.erb
index bea2c33e..9b0e82c2 100644
--- a/app/views/projects/environment_variables/index.html.erb
+++ b/app/views/projects/environment_variables/index.html.erb
@@ -10,7 +10,7 @@
       <div class="flex flex-row justify-between">
         <div>
           <button class="btn btn-neutral btn-outline" type="button" data-action="environment-variables#add">Add new environment variable</button>
-          <%= form.submit "Save", class: "btn btn-primary" %>
+          <%= form.submit "Save", class: "btn btn-primary", data: { turbo_submits_with: "Saving..." } %>
         </div>
         <%= link_to "Download as .env", download_project_environment_variables_path(@project), class: "btn btn-outline", target: "_blank" %>
       </div>
@@ -34,7 +34,7 @@
                 'textarea-autogrow-resize-debounce-delay-value': "500"
               }
             ) %>
-            <%= form.submit "Add variables", class: "btn btn-primary" %>
+            <%= form.submit "Add variables", class: "btn btn-primary", data: { turbo_submits_with: "Adding..." } %>
           <% end %>
         </div>
       </div>
diff --git a/app/views/projects/project_forks/_form.html.erb b/app/views/projects/project_forks/_form.html.erb
index 9d74806b..cc53163d 100644
--- a/app/views/projects/project_forks/_form.html.erb
+++ b/app/views/projects/project_forks/_form.html.erb
@@ -26,6 +26,6 @@
     <% end %>
   </div>
   <div class="form-footer">
-    <%= form.submit "Save", class: "btn btn-primary" %>
+    <%= form.submit "Save", class: "btn btn-primary", data: { turbo_submits_with: "Saving..." } %>
   </div>
 <% end %>
\ No newline at end of file
diff --git a/app/views/projects/services/_advanced.html.erb b/app/views/projects/services/_advanced.html.erb
index 0279d8b5..70ed825b 100644
--- a/app/views/projects/services/_advanced.html.erb
+++ b/app/views/projects/services/_advanced.html.erb
@@ -48,7 +48,7 @@
       </div>
 
       <div class="form-footer mt-6 flex gap-2">
-        <%= form.submit @service.pod_yaml.present? ? "Update Pod Template" : "Save Pod Template", class: "btn btn-primary" %>
+        <%= form.submit @service.pod_yaml.present? ? "Update Pod Template" : "Save Pod Template", class: "btn btn-primary", data: { turbo_submits_with: "Saving..." } %>
         <button type="button"
                 class="btn btn-outline"
                 data-action="click->content-toggle#cancelEdit">
diff --git a/app/views/projects/services/_overview.html.erb b/app/views/projects/services/_overview.html.erb
index 0d6065d2..e74b323f 100644
--- a/app/views/projects/services/_overview.html.erb
+++ b/app/views/projects/services/_overview.html.erb
@@ -52,7 +52,7 @@
       </div>
     </div>
     <div class="form-footer">
-      <%= form.submit class: "btn btn-primary" %>
+      <%= form.submit class: "btn btn-primary", data: { turbo_submits_with: "Saving..." } %>
     </div>
   <% end %>
 </div>
\ No newline at end of file
diff --git a/app/views/projects/services/new.html.erb b/app/views/projects/services/new.html.erb
index d0b33652..aa6be6e6 100644
--- a/app/views/projects/services/new.html.erb
+++ b/app/views/projects/services/new.html.erb
@@ -124,7 +124,7 @@
       </div>
 
       <div class="form-footer">
-        <%= form.button "Submit", class: "btn btn-primary", data: { turbo: "false" } %>
+        <%= form.button "Submit", class: "btn btn-primary", data: { turbo: "false", disable_with: "Submitting..." } %>
         <%= link_to "Cancel", project_services_path(@project), class: "btn btn-outline" %>
       </div>
     <% end %>
diff --git a/app/views/projects/services/resource_constraints/_show.html.erb b/app/views/projects/services/resource_constraints/_show.html.erb
index 2b0b2bcb..1bfcb0c3 100644
--- a/app/views/projects/services/resource_constraints/_show.html.erb
+++ b/app/views/projects/services/resource_constraints/_show.html.erb
@@ -10,12 +10,12 @@
       <%= render "projects/services/resource_constraints/form", form: form, resource_constraint: %>
       <% if resource_constraint.persisted? %>
         <div class="form-footer mt-6">
-          <%= form.submit "Update Resource Constraints", class: "btn btn-primary" %>
+          <%= form.submit "Update Resource Constraints", class: "btn btn-primary", data: { turbo_submits_with: "Updating..." } %>
         </div>
       <% else %>
         <div class="form-footer mt-6">
           <%= link_to "Cancel", project_service_resource_constraint_path(service.project, service), class: "btn btn-outline" %>
-          <%= form.submit "Create Resource Constraints", class: "btn btn-primary" %>
+          <%= form.submit "Create Resource Constraints", class: "btn btn-primary", data: { turbo_submits_with: "Creating..." } %>
         </div>
       <% end %>
     <% end %>
diff --git a/app/views/projects/update/_edit_form_container_registry.html.erb b/app/views/projects/update/_edit_form_container_registry.html.erb
index 2643b9c5..ba8bc60e 100644
--- a/app/views/projects/update/_edit_form_container_registry.html.erb
+++ b/app/views/projects/update/_edit_form_container_registry.html.erb
@@ -19,7 +19,7 @@
   </div>
 
   <div class="form-footer">
-    <%= form.button "Submit", class: "btn btn-primary" %>
+    <%= form.button "Submit", class: "btn btn-primary", data: { turbo_submits_with: "Submitting..." } %>
 
     <% if form.object.new_record? %>
       <%= link_to t("cancel"), projects_path, class: "btn btn-secondary" %>
diff --git a/app/views/projects/update/_edit_form_git.html.erb b/app/views/projects/update/_edit_form_git.html.erb
index ec024798..9640bc4a 100644
--- a/app/views/projects/update/_edit_form_git.html.erb
+++ b/app/views/projects/update/_edit_form_git.html.erb
@@ -35,7 +35,7 @@
   </div>
 
   <div class="form-footer">
-    <%= form.button "Submit", class: "btn btn-primary" %>
+    <%= form.button "Submit", class: "btn btn-primary", data: { turbo_submits_with: "Submitting..." } %>
 
     <% if form.object.new_record? %>
       <%= link_to t("cancel"), projects_path, class: "btn btn-secondary" %>

From a6978d9464d0cbbebbc90fb8a60c9a7d11156752 Mon Sep 17 00:00:00 2001
From: Chris <chris@example.com>
Date: Sat, 13 Dec 2025 16:36:02 -0800
Subject: [PATCH 75/75] fix bug with new form git

---
 app/views/projects/create/_new_form_git.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/projects/create/_new_form_git.html.erb b/app/views/projects/create/_new_form_git.html.erb
index 2e52f383..e4db13e7 100644
--- a/app/views/projects/create/_new_form_git.html.erb
+++ b/app/views/projects/create/_new_form_git.html.erb
@@ -110,7 +110,7 @@
     </div>
 
     <div class="form-footer">
-      <%= form.button "Submit", class: "btn btn-primary", data: { turbo_submits_with: "Submitting..." } %>
+      <%= form.button "Submit", class: "btn btn-primary", data: { disable_with: "Submitting..." } %>
 
       <% if form.object.new_record? %>
         <%= link_to t("cancel"), projects_path, class: "btn btn-secondary", data: { turbo: false } %>